Phase 5: Calling touch3 with Gadgets and a String Argument (Optional)

In Phase 2 and Phase 3, you caused a program to execute machine code of your own design. If ctarget had been a network server, you could have injected your own code into a distant machine.

In Phase 4, you circumvented two of the main devices modern systems use to thwart buffer-overflow attacks. Although you did not inject your own code, you were able to inject a type of program that operates by stitching together sequences of existing code.

Down on the Farm

To solve Phase 5, you can use gadgets in the region of the code in rtarget demarcated by the functions start_farm and end_farm. In addition to the gadgets used in Phase 4, this expanded farm includes the encodings of different movl instructions, as shown in the table Byte Encodings of movl Instructions.

The byte sequences in this part of the farm also contain 2-byte instructions that serve as functional nops; that is, they do not change any register or memory values. These include instructions such as andb %al,%al, that operate on the low-order bytes of some of the registers but do not change their values. Consult the table Byte Encodings of nop Instructions for more options.

Hints

• You'll want to review the effect a movl instruction has on the upper 4 bytes of a register, as described in Section 3.4.2 (Data Movement Instructions) of the textbook.

• The official solution requires eight gadgets (not all of which are unique).

• There is a -q flag to rtarget that stops the program from talking to the grading server.

• There is an -i file option to rtarget that tells it to read from a file named file instead of from stdin.

(When logged in, completion status appears here.)

Previous Page Go to Parent Page