
ilo4_toolbox's Issues

Fan Speed Mod

Is it possible to make a fan speed mod for the ILO? In the elf.bin there is a Thermal.json file that I think could be modified to allow the temperature thresholds to be modified.

Methods to recover broken firmware

After a number of custom firmware flashes, I now have an unresponsive iLO. Web does not work, SSH does not work, iLO is not visible during boot, and HP's Linux-based flasher also does not work.

Is there another way (short of a SPI programmer) to recover from a bad update? A backup ROM, perhaps?

how to recover symbols

Hi, how do you recover the standard library function symbols table or all other symbols?
IDA can't recognize symbols such as strcmp printf...
Thanks.

iloscan error

Hello!
I got an error when running the compiled iloscan (with edited targets: one IP range).
Error message:
panic: runtime error: index out of range
goroutine 1 [running]:
main.main()
../iloscan.go:157 +0x2e5

So line 157 is "targets := []string{os.Args[1]}"

What could it be?

ILO crashed when 3G to 4G memory holes are read

Hi,
I am trying to traverse the physical memory through DMA. When I read an address above 3G (possibly an MMIO address), iLO will crash and restart.
Reading addresses that exceed the upper limit of physical memory can cause the same problem.
It can be determined that the CopyFromMemoryRegion function caused the crash after writing the address to the register.
iLO version is iLO4 - 250, hardware is HP Microserver Gen 8, and I tried both the web & ssh exploit.

My question is:

  1. Is there a method to determine the unreadable addresses in the physical address space through iLO (MMIO, VT-d protection, exceeding the upper limit of memory, etc.)?
  2. If an unreadable address is written to the register, can I check a flag bit or something before calling CopyFromMemoryRegion to prevent iLO from crashing?

I tried to reverse the CHIF task, but couldn't find the answer.

iLO4 <= 2.73 reveals HW serial and model unauthenticated via /upnp/BasicDevice.xml

I'm not sure if the issue is already known or not, but it feels like HPE iLO 4 <= 2.60 always reveals the hardware serial number, the model name and the model description when the URL http://…/upnp/BasicDevice.xml of HPE iLO is accessed unauthenticated. I did not find any way in the HPE iLO interface to disable this; specifically, at "Insight Management Integration", the "Level of Data Returned" is set to "Disabled (No Response to Request)".

Completely obfuscated example from a random HPE iLO4 with firmware 2.60 found on the Internet via port 80 (HTTP) and port 443 (HTTPS):

<root xmlns="urn:schemas-upnp-org:device-1-0">
<specVersion>
<major>1</major>
<minor>0</minor>
</specVersion>
<device>
<deviceType>urn:schemas-upnp-org:device:Basic:1</deviceType>
<friendlyName>ILOAB01234C5D</friendlyName>
<manufacturer>Hewlett Packard Enterprise</manufacturer>
<manufacturerURL>http://www.hpe.com/</manufacturerURL>
<modelDescription>iLO 4 in ProLiant DL360 Gen9</modelDescription>
<modelName>iLO 4 in ProLiant DL360 Gen9</modelName>
<modelNumber>2.60</modelNumber>
<modelURL>http://www.hpe.com/info/ilo</modelURL>
<serialNumber>AB01234C5D</serialNumber>
<UDN>uuid:5c745d4b-4316-44a0-be17-4499304f1b9e</UDN>
<iconList>
<icon>
<mimetype>image/x-icon</mimetype>
<width>48</width>
<height>48</height>
<depth>32</depth>
<url>/favicon.ico</url>
</icon>
</iconList>
<presentationURL>/</presentationURL>
</device>
</root>

While this might not be a huge information leak, it still makes the serial number accessible, which is enough to keep the HPE support busy and/or to continue with some social hacking/engineering methods.

Let me know in case the issue is not known to you and this should be followed up with HPE PSRT, but then I would like to ask you for assistance.
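The following is an added example, not part of ilo4_toolbox or of the report above: a small audit script that parses a saved /upnp/BasicDevice.xml response and lists which identifying fields it exposes, so an operator can verify their own iLO and judge whether the management network needs further isolation. The embedded sample is the obfuscated response quoted above; the field list and the friendlyName check are this example's own choices.

```python
"""Audit an iLO UPnP BasicDevice.xml response for unauthenticated identifiers.

Added example, not part of ilo4_toolbox: feed it the XML body your own iLO
returns for /upnp/BasicDevice.xml (saved to a file) and it reports which
identifying fields are readable without a login.
"""
import sys
import xml.etree.ElementTree as ET

UPNP_NS = {"u": "urn:schemas-upnp-org:device-1-0"}

# Fields that identify a specific chassis (serialNumber, UDN, friendlyName)
# or reveal its platform and firmware level (model*). Chosen for this example.
IDENTIFYING_FIELDS = ("friendlyName", "modelDescription", "modelName",
                      "modelNumber", "serialNumber", "UDN")

# Constructed sample: the obfuscated response quoted in the issue above.
SAMPLE_XML = """<root xmlns="urn:schemas-upnp-org:device-1-0">
<specVersion><major>1</major><minor>0</minor></specVersion>
<device>
<deviceType>urn:schemas-upnp-org:device:Basic:1</deviceType>
<friendlyName>ILOAB01234C5D</friendlyName>
<manufacturer>Hewlett Packard Enterprise</manufacturer>
<manufacturerURL>http://www.hpe.com/</manufacturerURL>
<modelDescription>iLO 4 in ProLiant DL360 Gen9</modelDescription>
<modelName>iLO 4 in ProLiant DL360 Gen9</modelName>
<modelNumber>2.60</modelNumber>
<modelURL>http://www.hpe.com/info/ilo</modelURL>
<serialNumber>AB01234C5D</serialNumber>
<UDN>uuid:5c745d4b-4316-44a0-be17-4499304f1b9e</UDN>
<presentationURL>/</presentationURL>
</device>
</root>"""


def audit_basic_device(xml_text):
    """Return {field: value} for each identifying field present in the response."""
    root = ET.fromstring(xml_text)
    device = root.find("u:device", UPNP_NS)
    if device is None:
        return {}
    exposed = {}
    for field in IDENTIFYING_FIELDS:
        node = device.find("u:" + field, UPNP_NS)
        if node is not None and node.text and node.text.strip():
            exposed[field] = node.text.strip()
    return exposed


def serial_embedded_in_friendly_name(exposed):
    """True when friendlyName repeats the serial number (ILO<serial>), so that
    suppressing serialNumber alone would still leave the serial readable."""
    serial = exposed.get("serialNumber")
    return bool(serial) and serial in exposed.get("friendlyName", "")


def format_report(exposed):
    """Human-readable summary, returned as lines so callers can log them."""
    if not exposed:
        return ["no identifying fields exposed"]
    lines = ["%-16s %s" % (k, v) for k, v in sorted(exposed.items())]
    if serial_embedded_in_friendly_name(exposed):
        lines.append("note: friendlyName embeds the serial number")
    return lines


if __name__ == "__main__":
    # Usage: python upnp_audit.py saved_BasicDevice.xml  (no file: built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print("\n".join(format_report(audit_basic_device(text))))
```

On the sample above the report lists the model, firmware level (modelNumber 2.60), serial number and UDN, and notes that the friendlyName repeats the serial, which is why filtering a single field would not be a complete mitigation.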

Error in inserting backdoor in HPE ILO V 2.40

Error when trying

 ./insert_backdoor.sh ilo4_240.bin 

I have downloaded the firmware from here

   [-] Error, bad file content at offset 1410
   Traceback (most recent call last):
   File "./ilo4_repack.py", line 18, in <module>
   with open(sys.argv[3], "rb") as f:
   IOError: [Errno 2] No such file or directory: 'outdir/elf.bin.patched'

dissection.rb fails on ilo4_101.bin

I am not sure if it is a problem similar to #8.

Tested with the latest version: a3e4b31

The dissection.rb script does not work on ilo4_101.bin. At that time it is unclear if it is a quirk of this version or a problem with the script itself. From the output below it looks like it is not able to locate the right number of entries for task 0x10, 0x11 and 0x12:

ilo4_toolbox/scripts/iLO4$ ruby dissection.rb ilo4_101.bin_outdir/elf.bin 
ruby: warning: shebang line ending with \r may cause problems
> extract from ilo4_101.bin_outdir/elf.bin
--
[..].

> task 0x0f (C:\ilo4\r101\secmgr\bin\secmgr.elf) - 0x00000039 entries
    range: dw1 0x00 - dw2 0x007 - base 0x00001000 - size 0x0000F000 - id 0xffffffff 
    range: dw1 0x01 - dw2 0x005 - base 0x00010000 - size 0x00066000 - id 0x00000122 - .blackbox.elf.text
    range: dw1 0x00 - dw2 0x007 - base 0x00076000 - size 0x00002000 - id 0xffffffff 
    range: dw1 0x01 - dw2 0x007 - base 0x00078000 - size 0x000D7000 - id 0x00000123 - .blackbox.elf.data
    range: dw1 0x01 - dw2 0x007 - base 0x00150000 - size 0x00004000 - id 0x00000129 - .blackbox.Initial.stack
    range: dw1 0x01 - dw2 0x007 - base 0x00154000 - size 0x000B4000 - id 0x0000012a - .blackbox.heap
    range: dw1 0x00 - dw2 0x007 - base 0x00208000 - size 0x00010000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x107 - base 0x00218000 - size 0x00008000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x107 - base 0x00220000 - size 0x00004000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x00224000 - size 0x003DC000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x00600000 - size 0x01000000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01600000 - size 0x00180000 - id 0xffffffff 
    range: dw1 0x01 - dw2 0x005 - base 0x01780000 - size 0x0002E000 - id 0x00000022 - .libc.so.text
    range: dw1 0x00 - dw2 0x007 - base 0x017ae000 - size 0x00002000 - id 0xffffffff 
    range: dw1 0x01 - dw2 0x007 - base 0x017b0000 - size 0x00001000 - id 0x00000125 - .libc.so.data
    range: dw1 0x00 - dw2 0x007 - base 0x017b1000 - size 0x00003000 - id 0xffffffff 
    range: dw1 0x01 - dw2 0x007 - base 0x017b4000 - size 0x00001000 - id 0x00000126 - .libc.so.bss
    range: dw1 0x00 - dw2 0x007 - base 0x017b5000 - size 0x0002B000 - id 0xffffffff 
    range: dw1 0x01 - dw2 0x005 - base 0x017e0000 - size 0x00007000 - id 0x00000020 - .libINTEGRITY.so.text
    range: dw1 0x00 - dw2 0x007 - base 0x017e7000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x01 - dw2 0x007 - base 0x017e8000 - size 0x00001000 - id 0x00000124 - .libINTEGRITY.so.data
    range: dw1 0x00 - dw2 0x007 - base 0x017e9000 - size 0x00417000 - id 0xffffffff 
    range: dw1 0x01 - dw2 0x005 - base 0x01c00000 - size 0x0003B000 - id 0x00000025 - .libevlog.so.text
    range: dw1 0x00 - dw2 0x007 - base 0x01c3b000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x01 - dw2 0x007 - base 0x01c3c000 - size 0x00002000 - id 0x00000127 - .libevlog.so.data
    range: dw1 0x00 - dw2 0x007 - base 0x01c3e000 - size 0x00002000 - id 0xffffffff 
    range: dw1 0x01 - dw2 0x007 - base 0x01c40000 - size 0x00008000 - id 0x00000128 - .libevlog.so.data
    range: dw1 0x00 - dw2 0x007 - base 0x01c48000 - size 0x002B8000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f00000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f01000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f02000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f03000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f04000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f05000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f06000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f07000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f08000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f09000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f0a000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f0b000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f0c000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f0d000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f0e000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f0f000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f10000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f11000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f12000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f13000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f14000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f15000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f16000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f17000 - size 0x00004000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f1b000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f1c000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f1d000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f1e000 - size 0x00001000 - id 0xffffffff 
    range: dw1 0x00 - dw2 0x007 - base 0x01f1f000 - size 0x000E1000 - id 0xffffffff 

> task 0x10 (C:\ilo4\r101\pwrmgr\bin\pwrmgr.elf) - 0x00000000 entries

> task 0x11 (C:\ilo4\r101\webserv\bin\webserv.elf) - 0x00000000 entries

> task 0x12 (C:\ilo4\r101\ribcl\bin\ribcl.elf) - 0x02a4d869 entries
Traceback (most recent call last):
	19: from dissection.rb:355:in `<main>'
	18: from dissection.rb:255:in `list_boottable'
	17: from (eval):1:in `times'
	16: from (eval):1:in `times'
	15: from dissection.rb:263:in `block in list_boottable'
	14: from (eval):1:in `times'
	13: from (eval):1:in `times'
	12: from dissection.rb:264:in `block (2 levels) in list_boottable'
	11: from /var/lib/gems/2.5.0/gems/bindata-2.4.3/lib/bindata/base.rb:21:in `read'
	10: from /var/lib/gems/2.5.0/gems/bindata-2.4.3/lib/bindata/base.rb:145:in `read'
	 9: from /var/lib/gems/2.5.0/gems/bindata-2.4.3/lib/bindata/base.rb:254:in `start_read'
	 8: from /var/lib/gems/2.5.0/gems/bindata-2.4.3/lib/bindata/base.rb:147:in `block in read'
	 7: from /var/lib/gems/2.5.0/gems/bindata-2.4.3/lib/bindata/struct.rb:139:in `do_read'
	 6: from /var/lib/gems/2.5.0/gems/bindata-2.4.3/lib/bindata/struct.rb:139:in `each'
	 5: from /var/lib/gems/2.5.0/gems/bindata-2.4.3/lib/bindata/struct.rb:139:in `block in do_read'
	 4: from /var/lib/gems/2.5.0/gems/bindata-2.4.3/lib/bindata/base_primitive.rb:129:in `do_read'
	 3: from (eval):23:in `read_and_return_value'
	 2: from /var/lib/gems/2.5.0/gems/bindata-2.4.3/lib/bindata/io.rb:276:in `readbytes'
	 1: from /var/lib/gems/2.5.0/gems/bindata-2.4.3/lib/bindata/io.rb:312:in `read'
/var/lib/gems/2.5.0/gems/bindata-2.4.3/lib/bindata/io.rb:162:in `read_raw': undefined method `read' for nil:NilClass (NoMethodError)

Error in patch_webserver_250.py when inserting backdoor!

[+] Patch applied to outdir/bootloader.bin.patched
[+] Patch applied to outdir/kernel_main.bin.patched
Traceback (most recent call last):
File "./patch_webserver_250.py", line 29, in
handler_code = asm_sc(f.read())
File "./patch_webserver_250.py", line 11, in asm_sc
ks = Ks(KS_ARCH_ARM, KS_MODE_ARM)
NameError: global name 'Ks' is not defined
Traceback (most recent call last):
File "./ilo4_repack.py", line 18, in
with open(sys.argv[3], "rb") as f:
IOError: [Errno 2] No such file or directory: 'outdir/elf.bin.patched'
[+] Firmware ready to be flashed

Add support for iLO moonshot

It looks like iLO_Chassis_Management_Firmware_158.bin from https://support.hpe.com/hpsc/swd/public/detail?sp4ts.oid=5378292&swItemId=MTX_acee361e49bb406e9174f471c7&swEnvOid=4184#tab1 is close to iLO5 but ilo5_extract.py fails to extract it.

$ python2.7 ilo5_extract.py ~/Desktop/iLO_Chassis_Management_Firmware_158.bin ~/Desktop/iLO_Chassis_Management_Firmware_158
[+] Extracting certificate 0
[+] Extracting certificate 1
[+] Extracting certificate 2
[+] iLO HPIMAGE header :
  > img_magic          : HPIMAGE
  > version major      : 0x1
  > version minor      : 0x1
  > field_A            : 0x00
  > device id          : ILO
0000  9d 7b 31 2f e3 c9 76 4d bf f6 b9 d0 d0 85 a9 52   .{1/..vM.......R

  > field_1C            : 0x1
  > field_20            : 0x0
  > field_24            : 0x0
  > field_28            : 0x0
  > field_2C            : 0x0
  > field_30            : 0x0
  > field_34            : 0x0
  > field_38            : 0x0
  > field_3C            : 0x10607e2
  > version             : 1.58
  > name                : iLO Chassis Manager
  > gap



[+] iLO boot block footer:
  > module                  : ��������������������������������
  > fw_magic                : 0xffffffff
  > header_type             : 0xffffffff
  > field_28                : 0x-1
  > type                    : 0x-1
  > flags                   : 0xffffffff
  > field_30                : 0xffffffff
  > field_34                : 0xffffffff
  > field_38                : 0xffffffff
  > backward_crc_offset     : 0xffffffff
  > forward_crc_offset      : 0xffffffff
  > img_crc                 : 0xffffffff
  > compressed_size         : 0xffffffff
  > decompressed_size       : 0xffffffff
  > field_50                : 0xffffffff
  > field_54                : 0xffffffff
  > crypto_params_index     : 0xffff
  > crypto_params_index 2   : 0xffff
  > header_crc              : 0xffffffff
  > field_60                : 0xffffffff
  > field_64                : 0xffffffff
  > field_68                : 0xffffffff
  > field_6C                : 0xffffffff
  > field_70                : 0xffffffff
  > field_74                : 0xffffffff
  > field_78                : 0xffffffff
  > field_7C                : 0xffffffff
  > copyright               : ��������������������������������������������������������������������������������������������������������������������������������
  > signature
0000  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0010  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0020  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0030  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0040  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0050  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0060  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0070  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0080  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0090  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
00a0  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
00b0  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
00c0  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
00d0  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
00e0  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
00f0  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0100  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0110  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0120  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0130  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0140  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0150  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0160  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0170  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0180  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0190  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
01a0  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
01b0  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
01c0  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
01d0  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
01e0  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
01f0  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................

  > fw_magic_end       : 0x354f4c69

[+] header crc ok: 0xe2b03c14
[x] failed to check header crc: 0xffffffff

Offsets in libc.so

I'd like to extend the functionality. How did you come up with the offsets in hp_ilo_4_250.h for libc.so?
/* libc.so */ static void *(*malloc)(size_t size) = (const void *)0x017B85E8;

etc...

@fishilico
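One way to relate an absolute address to the module it lives in is to turn the "range:" lines that dissection.rb prints (see the ilo4_101.bin task 0x0f listing in the dissection.rb issue above) into a lookup map. The following is an added example, not part of ilo4_toolbox. Its sample lines are copied from that 1.01 output, so they say nothing about 2.50 addresses such as 0x017B85E8, and section_address() assumes that the listed base is the load address of the section with no further relocation, which is this example's assumption rather than something the toolbox states. find_overlaps() is a sanity check on a parsed table: a listing whose ranges overlap (as one would expect after a bogus entry count like the 0x02a4d869 above) is mis-parsed.

```python
"""Build a memory map from the "range:" lines that dissection.rb prints.

Added example, not part of ilo4_toolbox. Sample lines are copied from the
ilo4_101.bin output quoted in the dissection.rb issue (firmware 1.01), so the
addresses do not carry over to other firmware versions. section_address()
assumes the listed base is the load address of the section (an assumption).
"""
import re
from collections import namedtuple

Range = namedtuple("Range", "dw1 dw2 base size ident name")

RANGE_RE = re.compile(
    r"range: dw1 (0x[0-9a-fA-F]+) - dw2 (0x[0-9a-fA-F]+) - base (0x[0-9a-fA-F]+)"
    r" - size (0x[0-9a-fA-F]+) - id (0x[0-9a-fA-F]+)(?: - (\S+))?")

# Constructed sample: a subset of the task 0x0f listing from the issue above.
SAMPLE_DISSECTION = r"""
> task 0x0f (C:\ilo4\r101\secmgr\bin\secmgr.elf) - 0x00000039 entries
    range: dw1 0x00 - dw2 0x007 - base 0x00001000 - size 0x0000F000 - id 0xffffffff 
    range: dw1 0x01 - dw2 0x005 - base 0x00010000 - size 0x00066000 - id 0x00000122 - .blackbox.elf.text
    range: dw1 0x01 - dw2 0x005 - base 0x01780000 - size 0x0002E000 - id 0x00000022 - .libc.so.text
    range: dw1 0x00 - dw2 0x007 - base 0x017ae000 - size 0x00002000 - id 0xffffffff 
    range: dw1 0x01 - dw2 0x007 - base 0x017b0000 - size 0x00001000 - id 0x00000125 - .libc.so.data
    range: dw1 0x00 - dw2 0x007 - base 0x017b1000 - size 0x00003000 - id 0xffffffff 
    range: dw1 0x01 - dw2 0x007 - base 0x017b4000 - size 0x00001000 - id 0x00000126 - .libc.so.bss
"""


def parse_ranges(text):
    """Parse every "range:" line, skipping headers and other non-matching lines.
    The result is sorted by base address."""
    ranges = []
    for line in text.splitlines():
        m = RANGE_RE.search(line)
        if m:
            dw1, dw2, base, size, ident, name = m.groups()
            ranges.append(Range(int(dw1, 16), int(dw2, 16), int(base, 16),
                                int(size, 16), int(ident, 16), name))
    return sorted(ranges, key=lambda r: r.base)


def find_range(ranges, addr):
    """Return the Range containing addr, or None if the listing does not map it."""
    for r in ranges:
        if r.base <= addr < r.base + r.size:
            return r
    return None


def find_overlaps(ranges):
    """Adjacent (in base order) pairs whose intervals intersect. Checking only
    neighbours is enough to detect whether any overlap exists in a sorted list."""
    overlaps = []
    for a, b in zip(ranges, ranges[1:]):
        if b.base < a.base + a.size:
            overlaps.append((a, b))
    return overlaps


def section_address(ranges, name, offset):
    """Absolute address of `offset` inside the named section (base + offset),
    assuming the section is loaded at the listed base without relocation."""
    for r in ranges:
        if r.name == name:
            if offset >= r.size:
                raise ValueError("offset 0x%x is outside %s (size 0x%x)"
                                 % (offset, name, r.size))
            return r.base + offset
    raise KeyError(name)


if __name__ == "__main__":
    rs = parse_ranges(SAMPLE_DISSECTION)
    for r in rs:
        print("0x%08x-0x%08x %s" % (r.base, r.base + r.size, r.name or "<unnamed>"))
    hit = find_range(rs, 0x01790000)
    print("0x01790000 is in", hit.name if hit else "no range")
    print("overlaps:", find_overlaps(rs))
```

Run it against the full output of dissection.rb for the firmware version you actually work with; the unnamed ranges (id 0xffffffff) are kept so that gaps between named sections are visible.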

RSA key format is not supported

Hello,

I get this ValueError when I'm launching:
python ilo5_fw_decrypt.py --infile ilo5_235.bin

Traceback (most recent call last):
  File "/home/kali/Desktop/ILO_TOOLBOX/ilo4_toolbox/scripts/iLO5/ilo5_fw_decrypt.py", line 82, in <module>
    rsa_pkey = load_private_key()
  File "/home/kali/Desktop/ILO_TOOLBOX/ilo4_toolbox/scripts/iLO5/ilo5_fw_decrypt.py", line 50, in load_private_key
    pkey = RSA.import_key(key_buffer, passphrase=pem_password_cb())
  File "/usr/local/lib/python3.10/dist-packages/Crypto/PublicKey/RSA.py", line 736, in import_key
    return _import_keyDER(der, passphrase)
  File "/usr/local/lib/python3.10/dist-packages/Crypto/PublicKey/RSA.py", line 679, in _import_keyDER
    raise ValueError("RSA key format is not supported")
ValueError: RSA key format is not supported

I have pycryptodome 3.6.5. I use the same rsa_private_key_ilo5.asc file. I don't know why this error appears.

Thanks for your help,
Best regards

MAC tag is not valid

Hi,

When decrypting firmware above iLO5 2.78, it gives an error:
[x] decrypt_and_verify failed? MAC tag is not valid,

Cannot Flash Backdoored Firmware

I'm unable to flash the firmware created using insert_backdoor.sh.

My setup is iLO4 version 2.50 with an Ubuntu Linux host OS.
insert_backdoor.sh correctly creates the backdoored firmware "ilo4_250.bin.backdoored.toflash".
The script finishes and says "Firmware ready to be flashed"; however, when attempting to flash the firmware using the iLO Web GUI, it fails to flash the firmware.

I noticed in your demo gif when the insert_backdoor.sh script finishes it references a script "exploit_write_flash_page.py". I can't seem to find this script in the code you provide and my version of insert_backdoor.sh simply says "Firmware ready to be flashed" when it completes.

What is the correct method of flashing the backdoored firmware?

Thanks again for your help and for your awesome contribution to the community. Really great work.

iLO 4 < 2.00 lacks the REST API

Has anyone found a replacement for /rest/v1/AccountService/Accounts to use the Authentication Bypass Exploit on older iLO4 Versions (<2.00)?

exploit_check_flash.py does not work with firmware versions other than 2.50

Bonjour!

ilo4_toolbox/scripts/iLO4/exploits/exploit_check_flash.py does not work with firmware versions other than 2.50 because ilo4_toolbox/scripts/iLO4/exploits/exploit_offsets.py is missing their respective 'VComClientSync_Call' definitions.
I did try to simply copy 2.50's definition of 'VComClientSync_Call' for version 1.53 without success.

Cheers!

dissection.rb fails on ilo5_135.bin

The dissection.rb script does not work on ilo5_135.bin. At that time it is unclear if it is a quirk of this version or a problem with the script itself. From the output below it looks like it is not able to locate the first module name and also the type, offset and size fields seem wrong:

ilo4_toolbox/scripts/iLO5$ ruby dissection.rb ilo5_135.bin_outdir/elf_main.bin
ruby: warning: shebang line ending with \r may cause problems
> extract from ilo5_135.bin_outdir/elf_main.bin
--
  >                              - type 1946157056 - offset 0x00000000 - size 0x00000000 bytes
Traceback (most recent call last):
	4: from dissection.rb:346:in `<main>'
	3: from dissection.rb:324:in `extract_mods'
	2: from dissection.rb:324:in `each'
	1: from dissection.rb:335:in `block in extract_mods'
dissection.rb:335:in `join': no implicit conversion of nil into String (TypeError)

A working case with another firmware version e.g. on ilo5_130.bin is:

ilo4_toolbox/scripts/iLO5$ ruby dissection.rb ilo5_130.bin_outdir/elf_main.bin
ruby: warning: shebang line ending with \r may cause problems
> extract from ilo5_130.bin_outdir/elf_main.bin
--
  >               .dvrspi.elf.RO - type PROGBITS - offset 0x00007574 - size 0x00003f58 bytes
  >               .dvrspi.elf.RW - type PROGBITS - offset 0x0000b4cc - size 0x00000694 bytes
  >          .libINTEGRITY.so.RO - type PROGBITS - offset 0x0000bb60 - size 0x000048c0 bytes
  >          .libINTEGRITY.so.RW - type PROGBITS - offset 0x00010420 - size 0x00000018 bytes
  >                  .libc.so.RW - type PROGBITS - offset 0x00010438 - size 0x000009c0 bytes
  >        .VComCShared_RM.so.RW - type PROGBITS - offset 0x00010df8 - size 0x00000070 bytes
  >              .dvrgpio.elf.RW - type PROGBITS - offset 0x00010e68 - size 0x0000109c bytes
  >                  .libc.so.RO - type PROGBITS - offset 0x00011f04 - size 0x00035ff8 bytes
  >        .VComCShared_RM.so.RO - type PROGBITS - offset 0x00047efc - size 0x00008a90 bytes
  >              .dvrgpio.elf.RO - type PROGBITS - offset 0x0005098c - size 0x00008738 bytes
...

linux_backdoor.S is missing

backdoor_client.py requires linux_backdoor.S to inject the backdoor code into the Linux side.

However, linux_backdoor.S is missing now, so please upload it for a good demo.

exploit_get_users.py missing ?

Hi,

In demo 2 you use a script exploit_get_users.py which dumps users with passwords from ILO.
I can't find this script in the repo; where is it?

I want to use it on my DL380e Gen8 which had a dead NAND issue, so I got another motherboard but without the tag with the default ILO password. I want to use this exploit so I can know what is the default password.

Any other way to know what is the default ILO password for my server is welcome.

insert_backdoor.sh did not work properly

Hi,
insert_backdoor.sh did not work properly, so I patched the bootloader and kernel manually with a hex editor,
then I changed patch_webserver.py like this:
commenting out the Capstone-related code in the program because it generated errors.

from capstone import Cs, CS_ARCH_ARM, CS_MODE_ARM

def disasm_sc(sc):
    # Disassemble the ARM shellcode buffer and print each instruction for inspection
    cs = Cs(CS_ARCH_ARM, CS_MODE_ARM)
    for i in cs.disasm(sc, 0):
        print("0x%x:\t%s\t%s" % (i.address, i.mnemonic, i.op_str))

After that I manually applied some changes to elf.bin from the "outdir" folder, like changing the value at offset 0x188B18 to "D43C1A00",
with a hex editor.
But when I wanted to upload ilo4_250.bin (ilo4_250.bin.backdoored.toflash) from the iLO web interface, it contained some errors, so the firmware update process could not complete successfully.
