Binary Exploitation Cheatsheet
2023-5-26 05:21:0 Author:查看原文) 阅读量:15 收藏

Make sure to set a breakpoint and run the program before running below commands when trying from GDB 

# Find system address
p system 
xinfo system 

#Find Exit address 
p exit 

#Chek if libc is being used or not - copy libc to current working directory for ease of use. 
# Copy Libc base address 
# Default path = /lib/x86_64-linux-gnu/
vmmap libc 

#Find JMP RSP or JMP RAX or any other instruction 
# if you are unable to find an instruction in your vuln binary, search for the string in libc 
file ./vuln or file ./libc
search jmp rsp 

#if you are unable to find JMP instruction try CALL 
 search call rsp 

#Finding "/bin/sh"
find "/bin/sh"
strings -a -t x | grep "/bin/sh"
ropper --file --string '/bin/sh'

# Search for ret instruction, look for a single ret without any other instructions. 
ropper --file --search "ret"
0x00000000000008aa: ret; 

#When you take an address from libc externally or using ropper, you need to add libc base address that you got from `vmmap libc` first address with the address that you got from ropper or strings. - its the same with any other instructions.  

#Change ropper serach depth - 
# 1 - 1 level down, /2/ - 2 levels down
# better to pick a gadget that ends with ret for ret2libc
> file ./vuln_file or file ./libc
> search /1/ pop rdi 

#Keep the STDIN open 
(cat payload;cat ) | ./vuln