Binary Exploitation Cheatsheet

 



ELF INFO 

#Check protections 
rabin2 -I binary
checksec binary

#Hex to Decimal
printf "%d\n" 0x18

#Get ELF headers
readelf -h hello_world

#Get Program Headers - 9 Headers
readelf --wide -l hello_world

#Get Sections from an ELF
readelf --wide -S hello_world

#Get the contents of a section 
readelf -x .rodata hello_world

#get the hex data of any section from a binary file 
readelf -x .text hello_world
readelf -x .rodata hello_world
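The protections that `checksec` / `rabin2 -I` report are all derived from the headers `readelf -h`, `-l` and `-S` print above. The following is an added example (not the cheatsheet author's code) that parses those headers with `struct` and reproduces the NX / PIE / RELRO / canary verdicts; `build_sample_elf()` is a constructed, header-only image (not a runnable program) so the script runs offline, and all constant names are the standard ELF ones.

```python
# Added example, not the cheatsheet author's code: a minimal ELF64 reader that
# reports the hardening flags `checksec` / `rabin2 -I` print (NX, PIE, RELRO,
# stack canary) by parsing the same ELF/program/section headers readelf shows.
# build_sample_elf() is a constructed, header-only image used so this runs offline.
import struct
import sys

PT_GNU_STACK, PT_GNU_RELRO, PF_X = 0x6474E551, 0x6474E552, 0x1
ET_EXEC, ET_DYN = 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR = "<HHIQQQIHHHHHH"   # Elf64_Ehdr after the 16-byte e_ident
PHDR = "<IIQQQQQQ"        # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
SHDR = "<IIQQQQIIQQ"      # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize


def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode()


def parse_elf64(data):
    """Return e_type plus the program headers and a name->shdr map (readelf -h/-l/-S)."""
    if data[:4] != b"\x7fELF" or data[4] != 2:      # EI_CLASS 2 == ELFCLASS64
        raise ValueError("not a 64-bit ELF")
    (e_type, _, _, _, e_phoff, e_shoff, _, _, e_phentsize, e_phnum,
     e_shentsize, e_shnum, e_shstrndx) = struct.unpack_from(EHDR, data, 16)
    phdrs = [struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    shdrs = [struct.unpack_from(SHDR, data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    shstr_off = shdrs[e_shstrndx][4]                  # sh_offset of .shstrtab
    sections = {read_cstr(data, shstr_off + sh[0]): sh for sh in shdrs}
    return {"type": e_type, "phdrs": phdrs, "sections": sections}


def section_bytes(data, sh):
    return data[sh[4]:sh[4] + sh[5]]


def hardening(data):
    """Same verdicts checksec derives: NX from PT_GNU_STACK flags, PIE from
    e_type, RELRO from PT_GNU_RELRO (+ BIND_NOW for full), canary from
    __stack_chk_fail being an imported name in .dynstr."""
    elf = parse_elf64(data)
    stack = [ph for ph in elf["phdrs"] if ph[0] == PT_GNU_STACK]
    nx = bool(stack) and not (stack[0][1] & PF_X)    # no PT_GNU_STACK => executable stack
    pie = elf["type"] == ET_DYN
    relro = "none"
    if any(ph[0] == PT_GNU_RELRO for ph in elf["phdrs"]):
        relro = "partial"
        dyn = elf["sections"].get(".dynamic")
        blob = section_bytes(data, dyn) if dyn else b""
        for off in range(0, len(blob) - 15, 16):      # Elf64_Dyn = (d_tag, d_val)
            tag, val = struct.unpack_from("<QQ", blob, off)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                relro = "full"
    dynstr = elf["sections"].get(".dynstr")
    canary = dynstr is not None and b"__stack_chk_fail\0" in section_bytes(data, dynstr)
    return {"nx": nx, "pie": pie, "relro": relro, "canary": canary}


def build_sample_elf(nx=True, pie=True, relro="full", canary=True):
    """Constructed sample: only the headers/sections the checker reads, not a runnable program."""
    dynstr = b"\0" + (b"__stack_chk_fail\0" if canary else b"") + b"libc.so.6\0"
    dyn = [(DT_BIND_NOW, 0)] if relro == "full" else []
    dynamic = b"".join(struct.pack("<QQ", t, v) for t, v in dyn + [(DT_NULL, 0)])
    shstrtab = b"\0.dynstr\0.dynamic\0.shstrtab\0"
    phdrs = [(PT_GNU_STACK, 0x6 | (0 if nx else PF_X), 0, 0, 0, 0, 0, 16)]
    dynstr_off = 64 + 56 * (2 if relro != "none" else 1)   # ehdr + phdrs come first
    dynamic_off = dynstr_off + len(dynstr)
    shstr_off = dynamic_off + len(dynamic)
    shoff = shstr_off + len(shstrtab)
    if relro != "none":
        phdrs.append((PT_GNU_RELRO, 0x4, dynamic_off, dynamic_off, dynamic_off,
                      len(dynamic), len(dynamic), 1))
    shdrs = [(0,) * 10,
             (shstrtab.index(b".dynstr"), 3, 2, dynstr_off, dynstr_off, len(dynstr), 0, 0, 1, 0),
             (shstrtab.index(b".dynamic"), 6, 3, dynamic_off, dynamic_off, len(dynamic), 1, 0, 8, 16),
             (shstrtab.index(b".shstrtab"), 3, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0)]
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack(
        EHDR, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0x1000, 64, shoff, 0, 64, 56,
        len(phdrs), 64, len(shdrs), 3)
    return (ehdr + b"".join(struct.pack(PHDR, *p) for p in phdrs) + dynstr + dynamic
            + shstrtab + b"".join(struct.pack(SHDR, *s) for s in shdrs))


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    print(hardening(blob))
```

Run it as `python3 elfcheck.py ./binary` to check a real file, or with no argument to see the verdict for the constructed sample. A missing PT_GNU_STACK header is reported as NX off, which matches the kernel's behaviour of granting an executable stack in that case; shared objects are also ET_DYN, so `pie` reads true for a `.so` as well.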

#get a specific function using readelf
readelf -a /usr/lib32/libc-2.31.so | grep mprotect 

#Listing Functions 
rabin2 -i binary
nm -u binary
rabin2 -qs <binary> | grep -ve imp -e ' 0 '

#List Strings
rabin2 -z binary

#Print Symbols from a binary 
objdump --wide -t binary

#Object Dump 
objdump -D hello_world

#get shellcode from the binary (the raw .text bytes as a \x-escaped string; printf is used because plain echo handles backslashes differently between shells)
for i in $(objdump -d -j .text ./Hello_stack | grep "^ " | cut -f2); do printf '\\x%s' "$i"; done; echo


#Generate assembly instructions - it will generate a hello.s file
gcc -S hello.c

#Compile without linking; will generate the object file hello.o
gcc -c hello.c

#Compile a file 
gcc hello.c -o hello
Make sure to set a breakpoint and run the program before running the commands below when trying them from GDB


#Search for the address of system or any other function from a binary using objdump,
# or from gdb using `p system`
objdump -M intel -D vuln | grep 'system' -A 3 

#Get PLT/GOT function names after disassembling all sections 
objdump -d vuln | grep ">:"

#Display the dynamic relocation entries in the file
#address of functions in the GOT
objdump -R vuln

# Find system address
p system 
xinfo system 

#Find Exit address 
p exit 

#Check whether libc is being used or not - copy libc to the current working directory for ease of use.
# Copy the libc base address
# Default path = /lib/x86_64-linux-gnu/libc-2.27.so
vmmap libc 

#Find JMP RSP or JMP RAX or any other instruction
# if you are unable to find an instruction in your vuln binary, search for it in libc
ropper
> file ./vuln        (or: file ./libc)
> search jmp rsp

#if you are unable to find a JMP instruction try CALL
> search call rsp

#Finding "/bin/sh"
find "/bin/sh"            # peda
search-pattern "sh"       # gef
strings -a -t x libc-2.27.so | grep "/bin/sh"
ropper --file libc-2.27.so --string '/bin/sh'

# Search for ret instruction, look for a single ret without any other instructions. 
ropper --file libc-2.27.so --search "ret"
0x00000000000008aa: ret; 

#An address taken from libc externally (ropper, strings, etc.) is only an offset: add the libc base address (the first address shown by `vmmap libc`) to it. The same applies to any other instruction or string found in libc.

#Change ropper search depth - 
# /1/ - 1 level down, /2/ - 2 levels down
# better to pick a gadget that ends with ret for ret2libc
ropper
> file ./vuln_file or file ./libc
> search /1/ pop rdi 


#Keep the STDIN open 
(cat payload;cat ) | ./vuln


# if we are unable to find the exact instruction
- Ex: we are looking for `pop rdx; ret;` but found `pop rdx; pop r12; ret;` - after passing the argument for pop rdx, send some dummy data for pop r12, as shown below
- buffer += pack("<Q", 0x414141414141)  # Dummy for pop r12


#Get Base address of Stack
- set a breakpoint at main and run the program, take the first address of the stack
- you can check if the stack is executable or not here 
vmmap stack 

#Get Base address of LIBC 
vmmap libc 

# When trying any Return2 Exploits 
- better to add extra "ret" address before pop rdi, ret instructions
- this is to avoid 16-bit alignment issues 
Radare2 

radare2 binary

#list functions/symbols (run the analysis first)
aaa
afl
is

#disassembly of the current function
pdf

#disassemble a function
s sym.main
pdf




Process

#Check protections 
rabin2 -I binary
checksec binary

#Get Function names
rabin2 -i <binary>
nm -u <binary>

#get approx list of user defined functions
rabin2 -qs <binary> | grep -ve imp -e ' 0 '

#Get strings
rabin2 -z <binary>
rabin2 -Z <binary>
Windows - Immunity Debugger/MONA

#Create pattern
!mona pattern_create 2500
!mona pc 2500

#Find Offset 
!mona pattern_offset 0x42424242
!mona po 0x42424242
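The two mona commands above are a cyclic-pattern generator and a lookup into it. As an added example (not the cheatsheet author's or mona's code), here is the same pair in Python: `pattern_create()` emits the Metasploit-style `Aa0Aa1...` sequence and `pattern_offset()` maps a register value back to the input offset it came from, which is what lets a fuzzer crash be triaged (does the overwrite reach a saved return address or only a local?). Function names and the sample values are this example's own.

```python
# Added example, not the cheatsheet author's code: a Python version of what
# !mona pattern_create / pattern_offset do.  pattern_create() emits the standard
# Metasploit-style cyclic string (Aa0Aa1...); pattern_offset() tells you which
# input offset a register value was copied from, for triaging a crash.
import string

MAX_LEN = 26 * 26 * 10 * 3      # 20280 bytes before the three-character cycle repeats


def pattern_create(length):
    """First `length` characters of the cyclic pattern (uppercase, lowercase, digit)."""
    if not 0 < length <= MAX_LEN:
        raise ValueError("length must be 1..%d" % MAX_LEN)
    pat = "".join(u + l + d for u in string.ascii_uppercase
                  for l in string.ascii_lowercase for d in string.digits)
    return pat[:length]


def pattern_offset(value, length=MAX_LEN):
    """Offset of `value` in the pattern, or None.  `value` is register contents
    (int, 32- or 64-bit: little-endian bytes are tried first, then big-endian,
    as mona does) or the literal 4/8-character fragment."""
    pat = pattern_create(length).encode()
    if isinstance(value, int):
        width = 8 if value >> 32 else 4
        candidates = [value.to_bytes(width, "little"), value.to_bytes(width, "big")]
    else:
        candidates = [value.encode() if isinstance(value, str) else value]
    for needle in candidates:
        idx = pat.find(needle)
        if idx != -1:
            return idx
    return None


if __name__ == "__main__":
    print(pattern_create(2500))
    # constructed sample: a 32-bit register that ended up holding pattern bytes 6..9
    print(pattern_offset(0x41326141))
```

`pattern_offset(0x41326141)` returns 6 because the register holds the bytes `Aa2A` in little-endian order; a value such as the page's `0x42424242` is not part of the pattern and returns None, which usually means the register was overwritten by something other than the sent pattern.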

#Find modules with ASLR & Rebase turned off
!mona modules -cm aslr=false,rebase=false

#Find a JMP ESP address using mona in a set of DLLs
!mona jmp -r esp -m a.exe,b.dll,c.dll,d.dll

#Find an address using its opcode - \xff\xe4 is JMP ESP
#Generate the opcodes using nasm_shell.rb from MSF
!mona find -s "\xff\xe4" -m slmfc.dll

#Create a rop_chain and rop.txt
!mona rop -m a.exe,b.dll,c.dll,d.dll

#Find addresses with write permissions
#Choose DLLs where ASLR is disabled
!mona rop -m a.dll,v.dll,b.dll



Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Security Analyst, Blogger, Web Developer and a Mechanical Engineer. He Enjoys writing articles, Blogging, Debugging Errors and Capture the Flags. Enjoy Learning; There is Nothing Like Absolute Defeat - Try and try until you Succeed.
