#!/usr/bin/env python3
import binascii
import hashlib
import shutil
from os import system
# sha256 9d9221671e64204c3719493fccc3cc76d1ae3f09b1d957ab84426205b7cd0c74 | |
# Load address the patch offsets are expressed against: every 'offset' below
# is a virtual address, and patch_all() subtracts BASE to get the file offset.
BASE=0x8048000
# One dict per patch: 'offset' (virtual address), 'original' (bytes expected
# at that address; compared before anything is written) and 'patched' (bytes
# written over them in place, so they are normally the same length).
patches = [
    {
        # rm -rf conf stuff
        # 'rm -' -> '####' (the replacement bytes are ASCII '#').
        'offset': 0x080add00,
        'original': b'\x72\x6d\x20\x2d',
        'patched': b'\x23\x23\x23\x23',
    },
    {
        # loglevel
        # 13 bytes replaced by 13 bytes: x86 `xor eax,eax; add eax,7`
        # followed by eight NOP bytes (0x90) to keep the length equal.
        'offset': 0x080531ef,
        'original': b'\xa1\x90\xdb\x0d\x08\x89\x04\x24\xe8\x84\xde\xff\xff',
        'patched': b'\x31\xc0\x83\xc0\x07\x90\x90\x90\x90\x90\x90\x90\x90',
    },
    # Disabled entry (kept for reference). Note its 'patched' value is one
    # byte shorter than 'original'; patch_all() only writes len('patched').
    # {
    # WARNING - tar config - this will break the appliance
    # make fs writeable `mount -o rw,remount /`
    # `mkdir /var/ex` via SSH
    # make sure to backup /usr/bin/csc to /usr/bin/csc_original
    # overwrite original with patched that was uploaded via scp
    # reboot
    # decrypted config will be extracted to /var/ex/, appliance will be broken
    # use serial access to restore original csc binary and reboot
    #'offset': 0x080adb9f,
    #'original': b'\x5f\x63\x6f\x6e\x66\x2f\x63\x73\x63\x00',
    #'patched': b'\x2f\x76\x61\x72\x2f\x65\x78\x2f\x00' #/var/ex
    # },
]
def group(a, *ns):
    """Chunk *a* by each size in *ns* in turn, nesting one level per size.

    `group(xs, 8, 2)` first splits *xs* into runs of 8, then pairs those runs.
    With no sizes *a* is returned unchanged. Slicing preserves the input
    type, so a str input yields str chunks.
    """
    chunked = a
    for size in ns:
        starts = range(0, len(chunked), size)
        chunked = [chunked[start:start + size] for start in starts]
    return chunked
def join(a, *cs):
    """Collapse nested lists of strings, one separator per nesting level.

    cs[0] joins the items of each element of *a* after the deeper levels have
    been joined with cs[1:]. With no separators *a* is returned as is.
    """
    if not cs:
        return a
    sep, deeper = cs[0], cs[1:]
    joined = []
    for item in a:
        joined.append(sep.join(join(item, *deeper)))
    return joined
def hexdump(data, offset):
    """Print *data* as 16-byte rows (hex then ASCII), addressed from BASE + offset.

    Each row is two groups of 8 bytes; bytes outside printable ASCII are shown
    as '.'. *offset* is a file offset, BASE turns it back into an address.
    """
    def hex_of(byte):
        return f'{byte:02X}'

    def chr_of(byte):
        return chr(byte) if 32 <= byte < 127 else '.'

    def render(convert, *separators):
        cells = [convert(byte) for byte in data]
        return join(group(cells, 8, 2), *separators)

    hex_rows = render(hex_of, ' ', ' ')
    chr_rows = render(chr_of, ' ', '')
    for row, (hex_part, chr_part) in enumerate(zip(hex_rows, chr_rows)):
        address = BASE + offset + row * 16
        print(f'{address:010X}: {hex_part:48} {chr_part:16}')
    print()
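def patch_all(patches=None, path='./csc_patched', expected_sha256=None):
    """Apply byte patches to *path* in place, verifying all of them first.

    Args:
        patches: list of dicts with 'offset' (virtual address; BASE is
            subtracted to get the file offset), 'original' (bytes expected at
            that offset) and 'patched' (replacement bytes; only len('patched')
            bytes are written, so it may be shorter than 'original').
            None is a no-op.
        path: file to modify in place; the default matches main()'s copy.
        expected_sha256: optional hex digest of the file's current contents.
            When given, nothing is verified or written unless it matches.
            NOTE(review): the module header lists a sha256 — presumably of
            the unpatched input; confirm before passing it here.

    Every 'original' is compared against the file before the first write, so
    a mismatch leaves the file untouched instead of partially patched.
    """
    if patches is None:
        return
    with open(path, 'r+b') as f:
        if expected_sha256 is not None:
            digest = hashlib.sha256(f.read()).hexdigest()
            if digest != expected_sha256.lower():
                print('[-] sha256 mismatch: %s' % digest)
                return
        # Pass 1: check every expected byte sequence; stop before any write.
        verified = []
        for patch in patches:
            offset = patch['offset'] - BASE
            original = bytes(patch['original'])
            f.seek(offset)
            data = f.read(len(original))
            if data != original:
                print('[-] bytes do not match')
                hexdump(data, offset)
                return
            print('[+] patching %d bytes' % len(original))
            hexdump(data, offset)
            verified.append((offset, bytes(patch['patched'])))
        # Pass 2: all checks passed, write the replacements.
        for offset, replacement in verified:
            f.seek(offset)
            f.write(replacement)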
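def main():
    """Copy ./csc to ./csc_patched and apply every entry of `patches` to the copy."""
    # shutil.copy keeps the source's mode bits (as `cp` does) without going
    # through a shell, and raises instead of silently ignoring a failed copy.
    shutil.copy('./csc', './csc_patched')
    patch_all(patches=patches)
if __name__ == '__main__':
    main()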