POC code for J1939 transport vulnerabilities. Please consult the included paper for further information.

Vulnerability 1, crashing the process under a data-segment limit:

- Run the binary in one terminal as `build/main vcan 0`; replace `vcan` with the name of your CAN interface. The second argument is the index of the interface.
- In another terminal run `prlimit -d100 -p <pid>`. This restricts the size of the process's data segment to 100 bytes. One can use a prlimit of 256 kbytes instead to replicate an embedded device. The process's PID can be found by running `ps aux | grep "build/main"`.
- Now run `./exploit_vuln1.sh <src as in conf.h> <sleep between every sent message>`. I typically use a sleep of 0.1 to eat up the heap before the allocations are freed.
- The program will crash after a while.

Vulnerability 1, measuring heap growth with Massif:

- Run the binary as `valgrind --tool=massif build/main vcan 0`; replace `vcan` and `0` as before.
- Now run `./exploit_vuln1.sh <src as in conf.h> <sleep between every sent message>`. I typically use a sleep of 0.1 to eat up the heap before the allocations are freed.
- Kill the program with Ctrl+C.
- Massif output is produced in the same directory.
- Read it using `ms_print massif.out.<some number>`. It will show a steady increase in heap usage.
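The two runs above show the heap growing steadily while transport-protocol sessions are opened faster than they are freed. The mitigation a defender would look for in the receiving stack is a session table that cannot grow at all. The C below is an added example, not code from this repository or from the included paper: sessions come from a static pool fixed at compile time, a silent originator is expired after an idle timeout, and an RTS that arrives when no slot is free is refused instead of allocated. The names (`tp_table`, `tp_table_rts`), the 8-slot pool size, the 1250 ms timeout and the sample frames are all assumptions chosen for the illustration.

```c
/* Added example, not code from this repository: a fixed-capacity J1939
 * transport-protocol (TP) session table. Sessions live in a static pool, so
 * a flood of TP.CM_RTS frames cannot grow the heap. An originator that goes
 * silent is expired after TP_IDLE_TIMEOUT_MS, and an RTS that finds no free
 * slot is refused (the stack would answer it with TP.CM_Abort).
 * All names and the constants below are this example's own choices. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TP_MAX_SESSIONS     8      /* pool size, fixed at build time (assumed) */
#define TP_IDLE_TIMEOUT_MS  1250   /* assumed; same order as the J1939-21 T2/T3 timers */

typedef struct {
    bool     in_use;
    uint8_t  src;          /* source address of the originator */
    uint32_t pgn;          /* parameter group being transferred */
    uint16_t total_bytes;  /* message size announced in TP.CM_RTS */
    uint8_t  next_seq;     /* next expected TP.DT sequence number */
    uint32_t last_ms;      /* time of the last frame seen for this session */
} tp_session;

typedef struct {
    tp_session slot[TP_MAX_SESSIONS];
    unsigned   refused;    /* RTS frames refused because the pool was full */
} tp_table;

void tp_table_init(tp_table *t) { memset(t, 0, sizeof *t); }

unsigned tp_table_active(const tp_table *t) {
    unsigned n = 0;
    for (int i = 0; i < TP_MAX_SESSIONS; i++) n += t->slot[i].in_use;
    return n;
}

/* Release sessions whose originator has sent nothing within the timeout. */
static void tp_table_expire(tp_table *t, uint32_t now_ms) {
    for (int i = 0; i < TP_MAX_SESSIONS; i++)
        if (t->slot[i].in_use && now_ms - t->slot[i].last_ms > TP_IDLE_TIMEOUT_MS)
            t->slot[i].in_use = false;
}

/* Handle a TP.CM_RTS from src. Returns the slot index, or -1 when refused. */
int tp_table_rts(tp_table *t, uint8_t src, uint32_t pgn,
                 uint16_t total_bytes, uint32_t now_ms) {
    tp_table_expire(t, now_ms);
    int idx = -1;
    for (int i = 0; i < TP_MAX_SESSIONS; i++) {
        tp_session *s = &t->slot[i];
        /* One session per originator: a repeated RTS restarts it, never adds one. */
        if (s->in_use && s->src == src) { idx = i; break; }
        if (!s->in_use && idx < 0) idx = i;
    }
    if (idx < 0) { t->refused++; return -1; }
    tp_session *s = &t->slot[idx];
    s->in_use = true;  s->src = src;  s->pgn = pgn;
    s->total_bytes = total_bytes;  s->next_seq = 1;  s->last_ms = now_ms;
    return idx;
}

/* Constructed scenario: 20 distinct source addresses each send one RTS for
 * a 100-byte message at the same instant (PGN value chosen for the example). */
tp_table demo_flood(void) {
    tp_table t;
    tp_table_init(&t);
    for (unsigned i = 0; i < 20; i++)
        tp_table_rts(&t, (uint8_t)(0x80 + i), 0xFECA, 100, 1000);
    return t;
}

int main(void) {
    tp_table t = demo_flood();
    printf("active sessions: %u, refused RTS: %u\n", tp_table_active(&t), t.refused);
    return 0;
}
```

Only the first eight originators get a session; the remaining twelve are refused while memory stays flat, and once the idle timeout passes their slots are reclaimed for new requests. The same bound can be applied per source address or per PGN if the stack needs finer control.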
Vulnerability 2, control run with the non-exploit test script:

- Run the binary under Valgrind in one terminal as `valgrind --leak-check=yes build/main vcan 0`; replace `vcan` with the name of your CAN interface. The second argument is the index of the interface.
- Run the test script as `./test_send_conn.sh <src as in conf.h> <sleep between every sent message>`.
- Quit with Ctrl+C.
- Valgrind will keep quiet and report no leaks.

Vulnerability 2, exploit run:

- Run the binary under Valgrind in one terminal as `valgrind --leak-check=yes build/main vcan 0`; replace `vcan` with the name of your CAN interface. The second argument is the index of the interface.
- Run the exploit script as `./exploit_vuln2.sh <src as in conf.h> <sleep between every sent message>`.
- Watch Valgrind shout in the first terminal.
- Quit with Ctrl+C if required.

Vulnerability 3: this one is straightforward and its effect can be seen clearly on the network. Please refer to the paper. Hence this code is not meant as a POC for vulnerability 3.