CSAPP attacklab
This is the writeup for CSAPP Attacklab
Tool: IDA/Ghidra, pwndbg, pwntools
Part I: Code Injection Attacks
Level 1
Simple stack overflow, without the protection of canary and ASLR. Debugger check the stack frame, find out that total 40 bytes offset away from the return address. So make a 40 bytes padding then follow the address of touch1. Done
Level 2
It checks the argument of touch2 to be the cookie that within the cookie.txt
file. The stack is executable, so inject a shellcode into the stack then return to the stack to execute the shellcode to make rdi
to be the correct cookie.
Level 3
Level 3 require a pointer to check, however, some part of the stack will be wiped out by the function hexmatch
and touch3
, so store the string in somewhere away from the place they wipe out will be fine.
Solution for Part I:
1 | #!/usr/bin/python3 |
Part II: Return-Oriented Programming
Level 4
Same with Level 2, but with random memory address. So we are unable to access the code that we inject to the stack. The core part on touch2
is to make rdi = cookie
. With the help of ROPgadgets, we can find from the farm.c
that there are two place to reach our goal:
1 | getval_280: |
Level 5
Same thing. Try to make [rdi] = cookie
. You may find a gadget in setval_350
that store rsp
to rax
. But the hard thing is that if we place where rsp
is pointing to be the cookie value, we are unable to further jump to other places because the cookie take the place that original used for another return address.
So, in order to bypass this issue, we can add an offset to rsp
by add_xy
function. So that it will point away from current position and we can store cookie string to other places.
Solution for Part II:
1 | #!/usr/bin/python3 |