good bug on 7
|Data downloaded over USB is stored into 'dl_buf' @0x02021800. It contains a uint32_t size field 'dl_size' at offset 0x4.
|There's a check to ensure 'dl_size' is smaller than 0x4E800.
|However, an integer overflow can bypass the check if the size is higher than 0xFDFDE7FF.
|'dl_buf' can be overflowed that way, but not sure if exploitable, because it is probably located at the end of memory.
|However, there's another interesting detail if 'dl_size' is larger than 0xfffe00:
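The wrap-around in the size check above is the classic "add then compare" pointer-range mistake. The following is an added example, not the gist author's code or the firmware's, reconstructing the check as a 32-bit end-address comparison (an assumption, but the only form for which the 0xFDFDE7FF threshold falls out of the constants given: 0x02021800 + 0xFDFDE7FF = 0xFFFFFFFF) beside a hardened version that compares the size itself and cannot wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constants from the note. */
#define DL_BUF_BASE 0x02021800u              /* address of dl_buf            */
#define DL_SIZE_MAX 0x0004E800u              /* dl_size must be below this    */
#define DL_BUF_END  (DL_BUF_BASE + DL_SIZE_MAX) /* 0x02070000, one past buffer */

/* Assumed reconstruction of the flawed check: the end address is computed
 * in 32-bit arithmetic and compared against the end of the buffer.  For
 * dl_size > 0xFDFDE7FF the addition wraps past 0xFFFFFFFF, the result is a
 * small address, and the comparison passes. */
bool check_wrapping(uint32_t dl_size)
{
    uint32_t end = DL_BUF_BASE + dl_size;    /* may wrap */
    return end < DL_BUF_END;
}

/* Hardened check: compare the size against the limit directly.  No addition
 * is involved, so there is nothing to wrap. */
bool check_safe(uint32_t dl_size)
{
    return dl_size < DL_SIZE_MAX;
}

/* Hardened form for the general case where base and end are runtime values:
 * subtract instead of add, so the bound itself cannot overflow. */
bool check_safe_range(uint32_t base, uint32_t dl_size, uint32_t end)
{
    return base <= end && dl_size < end - base;
}

int main(void)
{
    const uint32_t sizes[] = { 0x1000u, 0x4E800u, 0xFDFDE7FFu, 0xFDFDE800u };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        printf("dl_size=0x%08X  wrapping check: %s  safe check: %s\n",
               sizes[i],
               check_wrapping(sizes[i]) ? "ACCEPT" : "reject",
               check_safe(sizes[i])     ? "ACCEPT" : "reject");
    }
    return 0;
}
```

Only the last row differs between the two columns: the wrapping check accepts 0xFDFDE800 while the safe check rejects it.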
|For every bulk transfer packet received, 'dl_size' is decreased by 0xfffe00 and 'dl_buf' is increased by 0xfffe00.
|By sending empty bulk packets, we can advance 'dl_buf' past the end of the buffer without writing any data to it.
|Finally, when 'dl_size' is smaller than 0xfffe00, the last bulk transfer is written to the arbitrary address 'dl_buf' now points at.
|To achieve finer granularity on the 'dl_buf' pointer, the first bulk transfer can be used to increase 'dl_buf' by up to 64 KB.