Binary Exploitation tips.
First things first, i am trustie_rity a student . I am learning binary exploitation and am not an expert in the field.However , as i am growing in this field i have made it a habit to learn some survival tactics with which i’ll share some with you.
1.Reversing
Reversing, by this i mean understand what the binary is doing by disassembling it into assembly code or c ,it entirely depends with what you like. There are many tools out there that can help with this …
examples are :
- ghidra
- cutter →radare gui
- radare
- ida pro
- Hopper
- gdb → Extensions : gef , pwndbg , gdb-peda
a) ghidra
b)radare
others are gdb ,although it gives the 1970s type of screen ,but dont worry there are sweet people out here who have made extensions for it which has made it cool and attractive to use ie gdb-peda and gef .This are the tools i like but there are many more…
2. Getting the vulnerability
After reversing ,identify some of the most common vulnerable functions used in it .There’s always something interesting or one that bugs you that you’ll find in binaries especially the one’s presented to you during ctfs.
Check the security of the binary .I mean which mitigations have been employed to protect the binary …
3. plotting your way in
Now having fully understood what the binary is doing ,the vulnerability to exploit .make your exploit and hack the world
GDB cheatsheet
Configure your gdb like a pro . Follow this link
GDB or GNU Debugger is GNU project which helps to debug software applications and analyze what is happening during program execution. It helps to:
- investigate improper behavior of your program.
- find cause of logical error which is hard to find just by looking at source code.
- analyze crash occurring in your application.
To launch gdb with an executable
gdb ./file -q
or
gdb -q
file ./file
Mostly i use -q switch because it is the option that launches gdb in quiet mode.After we have launched gdb there is a ton of things we can do as follows:
r or run ->execute the binary from start to end
(you can specify the command line arguments here)
start -> start the binary and break at the first instruction in main
c -> continue
break or b –> sets breakpoint on a particular line.
ni -> executes next line of code but dont follow function calls
si -> go to next instruction and follow function calls
finish -> execute remaining part
set {int}address = 0x41414141 -> this is for changing values memory
stored in memory.
disable -> disable a breakpoint.
enable –> enable a disabled breakpoint.
list or l –> displays the code.
print or p –> used to display the stored value.
quit or q –> exits out of gdb.
clear –> to clear all breakpoints.
info proc mappings -> handy command to check the memory layout of
the binary running
Radare cheatsheet
i will be updating this note as days goes by!
Pwntools Cheatsheet
Here’s some pro tips you may want to integrate into your pwntools scripts
payload = str(foo)
payload += pack(bar)
payload += baz
Can be collapsed down into a single statement with the flat()
function.
payload = flat(foo, bar, baz)
Integers are passed to pack, strings are untouched, and everything else gets __pack__()
invoked on it.
Additionally, if you’re like aligning your payload to a specific boundary. There is another routine, fit()
, which handles this automatically and makes the padding a valid cyclic()
offset. This way, if you mess up offsets, you will have e.g. "faab"
instead of "AAAA"
.
pad = cyclic_find("faab")
# 120
The way that this works with fit()
would look like:
payload = fit({
pad: "BBBB" # Overwriting saved RIP with BBBB
})
fit()
just calls flat()
on everything passed to it, so you can pass arrays of things to be set at a given offset.
payload = fit({
0: shellcode, # PLACING SHELLCODE IN BEGINNING OF BUFF
pad: [mov_rax_15_ret, # SET RAX TO SIGRETURN SYSCALL NUMBER
syscall_ret, # CALL SIGRETURN
frame, # PLACE FAKE FRAME ON STACK
leak] # RETURN2SHELLCODE
})
For attaching with GDB, you might want to look at the Pwntools function gdb.attach()
and gdb.debug()
!
Finally, a small nit: You don’t have to specify kernel=
for SigreturnFrame
unless the target arch is i386
. Foramd64
, this is unnecessary.