# Tips & Tricks for Binary Exploitation

## Toggle ASLR

The state of ASLR is switched via the sysctl parameter `kernel.randomize_va_space`; the kernel.org documentation describes the meaning of each value.

Check the current state via

```sh
sysctl kernel.randomize_va_space
```

Disable ASLR temporarily (until the next reboot) via

```sh
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
```

Disable it permanently via a sysctl drop-in file. The redirection needs root, so write the file with `tee`, and apply it without rebooting with `sysctl --system`:

```sh
echo "kernel.randomize_va_space = 0" | sudo tee /etc/sysctl.d/01-disable-aslr.conf
sudo sysctl --system
```
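An added example, not part of the compendium, that checks whether a change to `randomize_va_space` actually took effect: it reads the current value, names it as the kernel documentation does, and compares the `[stack]` base of two freshly started processes, which only stays put when randomization is off. It assumes a Linux system with `/proc`; the helper names are my own and the maps line used for illustration is constructed.

```shell
#!/bin/sh
# Added example (not from the compendium): verify that an ASLR toggle took
# effect. Assumes a Linux /proc; helper names are invented for this example.

# aslr_describe VALUE: meaning of a randomize_va_space value as given in
# the kernel's Documentation/admin-guide/sysctl/kernel.rst.
aslr_describe() {
  case "$1" in
    0) echo "0: randomization disabled" ;;
    1) echo "1: conservative (stack, mmap base, VDSO, PIE randomized; brk fixed)" ;;
    2) echo "2: full (as 1, plus randomized brk/heap)" ;;
    *) echo "unknown value: $1" >&2; return 1 ;;
  esac
}

# aslr_current: print the live value, or nothing where /proc is absent.
aslr_current() {
  cat /proc/sys/kernel/randomize_va_space 2>/dev/null
}

# stack_base_from_maps: read /proc/PID/maps text on stdin and print the
# start address of the [stack] mapping, e.g. for the constructed line
#   7ffd3c2e0000-7ffd3c301000 rw-p 00000000 00:00 0   [stack]
# it prints 7ffd3c2e0000.
stack_base_from_maps() {
  awk '/\[stack\]/ { split($1, range, "-"); print range[1] }'
}

# stack_moves: start two short-lived processes (each cat is a new process,
# so /proc/self/maps is its own map) and compare their stack bases.
# Prints "randomized" if they differ, "fixed" if they are identical.
stack_moves() {
  a=$(cat /proc/self/maps 2>/dev/null | stack_base_from_maps)
  b=$(cat /proc/self/maps 2>/dev/null | stack_base_from_maps)
  if [ -z "$a" ] || [ -z "$b" ]; then
    echo "unavailable"; return 2
  elif [ "$a" = "$b" ]; then
    echo "fixed"; return 1
  else
    echo "randomized"
  fi
}

# Usage: report the configured value and whether it is observably in effect.
if v=$(aslr_current) && [ -n "$v" ]; then
  echo "randomize_va_space is $(aslr_describe "$v")"
  echo "stack base across two processes: $(stack_moves)"
fi
```

A value of 0 in the sysctl but a `randomized` result (or the reverse) usually means the drop-in file was written but `sysctl --system` was never run, or a later file in `/etc/sysctl.d` overrides it.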

## Keep stdin open

Sometimes a payload cannot simply be piped into stdin. If the exploited binary spawns an interactive shell, that shell exits as soon as the pipe reaches end of file, so piping the payload as is does not keep it open.

Therefore, pipe the payload followed by `cat`, which keeps stdin open and forwards your keyboard input to the shell:

```sh
(echo -e 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBu\x06' ; cat ) | ./binary
```

Therein, it is important to use `-e`, so that escape sequences such as `\x06` are emitted as raw bytes rather than as the literal ASCII characters, and, depending on the binary, `-n`, to suppress the trailing newline.

Debug the input via xxd:

```sh
echo -e '\xde\xad\xc0\xde' | xxd
```

## NULL bytes in addresses

A NULL byte (`\x00`) inside an address truncates the payload: input routines that treat their input as a C string stop at the first NULL byte, so everything after it is dropped. `read()` is the exception; it copies a byte count rather than a string and does not stop at NULL bytes.
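As an added example that is not part of the compendium, the following POSIX shell functions serve both the stdin section and this one: they show what bytes an escape string actually expands to, whether it ends in a newline (the `-n` question), and whether it contains a NULL byte that a string-based input routine would truncate at. They use `printf` with octal escapes and `od` instead of `echo -e` and `xxd`, because `echo -e` and `\xHH` are not available in every `/bin/sh`; the function names are my own and the sample payload is constructed.

```shell
#!/bin/sh
# Added example (not from the compendium): inspect the bytes a payload
# string expands to before piping it into a binary. printf and od are
# POSIX and behave the same under dash and bash; `echo -e` and `\xHH` are
# bash-isms, so octal \NNN escapes are used here (0xde is \336, 0xad \255).
# A literal percent sign in a payload has to be written as %% for printf.

# payload_hex FORMAT: hex dump (no spaces) of the bytes printf emits.
payload_hex() {
  printf "$1" | od -An -v -tx1 | tr -d ' \n'
}

# payload_len FORMAT: number of bytes printf emits.
payload_len() {
  printf "$1" | wc -c | tr -d ' '
}

# ends_with_newline FORMAT: succeeds if the last byte is 0x0a, i.e. the
# payload carries the trailing newline that `-n` would remove.
ends_with_newline() {
  [ "$(printf "$1" | tail -c 1 | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# has_nul FORMAT: succeeds if any byte is 0x00, meaning a string-based
# input routine would cut the payload short (read() is unaffected).
has_nul() {
  printf "$1" | od -An -v -tx1 | tr -s ' ' '\n' | grep -v '^$' | grep -qx 00
}

# first_nul_offset FORMAT: zero-based offset of the first NUL byte, or the
# total length if there is none: the number of bytes a C-string copy keeps.
first_nul_offset() {
  printf "$1" | od -An -v -tx1 | tr -s ' ' '\n' | grep -v '^$' |
    awk '$1 == "00" { print NR - 1; found = 1; exit } END { if (!found) print NR }'
}

# Usage: inspect a constructed payload with an embedded NUL byte.
sample='AAAA\000BBBB\n'
echo "bytes:  $(payload_hex "$sample")"
echo "length: $(payload_len "$sample")"
echo "first NUL at offset $(first_nul_offset "$sample"); bytes after it are lost to string-based reads"
if ends_with_newline "$sample"; then echo "trailing newline present"; fi
```

Once the bytes check out, the same `printf` call replaces `echo -e` in the `( … ; cat ) | ./binary` pipeline above.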

## Read from a running process

Observe what a running process reads (for example, your payload arriving on its stdin) by attaching strace to it and tracing `read()`; the buffer contents appear in the trace, and `-s` widens the displayed buffer beyond the default 32 bytes. Attaching requires ptrace permission: the same user with Yama `ptrace_scope` allowing it, or root.

```sh
strace -e read -p <ProcessId>
```

To see what the process writes to stdout, trace `write` instead.