You must complete this lab on the CAEDM server, ssh.et.byu.edu
because it has the right configuration to allow stack execution exploits. Conveniently, this server is available through SSH from on or off campus. We recommend completing the task in the lab due to the availabilty of TAs but access from other locations is available.
In LearningSuite, click on the “Attack Programming Assignment” to download your target. It will be a .tar
file with a name like targetK.tar
where K
is a number. You must be in the lab or on the campus network for the download and scoreboard links to work.
Copy your target to your home directory. This directory is shared between the lab computers and the CAEDM server. So, if you download using a lab computer you can just drop the file where you want it.
Copying the file from a personal computer
If you are working from your own computer, use scp to transfer files. For example, to copy targetK from the current local directory to the server use this command:
scp targetK.tar username@ssh.et.byu.edu:~
Substitute your CADEM username for username
and the actual name of your target .tar file for targetK.tar
. The ~ tilde character at the end of the path indicates to copy into your home directory on the server. It will prompt you for your password.
In similar manner, you can use scp
to copy other files both ways between computers.
Connect to the CADEM server
Now, make an SSH connection to your server
ssh username@ssh.et.byu.edu
Now, you are ready to begin the lab.
Unpacking the package
On the server use the following command:
tar -xvf targetK.tar
(Substitute the actual name of your .tar
file.)
This will result in a folder called targetK
containing six files:
- README.txt: A file describing the contents of the directory.
- ctarget: The target executable program for Phases 1-3.
- rtarget: The target executable program for Phases 4-5.
- hex2raw: A utility to generate attack strings from hexadecimal source
- cookie.txt: The number of your specific cookie to be used in Phases 2 and up.
- farm.c: Source code to the “gadget farm” for uses in Phases 4 and 5.
Finding values for Phase 1
To solve Phase 1 you need to know the size of your buffer and the location of the touch1
function. You can find both of these values using objdump.
objdump -d ctarget > ctarget.txt
This will disassemble ctarget
and put the result in ctarget.txt
. In the text file it produced, look for the getbuf
function. The first instruction will subtract some value from register rsp
. This is to make room for local variables. Since the only local variable is the buffer, then the amount subtracted from rsp
is the size of your buffer.
Now, in ctarget.txt
look for the touch1
function. The disassembly will show the address of that function.
Finding the values using gdb
You can find these same two values using gdb
with the following commands:
gdb ctarget
disassemble getbuf
disassemble touch1
The first disassemble will give you the code for getbuf
from which you can deduce the size of the buffer by looking at how much is subtracted from rsp
.
The second disassemble will give you the address of touch1.
Hint: Jumping to addresses
All jumps in x86 machine code are relative. That is, the address in the jmp
command is added to the current rip
instruction pointer. A negative number will jump to a lower address and a positive number will jump to a higher address. This is done so that code can be relocated without having to change all of the jump commands.
Because of this, when you follow the tips in Appendix B to generate machine code, it’s hard to a jmp
that will go to an exact address. To do so, you need to know the address of where your code will land and then take the difference between the two addresses. An easy alternative is to push
the address you want on the stack and then use ret
to go to that address.
pushq $0xabcdefgh
retq
Solving the Phases
Follow the instructions to understand the challenges of the other Phases. For some of them, you’ll need to run the target under the gdb
debugger and set breakpoints to find the values and addresses you need.