Missing I/Q data for FSK_Messaging_Service example #9

Open
rbdixon opened this issue Jan 22, 2018 · 4 comments
Comments

@rbdixon

rbdixon commented Jan 22, 2018

I'm working on duplicating the examples from Fuzzing the Unfuzzable and ran into some missing parts:

  • FSK_Messaging_Service binary: I built this from the cb-multios repo
  • Valid input data for the test binary. I thought this would be in the cb-multios repo but if it is I've not found it.

My planned contribution is to create a simple test suite (pytest) that mirrors the two blog posts. These are great examples and it would be good to make sure they keep working as the project evolves.

@njv299
Collaborator

njv299 commented Jan 22, 2018

I really like the idea of creating a pytest suite!

You've found my dirty little secret...I had to hack up the 'pov.c' file in the FSK_Messaging_Service binary in order to get a valid IQ input that I could use. I've attached the modified version of pov.c that I used to generate the sample input (no promises on cleanliness, it was a quick hack). You can build this by just dropping it in temporarily over the pov.c that is in the cb-multios repo.

pov_modified.zip

One other potential pitfall is making sure that any addresses used in the PoC unicorn test harness are valid, as I think those could change if the binary is compiled on different systems. This could be mitigated by shipping the binary itself pre-built with the correct addresses.

@rbdixon
Author

rbdixon commented Jan 25, 2018

Thank you. I've got some time next week to put this together.

@LittleSec

Thank you. I built your pov_modified.c and got the new binary. I also want to know how I can use the binary pov_1.pov to generate the sample input. Should I run ./pov_1.pov > output? But the content of this output file looks like a binary file.
I also tried the following commands:

~$ ./FSK_Messaging_Service < ./pov_1.pov # 1st
[[RECEIVER STARTED -- TIMESTAMP: 1453110580]]
[[RECEIVE ERROR]]
~$ ./pov_1.pov | ./FSK_Messaging_Service # 2nd
[[RECEIVER STARTED -- TIMESTAMP: 1453110580]]
Total 12 bytes received and 0 invalid packets.
Displaying 2 received packets:
Displaying packet 0 type 3:
[CONNECT MESSAGE]ASDF connected
Displaying packet 1 type 3:
[CONNECT MESSAGE]ASDF connected
^C # Ctrl+C
~$ ./FSK_Messaging_Service < output # 3rd
[[RECEIVER STARTED -- TIMESTAMP: 1453110580]]
Total 12 bytes received and 0 invalid packets.
Displaying 2 received packets:
Displaying packet 0 type 3:
[CONNECT MESSAGE]ASDF connected
Displaying packet 1 type 3:
[CONNECT MESSAGE]ASDF connected
~$

I think the 2nd and 3rd examples are right, but that is just one valid IQ input, isn't it?

@njv299
Copy link
Collaborator

njv299 commented Nov 29, 2018

It's been a while since I actually ran this so my memory is a bit fuzzy on this, but I believe that you are correct. Generate sample inputs using ./pov_1.pov > output, since the pov binary 'transmits' by writing to stdout. Within the pov.c file, you'll see multiple calls to cgc_transmit_all. I believe that the receiver code parses the output as multiple packets, causing the output that you see above (2 packets on each run).
