From fc6e82f8f35bc178fc01c01f75bd3fc090d22a99 Mon Sep 17 00:00:00 2001
From: Navan Chauhan <navanchauhan@gmail.com>
Date: Wed, 18 Oct 2023 20:00:35 -0600
Subject: add link to tags

---
 docs/posts/2023-10-05-attack-lab.html | 71 +++++++++++++++--------------------
 1 file changed, 30 insertions(+), 41 deletions(-)

(limited to 'docs/posts/2023-10-05-attack-lab.html')

diff --git a/docs/posts/2023-10-05-attack-lab.html b/docs/posts/2023-10-05-attack-lab.html
index 82a02fe..d049a6b 100644
--- a/docs/posts/2023-10-05-attack-lab.html
+++ b/docs/posts/2023-10-05-attack-lab.html
@@ -49,7 +49,8 @@
 <p>Lab 3 for CSCI 2400 @ CU Boulder - Computer Systems</p>
 
 <blockquote>
-  <p>This assignment involves generating a total of five attacks on two programs having different security vulnerabilities.  The directions for this lab are detailed but not difficult to follow.</p>
+  <p>This assignment involves generating a total of five attacks on two programs having different security vulnerabilities.  The directions for this lab are detailed but not difficult to follow.
+  <cite> Attack Lab Handout </cite></p>
 </blockquote>
 
 <p>Again, I like using objdump to disassemble the code. </p>
@@ -113,11 +114,10 @@ NICE<span class="w"> </span>JOB!
 <h2>Phase 2</h2>
 
 <blockquote>
-  <p>Phase 2 involves injecting a small amount of code as part of your exploit string.</p>
-</blockquote>
-
-<blockquote>
-  <p>Within the file ctarget there is code for a function touch2 having the following C representation:</p>
+  <p>Phase 2 involves injecting a small amount of code as part of your exploit string.
+  <br><br>
+  Within the file ctarget there is code for a function touch2 having the following C representation:
+  <cite>Attack Lab Handout</cite></p>
 </blockquote>
 
 <div class="codehilite">
@@ -138,11 +138,10 @@ NICE<span class="w"> </span>JOB!
 
 <blockquote>
   <p>Your task is to get CTARGET to execute the code for touch2 rather than returning to test. In this case, 
-  however, you must make it appear to touch2 as if you have passed your cookie as its argument.</p>
-</blockquote>
-
-<blockquote>
-  <p>Recall that the first argument to a function is passed in register %rdi</p>
+  however, you must make it appear to touch2 as if you have passed your cookie as its argument.
+  <br><br>
+  Recall that the first argument to a function is passed in register %rdi
+  <cite>Attack Lab Handout</cite></p>
 </blockquote>
 
 <p>This hint tells us that we need to store the cookie in the rdi register</p>
@@ -275,22 +274,17 @@ NICE<span class="w"> </span>JOB!
 <h2>Phase 3</h2>
 
 <blockquote>
-  <p>Phase 3 also involves a code injection attack, but passing a string as argument.</p>
-</blockquote>
-
-<blockquote>
-  <p>You will need to include a string representation of your cookie in your exploit string. The string should
-  consist of the eight hexadecimal digits (ordered from most to least significant) without a leading “0x.”</p>
-</blockquote>
-
-<blockquote>
-  <p>Your injected code should set register %rdi to the address of this string</p>
-</blockquote>
-
-<blockquote>
-  <p>When functions hexmatch and strncmp are called, they push data onto the stack, overwriting
+  <p>Phase 3 also involves a code injection attack, but passing a string as argument.
+  <br><br>
+  You will need to include a string representation of your cookie in your exploit string. The string should
+  consist of the eight hexadecimal digits (ordered from most to least significant) without a leading “0x.”
+  <br><br>
+  Your injected code should set register %rdi to the address of this string
+  <br><br>
+  When functions hexmatch and strncmp are called, they push data onto the stack, overwriting
   portions of memory that held the buffer used by getbuf. As a result, you will need to be careful
-  where you place the string representation of your cookie.</p>
+  where you place the string representation of your cookie.
+  <cite>Attack Lab Handout</cite></p>
 </blockquote>
 
 <p>Because <code>hexmatch</code> and <code>strncmp</code> might overwrite the buffer allocated for <code>getbuf</code> we will try to store the data after the function <code>touch3</code> itself.</p>
@@ -390,21 +384,16 @@ NICE<span class="w"> </span>JOB!
   * movq
   * popq
   * ret
-  * nop</p>
-</blockquote>
-
-<blockquote>
-  <p>All the gadgets you need can be found in the region of the code for rtarget demarcated by the
-  functions start<em>farm and mid</em>farm</p>
-</blockquote>
-
-<blockquote>
-  <p>You can do this attack with just two gadgets</p>
-</blockquote>
-
-<blockquote>
-  <p>When a gadget uses a popq instruction, it will pop data from the stack. As a result, your exploit
-  string will contain a combination of gadget addresses and data.</p>
+  * nop
+  <br><br>
+  All the gadgets you need can be found in the region of the code for rtarget demarcated by the
+  functions start<em>farm and mid</em>farm
+  <br><br>
+  You can do this attack with just two gadgets
+  <br><br>
+  When a gadget uses a popq instruction, it will pop data from the stack. As a result, your exploit
+  string will contain a combination of gadget addresses and data.
+  <cite>Attack Lab Handout</cite></p>
 </blockquote>
 
 <p>Let us check if we can find <code>popq %rdi</code> between <code>start_farm</code> and <code>end_farm</code></p>
-- 
cgit v1.2.3