From ad29de34a0250cb65cdad35c3703f174f2c40a82 Mon Sep 17 00:00:00 2001 From: robalb <11277482+robalb@users.noreply.github.com> Date: Sat, 18 May 2024 00:37:23 +0200 Subject: [PATCH] general writing revisions --- astro-website/src/pages/posts/camac-cc32.mdx | 51 +++++++++++-------- .../src/pages/posts/pingctf-calc.mdx | 18 +++---- astro-website/src/pages/projects.mdx | 15 ------ 3 files changed, 37 insertions(+), 47 deletions(-) diff --git a/astro-website/src/pages/posts/camac-cc32.mdx b/astro-website/src/pages/posts/camac-cc32.mdx index e65c0e9..dc775df 100644 --- a/astro-website/src/pages/posts/camac-cc32.mdx +++ b/astro-website/src/pages/posts/camac-cc32.mdx @@ -14,17 +14,19 @@ information required to write C programs that interface to CAMAC systems, withou ## What is a CAMAC system? -CAMAC is a [modular crate system](https://en.wikipedia.org/wiki/Modular_crate_electronics) used in the nuclear and particle physics industry for data aquisition.
In practical terms a CAMAC system is a metallic cabinet, called a **CRATE**, in which electronic modules can be inserted. +CAMAC is an ancient [modular crate system](https://en.wikipedia.org/wiki/Modular_crate_electronics) +used in the nuclear and particle physics industry for data aquisition.
+In practical terms a CAMAC system is a metallic cabinet, called a **CRATE**, in which electronic modules can be inserted. -A CRATE has 24 stations, numbered 1-24 in which a module can be inserted.
+A CRATE has 24 stations, numbered 1-24 in which modules can be inserted.
station 25, the rightmost station, is reserved for a **CRATE CONTROLLER** whose purpose is to issue **CAMAC COMMANDS** to the modules and transfer information between a computer and the modules. In this article we are going to focus on a specific CRATE CONTROLLER: the [PCI-CC32](https://manualzz.com/doc/o/a55u3/manual-cc32-controller) -from ARW Elektroniks Which connects to a Linux computer. +from ARW Elektroniks Which connects to a Linux computer. This happens to be the setup in a nuclear physics lab at UniMib. - + _Highlighted in this picture: A CAMAC CRATE in the wild. Station 12, 16, and 21 are occupied by some modules. Station 24-25 is occupied by the CRATE CONTROLLER. You can see the cable that connects it to the computer._ @@ -76,26 +78,22 @@ As always, the way a module reacts to Z, I, or C commands is described in its do ### Controlling a CAMAC crate with a C program -> We are going to assume that the libcc32 library and driver are already correcly installed on your computer. In other words: Someone already installed everything, you only need to figure out how things work. This is common in most lab setups. - +We are starting with the assumption that the libcc32 library and driver are already correcly installed on your computer. +In other words: Someone already set up everything, you only need to figure out how things work. #### connecting to the crate -In Linux everything is represented as a file. That's right, even the internet is a file! You shouldn't be surprised that this includes CAMAC crates.
-When a crate is connected to the computer it appears as a special file in the `/dev` folder, usually called cc32_1. -If you have multiple crates connected to your computer, you will see multiple files in the `/dev` folder. -You can find them by running the command `ls /dev` in a terminal. - -If you've ever written a C program that reads from a file these concepts will be very familiar to you: -Normally, when you want to interact with a file you need to open a connection to it and store it in a special FILE variable, also -referred to as FILE handle. - -Similarly, if you want to interact with a crate you need to open a connection to it and store it in a special CC32_HANDLE variable. +When the libcc32 driver is installed on the computer and a camac crate is connected, +the crate should appear as a special file in the `/dev` folder, usually called cc32_1. +If you have multiple crates connected to your computer, you will see multiple files with a similar name in the `/dev` folder. -In practical terms this can be done with the following code +The first step is therefore to identify the name of the crate. You can do it by running the command `ls /dev`. +In our example the crate is associated to a device file called `cc32_1`. +The next step is to write a c program that connects to that crate, does nothing, then quits. ```c +// program.c #include "libcc32.h" //the device file where your CAMAC CRATE can be accessed @@ -115,7 +113,7 @@ int main(int argc, char *argv){ /* * - * put the rest of the code here + * we'll put the rest of the code here * */ 
@@ -123,15 +121,25 @@ int main(int argc, char *argv){ cc32_close(&handle); } +``` + +This program should compile and close without errors. ``` +gcc program.c -o program + +./program +``` + + #### Read and Write commands Once you have an open connection to the crate, you can use the functions defined in the library to execute two type of commands: - **WRITE** commands: they are composed of N, A, F, and the additional data that you want to write into the selected module.
- Use write commands for all function codes >= 16, even if they don't expect any data: just set the data parameter to 0, it will be ignored. + They are called write commands, but that's just a bad naming choice. You are actually supposed to use them for all + function codes >= 16, even if they don't expect any data: just set the data parameter to 0, it will be ignored. ```c /** Write 16 bits to an adress made out of N,A,F @@ -147,7 +155,8 @@ Once you have an open connection to the crate, you can use the functions defined cc32_write_word(handle, N, A, F, data); ``` - **READ** commands: they are composed of N, A, F, and they return some data from the selected module
- Use read commands for all function codes < 16, even if they don't return any data + They are called read commands, but that's also just a bad naming choice. You are supposed to use them for + all function codes < 16, even if they don't return any data. ```c /** Read 24 bits from an adress made out of N,A,F and get the Q and X responses @@ -168,7 +177,7 @@ Once you have an open connection to the crate, you can use the functions defined Note: This number will never be negative This function may fail at reading data - The reading was successfull only if the Q and X responses are both equal 1 + The reading was successfull only if the Q and X responses are both set to 1 by the function. */ unsigned long data = cc32_read_long_qx(handle, N, A, F, &Q, &X); ``` diff --git a/astro-website/src/pages/posts/pingctf-calc.mdx b/astro-website/src/pages/posts/pingctf-calc.mdx index 692c544..60b2eb4 100644 --- a/astro-website/src/pages/posts/pingctf-calc.mdx +++ b/astro-website/src/pages/posts/pingctf-calc.mdx @@ -113,12 +113,13 @@ Next, we can convert all invalid characters into Unicode sequences: \u{03c}img\u{020}src\u{3d}1\u{020}onerror\u{3d}alert\u{020}\u{3E} = 1+1 ``` -Inject it into the page, and...
+Inject it into the page, and voilĂ  we successfully injected html:
```html
Invalid Identifier name:
``` -Boom! The image is created, but we get a CSP error + +There is only one issue: The image is created, but we get a CSP error ### The correct solution @@ -131,14 +132,9 @@ style-src-elem 'self'; script-src 'self' 'unsafe-eval'; ``` -The policy blocks any kind of attack on the `innerHTML` flaw, including the Identifier trick we covered and other similar ones that exploited returned strings or inconsistencies in parsing comments. - -In the end, the correct solution involved a logic error that made it possible to bypass the AST validation. A full writeup of the exploit is [available here](https://gist.github.com/egonny/4dbf5151f99059ae58cf9390c7cc3830) - -To solve this challenge i lost a lot of time looking at parser inconsistencies without realizing that the CSP was making them completely useless, eventually losing a lot of precious time.
I didn't manage to solve the challenge in time, but I definitely learned some useful lessons along the way. - - - - +The policy blocks any kind of attack on the `innerHTML` flaw, +including the Identifier trick we covered and a similar one that exploited returned strings and inconsistencies in parsing comments. +In the end, the correct solution involved a logic error that made it possible to bypass the AST validation. +A full writeup of the exploit is [available here](https://gist.github.com/egonny/4dbf5151f99059ae58cf9390c7cc3830) diff --git a/astro-website/src/pages/projects.mdx b/astro-website/src/pages/projects.mdx index 04f85cf..36367e9 100644 --- a/astro-website/src/pages/projects.mdx +++ b/astro-website/src/pages/projects.mdx @@ -11,7 +11,6 @@ import Picture from '../components/Picture.astro' import PictureThemed from '../components/PictureThemed.astro' - [Custom vm emulator and debugger](#custom-vm-emulator-and-debugger) -- [This website](#this-website) - [Morse code web radio](#morse-code-web-radio) - [Infrastructure](#infrastructure) - [Students management system](#students-management-system) @@ -40,20 +39,6 @@ required to solve a challenge. At the moment i'm still following the course, and practicing binary exploitation by playing CTFs. All my experiences on this subject are documented [in these articles](/articles/#pwn) -### This website -This website is part of my ongoing effort to enhance my technical writing skills.
-As Stephen King said, 'Writing is refined thinking.' -I believe that strong technical writing directly correlates with better engineering. - -From a technical point of view, although the main focus is on the writing, -I like to customize my articles with interactive elements, taking some extra time to curate -the visual aestethics and the accessibility of the pages. -All the meta-articles about the development of the website are tracked unde the tag [this website](/articles/#this-website). -The base design is a fork of [Tania Rascia's blog](https://github.com/taniarascia/taniarascia.com), -relying heavily on the [new moon](https://github.com/taniarascia/new-moon) dark theme. -The source code is available on [github](https://github.com/robalb/my-website/) - - ### Morse code web radio This is an old project I started in 2018, during my first years of high school.
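Review bot: In the first camac-cc32.mdx hunk (the "What is a CAMAC system?" paragraph) the rewritten line still carries the typo "aquisition"; since the sentence is being touched anyway, make it "data acquisition". In the same hunk "from ARW Elektroniks Which connects to a Linux computer" keeps a capitalized "Which" mid-sentence, and "ancient" is vague where a year or decade for the standard would tell the reader something. The caption context line "Station 24-25 is occupied by the CRATE CONTROLLER" should also read "Stations 24-25 are occupied".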
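Review bot: In the "Controlling a CAMAC crate with a C program" hunk the new sentence still misspells "correcly installed" ("correctly"), and the casing is inconsistent with the rest of the article: "a camac crate" and "write a c program" where the surrounding text writes CAMAC and C. More importantly, the paragraph being removed ("store it in a special CC32_HANDLE variable") was the only introduction of the handle type; the snippet below still ends with `cc32_close(&handle);`, so keep one sentence saying that `handle` is the CC32_HANDLE the connection is stored in, otherwise the reader meets it unexplained.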
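Review bot: In the hunk that adds the compile instructions, the fence that follows "This program should compile and close without errors." reuses the old closing ``` line as its opening fence, so it has no language tag while the other fences visible in this patch are tagged ```c; tag it (e.g. ```sh) so `gcc program.c -o program` is not highlighted as C. "compile and close" also reads oddly for a program that does nothing; "compile and exit" (or "build and run without errors") is clearer. The new write-command text in the same hunk is fine, but the untouched doc-comment just below it still says "Write 16 bits to an adress" ("address").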
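Review bot: In the READ commands hunk the context doc-comment "Read 24 bits from an adress made out of N,A,F" keeps the "adress" typo; for a commit titled "general writing revisions" it is worth sweeping it together with the matching one in the WRITE comment above.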
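Review bot: The edited comment line in the last camac-cc32.mdx hunk still reads "The reading was successfull only if..."; fix to "successful" while the line is being changed. The rewording to "both set to 1 by the function" is an improvement, since it makes clear that Q and X are outputs written through the pointers rather than inputs.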
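Review bot: In the first pingctf-calc.mdx hunk the added line contains "voilĂ ", which is "voilà" mis-encoded (the UTF-8 bytes of "à" read back through a Latin-2 / Windows-1250 code page); check that pingctf-calc.mdx is saved and committed as UTF-8 and restore "voilà", with a comma after it ("and voilà, we successfully injected HTML:"). In the same hunk "html" should be "HTML", and "There is only one issue: The image is created" should use a lowercase "the" after the colon.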
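Review bot: The second projects.mdx hunk deletes the "This website" section and with it the `#this-website` anchor on the projects page; the first hunk removes the matching TOC entry, but the deleted text itself says the meta-articles are tagged under `/articles/#this-website`, so before merging grep the articles (and any nav or footer) for links to `/projects#this-website` that would now dangle.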