What does the pop-up manual tell us?
This lock is attached to the LockIT Pro HSM-2.
We have updated the lock firmware to connect with this hardware
security module.
So far so good. What’s written in the details section?
…
This is Software Revision 01. The firmware has been updated to
connect with the new hardware security module. We have removed the
function to unlock the door from the LockIT Pro firmware.
So what’s the main difference between HSM-1 and HSM-2?
If you have a look in the manual, you will see that the interface to HSM-2 (INT 0x7E) only takes the password to test as argument.
So there is no chance for us to overwrite a flag like in HSM-1. Have a look in the manual again (INT 0x7D):
“Takes two arguments. The first argument is the password to test, the second is the location of a flag to overwrite if the password is correct.”
However, there seems to be no easy solution like simply jumping to an unlock_door function. It’s removed! (see above)
Let’s have a look at the login function:
The function conditional_unlock_door looks interesting. Let’s inspect it:
Nothing to exploit here? Let’s start the debugger…
Entering around 100 A’s when asked for the password, I notice that the program is not terminating as expected. It is stuck.
Looking at the Register State I see the following:
Nice. Do you see where the pc is? At 4141! Since we entered a lot of A’s (in hex: 41), we most probably overwrote a return address and returned to 0x4141.
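To make the observation above concrete, here is an added example (not code from the write-up or from the lock firmware) that models the login stack frame on a little-endian 16-bit machine like the MSP430: a fixed-size password buffer with the saved return address directly above it. The buffer size, the offset of the saved return address and the original return value are assumptions chosen for the demonstration. It copies the same input the write-up used, 100 bytes of 'A', once with an unbounded copy and once with a length check, and returns the value that `ret` would pop into pc in each case.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/*
 * Constructed model of a login() stack frame. Low addresses come first:
 * the password buffer occupies the bottom of the frame and the saved
 * return address sits immediately above it. All sizes and addresses
 * below are assumptions for this demonstration, not firmware values.
 */
#define SIM_STACK_SIZE   128    /* simulated region: buffer plus the bytes above it */
#define PASSWORD_BUF_LEN 16     /* assumed size of the password buffer */
#define SAVED_RET_OFFSET PASSWORD_BUF_LEN
#define ORIGINAL_RET     0x4438 /* placeholder for the caller's address */

struct sim_stack {
    uint8_t mem[SIM_STACK_SIZE];
};

/* Lay out a fresh frame with the original return address stored little-endian. */
static void frame_init(struct sim_stack *s) {
    memset(s->mem, 0, sizeof s->mem);
    s->mem[SAVED_RET_OFFSET]     = ORIGINAL_RET & 0xff;        /* low byte first */
    s->mem[SAVED_RET_OFFSET + 1] = (ORIGINAL_RET >> 8) & 0xff;
}

/* The value `ret` would pop into pc at the end of login(). */
static uint16_t frame_saved_ret(const struct sim_stack *s) {
    return (uint16_t)(s->mem[SAVED_RET_OFFSET] | (s->mem[SAVED_RET_OFFSET + 1] << 8));
}

/* Vulnerable pattern: the whole input is copied into the fixed buffer,
 * so every byte past PASSWORD_BUF_LEN lands on the saved return address. */
static uint16_t login_unbounded(const uint8_t *input, size_t len) {
    struct sim_stack s;
    frame_init(&s);
    if (len > SIM_STACK_SIZE) {
        len = SIM_STACK_SIZE;   /* keeps the model in bounds; real firmware keeps writing */
    }
    memcpy(s.mem, input, len);
    return frame_saved_ret(&s);
}

/* Hardened pattern: the length is checked against the buffer before any
 * byte is copied and over-long input is rejected. Returns 0 on success,
 * -1 on rejection; *ret_out receives the saved return address either way. */
static int login_bounded(const uint8_t *input, size_t len, uint16_t *ret_out) {
    struct sim_stack s;
    frame_init(&s);
    if (len > PASSWORD_BUF_LEN) {
        *ret_out = frame_saved_ret(&s);
        return -1;
    }
    memcpy(s.mem, input, len);
    *ret_out = frame_saved_ret(&s);
    return 0;
}

/* Constructed input: 100 'A' bytes, as typed in the write-up. */
#define SAMPLE_LEN 100

static void fill_sample(uint8_t *buf) {
    memset(buf, 'A', SAMPLE_LEN);
}

/* pc after ret when the sample goes through the unbounded copy: 0x4141. */
static uint16_t sample_unbounded_ret(void) {
    uint8_t sample[SAMPLE_LEN];
    fill_sample(sample);
    return login_unbounded(sample, SAMPLE_LEN);
}

/* Return code of the bounded copy for the same sample: -1 (rejected). */
static int sample_bounded_rc(void) {
    uint8_t sample[SAMPLE_LEN];
    uint16_t ret;
    fill_sample(sample);
    return login_bounded(sample, SAMPLE_LEN, &ret);
}

/* Saved return address after the bounded copy: still ORIGINAL_RET. */
static uint16_t sample_bounded_ret(void) {
    uint8_t sample[SAMPLE_LEN];
    uint16_t ret;
    fill_sample(sample);
    login_bounded(sample, SAMPLE_LEN, &ret);
    return ret;
}

int main(void) {
    printf("unbounded copy: pc after ret = 0x%04x\n", sample_unbounded_ret());
    printf("bounded copy:   rc = %d, pc after ret = 0x%04x\n",
           sample_bounded_rc(), sample_bounded_ret());
    return 0;
}
```

The first function reproduces the register state seen in the debugger: the two bytes at the saved-return slot are both 0x41, so pc becomes 0x4141. The second shows the fix the firmware lacks, a length check before the copy, which leaves the return address untouched and makes the over-long password fail cleanly instead of redirecting execution.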
This smells like an equivalent solution to Cusco. We have to make tiny changes to our entered password, because the address where our password is stored and the address of the INT function are different.
TL;DR: Solution is