[00:01:10] *** Joins: franklin (~quassel@cpe-071-071-039-006.triad.res.rr.com)
[00:02:21] *** franklin is now known as [Franklin]
[00:46:35] *** Quits: Kebianizao (~kvirc@250.9.219.87.dynamic.jazztel.es) (Quit: Estaba usando KVIrc KVIrc Equilibrium 4.2.0, revision: 420, sources date: 20120701, built on: 2014-11-08 17:16:37 UTC 420 http://www.kvirc.net/)
[01:33:35] hmmph. Can't find a (working) TTF assembler
[01:36:36] <[Franklin]> ttf... truetype font?
[01:38:10] [Franklin]: indeed
[01:38:18] <[Franklin]> really?
[01:38:41] Long story short, a few years back, a Google security researcher used a fuzzer on freetype and reported a dozen or so vulns,
[01:38:45] they were quickly fixed,
[01:38:57] but there were a LOT of old versions of the package out there.
[01:39:17] the 6G is one such device that uses a vulnerable version of freetype
[01:39:43] It's a buffer overflow, so it isn't exactly trivial to exploit (and even to get a crash requires some specialized conditions)
[01:39:44] <[Franklin]> ohh
[01:39:52] But it should be possible
[01:40:12] <[Franklin]> nice
[01:40:29] [Franklin]: did you get my messages from this morning?
[01:40:34] <[Franklin]> no
[01:40:37] sec
[01:56:54] Looking closer into the resources; found the localization files
[01:57:04] If all goes as expected, I'll post a pic soon
[02:07:25] c'mon work work work
[02:13:02] Hmmm
[02:15:32] appears my luck might be running out..
[02:16:38] ow8
[02:16:42] it worked ^_^
[02:19:18] *** Quits: [Franklin] (~quassel@cpe-071-071-039-006.triad.res.rr.com) (Ping timeout: 250 seconds)
[02:20:01] TheSeven user890104: https://dumpyourphoto.com/photo/qmSI7YsYam
[02:20:46] *** Joins: franklin (~quassel@cpe-071-071-039-006.triad.res.rr.com)
[02:23:16] franklin: you're [Franklin]?
[02:49:05] So, uh...
[02:50:42] *** franklin is now known as [Franklin]
[02:59:41] Steps to perform:
[02:59:46] 1. Get ipsw
[02:59:51] 2. Unzip
[03:00:01] 3. Open up Firmware.MSE in a hex editor
[03:01:26] 4. Edit the resources in place. For instance, I found the Spanish localization files and changed a few things around
[03:01:44] <[Franklin]> so they're just in there raw?
[03:01:58] <[Franklin]> and no checksums/signatures?
[03:02:02] wait
[03:02:28] 5. There is a checksum/signature on this section. Attempting to flash now will render your iPod unbootable (disk mode)
[03:02:52] 6. Search from the top for the string DNANksid (NAND-flash disk section). For this firmware, it is at offset 20480
[03:03:03] <[Franklin]> nice number :)
[03:03:10] <[Franklin]> 1<<11*10
[03:03:21] <[Franklin]> anyway, continue
[03:03:45] 7. Change ksid to soso and a few hundred bytes later where it says DNANsoso, change that to DNANksid
[03:04:04] <[Franklin]> what's this doing?
[03:04:09] <[Franklin]> DNAN is NAND in little-endian
[03:04:16] <[Franklin]> so the checksum?
[03:10:31] <[Franklin]> wait... this thing doesn't allow video playback with OF?!
[03:13:12] 8. This will swap disk mode and the main OS mode, so when the checksum fails and it tries to boot into disk mode, it gets tricked into booting into OS mode. This has the side effect of becoming software-bricked if you shut it down, but a simple connection to iTunes (no flashing or anything) is enough to get it back to OS-mode.
[03:13:48] 9. Rezip the files back into an IPSW, connect the iPod to iTunes, shift-click restore and click the IPSW, wait a few minutes, and you're done
[03:13:59] <[Saint]> [Franklin]: it has a 1.1" screen.
[03:14:09] still :P
[03:14:13] <[Franklin]> oh... ksid=disk soso=osos
[03:14:18] yeah kik
[03:14:18] <[Saint]> granted, it's quite high res.. but, yeah.
[03:14:20] *lol
[03:14:20] * [Franklin] hates little-endian
[03:14:26] WHAT
[03:14:27] NO
[03:14:27] NO
[03:14:28] NO
[03:14:28] NO
[03:14:29] NO
[03:14:31] Intel is magic
[03:14:31] <[Franklin]> YES
[03:14:32] <[Franklin]> YES
[03:14:33] <[Franklin]> YES
[03:14:46] [Saint]: there's no anti-spam rules.. right?
[03:14:46] <[Franklin]> it's just inconvenient
[03:15:02] <[Saint]> likely so, but, I can't enforce them.
[03:15:11] :P
[03:15:18] <[Franklin]> ooh fun
[03:15:20] [Saint]: See my picture?
[03:15:44] [Franklin]: Granted, if every machine in the world was running one endian, I would prefer big-endian
[03:15:59] <[Franklin]> shadowcoder: the one you showed me?
[03:16:07] yeah
[03:16:16] It was posted in here right after you dc'ed
[03:16:19] <[Franklin]> ok here: https://dumpyourphoto.com/photo/qmSI7YsYam
[03:16:48] Anyways
[03:17:39] Time to figure out how to make freetype boot rockbox ^_^
[03:17:44] <[Franklin]> lol
[03:17:57] <[Franklin]> can you run arbitrary code now?
[03:18:07] <[Franklin]> or just play around with strings?
[03:18:12] Can't actually run any code yet
[03:18:17] Everything but rsrc is encrypted
[03:18:33] Granted, rsrc contains all the strings, images, fonts, and sounds
[03:18:50] But without another exploit, no code yet
[03:19:18] <[Franklin]> shadowcoder: how does freetype come into play here?
[03:19:37] [Franklin]: It
[03:19:50] This device is running an older version of freetype,
[03:19:58] released before a huge string of vulns were reported
[03:19:58] <[Franklin]> to do what?
[03:20:32] I have a list of like 30 potential buffer overflows which this is vulnerable to; inevitably, one of them will work
[03:20:44] <[Franklin]> but where's it used?
[03:21:02] Everywhere?
[03:21:31] Freetype is used for rendering fonts and therefore any and all text on this device will be passed through freetype at some point
[03:21:41] <[Franklin]> so you're gonna try to edit the font in the resource section to exploit a buffer overflow?
[03:21:58] Pretty much
[03:22:50] <[Franklin]> shadowcoder: what version exactly does the nano use?
[03:23:17] Not certain
[03:23:37] The copyright is from 2006-2009, which is the right timeframe,
[03:23:43] <[Franklin]> ok so you're just going to try all the exploits listed?
[03:23:57] well, only a few are actually applicable to this
[03:24:51] <[Franklin]> http://www.cvedetails.com/cve/CVE-2012-1126/ looks very promising
[03:24:59] <[Franklin]> "possibly execute arbitrary code via crafted property data in a BDF font."
[03:26:07] TTF
[03:26:26] <[Franklin]> it says bdf :P
[03:26:35] no, the fonts here are TTF
[03:26:40] BDF fonts won't work (I don't think?)
[03:26:49] <[Franklin]> can you read pdfs on the nano?
[03:27:07] Doubtful
[03:27:27] <[Franklin]> this too: http://www.cvedetails.com/cve/CVE-2012-1128/
[03:27:37] <[Franklin]> possibly execute arbitrary code via a crafted TrueType font.
[03:27:52] That's one of the ones I was looking at
[03:28:10] <[Franklin]> too bad it doesn't say how to exploit it :)
[03:29:40] It doesn't, but if you dig deep enough, the patches are somewhere
[03:29:53] <[Franklin]> look at this: https://github.com/comex/star
[03:30:01] <[Franklin]> it was used to jailbreak iphones
[03:30:06] <[Franklin]> via freetype
[03:30:12] yeah
[03:31:51] Anyways, let's see if we can find the patch for this, then RE that, then figure out how to exploit it, then craft a font to do this, then design a NOP sled, then find the general address, then get code execution, then get a bootloader running, then get it to run code from the disk-mode accessible portion, then port rockbox to it :P
[03:32:44] (mostly Google fu)
[03:32:47] <[Franklin]> :)
[03:33:04] <[Franklin]> http://www.cvedetails.com/cve/CVE-2010-3814/ looks good too
[03:33:22] <[Franklin]> actually, not really
[03:33:26] Yeah
[03:33:29] heap is too hard to exploit
[03:33:42] (IMO)
[03:33:43] <[Franklin]> I'd say CVE-2012-1128 is the best bet for now
[03:34:23] See if you can find the relevant patch then
[03:35:14] [Franklin]: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=96cddb8d1d32d6738b06552083db9d6cee5b5cb4
[03:35:32] <[Franklin]> the magic of open-source :)
[03:35:58] haha
[03:36:34] <[Franklin]> ok... I can't really understand that commit
[03:36:38] neither can I
[03:37:02] * [Franklin] joins #freetyper
[03:37:03] * [Franklin] joins #freetype
[03:37:07] TheSeven user890104 [Saint]: Think you can decipher what this patch does: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=96cddb8d1d32d6738b06552083db9d6cee5b5cb4 ?
[03:37:56] <[Franklin]> shadowcoder: how'd you find that commit?
[03:38:20] Linked from redhat's bugzilla
[03:38:40] <[Franklin]> I saw this on NVD http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0b1c0c6b20bf121096afff206d570f26183402b3
[03:38:50] <[Franklin]> actually, on mozilla's bugzilla
[03:39:14] <[Franklin]> oh wait... that's bdf?
[03:39:16] yeah
[03:39:17] <[Franklin]> never mind
[03:39:28] <[Franklin]> so yeah, looks like http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=96cddb8d1d32d6738b06552083db9d6cee5b5cb4
[03:39:50] <[Franklin]> ok... it's patching a bytecode interpreter, it seems
[03:39:56] Look into CVE-2012-1138 and CVE-2012-1135
[03:40:17] <[Franklin]> no, that's FF mobile
[03:40:25] <[Franklin]> oh, never mind
[03:40:32] <[Franklin]> it should still apply
[03:40:34] yeah
[03:41:27] <[Franklin]> OK... CVE-2012-1128, CVE-2012-1135, and CVE-2012-1138 are all promising
[03:42:22] <[Franklin]> shadowcoder: I'm looking into the truetype bytecode
[03:45:32] * [Franklin] gets a crash course on fonts
[03:46:04] Going to head off to sleep
[03:46:17] If you find anything, well, I have a bouncer :)
[03:46:34] <[Franklin]> :D
[04:00:56] <[Franklin]> man... 200 opcodes in a *font*!?
[04:04:15] <[Franklin]> the freetype docs don't have much on the bytecode engine
[04:21:48] <[Franklin]> shadowcoder: this looks very simple: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=5dddcc45a03b336860436a180aec5b358517336b
[04:21:56] <[Franklin]> CVE-2012-1135
[04:22:46] <[Franklin]> shadowcoder: and this: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a33c013fe2dc6e65de2879682201d9c155292349
[04:22:46] <[Franklin]> both very simple typos
[04:25:07] <[Franklin]> but they could be exploited with some skill and patience
[04:27:53] <[Franklin]> that's all for now, going to bed
[04:31:57] *** Quits: [Franklin] (~quassel@cpe-071-071-039-006.triad.res.rr.com) (Ping timeout: 240 seconds)
[06:08:24] *** Quits: prof_wolfff (~prof_wolf@82.158.1.206.dyn.user.ono.com) (Ping timeout: 264 seconds)
[06:21:23] *** Joins: prof_wolfff (~prof_wolf@82.158.1.206.dyn.user.ono.com)
[06:46:47] *** Quits: TheSeven (~quassel@rockbox/developer/TheSeven) (Ping timeout: 272 seconds)
[06:47:39] *** Joins: TheSeven (~quassel@rockbox/developer/TheSeven)
[16:14:54] *** Quits: Elfish (amba@2001:1608:12:1:13:3:3:7) (Ping timeout: 272 seconds)
[16:16:33] *** Quits: TheSeven (~quassel@rockbox/developer/TheSeven) (Read error: Connection reset by peer)
[16:17:26] *** Joins: Elfish (amba@2001:1608:12:1:13:3:3:7)
[16:18:50] *** Joins: TheSeven (~quassel@rockbox/developer/TheSeven)
[20:22:21] *** Quits: prof_wolfff (~prof_wolf@82.158.1.206.dyn.user.ono.com) (Ping timeout: 265 seconds)
[22:55:32] *** Quits: fmibot (~ircbot@freemyipod.org) (Remote host closed the connection)
[22:57:50] *** Joins: fmibot (~ircbot@freemyipod.org)
[22:57:50] *** ChanServ sets mode: +o fmibot
[22:59:01] *** Quits: fmibot (~ircbot@freemyipod.org) (Remote host closed the connection)
[22:59:22] *** Joins: fmibot (~ircbot@freemyipod.org)
[22:59:22] *** ChanServ sets mode: +o fmibot
[22:59:50] uhm... the freemyipod virtual server needs a memory upgrade :P
[23:04:29] *** Quits: fmibot (~ircbot@freemyipod.org) (Remote host closed the connection)
[23:04:45] *** Joins: fmibot (~ircbot@freemyipod.org)
[23:04:45] *** ChanServ sets mode: +o fmibot