killchain-compendium/Exploits/Binaries/Tips & Tricks.md

1.4 KiB

Tips & Tricks for Binary Exploitations

Toggle ASLR

State of ASLR can be switched via sysctl parameter randomize_va_space. Kernel.org documentation displays the states of the switch.

  • Take a look of the current stay via
sysctl kernel.randomize_va_space

Disable ASLR temporarily via

echo 0 | sudo tee /proc/sys/kernel.randomize_va_space

Disable it permanently via

echo "kernel.randomize_va_space = 0" > /etc/sysctl.d/01-disable-aslr.conf

Keep stdin open

Sometimes input of payloads via stdin pipes cannot be done directly. If you call an interactive shell in the exploited binary it may not stay open if you pipe the payload as is.

Therefore, the payload should be piped in the following way

(echo -e 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBu\x06' ; cat ) | ./binary

Therein, it is important to use the parameters -e and -- depending on the binary -n -- for the input being interpeted raw and not as ascii values.

Debug the input via xxd

echo -e '\xde\xad\xc0\xde' | xxd

NULL bytes in Adresses

NULL bytes \x00 in an address stop the execution of the payload input as a whole. An exception is read(), it does not stop on NULL bytes