# MITRE eCTF: The Ohio State University Attacking University at Buffalo

## Arbitrary code execution
The bug is in `handle_update()` in `bootloader.c`: `uart_readline()` will continue to read data until a null byte or newline is encountered, allowing us to write unlimited data to the stack. Two other issues that aid in exploitation are:
To gain arbitrary code execution, we can:
Our script is shown below:
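Returning to the `uart_readline()` defect described under "Arbitrary code execution": the root cause is a line reader that has no idea how large the caller's stack buffer is. The C below is an added illustration of that bug class and its fix, not the eCTF bootloader's code and not the team's exploit script. `fake_uart_t`, `fake_uart_read`, the two `uart_readline_*` functions and the `demo_*` helpers are hypothetical stand-ins; the 200-byte line is constructed input. The unbounded reader reproduces the described pattern (copy until `\0` or `\n`, no capacity), and the bounded reader beside it takes the buffer size, always NUL-terminates, rejects an over-long line instead of silently truncating it, and drains to the next line boundary so the protocol stays in sync.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a UART receive register: a byte array that the
 * readers below drain one byte at a time. Hypothetical, not bootloader code. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} fake_uart_t;

/* Next received byte, or -1 once the constructed input is exhausted
 * (a real UART driver would block instead). */
static int fake_uart_read(fake_uart_t *u)
{
    if (u->pos >= u->len) return -1;
    return u->data[u->pos++];
}

/* The pattern the write-up describes: copy bytes until '\0' or '\n' with no
 * knowledge of how large buf is. A line longer than the caller's stack buffer
 * runs past it into the rest of the frame. Kept here only for comparison. */
size_t uart_readline_unbounded(fake_uart_t *u, uint8_t *buf)
{
    size_t n = 0;
    int c;
    while ((c = fake_uart_read(u)) >= 0 && c != '\0' && c != '\n')
        buf[n++] = (uint8_t)c;
    buf[n] = '\0';
    return n;
}

/* Hardened reader: the caller passes the buffer capacity. At most cap-1 bytes
 * are stored and the result is always NUL-terminated. An over-long line is
 * rejected (-1) rather than truncated, and the remainder of that line is
 * drained so the following read starts on a line boundary. */
long uart_readline_bounded(fake_uart_t *u, uint8_t *buf, size_t cap)
{
    size_t n = 0;
    int c;
    int overflow = 0;

    if (cap == 0) return -1;
    while ((c = fake_uart_read(u)) >= 0 && c != '\0' && c != '\n') {
        if (n + 1 < cap)
            buf[n++] = (uint8_t)c;
        else
            overflow = 1;            /* keep draining, stop storing */
    }
    buf[n] = '\0';
    return overflow ? -1 : (long)n;
}

/* Builds the constructed input: 200 'A' bytes, a newline, then "ok\n".
 * Returns the total length written into out (203 bytes). */
static size_t build_overlong_input(uint8_t *out)
{
    memset(out, 'A', 200);
    memcpy(out + 200, "\nok\n", 4);
    return 204;
}

/* How many bytes the unbounded reader stores for the over-long line when
 * handed a scratch buffer big enough to survive it: 200, regardless of what
 * a 64-byte stack buffer in the real handler could have held. */
size_t demo_unbounded_stored_length(void)
{
    uint8_t input[256], scratch[256];
    fake_uart_t u = { input, build_overlong_input(input), 0 };
    return uart_readline_unbounded(&u, scratch);
}

/* Returns 1 if the bounded reader rejects the over-long line, leaves the
 * 64-byte buffer NUL-terminated at 63 bytes, and resynchronises on "ok". */
int demo_overlong_line_rejected(void)
{
    uint8_t input[256], buf[64];
    fake_uart_t u = { input, build_overlong_input(input), 0 };

    if (uart_readline_bounded(&u, buf, sizeof buf) != -1) return 0;
    if (strlen((char *)buf) != sizeof buf - 1) return 0;
    if (uart_readline_bounded(&u, buf, sizeof buf) != 2) return 0;
    return strcmp((char *)buf, "ok") == 0;
}

/* Returns 1 if a line that fits is stored intact with its length reported. */
int demo_short_line_accepted(void)
{
    static const uint8_t input[] = "hello\n";
    uint8_t buf[64];
    fake_uart_t u = { input, sizeof input - 1, 0 };
    return uart_readline_bounded(&u, buf, sizeof buf) == 5 &&
           strcmp((char *)buf, "hello") == 0;
}

int main(void)
{
    printf("unbounded reader stored %zu bytes\n", demo_unbounded_stored_length());
    printf("bounded reader rejected over-long line: %d\n", demo_overlong_line_rejected());
    printf("bounded reader accepted short line: %d\n", demo_short_line_accepted());
    return 0;
}
```

The choice to return an error rather than a truncated line matters in an update handler: a silently shortened frame can still parse as a valid command, whereas a rejected one forces the sender back to a known line boundary.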
## The shellcode disassembled and explained
The goal of our shellcode is to read EEPROM data and send it back to us over uart.
This shellcode makes a call to `EEPromRead` (at 0x7e94), followed by a call to `uart_write` (at 0x72e4). It was difficult to remove all of the null bytes from the shellcode. For example, we could not use regular indirect branch with `lr` instructions (`blr x3`) since they contain a null byte. Instead, we manually set `lr` and then do the jump using `mov pc, r3`. We also have to obfuscate constants that would otherwise have a null byte in them (e.g. 0x800). The sequence is equivalent to:

## Getting the flags
After dumping EEPROM from the device, getting the flags was relatively straightforward.
`cfg0.bin`, protected it, and loaded it onto the device. This caused the flight to abort.