killchain-compendium/Exploits/Binaries/Tips & Tricks.md

49 lines
1.5 KiB
Markdown
Raw Normal View History

2023-05-03 23:20:31 +02:00
# Tips & Tricks for Binary Exploitations
2023-05-12 19:15:13 +02:00
## Toggle ASLR
2023-05-03 23:20:31 +02:00
State of ASLR can be switched via sysctl parameter `randomize_va_space`. [Kernel.org documentation](https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#randomize-va-space) displays the states of the switch.
* Take a look of the current stay via
```sh
sysctl kernel.randomize_va_space
```
Disable ASLR temporarily via
```sh
echo 0 | sudo tee /proc/sys/kernel.randomize_va_space
```
Disable it permanently via
```sh
echo "kernel.randomize_va_space = 0" > /etc/sysctl.d/01-disable-aslr.conf
```
## Keep stdin open
Sometimes input of payloads via stdin pipes cannot be done directly.
If you call an interactive shell in the exploited binary it may not stay open if you pipe the payload as is.
Therefore, the payload should be piped in the following way
```sh
(echo -e 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBu\x06' ; cat ) | ./binary
```
Therein, it is important to use the parameters `-e` and -- depending on the binary `-n` -- for the input being interpeted raw and not as ascii values.
Debug the input via `xxd`
```sh
echo -e '\xde\xad\xc0\xde' | xxd
```
## NULL bytes in Adresses
NULL bytes `\x00` in an address stop the execution of the payload input as a whole. An exception is `read()`, it does not stop on NULL bytes
2023-05-12 19:15:13 +02:00
## Read from running process
Read from a running process' stdout by attaching to the process via strace and read in the following way
```sh
strace -e read -p <ProcessId>
```