COS LAB ASSIGNMENT NAME: E.SUMASREE ROLL: s20180010052 SEC: B ATTACK LAB: PHASE:1 We need to overflow the stack with any string and change the return address of getbuf function to the address of touch’ function. First we will call the touch’ function run ctarget executable in gdb and set a breakpoint at getbuf b getbu: Then disassemble the getbuf function (gdb) b getbur Rae aeeCaets er atrY] at bur. erin rc ag Peer rr eee Perr)Getbuf disassembled code: Oey pore an) Coles ov Colne oUt rou) pour rou EOE In sub $0x28,sxsp, we can see that 40 (0x28) bytes of buffer is allocated for getbut. Now we know the buffer size and so we need to input 40 bytes of padding followed by the retum address of the touch address. To find the address of touch1, we need to get the disassembled code for ctarget executable file objdump -d rtarget > rt dump. This command will save the disassembled code in file rtarget_dump.txt. Now find the toucht function Disassembled code for touch1: a Cees bey G Cac! CAE eee Cr acre ny) CeCe Ceara Paes itey ites aaa Pee. ce Ce COEUR La CLIC aR Oa Ce RCai reece tes From this we can know touch1 address is : 0x401c0When we write in bytes, we need to consider the byte order. Since our system is a little-endian so the bytes go in reverse order. Now we need to create phase1 txt like: Phase1 txt: Now we need to take this file and run it through the program hex2raw, which will generate raw exploit strings ./nex2zaw < phasel.txt > raw-phase Finally, run the raw file -fctarget ~4< raw-phasel.txt cree kare i Hence this is our required output of phase1 We successfully cleared it. PHASE2: This phase involves injecting a small code and calling function touch2. And pass the cookie as an argument to touch2Touch2 disassembled code: From the given attack lab writeup in phase2 we have : "Recall that the first argument to a function is passed in register Yordi.” So we need to modify the %rdi register and store our cookie in there. So we have to write some assembly code for that task, first create a file called phase2.s Phase2.s with code: movq $Ox59b997fa,%rdi retq we need the byte representation of the code so compile it with gcc then dissassemble it 9 2.8 Opjdump -d phase2.0 > phase2.d Disassembled code of phase2.d: byte representationpine Pere areas CLM COS 0 Ca Area Sec ae LLY Se] The byte representation of the assembly code is « 9 Now we need to find the address of rsp register run ctarget through gdb yd ctarget set a breakpoint at getbuf run ctarget doing We getNow we need to run the code until the instruction just below < do Lie 0x401a40 So until *0x401 Then we need to type a random string...type a string longer than the buffer(40 characters in this case). Then do We get: ee cry et Ce ee eas i.e the random string we entered will be printed We need the address of the random string: ox: Now, create a text file named phase2.txt like: ==) x2raw < phase? > raw-phase2. tx Finally, run the raw file /etarget -q < raw-phase2.txt We add -q because because if not it shows running on a different machine to avoid it we do -q.. that is the reason why in the last it doesn't gives nice job!What the exploit does is that first it sets register rdi to our cookie value. It is transferred to Srsp register so after we enter our string and getbuf tries to return control to the calling function, we should point it to the rsp address so it will execute the code to set the cookie and finally we call touch2 after the cookie is set. Output PHASE3: Here we are trying to call the function touch3 and have to pass our cookie to it as string In the instruction, it tells that if we store the cookie in the buffer allocated for getbuf, the functions hexmatch and strcmp may overwrite it as they will be pushing data on to the stack, so we have to be careful where to store it. We will be storing the cookie after touch3. Touch3 disassembled code:So let's pass the address for the cookie to register $rdi The total bytes before the cookie are burrer 1 8 bytes for return address of rsp 4 8 bytes £ ouch3 x28 + 8 + 8 = 38 (56 Decimal) Grab the address for rsp from phase 2: 0x5561de78 Add 0x38 0x5: oxs5e1dcn0 Now we need this assembly code, same steps generating the byte representation like in phase2. 18 + 0x38 = Phase3.s Imovqg SOxS561dcbe,.%rdt retq eee re Now, grab the bytes from the above code and start constructing exploit string. Create a new file named phase3.txt like: Phase3.txt:In the last row , the cookie is in hex format, we get it by converting it into text format though online.i.e it gives equivalent ascii representation, generate the raw exploit string using the hex2raw program. /nex2zaw < phase > raw-phase3 Finally, run the raw file -/otarget a < ra -phase3.txt Output: ia of