CS 105

Phase 4: Calling touch2 with Gadgets

For Phase 4, you will repeat the attack of Phase 2, arranging for your exploit to call touch2, but this time you will attack the program rtarget with gadgets from your gadget farm. You can construct your solution using only the first eight x86-64 registers (%rax through %rdi) and gadgets consisting of the following instruction types:

movq
The codes for using movq to copy data from one register to another are shown in the table Byte Encodings of movq Instructions.
popq
The codes for using popq to pop data from the stack into a register are shown in Byte Encodings of popq Instructions.
ret
This instruction is encoded by the single byte 0xc3.
nop
“No operation” or “nop” (pronounced “no op”) is encoded by the single byte 0x90. Its only effect is to cause the program counter to be incremented by 1.
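As an added illustration (not part of the handout), the following Python decodes a byte string into the restricted instruction set listed above and reports the ret-terminated sequences it finds, which is what reading the gadget farm by hand amounts to. It uses the standard x86-64 encodings (popq %reg is 0x58 plus the register number; register-to-register movq is 48 89 followed by a ModR/M byte with mod=11, reg=source, rm=destination); the sample bytes and base address are constructed, not taken from rtarget.

```python
REGS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]  # first eight, in encoding order

# Constructed sample bytes (not rtarget's farm) and a made-up base address.
SAMPLE_FARM = bytes.fromhex("c3 90 58 90 c3 48 89 c7 c3 48 89 e0 90 c3")
SAMPLE_BASE = 0x1000


def decode_one(code, i):
    """Decode the allowed instruction at code[i]; return (text, length) or None."""
    b = code[i]
    if b == 0xC3:
        return ("ret", 1)
    if b == 0x90:
        return ("nop", 1)
    if 0x58 <= b <= 0x5F:                      # popq %reg for the first eight registers
        return (f"popq %{REGS[b - 0x58]}", 1)
    if b == 0x48 and i + 2 < len(code) and code[i + 1] == 0x89:
        modrm = code[i + 2]
        if modrm >> 6 == 0b11:                 # register-direct form only
            src, dst = (modrm >> 3) & 7, modrm & 7
            return (f"movq %{REGS[src]}, %{REGS[dst]}", 3)
    return None                                # anything else ends the sequence


def find_gadgets(code, base, max_insns=4):
    """Map address -> instruction list for every offset that decodes, using only
    the allowed instructions, into at least one instruction followed by ret.
    Every offset is tried, so sequences that start inside a longer encoding count."""
    gadgets = {}
    for start in range(len(code)):
        i, insns = start, []
        while i < len(code) and len(insns) < max_insns:
            text, length = decode_one(code, i) or (None, 0)
            if text is None:
                break
            insns.append(text)
            i += length
            if text == "ret":
                break
        if len(insns) > 1 and insns[-1] == "ret":
            gadgets[base + start] = insns
    return gadgets


if __name__ == "__main__":
    for addr, insns in sorted(find_gadgets(SAMPLE_FARM, SAMPLE_BASE).items()):
        print(f"{addr:#x}: {'; '.join(insns)}")
```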

Hints

  • All the gadgets you need for this part can be found in the region of rtarget's code demarcated by the functions start_farm and mid_farm.
  • You can do this attack with just two gadgets.
  • When a gadget uses a popq instruction, it will pop data from the stack. As a result, your exploit string will contain a combination of gadget addresses and data.

  • There is a -q flag to rtarget that stops the program from talking to the grading server.

  • There is an -i file option to rtarget that tells it to read from a file named file instead of from stdin.

To Complete This Part of the Assignment

You'll know you're done with this part of the assignment when you've done all of the following:
