Wednesday 31 October 2012

On the road with Arduino

Well the Arduino UNO kit has arrived and I'm very impressed. Lots of things to try and I'm already well beyond the flashing LED tutorial that is the electronics version of HelloWorld.

Some quick experimenting has shown that the servo is easy to position using this example. Similarly I have built up a quick serial communication app that replies to a specific string (based on this). Interestingly you need to tweak PUTTY to talk to it correctly


// Command line variables
String command; // String input from command prompt
String temp1,temp2; // temporary strings
char inByte; // Byte input from command prompt
char carray[6]; // character array for string to int // manipulation
int a,b,c; // temporary numbers

void setup(){
    Serial.begin(9600);
 }


void loop(){

    // Input serial information:
    if (Serial.available() > 0){
       inByte = Serial.read();
        // only input if a letter, number, =,?,+ are typed!
        if ((inByte >= 65 && inByte <= 90) || (inByte >=97 && inByte <=122) || (inByte >= 48 &&     inByte <=57) || inByte == 43 || inByte == 61 || inByte == 63) {
          command.concat(inByte);

        }
       
     }// end serial.available
     // Process command when NL/CR are entered:
     if (inByte == 10 || inByte == 13){
       if (command.equalsIgnoreCase("hey")){
         Serial.println("hello there!");
       }       command="";      }
}

Friday 26 October 2012

ASCII only exploiting

So an interesting problem was given to a group of us this week. The vulnerable function in IE was controlled using an ASCII string. Most people took this as a sign that heap spraying was required and therefore used a string like "   " to point to heap space and hopefully their NOP sled.

I took the "crafty" approach and instead decided that the whole shell code could be contained in the string, not just the pointer.

msfencode (part of Metasploit) has an excellent encoder option that will encode only using alphanumeric characters. Unfortunately when you try this, you will get non alpha characters mixed in wherever it fails to find the right commands.

msfpayload windows/exec CMD=calc.exe R | ./msfencode -e x86/alpha_mixed


In this case, you will need to find a ROP gadget to move the address of the start of your shell code in to one of the registers. If you're lucky it will already be in one. You can then give it to msfencode as an argument:
 msfpayload windows/exec CMD=calc.exe R | ./msfencode BufferRegister=EAX -e x86/alpha_mixed
 If you need to go searching for ROP gadget there are a couple of tools that may help you. First check out Immunity's !gadget  command. Alternatively there's Mona, a Python add-on (https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/). These were enough to go searching through for a non-ASLR'd gadget that moved the right value to the right register.


Thursday 25 October 2012

R00t beer fridge

So as an update to the previous post, I've been doing some research over the last couple of days and found that:
a) servos are weird things that require crazy Pulse Width Modulation (PWM) to control them. This is not something Raspberry Pis do out of the box. I've seen a few cases where they use an in between piece of hardware to work around this.
b) arduinos can be made to do some crazy stuff. Like run a web server

For these two reasons I have (sadly) moved over to using Arduino. I would love to use a Pi but it's horses for courses and although I think it's possible to use a Pi for a project like this, it's just too much effort.

The Arduino will be delivered tomorrow so I can get to grips with the basics over the weekend and have the first photos next week.

It looks like the locking mechanism will be best done with Meccano. Using servos to move the locks into place will mean that they can be used without a second power source and won't "fail open" if someone was to pull the plug. It will either be a sliding bar, or a latch.

Saturday 20 October 2012

Raspi: zero to hero.

So I'm at step zero here. Let me just give a quick intro first to what I want to do along with a little background.

The goal is to create a hacking challenge for some friends. The prize is a can of "r00t" beer. This beer will be locked away in a fridge. The lock is controlled by a Raspberry Pi. There will be several stages to pass before the fridge will unlock and the prize will be gained.

Now the background. I have owned a Raspi for about 2 months. In that time I have rather sadly not done much with it. It currently sits as a XMBC server for my television, but it's lack of YouTube support and limited Codecs means that it's not all that great. I know that Raspis have support for electronics but my electronics know how is very "trial and error" (see the Glone if you don't believe me).

My goal of blogging about this is I feel my position now is very similar to many people out there. We have a Pi, we want to build something cool, but we don't know where to start. Well I will try to get this project seen through to completion and along the way blog about the various resources and mistakes I run into that may help you all out there.


So... the first step. I want to get a raspi installed with a *nix build that will support the IO functionality. A basic layout is here. If I can get an LED to turn on and off with a command then that's level 1 completed. The next step will be getting it to drive a motor. Stay tuned :-)