cwmto/patch.py Secret

## patch.py
#/usr/bin/env python3
import binascii
from os import system

# sha256        9d9221671e64204c3719493fccc3cc76d1ae3f09b1d957ab84426205b7cd0c74
BASE=0x8048000

patches = [
    {
        # rm -rf conf stuff
        'offset': 0x080add00,
        'original': b'\x72\x6d\x20\x2d',
        'patched':  b'\x23\x23\x23\x23',
    },
    {
        # loglevel
        'offset': 0x080531ef,
        'original': b'\xa1\x90\xdb\x0d\x08\x89\x04\x24\xe8\x84\xde\xff\xff',
        'patched':  b'\x31\xc0\x83\xc0\x07\x90\x90\x90\x90\x90\x90\x90\x90',
    },
#       {
        # WARNING - tar config - this will break the appliance
        # make fs writeable `mount -o rw,remount /`
        # `mkdir /var/ex` via SSH
        # make sure to backup /usr/bin/csc to /usr/bin/csc_original
        # overwrite original with patched that was uploaded via scp
        # reboot
        # decrypted config will be extracted to /var/ex/, appliance will be broken
        # use serial access to restore original csc binary and reboot

        #'offset': 0x080adb9f,
        #'original': b'\x5f\x63\x6f\x6e\x66\x2f\x63\x73\x63\x00',
        #'patched':  b'\x2f\x76\x61\x72\x2f\x65\x78\x2f\x00'   #/var/ex
#       },
]

def group(a, *ns):
    for n in ns:
        a = [a[i:i+n] for i in range(0, len(a), n)]
    return a

def join(a, *cs):
     return [cs[0].join(join(t, *cs[1:])) for t in a] if cs else a

def hexdump(data, offset):
    toHex = lambda c: '{:02X}'.format(c)
    toChr = lambda c: chr(c) if 32 <= c < 127 else '.'
    make = lambda f, *cs: join(group(list(map(f, data)), 8, 2), *cs)
    hs = make(toHex, '  ', ' ')
    cs = make(toChr, ' ', '')
    for i, (h, c) in enumerate(zip(hs, cs)):
        print ('{:010X}: {:48}  {:16}'.format(BASE + offset + i * 16, h, c))
    print()


def patch_all(patches=None):
 if patches is None:
           return

    for patch in patches:
        with open('./csc_patched', 'r+b') as f:
            OFFSET = patch['offset']-BASE
            f.seek(OFFSET)
            data = f.read(len(patch['original']))
            if data == patch['original']:
                print('[+] patching %d bytes' % len(patch['original']))
                hexdump(data, OFFSET)

            else:
                print('[-] bytes do not match')
                hexdump(data, OFFSET)
                return
            f.seek(OFFSET)
            f.write(bytes(patch['patched']))


def main():
    system("cp ./csc ./csc_patched")
    patch_all(patches=patches)

if __name__ == '__main__':
    main()
	#/usr/bin/env python3
	import binascii
	from os import system

	# sha256 9d9221671e64204c3719493fccc3cc76d1ae3f09b1d957ab84426205b7cd0c74
	BASE=0x8048000

	patches = [
	{
	# rm -rf conf stuff
	'offset': 0x080add00,
	'original': b'\x72\x6d\x20\x2d',
	'patched': b'\x23\x23\x23\x23',
	},
	{
	# loglevel
	'offset': 0x080531ef,
	'original': b'\xa1\x90\xdb\x0d\x08\x89\x04\x24\xe8\x84\xde\xff\xff',
	'patched': b'\x31\xc0\x83\xc0\x07\x90\x90\x90\x90\x90\x90\x90\x90',
	},
	# {
	# WARNING - tar config - this will break the appliance
	# make fs writeable `mount -o rw,remount /`
	# `mkdir /var/ex` via SSH
	# make sure to backup /usr/bin/csc to /usr/bin/csc_original
	# overwrite original with patched that was uploaded via scp
	# reboot
	# decrypted config will be extracted to /var/ex/, appliance will be broken
	# use serial access to restore original csc binary and reboot

	#'offset': 0x080adb9f,
	#'original': b'\x5f\x63\x6f\x6e\x66\x2f\x63\x73\x63\x00',
	#'patched': b'\x2f\x76\x61\x72\x2f\x65\x78\x2f\x00' #/var/ex
	# },
	]

	def group(a, *ns):
	for n in ns:
	a = [a[i:i+n] for i in range(0, len(a), n)]
	return a

	def join(a, *cs):
	return [cs[0].join(join(t, *cs[1:])) for t in a] if cs else a

	def hexdump(data, offset):
	toHex = lambda c: '{:02X}'.format(c)
	toChr = lambda c: chr(c) if 32 <= c < 127 else '.'
	make = lambda f, cs: join(group(list(map(f, data)), 8, 2), cs)
	hs = make(toHex, ' ', ' ')
	cs = make(toChr, ' ', '')
	for i, (h, c) in enumerate(zip(hs, cs)):
	print ('{:010X}: {:48} {:16}'.format(BASE + offset + i * 16, h, c))
	print()


	def patch_all(patches=None):
	if patches is None:
	return

	for patch in patches:
	with open('./csc_patched', 'r+b') as f:
	OFFSET = patch['offset']-BASE
	f.seek(OFFSET)
	data = f.read(len(patch['original']))
	if data == patch['original']:
	print('[+] patching %d bytes' % len(patch['original']))
	hexdump(data, OFFSET)

	else:
	print('[-] bytes do not match')
	hexdump(data, OFFSET)
	return
	f.seek(OFFSET)
	f.write(bytes(patch['patched']))


	def main():
	system("cp ./csc ./csc_patched")
	patch_all(patches=patches)

	if __name__ == '__main__':
	main()