# Raven's Blog

zhang.xingrui@foxmail.com


CS:APP lab series:

## 0. Background

1. Memory layout of a process: https://www.ravenxrz.ink/archives/2567fa35.html
2. The function call process; mainly what the `call` and `ret` instructions each do.
3. Debugging with gdb, disassembling with objdump
4. Buffer overflows and the common defences against them
5. ROP attacks

## 1. Phase 1

For Phase 1, you will not inject new code. Instead, your exploit string will redirect the program to execute an existing procedure. Function getbuf is called within CTARGET by a function test having the following C code:

When getbuf executes its return statement (line 5 of getbuf), the program ordinarily resumes execution within function test (at line 5 of this function). We want to change this behavior. Within the file ctarget, there is code for a function touch1 having the following C representation:

Your task is to get CTARGET to execute the code for touch1 when getbuf executes its return statement, rather than returning to test. Note that your exploit string may also corrupt parts of the stack not directly related to this stage, but this will not cause a problem, since touch1 causes the program to exit directly.

1. Each cell in the diagram is labelled with its starting address; one memory cell is 8 bytes.
2. The buffer is written from low addresses towards high addresses.

40 = 0x28

## 2. Phase 2

Phase 2 involves injecting a small amount of code as part of your exploit string. Within the file ctarget there is code for a function touch2 having the following C representation:

Your task is to get CTARGET to execute the code for touch2 rather than returning to test. In this case, however, you must make it appear to touch2 as if you have passed your cookie as its argument.

2. The `%rdi` register holds the first argument of a function.

2. Then simply jump to touch2.

1. `call`: moves `%rsp` down one slot (8 bytes), pushes the address of the instruction following the `call` into the memory `%rsp` points to, and sets `%rip` to the address of the first instruction of the target function.
2. `ret`: pops the content of the memory `%rsp` points to into `%rip`, then moves `%rsp` up one slot.

$$\text{cookie\_value\_address} = \text{rsp} + \text{offset}$$
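To make the `call`/`ret` description above concrete, here is an added example (not from the original post or the lab's own code): a tiny model of the x86-64 stack that replays test calling getbuf with its 40-byte buffer, shows why the 8-byte cell right above the buffer decides where `ret` goes, and shows how a stack canary (one of the defences listed in the background section) catches the overwrite before `ret` runs. All addresses and the canary value are made-up constants.

```python
WORD = 8                     # one memory cell is 8 bytes
BUF_SIZE = 40                # getbuf's buffer: 40 = 0x28 bytes
GETBUF = 0x403000            # assumed: address of getbuf
TEST_RET = 0x401000          # assumed: address of the instruction after `call getbuf` in test
TOUCH1 = 0x402000            # assumed: address of touch1
CANARY = 0x5A5A5A5A5A5A5A5A  # assumed canary value placed above the buffer


class Stack:
    """Minimal model of %rsp, %rip and a word-addressed stack memory."""

    def __init__(self, rsp):
        self.mem = {}
        self.rsp = rsp
        self.rip = None

    def call(self, target, return_addr):
        # call: %rsp -= 8, push the return address, %rip = target
        self.rsp -= WORD
        self.mem[self.rsp] = return_addr
        self.rip = target

    def ret(self):
        # ret: %rip = [%rsp], %rsp += 8
        self.rip = self.mem[self.rsp]
        self.rsp += WORD


def run_getbuf(payload: bytes, canary: bool = False):
    """Simulate test -> call getbuf -> gets(buf) -> ret, and return the final %rip."""
    s = Stack(0x7FFFFFF0)
    s.call(GETBUF, TEST_RET)              # test calls getbuf
    frame = BUF_SIZE + (WORD if canary else 0)
    s.rsp -= frame                        # sub $0x28,%rsp (plus one slot for the canary)
    buf = s.rsp
    if canary:
        s.mem[buf + BUF_SIZE] = CANARY    # canary sits between buf and the saved return address
    # gets() copies the input upward from buf with no length check;
    # the model writes it one 8-byte cell at a time, little-endian.
    for i in range(0, len(payload), WORD):
        chunk = payload[i:i + WORD].ljust(WORD, b"\0")
        s.mem[buf + i] = int.from_bytes(chunk, "little")
    if canary and s.mem[buf + BUF_SIZE] != CANARY:
        return "stack smashing detected"  # the check that runs before ret
    s.rsp += frame                        # add $0x28,%rsp
    s.ret()
    return s.rip
```

With a short input `ret` returns to test as usual; with 40 bytes of padding followed by an 8-byte little-endian address the model's `ret` lands on that address, and with the canary enabled the same input is detected instead.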