RfidResearchGroup / proxmark3

Iceman Fork - Proxmark3
http://www.icedev.se
GNU General Public License v3.0

Buffer overflow crash when writing to files on pentoo #2027

Closed dperret closed 1 year ago

dperret commented 1 year ago

Describe the bug

Writing to files is causing the proxmark3 client to crash on pentoo, with the error message:

*** buffer overflow detected ***: terminated
Aborted

To Reproduce

Each of the 3 commands below caused the client to crash with the same error.

hf mfu dump -k <key>
hf mf autopwn
trace save -f <filename>

Expected behavior

The rest of the commands seem to be working, just not writing the data to a file.

Desktop (please complete the following information):

[usb] pm3 --> hw version

 [ Proxmark3 RFID instrument ]

 [ CLIENT ]
  Iceman/master/v4.16717 2023-06-26 13:10:45 de506fd18
  compiled with............. GCC 12.3.1 20230526
  platform.................. Linux / x86_64
  Readline support.......... present
  QT GUI support............ present
  native BT support......... present
  Python script support..... absent
  Lua SWIG support.......... present
  Python SWIG support....... absent

 [ PROXMARK3 ]
  device.................... RDV4
  firmware.................. RDV4
  external flash............ present
  smartcard reader.......... present
  FPC USART for BT add-on... present

 [ ARM ]
  bootrom: Iceman/master/v4.16717 2023-06-26 13:10:45 de506fd18
       os: Iceman/master/v4.16717 2023-06-26 13:10:45 de506fd18
  compiled with GCC 10.3.1 20210824 (release)

 [ FPGA ] 
  LF image 2s30vq100 2023-05-24 14:12:56
  HF image 2s30vq100 2023-05-26 19:50:53
  HF FeliCa image 2s30vq100 2023-05-24 14:12:58
  HF 15 image 2s30vq100 2023-05-24 14:12:57

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev A
  --= Embedded Processor: ARM7TDMI
  --= Internal SRAM size: 64K bytes
  --= Architecture identifier: AT91SAM7Sxx Series
  --= Embedded flash memory 512K bytes ( 67% used )

[usb] pm3 --> hw status
[#] Memory
[#]   BigBuf_size............. 38708
[#]   Available memory........ 38708
[#] Tracing
[#]   tracing ................ 1
[#]   traceLen ............... 0
[#] Current FPGA image
[#]   mode.................... HF image 2s30vq100 2023-05-26 19:50:53
[#] Flash memory
[#]   Baudrate................ 24 MHz
[#]   Init.................... OK
[#]   Memory size............. 2 mbits / 256 kb
[#]   Unique ID (be).......... 0x26A6A5A782A867D5
[#] Smart card module (ISO 7816)
[#]   version................. v2.06
[#]     Outdated firmware. Please upgrade to v4.x or above.
[#] LF Sampling config
[#]   [q] divisor............. 95 ( 125.00 kHz )
[#]   [b] bits per sample..... 8
[#]   [d] decimation.......... 1
[#]   [a] averaging........... yes
[#]   [t] trigger threshold... 0
[#]   [s] samples to skip..... 0 
[#] 
[#] LF T55XX config
[#]            [r]               [a]   [b]   [c]   [d]   [e]   [f]   [g]
[#]            mode            |start|write|write|write| read|write|write
[#]                            | gap | gap |  0  |  1  | gap |  2  |  3
[#] ---------------------------+-----+-----+-----+-----+-----+-----+------
[#] fixed bit length (default) |  29 |  17 |  15 |  47 |  15 | N/A | N/A | 
[#]     long leading reference |  29 |  17 |  15 |  47 |  15 | N/A | N/A | 
[#]               leading zero |  29 |  17 |  15 |  40 |  15 | N/A | N/A | 
[#]    1 of 4 coding reference |  29 |  17 |  15 |  31 |  15 |  47 |  63 | 
[#] 
[#] HF 14a config
[#]   [a] Anticol override.... std    ( follow standard )
[#]   [b] BCC override........ std    ( follow standard )
[#]   [2] CL2 override........ std    ( follow standard )
[#]   [3] CL3 override........ std    ( follow standard )
[#]   [r] RATS override....... std    ( follow standard )
[#] Transfer Speed
[#]   Sending packets to client...
[#]   Time elapsed................... 500ms
[#]   Bytes transferred.............. 284160
[#]   Transfer Speed PM3 -> Client... 568320 bytes/s
[#] Various
[#]   Max stack usage......... 4088 / 8480 bytes
[#]   Debug log level......... 1 ( error )
[#]   ToSendMax............... -1
[#]   ToSend BUFFERSIZE....... 2308
[#]   Slow clock.............. 29425 Hz
[#] Installed StandAlone Mode
[#]   No standalone mode present
[#] Flash memory dictionary loaded
[#] 
[usb] pm3 --> data tune
[=] ---------- Reminder ------------------------
[=] `hw tune` doesn't actively tune your antennas,
[=] it's only informative.
[=] Measuring antenna characteristics, please wait...
 🕛   9
[=] ---------- LF Antenna ----------
[+] LF antenna: 67.04 V - 125.00 kHz
[+] LF antenna: 33.00 V - 134.83 kHz
[+] LF optimal: 67.04 V - 125.00 kHz
[+] Approx. Q factor (*): 11.7 by frequency bandwidth measurement
[+] Approx. Q factor (*): 11.7 by peak voltage measurement
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 41.72 V - 13.56 MHz
[+] Approx. Q factor (*): 7.3 by peak voltage measurement
[+] HF antenna is OK

(*) Q factor must be measured without tag on the antenna

[+] Displaying LF tuning graph. Divisor 88 (blue) is 134.83 kHz, 95 (red) is 125.00 kHz.

[usb] pm3 --> 

Additional context

When running the same commands on Windows using the prebuilt binaries from https://www.proxmarkbuilds.org/ the client software did not crash, and successfully wrote to files.

iceman1001 commented 1 year ago

I am confused by your actions. You write a MFU card, then run autopwn against the same card?

dperret commented 1 year ago

Sorry, no, those were run against different cards. I ran hf 14a sniff against a MFU card, tried to write the trace and got the crash. I tried to dump that MFU card with the sniffed password and got another crash. I ran autopwn against a completely different mifare classic 1K card.

iceman1001 commented 1 year ago

Try to write down the exact commands which are needed to replicate the bug.

dperret commented 1 year ago

The commands to reproduce the bug were:

With a MFU card and reader

hf 14a sniff -c -r
trace save -f mfutracefile

With the MFU card only

hf mfu dump -k 9FD5E9A9

and with a different MF Classic 1K card only

hf mf autopwn

Here is the terminal output reproducing the bug, showing both the commands and the output from the proxmark3 client.

pentoo ~ # proxmark3 /dev/ttyACM0 
[=] Session log /root/.proxmark3/logs/log_20230709.txt
[+] loaded from JSON file /root/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM0
[=] Communicating with PM3 over USB-CDC

  8888888b.  888b     d888  .d8888b.   
  888   Y88b 8888b   d8888 d88P  Y88b  
  888    888 88888b.d88888      .d88P  
  888   d88P 888Y88888P888     8888"  
  8888888P"  888 Y888P 888      "Y8b.  
  888        888  Y8P  888 888    888  
  888        888   "   888 Y88b  d88P 
  888        888       888  "Y8888P"    [ ☕ ]

Release v4.16717 - seven
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
  [ Proxmark3 RFID instrument ]

    MCU....... AT91SAM7S512 Rev A
    Memory.... 512 KB ( 67% used )

    Client.... Iceman/master/v4.16717 2023-06-26 13:10:45
    Bootrom... Iceman/master/v4.16717 2023-06-26 13:10:45 
    OS........ Iceman/master/v4.16717 2023-06-26 13:10:45 
    Target.... RDV4

[usb] pm3 --> hw version

 [ Proxmark3 RFID instrument ]

 [ CLIENT ]
  Iceman/master/v4.16717 2023-06-26 13:10:45 de506fd18
  compiled with............. GCC 12.3.1 20230526
  platform.................. Linux / x86_64
  Readline support.......... present
  QT GUI support............ present
  native BT support......... present
  Python script support..... absent
  Lua SWIG support.......... present
  Python SWIG support....... absent

 [ PROXMARK3 ]
  device.................... RDV4
  firmware.................. RDV4
  external flash............ present
  smartcard reader.......... present
  FPC USART for BT add-on... present

 [ ARM ]
  bootrom: Iceman/master/v4.16717 2023-06-26 13:10:45 de506fd18
       os: Iceman/master/v4.16717 2023-06-26 13:10:45 de506fd18
  compiled with GCC 10.3.1 20210824 (release)

 [ FPGA ] 
  LF image 2s30vq100 2023-05-24 14:12:56
  HF image 2s30vq100 2023-05-26 19:50:53
  HF FeliCa image 2s30vq100 2023-05-24 14:12:58
  HF 15 image 2s30vq100 2023-05-24 14:12:57

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev A
  --= Embedded Processor: ARM7TDMI
  --= Internal SRAM size: 64K bytes
  --= Architecture identifier: AT91SAM7Sxx Series
  --= Embedded flash memory 512K bytes ( 67% used )

[usb] pm3 --> hw status
[#] Memory
[#]   BigBuf_size............. 38708
[#]   Available memory........ 38708
[#] Tracing
[#]   tracing ................ 1
[#]   traceLen ............... 0
[#] Current FPGA image
[#]   mode.................... HF image 2s30vq100 2023-05-26 19:50:53
[#] Flash memory
[#]   Baudrate................ 24 MHz
[#]   Init.................... OK
[#]   Memory size............. 2 mbits / 256 kb
[#]   Unique ID (be).......... 0x26A6A5A782A867D5
[#] Smart card module (ISO 7816)
[#]   version................. v2.06
[#]     Outdated firmware. Please upgrade to v4.x or above.
[#] LF Sampling config
[#]   [q] divisor............. 95 ( 125.00 kHz )
[#]   [b] bits per sample..... 8
[#]   [d] decimation.......... 1
[#]   [a] averaging........... yes
[#]   [t] trigger threshold... 0
[#]   [s] samples to skip..... 0 
[#] 
[#] LF T55XX config
[#]            [r]               [a]   [b]   [c]   [d]   [e]   [f]   [g]
[#]            mode            |start|write|write|write| read|write|write
[#]                            | gap | gap |  0  |  1  | gap |  2  |  3
[#] ---------------------------+-----+-----+-----+-----+-----+-----+------
[#] fixed bit length (default) |  29 |  17 |  15 |  47 |  15 | N/A | N/A | 
[#]     long leading reference |  29 |  17 |  15 |  47 |  15 | N/A | N/A | 
[#]               leading zero |  29 |  17 |  15 |  40 |  15 | N/A | N/A | 
[#]    1 of 4 coding reference |  29 |  17 |  15 |  31 |  15 |  47 |  63 | 
[#] 
[#] HF 14a config
[#]   [a] Anticol override.... std    ( follow standard )
[#]   [b] BCC override........ std    ( follow standard )
[#]   [2] CL2 override........ std    ( follow standard )
[#]   [3] CL3 override........ std    ( follow standard )
[#]   [r] RATS override....... std    ( follow standard )
[#] Transfer Speed
[#]   Sending packets to client...
[#]   Time elapsed................... 500ms
[#]   Bytes transferred.............. 290304
[#]   Transfer Speed PM3 -> Client... 580608 bytes/s
[#] Various
[#]   Max stack usage......... 4088 / 8480 bytes
[#]   Debug log level......... 1 ( error )
[#]   ToSendMax............... -1
[#]   ToSend BUFFERSIZE....... 2308
[#]   Slow clock.............. 29520 Hz
[#] Installed StandAlone Mode
[#]   No standalone mode present
[#] Flash memory dictionary loaded
[#] 
[usb] pm3 --> hw tune
[=] ---------- Reminder ------------------------
[=] `hw tune` doesn't actively tune your antennas,
[=] it's only informative.
[=] Measuring antenna characteristics, please wait...
 🕛   9
[=] ---------- LF Antenna ----------
[+] LF antenna: 66.47 V - 125.00 kHz
[+] LF antenna: 32.92 V - 134.83 kHz
[+] LF optimal: 66.47 V - 125.00 kHz
[+] Approx. Q factor (*): 11.6 by frequency bandwidth measurement
[+] Approx. Q factor (*): 11.6 by peak voltage measurement
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 41.45 V - 13.56 MHz
[+] Approx. Q factor (*): 7.2 by peak voltage measurement
[+] HF antenna is OK

(*) Q factor must be measured without tag on the antenna

[+] Displaying LF tuning graph. Divisor 88 (blue) is 134.83 kHz, 95 (red) is 125.00 kHz.

[usb] pm3 --> hf 14a sniff -c -r

[#] Starting to sniff. Press PM3 Button to stop.
[#] trace len = 630
[usb] pm3 --> trace list -t mf
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 630 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |       2368 | Tag |44  00                                                                   |     | 
      12336 |      18224 | Tag |88  04  4c  8f  4f                                                       |     | 
      36368 |      39888 | Tag |04  da  17                                                               |  ok | 
      49552 |      55440 | Tag |ba  a0  11  90  9b                                                       |     | 
      73792 |      77376 | Tag |00  fe  51                                                               |  ok | 
      90288 |     129584 | Tag |4a  88  d9  08  97  98  26  f7  79  57  67  aa  b8  aa  12  e8  4d  6f   |     | 
            |            |     |4f  31  a0  55  68  cf  bd  81  85  d5  7d  79  31  52  b0  26           |  ok | 
     149328 |     149328 | Tag |03  20  d1  01  1c  55  02  70  68  69  6c  69  70  73  2e  63  6f  6d   |     | 
            |            |     |2f  6e  66  63  62  72  75  73  68  68  65  61  64  74  61  70  fe  00   |     | 
            |            |     |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00   |     | 
            |            |     |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00   |     | 
            |            |     |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00   |     | 
            |            |     |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00   |     | 
            |            |     |00  01  09  00  00  00  01  02  60  54  32  32  30  37  30  39  20  34   |     | 
            |            |     |33  54  e5  61  02  01  00  00  04  00  ad  2f  7d  04  00  00  00  01   |     | 
            |            |     |73  e0                                                                   |  ok | 
     405456 |     410128 | Tag |b2  52  e9  66                                                           |  ok | 
    3235824 |    3238192 | Tag |44  00                                                                   |     | 
    3248192 |    3254080 | Tag |88  04  4c  8f  4f                                                       |     | 
    3272208 |    3275728 | Tag |04  da  17                                                               |  ok | 
    3285456 |    3291344 | Tag |ba  a0  11  90  9b                                                       |     | 
    3309712 |    3313296 | Tag |00  fe  51                                                               |  ok | 
    6133648 |    6136016 | Tag |44  00                                                                   |     | 
    6146000 |    6151888 | Tag |88  04  4c  8f  4f                                                       |     | 
    6170048 |    6173568 | Tag |04  da  17                                                               |  ok | 
    6183296 |    6189184 | Tag |ba  a0  11  90  9b                                                       |     | 
    6207536 |    6211120 | Tag |00  fe  51                                                               |  ok | 
    9031376 |    9033744 | Tag |44  00                                                                   |     | 
    9043744 |    9049632 | Tag |88  04  4c  8f  4f                                                       |     | 
    9067776 |    9071296 | Tag |04  da  17                                                               |  ok | 
    9081008 |    9086896 | Tag |ba  a0  11  90  9b                                                       |     | 
    9105216 |    9108800 | Tag |00  fe  51                                                               |  ok | 
   11930096 |   11932464 | Tag |44  00                                                                   |     | 
   11942432 |   11948320 | Tag |88  04  4c  8f  4f                                                       |     | 
   11966496 |   11970016 | Tag |04  da  17                                                               |  ok | 
   11979696 |   11985584 | Tag |ba  a0  11  90  9b                                                       |     | 
   12003968 |   12007552 | Tag |00  fe  51                                                               |  ok | 
   14828400 |   14830768 | Tag |44  00                                                                   |     | 
   14840800 |   14846688 | Tag |88  04  4c  8f  4f                                                       |     | 
   14864848 |   14868368 | Tag |04  da  17                                                               |  ok | 
   14878016 |   14883904 | Tag |ba  a0  11  90  9b                                                       |     | 
   17726624 |   17728608 | Tag |28! 20                                                                   |     | 
   17738976 |   17739168 | Tag |01(0)                                                                    |     | 
   17800336 |   17800656 | Tag |03(1)                                                                    |     | 
[usb] pm3 --> hf 14a sniff -c -r

[#] Starting to sniff. Press PM3 Button to stop.
[#] trace len = 1963
[usb] pm3 --> trace list -t mf
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 1963 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |       1056 | Rdr |26(7)                                                                    |     | REQA
   19791268 |   19793636 | Tag |44  00                                                                   |     | 
   19803620 |   19809508 | Tag |88  04  4c  8f  4f                                                       |     | 
   19827684 |   19831204 | Tag |04  da  17                                                               |  ok | 
   19840884 |   19846772 | Tag |ba  a0  11  90  9b                                                       |     | 
   19853392 |   19863856 | Rdr |95  70  ba  a0  11  90  9b  0e  dd                                       |  ok | SELECT_UID-2
   19865108 |   19868692 | Tag |00  fe  51                                                               |  ok | 
   19882004 |   19921300 | Tag |4a  88  d9  08  97  98  26  f7  79  57  67  aa  b8  aa  12  e8  4d  6f   |     | 
            |            |     |4f  31  a0  55  68  cf  bd  81  85  d5  7d  79  31  52  b0  26           |  ok | 
   19932736 |   19938656 | Rdr |3a  04  27  1d  62                                                       |  ok | READ RANGE (4-39)
   19941492 |   19941492 | Tag |03  20  d1  01  1c  55  02  70  68  69  6c  69  70  73  2e  63  6f  6d   |     | 
            |            |     |2f  6e  66  63  62  72  75  73  68  68  65  61  64  74  61  70  fe  00   |     | 
            |            |     |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00   |     | 
            |            |     |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00   |     | 
            |            |     |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00   |     | 
            |            |     |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00   |     | 
            |            |     |00  01  09  00  00  00  01  02  60  54  32  32  30  37  30  39  20  34   |     | 
            |            |     |33  54  e5  61  02  01  00  00  04  00  ad  2f  7d  04  00  00  00  01   |     | 
            |            |     |73  e0                                                                   |  ok | 
   20134208 |   20142432 | Rdr |1b  9f  d5  e9  a9  34  1f                                               |  ok | PWD-AUTH KEY: 0x9FD5E9A9
   20198036 |   20202708 | Tag |b2  52  e9  66                                                           |  ok | 
   23026884 |   23029252 | Tag |44  00                                                                   |     | 
   23039204 |   23045092 | Tag |88  04  4c  8f  4f                                                       |     | 
   23063268 |   23066788 | Tag |04  da  17                                                               |  ok | 
   23072816 |   23073936 | Rdr |95!                                                                      |     | SELECT_XXX-2
   23076468 |   23082356 | Tag |ba  a0  11  90  9b                                                       |     | 
   23100676 |   23104260 | Tag |00  fe  51                                                               |  ok | 
   25924612 |   25926980 | Tag |44  00                                                                   |     | 
   25933360 |   25935824 | Rdr |93  20                                                                   |     | ANTICOLL
   25936996 |   25942884 | Tag |88  04  4c  8f  4f                                                       |     | 
   25961044 |   25964564 | Tag |04  da  17                                                               |  ok | 
   25970608 |   25973072 | Rdr |95  20                                                                   |     | ANTICOLL-2
   25974244 |   25980132 | Tag |ba  a0  11  90  9b                                                       |     | 
   25998468 |   26002052 | Tag |00  fe  51                                                               |  ok | 
   28823412 |   28825780 | Tag |44  00                                                                   |     | 
   28835796 |   28841684 | Tag |88  04  4c  8f  4f                                                       |     | 
   28859844 |   28863364 | Tag |04  da  17                                                               |  ok | 
   28873028 |   28878916 | Tag |ba  a0  11  90  9b                                                       |     | 
   28897268 |   28900852 | Tag |00  fe  51                                                               |  ok | 
   31720836 |   31723204 | Tag |44  00                                                                   |     | 
   31733268 |   31739156 | Tag |88  04  4c  8f  4f                                                       |     | 
   31757284 |   31760804 | Tag |04  da  17                                                               |  ok | 
   31770484 |   31776372 | Tag |ba  a0  11  90  9b                                                       |     | 
   31794724 |   31798308 | Tag |00  fe  51                                                               |  ok | 
   34618932 |   34621300 | Tag |44  00                                                                   |     | 
   34631300 |   34637188 | Tag |88  04  4c  8f  4f                                                       |     | 
   34655364 |   34658884 | Tag |04  da  17                                                               |  ok | 
   34668596 |   34674484 | Tag |ba  a0  11  90  9b                                                       |     | 
   34692836 |   34696420 | Tag |00  fe  51                                                               |  ok | 
   37516404 |   37518772 | Tag |44  00                                                                   |     | 
   37528804 |   37534692 | Tag |88  04  4c  8f  4f                                                       |     | 
   37552836 |   37556356 | Tag |04  da  17                                                               |  ok | 
   37566068 |   37571956 | Tag |ba  a0  11  90  9b                                                       |     | 
   37590308 |   37593892 | Tag |00  fe  51                                                               |  ok | 
   40414212 |   40416580 | Tag |44  00                                                                   |     | 
   40426644 |   40432532 | Tag |88  04  4c  8f  4f                                                       |     | 
   40450660 |   40454180 | Tag |04  da  17                                                               |  ok | 
   40463876 |   40469764 | Tag |ba  a0  11  90  9b                                                       |     | 
   40488132 |   40491716 | Tag |00  fe  51                                                               |  ok | 
   43312100 |   43314468 | Tag |44  00                                                                   |     | 
   43324484 |   43330372 | Tag |88  04  4c  8f  4f                                                       |     | 
   43348532 |   43352052 | Tag |04  da  17                                                               |  ok | 
   43361684 |   43367572 | Tag |ba  a0  11  90  9b                                                       |     | 
   43385908 |   43389492 | Tag |00  fe  51                                                               |  ok | 
   46210036 |   46212404 | Tag |44  00                                                                   |     | 
   46222404 |   46228292 | Tag |88  04  4c  8f  4f                                                       |     | 
   46246436 |   46249956 | Tag |04  da  17                                                               |  ok | 
   46259652 |   46265540 | Tag |ba  a0  11  90  9b                                                       |     | 
   46283876 |   46287460 | Tag |00  fe  51                                                               |  ok | 
   49108500 |   49110868 | Tag |44  00                                                                   |     | 
   49120836 |   49126724 | Tag |88  04  4c  8f  4f                                                       |     | 
   49144868 |   49148388 | Tag |04  da  17                                                               |  ok | 
   49158052 |   49163940 | Tag |ba  a0  11  90  9b                                                       |     | 
   49182292 |   49185876 | Tag |00  fe  51                                                               |  ok | 
   52008164 |   52008356 | Tag |01(0)                                                                    |     | 
   52056404 |   52056596 | Tag |01(0)                                                                    |     | 
   94639540 |   94641908 | Tag |44  00                                                                   |     | 
   94651924 |   94657812 | Tag |88  04  4c  8f  4f                                                       |     | 
   94675956 |   94679476 | Tag |04  da  17                                                               |  ok | 
   94689092 |   94694980 | Tag |ba  a0  11  90  9b                                                       |     | 
   94713332 |   94716916 | Tag |00  fe  51                                                               |  ok | 
   94729940 |   94769236 | Tag |4a  88  d9  08  97  98  26  f7  79  57  67  aa  b8  aa  12  e8  4d  6f   |     | 
            |            |     |4f  31  a0  55  68  cf  bd  81  85  d5  7d  79  31  52  b0  26           |  ok | 
   94788772 |   94788772 | Tag |03  20  d1  01  1c  55  02  70  68  69  6c  69  70  73  2e  63  6f  6d   |     | 
            |            |     |2f  6e  66  63  62  72  75  73  68  68  65  61  64  74  61  70  fe  00   |     | 
            |            |     |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00   |     | 
            |            |     |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00   |     | 
            |            |     |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00   |     | 
            |            |     |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00   |     | 
            |            |     |00  01  09  00  00  00  01  02  60  54  32  32  30  37  30  39  20  34   |     | 
            |            |     |33  54  e5  61  02  01  00  00  04  00  ad  2f  7d  04  00  00  00  01   |     | 
            |            |     |73  e0                                                                   |  ok | 
   95044692 |   95049364 | Tag |b2  52  e9  66                                                           |  ok | 
   97875892 |   97878260 | Tag |44  00                                                                   |     | 
   97888260 |   97894148 | Tag |88  04  4c  8f  4f                                                       |     | 
   97912276 |   97915796 | Tag |04  da  17                                                               |  ok | 
   97925476 |   97931364 | Tag |ba  a0  11  90  9b                                                       |     | 
   97949700 |   97953284 | Tag |00  fe  51                                                               |  ok | 
  100773732 |  100776100 | Tag |44  00                                                                   |     | 
  100786132 |  100792020 | Tag |88  04  4c  8f  4f                                                       |     | 
  100810180 |  100813700 | Tag |04  da  17                                                               |  ok | 
  100823348 |  100829236 | Tag |ba  a0  11  90  9b                                                       |     | 
  100847604 |  100851188 | Tag |00  fe  51                                                               |  ok | 
  103671252 |  103673620 | Tag |44  00                                                                   |     | 
  103683620 |  103689508 | Tag |88  04  4c  8f  4f                                                       |     | 
  103707716 |  103711236 | Tag |04  da  17                                                               |  ok | 
  103720900 |  103726788 | Tag |ba  a0  11  90  9b                                                       |     | 
  103745124 |  103748708 | Tag |00  fe  51                                                               |  ok | 
  155202628 |  155204996 | Tag |44  00                                                                   |     | 
  155214980 |  155220868 | Tag |88  04  4c  8f  4f                                                       |     | 
  155239028 |  155242548 | Tag |04  da  17                                                               |  ok | 
  155252228 |  155258116 | Tag |ba  a0  11  90  9b                                                       |     | 
  155276452 |  155280036 | Tag |00  fe  51                                                               |  ok | 
  155293044 |  155332340 | Tag |4a  88  d9  08  97  98  26  f7  79  57  67  aa  b8  aa  12  e8  4d  6f   |     | 
            |            |     |4f  31  a0  55  68  cf  bd  81  85  d5  7d  79  31  52  b0  26           |  ok | 
  155351860 |  155351860 | Tag |03  20  d1  01  1c  55  02  70  68  69  6c  69  70  73  2e  63  6f  6d   |     | 
            |            |     |2f  6e  66  63  62  72  75  73  68  68  65  61  64  74  61  70  fe  00   |     | 
            |            |     |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00   |     | 
            |            |     |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00   |     | 
            |            |     |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00   |     | 
            |            |     |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00   |     | 
            |            |     |00  01  09  00  00  00  01  02  60  54  32  32  30  37  30  39  20  34   |     | 
            |            |     |33  54  e5  61  02  01  00  00  04  00  ad  2f  7d  04  00  00  00  01   |     | 
            |            |     |73  e0                                                                   |  ok | 
  155607892 |  155612564 | Tag |b2  52  e9  66                                                           |  ok | 
  207080432 |  207082896 | Rdr |93  20                                                                   |     | ANTICOLL
  207096400 |  207106928 | Rdr |93  70  88  04  4c  8f  4f  27  6d                                       |  ok | SELECT_UID
  207117664 |  207120128 | Rdr |95  20                                                                   |     | ANTICOLL-2
  207133840 |  207144304 | Rdr |95  70  ba  a0  11  90  9b  0e  dd                                       |  ok | SELECT_UID-2
  207156192 |  207160960 | Rdr |3c  00  a2  01                                                           |  ok | READ SIG
  207418784 |  207419328 | Rdr |02(3)                                                                    |     | 
  210331888 |  210342416 | Rdr |93  70  88  04  4c  8f  4f  27  6d                                       |  ok | SELECT_UID
  210353200 |  210355664 | Rdr |95  20                                                                   |     | ANTICOLL-2
  210372288 |  210372576 | Rdr |00(1)                                                                    |     | 
  210373952 |  210376672 | Rdr |cc! 4e! 00!                                                              |  !! | 
  210379072 |  210379360 | Rdr |00(1)                                                                    |     | 
[usb] pm3 --> trace save -f mfutracefile
*** buffer overflow detected ***: terminated
Aborted
pentoo ~ # proxmark3 /dev/ttyACM0 
[=] Session log /root/.proxmark3/logs/log_20230709.txt
[+] loaded from JSON file /root/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM0
[=] Communicating with PM3 over USB-CDC

  8888888b.  888b     d888  .d8888b.   
  888   Y88b 8888b   d8888 d88P  Y88b  
  888    888 88888b.d88888      .d88P  
  888   d88P 888Y88888P888     8888"  
  8888888P"  888 Y888P 888      "Y8b.  
  888        888  Y8P  888 888    888  
  888        888   "   888 Y88b  d88P 
  888        888       888  "Y8888P"    [ ☕ ]

Release v4.16717 - seven
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
  [ Proxmark3 RFID instrument ]

    MCU....... AT91SAM7S512 Rev A
    Memory.... 512 KB ( 67% used )

    Client.... Iceman/master/v4.16717 2023-06-26 13:10:45
    Bootrom... Iceman/master/v4.16717 2023-06-26 13:10:45 
    OS........ Iceman/master/v4.16717 2023-06-26 13:10:45 
    Target.... RDV4

[usb] pm3 --> hf mfu info
[!] ⚠️  iso14443a card select failed

[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+]       TYPE: MIFARE Ultralight (MF0ICU1) ( magic  )
[+]        UID: 04 4C 8F BA A0 11 90 
[+]     UID[0]: 04, NXP Semiconductors Germany
[+]       BCC0: 4F ( ok )
[+]       BCC1: 9B ( ok )
[+]   Internal: 48 ( default )
[+]       Lock: FF FF  - 1111111111111111
[+] OneTimePad: E1 10 12 00  - 11100001000100000001001000000000

[=] --- NDEF Message
[+] Capability Container: E1 10 12 00 
[+]   E1: NDEF Magic Number
[+]   10: version 0.1 supported by tag
[+]        : Read access granted without any security / Write access granted without any security
[+]   12: Physical Memory Size: 144 bytes
[+]   12: NDEF Memory Size: 144 bytes
[+]   00: Additional feature information
[+]   00000000
[+]   xxx..... - 00: RFU ( ok )
[+]   ...x.... - 00: don't support special frame
[+]   ....x... - 00: don't support lock block
[+]   .....xx. - 00: RFU ( ok )
[+]   .......x - 00: IC don't support multiple block reads

--- UL-C Configuration
 Higher Lockbits [40/0x28]: 00 03 30 BD  - 0000000000000011
         Counter [41/0x29]: 04 00 00 10  - 0000010000000000
           Auth0 [42/0x2A]: 43 00 00 00  auth byte is out-of-range
           Auth1 [43/0x2B]: 00 00 00 00  read and write access restricted
[=] ------------------------ Fingerprint -----------------------
[=] Reading tag memory...
[#] Can't select card (RC:0)
[!] ⚠️  Failed reading card
[=] ------------------------------------------------------------
[!!] 🚨 Error: tag didn't answer to READ magic
[usb] pm3 --> hf mfu info
[#] Warning: HF field is off, ignoring TransmitFor14443a command
[#] Warning: HF field is off, ignoring TransmitFor14443a command
[!] ⚠️  iso14443a card select failed
[usb] pm3 --> hf mfu info

[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+]       TYPE: NTAG 213C 144bytes (NT2H1311C1DTL)  
[+]        UID: 04 4C 8F BA A0 11 90 
[+]     UID[0]: 04, NXP Semiconductors Germany
[+]       BCC0: 4F ( ok )
[+]       BCC1: 9B ( ok )
[+]   Internal: 48 ( default )
[+]       Lock: FF FF  - 1111111111111111
[+] OneTimePad: E1 10 12 00  - 11100001000100000001001000000000

[=] --- NDEF Message
[+] Capability Container: E1 10 12 00 
[+]   E1: NDEF Magic Number
[+]   10: version 0.1 supported by tag
[+]        : Read access granted without any security / Write access granted without any security
[+]   12: Physical Memory Size: 144 bytes
[+]   12: NDEF Memory Size: 144 bytes
[+]   00: Additional feature information
[+]   00000000
[+]   xxx..... - 00: RFU ( ok )
[+]   ...x.... - 00: don't support special frame
[+]   ....x... - 00: don't support lock block
[+]   .....xx. - 00: RFU ( ok )
[+]   .......x - 00: IC don't support multiple block reads

[=] --- Tag Counter
[=]        [02]: 00 00 00 
[+]             - 00 tearing ( fail )

[=] --- Tag Signature
[=]  IC signature public key name: NXP Public key
[=] IC signature public key value: 04A748B6A632FBEE2C0897702B33BEA1C074998E17B84ACA04FF267E5D2C91F6DC
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: 4A88D908979826F7795767AAB8AA12E84D6F4F31A05568CFBD8185D57D793152
[+]        Signature verification ( successful )

[=] --- Tag Silicon Information
[=]        Wafer Counter: 19018775 ( 0x1223417 )
[=]    Wafer Coordinates: x 76, y 143 (0x4C, 0x8F)
[=]            Test Site: 2

[=] --- Tag Version
[=]        Raw bytes: 00 04 04 02 01 01 0F 03 
[=]        Vendor ID: 04, NXP Semiconductors Germany
[=]     Product type: NTAG
[=]  Product subtype: 02, 50pF
[=]    Major version: 01
[=]    Minor version: 01
[=]             Size: 0F, (256 <-> 128 bytes)
[=]    Protocol type: 03, ISO14443-3 Compliant

[=] --- Tag Configuration
[=]   cfg0 [41/0x29]: 04 00 00 10 
[=]                     - strong modulation mode disabled
[=]                     - page 16 and above need authentication
[=]   cfg1 [42/0x2A]: 43 00 00 00 
[=]                     - Max number of password attempts is 3
[=]                     - NFC counter disabled
[=]                     - NFC counter not protected
[=]                     - user configuration permanently locked
[=]                     - write access is protected with password
[=]                     - 00, Virtual Card Type Identifier is not default
[=]   PWD  [43/0x2B]: 00 00 00 00 - (cannot be read)
[=]   PACK [44/0x2C]: 00 00       - (cannot be read)
[=]   RFU  [44/0x2C]:       00 00 - (cannot be read)
[?] Hint: try `hf mfu pwdgen -r` to get see known pwd gen algo suggestions
[=] ------------------------ Fingerprint -----------------------
[=] Reading tag memory...
[!] ⚠️  iso14443a card select failed
[=] ------------------------------------------------------------

[usb] pm3 --> hf mfu dump -k 9FD5E9A9
[+] TYPE: NTAG 213C 144bytes (NT2H1311C1DTL)  
[+] Reading tag memory...
[#] Cmd Error: card timeout. len: 0
[#] Cmd Error: card timeout. len: 0
[#] Cmd Error: card timeout. len: 0
[#] Cmd Error: card timeout. len: 0
[#] Cmd Error: card timeout. len: 0
[#] Cmd Error: card timeout. len: 0
[#] Cmd Error: card timeout. len: 0
[#] Cmd Error: card timeout. len: 0
[#] Cmd Error: card timeout. len: 0
[#] Cmd Error: card timeout. len: 0
[#] Cmd Error: card timeout. len: 0
[#] Cmd Error: card timeout. len: 0
[#] Cmd Error: card timeout. len: 0
[#] Cmd Error: card timeout. len: 0
[#] Warning: HF field is off, ignoring TransmitFor14443a command
[!] ⚠️  iso14443a card select failed
[#] Warning: HF field is off, ignoring TransmitFor14443a command
[!] ⚠️  iso14443a card select failed
[#] Warning: HF field is off, ignoring TransmitFor14443a command
[!] ⚠️  iso14443a card select failed
[#] Warning: HF field is off, ignoring TransmitFor14443a command

[=] MFU dump file information
[=] -------------------------------------------------------------
[=] Version..... 00 00 00 00 00 00 00 00 
[=] TBD 0....... 00 00 
[=] TBD 1....... 00 
[=] Signature... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
[=]              00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
[=] Counter 0... 00 00 00 
[=] Tearing 0... 00 
[=] Counter 1... 00 00 00 
[=] Tearing 1... 00 
[=] Counter 2... 00 00 00 
[=] Tearing 2... 00 
[=] Max data page... 43 ( 176 bytes )
[=] Header size..... 56 bytes

[=] -------------------------------------------------------------
[=] block#   | data        |lck| ascii
[=] ---------+-------------+---+------
[=]   0/0x00 | 04 4C 8F 4F |   | .L.O
[=]   1/0x01 | BA A0 11 90 |   | ....
[=]   2/0x02 | 9B 48 FF FF |   | .H..
[=]   3/0x03 | E1 10 12 00 | 1 | ....
[=]   4/0x04 | 03 20 D1 01 | 1 | . ..
[=]   5/0x05 | 1C 55 02 70 | 1 | .U.p
[=]   6/0x06 | 68 69 6C 69 | 1 | hili
[=]   7/0x07 | 70 73 2E 63 | 1 | ps.c
[=]   8/0x08 | 6F 6D 2F 6E | 1 | om/n
[=]   9/0x09 | 66 63 62 72 | 1 | fcbr
[=]  10/0x0A | 75 73 68 68 | 1 | ushh
[=]  11/0x0B | 65 61 64 74 | 1 | eadt
[=]  12/0x0C | 61 70 FE 00 | 1 | ap..
[=]  13/0x0D | 00 00 00 00 | 1 | ....
[=]  14/0x0E | 00 00 00 00 | 1 | ....
[=]  15/0x0F | 00 00 00 00 | 1 | ....
[=]  16/0x10 | 00 00 00 00 | 0 | ....
[=]  17/0x11 | 00 00 00 00 | 0 | ....
[=]  18/0x12 | 00 00 00 00 | 0 | ....
[=]  19/0x13 | 00 00 00 00 | 0 | ....
[=]  20/0x14 | 00 00 00 00 | 0 | ....
[=]  21/0x15 | 00 00 00 00 | 0 | ....
[=]  22/0x16 | 00 00 00 00 | 0 | ....
[=]  23/0x17 | 00 00 00 00 | 0 | ....
[=]  24/0x18 | 00 00 00 00 | 0 | ....
[=]  25/0x19 | 00 00 00 00 | 0 | ....
[=]  26/0x1A | 00 00 00 00 | 0 | ....
[=]  27/0x1B | 00 00 00 00 | 0 | ....
[=]  28/0x1C | 00 00 00 00 | 0 | ....
[=]  29/0x1D | 00 00 00 00 | 0 | ....
[=]  30/0x1E | 00 00 00 00 | 0 | ....
[=]  31/0x1F | 00 01 09 00 | 0 | ....
[=]  32/0x20 | 00 00 01 02 | 0 | ....
[=]  33/0x21 | 60 54 32 32 | 0 | `T22
[=]  34/0x22 | 30 37 30 39 | 0 | 0709
[=]  35/0x23 | 20 34 33 54 | 0 |  43T
[=]  36/0x24 | E5 61 02 01 | 0 | .a..
[=]  37/0x25 | 00 00 04 00 | 0 | ....
[=]  38/0x26 | AD 2F 7D 04 | 0 | ./}.
[=]  39/0x27 | 00 00 00 01 | 0 | ....
[=]  40/0x28 | 00 03 30 BD | 0 | ..0.
[=]  41/0x29 | 04 00 00 10 | 0 | ....
[=]  42/0x2A | 43 00 00 00 | 0 | C...
[=]  43/0x2B | 9F D5 E9 A9 | 0 | ....
[=]  44/0x2C | B2 52 00 00 | 0 | .R..
[=] ---------------------------------
[=] Using UID as filename
*** buffer overflow detected ***: terminated
Aborted
pentoo ~ # proxmark3 /dev/ttyACM0 
[=] Session log /root/.proxmark3/logs/log_20230709.txt
[+] loaded from JSON file /root/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM0
[=] Communicating with PM3 over USB-CDC

  8888888b.  888b     d888  .d8888b.   
  888   Y88b 8888b   d8888 d88P  Y88b  
  888    888 88888b.d88888      .d88P  
  888   d88P 888Y88888P888     8888"  
  8888888P"  888 Y888P 888      "Y8b.  
  888        888  Y8P  888 888    888  
  888        888   "   888 Y88b  d88P 
  888        888       888  "Y8888P"    [ ☕ ]

Release v4.16717 - seven
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
  [ Proxmark3 RFID instrument ]

    MCU....... AT91SAM7S512 Rev A
    Memory.... 512 KB ( 67% used )

    Client.... Iceman/master/v4.16717 2023-06-26 13:10:45
    Bootrom... Iceman/master/v4.16717 2023-06-26 13:10:45 
    OS........ Iceman/master/v4.16717 2023-06-26 13:10:45 
    Target.... RDV4

[usb] pm3 --> hf search
 🕕  Searching for ISO14443-A tag...          
[+]  UID: 56 83 80 2B 
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: weak
[#] Auth error
[?] Hint: try `hf mf` commands

[+] Valid ISO 14443-A tag found

[usb] pm3 --> hf mf autopwn                   
[!] ⚠️  no known key was supplied, key recovery might fail
[+] loaded 56 keys from hardcoded default array
[=] running strategy 1
[=] ..
[=] Chunk 4.2s | found 19/32 keys (56)
[=] running strategy 2
[=] ..
[=] Chunk 4.1s | found 19/32 keys (56)
[+] target sector   0 key type B -- found valid key [ FFFFFFFFFFFF ] (used for nested / hardnested attack)
[+] target sector   1 key type A -- found valid key [ 2A2C13CC242A ]
[+] target sector   1 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   5 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   6 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   7 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   8 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   9 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  10 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  11 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  12 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  13 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  14 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] Found 1 key candidates

[+] Target block    0 key type A -- found valid key [ 00AE371F0EE8 ]

[+] target sector   0 key type A -- found valid key [ 00AE371F0EE8 ]
[+] target sector   4 key type A -- found valid key [ 00AE371F0EE8 ]
[+] target sector   5 key type A -- found valid key [ 00AE371F0EE8 ]
[+] target sector   6 key type A -- found valid key [ 00AE371F0EE8 ]
[+] target sector   7 key type A -- found valid key [ 00AE371F0EE8 ]
[+] target sector   8 key type A -- found valid key [ 00AE371F0EE8 ]
[+] target sector   9 key type A -- found valid key [ 00AE371F0EE8 ]
[+] target sector  10 key type A -- found valid key [ 00AE371F0EE8 ]
[+] target sector  11 key type A -- found valid key [ 00AE371F0EE8 ]
[+] target sector  12 key type A -- found valid key [ 00AE371F0EE8 ]
[+] target sector  13 key type A -- found valid key [ 00AE371F0EE8 ]
[+] target sector  14 key type A -- found valid key [ 00AE371F0EE8 ]
[+] target sector  15 key type A -- found valid key [ 00AE371F0EE8 ]

[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | 00AE371F0EE8 | N | FFFFFFFFFFFF | D
[+]  001 | 007 | 2A2C13CC242A | D | FFFFFFFFFFFF | D
[+]  002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  004 | 019 | 00AE371F0EE8 | R | FFFFFFFFFFFF | D
[+]  005 | 023 | 00AE371F0EE8 | R | FFFFFFFFFFFF | D
[+]  006 | 027 | 00AE371F0EE8 | R | FFFFFFFFFFFF | D
[+]  007 | 031 | 00AE371F0EE8 | R | FFFFFFFFFFFF | D
[+]  008 | 035 | 00AE371F0EE8 | R | FFFFFFFFFFFF | D
[+]  009 | 039 | 00AE371F0EE8 | R | FFFFFFFFFFFF | D
[+]  010 | 043 | 00AE371F0EE8 | R | FFFFFFFFFFFF | D
[+]  011 | 047 | 00AE371F0EE8 | R | FFFFFFFFFFFF | D
[+]  012 | 051 | 00AE371F0EE8 | R | FFFFFFFFFFFF | D
[+]  013 | 055 | 00AE371F0EE8 | R | FFFFFFFFFFFF | D
[+]  014 | 059 | 00AE371F0EE8 | R | FFFFFFFFFFFF | D
[+]  015 | 063 | 00AE371F0EE8 | R | FFFFFFFFFFFF | D
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA  )

*** buffer overflow detected ***: terminated
Aborted
pentoo ~ # 
iceman1001 commented 1 year ago

So after bad readings / coupling with your toothbrush, the dump command wanted to use the UID, and then crashed.

[=] Using UID as filename
*** buffer overflow detected ***: terminated
Aborted

And the second time it seems to be almost the same, with autopwn wanting to write files...

dperret commented 1 year ago

Yes, that is correct. I also tried unplugging and replugging the RDV4 to reset it, and running autopwn again against another MF Classic 1K card, and got the same result. I reproduced this behavior on a second machine running pentoo as well.

iceman1001 commented 1 year ago

Can you run gdb?

dperret commented 1 year ago

Yes I can. Running proxmark3 in gdb and reproducing the autopwn crash ended with this output:

*** buffer overflow detected ***: terminated

Thread 5 "WorkerThread" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff23046c0 (LWP 28564)]
0x00007ffff66afa4c in ?? () from /lib64/libc.so.6
(gdb) 
dperret commented 1 year ago

and the backtrace:

(gdb) backtrace
#0  0x00007ffff66afa4c in ?? () from /lib64/libc.so.6
#1  0x00007ffff6660d96 in raise () from /lib64/libc.so.6
#2  0x00007ffff664a87c in abort () from /lib64/libc.so.6
#3  0x00007ffff664b5b7 in ?? () from /lib64/libc.so.6
#4  0x00007ffff673ef3b in __fortify_fail () from /lib64/libc.so.6
#5  0x00007ffff673d766 in __chk_fail () from /lib64/libc.so.6
#6  0x00007ffff673d345 in __snprintf_chk () from /lib64/libc.so.6
#7  0x00005555556c7ebe in snprintf (__fmt=0x55555582c675 "%.*s%s", __n=45, __s=0x7fffe803c546 "") at /usr/include/bits/stdio2.h:54
#8  newfilenamemcopyEx (preferredName=preferredName@entry=0x7fffe803aed0 "hf-mf-5683802B-key.bin", suffix=suffix@entry=0x55555581b07a ".bin", e_save_path=e_save_path@entry=spDump) at src/fileutils.c:221
#9  0x00005555556c973c in createMfcKeyDump (preferredName=preferredName@entry=0x7fffe803aed0 "hf-mf-5683802B-key.bin", sectorsCnt=sectorsCnt@entry=16 '\020', e_sector=e_sector@entry=0x7fffe803ad40) at src/fileutils.c:777
#10 0x000055555563a098 in CmdHF14AMfAutoPWN (Cmd=<optimized out>) at src/cmdhfmf.c:3090
#11 0x00005555556a2f3c in CmdsParse (Commands=0x5555558d23a0 <CommandTable>, Cmd=0x7fffe801c4b6 "autopwn") at src/cmdparser.c:321
#12 0x00005555556a2f3c in CmdsParse (Commands=0x5555558ceb40 <CommandTable>, Cmd=0x7fffe801c4b3 "mf autopwn") at src/cmdparser.c:321
#13 0x00005555556a2f3c in CmdsParse (Commands=Commands@entry=0x5555558d6b40 <CommandTable>, Cmd=Cmd@entry=0x7fffe801c4b0 "hf mf autopwn") at src/cmdparser.c:321
#14 0x00005555556a1e02 in CommandReceived (Cmd=Cmd@entry=0x7fffe801c4b0 "hf mf autopwn") at src/cmdmain.c:365
#15 0x00005555556ed43c in main_loop (script_cmds_file=<optimized out>, script_cmd=<optimized out>, stayInCommandLoop=true) at src/proxmark3.c:404
#16 0x00007ffff6ca567f in ?? () from /usr/lib64/libQt5Core.so.5
#17 0x00007ffff66add14 in ?? () from /lib64/libc.so.6
#18 0x00007ffff672f010 in ?? () from /lib64/libc.so.6
(gdb) 
dperret commented 1 year ago

Here's the crash and backtrace from the mfu dump command:

[usb] pm3 --> hf mfu dump -k 9FD5E9A9
[+] TYPE: NTAG 213C 144bytes (NT2H1311C1DTL)  
[+] Reading tag memory...
[#] Cmd Error: card timeout. len: 0
[#] Cmd Error: card timeout. len: 0
[#] Cmd Error: card timeout. len: 0
[#] Cmd Error: card timeout. len: 0
[#] Cmd Error: card timeout. len: 0
[#] Cmd Error: card timeout. len: 0
[!] ⚠️  iso14443a card select failed
[#] Warning: HF field is off, ignoring TransmitFor14443a command
[#] Warning: HF field is off, ignoring TransmitFor14443a command

[=] MFU dump file information
[=] -------------------------------------------------------------
[=] Version..... 00 00 00 00 00 00 00 00 
[=] TBD 0....... 00 00 
[=] TBD 1....... 00 
[=] Signature... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
[=]              00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
[=] Counter 0... 00 00 00 
[=] Tearing 0... 00 
[=] Counter 1... 00 00 00 
[=] Tearing 1... 00 
[=] Counter 2... 00 00 00 
[=] Tearing 2... BD 
[=] Max data page... 43 ( 176 bytes )
[=] Header size..... 56 bytes

[=] -------------------------------------------------------------
[=] block#   | data        |lck| ascii
[=] ---------+-------------+---+------
[=]   0/0x00 | 04 4C 8F 4F |   | .L.O
[=]   1/0x01 | BA A0 11 90 |   | ....
[=]   2/0x02 | 9B 48 FF FF |   | .H..
[=]   3/0x03 | E1 10 12 00 | 1 | ....
[=]   4/0x04 | 03 20 D1 01 | 1 | . ..
[=]   5/0x05 | 1C 55 02 70 | 1 | .U.p
[=]   6/0x06 | 68 69 6C 69 | 1 | hili
[=]   7/0x07 | 70 73 2E 63 | 1 | ps.c
[=]   8/0x08 | 6F 6D 2F 6E | 1 | om/n
[=]   9/0x09 | 66 63 62 72 | 1 | fcbr
[=]  10/0x0A | 75 73 68 68 | 1 | ushh
[=]  11/0x0B | 65 61 64 74 | 1 | eadt
[=]  12/0x0C | 61 70 FE 00 | 1 | ap..
[=]  13/0x0D | 00 00 00 00 | 1 | ....
[=]  14/0x0E | 00 00 00 00 | 1 | ....
[=]  15/0x0F | 00 00 00 00 | 1 | ....
[=]  16/0x10 | 00 00 00 00 | 0 | ....
[=]  17/0x11 | 00 00 00 00 | 0 | ....
[=]  18/0x12 | 00 00 00 00 | 0 | ....
[=]  19/0x13 | 00 00 00 00 | 0 | ....
[=]  20/0x14 | 00 00 00 00 | 0 | ....
[=]  21/0x15 | 00 00 00 00 | 0 | ....
[=]  22/0x16 | 00 00 00 00 | 0 | ....
[=]  23/0x17 | 00 00 00 00 | 0 | ....
[=]  24/0x18 | 00 00 00 00 | 0 | ....
[=]  25/0x19 | 00 00 00 00 | 0 | ....
[=]  26/0x1A | 00 00 00 00 | 0 | ....
[=]  27/0x1B | 00 00 00 00 | 0 | ....
[=]  28/0x1C | 00 00 00 00 | 0 | ....
[=]  29/0x1D | 00 00 00 00 | 0 | ....
[=]  30/0x1E | 00 00 00 00 | 0 | ....
[=]  31/0x1F | 00 01 09 00 | 0 | ....
[=]  32/0x20 | 00 00 01 02 | 0 | ....
[=]  33/0x21 | 60 54 32 32 | 0 | `T22
[=]  34/0x22 | 30 37 30 39 | 0 | 0709
[=]  35/0x23 | 20 34 33 54 | 0 |  43T
[=]  36/0x24 | E5 61 02 01 | 0 | .a..
[=]  37/0x25 | 00 00 04 00 | 0 | ....
[=]  38/0x26 | AD 2F 7D 04 | 0 | ./}.
[=]  39/0x27 | 00 00 00 01 | 0 | ....
[=]  40/0x28 | 00 03 30 BD | 0 | ..0.
[=]  41/0x29 | 04 00 00 10 | 0 | ....
[=]  42/0x2A | 43 00 00 00 | 0 | C...
[=]  43/0x2B | 9F D5 E9 A9 | 0 | ....
[=]  44/0x2C | B2 52 00 00 | 0 | .R..
[=] ---------------------------------
[=] Using UID as filename
*** buffer overflow detected ***: terminated

Thread 5 "WorkerThread" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff23046c0 (LWP 29535)]
0x00007ffff66afa4c in ?? () from /lib64/libc.so.6
(gdb) backtrace
#0  0x00007ffff66afa4c in ?? () from /lib64/libc.so.6
#1  0x00007ffff6660d96 in raise () from /lib64/libc.so.6
#2  0x00007ffff664a87c in abort () from /lib64/libc.so.6
#3  0x00007ffff664b5b7 in ?? () from /lib64/libc.so.6
#4  0x00007ffff673ef3b in __fortify_fail () from /lib64/libc.so.6
#5  0x00007ffff673d766 in __chk_fail () from /lib64/libc.so.6
#6  0x00007ffff673d345 in __snprintf_chk () from /lib64/libc.so.6
#7  0x00005555556c7ebe in snprintf (__fmt=0x55555582c675 "%.*s%s", __n=53, __s=0x7fffe803d226 "") at /usr/include/bits/stdio2.h:54
#8  newfilenamemcopyEx (preferredName=preferredName@entry=0x7ffff2303010 "hf-mfu-044C8FBAA01190-dump", suffix=suffix@entry=0x55555581b07a ".bin", e_save_path=e_save_path@entry=spDefault) at src/fileutils.c:221
#9  0x00005555556c7f1b in newfilenamemcopy (preferredName=preferredName@entry=0x7ffff2303010 "hf-mfu-044C8FBAA01190-dump", suffix=suffix@entry=0x55555581b07a ".bin") at src/fileutils.c:185
#10 0x00005555556c7f49 in saveFile (preferredName=preferredName@entry=0x7ffff2303010 "hf-mfu-044C8FBAA01190-dump", suffix=suffix@entry=0x55555581b07a ".bin", data=data@entry=0x7ffff2302b97, datalen=datalen@entry=236) at src/fileutils.c:240
#11 0x00005555556cc230 in pm3_save_dump (fn=fn@entry=0x7ffff2303010 "hf-mfu-044C8FBAA01190-dump", d=d@entry=0x7ffff2302b97 "", n=236, jsft=jsft@entry=jsfMfuMemory, blocksize=blocksize@entry=4) at src/fileutils.c:2125
#12 0x000055555565d2ca in CmdHF14AMfUDump (Cmd=<optimized out>) at src/cmdhfmfu.c:2680
#13 0x00005555556a2f3c in CmdsParse (Commands=0x5555558d3360 <CommandTable>, Cmd=0x7fffe803ae27 "dump -k 9FD5E9A9") at src/cmdparser.c:321
#14 0x00005555556a2f3c in CmdsParse (Commands=0x5555558ceb40 <CommandTable>, Cmd=0x7fffe803ae23 "mfu dump -k 9FD5E9A9") at src/cmdparser.c:321
#15 0x00005555556a2f3c in CmdsParse (Commands=Commands@entry=0x5555558d6b40 <CommandTable>, Cmd=Cmd@entry=0x7fffe803ae20 "hf mfu dump -k 9FD5E9A9") at src/cmdparser.c:321
#16 0x00005555556a1e02 in CommandReceived (Cmd=Cmd@entry=0x7fffe803ae20 "hf mfu dump -k 9FD5E9A9") at src/cmdmain.c:365
#17 0x00005555556ed43c in main_loop (script_cmds_file=<optimized out>, script_cmd=<optimized out>, stayInCommandLoop=true) at src/proxmark3.c:404
#18 0x00007ffff6ca567f in ?? () from /usr/lib64/libQt5Core.so.5
#19 0x00007ffff66add14 in ?? () from /lib64/libc.so.6
#20 0x00007ffff672f010 in ?? () from /lib64/libc.so.6
(gdb) 
dperret commented 1 year ago

One more, with the backtrace from trying to save the trace file:

[usb] pm3 --> trace save -f mfutracefile
*** buffer overflow detected ***: terminated

Thread 5 "WorkerThread" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff23046c0 (LWP 29606)]
0x00007ffff66afa4c in ?? () from /lib64/libc.so.6
(gdb) backtrace
#0  0x00007ffff66afa4c in ?? () from /lib64/libc.so.6
#1  0x00007ffff6660d96 in raise () from /lib64/libc.so.6
#2  0x00007ffff664a87c in abort () from /lib64/libc.so.6
#3  0x00007ffff664b5b7 in ?? () from /lib64/libc.so.6
#4  0x00007ffff673ef3b in __fortify_fail () from /lib64/libc.so.6
#5  0x00007ffff673d766 in __chk_fail () from /lib64/libc.so.6
#6  0x00007ffff673d345 in __snprintf_chk () from /lib64/libc.so.6
#7  0x00005555556c7ebe in snprintf (__fmt=0x55555582c675 "%.*s%s", __n=41, __s=0x7fffe803ca76 "") at /usr/include/bits/stdio2.h:54
#8  newfilenamemcopyEx (preferredName=preferredName@entry=0x7ffff2303510 "mfutracefile", suffix=suffix@entry=0x55555581be30 ".trace", e_save_path=e_save_path@entry=spDefault) at src/fileutils.c:221
#9  0x00005555556c7f1b in newfilenamemcopy (preferredName=preferredName@entry=0x7ffff2303510 "mfutracefile", suffix=suffix@entry=0x55555581be30 ".trace") at src/fileutils.c:185
#10 0x00005555556c7f49 in saveFile (preferredName=preferredName@entry=0x7ffff2303510 "mfutracefile", suffix=suffix@entry=0x55555581be30 ".trace", data=0x7fffe803c400, datalen=1637) at src/fileutils.c:240
#11 0x00005555556a7f46 in CmdTraceSave (Cmd=<optimized out>) at src/cmdtrace.c:1129
#12 0x00005555556a2f3c in CmdsParse (Commands=0x5555558d7880 <CommandTable>, Cmd=0x7fffe803bd86 "save -f mfutracefile") at src/cmdparser.c:321
#13 0x00005555556a2f3c in CmdsParse (Commands=Commands@entry=0x5555558d6b40 <CommandTable>, Cmd=Cmd@entry=0x7fffe803bd80 "trace save -f mfutracefile") at src/cmdparser.c:321
#14 0x00005555556a1e02 in CommandReceived (Cmd=Cmd@entry=0x7fffe803bd80 "trace save -f mfutracefile") at src/cmdmain.c:365
#15 0x00005555556ed43c in main_loop (script_cmds_file=<optimized out>, script_cmd=<optimized out>, stayInCommandLoop=true) at src/proxmark3.c:404
#16 0x00007ffff6ca567f in ?? () from /usr/lib64/libQt5Core.so.5
#17 0x00007ffff66add14 in ?? () from /lib64/libc.so.6
#18 0x00007ffff672f010 in ?? () from /lib64/libc.so.6
(gdb) 
iceman1001 commented 1 year ago

Somewhere around there...

 newfilenamemcopyEx (preferredName=preferredName@entry=0x7ffff2303010 "hf-mfu-044C8FBAA01190-dump", suffix=suffix@entry=0x55555581b07a ".bin", e_save_path=e_save_path@entry=spDefault) at src/fileutils.c:221
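The frame quoted above is the `snprintf(..., "%.*s%s", ...)` call that `__snprintf_chk` rejected. As an added illustration (my own code, not anything from the proxmark3 repository), here is a suffix-appending filename builder written so that the size argument handed to `snprintf` is exactly the capacity of the destination buffer, which is the invariant glibc's `_FORTIFY_SOURCE` check enforces; `build_filename`, `str_endswith_` and `filename_equals` are names I chose, and the sample names are taken from the backtraces in this thread.

```c
/*
 * Added example, not proxmark3 code.
 *
 * With _FORTIFY_SOURCE, snprintf() becomes __snprintf_chk(), which compares
 * the size argument against the size the compiler knows the destination
 * object to have. If the size argument is LARGER than the object, it calls
 * __chk_fail() -> __fortify_fail() -> abort() and prints
 * "*** buffer overflow detected ***", even when the formatted text itself
 * would have fit. That is exactly the frame sequence in the backtraces
 * above (snprintf -> __snprintf_chk -> __chk_fail -> __fortify_fail -> abort).
 *
 * The defensive rule: compute the capacity once, allocate with it, and pass
 * that same value as the snprintf size argument. Never pass a size that is
 * derived from the inputs independently of the allocation.
 */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* True when s ends with suffix. Both arguments must be non-NULL. */
static bool str_endswith_(const char *s, const char *suffix) {
    size_t slen = strlen(s);
    size_t xlen = strlen(suffix);
    return xlen <= slen && memcmp(s + slen - xlen, suffix, xlen) == 0;
}

/*
 * Returns a newly allocated "<name><suffix>". If name already ends with
 * suffix (e.g. "hf-mf-5683802B-key.bin" + ".bin") the suffix is not
 * duplicated. The caller frees the result. Returns NULL on bad input,
 * allocation failure, or an unexpected snprintf result.
 */
char *build_filename(const char *name, const char *suffix) {
    if (name == NULL || suffix == NULL) {
        return NULL;
    }

    size_t namelen = strlen(name);
    size_t suffixlen = strlen(suffix);

    /* Keep only the part of name before an already-present suffix. */
    if (str_endswith_(name, suffix)) {
        namelen -= suffixlen;
    }

    /* "%.*s" takes an int precision; refuse anything that would not fit. */
    if (namelen > (size_t) INT_MAX) {
        return NULL;
    }

    /* One capacity value drives both the allocation and the snprintf
       size argument. This is the invariant __snprintf_chk verifies. */
    size_t cap = namelen + suffixlen + 1; /* +1 for the terminating NUL */
    char *out = calloc(cap, 1);
    if (out == NULL) {
        return NULL;
    }

    int written = snprintf(out, cap, "%.*s%s", (int) namelen, name, suffix);

    /* Belt and braces: a negative value is an encoding error, and a value
       >= cap means the output was truncated (which our sizing rules out). */
    if (written < 0 || (size_t) written >= cap) {
        free(out);
        return NULL;
    }
    return out;
}

/* Convenience for checks: build, compare to expected, free, report. */
static bool filename_equals(const char *name, const char *suffix,
                            const char *expected) {
    char *fn = build_filename(name, suffix);
    if (fn == NULL) {
        return false;
    }
    bool ok = (strcmp(fn, expected) == 0);
    free(fn);
    return ok;
}

int main(void) {
    /* Names from the backtraces in this thread, fed through the builder. */
    const char *cases[][2] = {
        { "hf-mf-5683802B-key.bin",      ".bin"   },
        { "hf-mfu-044C8FBAA01190-dump",  ".bin"   },
        { "mfutracefile",                ".trace" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char *fn = build_filename(cases[i][0], cases[i][1]);
        printf("%-28s + %-6s -> %s\n", cases[i][0], cases[i][1],
               fn ? fn : "(error)");
        free(fn);
    }
    return 0;
}
```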
iceman1001 commented 1 year ago

I pushed a fix. If you pull latest, compile and test, let's see if it still complains.

dperret commented 1 year ago

Still crashing, at least during autopwn:

(gdb) run /dev/ttyACM0
Starting program: /home/redbaron/source/proxmark3/client/proxmark3 /dev/ttyACM0
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[=] Session log /root/.proxmark3/logs/log_20230710.txt
[+] loaded from JSON file /root/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM0
[New Thread 0x7ffff40d76c0 (LWP 11595)]
[=] Communicating with PM3 over USB-CDC

  8888888b.  888b     d888  .d8888b.   
  888   Y88b 8888b   d8888 d88P  Y88b  
  888    888 88888b.d88888      .d88P  
  888   d88P 888Y88888P888     8888"  
  8888888P"  888 Y888P 888      "Y8b.  
  888        888  Y8P  888 888    888  
  888        888   "   888 Y88b  d88P 
  888        888       888  "Y8888P"    [ ☕ ]

[New Thread 0x7ffff33266c0 (LWP 11596)]
[Detaching after fork from child process 11597]
[New Thread 0x7ffff2b256c0 (LWP 11598)]
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
[New Thread 0x7ffff127c6c0 (LWP 11599)]
  [ Proxmark3 RFID instrument ]

    MCU....... AT91SAM7S512 Rev A
    Memory.... 512 KB ( 67% used )

    Client.... Iceman/master/v4.16717-63-g17be2f6c3 2023-07-09 19:56:01
    Bootrom... Iceman/master/v4.16717-63-g17be2f6c3 2023-07-09 19:55:56 
    OS........ Iceman/master/v4.16717-63-g17be2f6c3 2023-07-09 19:56:05 
    Target.... RDV4

[usb] pm3 --> hf mf autopwn
[!] ⚠️  no known key was supplied, key recovery might fail
[+] loaded 56 keys from hardcoded default array
[=] running strategy 1
[=] .
[=] Chunk 2.7s | found 31/32 keys (56)
[=] running strategy 2
[=] .
[=] Chunk 2.6s | found 28/32 keys (56)
[+] target sector   0 key type A -- found valid key [ FFFFFFFFFFFF ] (used for nested / hardnested attack)
[+] target sector   0 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   1 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   1 key type B -- found valid key [ 2A2C13CC242A ]
[+] target sector   2 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   5 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   5 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   6 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   6 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   7 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   7 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   8 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   8 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   9 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   9 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  10 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  10 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  11 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  11 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  12 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  12 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  13 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  13 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  14 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  14 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type B -- found valid key [ FFFFFFFFFFFF ]

[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  001 | 007 | FFFFFFFFFFFF | D | 2A2C13CC242A | D
[+]  002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  005 | 023 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  006 | 027 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  007 | 031 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  008 | 035 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  009 | 039 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  010 | 043 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  011 | 047 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  012 | 051 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  013 | 055 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  014 | 059 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  015 | 063 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA  )

*** buffer overflow detected ***: terminated

Thread 5 "WorkerThread" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff127c6c0 (LWP 11599)]
0x00007ffff66afa4c in ?? () from /lib64/libc.so.6
(gdb) backtrace
#0  0x00007ffff66afa4c in  () at /lib64/libc.so.6
#1  0x00007ffff6660d96 in raise () at /lib64/libc.so.6
#2  0x00007ffff664a87c in abort () at /lib64/libc.so.6
#3  0x00007ffff664b5b7 in  () at /lib64/libc.so.6
#4  0x00007ffff673ef3b in  () at /lib64/libc.so.6
#5  0x00007ffff673d766 in  () at /lib64/libc.so.6
#6  0x00007ffff673d345 in __snprintf_chk () at /lib64/libc.so.6
#7  0x00005555557250b1 in snprintf (__fmt=0x5555558facdb "%.*s%s", __n=50, __s=0x7fffe803c456 "") at /usr/include/bits/stdio2.h:54
#8  newfilenamemcopyEx (preferredName=preferredName@entry=0x7fffe803af40 "hf-mf-3631862B-key.bin", suffix=suffix@entry=0x5555558e8fee ".bin", e_save_path=e_save_path@entry=spDump) at src/fileutils.c:221
#9  0x0000555555727141 in createMfcKeyDump (preferredName=preferredName@entry=0x7fffe803af40 "hf-mf-3631862B-key.bin", sectorsCnt=sectorsCnt@entry=16 '\020', e_sector=e_sector@entry=0x7fffe803adb0) at src/fileutils.c:777
#10 0x0000555555658567 in CmdHF14AMfAutoPWN (Cmd=<optimized out>) at src/cmdhfmf.c:3097
#11 0x00005555556ef25e in CmdsParse (Commands=0x5555559a82c0 <CommandTable>, Cmd=0x7fffe801c526 "autopwn") at src/cmdparser.c:321
#12 0x00005555556ef25e in CmdsParse (Commands=0x5555559a4b00 <CommandTable>, Cmd=0x7fffe801c523 "mf autopwn") at src/cmdparser.c:321
#13 0x00005555556ef25e in CmdsParse (Commands=Commands@entry=0x5555559ac920 <CommandTable>, Cmd=Cmd@entry=0x7fffe801c520 "hf mf autopwn") at src/cmdparser.c:321
#14 0x00005555556edd23 in CommandReceived (Cmd=Cmd@entry=0x7fffe801c520 "hf mf autopwn") at src/cmdmain.c:365
#15 0x000055555575dba5 in main_loop (script_cmds_file=<optimized out>, script_cmd=<optimized out>, stayInCommandLoop=true) at src/proxmark3.c:404
#16 0x00007ffff6ca567f in  () at /usr/lib64/libQt5Core.so.5
#17 0x00007ffff66add14 in  () at /lib64/libc.so.6
#18 0x00007ffff672f010 in  () at /lib64/libc.so.6
(gdb) 
dperret commented 1 year ago

And the mfu dump

[usb] pm3 --> hf mfu dump -k 9FD5E9A9
[+] TYPE: NTAG 213C 144bytes (NT2H1311C1DTL)  
[+] Reading tag memory...
[#] Cmd Error: card timeout. len: 0
[#] Cmd Error: card timeout. len: 0
[#] Cmd Error: card timeout. len: 0
[#] Cmd Error: card timeout. len: 0
[!] ⚠️  iso14443a card select failed
[#] Warning: HF field is off, ignoring TransmitFor14443a command
[!] ⚠️  iso14443a card select failed
[#] Warning: HF field is off, ignoring TransmitFor14443a command

[=] MFU dump file information
[=] -------------------------------------------------------------
[=] Version..... 00 00 00 00 00 00 00 00 
[=] TBD 0....... 00 00 
[=] TBD 1....... 00 
[=] Signature... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
[=]              00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
[=] Counter 0... 00 00 00 
[=] Tearing 0... 00 
[=] Counter 1... 00 00 00 
[=] Tearing 1... 00 
[=] Counter 2... 00 00 00 
[=] Tearing 2... BD 
[=] Max data page... 43 ( 176 bytes )
[=] Header size..... 56 bytes

[=] -------------------------------------------------------------
[=] block#   | data        |lck| ascii
[=] ---------+-------------+---+------
[=]   0/0x00 | 04 4C 8F 4F |   | .L.O
[=]   1/0x01 | BA A0 11 90 |   | ....
[=]   2/0x02 | 9B 48 FF FF |   | .H..
[=]   3/0x03 | E1 10 12 00 | 1 | ....
[=]   4/0x04 | 03 20 D1 01 | 1 | . ..
[=]   5/0x05 | 1C 55 02 70 | 1 | .U.p
[=]   6/0x06 | 68 69 6C 69 | 1 | hili
[=]   7/0x07 | 70 73 2E 63 | 1 | ps.c
[=]   8/0x08 | 6F 6D 2F 6E | 1 | om/n
[=]   9/0x09 | 66 63 62 72 | 1 | fcbr
[=]  10/0x0A | 75 73 68 68 | 1 | ushh
[=]  11/0x0B | 65 61 64 74 | 1 | eadt
[=]  12/0x0C | 61 70 FE 00 | 1 | ap..
[=]  13/0x0D | 00 00 00 00 | 1 | ....
[=]  14/0x0E | 00 00 00 00 | 1 | ....
[=]  15/0x0F | 00 00 00 00 | 1 | ....
[=]  16/0x10 | 00 00 00 00 | 0 | ....
[=]  17/0x11 | 00 00 00 00 | 0 | ....
[=]  18/0x12 | 00 00 00 00 | 0 | ....
[=]  19/0x13 | 00 00 00 00 | 0 | ....
[=]  20/0x14 | 00 00 00 00 | 0 | ....
[=]  21/0x15 | 00 00 00 00 | 0 | ....
[=]  22/0x16 | 00 00 00 00 | 0 | ....
[=]  23/0x17 | 00 00 00 00 | 0 | ....
[=]  24/0x18 | 00 00 00 00 | 0 | ....
[=]  25/0x19 | 00 00 00 00 | 0 | ....
[=]  26/0x1A | 00 00 00 00 | 0 | ....
[=]  27/0x1B | 00 00 00 00 | 0 | ....
[=]  28/0x1C | 00 00 00 00 | 0 | ....
[=]  29/0x1D | 00 00 00 00 | 0 | ....
[=]  30/0x1E | 00 00 00 00 | 0 | ....
[=]  31/0x1F | 00 01 09 00 | 0 | ....
[=]  32/0x20 | 00 00 01 02 | 0 | ....
[=]  33/0x21 | 60 54 32 32 | 0 | `T22
[=]  34/0x22 | 30 37 30 39 | 0 | 0709
[=]  35/0x23 | 20 34 33 54 | 0 |  43T
[=]  36/0x24 | E5 61 02 01 | 0 | .a..
[=]  37/0x25 | 00 00 04 00 | 0 | ....
[=]  38/0x26 | AD 2F 7D 04 | 0 | ./}.
[=]  39/0x27 | 00 00 00 01 | 0 | ....
[=]  40/0x28 | 00 03 30 BD | 0 | ..0.
[=]  41/0x29 | 04 00 00 10 | 0 | ....
[=]  42/0x2A | 43 00 00 00 | 0 | C...
[=]  43/0x2B | 9F D5 E9 A9 | 0 | ....
[=]  44/0x2C | 00 00 00 00 | 0 | ....
[=] ---------------------------------
[=] Using UID as filename
*** buffer overflow detected ***: terminated

Thread 5 "WorkerThread" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff127c6c0 (LWP 11627)]
0x00007ffff66afa4c in ?? () from /lib64/libc.so.6
(gdb) backtrace
#0  0x00007ffff66afa4c in  () at /lib64/libc.so.6
#1  0x00007ffff6660d96 in raise () at /lib64/libc.so.6
#2  0x00007ffff664a87c in abort () at /lib64/libc.so.6
#3  0x00007ffff664b5b7 in  () at /lib64/libc.so.6
#4  0x00007ffff673ef3b in  () at /lib64/libc.so.6
#5  0x00007ffff673d766 in  () at /lib64/libc.so.6
#6  0x00007ffff673d345 in __snprintf_chk () at /lib64/libc.so.6
#7  0x00005555557250b1 in snprintf (__fmt=0x5555558facdb "%.*s%s", __n=58, __s=0x7fffe803ba96 "") at /usr/include/bits/stdio2.h:54
#8  newfilenamemcopyEx (preferredName=0x7ffff127afa0 "hf-mfu-044C8FBAA01190-dump", preferredName@entry=0xec <error: Cannot access memory at address 0xec>, suffix=suffix@entry=0x5555558e8fee ".bin", e_save_path=e_save_path@entry=spDefault) at src/fileutils.c:221
#9  0x00005555557251bd in newfilenamemcopy (suffix=0x5555558e8fee ".bin", preferredName=0xec <error: Cannot access memory at address 0xec>) at src/fileutils.c:185
#10 saveFile (preferredName=preferredName@entry=0x7ffff127afa0 "hf-mfu-044C8FBAA01190-dump", suffix=suffix@entry=0x5555558e8fee ".bin", data=data@entry=0x7ffff127ab20, datalen=datalen@entry=236) at src/fileutils.c:240
#11 0x0000555555729c57 in pm3_save_dump (fn=fn@entry=0x7ffff127afa0 "hf-mfu-044C8FBAA01190-dump", d=d@entry=0x7ffff127ab20 "", n=236, jsft=jsft@entry=jsfMfuMemory, blocksize=blocksize@entry=4) at src/fileutils.c:2125
#12 0x000055555568f0cc in CmdHF14AMfUDump (Cmd=<optimized out>) at src/cmdhfmfu.c:2680
#13 0x00005555556ef25e in CmdsParse (Commands=0x5555559a9180 <CommandTable>, Cmd=0x7fffe803ba77 "dump -k 9FD5E9A9") at src/cmdparser.c:321
#14 0x00005555556ef25e in CmdsParse (Commands=0x5555559a4b00 <CommandTable>, Cmd=0x7fffe803ba73 "mfu dump -k 9FD5E9A9") at src/cmdparser.c:321
#15 0x00005555556ef25e in CmdsParse (Commands=Commands@entry=0x5555559ac920 <CommandTable>, Cmd=Cmd@entry=0x7fffe803ba70 "hf mfu dump -k 9FD5E9A9") at src/cmdparser.c:321
#16 0x00005555556edd23 in CommandReceived (Cmd=Cmd@entry=0x7fffe803ba70 "hf mfu dump -k 9FD5E9A9") at src/cmdmain.c:365
#17 0x000055555575dba5 in main_loop (script_cmds_file=<optimized out>, script_cmd=<optimized out>, stayInCommandLoop=true) at src/proxmark3.c:404
#18 0x00007ffff6ca567f in  () at /usr/lib64/libQt5Core.so.5
#19 0x00007ffff66add14 in  () at /lib64/libc.so.6
#20 0x00007ffff672f010 in  () at /lib64/libc.so.6
(gdb) 
iceman1001 commented 1 year ago

I am curious, the reserved space should be more than enough now. What are your default paths set to?

pref show

dperret commented 1 year ago
[usb] pm3 --> pref show

[=] Using /root/.proxmark3/preferences.json
[=] Current settings
[=]     emoji.................. emoji
[=]     hints.................. on
[=]     color.................. ansi
[=]     Plot window............ X   10 Y   56 H  400 W  800
[=]     Slider/Overlay window.. X   10 Y  490 H  200 W  800
[=]     default save path...... /root
[=]     dump save path......... /root
[=]     trace save path........ /root
[=]     client debug........... off
[=]     show plot sliders...... on
[=]     barmode................ value
[=]     Cmd execution delay.... 0
[=]     output................. normal

[usb] pm3 --> 
iceman1001 commented 1 year ago

I pushed another fix. Pull latest and compile. I am having a hard time seeing how your values would have generated any overflows.

You would need to go into that frame when backtracking and look at the variables.

dperret commented 1 year ago

Trying to step through to where it crashes:

~/source/proxmark3 $ sudo gdb ./client/proxmark3 
GNU gdb (Gentoo 13.2 vanilla) 13.2
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./client/proxmark3...
(gdb) break newfilenamemcopyEx
Breakpoint 1 at 0x1d0f60: file src/fileutils.c, line 188.
(gdb) run /dev/ttyACM0
Starting program: /home/redbaron/source/proxmark3/client/proxmark3 /dev/ttyACM0
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[=] Session log /root/.proxmark3/logs/log_20230710.txt
[+] loaded from JSON file /root/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM0
[New Thread 0x7ffff40d76c0 (LWP 22323)]
[=] Communicating with PM3 over USB-CDC

  8888888b.  888b     d888  .d8888b.   
  888   Y88b 8888b   d8888 d88P  Y88b  
  888    888 88888b.d88888      .d88P  
  888   d88P 888Y88888P888     8888"  
  8888888P"  888 Y888P 888      "Y8b.  
  888        888  Y8P  888 888    888  
  888        888   "   888 Y88b  d88P 
  888        888       888  "Y8888P"    [ ☕ ]

[New Thread 0x7ffff33266c0 (LWP 22324)]
[Detaching after fork from child process 22325]
[New Thread 0x7ffff2b256c0 (LWP 22326)]
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
[New Thread 0x7ffff127c6c0 (LWP 22329)]
  [ Proxmark3 RFID instrument ]

    MCU....... AT91SAM7S512 Rev A
    Memory.... 512 KB ( 67% used )

    Client.... Iceman/master/v4.16717-64-g588dea400 2023-07-10 02:49:32
    Bootrom... Iceman/master/v4.16717-64-g588dea400 2023-07-10 02:49:27 
    OS........ Iceman/master/v4.16717-64-g588dea400 2023-07-10 02:49:36 
    Target.... RDV4

[usb] pm3 --> hf mf autopwn
[!] ⚠️  iso14443a card select failed
[usb] pm3 --> hf mf autopwn
[!] ⚠️  iso14443a card select failed
[usb] pm3 --> hf mf autopwn
[!] ⚠️  no known key was supplied, key recovery might fail
[+] loaded 56 keys from hardcoded default array
[=] running strategy 1
[=] Chunk 1.0s | found 32/32 keys (56)
[+] target sector   0 key type A -- found valid key [ FFFFFFFFFFFF ] (used for nested / hardnested attack)
[+] target sector   0 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   1 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   1 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   5 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   5 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   6 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   6 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   7 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   7 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   8 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   8 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   9 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   9 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  10 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  10 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  11 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  11 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  12 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  12 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  13 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  13 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  14 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  14 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type B -- found valid key [ FFFFFFFFFFFF ]

[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  001 | 007 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  005 | 023 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  006 | 027 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  007 | 031 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  008 | 035 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  009 | 039 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  010 | 043 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  011 | 047 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  012 | 051 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  013 | 055 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  014 | 059 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  015 | 063 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA  )

[Switching to Thread 0x7ffff127c6c0 (LWP 22329)]

Thread 5 "WorkerThread" hit Breakpoint 1, newfilenamemcopyEx (preferredName=preferredName@entry=0x7fffe803b120 "hf-mf-3631862B-key.bin", suffix=suffix@entry=0x5555558e8fee ".bin", e_save_path=e_save_path@entry=spDump) at src/fileutils.c:188
188 char *newfilenamemcopyEx(const char *preferredName, const char *suffix, savePaths_t e_save_path) {
(gdb) s
189     if (preferredName == NULL || suffix == NULL) {
(gdb) s
200     char *fileName = (char *) calloc(len, sizeof(uint8_t));
(gdb) s
201     if (fileName == NULL) {
(gdb) s
208     int save_path_len = path_size(e_save_path);
(gdb) s
path_size (a=spDump) at src/fileutils.c:178
178     if (a == spItemCount) {
(gdb) s
181     return strlen(g_session.defaultPaths[a]);
(gdb) s
208     int save_path_len = path_size(e_save_path);
(gdb) s
0x0000555555724fd3 in path_size (a=spDump) at src/fileutils.c:181
181     return strlen(g_session.defaultPaths[a]);
(gdb) s
newfilenamemcopyEx (preferredName=preferredName@entry=0x7fffe803b120 "hf-mf-3631862B-key.bin", suffix=suffix@entry=0x5555558e8fee ".bin", e_save_path=e_save_path@entry=spDump) at src/fileutils.c:209
209     if (save_path_len) {
(gdb) s
210         snprintf(pfn, len, "%s%s", g_session.defaultPaths[e_save_path], PATHSEP);
(gdb) s
snprintf (__fmt=0x555555881e11 "%s%s", __n=2000, __s=0x7fffe803b560 "") at /usr/include/bits/stdio2.h:54
54    return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
(gdb) s
210         snprintf(pfn, len, "%s%s", g_session.defaultPaths[e_save_path], PATHSEP);
(gdb) s
0x00005555557250df in snprintf (__fmt=0x555555881e11 "%s%s", __n=2000, __s=0x7fffe803b560 "") at /usr/include/bits/stdio2.h:54
54    return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
(gdb) s
210         snprintf(pfn, len, "%s%s", g_session.defaultPaths[e_save_path], PATHSEP);
(gdb) s
0x00005555557250f2 in snprintf (__fmt=0x555555881e11 "%s%s", __n=2000, __s=0x7fffe803b560 "") at /usr/include/bits/stdio2.h:54
54    return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
(gdb) s
newfilenamemcopyEx (preferredName=preferredName@entry=0x7fffe803b120 "hf-mf-3631862B-key.bin", suffix=suffix@entry=0x5555558e8fee ".bin", e_save_path=e_save_path@entry=spDump) at src/fileutils.c:211
211         pfn += save_path_len + strlen(PATHSEP);
(gdb) s
214     uint16_t p_namelen = strlen(preferredName);
(gdb) s
215     if (str_endswith(preferredName, suffix)) {
(gdb) s
str_endswith (s=s@entry=0x7fffe803b120 "hf-mf-3631862B-key.bin", suffix=suffix@entry=0x5555558e8fee ".bin") at src/util.c:1114
1114    bool str_endswith(const char *s,  const char *suffix) {
(gdb) s
1115        size_t ls = strlen(s);
(gdb) s
1116        size_t lsuffix = strlen(suffix);
(gdb) s
1117        if (ls >= lsuffix) {
(gdb) s
1118            return strncmp(suffix, s + (ls - lsuffix), lsuffix) == 0;
(gdb) s
newfilenamemcopyEx (preferredName=preferredName@entry=0x7fffe803b120 "hf-mf-3631862B-key.bin", suffix=suffix@entry=0x5555558e8fee ".bin", e_save_path=e_save_path@entry=spDump) at src/fileutils.c:216
216         p_namelen -= strlen(suffix);
(gdb) s
219     snprintf(pfn, len, "%.*s%s", p_namelen, preferredName, suffix);
(gdb) print pfn
$1 = 0x7fffe803b566 ""
(gdb) print len
$2 = 2000
(gdb) print p_namelen
$3 = 18
(gdb) print preferredName
$4 = 0x7fffe803b120 "hf-mf-3631862B-key.bin"
(gdb) print suffix
$5 = 0x5555558e8fee ".bin"
(gdb) s
0x0000555555725011 in snprintf (__fmt=<optimized out>, __n=<optimized out>, __s=<optimized out>) at /usr/include/bits/stdio2.h:54
54    return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
(gdb) s
219     snprintf(pfn, len, "%.*s%s", p_namelen, preferredName, suffix);
(gdb) s
snprintf (__fmt=0x5555558facdb "%.*s%s", __n=2000, __s=0x7fffe803b566 "") at /usr/include/bits/stdio2.h:54
54    return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
(gdb) s
219     snprintf(pfn, len, "%.*s%s", p_namelen, preferredName, suffix);
(gdb) print pfn
$6 = 0x7fffe803b566 ""
(gdb) print len
$7 = 2000
(gdb) print p_namelen
$8 = 18
(gdb) print preferredName
$9 = 0x7fffe803b120 "hf-mf-3631862B-key.bin"
(gdb) print suffix
$10 = 0x5555558e8fee ".bin"
(gdb) s
0x0000555555725035 in snprintf (__fmt=0x5555558facdb "%.*s%s", __n=2000, __s=0x7fffe803b566 "") at /usr/include/bits/stdio2.h:54
54    return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
(gdb) s
*** buffer overflow detected ***: terminated

Thread 5 "WorkerThread" received signal SIGABRT, Aborted.
0x00007ffff66afa4c in ?? () from /lib64/libc.so.6
(gdb) frame
#0  0x00007ffff66afa4c in ?? () from /lib64/libc.so.6
(gdb) 
iceman1001 commented 1 year ago

Thanks, excellent debugging info.

Line 219 is meant to copy only preferredName without the extension.

    snprintf(pfn, len, "%.*s%s", p_namelen, preferredName, suffix);

pfn is a pointer to the fileName array. Can you print it as well?

dperret commented 1 year ago

pfn looks like it's pointing to an empty string.

(gdb) print pfn
$6 = 0x7fffe803b566 ""

Another run, stopping at line 219, before the crash

~/source/proxmark3 $ sudo gdb ./client/proxmark3 
GNU gdb (Gentoo 13.2 vanilla) 13.2
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./client/proxmark3...
(gdb) break newfilenamemcopyEx
Breakpoint 1 at 0x1d0f60: file src/fileutils.c, line 188.
(gdb) run /dev/ttyACM0
Starting program: /home/redbaron/source/proxmark3/client/proxmark3 /dev/ttyACM0
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[=] Session log /root/.proxmark3/logs/log_20230710.txt
[+] loaded from JSON file /root/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM0
[New Thread 0x7ffff40d76c0 (LWP 22404)]
[=] Communicating with PM3 over USB-CDC

  8888888b.  888b     d888  .d8888b.   
  888   Y88b 8888b   d8888 d88P  Y88b  
  888    888 88888b.d88888      .d88P  
  888   d88P 888Y88888P888     8888"  
  8888888P"  888 Y888P 888      "Y8b.  
  888        888  Y8P  888 888    888  
  888        888   "   888 Y88b  d88P 
  888        888       888  "Y8888P"    [ ☕ ]

[New Thread 0x7ffff33266c0 (LWP 22405)]
[Detaching after fork from child process 22406]
[New Thread 0x7ffff2b256c0 (LWP 22407)]
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
[New Thread 0x7ffff127c6c0 (LWP 22408)]
  [ Proxmark3 RFID instrument ]

    MCU....... AT91SAM7S512 Rev A
    Memory.... 512 KB ( 67% used )

    Client.... Iceman/master/v4.16717-64-g588dea400 2023-07-10 02:49:32
    Bootrom... Iceman/master/v4.16717-64-g588dea400 2023-07-10 02:49:27 
    OS........ Iceman/master/v4.16717-64-g588dea400 2023-07-10 02:49:36 
    Target.... RDV4

[usb] pm3 --> hf search
 🕕  Searching for ISO14443-A tag...          
[+]  UID: 36 31 86 2B 
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: weak
[#] Auth error
[?] Hint: try `hf mf` commands

[+] Valid ISO 14443-A tag found

[usb] pm3 --> hf mf autopwn                   
[!] ⚠️  no known key was supplied, key recovery might fail
[+] loaded 56 keys from hardcoded default array
[=] running strategy 1
[=] Chunk 1.2s | found 32/32 keys (56)
[+] target sector   0 key type A -- found valid key [ FFFFFFFFFFFF ] (used for nested / hardnested attack)
[+] target sector   0 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   1 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   1 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   5 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   5 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   6 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   6 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   7 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   7 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   8 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   8 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   9 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   9 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  10 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  10 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  11 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  11 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  12 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  12 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  13 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  13 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  14 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  14 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type B -- found valid key [ FFFFFFFFFFFF ]

[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  001 | 007 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  005 | 023 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  006 | 027 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  007 | 031 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  008 | 035 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  009 | 039 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  010 | 043 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  011 | 047 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  012 | 051 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  013 | 055 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  014 | 059 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  015 | 063 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA  )

[Switching to Thread 0x7ffff127c6c0 (LWP 22408)]

Thread 5 "WorkerThread" hit Breakpoint 1, newfilenamemcopyEx (preferredName=preferredName@entry=0x7fffe803bb70 "hf-mf-3631862B-key.bin", suffix=suffix@entry=0x5555558e8fee ".bin", e_save_path=e_save_path@entry=spDump) at src/fileutils.c:188
188 char *newfilenamemcopyEx(const char *preferredName, const char *suffix, savePaths_t e_save_path) {
(gdb) s
189     if (preferredName == NULL || suffix == NULL) {
(gdb) s
200     char *fileName = (char *) calloc(len, sizeof(uint8_t));
(gdb) s
201     if (fileName == NULL) {
(gdb) s
208     int save_path_len = path_size(e_save_path);
(gdb) s
path_size (a=spDump) at src/fileutils.c:178
178     if (a == spItemCount) {
(gdb) s
181     return strlen(g_session.defaultPaths[a]);
(gdb) s
208     int save_path_len = path_size(e_save_path);
(gdb) s
0x0000555555724fd3 in path_size (a=spDump) at src/fileutils.c:181
181     return strlen(g_session.defaultPaths[a]);
(gdb) s
newfilenamemcopyEx (preferredName=preferredName@entry=0x7fffe803bb70 "hf-mf-3631862B-key.bin", suffix=suffix@entry=0x5555558e8fee ".bin", e_save_path=e_save_path@entry=spDump) at src/fileutils.c:209
209     if (save_path_len) {
(gdb) s
210         snprintf(pfn, len, "%s%s", g_session.defaultPaths[e_save_path], PATHSEP);
(gdb) print pfn
$1 = 0x7fffe803c6d0 ""
(gdb) s
snprintf (__fmt=0x555555881e11 "%s%s", __n=2000, __s=0x7fffe803c6d0 "") at /usr/include/bits/stdio2.h:54
54    return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
(gdb) s
210         snprintf(pfn, len, "%s%s", g_session.defaultPaths[e_save_path], PATHSEP);
(gdb) s
0x00005555557250df in snprintf (__fmt=0x555555881e11 "%s%s", __n=2000, __s=0x7fffe803c6d0 "") at /usr/include/bits/stdio2.h:54
54    return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
(gdb) s
210         snprintf(pfn, len, "%s%s", g_session.defaultPaths[e_save_path], PATHSEP);
(gdb) s
0x00005555557250f2 in snprintf (__fmt=0x555555881e11 "%s%s", __n=2000, __s=0x7fffe803c6d0 "") at /usr/include/bits/stdio2.h:54
54    return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
(gdb) s
newfilenamemcopyEx (preferredName=preferredName@entry=0x7fffe803bb70 "hf-mf-3631862B-key.bin", suffix=suffix@entry=0x5555558e8fee ".bin", e_save_path=e_save_path@entry=spDump) at src/fileutils.c:211
211         pfn += save_path_len + strlen(PATHSEP);
(gdb) s
214     uint16_t p_namelen = strlen(preferredName);
(gdb) s
215     if (str_endswith(preferredName, suffix)) {
(gdb) s
str_endswith (s=s@entry=0x7fffe803bb70 "hf-mf-3631862B-key.bin", suffix=suffix@entry=0x5555558e8fee ".bin") at src/util.c:1114
1114    bool str_endswith(const char *s,  const char *suffix) {
(gdb) s
1115        size_t ls = strlen(s);
(gdb) s
1116        size_t lsuffix = strlen(suffix);
(gdb) s
1117        if (ls >= lsuffix) {
(gdb) s
1118            return strncmp(suffix, s + (ls - lsuffix), lsuffix) == 0;
(gdb) s
newfilenamemcopyEx (preferredName=preferredName@entry=0x7fffe803bb70 "hf-mf-3631862B-key.bin", suffix=suffix@entry=0x5555558e8fee ".bin", e_save_path=e_save_path@entry=spDump) at src/fileutils.c:216
216         p_namelen -= strlen(suffix);
(gdb) s
219     snprintf(pfn, len, "%.*s%s", p_namelen, preferredName, suffix);
(gdb) print pfn
$2 = 0x7fffe803c6d6 ""
(gdb) print len
$3 = 2000
(gdb) print p_namelen
$4 = 18
(gdb) print preferredName
$5 = 0x7fffe803bb70 "hf-mf-3631862B-key.bin"
(gdb) print suffix
$6 = 0x5555558e8fee ".bin"
(gdb) 
iceman1001 commented 1 year ago

pfn is a pointer that jumps ahead in the fileName array. So I am curious if it jumps one too far in this step: pfn += save_path_len + strlen(PATHSEP);
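
The size bookkeeping under discussion, as an added example that is not proxmark3's own code: in the session above pfn has been moved 6 bytes into the 2000-byte calloc'd buffer (0x7fffe803b560 to 0x7fffe803b566, i.e. "/root" plus PATHSEP), yet the second snprintf is still passed len=2000, so the declared size is larger than the space actually left; glibc's __snprintf_chk aborts with "buffer overflow detected" whenever the declared size exceeds the destination size it knows about, even if the bytes written would have fitted. The function names build_path, remaining_space, bytes_left_after_dir and path_matches, and PATHSEP being "/", are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATHSEP "/"   /* assumed value; consistent with the 6-byte "/root/" prefix seen in gdb */

/* Same check as the page's str_endswith (src/util.c:1114). */
static bool ends_with(const char *s, const char *suffix) {
    size_t ls = strlen(s), lsuf = strlen(suffix);
    return ls >= lsuf && strncmp(suffix, s + (ls - lsuf), lsuf) == 0;
}

/* Bytes still free in a `len`-byte buffer starting at `base` once the
 * write cursor has moved to `cursor`. This, not `len`, is what a second
 * snprintf through the moved cursor may be told it has. */
size_t remaining_space(const char *base, size_t len, const char *cursor) {
    size_t used = (size_t)(cursor - base);
    return used < len ? len - used : 0;
}

/* Directory prefix cost as seen in the session: "/root" + "/" = 6 bytes,
 * so with len = 2000 only 1994 bytes remain for the file name. */
size_t bytes_left_after_dir(const char *dir, size_t len) {
    size_t prefix = strlen(dir) + strlen(PATHSEP);
    return prefix < len ? len - prefix : 0;
}

/* Build "<dir>/<name minus suffix><suffix>" in a fresh calloc'd buffer of
 * `len` bytes. Returns NULL on allocation failure or when the result does
 * not fit; the caller frees the result. An empty dir yields a bare name. */
char *build_path(const char *dir, const char *name, const char *suffix, size_t len) {
    if (name == NULL || suffix == NULL || len == 0) return NULL;
    char *out = calloc(len, sizeof(char));
    if (out == NULL) return NULL;
    char *pfn = out;

    if (dir != NULL && dir[0] != '\0') {
        /* Cursor is at the start of the buffer, so `len` is the right size here. */
        int w = snprintf(pfn, len, "%s%s", dir, PATHSEP);
        if (w < 0 || (size_t)w >= len) { free(out); return NULL; }
        pfn += w;  /* advance by the bytes actually written */
    }

    size_t namelen = strlen(name);
    if (ends_with(name, suffix)) namelen -= strlen(suffix);

    /* On the page this call is snprintf(pfn, len, ...): after the cursor
     * moved, `len` overstates the space left. Pass the remainder instead. */
    size_t left = remaining_space(out, len, pfn);
    int w = snprintf(pfn, left, "%.*s%s", (int)namelen, name, suffix);
    if (w < 0 || (size_t)w >= left) { free(out); return NULL; }
    return out;
}

/* Convenience for checks: build, compare against `expected`, free. */
bool path_matches(const char *dir, const char *name, const char *suffix,
                  size_t len, const char *expected) {
    char *p = build_path(dir, name, suffix, len);
    bool ok = (p != NULL) && strcmp(p, expected) == 0;
    free(p);
    return ok;
}

int main(void) {
    /* Constructed input mirroring the session: dump path /root, len 2000. */
    char *p = build_path("/root", "hf-mf-3631862B-key.bin", ".bin", 2000);
    if (p != NULL) {
        printf("%s\n", p);
        free(p);
    }
    return 0;
}
```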

dperret commented 1 year ago

Latest run with pfn from that step:

~/source/proxmark3 $ sudo gdb ./client/proxmark3 
GNU gdb (Gentoo 13.2 vanilla) 13.2
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./client/proxmark3...
(gdb) break newfilenamemcopyEx
Breakpoint 1 at 0x1d0f60: file src/fileutils.c, line 188.
(gdb) run /dev/ttyACM0
Starting program: /home/redbaron/source/proxmark3/client/proxmark3 /dev/ttyACM0
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[=] Session log /root/.proxmark3/logs/log_20230710.txt
[+] loaded from JSON file /root/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM0
[New Thread 0x7ffff40d76c0 (LWP 22448)]
[=] Communicating with PM3 over USB-CDC

  8888888b.  888b     d888  .d8888b.   
  888   Y88b 8888b   d8888 d88P  Y88b  
  888    888 88888b.d88888      .d88P  
  888   d88P 888Y88888P888     8888"  
  8888888P"  888 Y888P 888      "Y8b.  
  888        888  Y8P  888 888    888  
  888        888   "   888 Y88b  d88P 
  888        888       888  "Y8888P"    [ ☕ ]

[New Thread 0x7ffff33266c0 (LWP 22449)]
[Detaching after fork from child process 22450]
[New Thread 0x7ffff2b256c0 (LWP 22451)]
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
[New Thread 0x7ffff127c6c0 (LWP 22452)]
  [ Proxmark3 RFID instrument ]

    MCU....... AT91SAM7S512 Rev A
    Memory.... 512 KB ( 67% used )

    Client.... Iceman/master/v4.16717-64-g588dea400 2023-07-10 02:49:32
    Bootrom... Iceman/master/v4.16717-64-g588dea400 2023-07-10 02:49:27 
    OS........ Iceman/master/v4.16717-64-g588dea400 2023-07-10 02:49:36 
    Target.... RDV4

[usb] pm3 --> hf mf autopwn
[!] ⚠️  No tag found.
[!] ⚠️  no known key was supplied, key recovery might fail
[+] loaded 56 keys from hardcoded default array
[=] running strategy 1
[=] Chunk 1.5s | found 32/32 keys (56)
[+] target sector   0 key type A -- found valid key [ FFFFFFFFFFFF ] (used for nested / hardnested attack)
[+] target sector   0 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   1 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   1 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   5 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   5 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   6 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   6 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   7 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   7 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   8 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   8 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   9 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   9 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  10 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  10 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  11 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  11 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  12 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  12 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  13 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  13 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  14 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  14 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type B -- found valid key [ FFFFFFFFFFFF ]

[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  001 | 007 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  005 | 023 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  006 | 027 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  007 | 031 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  008 | 035 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  009 | 039 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  010 | 043 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  011 | 047 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  012 | 051 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  013 | 055 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  014 | 059 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  015 | 063 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA  )

[Switching to Thread 0x7ffff127c6c0 (LWP 22452)]

Thread 5 "WorkerThread" hit Breakpoint 1, newfilenamemcopyEx (preferredName=preferredName@entry=0x0, suffix=suffix@entry=0x5555558e8fee ".bin", e_save_path=e_save_path@entry=spDump) at src/fileutils.c:188
188 char *newfilenamemcopyEx(const char *preferredName, const char *suffix, savePaths_t e_save_path) {
(gdb) s
189     if (preferredName == NULL || suffix == NULL) {
(gdb) s
createMfcKeyDump (preferredName=preferredName@entry=0x0, sectorsCnt=sectorsCnt@entry=16 '\020', e_sector=e_sector@entry=0x7fffe803afd0) at src/fileutils.c:777
777     if (fileName == NULL) return PM3_EMALLOC;
(gdb) s
CmdHF14AMfAutoPWN (Cmd=<optimized out>) at src/cmdhfmf.c:3098
3098            PrintAndLogEx(ERR, "Failed to save keys to file");
(gdb) s
PrintAndLogEx (level=level@entry=ERR, fmt=fmt@entry=0x5555558a7797 "Failed to save keys to file") at src/ui.c:194
194 void PrintAndLogEx(logLevel_t level, const char *fmt, ...) {
(gdb) s
197     if (g_debugMode == 0 && level == DEBUG)
(gdb) s
201     if (g_session.show_hints == false && level == HINT)
(gdb) s
204     char prefix[40] = {0};
(gdb) s
205     char buffer[MAX_PRINT_BUFFER] = {0};
(gdb) s
206     char buffer2[MAX_PRINT_BUFFER + sizeof(prefix)] = {0};
(gdb) s
208     char *tmp_ptr = NULL;
(gdb) s
210     const char *spinner[] = {_YELLOW_("[\\]"), _YELLOW_("[|]"), _YELLOW_("[/]"), _YELLOW_("[-]")};
(gdb) s
211     const char *spinner_emoji[] = {" :clock1: ", " :clock2: ", " :clock3: ", " :clock4: ", " :clock5: ", " :clock6: ",
(gdb) s
214     switch (level) {
(gdb) s
216             if (g_session.emoji_mode == EMO_EMOJI)
(gdb) s
217                 strncpy(prefix,  "[" _RED_("!!") "] :rotating_light: ", sizeof(prefix) - 1);
(gdb) s
strncpy (__len=39, __src=<synthetic pointer>, __dest=0x7ffff1278c10 "") at /usr/include/bits/string_fortified.h:95
95    return __builtin___strncpy_chk (__dest, __src, __len,
(gdb) s
PrintAndLogEx (level=level@entry=ERR, fmt=fmt@entry=0x5555558a7797 "Failed to save keys to file") at src/ui.c:220
220             stream = stderr;
(gdb) s
221             break;
(gdb) s
265     va_start(args, fmt);
(gdb) s
266     vsnprintf(buffer, sizeof(buffer), fmt, args);
(gdb) s
0x0000555555763b98 in vsnprintf (__ap=<optimized out>, __fmt=<optimized out>, __n=<optimized out>, __s=<optimized out>) at /usr/include/bits/stdio2.h:68
68    return __builtin___vsnprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
(gdb) s
266     vsnprintf(buffer, sizeof(buffer), fmt, args);
(gdb) s
0x0000555555763baa in vsnprintf (__ap=<optimized out>, __fmt=<optimized out>, __n=<optimized out>, __s=<optimized out>) at /usr/include/bits/stdio2.h:68
68    return __builtin___vsnprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
(gdb) s
266     vsnprintf(buffer, sizeof(buffer), fmt, args);
(gdb) s
0x0000555555763bbf in vsnprintf (__ap=<optimized out>, __fmt=<optimized out>, __n=<optimized out>, __s=<optimized out>) at /usr/include/bits/stdio2.h:68
68    return __builtin___vsnprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
(gdb) s
266     vsnprintf(buffer, sizeof(buffer), fmt, args);
(gdb) s
vsnprintf (__ap=0x7ffff1278b78, __fmt=0x5555558a7797 "Failed to save keys to file", __n=2048, __s=0x7ffff1278c40 "") at /usr/include/bits/stdio2.h:68
68    return __builtin___vsnprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
(gdb) s
PrintAndLogEx (level=level@entry=ERR, fmt=fmt@entry=0x5555558a7797 "Failed to save keys to file") at src/ui.c:275
275     if (strchr(buffer, '\n')) {
(gdb) s
298         snprintf(buffer2, sizeof(buffer2), "%s%s", prefix, buffer);
(gdb) s
snprintf (__fmt=0x555555881e11 "%s%s", __n=2088, __s=0x7ffff1279440 "") at /usr/include/bits/stdio2.h:54
54    return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
(gdb) s
PrintAndLogEx (level=level@entry=ERR, fmt=fmt@entry=0x5555558a7797 "Failed to save keys to file") at src/ui.c:299
299         if (level == INPLACE) {
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) n
Program not restarted.
(gdb) c
Continuing.
[!!] 🚨 Failed to save keys to file
[+] transferring keys to simulator memory (Cmd Error: 04 can occur)
[#] wrong response len 0 (expected 18)
[#] Cmd Error 05
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[-] ⛔ fast dump reported back failure w KEY A,  swapping to KEY B
[#] wrong response len 0 (expected 18)
[#] Cmd Error 08
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[-] ⛔ fast dump reported back failure w KEY B
[-] ⛔ Dump file is PARTIAL complete
[=] downloading the card content from emulator memory

Thread 5 "WorkerThread" hit Breakpoint 1, newfilenamemcopyEx (preferredName=preferredName@entry=0x7ffff127b3b0 "hf-mf-3631862B-dump", suffix=suffix@entry=0x5555558e8fee ".bin", e_save_path=e_save_path@entry=spDefault) at src/fileutils.c:188
188 char *newfilenamemcopyEx(const char *preferredName, const char *suffix, savePaths_t e_save_path) {
(gdb) s
189     if (preferredName == NULL || suffix == NULL) {
(gdb) s
200     char *fileName = (char *) calloc(len, sizeof(uint8_t));
(gdb) s
201     if (fileName == NULL) {
(gdb) s
208     int save_path_len = path_size(e_save_path);
(gdb) s
path_size (a=spDefault) at src/fileutils.c:178
178     if (a == spItemCount) {
(gdb) s
181     return strlen(g_session.defaultPaths[a]);
(gdb) s
208     int save_path_len = path_size(e_save_path);
(gdb) s
0x0000555555724fd3 in path_size (a=spDefault) at src/fileutils.c:181
181     return strlen(g_session.defaultPaths[a]);
(gdb) s
newfilenamemcopyEx (preferredName=preferredName@entry=0x7ffff127b3b0 "hf-mf-3631862B-dump", suffix=suffix@entry=0x5555558e8fee ".bin", e_save_path=e_save_path@entry=spDefault) at src/fileutils.c:209
209     if (save_path_len) {
(gdb) s
210         snprintf(pfn, len, "%s%s", g_session.defaultPaths[e_save_path], PATHSEP);
(gdb) print pfn
$1 = 0x7fffe803cdb0 ""
(gdb) print len
$2 = 2000
(gdb) print PATHSEP
No symbol "PATHSEP" in current context.
(gdb) s
snprintf (__fmt=0x555555881e11 "%s%s", __n=2000, __s=0x7fffe803cdb0 "") at /usr/include/bits/stdio2.h:54
54    return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
(gdb) s
210         snprintf(pfn, len, "%s%s", g_session.defaultPaths[e_save_path], PATHSEP);
(gdb) print pfn
$3 = 0x7fffe803cdb0 ""
(gdb) print len
$4 = 2000
(gdb) print *pfn
$5 = 0 '\000'
(gdb) print &pfn
Address requested for identifier "pfn" which is in register $r12
(gdb) print pfn
$6 = 0x7fffe803cdb0 ""
(gdb) s
0x00005555557250df in snprintf (__fmt=0x555555881e11 "%s%s", __n=2000, __s=0x7fffe803cdb0 "") at /usr/include/bits/stdio2.h:54
54    return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
(gdb) s
210         snprintf(pfn, len, "%s%s", g_session.defaultPaths[e_save_path], PATHSEP);
(gdb) print pfn
$7 = 0x7fffe803cdb0 ""
(gdb) print len
$8 = 2000
(gdb) print e_save_path
$9 = spDefault
(gdb) s
0x00005555557250f2 in snprintf (__fmt=0x555555881e11 "%s%s", __n=2000, __s=0x7fffe803cdb0 "") at /usr/include/bits/stdio2.h:54
54    return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
(gdb) s
newfilenamemcopyEx (preferredName=preferredName@entry=0x7ffff127b3b0 "hf-mf-3631862B-dump", suffix=suffix@entry=0x5555558e8fee ".bin", e_save_path=e_save_path@entry=spDefault) at src/fileutils.c:211
211         pfn += save_path_len + strlen(PATHSEP);
(gdb) print pfn
$10 = 0x7fffe803cdb0 "/root/"
(gdb) print save_path_len
$11 = <optimized out>
(gdb) print PATHSEP
No symbol "PATHSEP" in current context.
(gdb) s
214     uint16_t p_namelen = strlen(preferredName);
(gdb) print p_namelen
$12 = <optimized out>
(gdb) print preferredName
$13 = 0x7ffff127b3b0 "hf-mf-3631862B-dump"
(gdb) s
215     if (str_endswith(preferredName, suffix)) {
(gdb) s
str_endswith (s=s@entry=0x7ffff127b3b0 "hf-mf-3631862B-dump", suffix=suffix@entry=0x5555558e8fee ".bin") at src/util.c:1114
1114    bool str_endswith(const char *s,  const char *suffix) {
(gdb) c
Continuing.
*** buffer overflow detected ***: terminated

Thread 5 "WorkerThread" received signal SIGABRT, Aborted.
0x00007ffff66afa4c in ?? () from /lib64/libc.so.6
(gdb) frame
#0  0x00007ffff66afa4c in ?? () from /lib64/libc.so.6
(gdb) print pfn
No symbol "pfn" in current context.
(gdb) 
iceman1001 commented 1 year ago

I can't replicate it.

The offending line is: snprintf(pfn, len, "%.*s%s", p_namelen, preferredName, suffix);

It seems that on pentoo it doesn't like to append to the pfn pointer, despite it pointing to valid reserved memory.

iceman1001 commented 1 year ago

ping

dperret commented 1 year ago

It is definitely failing on that line of code, but I haven't figured out why yet. Possibly related to a compiler option? I have that line and the necessary variables pulled out into a minimum test case, and can reproduce the crash consistently.

pentoo ~ # cat test.c 
#include <ctype.h>
#include <stdio.h>
#include <stdint.h>

int main()
{
    char *pfn;
    size_t len;
    uint16_t p_namelen;
    char *preferredName;
    char *suffix;

    pfn = "";
    len = 1000;
    p_namelen = 18;
    preferredName = "hf-mf-3631862B-key.bin";
    suffix = ".bin";

    printf("pfn: %s \n", pfn);
    printf("len: %lu \n", len);
    printf("p_namelen: %u \n", p_namelen);
    printf("preferredName: %s \n", preferredName);
    printf("suffix: %s \n", suffix);

    snprintf(pfn, len, "%.*s%s", p_namelen, preferredName, suffix);
    return 0;
}
pentoo ~ # gcc -v -g -o test.out -Wall test.c
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-pc-linux-gnu/12/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /var/tmp/portage/sys-devel/gcc-12.3.1_p20230526/work/gcc-12-20230526/configure --host=x86_64-pc-linux-gnu --build=x86_64-pc-linux-gnu --prefix=/usr --bindir=/usr/x86_64-pc-linux-gnu/gcc-bin/12 --includedir=/usr/lib/gcc/x86_64-pc-linux-gnu/12/include --datadir=/usr/share/gcc-data/x86_64-pc-linux-gnu/12 --mandir=/usr/share/gcc-data/x86_64-pc-linux-gnu/12/man --infodir=/usr/share/gcc-data/x86_64-pc-linux-gnu/12/info --with-gxx-include-dir=/usr/lib/gcc/x86_64-pc-linux-gnu/12/include/g++-v12 --with-python-dir=/share/gcc-data/x86_64-pc-linux-gnu/12/python --enable-languages=c,c++,fortran --enable-obsolete --enable-secureplt --disable-werror --with-system-zlib --enable-nls --without-included-gettext --disable-libunwind-exceptions --enable-checking=release --with-bugurl=https://bugs.gentoo.org/ --with-pkgversion='Gentoo Hardened 12.3.1_p20230526 p2' --with-gcc-major-version-only --enable-libstdcxx-time --enable-lto --disable-libstdcxx-pch --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu --enable-multilib --with-multilib-list=m32,m64 --disable-fixed-point --enable-targets=all --enable-libgomp --disable-libssp --disable-libada --enable-cet --disable-systemtap --disable-valgrind-annotations --disable-vtable-verify --disable-libvtv --with-zstd --without-isl --enable-default-pie --enable-default-ssp --with-build-config='bootstrap-lto bootstrap-cet'
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 12.3.1 20230526 (Gentoo Hardened 12.3.1_p20230526 p2) 
COLLECT_GCC_OPTIONS='-v' '-g' '-o' 'test.out' '-Wall' '-mtune=generic' '-march=x86-64' '-dumpdir' 'test.out-'
 /usr/libexec/gcc/x86_64-pc-linux-gnu/12/cc1 -quiet -v test.c -quiet -dumpdir test.out- -dumpbase test.c -dumpbase-ext .c -mtune=generic -march=x86-64 -g -Wall -version -fcf-protection -o /tmp/ccJfpL2V.s
GNU C17 (Gentoo Hardened 12.3.1_p20230526 p2) version 12.3.1 20230526 (x86_64-pc-linux-gnu)
    compiled by GNU C version 12.3.1 20230526, GMP version 6.2.1, MPFR version 4.2.0-p9, MPC version 1.3.1, isl version none
GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
ignoring nonexistent directory "/usr/local/include"
ignoring nonexistent directory "/usr/lib/gcc/x86_64-pc-linux-gnu/12/../../../../x86_64-pc-linux-gnu/include"
#include "..." search starts here:
#include <...> search starts here:
 /usr/lib/gcc/x86_64-pc-linux-gnu/12/include
 /usr/lib/gcc/x86_64-pc-linux-gnu/12/include-fixed
 /usr/include
End of search list.
GNU C17 (Gentoo Hardened 12.3.1_p20230526 p2) version 12.3.1 20230526 (x86_64-pc-linux-gnu)
    compiled by GNU C version 12.3.1 20230526, GMP version 6.2.1, MPFR version 4.2.0-p9, MPC version 1.3.1, isl version none
GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
Compiler executable checksum: bc4b694fa98acf2817ad97cab61bc32f
COLLECT_GCC_OPTIONS='-v' '-g' '-o' 'test.out' '-Wall' '-mtune=generic' '-march=x86-64' '-dumpdir' 'test.out-'
 /usr/lib/gcc/x86_64-pc-linux-gnu/12/../../../../x86_64-pc-linux-gnu/bin/as -v --gdwarf-5 --64 -o /tmp/ccFLp2m6.o /tmp/ccJfpL2V.s
GNU assembler version 2.40.0 (x86_64-pc-linux-gnu) using BFD version (Gentoo 2.40 p5) 2.40.0
COMPILER_PATH=/usr/libexec/gcc/x86_64-pc-linux-gnu/12/:/usr/libexec/gcc/x86_64-pc-linux-gnu/12/:/usr/libexec/gcc/x86_64-pc-linux-gnu/:/usr/lib/gcc/x86_64-pc-linux-gnu/12/:/usr/lib/gcc/x86_64-pc-linux-gnu/:/usr/lib/gcc/x86_64-pc-linux-gnu/12/../../../../x86_64-pc-linux-gnu/bin/
LIBRARY_PATH=/usr/lib/gcc/x86_64-pc-linux-gnu/12/:/usr/lib/gcc/x86_64-pc-linux-gnu/12/../../../../lib64/:/lib/../lib64/:/usr/lib/../lib64/:/usr/lib/gcc/x86_64-pc-linux-gnu/12/../../../../x86_64-pc-linux-gnu/lib/:/usr/lib/gcc/x86_64-pc-linux-gnu/12/../../../:/lib/:/usr/lib/
COLLECT_GCC_OPTIONS='-v' '-g' '-o' 'test.out' '-Wall' '-mtune=generic' '-march=x86-64' '-dumpdir' 'test.out.'
 /usr/libexec/gcc/x86_64-pc-linux-gnu/12/collect2 -plugin /usr/libexec/gcc/x86_64-pc-linux-gnu/12/liblto_plugin.so -plugin-opt=/usr/libexec/gcc/x86_64-pc-linux-gnu/12/lto-wrapper -plugin-opt=-fresolution=/tmp/ccnboGUh.res -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s -plugin-opt=-pass-through=-lc -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s --eh-frame-hdr -m elf_x86_64 -dynamic-linker /lib64/ld-linux-x86-64.so.2 -pie -z now -o test.out /usr/lib/gcc/x86_64-pc-linux-gnu/12/../../../../lib64/Scrt1.o /usr/lib/gcc/x86_64-pc-linux-gnu/12/../../../../lib64/crti.o /usr/lib/gcc/x86_64-pc-linux-gnu/12/crtbeginS.o -L/usr/lib/gcc/x86_64-pc-linux-gnu/12 -L/usr/lib/gcc/x86_64-pc-linux-gnu/12/../../../../lib64 -L/lib/../lib64 -L/usr/lib/../lib64 -L/usr/lib/gcc/x86_64-pc-linux-gnu/12/../../../../x86_64-pc-linux-gnu/lib -L/usr/lib/gcc/x86_64-pc-linux-gnu/12/../../.. /tmp/ccFLp2m6.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-pc-linux-gnu/12/crtendS.o /usr/lib/gcc/x86_64-pc-linux-gnu/12/../../../../lib64/crtn.o
COLLECT_GCC_OPTIONS='-v' '-g' '-o' 'test.out' '-Wall' '-mtune=generic' '-march=x86-64' '-dumpdir' 'test.out.'
pentoo ~ # ./test.out
pfn:  
len: 1000 
p_namelen: 18 
preferredName: hf-mf-3631862B-key.bin 
suffix: .bin 
Segmentation fault
pentoo ~ # gdb test.out
GNU gdb (Gentoo 13.2 vanilla) 13.2
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from test.out...
(gdb) run
Starting program: /root/test.out 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
pfn:  
len: 1000 
p_namelen: 18 
preferredName: hf-mf-3631862B-key.bin 
suffix: .bin 

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7e39618 in ?? () from /lib64/libc.so.6
(gdb) backtrace
#0  0x00007ffff7e39618 in ?? () from /lib64/libc.so.6
#1  0x00007ffff7e14666 in snprintf () from /lib64/libc.so.6
#2  0x000055555555525a in main () at test.c:26
(gdb) 
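The gdb output above shows the shape of the problem independently of the test program: pfn has been advanced past the "/root/" prefix (pfn += save_path_len + strlen(PATHSEP)), yet the snprintf that iceman1001 names still receives len, the size of the whole calloc'd buffer, so it claims more room than remains after the cursor. A fortified snprintf aborts with exactly "*** buffer overflow detected ***" when it can prove the size argument exceeds the space left in the object. The following is an added example, not proxmark3 code, of building the same path while handing each snprintf only the remaining space; the names build_filename, remaining, prefix_remaining and filename_matches, and the POSIX PATHSEP, are this example's own assumptions.

```c
/* Added example, not proxmark3 code: build "<dir><sep><name><suffix>" into one
 * calloc'd buffer while the size passed to each snprintf tracks the space that
 * is actually left after the write cursor, instead of the full allocation. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATHSEP "/"   /* assumption: POSIX separator, matching "/root/" in the gdb trace */

/* Bytes still writable at cursor inside a len-byte buffer that starts at base. */
size_t remaining(const char *base, const char *cursor, size_t len) {
    size_t used = (size_t)(cursor - base);
    return used < len ? len - used : 0;
}

/* Space left for the file name once "<dir><sep>" occupies the front of a
 * len-byte buffer. This, not len, is the correct size for the second snprintf;
 * for "/root" and len 1000 it is 994, so passing 1000 overstates the room by 6. */
size_t prefix_remaining(const char *dir, size_t len) {
    size_t used = strlen(dir) + strlen(PATHSEP);
    return used < len ? len - used : 0;
}

/* Returns a newly allocated "<dir><sep><name-without-suffix><suffix>", or NULL on
 * allocation failure or when the result would not fit: truncation is reported to
 * the caller, nothing is ever written past the buffer. Caller frees. */
char *build_filename(const char *dir, const char *name, const char *suffix, size_t len) {
    if (name == NULL || suffix == NULL || len == 0)
        return NULL;

    char *buf = calloc(len, 1);
    if (buf == NULL)
        return NULL;

    char *pfn = buf;              /* write cursor, advanced as pieces are written */

    if (dir != NULL && *dir != '\0') {
        size_t room = remaining(buf, pfn, len);
        int n = snprintf(pfn, room, "%s%s", dir, PATHSEP);
        if (n < 0 || (size_t)n >= room) {   /* would not fit: fail cleanly */
            free(buf);
            return NULL;
        }
        pfn += n;                 /* advance by what snprintf reports it wrote */
    }

    /* As the client does, drop a suffix the caller already supplied so it is not doubled. */
    size_t namelen = strlen(name);
    size_t suflen = strlen(suffix);
    if (namelen >= suflen && strcmp(name + namelen - suflen, suffix) == 0)
        namelen -= suflen;

    size_t room = remaining(buf, pfn, len);     /* not len: the cursor has moved */
    int n = snprintf(pfn, room, "%.*s%s", (int)namelen, name, suffix);
    if (n < 0 || (size_t)n >= room) {
        free(buf);
        return NULL;
    }
    return buf;
}

/* Helper for checking results: build, compare with expected (NULL means "must not
 * fit"), free. Returns 1 on match, 0 otherwise. */
int filename_matches(const char *dir, const char *name, const char *suffix,
                     size_t len, const char *expected) {
    char *p = build_filename(dir, name, suffix, len);
    if (p == NULL)
        return expected == NULL;
    int ok = (expected != NULL && strcmp(p, expected) == 0);
    free(p);
    return ok;
}

int main(void) {
    /* Constructed inputs, taken from the values visible in the gdb session above. */
    char *p = build_filename("/root", "hf-mf-3631862B-key.bin", ".bin", 1000);
    printf("%s\n", p ? p : "(does not fit)");
    printf("bytes left after prefix: %zu of 1000\n", prefix_remaining("/root", 1000));
    free(p);
    return 0;
}
```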
iceman1001 commented 1 year ago

char *pfn; is empty, you need to alloc mem for it to work.

dperret commented 1 year ago

Fixing the test program to allocate *pfn in the same way that newfilenamemcopyEx does a few lines earlier fixes the test program, but the proxmark3 client built from the latest in master still crashes on the same line.

test program:

pentoo ~ # cat test.c 
#include <ctype.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

int main()
{
    size_t len;
    uint16_t p_namelen;
    char *preferredName;
    char *suffix;

    len = 1000;
    p_namelen = 18;
    preferredName = "hf-mf-3631862B-key.bin";
    suffix = ".bin";

    char *fileName = (char *) calloc(len, sizeof(uint8_t));
    char *pfn = fileName;

    printf("pfn: %s \n", pfn);
    printf("len: %lu \n", len);
    printf("p_namelen: %u \n", p_namelen);
    printf("preferredName: %s \n", preferredName);
    printf("suffix: %s \n", suffix);

    snprintf(pfn, len, "%.*s%s", p_namelen, preferredName, suffix);
    return 0;
}
pentoo ~ # gcc -v -g -o test.out -Wall test.c
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-pc-linux-gnu/12/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /var/tmp/portage/sys-devel/gcc-12.3.1_p20230526/work/gcc-12-20230526/configure --host=x86_64-pc-linux-gnu --build=x86_64-pc-linux-gnu --prefix=/usr --bindir=/usr/x86_64-pc-linux-gnu/gcc-bin/12 --includedir=/usr/lib/gcc/x86_64-pc-linux-gnu/12/include --datadir=/usr/share/gcc-data/x86_64-pc-linux-gnu/12 --mandir=/usr/share/gcc-data/x86_64-pc-linux-gnu/12/man --infodir=/usr/share/gcc-data/x86_64-pc-linux-gnu/12/info --with-gxx-include-dir=/usr/lib/gcc/x86_64-pc-linux-gnu/12/include/g++-v12 --with-python-dir=/share/gcc-data/x86_64-pc-linux-gnu/12/python --enable-languages=c,c++,fortran --enable-obsolete --enable-secureplt --disable-werror --with-system-zlib --enable-nls --without-included-gettext --disable-libunwind-exceptions --enable-checking=release --with-bugurl=https://bugs.gentoo.org/ --with-pkgversion='Gentoo Hardened 12.3.1_p20230526 p2' --with-gcc-major-version-only --enable-libstdcxx-time --enable-lto --disable-libstdcxx-pch --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu --enable-multilib --with-multilib-list=m32,m64 --disable-fixed-point --enable-targets=all --enable-libgomp --disable-libssp --disable-libada --enable-cet --disable-systemtap --disable-valgrind-annotations --disable-vtable-verify --disable-libvtv --with-zstd --without-isl --enable-default-pie --enable-default-ssp --with-build-config='bootstrap-lto bootstrap-cet'
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 12.3.1 20230526 (Gentoo Hardened 12.3.1_p20230526 p2) 
COLLECT_GCC_OPTIONS='-v' '-g' '-o' 'test.out' '-Wall' '-mtune=generic' '-march=x86-64' '-dumpdir' 'test.out-'
 /usr/libexec/gcc/x86_64-pc-linux-gnu/12/cc1 -quiet -v test.c -quiet -dumpdir test.out- -dumpbase test.c -dumpbase-ext .c -mtune=generic -march=x86-64 -g -Wall -version -fcf-protection -o /tmp/ccVU4NFH.s
GNU C17 (Gentoo Hardened 12.3.1_p20230526 p2) version 12.3.1 20230526 (x86_64-pc-linux-gnu)
    compiled by GNU C version 12.3.1 20230526, GMP version 6.2.1, MPFR version 4.2.0-p9, MPC version 1.3.1, isl version none
GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
ignoring nonexistent directory "/usr/local/include"
ignoring nonexistent directory "/usr/lib/gcc/x86_64-pc-linux-gnu/12/../../../../x86_64-pc-linux-gnu/include"
#include "..." search starts here:
#include <...> search starts here:
 /usr/lib/gcc/x86_64-pc-linux-gnu/12/include
 /usr/lib/gcc/x86_64-pc-linux-gnu/12/include-fixed
 /usr/include
End of search list.
GNU C17 (Gentoo Hardened 12.3.1_p20230526 p2) version 12.3.1 20230526 (x86_64-pc-linux-gnu)
    compiled by GNU C version 12.3.1 20230526, GMP version 6.2.1, MPFR version 4.2.0-p9, MPC version 1.3.1, isl version none
GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
Compiler executable checksum: bc4b694fa98acf2817ad97cab61bc32f
COLLECT_GCC_OPTIONS='-v' '-g' '-o' 'test.out' '-Wall' '-mtune=generic' '-march=x86-64' '-dumpdir' 'test.out-'
 /usr/lib/gcc/x86_64-pc-linux-gnu/12/../../../../x86_64-pc-linux-gnu/bin/as -v --gdwarf-5 --64 -o /tmp/cc9pDPY4.o /tmp/ccVU4NFH.s
GNU assembler version 2.40.0 (x86_64-pc-linux-gnu) using BFD version (Gentoo 2.40 p5) 2.40.0
COMPILER_PATH=/usr/libexec/gcc/x86_64-pc-linux-gnu/12/:/usr/libexec/gcc/x86_64-pc-linux-gnu/12/:/usr/libexec/gcc/x86_64-pc-linux-gnu/:/usr/lib/gcc/x86_64-pc-linux-gnu/12/:/usr/lib/gcc/x86_64-pc-linux-gnu/:/usr/lib/gcc/x86_64-pc-linux-gnu/12/../../../../x86_64-pc-linux-gnu/bin/
LIBRARY_PATH=/usr/lib/gcc/x86_64-pc-linux-gnu/12/:/usr/lib/gcc/x86_64-pc-linux-gnu/12/../../../../lib64/:/lib/../lib64/:/usr/lib/../lib64/:/usr/lib/gcc/x86_64-pc-linux-gnu/12/../../../../x86_64-pc-linux-gnu/lib/:/usr/lib/gcc/x86_64-pc-linux-gnu/12/../../../:/lib/:/usr/lib/
COLLECT_GCC_OPTIONS='-v' '-g' '-o' 'test.out' '-Wall' '-mtune=generic' '-march=x86-64' '-dumpdir' 'test.out.'
 /usr/libexec/gcc/x86_64-pc-linux-gnu/12/collect2 -plugin /usr/libexec/gcc/x86_64-pc-linux-gnu/12/liblto_plugin.so -plugin-opt=/usr/libexec/gcc/x86_64-pc-linux-gnu/12/lto-wrapper -plugin-opt=-fresolution=/tmp/cc6Lx68G.res -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s -plugin-opt=-pass-through=-lc -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s --eh-frame-hdr -m elf_x86_64 -dynamic-linker /lib64/ld-linux-x86-64.so.2 -pie -z now -o test.out /usr/lib/gcc/x86_64-pc-linux-gnu/12/../../../../lib64/Scrt1.o /usr/lib/gcc/x86_64-pc-linux-gnu/12/../../../../lib64/crti.o /usr/lib/gcc/x86_64-pc-linux-gnu/12/crtbeginS.o -L/usr/lib/gcc/x86_64-pc-linux-gnu/12 -L/usr/lib/gcc/x86_64-pc-linux-gnu/12/../../../../lib64 -L/lib/../lib64 -L/usr/lib/../lib64 -L/usr/lib/gcc/x86_64-pc-linux-gnu/12/../../../../x86_64-pc-linux-gnu/lib -L/usr/lib/gcc/x86_64-pc-linux-gnu/12/../../.. /tmp/cc9pDPY4.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-pc-linux-gnu/12/crtendS.o /usr/lib/gcc/x86_64-pc-linux-gnu/12/../../../../lib64/crtn.o
COLLECT_GCC_OPTIONS='-v' '-g' '-o' 'test.out' '-Wall' '-mtune=generic' '-march=x86-64' '-dumpdir' 'test.out.'
pentoo ~ # ./test.out 
pfn:  
len: 1000 
p_namelen: 18 
preferredName: hf-mf-3631862B-key.bin 
suffix: .bin 
pentoo ~ # 

proxmark3 client:

~/source/proxmark3 $ sudo gdb ./client/proxmark3 
GNU gdb (Gentoo 13.2 vanilla) 13.2
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./client/proxmark3...
(gdb) break src/fileutils.c:218
Breakpoint 1 at 0x1d8fdd: file src/fileutils.c, line 218.
(gdb) run /dev/ttyACM0
Starting program: /home/redbaron/source/proxmark3/client/proxmark3 /dev/ttyACM0
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[=] Session log /root/.proxmark3/logs/log_20230725.txt
[+] loaded from JSON file /root/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM0
[New Thread 0x7ffff40d76c0 (LWP 6878)]
[=] Communicating with PM3 over USB-CDC

  8888888b.  888b     d888  .d8888b.   
  888   Y88b 8888b   d8888 d88P  Y88b  
  888    888 88888b.d88888      .d88P  
  888   d88P 888Y88888P888     8888"  
  8888888P"  888 Y888P 888      "Y8b.  
  888        888  Y8P  888 888    888  
  888        888   "   888 Y88b  d88P 
  888        888       888  "Y8888P"    [ ☕ ]

[New Thread 0x7ffff32fa6c0 (LWP 6879)]
[Detaching after fork from child process 6880]
[New Thread 0x7ffff2af96c0 (LWP 6881)]
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
[New Thread 0x7ffff124f6c0 (LWP 6882)]
  [ Proxmark3 RFID instrument ]

    MCU....... AT91SAM7S512 Rev A
    Memory.... 512 KB ( 67% used )

    Client.... Iceman/master/v4.16717-217-g1a4df13aa 2023-07-24 23:06:44
    Bootrom... Iceman/master/v4.16717-217-g1a4df13aa 2023-07-24 23:06:39 
    OS........ Iceman/master/v4.16717-217-g1a4df13aa 2023-07-24 23:06:47 
    Target.... RDV4

[usb] pm3 --> hf mf autopwn
[!] ⚠️  no known key was supplied, key recovery might fail
[+] loaded 56 keys from hardcoded default array
[=] running strategy 1
[=] ..
[=] Chunk 4.1s | found 19/32 keys (56)
[=] running strategy 2
[=] ..
[=] Chunk 4.1s | found 19/32 keys (56)
[+] target sector   0 key type B -- found valid key [ FFFFFFFFFFFF ] (used for nested / hardnested attack)
[+] target sector   1 key type A -- found valid key [ 2A2C13CC242A ]
[+] target sector   1 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   5 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   6 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   7 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   8 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   9 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  10 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  11 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  12 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  13 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  14 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type B -- found valid key [ FFFFFFFFFFFF ]
[New Thread 0x7ffff0a2d6c0 (LWP 6884)]
[New Thread 0x7fffe3fff6c0 (LWP 6885)]
[Thread 0x7ffff0a2d6c0 (LWP 6884) exited]
[Thread 0x7fffe3fff6c0 (LWP 6885) exited]
[+] Found 1 key candidates

[+] Target block    0 key type A -- found valid key [ 008DE5250EE8 ]

[+] target sector   0 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector   4 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector   5 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector   6 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector   7 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector   8 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector   9 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector  10 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector  11 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector  12 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector  13 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector  14 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector  15 key type A -- found valid key [ 008DE5250EE8 ]

[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | 008DE5250EE8 | N | FFFFFFFFFFFF | D
[+]  001 | 007 | 2A2C13CC242A | D | FFFFFFFFFFFF | D
[+]  002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  004 | 019 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  005 | 023 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  006 | 027 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  007 | 031 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  008 | 035 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  009 | 039 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  010 | 043 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  011 | 047 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  012 | 051 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  013 | 055 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  014 | 059 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  015 | 063 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA  )

[Switching to Thread 0x7ffff124f6c0 (LWP 6882)]

Thread 5 "WorkerThread" hit Breakpoint 1, newfilenamemcopyEx (preferredName=preferredName@entry=0x7fffe803b0a0 "hf-mf-3631862B-key.bin", suffix=suffix@entry=0x5555558f1fce ".bin", e_save_path=e_save_path@entry=spDump) at src/fileutils.c:218
218     snprintf(pfn, len, "%.*s%s", p_namelen, preferredName, suffix);
(gdb) print pfn
$1 = 0x7fffe803b826 ""
(gdb) print len
$2 = 1000
(gdb) print p_namelen
$3 = 18
(gdb) print preferredName
$4 = 0x7fffe803b0a0 "hf-mf-3631862B-key.bin"
(gdb) print suffix
$5 = 0x5555558f1fce ".bin"
(gdb) c
Continuing.
*** buffer overflow detected ***: terminated

Thread 5 "WorkerThread" received signal SIGABRT, Aborted.
0x00007ffff66afa4c in ?? () from /lib64/libc.so.6
(gdb) backtrace
#0  0x00007ffff66afa4c in  () at /lib64/libc.so.6
#1  0x00007ffff6660d96 in raise () at /lib64/libc.so.6
#2  0x00007ffff664a87c in abort () at /lib64/libc.so.6
#3  0x00007ffff664b5b7 in  () at /lib64/libc.so.6
#4  0x00007ffff673ef3b in  () at /lib64/libc.so.6
#5  0x00007ffff673d766 in  () at /lib64/libc.so.6
#6  0x00007ffff673d345 in __snprintf_chk () at /lib64/libc.so.6
#7  0x000055555572d010 in snprintf (__fmt=0x55555590427b "%.*s%s", __n=1000, __s=0x7fffe803b826 "") at /usr/include/bits/stdio2.h:54
#8  newfilenamemcopyEx (preferredName=preferredName@entry=0x7fffe803b0a0 "hf-mf-3631862B-key.bin", suffix=suffix@entry=0x5555558f1fce ".bin", e_save_path=e_save_path@entry=spDump) at src/fileutils.c:218
#9  0x000055555572f0e1 in createMfcKeyDump (preferredName=preferredName@entry=0x7fffe803b0a0 "hf-mf-3631862B-key.bin", sectorsCnt=sectorsCnt@entry=16 '\020', e_sector=e_sector@entry=0x7fffe803af10) at src/fileutils.c:775
#10 0x000055555565d0a7 in CmdHF14AMfAutoPWN (Cmd=<optimized out>) at src/cmdhfmf.c:3105
#11 0x00005555556f55fe in CmdsParse (Commands=0x5555559b4560 <CommandTable>, Cmd=0x7fffe801c686 "autopwn") at src/cmdparser.c:321
#12 0x00005555556f55fe in CmdsParse (Commands=0x5555559b0b40 <CommandTable>, Cmd=0x7fffe801c683 "mf autopwn") at src/cmdparser.c:321
#13 0x00005555556f55fe in CmdsParse (Commands=Commands@entry=0x5555559b8c40 <CommandTable>, Cmd=Cmd@entry=0x7fffe801c680 "hf mf autopwn") at src/cmdparser.c:321
#14 0x00005555556f40c3 in CommandReceived (Cmd=Cmd@entry=0x7fffe801c680 "hf mf autopwn") at src/cmdmain.c:365
#15 0x0000555555765d65 in main_loop (script_cmds_file=<optimized out>, script_cmd=<optimized out>, stayInCommandLoop=true) at src/proxmark3.c:407
#16 0x00007ffff6ca59ff in  () at /usr/lib64/libQt5Core.so.5
#17 0x00007ffff66add14 in  () at /lib64/libc.so.6
#18 0x00007ffff672f010 in  () at /lib64/libc.so.6
(gdb) 
iceman1001 commented 1 year ago

Let's see, try calling with a preferred name without a file extension in it. I have an idea. If that doesn't crash, then it's related to the removal of the suffix before. I think it could be the p_namelen var. If suffix isn't zero terminated, then strlen will be wrong.

    uint16_t p_namelen = strlen(preferredName);
    if (str_endswith(preferredName, suffix)) {
        p_namelen -= strlen(suffix);
    }
    // modify filename
    snprintf(pfn, len, "%.*s%s", p_namelen, preferredName, suffix);

iceman1001 commented 1 year ago

    // remove file extension if exist in name
    size_t p_namelen = strlen(preferredName);
    printf("p_namelen... %zu ", p_namelen);
    if (str_endswith(preferredName, suffix)) {
        printf("suffix len... %zu ", strlen(suffix));
        p_namelen -= strlen(suffix);
        printf("p_namelen after... %zu ", p_namelen);
    }

p_namelen was u16; strlen returns size_t, which could be as large as 8 bytes on some systems.

dperret commented 1 year ago

Test program didn't crash with or without the file extension in the preferredName, and the latest commit is still crashing: https://github.com/RfidResearchGroup/proxmark3/commit/cb9ee94ed6aa63be94a351793ba49ac38244f722

~/source/proxmark3 $ sudo gdb ./client/proxmark3 
GNU gdb (Gentoo 13.2 vanilla) 13.2
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./client/proxmark3...
(gdb) break src/fileutils.c:219
Breakpoint 1 at 0x1d8fdd: file src/fileutils.c, line 219.
(gdb) run /dev/ttyACM0
Starting program: /home/redbaron/source/proxmark3/client/proxmark3 /dev/ttyACM0
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[=] Session log /root/.proxmark3/logs/log_20230725.txt
[+] loaded from JSON file /root/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM0
[New Thread 0x7ffff40d76c0 (LWP 14237)]
[=] Communicating with PM3 over USB-CDC

  8888888b.  888b     d888  .d8888b.   
  888   Y88b 8888b   d8888 d88P  Y88b  
  888    888 88888b.d88888      .d88P  
  888   d88P 888Y88888P888     8888"  
  8888888P"  888 Y888P 888      "Y8b.  
  888        888  Y8P  888 888    888  
  888        888   "   888 Y88b  d88P 
  888        888       888  "Y8888P"    [ ☕ ]

[New Thread 0x7ffff32fa6c0 (LWP 14238)]
[Detaching after fork from child process 14239]
[New Thread 0x7ffff2af96c0 (LWP 14240)]
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
[New Thread 0x7ffff124f6c0 (LWP 14241)]
  [ Proxmark3 RFID instrument ]

    MCU....... AT91SAM7S512 Rev A
    Memory.... 512 KB ( 67% used )

    Client.... Iceman/master/v4.16717-218-gcb9ee94ed 2023-07-25 09:25:13
    Bootrom... Iceman/master/v4.16717-218-gcb9ee94ed 2023-07-25 09:25:08 
    OS........ Iceman/master/v4.16717-218-gcb9ee94ed 2023-07-25 09:25:16 
    Target.... RDV4

[usb] pm3 --> hf mf autopwn
[!] ⚠️  no known key was supplied, key recovery might fail
[+] loaded 56 keys from hardcoded default array
[=] running strategy 1
[=] ..
[=] Chunk 4.1s | found 19/32 keys (56)
[=] running strategy 2
[=] ..
[=] Chunk 4.1s | found 19/32 keys (56)
[+] target sector   0 key type B -- found valid key [ FFFFFFFFFFFF ] (used for nested / hardnested attack)
[+] target sector   1 key type A -- found valid key [ 2A2C13CC242A ]
[+] target sector   1 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   5 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   6 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   7 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   8 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   9 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  10 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  11 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  12 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  13 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  14 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type B -- found valid key [ FFFFFFFFFFFF ]
[New Thread 0x7ffff0a2d6c0 (LWP 14242)]
[New Thread 0x7fffe3fff6c0 (LWP 14243)]
[Thread 0x7ffff0a2d6c0 (LWP 14242) exited]
[Thread 0x7fffe3fff6c0 (LWP 14243) exited]
[+] Found 1 key candidates

[+] Target block    0 key type A -- found valid key [ 008DE5250EE8 ]

[+] target sector   0 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector   4 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector   5 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector   6 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector   7 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector   8 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector   9 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector  10 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector  11 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector  12 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector  13 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector  14 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector  15 key type A -- found valid key [ 008DE5250EE8 ]

[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | 008DE5250EE8 | N | FFFFFFFFFFFF | D
[+]  001 | 007 | 2A2C13CC242A | D | FFFFFFFFFFFF | D
[+]  002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  004 | 019 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  005 | 023 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  006 | 027 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  007 | 031 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  008 | 035 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  009 | 039 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  010 | 043 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  011 | 047 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  012 | 051 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  013 | 055 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  014 | 059 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  015 | 063 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA  )

[Switching to Thread 0x7ffff124f6c0 (LWP 14241)]

Thread 5 "WorkerThread" hit Breakpoint 1, newfilenamemcopyEx (preferredName=preferredName@entry=0x7fffe803b0a0 "hf-mf-3631862B-key.bin", suffix=suffix@entry=0x5555558f1fce ".bin", e_save_path=e_save_path@entry=spDump) at src/fileutils.c:219
219     snprintf(pfn, len, "%.*s%s", (int)p_namelen, preferredName, suffix);
(gdb) print pfn
$1 = 0x7fffe803b826 ""
(gdb) print len
$2 = 1000
(gdb) print p_namelen
$3 = 18
(gdb) print preferredName
$4 = 0x7fffe803b0a0 "hf-mf-3631862B-key.bin"
(gdb) print suffix
$5 = 0x5555558f1fce ".bin"
(gdb) c
Continuing.
*** buffer overflow detected ***: terminated

Thread 5 "WorkerThread" received signal SIGABRT, Aborted.
0x00007ffff66afa4c in ?? () from /lib64/libc.so.6
(gdb) backtrace
#0  0x00007ffff66afa4c in  () at /lib64/libc.so.6
#1  0x00007ffff6660d96 in raise () at /lib64/libc.so.6
#2  0x00007ffff664a87c in abort () at /lib64/libc.so.6
#3  0x00007ffff664b5b7 in  () at /lib64/libc.so.6
#4  0x00007ffff673ef3b in  () at /lib64/libc.so.6
#5  0x00007ffff673d766 in  () at /lib64/libc.so.6
#6  0x00007ffff673d345 in __snprintf_chk () at /lib64/libc.so.6
#7  0x000055555572d00c in snprintf (__fmt=0x55555590427b "%.*s%s", __n=1000, __s=0x7fffe803b826 "") at /usr/include/bits/stdio2.h:54
#8  newfilenamemcopyEx (preferredName=preferredName@entry=0x7fffe803b0a0 "hf-mf-3631862B-key.bin", suffix=suffix@entry=0x5555558f1fce ".bin", e_save_path=e_save_path@entry=spDump) at src/fileutils.c:219
#9  0x000055555572f0e1 in createMfcKeyDump (preferredName=preferredName@entry=0x7fffe803b0a0 "hf-mf-3631862B-key.bin", sectorsCnt=sectorsCnt@entry=16 '\020', e_sector=e_sector@entry=0x7fffe803af10) at src/fileutils.c:776
#10 0x000055555565d0a7 in CmdHF14AMfAutoPWN (Cmd=<optimized out>) at src/cmdhfmf.c:3105
#11 0x00005555556f55fe in CmdsParse (Commands=0x5555559b4560 <CommandTable>, Cmd=0x7fffe801c686 "autopwn") at src/cmdparser.c:321
#12 0x00005555556f55fe in CmdsParse (Commands=0x5555559b0b40 <CommandTable>, Cmd=0x7fffe801c683 "mf autopwn") at src/cmdparser.c:321
#13 0x00005555556f55fe in CmdsParse (Commands=Commands@entry=0x5555559b8c40 <CommandTable>, Cmd=Cmd@entry=0x7fffe801c680 "hf mf autopwn") at src/cmdparser.c:321
#14 0x00005555556f40c3 in CommandReceived (Cmd=Cmd@entry=0x7fffe801c680 "hf mf autopwn") at src/cmdmain.c:365
#15 0x0000555555765d65 in main_loop (script_cmds_file=<optimized out>, script_cmd=<optimized out>, stayInCommandLoop=true) at src/proxmark3.c:407
#16 0x00007ffff6ca59ff in  () at /usr/lib64/libQt5Core.so.5
#17 0x00007ffff66add14 in  () at /lib64/libc.so.6
#18 0x00007ffff672f010 in  () at /lib64/libc.so.6
(gdb)

and stepping through with the extra print statements:

diff --git a/client/src/fileutils.c b/client/src/fileutils.c
index 3de51f60f..559a781bc 100644
--- a/client/src/fileutils.c
+++ b/client/src/fileutils.c
@@ -212,8 +212,11 @@ char *newfilenamemcopyEx(const char *preferredName, const char *suffix, savePath

     // remove file extension if exist in name
     size_t p_namelen = strlen(preferredName);
+    printf("p_namelen... %zu ", p_namelen);
     if (str_endswith(preferredName, suffix)) {
+        printf("suffix len... %zu ", strlen(suffix));
         p_namelen -= strlen(suffix);
+        printf("p_namelen after... %zu ", p_namelen);
     }
     // modify filename
     snprintf(pfn, len, "%.*s%s", (int)p_namelen, preferredName, suffix);
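Review bot: the three printf calls carry no trailing newline, and the fortified snprintf on the last context line aborts the process before stdout is flushed, so in exactly the run that matters the debug output may never appear; end each with "\n" or print to stderr. They also instrument only the name arithmetic, while the check that fires concerns the destination buffer: add `pfn` (as an offset from the start of the buffer) and `len` to the last print, so the size claimed at `snprintf(pfn, len, ...)` can be compared with what is actually left at that position.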

pentoo ~/source/proxmark3 $ sudo gdb client/proxmark3 
GNU gdb (Gentoo 13.2 vanilla) 13.2
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from client/proxmark3...
(gdb) break src/fileutils.c:214
Breakpoint 1 at 0x1d8fbf: file src/fileutils.c, line 214.
(gdb) run /dev/ttyACM0
Starting program: /home/redbaron/source/proxmark3/client/proxmark3 /dev/ttyACM0
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[=] Session log /root/.proxmark3/logs/log_20230725.txt
[+] loaded from JSON file /root/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM0
[New Thread 0x7ffff40d76c0 (LWP 18354)]
[=] Communicating with PM3 over USB-CDC

  8888888b.  888b     d888  .d8888b.   
  888   Y88b 8888b   d8888 d88P  Y88b  
  888    888 88888b.d88888      .d88P  
  888   d88P 888Y88888P888     8888"  
  8888888P"  888 Y888P 888      "Y8b.  
  888        888  Y8P  888 888    888  
  888        888   "   888 Y88b  d88P 
  888        888       888  "Y8888P"    [ ☕ ]

[New Thread 0x7ffff32fa6c0 (LWP 18355)]
[Detaching after fork from child process 18356]
[New Thread 0x7ffff2af96c0 (LWP 18357)]
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
[New Thread 0x7ffff124f6c0 (LWP 18358)]
  [ Proxmark3 RFID instrument ]

    MCU....... AT91SAM7S512 Rev A
    Memory.... 512 KB ( 67% used )

    Client.... Iceman/master/v4.16717-218-gcb9ee94ed-dirty 2023-07-25 09:44:02
    Bootrom... Iceman/master/v4.16717-218-gcb9ee94ed-dirty-unclean 2023-07-25 09:43:58 
    OS........ Iceman/master/v4.16717-218-gcb9ee94ed-dirty-unclean 2023-07-25 09:44:06 
    Target.... RDV4

[usb] pm3 --> hf mf autopwn
[!] ⚠️  no known key was supplied, key recovery might fail
[+] loaded 56 keys from hardcoded default array
[=] running strategy 1
[=] ..
[=] Chunk 4.1s | found 19/32 keys (56)
[=] running strategy 2
[=] ..
[=] Chunk 4.1s | found 19/32 keys (56)
[+] target sector   0 key type B -- found valid key [ FFFFFFFFFFFF ] (used for nested / hardnested attack)
[+] target sector   1 key type A -- found valid key [ 2A2C13CC242A ]
[+] target sector   1 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   5 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   6 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   7 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   8 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   9 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  10 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  11 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  12 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  13 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  14 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type B -- found valid key [ FFFFFFFFFFFF ]
[New Thread 0x7ffff0a2d6c0 (LWP 18359)]
[New Thread 0x7fffe3fff6c0 (LWP 18360)]
[Thread 0x7ffff0a2d6c0 (LWP 18359) exited]
[Thread 0x7fffe3fff6c0 (LWP 18360) exited]
[+] Found 1 key candidates

[+] Target block    0 key type A -- found valid key [ 008DE5250EE8 ]

[+] target sector   0 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector   4 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector   5 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector   6 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector   7 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector   8 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector   9 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector  10 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector  11 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector  12 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector  13 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector  14 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector  15 key type A -- found valid key [ 008DE5250EE8 ]

[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | 008DE5250EE8 | N | FFFFFFFFFFFF | D
[+]  001 | 007 | 2A2C13CC242A | D | FFFFFFFFFFFF | D
[+]  002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  004 | 019 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  005 | 023 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  006 | 027 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  007 | 031 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  008 | 035 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  009 | 039 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  010 | 043 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  011 | 047 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  012 | 051 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  013 | 055 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  014 | 059 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  015 | 063 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA  )

[Switching to Thread 0x7ffff124f6c0 (LWP 18358)]

Thread 5 "WorkerThread" hit Breakpoint 1, newfilenamemcopyEx (preferredName=preferredName@entry=0x7fffe803b0a0 "hf-mf-3631862B-key.bin", suffix=suffix@entry=0x5555558f1fce ".bin", e_save_path=e_save_path@entry=spDump) at src/fileutils.c:214
214     size_t p_namelen = strlen(preferredName);
(gdb) print preferredName
$1 = 0x7fffe803b0a0 "hf-mf-3631862B-key.bin"
(gdb) print p_namelen
$2 = <optimized out>
(gdb) s
215     printf("p_namelen... %zu ", p_namelen);
(gdb) print p_namelen
$3 = <optimized out>
(gdb) s
0x000055555572cfc7 in printf (__fmt=<optimized out>) at /usr/include/bits/stdio2.h:86
86    return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ());
(gdb) s
215     printf("p_namelen... %zu ", p_namelen);
(gdb) s
printf (__fmt=0x55555590427b "p_namelen... %zu ") at /usr/include/bits/stdio2.h:86
86    return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ());
(gdb) s
newfilenamemcopyEx (preferredName=preferredName@entry=0x7fffe803b0a0 "hf-mf-3631862B-key.bin", suffix=suffix@entry=0x5555558f1fce ".bin", e_save_path=e_save_path@entry=spDump) at src/fileutils.c:216
216     if (str_endswith(preferredName, suffix)) {
(gdb) s
str_endswith (s=s@entry=0x7fffe803b0a0 "hf-mf-3631862B-key.bin", suffix=suffix@entry=0x5555558f1fce ".bin") at src/util.c:1114
1114    bool str_endswith(const char *s,  const char *suffix) {
(gdb) s
1115        size_t ls = strlen(s);
(gdb) s
1116        size_t lsuffix = strlen(suffix);
(gdb) print ls
$4 = 22
(gdb) s
1117        if (ls >= lsuffix) {
(gdb) print lsuffix
$5 = 4
(gdb) s
1118            return strncmp(suffix, s + (ls - lsuffix), lsuffix) == 0;
(gdb) s
newfilenamemcopyEx (preferredName=preferredName@entry=0x7fffe803b0a0 "hf-mf-3631862B-key.bin", suffix=suffix@entry=0x5555558f1fce ".bin", e_save_path=e_save_path@entry=spDump) at src/fileutils.c:217
217         printf("suffix len... %zu ", strlen(suffix));
(gdb) s
0x000055555572d0a8 in printf (__fmt=<optimized out>) at /usr/include/bits/stdio2.h:86
86    return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ());
(gdb) s
217         printf("suffix len... %zu ", strlen(suffix));
(gdb) print suffix
$6 = 0x5555558f1fce ".bin"
(gdb) s
printf (__fmt=0x55555590428d "suffix len... %zu ") at /usr/include/bits/stdio2.h:86
86    return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ());
(gdb) s
newfilenamemcopyEx (preferredName=preferredName@entry=0x7fffe803b0a0 "hf-mf-3631862B-key.bin", suffix=suffix@entry=0x5555558f1fce ".bin", e_save_path=e_save_path@entry=spDump) at src/fileutils.c:218
218         p_namelen -= strlen(suffix);
(gdb) print p_namelen
$7 = 22
(gdb) s
219         printf("p_namelen after... %zu ", p_namelen);
(gdb) s
0x000055555572d0c6 in printf (__fmt=<optimized out>) at /usr/include/bits/stdio2.h:86
86    return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ());
(gdb) s
219         printf("p_namelen after... %zu ", p_namelen);
(gdb) print p_namelen
$8 = 18
(gdb) s
printf (__fmt=0x5555559042a0 "p_namelen after... %zu ") at /usr/include/bits/stdio2.h:86
86    return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ());
(gdb) s
newfilenamemcopyEx (preferredName=preferredName@entry=0x7fffe803b0a0 "hf-mf-3631862B-key.bin", suffix=suffix@entry=0x5555558f1fce ".bin", e_save_path=e_save_path@entry=spDump) at src/fileutils.c:222
222     snprintf(pfn, len, "%.*s%s", (int)p_namelen, preferredName, suffix);
(gdb) s
snprintf (__fmt=0x5555559042b8 "%.*s%s", __n=1000, __s=0x7fffe803b826 "") at /usr/include/bits/stdio2.h:54
54    return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
(gdb) s
222     snprintf(pfn, len, "%.*s%s", (int)p_namelen, preferredName, suffix);
(gdb) s
0x000055555572d01d in snprintf (__fmt=0x5555559042b8 "%.*s%s", __n=1000, __s=0x7fffe803b826 "") at /usr/include/bits/stdio2.h:54
54    return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
(gdb) s
*** buffer overflow detected ***: terminated

Thread 5 "WorkerThread" received signal SIGABRT, Aborted.
0x00007ffff66afa4c in ?? () from /lib64/libc.so.6
(gdb) backtrace
#0  0x00007ffff66afa4c in  () at /lib64/libc.so.6
#1  0x00007ffff6660d96 in raise () at /lib64/libc.so.6
#2  0x00007ffff664a87c in abort () at /lib64/libc.so.6
#3  0x00007ffff664b5b7 in  () at /lib64/libc.so.6
#4  0x00007ffff673ef3b in  () at /lib64/libc.so.6
#5  0x00007ffff673d766 in  () at /lib64/libc.so.6
#6  0x00007ffff673d345 in __snprintf_chk () at /lib64/libc.so.6
#7  0x000055555572d022 in snprintf (__fmt=0x5555559042b8 "%.*s%s", __n=1000, __s=0x7fffe803b826 "") at /usr/include/bits/stdio2.h:54
#8  newfilenamemcopyEx (preferredName=preferredName@entry=0x7fffe803b0a0 "hf-mf-3631862B-key.bin", suffix=suffix@entry=0x5555558f1fce ".bin", e_save_path=e_save_path@entry=spDump) at src/fileutils.c:222
#9  0x000055555572f121 in createMfcKeyDump (preferredName=preferredName@entry=0x7fffe803b0a0 "hf-mf-3631862B-key.bin", sectorsCnt=sectorsCnt@entry=16 '\020', e_sector=e_sector@entry=0x7fffe803af10) at src/fileutils.c:779
#10 0x000055555565d0a7 in CmdHF14AMfAutoPWN (Cmd=<optimized out>) at src/cmdhfmf.c:3105
#11 0x00005555556f55fe in CmdsParse (Commands=0x5555559b4560 <CommandTable>, Cmd=0x7fffe801c686 "autopwn") at src/cmdparser.c:321
#12 0x00005555556f55fe in CmdsParse (Commands=0x5555559b0b40 <CommandTable>, Cmd=0x7fffe801c683 "mf autopwn") at src/cmdparser.c:321
#13 0x00005555556f55fe in CmdsParse (Commands=Commands@entry=0x5555559b8c40 <CommandTable>, Cmd=Cmd@entry=0x7fffe801c680 "hf mf autopwn") at src/cmdparser.c:321
#14 0x00005555556f40c3 in CommandReceived (Cmd=Cmd@entry=0x7fffe801c680 "hf mf autopwn") at src/cmdmain.c:365
#15 0x0000555555765da5 in main_loop (script_cmds_file=<optimized out>, script_cmd=<optimized out>, stayInCommandLoop=true) at src/proxmark3.c:407
#16 0x00007ffff6ca59ff in  () at /usr/lib64/libQt5Core.so.5
#17 0x00007ffff66add14 in  () at /lib64/libc.so.6
#18 0x00007ffff672f010 in  () at /lib64/libc.so.6
(gdb) 
iceman1001 commented 1 year ago

Good,

It's nothing to do with the length of the strings then. Somehow the pfn pointer doesn't point to valid memory anymore.

It's down to tracking it:

    char *pfn = fileName;       <---- assigned

    // user preference save paths
    int save_path_len = path_size(e_save_path);
    if (save_path_len) {
        snprintf(pfn, len, "%s%s", g_session.defaultPaths[e_save_path], PATHSEP);
        pfn += save_path_len + strlen(PATHSEP);          <----  verify it doesn't point outside 
    }

  <----  here make a test to see where PFN points at.

    // remove file extension if exist in name
    size_t p_namelen = strlen(preferredName);
    if (str_endswith(preferredName, suffix)) {
        p_namelen -= strlen(suffix);
    }
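Following the suspicion above about where pfn ends up after the prefix is written, here is an added example (mine, not the project's code) that shows the pattern as a checkable size claim, beside a builder that keeps the size argument in step with the cursor and reports truncation. PATHSEP, the dumps directory and the buffer sizes are constructed stand-ins; ends_with mirrors the str_endswith stepped through in the gdb trace.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in, not the project's definition. */
#define PATHSEP "/"

/* Same semantics as the str_endswith() stepped through in gdb (src/util.c). */
static bool ends_with(const char *s, const char *suffix) {
    size_t ls = strlen(s);
    size_t lsuffix = strlen(suffix);
    return ls >= lsuffix && strncmp(suffix, s + (ls - lsuffix), lsuffix) == 0;
}

/* The shape of the suspected pattern: pfn is advanced past the "<dir><sep>"
 * prefix, but the unchanged 'len' is handed to the next snprintf. This reports
 * the claimed and the real remainder instead of passing the bogus size to
 * snprintf, so it is safe to run under any FORTIFY level. */
typedef struct {
    size_t claimed;   /* what the call tells snprintf is free at pfn */
    size_t actual;    /* what is really left between pfn and the buffer end */
} claim_t;

claim_t buggy_claim(size_t len, const char *dir) {
    size_t used = strlen(dir) + strlen(PATHSEP);
    claim_t c;
    c.claimed = len;
    c.actual = (used < len) ? len - used : 0;
    return c;
}

/* Hardened builder: a running 'remaining' shrinks with every write, the
 * %.*s precision is range-checked before the size_t -> int cast, and any
 * truncation is reported as -1 instead of yielding a silently wrong path.
 * Returns the length of the assembled path on success. */
int build_filename(char *dst, size_t dst_size, const char *dir,
                   const char *name, const char *suffix) {
    if (dst == NULL || dst_size == 0 || name == NULL || suffix == NULL)
        return -1;

    char *cur = dst;
    size_t remaining = dst_size;
    dst[0] = '\0';

    if (dir != NULL && dir[0] != '\0') {
        int n = snprintf(cur, remaining, "%s%s", dir, PATHSEP);
        if (n < 0 || (size_t)n >= remaining)
            return -1;                 /* prefix alone would not fit */
        cur += n;
        remaining -= (size_t)n;        /* keep the size in step with the cursor */
    }

    /* Drop an existing suffix exactly once so it is not doubled. */
    size_t namelen = strlen(name);
    if (ends_with(name, suffix))
        namelen -= strlen(suffix);
    if (namelen > (size_t)INT_MAX)
        return -1;                     /* %.*s takes an int precision */

    int n = snprintf(cur, remaining, "%.*s%s", (int)namelen, name, suffix);
    if (n < 0 || (size_t)n >= remaining)
        return -1;                     /* name + suffix would be truncated */

    return (int)(cur - dst) + n;
}
```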
iceman1001 commented 1 year ago

Pushed some more checks. Since I can't trigger it, it is up to you to find a root cause and a fix.

dperret commented 1 year ago

Ok, I'll keep looking at it. Here's the gdb output, stepping through with the checks from last night:

pentoo ~/source/proxmark3 $ sudo gdb ./client/proxmark3 
GNU gdb (Gentoo 13.2 vanilla) 13.2
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./client/proxmark3...
(gdb) break src/fileutils.c:207
Breakpoint 1 at 0x1d92ad: file src/fileutils.c, line 207.
(gdb) break src/fileutils.c:220
Breakpoint 2 at 0x1d9307: file src/fileutils.c, line 220.
(gdb) run /dev/ttyACM0 
Starting program: /home/redbaron/source/proxmark3/client/proxmark3 /dev/ttyACM0
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[=] Session log /root/.proxmark3/logs/log_20230727.txt
[+] loaded from JSON file `/root/.proxmark3/preferences.json`
[=] Using UART port /dev/ttyACM0
[New Thread 0x7ffff40d76c0 (LWP 12876)]
[=] Communicating with PM3 over USB-CDC

  8888888b.  888b     d888  .d8888b.   
  888   Y88b 8888b   d8888 d88P  Y88b  
  888    888 88888b.d88888      .d88P  
  888   d88P 888Y88888P888     8888"  
  8888888P"  888 Y888P 888      "Y8b.  
  888        888  Y8P  888 888    888  
  888        888   "   888 Y88b  d88P 
  888        888       888  "Y8888P"    [ ☕ ]

[New Thread 0x7ffff32fa6c0 (LWP 12877)]
[Detaching after fork from child process 12878]
[New Thread 0x7ffff2af96c0 (LWP 12879)]
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
[New Thread 0x7ffff124f6c0 (LWP 12880)]
  [ Proxmark3 RFID instrument ]

    MCU....... AT91SAM7S512 Rev A
    Memory.... 512 KB ( 67% used )

    Client.... Iceman/master/v4.16717-236-g7f5590d94 2023-07-27 00:32:09
    Bootrom... Iceman/master/v4.16717-236-g7f5590d94 2023-07-27 00:32:04 
    OS........ Iceman/master/v4.16717-236-g7f5590d94 2023-07-27 00:32:12 
    Target.... RDV4

[usb] pm3 --> hf mf autopwn
[!] ⚠️  no known key was supplied, key recovery might fail
[+] loaded 56 keys from hardcoded default array
[=] running strategy 1
[=] ..
[=] Chunk 4.1s | found 19/32 keys (56)
[=] running strategy 2
[=] ..
[=] Chunk 4.1s | found 19/32 keys (56)
[+] target sector   0 key type B -- found valid key [ FFFFFFFFFFFF ] (used for nested / hardnested attack)
[+] target sector   1 key type A -- found valid key [ 2A2C13CC242A ]
[+] target sector   1 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   5 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   6 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   7 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   8 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   9 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  10 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  11 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  12 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  13 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  14 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector  15 key type B -- found valid key [ FFFFFFFFFFFF ]
[New Thread 0x7ffff0a2d6c0 (LWP 12881)]
[New Thread 0x7fffe3fff6c0 (LWP 12882)]
[Thread 0x7fffe3fff6c0 (LWP 12882) exited]
[Thread 0x7ffff0a2d6c0 (LWP 12881) exited]
[+] Found 1 key candidates

[+] Target block    0 key type A -- found valid key [ 008DE5250EE8 ]

[+] target sector   0 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector   4 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector   5 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector   6 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector   7 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector   8 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector   9 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector  10 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector  11 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector  12 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector  13 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector  14 key type A -- found valid key [ 008DE5250EE8 ]
[+] target sector  15 key type A -- found valid key [ 008DE5250EE8 ]

[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | 008DE5250EE8 | N | FFFFFFFFFFFF | D
[+]  001 | 007 | 2A2C13CC242A | D | FFFFFFFFFFFF | D
[+]  002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  004 | 019 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  005 | 023 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  006 | 027 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  007 | 031 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  008 | 035 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  009 | 039 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  010 | 043 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  011 | 047 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  012 | 051 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  013 | 055 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  014 | 059 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+]  015 | 063 | 008DE5250EE8 | R | FFFFFFFFFFFF | D
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA  )

[Switching to Thread 0x7ffff124f6c0 (LWP 12880)]

Thread 5 "WorkerThread" hit Breakpoint 1, path_size (a=spDump) at src/fileutils.c:178
178     if (a == spItemCount) {
(gdb) info locals
No locals.
(gdb) print spDump
$1 = spDump
(gdb) s
181     return strlen(g_session.defaultPaths[a]);
(gdb) s
newfilenamemcopyEx (preferredName=preferredName@entry=0x7fffe803b100 "hf-mf-3631862B-key.bin", suffix=suffix@entry=0x5555558f208e ".bin", e_save_path=e_save_path@entry=spDump) at src/fileutils.c:208
208     if (save_path_len < FILE_PATH_SIZE ) {
(gdb) print save_path_len
$2 = 5
(gdb) s
209         snprintf(pfn, len, "%.*s%s", (int)save_path_len, g_session.defaultPaths[e_save_path], PATHSEP);
(gdb) print pfn
$3 = 0x7fffe803b880 ""
(gdb) print len
$4 = 1000
(gdb) print e_save_path
$5 = spDump
(gdb) print g_session.defaultPaths[e_save_path]
$6 = 0x555556088b60 "/root"
(gdb) s
snprintf (__fmt=0x55555590433b "%.*s%s", __n=1000, __s=0x7fffe803b880 "") at /usr/include/bits/stdio2.h:54
54    return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
(gdb) s
newfilenamemcopyEx (preferredName=preferredName@entry=0x7fffe803b100 "hf-mf-3631862B-key.bin", suffix=suffix@entry=0x5555558f208e ".bin", e_save_path=e_save_path@entry=spDump) at src/fileutils.c:210
210         pfn += save_path_len + strlen(PATHSEP);
(gdb) s
214     size_t p_namelen = strlen(preferredName);
(gdb) s
215     if (str_endswith(preferredName, suffix)) {
(gdb) s
str_endswith (s=s@entry=0x7fffe803b100 "hf-mf-3631862B-key.bin", suffix=suffix@entry=0x5555558f208e ".bin") at src/util.c:1114
1114    bool str_endswith(const char *s,  const char *suffix) {
(gdb) s
1115        size_t ls = strlen(s);
(gdb) s
1116        size_t lsuffix = strlen(suffix);
(gdb) s
1117        if (ls >= lsuffix) {
(gdb) s
1118            return strncmp(suffix, s + (ls - lsuffix), lsuffix) == 0;
(gdb) s
newfilenamemcopyEx (preferredName=preferredName@entry=0x7fffe803b100 "hf-mf-3631862B-key.bin", suffix=suffix@entry=0x5555558f208e ".bin", e_save_path=e_save_path@entry=spDump) at src/fileutils.c:216
216         p_namelen -= strlen(suffix);
(gdb) s

Thread 5 "WorkerThread" hit Breakpoint 2, newfilenamemcopyEx (preferredName=preferredName@entry=0x7fffe803b100 "hf-mf-3631862B-key.bin", suffix=suffix@entry=0x5555558f208e ".bin", e_save_path=e_save_path@entry=spDump) at src/fileutils.c:220
220     snprintf(pfn, len, "%.*s%s", (int)p_namelen, preferredName, suffix);
(gdb) s
snprintf (__fmt=0x55555590433b "%.*s%s", __n=1000, __s=0x7fffe803b886 "") at /usr/include/bits/stdio2.h:54
54    return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
(gdb) s
220     snprintf(pfn, len, "%.*s%s", (int)p_namelen, preferredName, suffix);
(gdb) print pfn
$7 = 0x7fffe803b886 ""
(gdb) print len
$8 = 1000
(gdb) print p_namelen
$9 = <optimized out>
(gdb) print preferredName
$10 = 0x7fffe803b100 "hf-mf-3631862B-key.bin"
(gdb) print suffix
$11 = 0x5555558f208e ".bin"
(gdb) s
0x000055555572d331 in snprintf (__fmt=0x55555590433b "%.*s%s", __n=1000, __s=0x7fffe803b886 "") at /usr/include/bits/stdio2.h:54
54    return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
(gdb) s
*** buffer overflow detected ***: terminated

Thread 5 "WorkerThread" received signal SIGABRT, Aborted.
0x00007ffff66afa4c in ?? () from /lib64/libc.so.6
(gdb) 
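Reading the trace: the first `snprintf` at `fileutils.c:209` writes at the start of `pfn` (object size 1000, `len` 1000) and passes; line 210 then advances `pfn` by `save_path_len + strlen(PATHSEP)` (6 bytes for `/root/`), but the second call at line 220 still passes `len = 1000`. With `_FORTIFY_SOURCE`, `__builtin___snprintf_chk` compares the size argument against the space left in the object it knows about, and glibc's `__vsnprintf_chk` calls `__chk_fail()` as soon as the size argument exceeds that remaining space, so the abort fires even though the 26-byte path itself would have fit. The block below is an added illustration, not code from the proxmark3 repository or from either commenter: it keeps a cursor and a remaining-space counter in step (assumed names `build_save_path`, `append_n`, `ends_with`, `size_arg_exceeds_remaining`; `FILE_PATH_SIZE` is assumed to be 1000 from the `len` value in the trace and was not checked against the project's header).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed: mirrors len=1000 from the gdb trace, not taken from the project. */
#define FILE_PATH_SIZE 1000
#define PATHSEP "/"

/* Same test as util.c:1114 in the trace: does s end with suffix? */
static bool ends_with(const char *s, const char *suffix) {
    size_t ls = strlen(s);
    size_t lsuf = strlen(suffix);
    return ls >= lsuf && strncmp(suffix, s + (ls - lsuf), lsuf) == 0;
}

/* Append the first n bytes of s at *cursor.  The size passed to snprintf is
 * *remaining, never the original buffer length, and both the cursor and the
 * remaining count move together.  snprintf returns the length it wanted to
 * write, so w >= *remaining means the piece was truncated. */
static bool append_n(char **cursor, size_t *remaining, const char *s, size_t n) {
    int w = snprintf(*cursor, *remaining, "%.*s", (int)n, s);
    if (w < 0 || (size_t)w >= *remaining) {
        return false;
    }
    *cursor += w;
    *remaining -= (size_t)w;
    return true;
}

/* Build "<dir>/<name><suffix>" into out, adding suffix only if name lacks it.
 * Returns false (with out NUL-terminated) when the result does not fit. */
bool build_save_path(char *out, size_t out_len, const char *dir,
                     const char *name, const char *suffix) {
    if (out == NULL || out_len == 0) {
        return false;
    }
    char *cursor = out;
    size_t remaining = out_len;
    out[0] = '\0';

    size_t name_len = strlen(name);
    if (ends_with(name, suffix)) {
        name_len -= strlen(suffix);   /* same trimming as fileutils.c:215-216 */
    }
    return append_n(&cursor, &remaining, dir, strlen(dir))
        && append_n(&cursor, &remaining, PATHSEP, strlen(PATHSEP))
        && append_n(&cursor, &remaining, name, name_len)
        && append_n(&cursor, &remaining, suffix, strlen(suffix));
}

/* Models the fortify check that fired in the trace: after writing offset
 * bytes, a size argument larger than what is left in the buffer is rejected
 * regardless of how much the call would actually write. */
bool size_arg_exceeds_remaining(size_t buf_size, size_t offset, size_t size_arg) {
    return offset > buf_size || size_arg > buf_size - offset;
}

int main(void) {
    char path[FILE_PATH_SIZE];
    /* Values from the trace: dir "/root", preferredName "hf-mf-3631862B-key.bin". */
    if (build_save_path(path, sizeof path, "/root", "hf-mf-3631862B-key.bin", ".bin")) {
        printf("%s\n", path);
    }
    /* Second snprintf in the trace: cursor at +6, size argument still 1000. */
    printf("fortify would abort: %s\n",
           size_arg_exceeds_remaining(FILE_PATH_SIZE, 6, 1000) ? "yes" : "no");
    return 0;
}
```

The point for review is the pairing: whenever a write cursor into a fixed buffer is advanced, the size handed to the next bounded call must shrink by the same amount. Compiling with `-D_FORTIFY_SOURCE=2` is what turned this latent off-by-prefix size into a deterministic abort on pentoo, which is why the same binary behaved differently elsewhere.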
iceman1001 commented 1 year ago

`214 size_t p_namelen = strlen(preferredName);` can you print `p_namelen` after this line?

dperret commented 1 year ago

Looks like https://github.com/RfidResearchGroup/proxmark3/commit/19251645e15e5701fd0af09d7bcf93dee20a9c20 fixed it! I tested both the hf mf autopwn and hf mfu dump commands (on different cards), building from source from commit https://github.com/RfidResearchGroup/proxmark3/commit/97a1f97308fed7231170b0aed864ae2db82c294f and both are running successfully now. Thank you!

iceman1001 commented 1 year ago

That took way longer to fix than I predicted. Those error messages could be a bit more informative.