icon

Binary Exploitation

Last modified: 2023-08-14

Binary Exploitation is the process of finding vulnerabilities in the binary file.

Prerequisites

This post uses rizin for dynamic analysis.
And pwntools python package is useful for binary exploitation.


Investigation

Basic

file ./example
strings ./example

objdump -d ./example
# -M: type
objdump -M intel -d ./example

Security Properties

First check the executable properties.

checksec --file=./example
  • RELRO (stands for Relocation Read-Only)

    • Partial RELRO - We can read/write the global offset table.
    • Full RELRO - We can only read the global offset table. So we cannot overwrite GOT.
  • STACK CANARY

    • No canary found - It’s vulnerable to buffer overflow.
  • NX (stands for Non-eXecutable segments)

    • NX enabled - We cannot execute custom shellcode from the stack.
  • PIE (stands for Position Independent Executable)

    • No PIE - The binary always starts at same address.

Disabling ASLR (Address Space Layout Randomization)

ASLR is a security technique involved in preventing exploitation of memory corruption vulnerabilities.

cat /proc/sys/kernel/randomize_va_space
2
  • 0 - The address space is NOT randomized.
  • 1 - The address space is randomized.
  • 2 - The address space is randomized, and data segment as well.

To disable ASLR, run the following command.

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

Debugging

1. Start Debugger

# Change permission for debugging
chmod +x example

# -d: Debug mode
rizin -d example

2. Analyzing

# Analyze all calls, references, emulation and applies signatures
[0x0000]> aaa

3. List functions

# List functions
[0x0000]> afl
[0x0000]> afl | grep main

4. Disassemble & Decompile Functions

# Disassemble the function
[0x0000]> pdf @ main
[0x0000]> pd @ main
# Disassemble the first 50 lines
[0x0000]> pd 50 @ main

# Decompile the function (the ghidra plugin required)
[0x0000]> pdg @ main

If you want to decompile using “pdg” command as above, you need to install the “rizin-plugin-ghidra” so install it by running the following command.

sudo apt install rizin-plugin-ghidra

Format String (Pointer)

./example

Type something:
>> %2$p

# output
0x555a18ae6365

Exploitation Examples

# Brute force pointer
for i in {20..-1}; do echo \%$i\$p | ./example; done

# Brute force pointer & cut & hexdump (reverse) & reverse
# cut -c 15-: Select only N characters (e.g. 15 characters)
# xxd -ps: Output in plain hexdump style
# xxd -r: Reverse operation. Convert hexdump into binary
# rev: Reverse lines characterwise
(for i in {11..6..-1}; do echo \%$i\$p | ./example; done) | grep "The result is" | cut -c 15- | xxd -ps -r | rev