Open
When I run your exploit on my old Xiongmai cam, it cannot guess the correct stack section base, because all my 8188-byte-long entries have an RSS size of at least 8k:
Any idea on how to adapt the guessing algorithm to this model? (More model info below.)
[+] getting pidlist: found 41 processes
[+] searching for PID of '/usr/bin/Sofia': 812
[→] getting stack section base
(0, '0x622000', ((1996, 984, 984, 0, 0, 0, 984),))
(1, '0x818000', ((4, 4, 4, 0, 0, 0, 4),))
(2, '0x24a3000', ((5808, 5292, 5292, 0, 0, 0, 5292),))
(3, '0x4007f000', ((4, 4, 4, 0, 0, 0, 4),))
(4, '0x40080000', ((4, 4, 4, 0, 0, 0, 4),))
(5, '0x400c6000', ((4, 4, 4, 0, 0, 0, 4),))
(6, '0x400de000', ((4, 4, 4, 0, 0, 0, 4),))
(7, '0x40113000', ((4, 4, 4, 0, 0, 0, 4),))
(8, '0x40114000', ((8, 4, 4, 0, 0, 0, 4),))
(9, '0x4014d000', ((4, 4, 4, 0, 0, 0, 4),))
(10, '0x4014e000', ((40, 8, 8, 0, 0, 0, 8),))
(11, '0x4016a000', ((4, 4, 4, 0, 0, 0, 4),))
(12, '0x40247000', ((8, 8, 8, 0, 0, 0, 8),))
(13, '0x40249000', ((24, 12, 12, 0, 0, 0, 12),))
(14, '0x40266000', ((4, 4, 4, 0, 0, 0, 4),))
(15, '0x40279000', ((4, 4, 4, 0, 0, 0, 4),))
(16, '0x4030d000', ((8, 8, 8, 0, 0, 0, 8),))
(17, '0x4030f000', ((280, 280, 280, 0, 0, 0, 280),))
(18, '0x40356000', ((8188, 8, 8, 0, 0, 0, 8),))
(19, '0x40b92000', ((8188, 16, 16, 0, 0, 0, 16),))
(20, '0x413ae000', ((8188, 8, 8, 0, 0, 0, 8),))
(21, '0x41beb000', ((516, 516, 516, 0, 0, 0, 516),))
(22, '0x41c93000', ((8188, 12, 12, 0, 0, 0, 12),))
(23, '0x4249b000', ((10760, 3496, 3496, 0, 0, 0, 3496),))
(24, '0x42f65000', ((8188, 8, 8, 0, 0, 0, 8),))
(25, '0x437aa000', ((260, 4, 4, 0, 0, 0, 4),))
(26, '0x43839000', ((8188, 8, 8, 0, 0, 0, 8),))
(27, '0x4404c000', ((8188, 8, 8, 0, 0, 0, 8),))
(28, '0x4487d000', ((8704, 524, 524, 0, 0, 0, 524),))
(29, '0x45101000', ((8188, 20, 20, 0, 0, 0, 20),))
(30, '0x45943000', ((316, 56, 56, 0, 0, 0, 56),))
(31, '0x45a1c000', ((8188, 16, 16, 0, 0, 0, 16),))
(32, '0x4624c000', ((1000, 520, 520, 0, 0, 0, 520),))
(33, '0x465b6000', ((8188, 8, 8, 0, 0, 0, 8),))
(34, '0x46e56000', ((8188, 8, 8, 0, 0, 0, 8),))
(35, '0x47656000', ((8188, 8, 8, 0, 0, 0, 8),))
(36, '0x47e67000', ((8188, 8, 8, 0, 0, 0, 8),))
(37, '0x486bc000', ((8188, 12, 12, 0, 0, 0, 12),))
(38, '0x48ebc000', ((8188, 8, 8, 0, 0, 0, 8),))
(39, '0x497b4000', ((8860, 52, 52, 0, 0, 0, 52),))
(40, '0x4a06d000', ((8188, 8, 8, 0, 0, 0, 8),))
(41, '0x4a86d000', ((8188, 8, 8, 0, 0, 0, 8),))
(42, '0x4b06d000', ((8188, 8, 8, 0, 0, 0, 8),))
(43, '0x4b86d000', ((8188, 8, 8, 0, 0, 0, 8),))
(44, '0x4c0eb000', ((12288, 4108, 4108, 0, 0, 0, 4108),))
(45, '0x4ccec000', ((8188, 12, 12, 0, 0, 0, 12),))
(46, '0x4d520000', ((8188, 12, 12, 0, 0, 0, 12),))
(47, '0x4dd20000', ((8188, 8, 8, 0, 0, 0, 8),))
(48, '0x4e520000', ((8188, 8, 8, 0, 0, 0, 8),))
(49, '0x4ed25000', ((8188, 8, 8, 0, 0, 0, 8),))
(50, '0x4f525000', ((8188, 8, 8, 0, 0, 0, 8),))
(51, '0x4fd25000', ((8188, 8, 8, 0, 0, 0, 8),))
(52, '0x50525000', ((8188, 8, 8, 0, 0, 0, 8),))
(53, '0x50d25000', ((8188, 8, 8, 0, 0, 0, 8),))
(54, '0x515e3000', ((8188, 8, 8, 0, 0, 0, 8),))
(55, '0x51e89000', ((8188, 8, 8, 0, 0, 0, 8),))
(56, '0x52720000', ((8188, 8, 8, 0, 0, 0, 8),))
(57, '0x52f86000', ((8188, 8, 8, 0, 0, 0, 8),))
(58, '0x53786000', ((8188, 12, 12, 0, 0, 0, 12),))
(59, '0x54003000', ((8188, 16, 16, 0, 0, 0, 16),))
(60, '0x54868000', ((8188, 8, 8, 0, 0, 0, 8),))
(61, '0x550d4000', ((8188, 16, 16, 0, 0, 0, 16),))
(62, '0x558d4000', ((9196, 48, 48, 0, 0, 0, 48),))
(63, '0x56295000', ((8188, 12, 12, 0, 0, 0, 12),))
(64, '0x56acf000', ((8188, 8, 8, 0, 0, 0, 8),))
(65, '0x572cf000', ((8188, 32, 32, 0, 0, 0, 32),))
(66, '0x57b4a000', ((8188, 8, 8, 0, 0, 0, 8),))
(67, '0x5834a000', ((8188, 8, 8, 0, 0, 0, 8),))
(68, '0x58b9e000', ((8188, 8, 8, 0, 0, 0, 8),))
(69, '0x5940b000', ((8188, 8, 8, 0, 0, 0, 8),))
(70, '0x59c94000', ((8188, 8, 8, 0, 0, 0, 8),))
(71, '0x5a55e000', ((8188, 8, 8, 0, 0, 0, 8),))
(72, '0x5ad5e000', ((8188, 8, 8, 0, 0, 0, 8),))
(73, '0x5b5db000', ((8188, 8, 8, 0, 0, 0, 8),))
(74, '0x5be1a000', ((8188, 8, 8, 0, 0, 0, 8),))
(75, '0x5c6c4000', ((8188, 8, 8, 0, 0, 0, 8),))
(76, '0x5cf1e000', ((8188, 8, 8, 0, 0, 0, 8),))
(77, '0x5d71e000', ((8188, 8, 8, 0, 0, 0, 8),))
(78, '0x5df1e000', ((8188, 12, 12, 0, 0, 0, 12),))
(79, '0x5e71e000', ((8188, 12, 12, 0, 0, 0, 12),))
(80, '0xbed2c000', ((140, 136, 136, 0, 0, 0, 136),))
enter stack region id (guessed value = -1):
More model info:
cat /proc/cpuinfo
Processor : ARM926EJ-S rev 5 (v5l)
BogoMIPS : 218.72
Features : swp half thumb fastmult edsp java
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant : 0x0
CPU part : 0x926
CPU revision : 5
Hardware : hi3518
Revision : 0000
Serial : 0000000000000000
Hardware is detected as 50H10L