ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0

[BUG] Device605_TCP_TxTlp sends too much data #26

Closed fishilico closed 6 years ago

fishilico commented 6 years ago

Hello, in function Device605_TCP_TxTlp in pcileech/device605_tcp.c, the number of bytes to send (cbTx) is computed with the following formula:

https://github.com/ufrisk/pcileech/blob/4d4397084d4374cbbcf7c54e2e52d1f0136e10fa/pcileech/device605_tcp.c#L160

As each item in pbTlp is 4-byte long when it is inserted into a PCIE_CTL structure, the expression should rather be:

cbTx = sizeof(PCIE_CTL) * cbTlp / 4;

Currently Device605_TCP_TxTlp() is sending garbage with every TLP, which is quite annoying when this garbage has some control flags set. Could you please fix this?

Anyway, thank you for adding the support of this TCP/IP device in the last release! It makes it possible to easily relay DMA commands through the network, which is a feature that I needed.
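The sizing rule described in the report, as an added example that is not pcileech's own code: every 4-byte word of the TLP becomes one PCIE_CTL item, so the number of bytes handed to the TCP send call must be sizeof(PCIE_CTL) * cbTlp / 4, and nothing beyond the items actually filled in. The PCIE_CTL layout, the function names and the sample TLP bytes below are assumptions made for illustration. The code also adds the two checks a caller wants before sending: a TLP whose length is not a multiple of 4 is rejected, and the computed length is compared against the output buffer so stale buffer contents never reach the wire.

```c
/* Added example, not pcileech code. Demonstrates deriving the transmit
 * length from the number of PCIE_CTL items actually packed, so that the
 * bytes sent are exactly the bytes initialised.
 * The PCIE_CTL layout below is an ASSUMPTION for illustration only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: one control word plus one 32-bit TLP data word per item. */
typedef struct {
    uint32_t dwCtl;   /* control flags; placeholder value 0 in this example */
    uint32_t dwData;  /* one 32-bit word of the TLP */
} PCIE_CTL;

/* Number of bytes that go on the wire for a TLP of cbTlp bytes.
 * Returns 0 for an empty TLP or one whose length is not a multiple of 4,
 * because such a TLP cannot be split into whole 4-byte items. */
size_t tlp_tx_bytes(size_t cbTlp)
{
    if (cbTlp == 0 || cbTlp % 4 != 0)
        return 0;
    return sizeof(PCIE_CTL) * (cbTlp / 4);
}

/* Pack pbTlp into out[], one item per dword. Returns the number of bytes
 * written to out, or 0 if the TLP is malformed or out is too small.
 * Every field of every item written is assigned, so the caller can send
 * exactly the returned byte count without leaking stale buffer contents. */
size_t pack_tlp(const uint8_t *pbTlp, size_t cbTlp, PCIE_CTL *out, size_t cbOut)
{
    size_t cbTx = tlp_tx_bytes(cbTlp);
    if (cbTx == 0 || cbTx > cbOut)
        return 0;
    size_t n = cbTlp / 4;
    for (size_t i = 0; i < n; i++) {
        uint32_t dw;
        memcpy(&dw, pbTlp + 4 * i, 4);   /* keeps the TLP's own byte order */
        out[i].dwCtl = 0;                /* placeholder; never left uninitialised */
        out[i].dwData = dw;
    }
    return n * sizeof(PCIE_CTL);
}

/* Constructed sample: a 16-byte (4-dword) TLP; the values are arbitrary. */
static const uint8_t SAMPLE_TLP[16] = {
    0x40, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0f,
    0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00 };

/* Packs the sample TLP into a buffer pre-filled with stale bytes and returns
 * the byte count that would be passed to the send call. */
size_t demo(void)
{
    PCIE_CTL buf[64];
    memset(buf, 0xAA, sizeof buf);      /* simulate leftover data in the buffer */
    return pack_tlp(SAMPLE_TLP, sizeof SAMPLE_TLP, buf, sizeof buf);
}

int main(void)
{
    size_t cbTx = demo();
    printf("TLP of %zu bytes -> %zu bytes on the wire (%zu items of %zu bytes)\n",
           sizeof SAMPLE_TLP, cbTx, cbTx / sizeof(PCIE_CTL), sizeof(PCIE_CTL));
    return 0;
}
```

With the assumed 8-byte item, the 16-byte sample TLP packs into 4 items and exactly 32 bytes are sent; the 0xAA filler after the last item is never transmitted, which is the property the bug report asks for.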

ufrisk commented 6 years ago

Thanks for this excellent bug report :+1: I'll fix this and also another bug related to the sp605_tcp. I expect to push the changes to Github in a new release on Monday/Tuesday next week.

I can see it's very useful over the network, but unfortunately this implementation is very slow, as you might have noticed already. The bug fix won't fix the speed issue.

If speed is an issue I recommend the FT601 USB3 addon board (only works if pcileech runs on Windows at the moment though).

ufrisk commented 6 years ago

This (and another) bug should now be resolved. Once again thank you for the excellent bug report.

I noticed it's still a bit unstable. I think it's the FPGA-side that's not entirely stable, but still - it's quite useful depending on the scenario.

fishilico commented 6 years ago

Thanks for your reply! To give more details on my use-case, I have been working on a side project where I use an unsupported device to perform a DMA attack. I only have network access to it, with an SSH-like command line, and I have added commands to read and write its host memory. The CPU it uses is quite slow (dumping the whole memory takes a few weeks). Thanks to pcileech's KMD and shellcodes, it is nonetheless possible to demonstrate spectacular attacks like logging in without a password (wx64_unlock). In order to use pcileech, I implemented a relay script in Python which translates TCP-encapsulated PCIe TLPs (for the SP605/TCP device) to the SSH-like commands I have, and now that this bug is fixed, it works really well :)

Thank you!