
Topic: Handle memory

KeithRB

He is using the same vector as the internet worm.

KeithRB

Address operator:

void *addr = &function_name;

holmes4

That wiki article needs a re-write, but as the Arduino has no OS and no other programs running on it, it's not a problem anyway.

Mark

nickgammon


Ok, so if I call once at the setup the function will be on the board. I tried the attack but still doesn't work.


I'm not surprised. The compiler may well "inline" the function call, and not put it where you are hoping it will go.

I don't see the point to this. You don't "hack" Arduinos in the same way you hack Windows PCs. For one thing, the program code is in flash memory and cannot be modified. This seems to me to be a pointless and (if I may say without giving offence) time-wasting exercise.
Please post technical questions on the forum, not by personal message. Thanks!

More info: http://www.gammon.com.au/electronics

DarkCoffee

I don't want to modify the program code, I just want to reach the return address of the function readSerialString() and overwrite it with another address.
I counted 8+4+1 bytes (8 for buffer, 4 for smallbuffer, 1 for sb) = 13 bytes.
I wrote "1234567891234\x19\x02\x00\x00" and the board reset itself.
Do you know a way to find out where the return address of that function is?
Do you think it is impossible to do?

holmes4

Quote
Do you think is impossible to do it?


Without a Ph.D - yes (or send me lots of cash)

Mark

PeterH


Do you know a way to understand where is the return address of that function?
Do you think is impossible to do it?


If you're going to do this then you need to understand how the stack frame and local variables are laid out in memory.

It's certainly possible to corrupt the stack frame, although the Arduino seems irrelevant to this problem and you could develop the code to do this far more easily in a PC development environment where you can inspect the memory via a debugger, instead of trying to solve the problem in the very limited environment of an Arduino.

Your serial handling code is likely to cause 'buffer overflow' problems of its own since you don't seem to be null-terminating your received strings - I would suggest you get the basics working first before you try to do anything clever.

DarkCoffee

I'm working on Atmel Studio 6 indeed for the debugger. For the moment I use the simulator.

I added the last two lines:
Code:
  if (Serial.available()) {
    while (Serial.available()) {
      sb = Serial.read();
      buffer[indexB] = sb;   // no bounds check: writes past buffer[7] once indexB reaches 8
      indexB++;
    }
    buffer[indexB] = '\0';   // the two added lines: terminate the received string
    indexB++;
  }


Can you suggest a way to find the return address?
Thank you so much for the help!
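A bounded counterpart to the receive loop above, added here as an example and not taken from DarkCoffee's sketch or from the Arduino core: Serial.available()/Serial.read() are stood in for by a constructed in-memory byte stream so the code compiles and runs on a PC, and the names `byte_stream`, `read_serial_string` and `demo_read` are introduced for this example. The unbounded loop keeps storing bytes at buffer[indexB] no matter how many arrive, which is exactly the write that reaches the rest of the frame; the version below reserves the last slot for the terminator, drains whatever is left in the stream so it is not picked up by the next read, and reports that input was dropped.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example, not code from the thread. A constructed in-memory stream
 * stands in for Serial.available() / Serial.read(). */
struct byte_stream {
    const unsigned char *data;
    size_t len;
    size_t pos;
};

static int stream_available(const struct byte_stream *s) { return s->pos < s->len; }
static unsigned char stream_read(struct byte_stream *s) { return s->data[s->pos++]; }

/* Bounded version of the posted loop: never writes past buf[cap-1], always
 * NUL-terminates, drains the remaining input, and flags dropped bytes.
 * Returns the number of payload bytes stored (terminator not counted). */
size_t read_serial_string(struct byte_stream *s, unsigned char *buf, size_t cap, bool *truncated)
{
    size_t indexB = 0;

    *truncated = false;
    if (cap == 0)
        return 0;

    while (stream_available(s)) {
        unsigned char sb = stream_read(s);
        if (indexB < cap - 1) {       /* leave room for the terminator */
            buf[indexB++] = sb;
        } else {
            *truncated = true;        /* the original loop would overflow here */
        }
    }
    buf[indexB] = '\0';
    return indexB;
}

/* Drives the reader with the 17-byte payload quoted in the thread
 * ("1234567891234" followed by \x19\x02\x00\x00), constructed here. */
size_t demo_read(unsigned char *out, size_t cap, bool *truncated)
{
    static const unsigned char payload[] = "1234567891234\x19\x02\x00\x00";
    struct byte_stream s = { payload, sizeof payload - 1, 0 };
    return read_serial_string(&s, out, cap, truncated);
}
```

With the thread's 8-byte buffer, `demo_read` stores "1234567", terminates it, and sets the truncation flag; with a buffer of 32 bytes the full 17-byte payload is stored, embedded zero bytes included, because the length is tracked rather than inferred from the contents.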

nickgammon

It isn't available in C. What you are trying to do is non-portable. Because of the way the compiler optimizes, whatever you do, even if you get it to work, may fail if you then add another line of code, somewhere else in the program. It doesn't prove anything useful.

PaulS

Quote
It's for a project so I don't think the professor is silly or stupid!

Explain the project, NOT how you think you should implement it. As you've tossed out all kinds of buzzwords, it sounds like you don't understand the project.

You might be right about the professor not being silly or stupid, but the way you appear to be trying to implement the project DOES seem silly or stupid.
The art of getting good answers lies in asking good questions.

nickgammon


It's for a project so I don't think the professor is silly or stupid!


Can you quote the actual project requirements?

AWOL

Quote
Code:

#define F_CPU=16000000

?
I'm working with Atmel Studio 6 so I need that line.

Does Atmel Studio 6 work in some way that is completely antithetical to the rest of the C programming world?

DarkCoffee


Quote
It's for a project so I don't think the professor is silly or stupid!

Explain the project, NOT how you think you should implement it. As you've tossed out all kinds of buzzwords, it sounds like you don't understand the project.

You might be right about the professor not being silly or stupid, but the way you appear to be trying to implement the project DOES seem silly or stupid.


The goal of the project is to attack the board by exploiting stack buffer overflows, hence finding the return address and overwriting it with a pointer.

AWOL

I'd take the address of a stack frame variable, and dump out values around it, looking for an address in the range of the calling function.
Of course, it'd be ironic if the compiler inlined the function...
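AWOL's suggestion, and PeterH's earlier point that the stack frame layout has to be measured rather than counted from the declared variable sizes, carried out in C as an added example (not code from the thread). It takes the address of an 8-byte local buffer, walks upward one pointer-sized word at a time, and stops at the word that equals the function's own saved return address, which GCC and Clang expose through `__builtin_return_address(0)`. It assumes a compiler with that builtin and a downward-growing stack with locals below the return address (x86-64, ARM and AVR all qualify); `find_ret_offset` and `SCAN_LIMIT` are names introduced here. Nothing is overwritten, so it runs under a debugger on a PC without crashing, and the `noinline` attribute answers the irony in the post: an inlined function has no frame of its own to find.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread. Measures the distance from a
 * local buffer to the saved return address by scanning up the stack.
 * Assumes GCC/Clang (__builtin_return_address) and locals stored below the
 * return address, as on x86-64, ARM and AVR. */

#define SCAN_LIMIT 512   /* how far above the buffer to look, in bytes */

/* If the compiler inlined this function there would be no frame to find,
 * so inlining is forbidden explicitly. */
__attribute__((noinline))
size_t find_ret_offset(void)
{
    volatile unsigned char buffer[8];   /* same size as the thread's buffer[] */
    uintptr_t word;
    size_t off;

    buffer[0] = 0;   /* keep the array live so it really occupies stack space */

    /* Return addresses are stored pointer-aligned, so start at the first
     * pointer-aligned address at or after buffer[0]. */
    uintptr_t base = ((uintptr_t)buffer + sizeof(void *) - 1)
                     & ~(uintptr_t)(sizeof(void *) - 1);

    for (off = 0; off < SCAN_LIMIT; off += sizeof(void *)) {
        memcpy(&word, (const void *)(base + off), sizeof word);   /* read one stack word */
        if (word == (uintptr_t)__builtin_return_address(0))
            return (size_t)(base - (uintptr_t)buffer) + off;     /* bytes from buffer[0] */
    }
    return 0;   /* not found inside the window */
}

int main(void)
{
    size_t off = find_ret_offset();

    if (off == 0)
        printf("saved return address not found within %d bytes of the buffer\n", SCAN_LIMIT);
    else
        printf("saved return address is %zu bytes above buffer[0]\n", off);
    return 0;
}
```

The number printed is the offset an overflow of buffer[] would have to reach, and it is rarely the 13 bytes counted from the declarations: the compiler orders locals as it likes, and a saved frame pointer or a stack-protector canary may sit between the buffer and the return slot. That is also why the offset is stable for one build and changes when code is added elsewhere, as nickgammon warns. On the AVR the same walk works with 16-bit words, with the added twist that the return address is pushed high byte first.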
