Skip to content

Instantly share code, notes, and snippets.

@cwmto

cwmto/patch.py Secret

Created May 11, 2020
Embed
What would you like to do?
#/usr/bin/env python3
import binascii
from os import system
# sha256 9d9221671e64204c3719493fccc3cc76d1ae3f09b1d957ab84426205b7cd0c74
BASE=0x8048000
patches = [
{
# rm -rf conf stuff
'offset': 0x080add00,
'original': b'\x72\x6d\x20\x2d',
'patched': b'\x23\x23\x23\x23',
},
{
# loglevel
'offset': 0x080531ef,
'original': b'\xa1\x90\xdb\x0d\x08\x89\x04\x24\xe8\x84\xde\xff\xff',
'patched': b'\x31\xc0\x83\xc0\x07\x90\x90\x90\x90\x90\x90\x90\x90',
},
# {
# WARNING - tar config - this will break the appliance
# make fs writeable `mount -o rw,remount /`
# `mkdir /var/ex` via SSH
# make sure to backup /usr/bin/csc to /usr/bin/csc_original
# overwrite original with patched that was uploaded via scp
# reboot
# decrypted config will be extracted to /var/ex/, appliance will be broken
# use serial access to restore original csc binary and reboot
#'offset': 0x080adb9f,
#'original': b'\x5f\x63\x6f\x6e\x66\x2f\x63\x73\x63\x00',
#'patched': b'\x2f\x76\x61\x72\x2f\x65\x78\x2f\x00' #/var/ex
# },
]
def group(a, *ns):
for n in ns:
a = [a[i:i+n] for i in range(0, len(a), n)]
return a
def join(a, *cs):
return [cs[0].join(join(t, *cs[1:])) for t in a] if cs else a
def hexdump(data, offset):
toHex = lambda c: '{:02X}'.format(c)
toChr = lambda c: chr(c) if 32 <= c < 127 else '.'
make = lambda f, *cs: join(group(list(map(f, data)), 8, 2), *cs)
hs = make(toHex, ' ', ' ')
cs = make(toChr, ' ', '')
for i, (h, c) in enumerate(zip(hs, cs)):
print ('{:010X}: {:48} {:16}'.format(BASE + offset + i * 16, h, c))
print()
def patch_all(patches=None):
if patches is None:
return
for patch in patches:
with open('./csc_patched', 'r+b') as f:
OFFSET = patch['offset']-BASE
f.seek(OFFSET)
data = f.read(len(patch['original']))
if data == patch['original']:
print('[+] patching %d bytes' % len(patch['original']))
hexdump(data, OFFSET)
else:
print('[-] bytes do not match')
hexdump(data, OFFSET)
return
f.seek(OFFSET)
f.write(bytes(patch['patched']))
def main():
system("cp ./csc ./csc_patched")
patch_all(patches=patches)
if __name__ == '__main__':
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment