# 3. Hanoi
# Challenge Overview

```
OVERVIEW
- This lock is attached to the LockIT Pro HSM-1.
- We have updated the lock firmware to connect with the hardware
  security module.
---
This is Hardware Version B. It contains the Bluetooth connector
built in, and two available ports: the LockIT Pro Deadbolt should
be connected to port 1, and the LockIT Pro HSM-1 should be
connected to port 2.
```
Running the application:

```
Enter the password to continue.
Remember: passwords are between 8 and 16 characters.
> password
Testing if password is valid.
That password is not correct.
```

The input buffer at 0x2400 after entering `password`:

```
2400: 7061 7373 776f 7264 0000 0000 0000 0000 password........
2410: 0000 0000 0000 0000 0000 0000 0000 0000 ................
```
# Solution

Looking at the disassembly shows something interesting:

```
4520 <login>
---
453c: b012 ce45 call #0x45ce <getsn>
4540: 3f40 0024 mov #0x2400, r15
---
455a: f290 ce00 1024 cmp.b #0xce, &0x2410
4560: 0720 jnz $+0x10 <login+0x50>
4562: 3f40 f144 mov #0x44f1 "Access granted.", r15
4566: b012 de45 call #0x45de <puts>
456a: b012 4844 call #0x4448 <unlock_door>
```
The `cmp.b` tests the byte at 0x2410, which is 0x10 bytes after the start of our input buffer at 0x2400, against 0xce. Setting a breakpoint and testing for an overflow in our input, using 0x10 bytes of 0x41 followed by 0xce (`41*0x10+0xce`):

```
Enter the password to continue.
Remember: passwords are between 8 and 16 characters.
> 41414141414141414141414141414141ce
Testing if password is valid.
Access granted.
```
Solves the challenge. Buffer overflows <3
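A model of the root cause and its fix, as an added example that is not code from this writeup or from the lock firmware: the lock's RAM is simulated as a byte array, the length bound passed to getsn is a parameter (the firmware's real bound is not given in the writeup, so 32 is assumed for the vulnerable build), and the same input as above is fed to both the overflowing build and one that caps the read at the 16 characters the prompt promises.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Simulated slice of the lock's RAM from 0x2400: the password buffer is at
 * 0x2400 and the byte tested by `cmp.b #0xce, &0x2410` lies 0x10 bytes later. */
#define MEM_BASE     0x2400u
#define MEM_SIZE     0x40u
#define BUF_ADDR     0x2400u
#define CHECK_ADDR   0x2410u
#define CHECK_VAL    0xceu
#define MAX_PASSWORD 16u   /* the limit the prompt promises */

/* Stand-in for getsn(): copy at most maxlen input bytes to addr. */
static void getsn_sim(uint8_t *mem, unsigned addr, size_t maxlen,
                      const uint8_t *input, size_t input_len)
{
    size_t n = input_len < maxlen ? input_len : maxlen;
    memcpy(mem + (addr - MEM_BASE), input, n);
}

/* Model of login(): read the password into 0x2400, then apply the check on
 * the byte at 0x2410. maxlen is the bound handed to getsn (not stated in
 * the writeup, so the caller picks it). Returns true if the door unlocks. */
bool login_sim(size_t maxlen, const uint8_t *input, size_t input_len)
{
    uint8_t mem[MEM_SIZE];
    memset(mem, 0, sizeof mem);
    getsn_sim(mem, BUF_ADDR, maxlen, input, input_len);
    return mem[CHECK_ADDR - MEM_BASE] == CHECK_VAL;
}

/* The writeup's input: 0x10 bytes of 0x41 ('A') followed by 0xce. */
static const uint8_t OVERFLOW_INPUT[17] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A', 0xce
};

/* Firmware build: getsn bound larger than the buffer (assumed 32 here), so
 * the 17th byte lands on 0x2410 and the check passes with no real password. */
bool firmware_accepts_overflow(void)
{
    return login_sim(32, OVERFLOW_INPUT, sizeof OVERFLOW_INPUT);
}
/* Hardened build: the getsn bound equals the 16-byte limit the prompt states,
 * so 0x2410 is never written by user input and the check fails. */
bool hardened_rejects_overflow(void)
{
    return !login_sim(MAX_PASSWORD, OVERFLOW_INPUT, sizeof OVERFLOW_INPUT);
}
```

The fix is simply to make the bound given to getsn agree with the buffer size the prompt advertises, so no input can reach the byte the comparison depends on.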