Basic Stack Binary Exploitation Methodology
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
ELF Basic Info
Before start exploiting anything it's interesting to understand part of the structure of an ELF binary:
ELF Basic InformationExploiting Tools
Exploiting ToolsStack Overflow Methodology
With so many techniques it's good to have a scheme when each technique will be useful. Note that the same protections will affect different techniques. You can find ways to bypass the protections on each protection section but not in this methodology.
Controlling the Flow
There are different was you could end controlling the flow of a program:
Stack Overflows overwriting the return pointer from the stack or the EBP -> ESP -> EIP.
Might need to abuse an Integer Overflows to cause the overflow
Or via Arbitrary Writes + Write What Where to Execution
Format strings: Abuse
printf
to write arbitrary content in arbitrary addresses.Array Indexing: Abuse a poorly designed indexing to be able to control some arrays and get an arbitrary write.
Might need to abuse an Integer Overflows to cause the overflow
bof to WWW via ROP: Abuse a buffer overflow to construct a ROP and be able to get a WWW.
You can find the Write What Where to Execution techniques in:
Write What Where 2 ExecEternal Loops
Something to take into account is that usually just one exploitation of a vulnerability might not be enough to execute a successful exploit, specially some protections need to be bypassed. Therefore, it's interesting discuss some options to make a single vulnerability exploitable several times in the same execution of the binary:
Write in a ROP chain the address of the
main
function or to the address where the vulnerability is occurring.Controlling a proper ROP chain you might be able to perform all the actions in that chain
Write in the
exit
address in GOT (or any other function used by the binary before ending) the address to go back to the vulnerabilityAs explained in .fini_array, store 2 functions here, one to call the vuln again and another to call**
__libc_csu_fini
** which will call again the function from.fini_array
.
Exploitation Goals
Goal: Call an Existing function
ret2win: There is a function in the code you need to call (maybe with some specific params) in order to get the flag.
In a bof with PIE, you will need to bypass it
In a bof with canary, you will need to bypass it
Via a Write What Where you could abuse other vulns (not bof) to call the
win
function.
Pointers Redirecting: In case the stack contains pointers to a function that is going to be called or to a string that is going to be used by an interesting function (system or printf), it's possible to overwrite that address.
Uninitialized vatiables: You never know.
Goal: RCE
Via shellcode, if nx disabled or mixing shellcode with ROP:
(Stack) Shellcode: This is useful to store a shellcode in the stack before of after overwriting the return pointer and then jump to it to execute it:
In any case, if there is a canary, in a regular bof you will need to bypass (leak) it
With ASLR you will need techniques such as ret2esp/ret2reg to jump to it
Via syscalls
Ret2syscall: Useful to call
execve
to run arbitrary commands. You need to be able to find the gadgets to call the specific syscall with the parameters.SROP can be useful to prepare the ret2execve
Via libc
Ret2lib: Useful to call a function from a library (usually from
libc
) likesystem
with some prepared arguments (e.g.'/bin/sh'
). You need the binary to load the library with the function you would like to call (libc usually).If statically compiled and no PIE, the address of
system
and/bin/sh
are not going to change, so it's possible to use them statically.Without ASLR and knowing the libc version loaded, the address of
system
and/bin/sh
are not going to change, so it's possible to use them statically.With ASLR but no PIE, knowing the libc and without the binary using the
system
:Use
ret2dlresolve
to resolve the address ofsystem
and call itBypass ASLR and calculate the address of
system
and'/bin/sh'
in memory.
Via EBP/RBP
Stack Pivoting / EBP2Ret / EBP Chaining: Control the ESP to control RET through the stored EBP in the stack.
Useful for off-by-one stack overflows
Useful as an alternate way to end controlling EIP while abusing EIP to construct the payload in memory and then jumping to it via EBP
Misc
Pointers Redirecting: In case the stack contains pointers to a function that is going to be called or to a string that is going to be used by an interesting function (system or printf), it's possible to overwrite that address.
Uninitialized variables: You never know
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Last updated