CSAPP-LAB3-Attack

最新推荐文章于 2024-08-27 18:22:45 发布

原创

最新推荐文章于 2024-08-27 18:22:45 发布 · 1.7k 阅读

5 ·

CC 4.0 BY-SA版权

文章标签：

#操作系统

本文详细介绍了CSAPP实验3（LAB3）的攻击部分，涉及代码注入和返回导向编程（ROP）。文章分为两部分，第一部分探讨了通过缓冲区溢出改变函数返回地址来实现code injection，包括phase_1至phase_3，逐步深入到栈帧的理解和利用。第二部分介绍了在栈随机化和NX位保护下，如何利用返回导向编程技术完成phase_4和phase_5的挑战，重点在于寻找和构造gadgets。

00 Prerequisite

听见课堂上老爷子说：

	But to be a good person you also know what the bet have to know what the bad people do, so part of it is to become more effective as a force for good.

Part 1: Code injection

关于Attack的，攻击两个c代码，分别是ctarget 和rtarget，前3个阶段是关于 ctarget 后面2个是关于rtarget的，Code injection and Return-oriented programming.

ctarget

void test()
{
   
   
    int val;
    val = getbuf();
    printf("No exploit. Getbuf returned 0x%x\n", val);
}

关于getbuf实际上是在模拟c语言的库函数gets，这类函数容易出现Overunning on buffer 的现象

1 unsigned getbuf()
2 {
   
   
3 char buf[BUFFER_SIZE];
4 Gets(buf);
5 return 1;
6 }

运用GDB调试 ctarget

执行命令

disas test

Dump of assembler code for function test:
   0x0000000000401968 <+0>:	sub    $0x8,%rsp // 分配栈帧
   0x000000000040196c <+4>:	mov    $0x0,%eax
   0x0000000000401971 <+9>:	callq  0x4017a8 <getbuf>
   0x0000000000401976 <+14>:	mov    %eax,%edx // 返回值 -> %edx
       // 准备调用 printf 函数
   0x0000000000401978 <+16>:	mov    $0x403188,%esi // 0x403188 -> %esi
   0x000000000040197d <+21>:	mov    $0x1,%edi // Load rdi ready to call fun print
   0x0000000000401982 <+26>:	mov    $0x0,%eax
   0x0000000000401987 <+31>:	callq  0x400df0 <__printf_chk@plt>
   0x000000000040198c <+36>:	add    $0x8,%rsp
   0x0000000000401990 <+40>:	retq

对于0x401388的地址check一下，是对应的printf输出的内容

(gdb) x/s 0x403188
0x403188:	"No exploit.  Getbuf returned 0x%x\n"

执行命令

(gdb) disas getbuf

Dump of assembler code for function getbuf:
   0x00000000004017a8 <+0>:	sub    $0x28,%rsp // 分配 40bytes的栈帧
   0x00000000004017ac <+4>:	mov    %rsp,%rdi
   0x00000000004017af <+7>:	callq  0x401a40 <Gets>
   0x00000000004017b4 <+12>:	mov    $0x1,%eax
   0x00000000004017b9 <+17>:	add    $0x28,%rsp
   0x00000000004017bd <+21>:	retq   
End of assembler dump.

disas Gets

Dump of assembler code for function Gets:
   0x0000000000401a40 <+0>:	push   %r12
   0x0000000000401a42 <+2>:	push   %rbp
   0x0000000000401a43 <+3>:	push   %rbx
   0x0000000000401a44 <+4>:	mov    %rdi,%r12
   0x0000000000401a47 <+7>:	movl   $0x0,0x2036b3(%rip)        # 0x605104 <gets_cnt>
   0x0000000000401a51 <+17>:	mov    %rdi,%rbx
   0x0000000000401a54 <+20>:	jmp    0x401a67 <Gets+39>
   0x0000000000401a56 <+22>:	lea    0x1(%rbx),%rbp
   0x0000000000401a5a <+26>:	mov    %al,(%rbx)
   0x0000000000401a5c <+28>:	movzbl %al,%edi
   0x0000000000401a5f <+31>:	callq  0x4019a0 <save_char>
   0x0000000000401a64 <+36>:	mov    %rbp,%rbx
   0x0000000000401a67 <+39>:	mov    0x202a62(%rip),%rdi        # 0x6044d0 <infile>
   0x0000000000401a6e <+46>:	callq  0x400dc0 <_IO_getc@plt>
   0x0000000000401a73 <+51>:	cmp    $0xffffffff,%eax
   0x0000000000401a76 <+54>:	je     0x401a7d <Gets+61>
   0x0000000000401a78 <