$5$ Task $2$: Printing Out the Server Program$$s Memory

The objective of this task is to get the server to print out some data from its memory $($we will continue to

use $10\mathrm{.}9\mathrm{.}0\mathrm{.}5).$ The data will be printed out on the server side, so the attacker cannot see it$.$ Therefore,

this is not a meaningful attack, but the technique used in this task will be essential for the subsequent tasks.

$$ Task $2.$A: Stack Data. The goal is to print out the data on the stack. How many $\%$x format specifiers

do you need so you can get the server program to print out the first four bytes of your input? You

can put some unique numbers $(4$ bytes$)$ there, so when they are printed out, you can immediately tell.

This number will be essential for most of the subsequent tasks, so make sure you get it right.

$$ Task $2.$B: Heap Data There is a secret message $($a string$)$ stored in the heap area, and you can find the

address of this string from the server printout. Your job is to print out this secret message. To achieve

this goal, you need to place the address $($in the binary form$)$ of the secret message in the format string.

Most computers are small$-$endian machines, so to store an address $0$xAABBCCDD $($four bytes on a

$32-$bit machine$)$ in memory, the least significant byte $0$xDD is stored in the lower address, while the

most significant byte $0$xAA is stored in the higher address. Therefore, when we store the address in a

buffer, we need to save it using this order: $0$xDD$,0$xCC$,0$xBB$,$ and then $0$xAA. In Python, you can

do the following:

number $=0$xAABBCCDD

content$[0$:$4]=($number$).$to$\_$bytes$(4,$byteorder$=$little$)$

$6$ Task $3$: Modifying the Server Program$$s Memory

The objective of this task is to modify the value of the target variable that is defined in the server program

$($we will continue to use $10\mathrm{.}9\mathrm{.}0\mathrm{.}5).$ The original value of target is $0$x$11223344.$ Assume that this

variable holds an important value, which can affect the control flow of the program. If remote attackers can

change its value, they can change the behavior of this program. We have three sub$-$tasks.

$$ Task $3.$A: Change the value to a different value. In this sub$-$task, we need to change the content of

the target variable to something else. Your task is considered as a success if you can change it to a

different value, regardless of what value it may be$.$ The address of the target variable can be found

from the server printout.

$$ Task $3.$B: Change the value to $0$x$5000.$ In this sub$-$task, we need to change the content of the

target variable to a specific value $0$x$5000.$ Your task is considered as a success only if the vari$-$

able$$s value becomes $0$x$5000.\backslash$