CSAPP 六个重要实验 lab3

               In this lab, you will gain firsthand experience with one of the methods commonly used to exploit security weaknesses in operating systems and network servers. Our purpose is to help you learn about the runtime operation of programs and to understand the nature of this form of security weakness so that you can avoid it when you write system code. We do not condone the use of these or any other form of attack to gain unauthorized access to any system resources. There are criminal statutes governing such activities.





The Exploits

               There are three functions that you must exploit for this lab. The exploits increase in difficulty. For those of you looking for a challenge, there is a fourth function you can exploit for extra credit.

Level 0: Candle

              When getbuf() executes its return statement, the program ordinarily resumes execution within function test(). Within the file bufbomb, there is a function smoke():

void smoke()
entry_check(0); /* Make sure entered this function properly */
printf("Smoke!: You called smoke()\n");

              Your task is to get bufbomb to execute the code for smoke() when getbuf() executes its return statement, rather than returning to test().You can do this by supplying an exploit string that overwrites the stored return pointer in the stack frame for getbuf() with the address of the first instruction in smoke. Note that your exploit string may also corrupt other parts of the stack state, but this will not cause a problem, because smoke() causes the program to exit directly.


      • All the information you need to devise your exploit string for this level can be determined by examining a disassembled version of bufbomb.

      • Be careful about byte ordering.
      • You might want to use gdb to step the program through the last few instructions of getbuf() to make sure it is doing the right thing.
      • The placement of buf within the stack frame for getbuf() depends on which version of gcc was used to compile bufbomb. You will need to pad the beginning of your exploit string with the proper number of bytes to overwrite the return pointer. The values of these bytes can be arbitrary.
      • Check the line endings if your smoke.txt with hexdump -C smoke.txt.





00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 02 03 04 01 02 03 04 05 06 07 08 c0 10 40 00 00 00 00 00


这里一共0x28byt + 8 byte +8byte+8byte == 0x40byte

第一个0x28byte 是由于64bits的机器字节对齐导致的36byte的数组被扩展到0x28byte. 

而第一个+的8byte应该某个寄存器值(但是我一直没搞明白究竟什么寄存器... 而且也没看到明显的压栈操作. 换而言之,我觉得更可能这里不是一个寄存器,而本来就是buf数组对齐到了0x30字节)

而后的8byte是之前 push %rbp 寄存器的value

最后的8byte是return address,也就是我们要”攻击“的地方!



00 00 00 00 00 40 10 c0


 c0 10 40 00 00 00 00 00


接着把该文件作为输入就是啦~ : )

Level 1: Sparkler


/* $begin fizz-c */
void fizz(int arg1, char arg2, long arg3, char* arg4, short arg5, short arg6, unsigned long long val)
  entry_check(1);  /* Make sure entered this function properly */
  if (val == cookie) {
	printf("Fizz!: You called fizz(0x%llx)\n", val);
  } else {
	printf("Misfire: You called fizz(0x%llx)\n", val);
/* $end fizz-c */

               Similar to Level 0, your task is to get bufbomb to execute the code for fizz() rather than returning to test.In this case, however, you must make it appear to fizz as if you have passed your cookie as its argument. You can do this by encoding your cookie in the appropriate place within your exploit string.


Note that in x86-­64, the first six arguments are passed into registers and additional arguments are passed through the stack. Your exploit code needs to write to the appropriate place within the stack.

You can use gdb to get the information you need to construct your exploit string. Set a breakpoint within getbuf() and run to this breakpoint. Determine parameters such as the address of global_value and the location of the buffer.

在破坏原来test()调用getbuf push的return address之后,跳转到fizz,此时看到题目要求是要把cookie作为fizz的参数输入,根据反汇编得到的信息,我们可以看见这里

cmp 0x201296(%rip) %rsi


由于之前rsp寄存器的值没有被破坏,于是我们反推,如果”攻击rsp“的值,使得0x10(%rsp)指向 cookie




cmp 0x201296(%rip) %rsi

死死的扣住这句不放,这里吧0x201296(%rip) 地址处的值和%rsi的值比较








00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 02 03 04 20 23 60 00 00 00 00 00 70 10 40 00 00 00 00 00 00 00 00 00 00 00 00 00 c2 46 c1 21 48 ca 33 39

             细心的人会发现,我这里在return address之上还多填了8byte的空间,接着才填充我们的答案.

这是因为return addres之上还有什么我这里确实不清楚,不过我这里这么做是根据反汇编的结果测试并计算出来的.

有心人可以一起讨论这里跳转到fizz之后之前寄存器的变化 : ) jasonleaster@gmail.com


Level 2: Firecracker


                A much more sophisticated form of buffer attack involves supplying a string that encodes actual machine instructions. The exploit string then overwrites the return pointer with the starting address of these instructions. When the calling function (in this case getbuf) executes its ret instruction, the program will start executing the instructions on the stack rather than returning. With this form of attack, you can get the program to do almost anything. The code you place on the stack is called the exploit code. This style of attack is tricky, though, because you must get machine code onto the stack and set the return pointer to the start of this code.

              For level 2, you will need to run your exploit within gdb for it to succeed. (attu has special memory protection that prevents execution of memory locations in the stack. Since gdb works a little differently, it will allow the exploit to succeed.)

             Similar to Levels 0 and 1, your task is to get bufbomb to execute the code for bang() rather than returning to test(). Before this, however, you must set global variable global_value to your cookie. Your exploit code should set global_value, push the address of bang() on the stack, and then execute a retq instruction to cause a jump to the code for bang().

            Determining the byte encoding of instruction sequences by hand is tedious and prone to errors. You can let tools do all of the work by writing an assembly code file containing the instructions and data you want to put on the stack. Assemble this file with gcc and disassemble it with objdump. You should be able to get the exact byte sequence that you will type at the prompt. (A brief example of how to do this is included in the Generating Byte Codes section above.)

            Keep in mind that your exploit string depends on your machine, your compiler, and even your cookie. Make sure your exploit string works on attu or your VM, and make sure you include your UWNetID on the command line to bufbomb.

           Watch your use of address modes when writing assembly code. Note that movq $0x4, %rax moves the value
0x0000000000000004 into register %rax; whereas movq 0x4, %rax moves the value at memory location
0x0000000000000004 into %rax. Because that memory location is usually undefined, the second instruction will
cause a segmentation fault!

           Do not attempt to use either a jmp or a call instruction to jump to the code for bang(). These instructions use PC­ relative addressing, which is very tricky to set up correctly. Instead, push an address on the stack and use the retq instruction.

首先观察发现这里cmp 相等就会跳转并安全结束.


cookie的值在我们输入的时候就定了. 这里能改的就是global_value处(即0x602308处)的值了。




接着把这段代码gcc -c 编译成obj。然后objdump去看相应的机器码


mov	$0x3933ca4821c146c2 ,%rax
mov	$0x602308  ,%rbx
mov	%rax	   ,(%rbx)
push    $0x401020

mov 0x602330,%rax 就对应的机器码就是

48 8b 04 25 20 23 60



pushq $0x401020



试想一下这里如果我覆盖的reture address是只想buffer头的,那么在buffer处的这些指令就得以执行.


pushq $0x401020


这步就可以跳转到0x401020(bang函数头)。执行 bang函数,我们已经在攻击代码里面修改了global_value,那么cmp的结构就是0,je跳转,程序安全结束.


48 b8 c2 46 c1 21 48 ca 33 39 48 c7 c3 08 23 60 00 48 89 03 68 20 10 40 00 c3 31 32 32 31 32 33 34 35 36 37 38 31 32 33 34 35 36 37 38 00 00 00 02 03 04 20 23 60 00 00 b0 b6 ff ff ff 7f 00 00

这里一定要注意中间空缺的位置不要填充00 我这里填充的31 32 ... 如果填充00 会导致segment fault(悲催,为这个bug纠结好久!)

Extra Credit – Level 3: Dynamite

                  For level 3, you will need to run your exploit within gdb for it to succeed. Our preceding attacks have all caused the program to jump to the code for some other function, which then causes the program to exit. As a result, it was acceptable to use exploit strings that corrupt the stack, overwriting the saved value of register %rbp and the return pointer.

                   The most sophisticated form of buffer overflow attack causes the program to execute some exploit code that patches up the stack and makes the program return to the original calling function (test() in this case). The calling function is oblivious to the attack. This style of attack is tricky, though, since you must: (1) get machine code onto the stack, (2) set the return pointer to the start of this code, and (3) undo the corruptions made to the stack state.

               Your job for this level is to supply an exploit string that will cause getbuf() to return your cookie back to test(), rather than the value 1. You can see in the code for test() that this will cause the program to go "Boom!". Your exploit code should set your cookie as the return value, restore any corrupted state, push the correct return location on the stack, and execute a ret instruction to really return to test().

                In order to overwrite the return pointer, you must also overwrite the saved value of %rbp. However, it is important that this value is correctly restored before you return to test(). You can do this by either (1) making sure that your exploit string contains the correct value of the saved %rbp in the correct position, so that it never gets corrupted, or (2) restore the correct value as part of your exploit code. You'll see that the code for test() has some explicit tests to check for a corrupted stack.

                You can use gdb to get the information you need to construct your exploit string. Set a breakpoint within getbuf() and run to this breakpoint. Determine parameters such as the saved return address and the saved value of %rbp.
                Again, let tools such as gcc and objdump do all of the work of generating a byte encoding of the instructions.

                Keep in mind that your exploit string depends on your machine, your compiler, and even your cookie. Again, again make sure your exploit string works on attu or the VM, and make sure you include your UWNetID on the command line to bufbomb.

                Reflect on what you have accomplished. You caused a program to execute machine code of your own design. You have done so in a sufficiently stealthy way that the program did not realize that anything was amiss.
execve is system call that replaces the currently running program with another program inheriting all the open file descriptors.

                 What are the limitations the exploits you have preformed so far? How could calling execve allow you to circumvent this limitation? If you have time, try writing an additional exploit that uses execve and another program to print a message.



mov	$0x3933ca4821c146c2 ,%rax //the first value is the cookie
mov	$0x7fffffffb710 ,%rbp     //the first value is the %rbp of <test>
push    $0x400ef3		  //make the return address point to the next instruction of getbuf()

利用sendstring 做成输入参数

48 b8 c2 46 c1 21 48 ca 33 39 48 bd 10 b7 ff ff ff 7f 00 00 68 f3 0e 40 00 c3 31 32 32 31 32 33 34 35 36 37 38 31 32 33 34 35 36 37 38 00 00 00 d8 b6 ff ff ff 7f 00 00 b0 b6 ff ff ff 7f 00 00


OK~ lab3 finished!



2015.05.29 update

遇到有童鞋提出问题, 这个地方我之前也有点不明白,而且现在的gcc模仿函数getbuf编译出来的汇编代码和实验提供的汇编代码关于压栈的部分不一致, 所以很困惑。



