CSAPP Lab3 Attack Solution

date
Mar 22, 2023
slug
csapp-lab3-attack-sol
status
Published
tags
Program
Learn
type
Post
pin
0
summary
My solution for CSAPP Lab3 Attack
Full answer:
code/csapp/attack at master · BeautyyuYanli/code
Contribute to BeautyyuYanli/code development by creating an account on GitHub.
code/csapp/attack at master · BeautyyuYanli/code
https://github.com/BeautyyuYanli/code/tree/master/csapp/attack
code/csapp/attack at master · BeautyyuYanli/code

Lv 1

Overwrite 0x401976(the real ret addr) with 0x4017c0(the func touch1 addr).
The address can be examined with x 0x28+$rsp when the program is inside the function getbuf.

Lv 2

Use gdb to inspect the following address:
  • the address of cookie: 0x6044e4
  • the address of original ret address: 0x5561dca0
  • address of touch2: 0x4017ec
Then we need a piece of injection code to excute the call to touch2. The injection code should start from the bottom of the memory space for buf, with a sequence of nop. Then it comes to the setting of the argument and ret address for calling touch2.
Firstly overwrite the original ret address with <injection>'s address: [0x5561dca0, +4] = 0x5561dc78, which is the bottom of the memory space for buf.
Then set the address for calling <touch2>: [0x5561dc98, +8] = 0x4017ec0000000000, where is the top of the memory space for buf.
Then the injection code:
The stack should be like:

Lv 3

Similar to Lv2:
  • the value of cookie: 0x59b997fa
  • the corresponding little-endian value for the string '59b997fa': 0x6166373939623935
  • the address of original ret address: 0x5561dca0
  • address of touch3: 0x4018fa
Firstly overwrite the original ret address with <injection>'s address: [0x5561dca0, +4] = 0x5561dc78, which is the bottom of the memory space for buf.
Now we define the place start from the bottom of the memory space for buf (0x5561dc78) as the new start of stack.
Then the injection code:

Lv 4

const:
  • cookie value: 0x59b997fa
  • touch2: 0x4017ec
gadget:
  • popq %rax : 0x4019cc
  • movq %rax, %rdi: 0x4019c5
stack:

Lv 5

Use ChatGPT to form the byte sequence from farm:
notion image
notion image
Find a gadget to save %rsp:
grep -P '48 89 e[0-7] (90 )*c3' < dumpr.clean.d
get:
  • mov %rsp, %rax : 0x401a06
Find gadgets to add something:
grep -P '48 8d (.. ){0,4}c3' < dumpr.clean.d
get:
  • lea (%rdi, %rsi, 1), %rax : 0x4019d6
Find gadgets to move %rax:
grep -P '48 89 c[0-7] (.. ){0,4}c3' < dumpr.clean.d
get:
  • movq %rax, %rdi : 0x4019c5
Find gadgets to move something to %rsi:
grep -P '89 .[6e] (.. ){0,4}c3' < dumpr.clean.d
get:
  • movl %ecx, %esi : 0x401a13
Find gadgets to move something to %ecx:
grep -P '89 [c-f](1|9) (.. ){0,4}c3' < dumpr.clean.d
get:
  • movl %edx, %ecx : 0x401a34
Find gadgets to move something to %edx:
grep -P '89 [c-f](2|a) (.. ){0,4}c3' < dumpr.clean.d
get:
  • movl %eax, %edx : 0x4019dd
Finally, we can pop something to %eax:
  • popq %rax : 0x4019cc
The code be like:
  • the value of cookie: 0x59b997fa
  • the corresponding byte sequence encoding the string '59b997fa': 35 39 62 39 39 37 66 61
The stack should be like:
Use ChatGPT to convert it:
notion image
notion image
©️
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
notion image
 

© Beautyyu言醴 2022 - 2024