path: root/docs/posts/2023-10-05-attack-lab.html
Diffstat (limited to 'docs/posts/2023-10-05-attack-lab.html')
-rw-r--r-- docs/posts/2023-10-05-attack-lab.html | 71
1 files changed, 30 insertions, 41 deletions
diff --git a/docs/posts/2023-10-05-attack-lab.html b/docs/posts/2023-10-05-attack-lab.html
index 82a02fe..d049a6b 100644
--- a/docs/posts/2023-10-05-attack-lab.html
+++ b/docs/posts/2023-10-05-attack-lab.html
@@ -49,7 +49,8 @@
<p>Lab 3 for CSCI 2400 @ CU Boulder - Computer Systems</p>
<blockquote>
- <p>This assignment involves generating a total of five attacks on two programs having different security vulnerabilities. The directions for this lab are detailed but not difficult to follow.</p>
+ <p>This assignment involves generating a total of five attacks on two programs having different security vulnerabilities. The directions for this lab are detailed but not difficult to follow.
+ <cite> Attack Lab Handout </cite></p>
</blockquote>
<p>Again, I like using objdump to disassemble the code. </p>
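Review bot: the attribution in this hunk is written as `<cite> Attack Lab Handout </cite>` with padding spaces, while every later hunk in this commit uses `<cite>Attack Lab Handout</cite>`; drop the padding so the rendered attribution looks the same under each quote. Because the `<cite>` follows the sentence with only a newline, it renders inline right after the period; if the attribution is meant to stand apart from the quoted text, put it in its own element (a `<footer>` inside the `<blockquote>`, or at least a trailing `<p>`) rather than appending it to the quote's paragraph.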
@@ -113,11 +114,10 @@ NICE<span class="w"> </span>JOB!
<h2>Phase 2</h2>
<blockquote>
- <p>Phase 2 involves injecting a small amount of code as part of your exploit string.</p>
-</blockquote>
-
-<blockquote>
- <p>Within the file ctarget there is code for a function touch2 having the following C representation:</p>
+ <p>Phase 2 involves injecting a small amount of code as part of your exploit string.
+ <br><br>
+ Within the file ctarget there is code for a function touch2 having the following C representation:
+ <cite>Attack Lab Handout</cite></p>
</blockquote>
<div class="codehilite">
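Review bot: the two quotes are collapsed into one `<p>` and separated with `<br><br>`, which uses line breaks to fake paragraph spacing. Keeping a single `<blockquote>` is the right call, but give each quoted passage its own `<p>` inside it and place the `<cite>` after them, e.g.
`<p>Phase 2 involves injecting a small amount of code as part of your exploit string.</p>`
`<p>Within the file ctarget there is code for a function touch2 having the following C representation:</p>`
`<cite>Attack Lab Handout</cite>`
so the spacing comes from the block structure instead of hard breaks.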
@@ -138,11 +138,10 @@ NICE<span class="w"> </span>JOB!
<blockquote>
<p>Your task is to get CTARGET to execute the code for touch2 rather than returning to test. In this case,
- however, you must make it appear to touch2 as if you have passed your cookie as its argument.</p>
-</blockquote>
-
-<blockquote>
- <p>Recall that the first argument to a function is passed in register %rdi</p>
+ however, you must make it appear to touch2 as if you have passed your cookie as its argument.
+ <br><br>
+ Recall that the first argument to a function is passed in register %rdi
+ <cite>Attack Lab Handout</cite></p>
</blockquote>
<p>This hint tells us that we need to store the cookie in the rdi register</p>
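Review bot: the second quoted sentence, "Recall that the first argument to a function is passed in register %rdi", has no terminating punctuation before the `<cite>`, so the rendered line reads "...register %rdi Attack Lab Handout" with nothing separating the quote from its attribution; end the sentence with a period (or move the `<cite>` out of the `<p>`). The same `<br><br>` join as the previous hunk applies here; two `<p>` elements inside the one `<blockquote>` would avoid it.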
@@ -275,22 +274,17 @@ NICE<span class="w"> </span>JOB!
<h2>Phase 3</h2>
<blockquote>
- <p>Phase 3 also involves a code injection attack, but passing a string as argument.</p>
-</blockquote>
-
-<blockquote>
- <p>You will need to include a string representation of your cookie in your exploit string. The string should
- consist of the eight hexadecimal digits (ordered from most to least significant) without a leading “0x.”</p>
-</blockquote>
-
-<blockquote>
- <p>Your injected code should set register %rdi to the address of this string</p>
-</blockquote>
-
-<blockquote>
- <p>When functions hexmatch and strncmp are called, they push data onto the stack, overwriting
+ <p>Phase 3 also involves a code injection attack, but passing a string as argument.
+ <br><br>
+ You will need to include a string representation of your cookie in your exploit string. The string should
+ consist of the eight hexadecimal digits (ordered from most to least significant) without a leading “0x.”
+ <br><br>
+ Your injected code should set register %rdi to the address of this string
+ <br><br>
+ When functions hexmatch and strncmp are called, they push data onto the stack, overwriting
portions of memory that held the buffer used by getbuf. As a result, you will need to be careful
- where you place the string representation of your cookie.</p>
+ where you place the string representation of your cookie.
+ <cite>Attack Lab Handout</cite></p>
</blockquote>
<p>Because <code>hexmatch</code> and <code>strncmp</code> might overwrite the buffer allocated for <code>getbuf</code> we will try to store the data after the function <code>touch3</code> itself.</p>
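Review bot: four previously separate handout quotes are merged into one paragraph with three `<br><br>` separators, and the function names in the quoted text (hexmatch, strncmp, getbuf) are left as plain words while the sentence directly below the blockquote marks the same names with `<code>`. Split the merged quote into one `<p>` per handout passage and wrap the identifiers in `<code>` inside the quote as well, so the quote and the author's commentary render the names consistently.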
@@ -390,21 +384,16 @@ NICE<span class="w"> </span>JOB!
* movq
* popq
* ret
- * nop</p>
-</blockquote>
-
-<blockquote>
- <p>All the gadgets you need can be found in the region of the code for rtarget demarcated by the
- functions start<em>farm and mid</em>farm</p>
-</blockquote>
-
-<blockquote>
- <p>You can do this attack with just two gadgets</p>
-</blockquote>
-
-<blockquote>
- <p>When a gadget uses a popq instruction, it will pop data from the stack. As a result, your exploit
- string will contain a combination of gadget addresses and data.</p>
+ * nop
+ <br><br>
+ All the gadgets you need can be found in the region of the code for rtarget demarcated by the
+ functions start<em>farm and mid</em>farm
+ <br><br>
+ You can do this attack with just two gadgets
+ <br><br>
+ When a gadget uses a popq instruction, it will pop data from the stack. As a result, your exploit
+ string will contain a combination of gadget addresses and data.
+ <cite>Attack Lab Handout</cite></p>
</blockquote>
<p>Let us check if we can find <code>popq %rdi</code> between <code>start_farm</code> and <code>end_farm</code></p>
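Review bot: `functions start<em>farm and mid</em>farm` is a markdown artifact (the underscores in `start_farm` and `mid_farm` were interpreted as emphasis), and this hunk carries the garbled text over unchanged; since the `<em>` now spans "farm and mid" the rendered quote says "startfarm and midfarm" with the wrong words italicised. Replace it with `<code>start_farm</code> and <code>mid_farm</code>`, matching how the following paragraph writes `<code>start_farm</code>`. Also worth a look: the quote names `mid_farm` as the boundary while the paragraph right after the blockquote says "between start_farm and end_farm"; confirm which region the text means so the two lines agree.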