Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
good bug on 7
downloaded data over usb is stored into 'dl_buf' @0x02021800. it contains a size field uint32_t 'dl_size' at 0x4.
There's a check to ensure 'dl_size' is smaller than 0x4E800.
however, an integer overflow can bypass the check if size is higher than 0xFDFDE7FF.
'dl_buf' can be overflowed that way, but not sure if exploitable, because probably located at the end of memory.
however, there's another interesting detail if 'dl_size' is larger 0xfffe00 :
for every bulk transfer packet received, 'dl_size' is decreased by 0xfffe00 and 'dl_buf' is increased by 0xfffe00.
by sending empty bulk packets, we can overflow 'dl_buf' without writing any data to 'dl_buf'.
finally, when 'dl_size' is smaller than 0xfffe00, the last bulk transfer is written at arbitrary address 'dl_buf'.
To achieve finer granularity on 'dl_buf' pointer, the first bulk transfer can be used to increase 'dl_buf' up to 64kb.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment