Binary Exploitation


Binary exploitation, also known as pwn, is the art of exploiting vulnerable programs. This means that, given a program, often running on a remote server, an attacker is able to take control of the program's execution flow using only limited user input. The goal of the attacker is usually to get a shell on the remote server, but it is sometimes not necessary to compromise the server.

Exploit types

Different types of exploits exist; the most common are:

Name                         Description
Format String                Exploits format string functions to read and write in the program's memory
Overwriting stack variables  Change the value of a variable on the stack
ret2win                      Overwrite the return address to point to an interesting function of the program
Shellcode                    Inject shellcode in the program's memory and execute it
ret2libc                     Overwrite the return address to point to an interesting function in libc
Overwriting GOT              Overwrite the address of a function in the GOT to point to an interesting function

Exploit mitigations

Some security techniques exist that can make exploitation harder:

  • ASLR: Randomization of the memory addresses of the libraries (and, with PIE, of the program itself) at each run. Solution: leak an address and calculate the offset between the leaked address and the address of the function you want to call.

  • NX: The stack is marked non-executable, so code placed there cannot be run directly.

  • Stack canaries: A random value is stored on the stack and checked before returning from a function; a stack overflow that overwrites it aborts the program. Solution: leak the canary and overwrite it with the correct value.

  • PIE: Randomization of the memory addresses of the program itself, so its functions are not at fixed addresses. Solution: leak an address.

Tools

Common tools to exploit binaries:

Common attacks

  • ---x--x--x root root (execute-only binary)

    To exfiltrate or read a binary when you only have execution rights, you can load it with a library and use the library to read it.

    This requires the binary to be dynamically linked, and it is easier if you know the name of the function you want to extract.

    Code for this library is provided here.

    Writeups: CTF time WU, DGHack 2022 WU
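The mitigations listed above (NX, PIE, stack canaries, ASLR) and the precondition of the execute-only trick (the binary must be dynamically linked) can both be checked from the ELF headers before touching a binary. The following Python checker is an added example, not code from this wiki or from the linked writeups. It assumes little-endian ELF64 files only, treats the presence of the `__stack_chk_fail` string as a heuristic for canaries (enough for dynamically linked binaries, whose dynamic string table keeps that name even when stripped), and reads ASLR from the Linux `randomize_va_space` sysctl because ASLR is a kernel setting rather than a property of the file. The `build_sample_elf` helper constructs a minimal, non-loadable ELF image so the example runs without a real binary.

```python
import struct

# ELF constants, as defined in the ELF specification / elf.h
ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1

EHDR_FMT = "<16sHHIQQQIHHHHHH"  # 64-byte ELF64 file header
PHDR_FMT = "<IIQQQQQQ"          # 56-byte ELF64 program header


def parse_program_headers(data):
    """Return (e_type, [(p_type, p_flags), ...]) for a little-endian ELF64 image."""
    if len(data) < struct.calcsize(EHDR_FMT) or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is handled here")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = struct.unpack_from(EHDR_FMT, data, 0)
    phdrs = []
    for i in range(e_phnum):
        # p_type and p_flags are the first two fields of each program header
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def check_hardening(data):
    """Report the binary-level mitigations and whether the file is dynamically linked."""
    e_type, phdrs = parse_program_headers(data)
    types = {t for t, _ in phdrs}
    gnu_stack = [f for t, f in phdrs if t == PT_GNU_STACK]
    return {
        # NX: a PT_GNU_STACK header without PF_X. With no such header at all the
        # kernel falls back to an executable stack on most architectures.
        "nx": bool(gnu_stack) and not (gnu_stack[0] & PF_X),
        # PIE: the executable is ET_DYN, so the loader may place it anywhere.
        "pie": e_type == ET_DYN,
        # Canary heuristic (assumption): __stack_chk_fail is imported from libc.
        "canary": b"__stack_chk_fail" in data,
        "relro": PT_GNU_RELRO in types,
        # Dynamically linked: needs an interpreter (ld.so) or a dynamic section.
        "dynamic": PT_INTERP in types or PT_DYNAMIC in types,
    }


def aslr_enabled(path="/proc/sys/kernel/randomize_va_space"):
    """ASLR is a kernel setting: 2 means full randomization. None if unreadable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip()) == 2
    except (OSError, ValueError):
        return None


def build_sample_elf(nx=True, pie=True, canary=True, dynamic=True):
    """Constructed minimal ELF64 image: header plus program headers, no code.
    It exercises the checks above but is not a loadable program."""
    phdrs = [(PT_GNU_STACK, 0 if nx else PF_X)]
    if dynamic:
        phdrs.append((PT_INTERP, 0))
    phdr_bytes = b"".join(struct.pack(PHDR_FMT, t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1]) + b"\0" * 9
    ehdr = struct.pack(EHDR_FMT, ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0,
                       64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    tail = b"__stack_chk_fail\0" if canary else b""
    return ehdr + phdr_bytes + tail


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_sample_elf()  # constructed sample when no path is given
    for name, value in check_hardening(image).items():
        print(f"{name:8}{value}")
    print(f"aslr    {aslr_enabled()}")
```

Run it with a path to a real executable to get a checksec-style summary; without arguments it reports on the constructed sample. A `dynamic: True` result is exactly the condition under which an execute-only permission bit does not keep the file contents private from the user running it, since the loader maps the file into the process anyway.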