MicroCorruption: Whitehorse

Slaps you with a manual:

  • This lock is attached to an HSM-2 module.
  • The function to unlock the door is no longer in the lock firmware.

The main function just calls login. You set a breakpoint at login and try a quick test input of aaaaaaaaaaaaaaaa.

The login function:

  • The prompt asks for an input of 8 to 16 characters.
  • However, the arguments passed to getsn tell a different story:
    • r14: the length of the input buffer, #0x30 (48) characters. That leaves room for inputs longer than 16 characters.
    • r15: the address of the input buffer, #0x34d2.
  • The input is passed to conditional_unlock_door.

This function passes the input to INT 7E; the password check and the door unlock both appear to happen inside the interrupt. Redirecting execution to a call to unlock_door, for example, cannot work here: the function to unlock the door is not in the lock firmware.

In the login function, notice that the return address is popped from the stack right after add #0x10, SP, so it sits 0x10 (16) bytes above the start of the input buffer.

An overflow test perhaps:

You discover that the 17th and 18th bytes of the input overwrite the return address! Good, good progress :).
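To make that offset concrete, here is a small Python model of the login frame as the writeup describes it (an added illustration, not code from the level or from the original post). It uses the values above: buffer at #0x34d2, a getsn length of 0x30, and the return address 0x10 bytes above the buffer; the saved return value 0x4466 and the frame contents are constructed placeholders. It also shows the fix a defender would want: hand getsn the buffer's real 16-byte size.

```python
import struct

# Values reported in the writeup above
BUF_ADDR = 0x34D2        # r15: address of the input buffer
GETSN_LEN = 0x30         # r14: length handed to getsn (48 bytes)
RET_OFFSET = 0x10        # saved return address sits 0x10 bytes above the buffer
PROMPT_MAX = 16          # longest input the prompt actually asks for

# Constructed placeholder: where login would normally return to
CONSTRUCTED_RET = 0x4466


def make_frame(ret_addr=CONSTRUCTED_RET):
    """Model login's stack region, starting at the input buffer.

    The MSP430 is little-endian, so the 16-bit return address is stored
    low byte first at RET_OFFSET. The region is sized for the full 48
    bytes getsn may write, so nothing is silently truncated here.
    """
    frame = bytearray(GETSN_LEN + 2)
    struct.pack_into("<H", frame, RET_OFFSET, ret_addr)
    return frame


def getsn(frame, data, max_len):
    """Model of getsn: copy up to max_len input bytes into the buffer.

    Like the firmware call, it trusts max_len and knows nothing about
    the buffer's real 16-byte size.
    """
    n = min(len(data), max_len)
    frame[:n] = data[:n]
    return n


def saved_return(frame):
    """Return address that login's ret would pop."""
    return struct.unpack_from("<H", frame, RET_OFFSET)[0]


def login(user_input, max_len=GETSN_LEN):
    """Run the modelled login and report where it would return to."""
    frame = make_frame()
    getsn(frame, user_input, max_len)
    return saved_return(frame)


def return_address_location():
    """Memory address of the saved return address (0x34e2)."""
    return BUF_ADDR + RET_OFFSET


def return_address_input_positions():
    """1-based positions of the input bytes that land on the return address."""
    return RET_OFFSET + 1, RET_OFFSET + 2
```

With the reported getsn length, login(b"a" * 18) returns 0x6161 (the 17th and 18th input bytes), while login(b"a" * 48, PROMPT_MAX) still returns 0x4466 because the oversized input is cut at the real buffer size.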

You can jump to any address and execute instructions at that address… time to inject some shellcode!

From the manual, INT 7F is the actual trigger to unlock the door.

The payload: push 7F and call INT.

You put the payload in the input and set the 17th and 18th bytes to the address where the payload begins.

No knock, unlock!

Addis is how we roll! :cool:
