Diffstat (limited to 'docs/posts/2023-10-05-attack-lab.html')
-rw-r--r--  docs/posts/2023-10-05-attack-lab.html  71
1 files changed, 30 insertions, 41 deletions
diff --git a/docs/posts/2023-10-05-attack-lab.html b/docs/posts/2023-10-05-attack-lab.html index 82a02fe..d049a6b 100644 --- a/docs/posts/2023-10-05-attack-lab.html +++ b/docs/posts/2023-10-05-attack-lab.html @@ -49,7 +49,8 @@ <p>Lab 3 for CSCI 2400 @ CU Boulder - Computer Systems</p> <blockquote> - <p>This assignment involves generating a total of five attacks on two programs having different security vulnerabilities. The directions for this lab are detailed but not difficult to follow.</p> + <p>This assignment involves generating a total of five attacks on two programs having different security vulnerabilities. The directions for this lab are detailed but not difficult to follow. + <cite> Attack Lab Handout </cite></p> </blockquote> <p>Again, I like using objdump to disassemble the code. </p> @@ -113,11 +114,10 @@ NICE<span class="w"> </span>JOB! <h2>Phase 2</h2> <blockquote> - <p>Phase 2 involves injecting a small amount of code as part of your exploit string.</p> -</blockquote> - -<blockquote> - <p>Within the file ctarget there is code for a function touch2 having the following C representation:</p> + <p>Phase 2 involves injecting a small amount of code as part of your exploit string. + <br><br> + Within the file ctarget there is code for a function touch2 having the following C representation: + <cite>Attack Lab Handout</cite></p> </blockquote> <div class="codehilite"> 
@@ -138,11 +138,10 @@ NICE<span class="w"> </span>JOB! <blockquote> <p>Your task is to get CTARGET to execute the code for touch2 rather than returning to test. In this case, - however, you must make it appear to touch2 as if you have passed your cookie as its argument.</p> -</blockquote> - -<blockquote> - <p>Recall that the first argument to a function is passed in register %rdi</p> + however, you must make it appear to touch2 as if you have passed your cookie as its argument. + <br><br> + Recall that the first argument to a function is passed in register %rdi + <cite>Attack Lab Handout</cite></p> </blockquote> <p>This hint tells us that we need to store the cookie in the rdi register</p> 
@@ -275,22 +274,17 @@ NICE<span class="w"> </span>JOB! <h2>Phase 3</h2> <blockquote> - <p>Phase 3 also involves a code injection attack, but passing a string as argument.</p> -</blockquote> - -<blockquote> - <p>You will need to include a string representation of your cookie in your exploit string. The string should - consist of the eight hexadecimal digits (ordered from most to least significant) without a leading “0x.”</p> -</blockquote> - -<blockquote> - <p>Your injected code should set register %rdi to the address of this string</p> -</blockquote> - -<blockquote> - <p>When functions hexmatch and strncmp are called, they push data onto the stack, overwriting + <p>Phase 3 also involves a code injection attack, but passing a string as argument. + <br><br> + You will need to include a string representation of your cookie in your exploit string. The string should + consist of the eight hexadecimal digits (ordered from most to least significant) without a leading “0x.” + <br><br> + Your injected code should set register %rdi to the address of this string + <br><br> + When functions hexmatch and strncmp are called, they push data onto the stack, overwriting portions of memory that held the buffer used by getbuf. As a result, you will need to be careful - where you place the string representation of your cookie.</p> + where you place the string representation of your cookie. + <cite>Attack Lab Handout</cite></p> </blockquote> <p>Because <code>hexmatch</code> and <code>strncmp</code> might overwrite the buffer allocated for <code>getbuf</code> we will try to store the data after the function <code>touch3</code> itself.</p> 
@@ -390,21 +384,16 @@ NICE<span class="w"> </span>JOB! * movq * popq * ret - * nop</p> -</blockquote> - -<blockquote> - <p>All the gadgets you need can be found in the region of the code for rtarget demarcated by the - functions start<em>farm and mid</em>farm</p> -</blockquote> - -<blockquote> - <p>You can do this attack with just two gadgets</p> -</blockquote> - -<blockquote> - <p>When a gadget uses a popq instruction, it will pop data from the stack. As a result, your exploit - string will contain a combination of gadget addresses and data.</p> + * nop + <br><br> + All the gadgets you need can be found in the region of the code for rtarget demarcated by the + functions start<em>farm and mid</em>farm + <br><br> + You can do this attack with just two gadgets + <br><br> + When a gadget uses a popq instruction, it will pop data from the stack. As a result, your exploit + string will contain a combination of gadget addresses and data. + <cite>Attack Lab Handout</cite></p> </blockquote> <p>Let us check if we can find <code>popq %rdi</code> between <code>start_farm</code> and <code>end_farm</code></p> |
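Review bot: in the @@ -49,7 hunk the citation is written as <cite> Attack Lab Handout </cite> with padding spaces inside the element, while the other four hunks write <cite>Attack Lab Handout</cite>; drop the padding so all citations render the same. The cite is also appended inline to the quoted sentence inside the same <p>, so the rendered text reads "...not difficult to follow. Attack Lab Handout" with nothing separating quote from attribution; give it its own element inside the blockquote (a trailing <p> or <footer>) instead.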
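Review bot: the @@ -113,11 hunk collapses two handout paragraphs into a single <p> joined by <br><br>, which substitutes line breaks for paragraph structure. A <blockquote> may contain several <p> elements, so the intent (one quote, one attribution) is better expressed as one <blockquote> holding two <p> elements followed by the <cite>, keeping the paragraphs addressable and avoiding presentational <br> pairs.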
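Review bot: in the @@ -138,11 hunk the line "Recall that the first argument to a function is passed in register %rdi" has no terminal punctuation and is immediately followed by the inline <cite>, so the rendered quote runs "...passed in register %rdi Attack Lab Handout". Add the period and put the citation on its own line or in its own element so it does not read as part of the sentence.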
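Review bot: the @@ -275,22 hunk merges four separate blockquotes into one <p> with <br><br> separators; "Your injected code should set register %rdi to the address of this string" is left without terminal punctuation in the process. Prefer four <p> elements inside one <blockquote> (so the hexmatch/strncmp point that the following paragraph refers to stays a distinct paragraph) and add the missing period.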
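Review bot: the @@ -390,21 hunk carries over "start<em>farm and mid</em>farm", where the underscores in start_farm and mid_farm have been turned into emphasis tags; the quote should read start_farm and mid_farm, and the unchanged context line below already formats these identifiers as <code>start_farm</code> and <code>end_farm</code>, so wrap them in <code> for consistency. Since this looks like Markdown underscore emphasis leaking through, check whether the fix belongs in the Markdown source that generates this page rather than only in the HTML.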