push3ax / usbairborne Goto Github PK

我非常喜欢您这个开源项目。但是SendString()函数好像有些问题，如果作为一个badusb的hid攻击，SendString（）的第二个参数是字符串长度，如果这个参数大于输入的第二个参数会出现一些奇怪的问题。我认为是你的SendString（）函数中进行for循环的时候第二个如果参数过大会使得对s这个字符串的操作越位了，进行的操作的数据是这个字符串后面的内存空间的数据，是不可知的。并且我实验证实了这一猜测。

所以SendString（）的第二个参数及其重要，我觉得不应该让使用者来填写。应该在SendString（）函数中调用strlen()函数并且在得到的值加一得到for循环的次数。

I really like your open source project. But there seems to be something wrong with the SendString() function, if as a badusb hid attack, the second parameter of SendString() is the string length, and if this parameter is larger than the second parameter entered, there will be some strange problems. I think it's the second for loop in your SendString () function that makes the operation on the string s offside if the argument is too large, and the data that is performed is the memory space behind the string, which is unknowable. And my experiment confirmed this hypothesis.

So the second argument to SendString () is so important that I don't think it should be left to the user to fill in. The strlen() function should be called in the SendString () function and the resulting value should be added by one to get the number of for loops.

void SendString(UINT8 *s)
{
UINT8 i;
for(i=0;i<(strlen(s)+1);i++)
{
if( (s[i]>='a')&&(s[i]<='z')){
SendKey(KB_NULL,s[i]-'a'+KB_A);
}else if((s[i]>='A')&&(s[i]<='Z')){
SendKey(KB_LeftShift,s[i]-'A'+KB_A);
}else if((s[i]>='1')&&(s[i]<='9')){
SendKey(KB_NULL,s[i]-'1'+KB_1);
}else{

bad usb普遍能被360检测到
如果能，我想了解其中的原理