github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-19 21:03:48 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

fixed buffer overflow and swapped parameter to "suffix" since its not a output file name

Browse source
This commit is contained in:
iceman1001 2025-01-05 13:12:34 +01:00
commit 2585a77403
5 changed files with 81 additions and 45 deletions
Download patch file Download diff file Expand all files Collapse all files

31
client/src/cmdhfmf.c
View file

@ -2439,7 +2439,10 @@ static int CmdHF14AMfAutoPWN(const char *Cmd) {
CLIParserInit(&ctx, "hf mf autopwn", CLIParserInit(&ctx, "hf mf autopwn",
"This command automates the key recovery process on MIFARE Classic cards.\n" "This command automates the key recovery process on MIFARE Classic cards.\n"
"It uses the fchk, chk, darkside, nested, hardnested and staticnested to recover keys.\n" "It uses the fchk, chk, darkside, nested, hardnested and staticnested to recover keys.\n"
"If all keys are found, it try dumping card content both to file and emulator memory.", "If all keys are found, it try dumping card content both to file and emulator memory.\n"
"\n"
"default file name template is `hf-mf-<uid>-<dump|key>.`\n"
"using suffix the template becomes `hf-mf-<uid>-<dump|key>-<suffix>.` \n",
"hf mf autopwn\n" "hf mf autopwn\n"
"hf mf autopwn -s 0 -a -k FFFFFFFFFFFF --> target MFC 1K card, Sector 0 with known key A 'FFFFFFFFFFFF'\n" "hf mf autopwn -s 0 -a -k FFFFFFFFFFFF --> target MFC 1K card, Sector 0 with known key A 'FFFFFFFFFFFF'\n"
"hf mf autopwn --1k -f mfc_default_keys --> target MFC 1K card, default dictionary\n" "hf mf autopwn --1k -f mfc_default_keys --> target MFC 1K card, default dictionary\n"
@ -2449,15 +2452,15 @@ static int CmdHF14AMfAutoPWN(const char *Cmd) {
void *argtable[] = { void *argtable[] = {
arg_param_begin, arg_param_begin,
arg_strx0("k", "key", "<hex>", "Known key, 12 hex bytes"), arg_strx0("k", "key", "<hex>", "Known key, 12 hex bytes"),
arg_int0("s", "sector", "<dec>", "Input sector number"), arg_int0("s", "sector", "<dec>", "Input sector number"),
arg_lit0("a", NULL, "Input key A (def)"), arg_lit0("a", NULL, "Input key A (def)"),
arg_lit0("b", NULL, "Input key B"), arg_lit0("b", NULL, "Input key B"),
arg_str0("f", "file", "<fn>", "filename of dictionary"), arg_str0("f", "file", "<fn>", "filename of dictionary"),
arg_str0("o", NULL, "<fn>", "filename suffix for dump and key files"), arg_str0(NULL, "suffix", "<txt>", "Add this suffix to generated files"),
arg_lit0(NULL, "slow", "Slower acquisition (required by some non standard cards)"), arg_lit0(NULL, "slow", "Slower acquisition (required by some non standard cards)"),
arg_lit0("l", "legacy", "legacy mode (use the slow `hf mf chk`)"), arg_lit0("l", "legacy", "legacy mode (use the slow `hf mf chk`)"),
arg_lit0("v", "verbose", "verbose output"), arg_lit0("v", "verbose", "verbose output"),
arg_lit0(NULL, "ns", "No save to file"), arg_lit0(NULL, "ns", "No save to file"),
@ -2503,8 +2506,8 @@ static int CmdHF14AMfAutoPWN(const char *Cmd) {
CLIParamStrToBuf(arg_get_str(ctx, 5), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen); CLIParamStrToBuf(arg_get_str(ctx, 5), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen);
int outfnlen = 0; int outfnlen = 0;
char outfilename[FILE_PATH_SIZE] = {0}; char outfilename[127] = {0};
CLIParamStrToBuf(arg_get_str(ctx, 6), (uint8_t *)outfilename, FILE_PATH_SIZE, &outfnlen); CLIParamStrToBuf(arg_get_str(ctx, 6), (uint8_t *)outfilename, 127, &outfnlen);
bool slow = arg_get_lit(ctx, 7); bool slow = arg_get_lit(ctx, 7);
@ -2699,7 +2702,7 @@ static int CmdHF14AMfAutoPWN(const char *Cmd) {
// read uid to generate a filename for the key file // read uid to generate a filename for the key file
char suffix[FILE_PATH_SIZE]; char suffix[FILE_PATH_SIZE];
if (outfnlen) { if (outfnlen) {
snprintf(suffix, sizeof(suffix), "-key-%s.bin", outfilename); snprintf(suffix, sizeof(suffix) - strlen(outfilename), "-key-%s.bin", outfilename);
} else { } else {
snprintf(suffix, sizeof(suffix), "-key.bin"); snprintf(suffix, sizeof(suffix), "-key.bin");
} }
@ -3231,7 +3234,7 @@ all_found:
} }
free(fptr); free(fptr);
if (outfnlen) { if (outfnlen) {
snprintf(suffix, sizeof(suffix), "-dump-%s", outfilename); snprintf(suffix, sizeof(suffix), "-dump-%s", outfilename);
} else { } else {

2
client/src/cmdhfmfdes.c
View file

@ -772,7 +772,7 @@ static int CmdHF14ADesInfo(const char *Cmd) {
if (cardtype == DESFIRE_EV2 || cardtype == DESFIRE_EV2_XL || if (cardtype == DESFIRE_EV2 || cardtype == DESFIRE_EV2_XL ||
cardtype == DESFIRE_LIGHT || cardtype == DESFIRE_LIGHT ||
cardtype == DESFIRE_EV3 || cardtype == DESFIRE_EV3 ||
cardtype == NTAG413DNA || cardtype == NTAG413DNA ||
cardtype == DUOX) { cardtype == DUOX) {
// Signature originality check // Signature originality check
uint8_t signature[250] = {0}; // must be 56 uint8_t signature[250] = {0}; // must be 56

2
client/src/pm3line_vocabulary.h
View file

@ -279,6 +279,7 @@ const static vocabulary_t vocabulary[] = {
{ 1, "hf iclass view" }, { 1, "hf iclass view" },
{ 0, "hf iclass wrbl" }, { 0, "hf iclass wrbl" },
{ 0, "hf iclass creditepurse" }, { 0, "hf iclass creditepurse" },
{ 0, "hf iclass trbl" },
{ 0, "hf iclass chk" }, { 0, "hf iclass chk" },
{ 1, "hf iclass loclass" }, { 1, "hf iclass loclass" },
{ 1, "hf iclass lookup" }, { 1, "hf iclass lookup" },
@ -679,6 +680,7 @@ const static vocabulary_t vocabulary[] = {
{ 0, "lf hitag hts reader" }, { 0, "lf hitag hts reader" },
{ 0, "lf hitag hts rdbl" }, { 0, "lf hitag hts rdbl" },
{ 0, "lf hitag hts dump" }, { 0, "lf hitag hts dump" },
{ 0, "lf hitag hts restore" },
{ 0, "lf hitag hts wrbl" }, { 0, "lf hitag hts wrbl" },
{ 0, "lf hitag hts sim" }, { 0, "lf hitag hts sim" },
{ 1, "lf idteck help" }, { 1, "lf idteck help" },

88
doc/commands.json
View file

@ -3684,6 +3684,32 @@
], ],
"usage": "hf iclass sniff [-hj]" "usage": "hf iclass sniff [-hj]"
}, },
"hf iclass trbl": {
"command": "hf iclass trbl",
"description": "Tear off an iCLASS tag block",
"notes": [
"hf iclass trbl --blk 10 -d AAAAAAAAAAAAAAAA -k 001122334455667B --tdb 100 --tde 150",
"hf iclass trbl --blk 10 -d AAAAAAAAAAAAAAAA --ki 0 --tdb 100 --tde 150"
],
"offline": false,
"options": [
"-h, --help This help",
"-k, --key <hex> Access key as 8 hex bytes",
"--ki <dec> Key index to select key from memory 'hf iclass managekeys'",
"--blk <dec> block number",
"-d, --data <hex> data to write as 8 hex bytes",
"-m, --mac <hex> replay mac data (4 hex bytes)",
"--credit key is assumed to be the credit key",
"--elite elite computations applied to key",
"--raw no computations applied to key",
"--nr replay of NR/MAC",
"-v, --verbose verbose output",
"--shallow use shallow (ASK) reader modulation instead of OOK",
"--tdb <dec> tearoff delay start in ms",
"--tde <dec> tearoff delay end in ms"
],
"usage": "hf iclass trbl [-hv] [-k <hex>] [--ki <dec>] --blk <dec> -d <hex> [-m <hex>] [--credit] [--elite] [--raw] [--nr] [--shallow] --tdb <dec> --tde <dec>"
},
"hf iclass unhash": { "hf iclass unhash": {
"command": "hf iclass unhash", "command": "hf iclass unhash",
"description": "Reverses the hash0 function used generate iclass diversified keys after DES encryption, Function returns the DES crypted CSN. Next step bruteforcing.", "description": "Reverses the hash0 function used generate iclass diversified keys after DES encryption, Function returns the DES crypted CSN. Next step bruteforcing.",
@ -4314,7 +4340,7 @@
}, },
"hf mf autopwn": { "hf mf autopwn": {
"command": "hf mf autopwn", "command": "hf mf autopwn",
"description": "This command automates the key recovery process on MIFARE Classic cards. It uses the fchk, chk, darkside, nested, hardnested and staticnested to recover keys. If all keys are found, it try dumping card content both to file and emulator memory.", "description": "This command automates the key recovery process on MIFARE Classic cards. It uses the fchk, chk, darkside, nested, hardnested and staticnested to recover keys. If all keys are found, it try dumping card content both to file and emulator memory. default file name template is `hf-mf-<uid>-<dump|key>.` using suffix the template becomes `hf-mf-<uid>-<dump|key>-<suffix>.`",
"notes": [ "notes": [
"hf mf autopwn", "hf mf autopwn",
"hf mf autopwn -s 0 -a -k FFFFFFFFFFFF -> target MFC 1K card, Sector 0 with known key A 'FFFFFFFFFFFF'", "hf mf autopwn -s 0 -a -k FFFFFFFFFFFF -> target MFC 1K card, Sector 0 with known key A 'FFFFFFFFFFFF'",
@ -4330,6 +4356,7 @@
"-a Input key A (def)", "-a Input key A (def)",
"-b Input key B", "-b Input key B",
"-f, --file <fn> filename of dictionary", "-f, --file <fn> filename of dictionary",
"--suffix <txt> Add this suffix to generated files",
"--slow Slower acquisition (required by some non standard cards)", "--slow Slower acquisition (required by some non standard cards)",
"-l, --legacy legacy mode (use the slow `hf mf chk`)", "-l, --legacy legacy mode (use the slow `hf mf chk`)",
"-v, --verbose verbose output", "-v, --verbose verbose output",
@ -4345,7 +4372,7 @@
"--i2 AVX2", "--i2 AVX2",
"--i5 AVX512" "--i5 AVX512"
], ],
"usage": "hf mf autopwn [-hablv] [-k <hex>]... [-s <dec>] [-f <fn>] [--slow] [--ns] [--mini] [--1k] [--2k] [--4k] [--in] [--im] [--is] [--ia] [--i2] [--i5]" "usage": "hf mf autopwn [-hablv] [-k <hex>]... [-s <dec>] [-f <fn>] [--suffix <txt>] [--slow] [--ns] [--mini] [--1k] [--2k] [--4k] [--in] [--im] [--is] [--ia] [--i2] [--i5]"
}, },
"hf mf brute": { "hf mf brute": {
"command": "hf mf brute", "command": "hf mf brute",
@ -8709,18 +8736,18 @@
}, },
"lf em 410x sim": { "lf em 410x sim": {
"command": "lf em 410x sim", "command": "lf em 410x sim",
"description": "Enables simulation of EM 410x card. Simulation runs until the button is pressed or another USB command is issued.", "description": "Enables simulation of EM 410x card. Simulation runs until the button is pressed or another USB command is issued. Most common readers expects the code to be sent in loop without a break (i.e. --gap 0). For other, more advanced readers there might be a need to set a non-zero gap value.",
"notes": [ "notes": [
"lf em 410x sim --id 0F0368568B", "lf em 410x sim --id 0F0368568B",
"lf em 410x sim --id 0F0368568B --clk 32", "lf em 410x sim --id 0F0368568B --clk 32",
"lf em 410x sim --id 0F0368568B --gap 0" "lf em 410x sim --id 0F0368568B --gap 20"
], ],
"offline": false, "offline": false,
"options": [ "options": [
"-h, --help This help", "-h, --help This help",
"--clk <dec> <32|64> clock (default 64)", "--clk <dec> <32|64> clock (default 64)",
"--id <hex> EM Tag ID number (5 hex bytes)", "--id <hex> EM Tag ID number (5 hex bytes)",
"--gap <dec> gap (0's) between ID repeats (default 20)" "--gap <dec> gap (0's) between ID repeats (default 0)"
], ],
"usage": "lf em 410x sim [-h] [--clk <dec>] --id <hex> [--gap <dec>]" "usage": "lf em 410x sim [-h] [--clk <dec>] --id <hex> [--gap <dec>]"
}, },
@ -9820,6 +9847,7 @@
"command": "lf hitag hts dump", "command": "lf hitag hts dump",
"description": "Read all Hitag S memory and save to file Crypto mode: - key format ISK high + ISK low - default key 4F4E4D494B52 (ONMIKR) 8268/8310 password mode: - default password BBDD3399", "description": "Read all Hitag S memory and save to file Crypto mode: - key format ISK high + ISK low - default key 4F4E4D494B52 (ONMIKR) 8268/8310 password mode: - default password BBDD3399",
"notes": [ "notes": [
"lf hitag hts dump --82xx -> use def pwd",
"lf hitag hts dump --82xx -k BBDD3399 -> pwd mode", "lf hitag hts dump --82xx -k BBDD3399 -> pwd mode",
"lf hitag hts dump --crypto -> use def crypto", "lf hitag hts dump --crypto -> use def crypto",
"lf hitag hts dump -k 4F4E4D494B52 -> crypto mode", "lf hitag hts dump -k 4F4E4D494B52 -> crypto mode",
@ -9838,27 +9866,6 @@
], ],
"usage": "lf hitag hts dump [-h8] [--nrar <hex>] [--crypto] [-k <hex>] [-m <dec>] [-f <fn>] [--ns]" "usage": "lf hitag hts dump [-h8] [--nrar <hex>] [--crypto] [-k <hex>] [-m <dec>] [-f <fn>] [--ns]"
}, },
"lf hitag hts restore": {
"command": "lf hitag hts restore",
"description": "Restore a dump file onto Hitag S tag Crypto mode: - key format ISK high + ISK low - default key 4F4E4D494B52 (ONMIKR) 8268/8310 password mode: - default password BBDD3399",
"notes": [
"lf hitag hts restore -f myfile --82xx -k BBDD3399 -> pwd mode",
"lf hitag hts restore -f myfile --crypto -> use def crypto",
"lf hitag hts restore -f myfile -k 4F4E4D494B52 -> crypto mode",
"lf hitag hts restore -f myfile --nrar 0102030411223344"
],
"offline": false,
"options": [
"-h, --help This help",
"-8, --82xx 8268/8310 mode",
"--nrar <hex> nonce / answer writer, 8 hex bytes",
"--crypto crypto mode",
"-k, --key <hex> pwd or key, 4 or 6 hex bytes",
"-m, --mode <dec> response protocol mode. 0 (Standard 00110), 1 (Advanced 11000), 2 (Advanced 11001), 3 (Fast Advanced 11010) (def: 3)",
"-f, --file <fn> specify file name"
],
"usage": "lf hitag hts restore [-h8] [--nrar <hex>] [--crypto] [-k <hex>] [-m <dec>] [-f <fn>]"
},
"lf hitag hts help": { "lf hitag hts help": {
"command": "lf hitag hts help", "command": "lf hitag hts help",
"description": "help This help list List Hitag S trace history --------------------------------------------------------------------------------------- lf hitag hts list available offline: yes Alias of `trace list -t hitags` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol", "description": "help This help list List Hitag S trace history --------------------------------------------------------------------------------------- lf hitag hts list available offline: yes Alias of `trace list -t hitags` with selected protocol data to annotate trace buffer You can load a trace from file (see `trace load -h`) or it be downloaded from device by default It accepts all other arguments of `trace list`. Note that some might not be relevant for this specific protocol",
@ -9917,6 +9924,28 @@
], ],
"usage": "lf hitag hts reader [-h@]" "usage": "lf hitag hts reader [-h@]"
}, },
"lf hitag hts restore": {
"command": "lf hitag hts restore",
"description": "Restore a dump file onto Hitag S tag Crypto mode: - key format ISK high + ISK low - default key 4F4E4D494B52 (ONMIKR) 8268/8310 password mode: - default password BBDD3399",
"notes": [
"lf hitag hts restore -f myfile --82xx -> use def pwd",
"lf hitag hts restore -f myfile --82xx -k BBDD3399 -> pwd mode",
"lf hitag hts restore -f myfile --crypto -> use def crypto",
"lf hitag hts restore -f myfile -k 4F4E4D494B52 -> crypto mode",
"lf hitag hts restore -f myfile --nrar 0102030411223344"
],
"offline": false,
"options": [
"-h, --help This help",
"-8, --82xx 8268/8310 mode",
"--nrar <hex> nonce / answer writer, 8 hex bytes",
"--crypto crypto mode",
"-k, --key <hex> pwd or key, 4 or 6 hex bytes",
"-m, --mode <dec> response protocol mode. 0 (Standard 00110), 1 (Advanced 11000), 2 (Advanced 11001), 3 (Fast Advanced 11010) (def: 3)",
"-f, --file <fn> specify file name"
],
"usage": "lf hitag hts restore [-h8] [--nrar <hex>] [--crypto] [-k <hex>] [-m <dec>] [-f <fn>]"
},
"lf hitag hts sim": { "lf hitag hts sim": {
"command": "lf hitag hts sim", "command": "lf hitag hts sim",
"description": "Simulate Hitag S transponder You need to `lf hitag hts eload` first", "description": "Simulate Hitag S transponder You need to `lf hitag hts eload` first",
@ -9936,6 +9965,7 @@
"description": "Write a page in Hitag S memory. Crypto mode: - key format ISK high + ISK low - default key 4F4E4D494B52 (ONMIKR) 8268/8310 password mode: - default password BBDD3399", "description": "Write a page in Hitag S memory. Crypto mode: - key format ISK high + ISK low - default key 4F4E4D494B52 (ONMIKR) 8268/8310 password mode: - default password BBDD3399",
"notes": [ "notes": [
"lf hitag hts wrbl -p 6 -d 01020304 -> Hitag S/8211, plain mode", "lf hitag hts wrbl -p 6 -d 01020304 -> Hitag S/8211, plain mode",
"lf hitag hts wrbl -p 6 -d 01020304 --82xx -> use def pwd",
"lf hitag hts wrbl -p 6 -d 01020304 --82xx -k BBDD3399 -> 8268/8310, password mode", "lf hitag hts wrbl -p 6 -d 01020304 --82xx -k BBDD3399 -> 8268/8310, password mode",
"lf hitag hts wrbl -p 6 -d 01020304 --nrar 0102030411223344 -> Hitag S, challenge mode", "lf hitag hts wrbl -p 6 -d 01020304 --nrar 0102030411223344 -> Hitag S, challenge mode",
"lf hitag hts wrbl -p 6 -d 01020304 --crypto -> Hitag S, crypto mode, default key", "lf hitag hts wrbl -p 6 -d 01020304 --crypto -> Hitag S, crypto mode, default key",
@ -11819,7 +11849,7 @@
}, },
"mem load": { "mem load": {
"command": "mem load", "command": "mem load",
"description": "Loads binary file into flash memory on device Warning: mem area to be written must have been wiped first ( this is already taken care when loading dictionaries )", "description": "Loads binary file into flash memory on device Warning: mem area to be written must have been wiped first ( dictionaries are serviced as files in spiffs so no wipe is needed )",
"notes": [ "notes": [
"mem load -f myfile -> upload file myfile values at default offset 0", "mem load -f myfile -> upload file myfile values at default offset 0",
"mem load -f myfile -o 1024 -> upload file myfile values at offset 1024", "mem load -f myfile -o 1024 -> upload file myfile values at offset 1024",
@ -13063,8 +13093,8 @@
} }
}, },
"metadata": { "metadata": {
"commands_extracted": 751, "commands_extracted": 753,
"extracted_by": "PM3Help2JSON v1.00", "extracted_by": "PM3Help2JSON v1.00",
"extracted_on": "2024-12-09T14:16:07" "extracted_on": "2025-01-05T12:10:45"
} }
} }

3
doc/commands.md
View file

@ -402,6 +402,7 @@ Check column "offline" for their availability.
|`hf iclass view `|Y |`Display content from tag dump file` |`hf iclass view `|Y |`Display content from tag dump file`
|`hf iclass wrbl `|N |`Write Picopass / iCLASS block` |`hf iclass wrbl `|N |`Write Picopass / iCLASS block`
|`hf iclass creditepurse `|N |`Credit epurse value` |`hf iclass creditepurse `|N |`Credit epurse value`
|`hf iclass trbl `|N |`Performs tearoff attack on iClass block`
|`hf iclass chk `|N |`Check keys` |`hf iclass chk `|N |`Check keys`
|`hf iclass loclass `|Y |`Use loclass to perform bruteforce reader attack` |`hf iclass loclass `|Y |`Use loclass to perform bruteforce reader attack`
|`hf iclass lookup `|Y |`Uses authentication trace to check for key in dictionary file` |`hf iclass lookup `|Y |`Uses authentication trace to check for key in dictionary file`
@ -1083,8 +1084,8 @@ Check column "offline" for their availability.
|`lf hitag hts reader `|N |`Act like a Hitag S reader` |`lf hitag hts reader `|N |`Act like a Hitag S reader`
|`lf hitag hts rdbl `|N |`Read Hitag S page` |`lf hitag hts rdbl `|N |`Read Hitag S page`
|`lf hitag hts dump `|N |`Dump Hitag S pages to a file` |`lf hitag hts dump `|N |`Dump Hitag S pages to a file`
|`lf hitag hts restore `|N |`Restore Hitag S memory from dump file`
|`lf hitag hts wrbl `|N |`Write Hitag S page` |`lf hitag hts wrbl `|N |`Write Hitag S page`
|`lf hitag hts restore `|N |`Restore Hitag S memory from a dump file`
|`lf hitag hts sim `|N |`Simulate Hitag S transponder` |`lf hitag hts sim `|N |`Simulate Hitag S transponder`