Created February 12, 2020 08:09
good bug on 7
Data downloaded over USB is stored in 'dl_buf' @ 0x02021800. It contains a uint32_t size field 'dl_size' at offset 0x4.
There's a check to ensure 'dl_size' is smaller than 0x4E800.
However, an integer overflow bypasses the check if the size is larger than 0xFDFDE7FF (0x02021800 + 0xFDFDE7FF = 0xFFFFFFFF, so the threshold is exactly where a 32-bit 'dl_buf' + 'dl_size' computation wraps, which suggests the check is done on the end address rather than on the size itself).
'dl_buf' can be overflowed that way, but not sure if that is exploitable, because the buffer is probably located at the end of memory.
However, there's another interesting detail if 'dl_size' is larger than 0xfffe00:
for every bulk transfer packet received, 'dl_size' is decreased by 0xfffe00 and 'dl_buf' is increased by 0xfffe00.
By sending empty bulk packets, we can advance 'dl_buf' without writing any data to 'dl_buf'.
Finally, when 'dl_size' is smaller than 0xfffe00, the last bulk transfer is written at the now attacker-controlled address 'dl_buf'.
To achieve finer granularity on the 'dl_buf' pointer, the first bulk transfer can be used to increase 'dl_buf' by up to 64KB.
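To make the arithmetic above concrete, here is an added C model written for this page (it is not the firmware's code, nor the gist author's). It models the two behaviours described: the size check that wraps in 32-bit arithmetic, next to a hardened form, and the packet loop that walks 'dl_buf' by 0xfffe00 per empty packet. The exact form of the flawed check (comparing the 32-bit end address 'dl_buf' + 'dl_size' against 'dl_buf' + 0x4E800) is an assumption, chosen because 0x02021800 + 0xFDFDE7FF = 0xFFFFFFFF reproduces the stated 0xFDFDE7FF threshold exactly. The 'first_offset' parameter (the up-to-64KB adjustment from the first transfer), the rule that this first transfer does not consume 'dl_size', and all function and type names are likewise assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constants taken from the note above. */
#define DL_BUF_BASE  0x02021800u   /* address of 'dl_buf' */
#define DL_MAX_SIZE  0x0004E800u   /* 'dl_size' must be smaller than this */
#define DL_CHUNK     0x00FFFE00u   /* per-packet advance while dl_size > DL_CHUNK */

/*
 * Assumed reconstruction of the flawed check (not the real firmware code).
 * The note only says the check fails open for dl_size > 0xFDFDE7FF; since
 * 0x02021800 + 0xFDFDE7FF == 0xFFFFFFFF, a comparison on the 32-bit end
 * address explains that threshold exactly, so that is what is modelled.
 */
static bool check_size_flawed(uint32_t dl_size)
{
    uint32_t end = DL_BUF_BASE + dl_size;      /* wraps modulo 2^32 */
    return end < DL_BUF_BASE + DL_MAX_SIZE;    /* equals "dl_size < 0x4E800" only without wrap */
}

/* Hardened form: compare the size itself, so there is no sum that can wrap. */
static bool check_size_fixed(uint32_t dl_size)
{
    return dl_size < DL_MAX_SIZE;
}

struct dl_walk {
    uint32_t final_buf;     /* where the last bulk transfer would be written */
    uint32_t empty_packets; /* empty packets needed to move the pointer there */
    uint32_t remaining;     /* dl_size left when the final write happens */
};

/*
 * Simulate the packet loop the note describes: while dl_size > DL_CHUNK, each
 * bulk packet (even an empty one) adds DL_CHUNK to dl_buf and subtracts it from
 * dl_size; the first packet that arrives once dl_size <= DL_CHUNK is written at
 * dl_buf. 'first_offset' models the up-to-64KB adjustment the note attributes
 * to the first bulk transfer; how that transfer affects dl_size is not stated,
 * so this model (an assumption) leaves dl_size untouched by it.
 */
static struct dl_walk walk_download(uint32_t dl_size, uint32_t first_offset)
{
    struct dl_walk w = { DL_BUF_BASE + first_offset, 0, dl_size };
    while (w.remaining > DL_CHUNK) {
        w.remaining -= DL_CHUNK;
        w.final_buf += DL_CHUNK;   /* 32-bit pointer arithmetic wraps just like the size did */
        w.empty_packets++;
    }
    return w;
}

int main(void)
{
    /* Constructed sample sizes: two legitimate, one just below and two above the wrap threshold. */
    const uint32_t sizes[] = { 0x00001000u, 0x0004E800u, 0xFDFDE7FFu, 0xFDFDE800u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        uint32_t s = sizes[i];
        printf("dl_size=0x%08X flawed=%s fixed=%s\n", (unsigned)s,
               check_size_flawed(s) ? "pass" : "reject",
               check_size_fixed(s) ? "pass" : "reject");
        if (check_size_flawed(s) && !check_size_fixed(s)) {
            struct dl_walk w = walk_download(s, 0);
            printf("  bypass: %u empty packets move dl_buf to 0x%08X, dl_size left 0x%X\n",
                   (unsigned)w.empty_packets, (unsigned)w.final_buf, (unsigned)w.remaining);
        }
    }
    return 0;
}
```

Under this model the wrap is only reachable for 'dl_size' in (0xFDFDE7FF, 0xFFFFFFFF], which yields 253 to 256 chunk advances, so the final 'dl_buf' lands at one of four bases (0xFF001E00, 0x00001C00, 0x01001A00 or 0x02001800) plus whatever the first transfer adds; that quantisation is a property of the model, not a claim about the device. The hardened check is the practitioner's takeaway: bound the size directly, and never validate a length by adding it to a base pointer in the same width as the pointer.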