pwn-hisilicon-dvr icon indicating copy to clipboard operation
pwn-hisilicon-dvr copied to clipboard

Published 20 hours ago verified publisher icon tothi

smap guessing does not work: min Rss size is 8k

Open mschaefers opened this issue 4 years ago • 1 comments

when I run your exploit on my old Xiongmai cam, it can not guess the correct stack section base, because all my 8188 byte long entries have an Rss size of at least 8k:

Any idea on how to adapt the guessing algorithm to this model? (more model infos below)

[+] getting pidlist: found 41 processes
[+] searching for PID of '/usr/bin/Sofia': 812
[→] getting stack section base
(0, '0x622000', ((1996, 984, 984, 0, 0, 0, 984),))
(1, '0x818000', ((4, 4, 4, 0, 0, 0, 4),))
(2, '0x24a3000', ((5808, 5292, 5292, 0, 0, 0, 5292),))
(3, '0x4007f000', ((4, 4, 4, 0, 0, 0, 4),))
(4, '0x40080000', ((4, 4, 4, 0, 0, 0, 4),))
(5, '0x400c6000', ((4, 4, 4, 0, 0, 0, 4),))
(6, '0x400de000', ((4, 4, 4, 0, 0, 0, 4),))
(7, '0x40113000', ((4, 4, 4, 0, 0, 0, 4),))
(8, '0x40114000', ((8, 4, 4, 0, 0, 0, 4),))
(9, '0x4014d000', ((4, 4, 4, 0, 0, 0, 4),))
(10, '0x4014e000', ((40, 8, 8, 0, 0, 0, 8),))
(11, '0x4016a000', ((4, 4, 4, 0, 0, 0, 4),))
(12, '0x40247000', ((8, 8, 8, 0, 0, 0, 8),))
(13, '0x40249000', ((24, 12, 12, 0, 0, 0, 12),))
(14, '0x40266000', ((4, 4, 4, 0, 0, 0, 4),))
(15, '0x40279000', ((4, 4, 4, 0, 0, 0, 4),))
(16, '0x4030d000', ((8, 8, 8, 0, 0, 0, 8),))
(17, '0x4030f000', ((280, 280, 280, 0, 0, 0, 280),))
(18, '0x40356000', ((8188, 8, 8, 0, 0, 0, 8),))
(19, '0x40b92000', ((8188, 16, 16, 0, 0, 0, 16),))
(20, '0x413ae000', ((8188, 8, 8, 0, 0, 0, 8),))
(21, '0x41beb000', ((516, 516, 516, 0, 0, 0, 516),))
(22, '0x41c93000', ((8188, 12, 12, 0, 0, 0, 12),))
(23, '0x4249b000', ((10760, 3496, 3496, 0, 0, 0, 3496),))
(24, '0x42f65000', ((8188, 8, 8, 0, 0, 0, 8),))
(25, '0x437aa000', ((260, 4, 4, 0, 0, 0, 4),))
(26, '0x43839000', ((8188, 8, 8, 0, 0, 0, 8),))
(27, '0x4404c000', ((8188, 8, 8, 0, 0, 0, 8),))
(28, '0x4487d000', ((8704, 524, 524, 0, 0, 0, 524),))
(29, '0x45101000', ((8188, 20, 20, 0, 0, 0, 20),))
(30, '0x45943000', ((316, 56, 56, 0, 0, 0, 56),))
(31, '0x45a1c000', ((8188, 16, 16, 0, 0, 0, 16),))
(32, '0x4624c000', ((1000, 520, 520, 0, 0, 0, 520),))
(33, '0x465b6000', ((8188, 8, 8, 0, 0, 0, 8),))
(34, '0x46e56000', ((8188, 8, 8, 0, 0, 0, 8),))
(35, '0x47656000', ((8188, 8, 8, 0, 0, 0, 8),))
(36, '0x47e67000', ((8188, 8, 8, 0, 0, 0, 8),))
(37, '0x486bc000', ((8188, 12, 12, 0, 0, 0, 12),))
(38, '0x48ebc000', ((8188, 8, 8, 0, 0, 0, 8),))
(39, '0x497b4000', ((8860, 52, 52, 0, 0, 0, 52),))
(40, '0x4a06d000', ((8188, 8, 8, 0, 0, 0, 8),))
(41, '0x4a86d000', ((8188, 8, 8, 0, 0, 0, 8),))
(42, '0x4b06d000', ((8188, 8, 8, 0, 0, 0, 8),))
(43, '0x4b86d000', ((8188, 8, 8, 0, 0, 0, 8),))
(44, '0x4c0eb000', ((12288, 4108, 4108, 0, 0, 0, 4108),))
(45, '0x4ccec000', ((8188, 12, 12, 0, 0, 0, 12),))
(46, '0x4d520000', ((8188, 12, 12, 0, 0, 0, 12),))
(47, '0x4dd20000', ((8188, 8, 8, 0, 0, 0, 8),))
(48, '0x4e520000', ((8188, 8, 8, 0, 0, 0, 8),))
(49, '0x4ed25000', ((8188, 8, 8, 0, 0, 0, 8),))
(50, '0x4f525000', ((8188, 8, 8, 0, 0, 0, 8),))
(51, '0x4fd25000', ((8188, 8, 8, 0, 0, 0, 8),))
(52, '0x50525000', ((8188, 8, 8, 0, 0, 0, 8),))
(53, '0x50d25000', ((8188, 8, 8, 0, 0, 0, 8),))
(54, '0x515e3000', ((8188, 8, 8, 0, 0, 0, 8),))
(55, '0x51e89000', ((8188, 8, 8, 0, 0, 0, 8),))
(56, '0x52720000', ((8188, 8, 8, 0, 0, 0, 8),))
(57, '0x52f86000', ((8188, 8, 8, 0, 0, 0, 8),))
(58, '0x53786000', ((8188, 12, 12, 0, 0, 0, 12),))
(59, '0x54003000', ((8188, 16, 16, 0, 0, 0, 16),))
(60, '0x54868000', ((8188, 8, 8, 0, 0, 0, 8),))
(61, '0x550d4000', ((8188, 16, 16, 0, 0, 0, 16),))
(62, '0x558d4000', ((9196, 48, 48, 0, 0, 0, 48),))
(63, '0x56295000', ((8188, 12, 12, 0, 0, 0, 12),))
(64, '0x56acf000', ((8188, 8, 8, 0, 0, 0, 8),))
(65, '0x572cf000', ((8188, 32, 32, 0, 0, 0, 32),))
(66, '0x57b4a000', ((8188, 8, 8, 0, 0, 0, 8),))
(67, '0x5834a000', ((8188, 8, 8, 0, 0, 0, 8),))
(68, '0x58b9e000', ((8188, 8, 8, 0, 0, 0, 8),))
(69, '0x5940b000', ((8188, 8, 8, 0, 0, 0, 8),))
(70, '0x59c94000', ((8188, 8, 8, 0, 0, 0, 8),))
(71, '0x5a55e000', ((8188, 8, 8, 0, 0, 0, 8),))
(72, '0x5ad5e000', ((8188, 8, 8, 0, 0, 0, 8),))
(73, '0x5b5db000', ((8188, 8, 8, 0, 0, 0, 8),))
(74, '0x5be1a000', ((8188, 8, 8, 0, 0, 0, 8),))
(75, '0x5c6c4000', ((8188, 8, 8, 0, 0, 0, 8),))
(76, '0x5cf1e000', ((8188, 8, 8, 0, 0, 0, 8),))
(77, '0x5d71e000', ((8188, 8, 8, 0, 0, 0, 8),))
(78, '0x5df1e000', ((8188, 12, 12, 0, 0, 0, 12),))
(79, '0x5e71e000', ((8188, 12, 12, 0, 0, 0, 12),))
(80, '0xbed2c000', ((140, 136, 136, 0, 0, 0, 136),))
enter stack region id (guessed value = -1):

More Model Infos:

cat /proc/cpuinfo
Processor	: ARM926EJ-S rev 5 (v5l)
BogoMIPS	: 218.72
Features	: swp half thumb fastmult edsp java 
CPU implementer	: 0x41
CPU architecture: 5TEJ
CPU variant	: 0x0
CPU part	: 0x926
CPU revision	: 5

Hardware	: hi3518
Revision	: 0000
Serial		: 0000000000000000

Hardware is detected as 50H10L

mschaefers avatar Mar 09 '20 14:03 mschaefers

first i would test the vulnerability itself and would try to exploit it without aslr. you can do it by telnetting to the device and attaching gdb to Sofia. if it works, you can identify the memory region, and you can try to implement the magical guess. look for the remote gdb section here if you need hints: https://github.com/tothi/pwn-hisilicon-dvr#remote-gdb

tothi avatar Mar 26 '20 03:03 tothi