Merge pull request nccgroup#12 from cq674350529/feat/enhancing_disabl…

…e_aslr use kernel parameter "norandmaps" to disable ASLR for the newest images
NimdaKey · Mar 26, 2019 · 9de16bd · 9de16bd
2 parents 1ce62cd + 0162ac3
commit 9de16bd
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 5 deletions.
diff --git a/bin.py b/bin.py
@@ -193,6 +193,31 @@ def unroot(firmwarefile, out_bin_name=None):
     logmsg("unroot: Writing %s (%d bytes)..." % (out_bin_name, len(data)))
     open(out_bin_name, 'wb').write(data)
 
+# For some firmwares such as asav9101.qcow2, use kernel parameter 'norandmaps' to disable ASLR instead.
+def disable_aslr(firmwarefile, out_bin_name=None):
+
+    if out_bin_name == None:
+        fileinfo = os.path.splitext(firmwarefile)
+        out_bin_name = fileinfo[0] + '-noaslr' + fileinfo[1]
+    original_cmdline = b"quiet loglevel=0 auto"
+    replace_cmdline = b"norandmaps quiet"
+
+    bin_data = open(firmwarefile, 'rb').read()
+    idx = bin_data.rfind(original_cmdline)
+    if idx == -1:
+        logmsg("Warning: Could not find kernel command line, trying alternative method")
+        # e.g. for 8.0.3
+        original_cmdline = b"auto quiet loglevel=0"
+        idx = bin_data.rfind(original_cmdline)
+        if idx == -1:
+            logmsg("Error: Could not find kernel command line")
+            sys.exit(1)
+    while len(replace_cmdline) < len(original_cmdline):
+        replace_cmdline += b' '
+    bin_data = bin_data.replace(original_cmdline, replace_cmdline)
+    logmsg("disable_aslr: Writing %s (%d bytes)..." % (out_bin_name, len(bin_data)))
+    open(out_bin_name, 'wb').write(bin_data)
+
 if __name__ == '__main__':
     parser = argparse.ArgumentParser()
     parser.add_argument('-f', '--firmware-file', dest='firmware_file', default=None)
@@ -201,6 +226,7 @@ def unroot(firmwarefile, out_bin_name=None):
     parser.add_argument('-r', '--repack', dest='repack', default=False, action="store_true")
     parser.add_argument('-t', '--root', dest='root', default=False, action="store_true")
     parser.add_argument('-T', '--unroot', dest='unroot', default=False, action="store_true")
+    parser.add_argument('-A', '--disable-aslr', dest='disable_aslr', default=False, action="store_true")
     parser.add_argument('-o', '--output-file', dest='outputfile', default=None)
     args = parser.parse_args()
 
@@ -211,7 +237,11 @@ def unroot(firmwarefile, out_bin_name=None):
         if not args.firmware_file or not args.gzip_file:
             parser.error("[bin] Error: Provide a firmware and a gzip file for repacking")
         repack(args.firmware_file, args.gzip_file, args.outputfile)
-        if args.root:
+        if args.disable_aslr:
+            disable_aslr(args.outputfile, args.outputfile)
+            if args.root:
+                logmsg("Warning: Ignore '--root' option for we have to disable ASLR using kernel parameter 'norandmaps'")
+        elif args.root:
             root(args.outputfile, args.outputfile)
         sys.exit()
 
@@ -221,6 +251,15 @@ def unroot(firmwarefile, out_bin_name=None):
         unpack(args.firmware_file)
         sys.exit()
 
+    # For option args.disable_aslr has conflict with option args.root, just give preference to the former.
+    if args.disable_aslr:
+        if not args.firmware_file:
+            parser.error("[bin] Error: Provide a firmware file for disabling ASLR")
+        disable_aslr(args.firmware_file, args.outputfile)
+        if args.root:
+            logmsg("Warning: Ignore '--root' option for we have to disable ASLR using kernel parameter 'norandmaps'")
+        sys.exit()
+
     if args.root:
         if not args.firmware_file:
             parser.error("[bin] Error: Provide a firmware file for rooting")

diff --git a/unpack_repack_bin.sh b/unpack_repack_bin.sh
@@ -404,7 +404,16 @@ disable_aslr()
         #echo "kernel.randomize_va_space = 0" >> etc/sysctl.conf.procps
         # because it looks like rcS.common overrides our value later in the boot process
         # so we just make the modification in rcS.common :)
-        sed -i 's/echo 2 > \/proc\/sys\/kernel\/randomize_va_space/echo 0 > \/proc\/sys\/kernel\/randomize_va_space/' asa/scripts/rcS.common
+
+        # deal with case when no randomize_va_space in asa/scripts/rcS.common, such as asav9101.qcow2
+        VASPACE=$(grep randomize_va_space "asa/scripts/rcS.common")
+        if [ -n "$VASPACE" ]
+        then
+            sed -i 's/echo 2 > \/proc\/sys\/kernel\/randomize_va_space/echo 0 > \/proc\/sys\/kernel\/randomize_va_space/' asa/scripts/rcS.common
+        else
+            # use kernel parameter 'norandmaps' instead
+            DISABLE_ASLR_ARGS=--disable-aslr
+        fi
     fi
 }
 
@@ -942,11 +951,11 @@ repack_bin()
     else
         ROOTARGS=
     fi
-    dbglog ${FWTOOL} -r -f "$FWFILE" -g "$GZIP_MODIFIED" -o "$OUTFILE" $ROOTARGS
-    ${FWTOOL} -r -f "$FWFILE" -g "$GZIP_MODIFIED" -o "$OUTFILE" $ROOTARGS
+    dbglog ${FWTOOL} -r -f "$FWFILE" -g "$GZIP_MODIFIED" -o "$OUTFILE" $ROOTARGS $DISABLE_ASLR_ARGS
+    ${FWTOOL} -r -f "$FWFILE" -g "$GZIP_MODIFIED" -o "$OUTFILE" $ROOTARGS $DISABLE_ASLR_ARGS
     if [ $? != 0 ];
     then
-        log "${FWTOOL} -r -f "$FWFILE" -g "$GZIP_MODIFIED" -o "$OUTFILE" $ROOTARGS failed"
+        log "${FWTOOL} -r -f "$FWFILE" -g "$GZIP_MODIFIED" -o "$OUTFILE" $ROOTARGS $DISABLE_ASLR_ARGS failed"
         exit 1
     fi