#!/usr/bin/python3
#
# This file is part of asadbg.
# Copyright (c) 2017, Aaron Adams <aaron.adams(at)nccgroup(dot)trust>
# Copyright (c) 2017, Cedric Halbronn <cedric.halbronn(at)nccgroup(dot)trust>
#
# This GDB script is a wrapper on top of libmempool/libmempool_gdb.py,
# except that we automatically detect the ASA version and add an additional
# `mpsymbols` command that can be used to dump out the symbols, if known
import os
import sys
import importlib
# Our own libraries
cwd = os.getcwd()
# Put the working directory first on the module path so the sibling helper
# modules (helper_gdb, helper) resolve when the script is sourced from GDB.
# NOTE(review): index 0 means a helper.py / helper_gdb.py sitting in whatever
# directory GDB was started from takes precedence over the real ones -- source
# this script from the asadbg checkout only.
sys.path.insert(0, cwd)
import helper_gdb as hgdb
# presumably reloaded so edits to the helpers are picked up when the script is
# re-sourced inside a long-running GDB session -- verify against usage
importlib.reload(hgdb)
import helper as h
importlib.reload(h)
# libmempool is vendored as a sub-directory; same shadowing caveat as above.
sys.path.insert(0, os.path.join(cwd, "libmempool"))
import libmempool_gdb as lmp_gdb
importlib.reload(lmp_gdb)
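class logger:
    """Minimal console logger for this script.

    ``str`` messages are prefixed with ``[asa_libmempool]`` so they are easy
    to tell apart from libmempool's own output; any other object is printed
    as-is so callers can dump arbitrary values.
    """

    def logmsg(self, s, end=None):
        """Print *s* to stdout.

        Args:
            s: the message. ``str`` instances (including subclasses, which the
               old ``type(s) == str`` test excluded) get the script prefix;
               anything else is handed straight to ``print()``.
            end: optional line terminator forwarded to ``print()``. ``None``
               keeps ``print()``'s default newline, so one call covers both
               the custom-``end`` and the plain case.
        """
        if isinstance(s, str):
            print("[asa_libmempool] " + s, end=end)
        else:
            # Non-string payloads are printed verbatim; ``end`` is deliberately
            # not applied here, matching the original behaviour.
            print(s)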
# hardcoded symbols so we don't have to remember them
# these could also be based on mempool_array like in libdlmalloc
# Keyed by firmware file name (the value returned by hgdb.get_info() and
# looked up in mpsymbols.invoke); each entry maps a mempool symbol name to
# its address in that specific build. The addresses are build-specific and
# will not hold for a firmware image that is not listed here.
mp_global_symbols = {
"asav962-7.qcow2":{
"mp_mstate": 0x7ffff7ff73c0
},
"asav941-200.qcow2":{
"mp_mstate": 0x7ffff6e273c0,
},
"asa924-k8.bin":{
"mp_mstate" : 0xa84001e4,
},
"asa912-smp-k8.bin":{
"mp_mstate" : 0x7fff1ebf73b8,
},
}
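class mpsymbols(gdb.Command):
    """GDB command ``mpsymbols``: print the known mempool symbols for the loaded firmware.

    ``gdb`` is not imported explicitly: GDB's embedded interpreter provides it.

    On construction the command looks the running firmware up in the asadbg
    target database named by ``ASADBG_DB`` and derives the mempool header
    version from the target's ``heap_alloc`` field. The result is exposed as
    ``mh_version`` and consumed by the libmempool commands registered in the
    ``__main__`` section; ``initOK`` tells ``invoke`` whether that setup
    succeeded.

    Attributes:
        initOK: True only when the target was found and its allocator recognised.
        libdl: unused here, kept for interface compatibility.
        target: the matching target dict from the database, or None.
        mh_version: one of ``lmp_gdb.lmp.MEMPOOL_VERSION_*``, or None.
        bin_name: firmware name reported by ``hgdb.get_info()``.
    """

    help_str = "mpsymbols : show ASA mempool symbols"

    def __init__(self):
        super(mpsymbols, self).__init__("mpsymbols", gdb.COMMAND_DATA, gdb.COMPLETE_NONE)
        self.initOK = False
        self.libdl = None
        self.target = None
        self.mh_version = None
        self.log = logger()
        targetdb = os.environ.get("ASADBG_DB")
        if targetdb is None:
            self.log.logmsg("You need to define ASADBG_DB first")
            # Abort loading the script, as before, but via sys.exit(): the
            # site-module ``exit()`` quitter also closes stdin, which is not
            # wanted inside a GDB session.
            sys.exit(1)
        self.bin_name = hgdb.get_info()
        self.log.logmsg("firmware name: %s" % self.bin_name)
        # First target whose firmware name matches; None when there is none.
        self.target = next(
            (t for t in h.load_targets(targetdb) if t["fw"] == self.bin_name),
            None,
        )
        if not self.target:
            self.log.logmsg("[!] Could not find bin name in targets")
            return
        self.mh_version = self._detect_mh_version(self.target.get("heap_alloc"))
        if self.mh_version is None:
            # Unknown allocator: leave initOK False so invoke() refuses to run.
            return
        self.initOK = True

    def _detect_mh_version(self, heap_alloc):
        """Map the target's ``heap_alloc`` string to a libmempool header version.

        Args:
            heap_alloc: the target's allocator description, or None when the
                target has no such field.

        Returns:
            ``lmp_gdb.lmp.MEMPOOL_VERSION_2`` for dlmalloc 2.8 / ptmalloc (and
            as the default when the field is missing),
            ``lmp_gdb.lmp.MEMPOOL_VERSION_1`` for dlmalloc 2.6, and None
            (after logging) for anything else.
        """
        if heap_alloc is None:
            self.log.logmsg("[!] Could not find heap alloc in target, defaulting to mempool header v2")
            return lmp_gdb.lmp.MEMPOOL_VERSION_2
        if "dlmalloc 2.8" in heap_alloc or "ptmalloc" in heap_alloc:
            self.log.logmsg("Detected mempool header v2")
            return lmp_gdb.lmp.MEMPOOL_VERSION_2
        if "dlmalloc 2.6" in heap_alloc:
            self.log.logmsg("Detected mempool header v1")
            return lmp_gdb.lmp.MEMPOOL_VERSION_1
        self.log.logmsg("[!] Need to add support for new heap alloc for detecting mempool header version?")
        return None

    def invoke(self, arg, from_tty):
        """Print the hardcoded mempool symbols for the current firmware.

        Args:
            arg: command-line argument string from GDB (unused).
            from_tty: whether the command was typed interactively (unused).
        """
        if not self.initOK:
            self.log.logmsg("[!] Could not use mpsymbols")
            return
        # Explicit lookup instead of a bare except so unrelated errors are
        # not silently reported as a missing table entry.
        mp_symbols = mp_global_symbols.get(self.bin_name)
        if mp_symbols is None:
            self.log.logmsg("mp_symbols failed to initalize, consider adding target to mp_global_symbols")
            return
        self.log.logmsg("mp_symbols:")
        for name, addr in mp_symbols.items():
            self.log.logmsg(" %s: 0x%x" % (name, addr))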
if __name__ == "__main__":
    # Entry point when GDB sources this file: instantiate the ASA-specific
    # command, then register the generic libmempool commands with the header
    # version it detected. Order of registration is preserved from the
    # original listing.
    log = logger()
    mps = mpsymbols()
    help_extra = mpsymbols.help_str
    lmp_gdb.mphelp(mh_version=mps.mh_version, help_extra=help_extra)
    for register_cmd in (
        lmp_gdb.mpbinwalk,
        lmp_gdb.mpheader,
        lmp_gdb.mpbin,
        lmp_gdb.mpmstate,
        lmp_gdb.mpfindchunk,
    ):
        register_cmd(mh_version=mps.mh_version)
    log.logmsg("loaded")