kd❯ g

~ Linux Exploit Tips

Create Skeleton Exploit

• $ skel binary (private script)

Find Rop Gadget

• $ ropper --file binary --console
• $ (pivot/ELF/x86_64)> stack_pivot
• $ ropper --file binary
• $ ropper --file binary --search "pop rdi"
• $ ROPgadget --binary binary
• $ ROPgadget --binary binary --only "pop|ret"
• $ ROPgadget --binary binary >> gadgets.txt

Find Offset for EIP and More

• $ ./woollymammoth.py offset -t 127.0.0.1 -p 8080 --prefix "HELP "
• $ ./woollymammoth.py eip -e 33634132
• $ pattern 100 (private script)

Find String in Binary

• pwndbg> r (Cntl+C)
• pwndbg> search /bin/cat
• $ strings binary
• $ strings -tx libc.so | grep /bin/sh
• $ rabin2 -z binary
• $ objdump -s libc.so | less
• Use Pwntools
from pwn import * libc = ELF('libc.so') ... sh = base + next(libc.search('sh\x00')) binsh = base + next(libc.search('/bin/sh\x00'))

View Section the Binary

• pwndbg> vmmap
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA 0x400000 0x401000 r-xp 1000 0 /home/pwn/Desktop/binary 0x600000 0x601000 r--p 1000 0 /home/pwn/Desktop/binary 0x601000 0x602000 rw-p 1000 1000 /home/pwn/Desktop/binary
• $ objdump -h binary (.data and .bss used for write data)

View Library

• $ ldd binary
linux-vdso.so.1 (0x00007ffe98b84000) libpivot.so => ./libpivot.so (0x00007f1748600000) libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f17483d8000) /lib64/ld-linux-x86-64.so.2 (0x00007f174897d000)

View Functions

• $ afl
• $ rabin2 -i binary
• $ readelf -s binary

Find specific function offset in libc

• $ readelf -s libc-2.19.so | grep system@
620 : 00040310 56 FUNC GLOBAL DEFAULT 12 __libc_system@@GLIBC_PRIVATE 1443: 00040310 56 FUNC WEAK DEFAULT 12 system@@GLIBC_2.0
• Use Pwntools
from pwn import * libc = ELF('libc.so') system_off = libc.symbols['system']

View Memory

• pwndbg> x/x $rbx (view hexa)
• pwndbg> x/10x $rbx (view 10 hexa)
• pwndbg> x/s $rbx (view string)
• pwndbg> x/10s $rbx (view 10 string)
• pwndbg> x/i $rbx (view assembly)
• pwndbg> x/10i $rbx (view 10 assembly)
• pwndbg> x/gx $rbx
• pwndbg> p/x $rbx (view pointer)

View PLT/GOT Table

• pwndbg> plt
• pwndbg> got

View HEAP

• pwndbg> mmap
• pwndbg> vis

Breakpoints

• pwndbg> b/break (Set breakpoint)
• pwndbg> disable (Disable breakpoint)
• pwndbg> del 1 (Delete breakpoint depending id)
• pwndbg> enable (Enable breakpoint)
• pwndbg> info breakpoints/ib (List breakpoints)
• pwndbg> watch (Break on access [read/write])

Running / Stepping

• pwndbg> r/run (Run program)
• pwndbg> s/si (Step over)
• pwndbg> n/ni (Step into)
• pwndbg> finish (Step to next return)
• pwndbg> u (Step to address)

Getting Information

• pwndbg> info registers (Show registers)
• pwndbg> info proc mappings (Show virtual memory map and permissions)
• pwndbg> print/p (Examine symbols)
• pwndbg> backtrace/bt (Stack backtrace)

Fork problem in gdb

• pwndbg> set follow-fork-mode parent
• pwndbg> set disassembly-flavor intel
• pwndbg> set follow-fork-mode child
• pwndbg> set detach-on-fork off
• pwndbg> info inferiors
• pwndbg> inferiors X

Techniques








Links

• Binary Exploitation Notes
• Information Security Lab
• ROP Emporium