I am developing a new exploit chain for the ESP8266

[jeremysalwen]

The ESP8266 can be vulnerable to the lighleak/cloudcutter exploit. However, the callback pointer which those exploits use is not available to exploit on the ESP8266 in the version I looked at. Instead, the issue appears as a heap buffer overflow. Unfortunately there are a few integrity checks in the allocator used, so we are quite restricted in what we can do with it. However, we are able to write zero words to any address in memory.

I think it might be possible to use this primitive to overwrite the keys with zero bytes, and then use tuya convert for the final stage. However, I am not so familiar with the PSK code on the ESP8266, and I thought someone from this project might know:

1. When is the key loaded into memory to validate the signature?
2. Where is the key loaded from?
3. Are there any globals at fixed addresses that affect the process of loading the key?

p.s.
The full details of the primitive are as follows:

For any 4 byte region of memory, if the second byte is greater than about ~24, I can

1. Write 0 to the first byte
2. Change the second byte to a smaller value and set its last few bits to 1.
3. Write an uncontrolled pointer to the app image to the third byte
4. Write an uncontrolled smallish number to the fourth byte (derived from a source line number).

I think I could repeat this primitive to zero out a region of memory.