From 4c44fe1cde34cfa270798381e46dfcd9430fd655 Mon Sep 17 00:00:00 2001 From: Navan Chauhan Date: Sat, 21 Oct 2023 00:58:00 -0600 Subject: re-add manifest and update css --- Content/posts/2023-10-04-bomb-lab.md | 9 ++++---- Content/posts/2023-10-05-attack-lab.md | 40 +++++++++++++++++++--------------- 2 files changed, 28 insertions(+), 21 deletions(-) (limited to 'Content') diff --git a/Content/posts/2023-10-04-bomb-lab.md b/Content/posts/2023-10-04-bomb-lab.md index c805279..8205765 100644 --- a/Content/posts/2023-10-04-bomb-lab.md +++ b/Content/posts/2023-10-04-bomb-lab.md @@ -1,7 +1,7 @@ --- date: 2023-10-04 13:12 description: Walkthrough of Phases 1-6 of Bomb Lab for CSCI 2400 Computer Systems Lab 2 -tags: gdb, reverse-engineering, c++, csci2400, assembly +tags: gdb, Reverse-Engineering, C++, CSCI2400, Assembly --- # Bomb Lab @@ -11,8 +11,9 @@ tags: gdb, reverse-engineering, c++, csci2400, assembly Lab 2 for CSCI 2400 @ CU Boulder - Computer Systems > The nefarious Dr. Evil has planted a slew of “binary bombs” on our class machines. A binary bomb is a program that consists of a sequence of phases. Each phase expects you to type a particular string on stdin. If you type the correct string, then the phase is defused and the bomb proceeds to the next phase. Otherwise, the bomb explodes by printing "BOOM!!!" and then terminating. The bomb is defused when every phase has been defused. - -> There are too many bombs for us to deal with, so we are giving each student a bomb to defuse. Your mission, which you have no choice but to accept, is to defuse your bomb before the due date. Good luck, and welcome to the bomb squad! +

+There are too many bombs for us to deal with, so we are giving each student a bomb to defuse. Your mission, which you have no choice but to accept, is to defuse your bomb before the due date. Good luck, and welcome to the bomb squad! +Bomb Lab Handout I like using objdump to disassemble the code and get a broad overview of what is happening before I start. @@ -1044,4 +1045,4 @@ Your instructor has been notified and will verify your solution. [Inferior 1 (process 1754) exited normally] ``` -But, what about the secret phase? \ No newline at end of file +But, what about the secret phase? diff --git a/Content/posts/2023-10-05-attack-lab.md b/Content/posts/2023-10-05-attack-lab.md index bd92f0e..a173ab8 100644 --- a/Content/posts/2023-10-05-attack-lab.md +++ b/Content/posts/2023-10-05-attack-lab.md @@ -1,7 +1,7 @@ --- date: 2023-10-05 20:01 description: Walkthrough of Attack Lab Phases 1-4 for CSCI 2400 Computer Systems -tags: gdb, reverse-engineering, c++, csci2400, assembly +tags: gdb, Reverse-Engineering, C++, CSCI2400, Assembly draft: false --- @@ -12,6 +12,8 @@ draft: false Lab 3 for CSCI 2400 @ CU Boulder - Computer Systems > This assignment involves generating a total of five attacks on two programs having different security vulnerabilities. The directions for this lab are detailed but not difficult to follow. + Attack Lab Handout + Again, I like using objdump to disassemble the code. @@ -75,8 +77,9 @@ NICE JOB! ## Phase 2 > Phase 2 involves injecting a small amount of code as part of your exploit string. - -> Within the file ctarget there is code for a function touch2 having the following C representation: +

+Within the file ctarget there is code for a function touch2 having the following C representation: +Attack Lab Handout ```c void touch2(unsigned val) @@ -95,8 +98,9 @@ void touch2(unsigned val) > Your task is to get CTARGET to execute the code for touch2 rather than returning to test. In this case, however, you must make it appear to touch2 as if you have passed your cookie as its argument. - -> Recall that the first argument to a function is passed in register %rdi +

+Recall that the first argument to a function is passed in register %rdi +Attack Lab Handout This hint tells us that we need to store the cookie in the rdi register @@ -226,15 +230,16 @@ NICE JOB! ## Phase 3 > Phase 3 also involves a code injection attack, but passing a string as argument. - -> You will need to include a string representation of your cookie in your exploit string. The string should +

+You will need to include a string representation of your cookie in your exploit string. The string should consist of the eight hexadecimal digits (ordered from most to least significant) without a leading “0x.” - -> Your injected code should set register %rdi to the address of this string - -> When functions hexmatch and strncmp are called, they push data onto the stack, overwriting +

+Your injected code should set register %rdi to the address of this string +

+When functions hexmatch and strncmp are called, they push data onto the stack, overwriting portions of memory that held the buffer used by getbuf. As a result, you will need to be careful where you place the string representation of your cookie. +Attack Lab Handout Because `hexmatch` and `strncmp` might overwrite the buffer allocated for `getbuf` we will try to store the data after the function `touch3` itself. @@ -329,14 +334,15 @@ and using only the first eight x86-64 registers (%rax–%rdi). * popq * ret * nop - -> All the gadgets you need can be found in the region of the code for rtarget demarcated by the +

+All the gadgets you need can be found in the region of the code for rtarget demarcated by the functions start_farm and mid_farm - -> You can do this attack with just two gadgets - -> When a gadget uses a popq instruction, it will pop data from the stack. As a result, your exploit +

+You can do this attack with just two gadgets +

+When a gadget uses a popq instruction, it will pop data from the stack. As a result, your exploit string will contain a combination of gadget addresses and data. +Attack Lab Handout Let us check if we can find `popq %rdi` between `start_farm` and `end_farm` -- cgit v1.2.3