# Tips & Tricks for Binary Exploitations

## Toggle ASLR

The state of ASLR can be switched via the sysctl parameter `randomize_va_space`. The [Kernel.org documentation](https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#randomize-va-space) lists the possible values of the switch.

* Check the current state via

```sh
sysctl kernel.randomize_va_space
```

Disable ASLR temporarily via

```sh
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
```

Disable it permanently (as root, so that the file can be written) via

```sh
echo "kernel.randomize_va_space = 0" > /etc/sysctl.d/01-disable-aslr.conf
```

## Keep stdin open

Sometimes a payload cannot simply be piped into the binary via stdin. If the exploited binary spawns an interactive shell, that shell will not stay open when the payload is piped as is, because stdin hits EOF as soon as the payload has been written. Therefore, the payload should be piped in the following way, so that `cat` keeps stdin open and forwards your keyboard input to the shell:

```sh
(echo -e 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBu\x06' ; cat ) | ./binary
```

Therein, it is important to use the parameter `-e` and, depending on the binary, `-n`: `-e` makes `echo` interpret escape sequences such as `\x06` as raw bytes instead of passing the literal ASCII characters `\`, `x`, `0`, `6`, and `-n` suppresses the trailing newline.

Debug the input via `xxd`:

```sh
echo -e '\xde\xad\xc0\xde' | xxd
```

## NULL bytes in Addresses

A NULL byte `\x00` inside an address stops the execution of the payload input as a whole when the input is consumed by C string functions, which treat the NULL byte as the end of the string and drop everything after it. An exception is `read()`: it copies an explicit number of bytes and does not stop on NULL bytes.

## Read from running process

Inspect what a running process reads (for example from its stdin) by attaching strace to it and tracing its `read()` calls in the following way (`<PID>` is a placeholder for the process id):

```sh
strace -e read -p <PID>
```
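As an added example that is not part of the original page, the following C program shows the NULL-byte rule above in practice: it packs a constructed x86-64 address little-endian (as `p64()` would), then compares how many of its 8 bytes survive a `strcpy()` copy versus a `read()` from a pipe. The address `0x401136` and the function names are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed x86-64 code address; packed little-endian it is
   36 11 40 00 00 00 00 00, i.e. five trailing NULL bytes. */
#define EXAMPLE_ADDR 0x0000000000401136ULL

/* Pack a 64-bit value as 8 little-endian bytes, as p64() would in a payload. */
static void pack_le64(uint64_t v, unsigned char out[8]) {
    for (int i = 0; i < 8; i++)
        out[i] = (unsigned char)(v >> (8 * i));
}

/* Bytes that survive when the payload passes through a C string function:
   strcpy() stops at the first NULL byte, so everything after it is dropped. */
size_t bytes_kept_by_strcpy(uint64_t addr) {
    char payload[9] = {0};           /* 8 packed bytes + terminating NULL */
    char dst[9] = {0};
    pack_le64(addr, (unsigned char *)payload);
    strcpy(dst, payload);
    return strlen(dst);
}

/* Bytes that survive when the payload is delivered through read():
   the byte count is explicit, so NULL bytes are copied like any other. */
size_t bytes_kept_by_read(uint64_t addr) {
    unsigned char packed[8], dst[8];
    int fd[2];
    size_t got = 0;
    pack_le64(addr, packed);
    if (pipe(fd) != 0) return 0;
    if (write(fd[1], packed, sizeof packed) != (ssize_t)sizeof packed) {
        close(fd[0]); close(fd[1]); return 0;
    }
    close(fd[1]);
    while (got < sizeof dst) {        /* drain the pipe until EOF or buffer full */
        ssize_t n = read(fd[0], dst + got, sizeof dst - got);
        if (n <= 0) break;
        got += (size_t)n;
    }
    close(fd[0]);
    return got;
}

int main(void) {
    printf("strcpy keeps %zu of 8 bytes, read() keeps %zu of 8 bytes\n",
           bytes_kept_by_strcpy(EXAMPLE_ADDR), bytes_kept_by_read(EXAMPLE_ADDR));
    return 0;
}
```

Running it prints that `strcpy` keeps only the 3 bytes before the first NULL while `read()` keeps all 8, which is why string-based input paths truncate such addresses and `read()`-based ones do not.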