binary exploitation

Binary exploitation is the process of manipulating programs to do what we want them to do. By exploiting a program, we turn it into a weird machine that provides unintended features.

Though binary exploitation and exploit development are getting harder these days due to more sophisticated mitigations (not that this is a bad thing), keep in mind that software is also getting more complex and as such is more prone to error. The adoption of innovative mitigations is always slower than the pace of software development, so we can always to expect there to be something to exploit :).

Notes

These are entry notes to each respective topic.

Basic knowledge

• endianness
• calling convention
• static analysis
• dynamic analysis

Memory Layout

• stack
• heap
• global offset table
• process linkage table

Common Attacks

• stack buffer overflow
• format string exploit
• heap exploitation
• return-oriented programming
  • ROPEmporium x86_64

Tools

• debuggers (e.g., gdb for Linux)
• radare2: terminal-based static analysis tool
• pwntools: write exploits for pwn challenges in Python with ease; official tutorial
• Ghidra: disassembler with a handy decompiler
• angr: symbolic execution library
• IDA freeware: disassembler
• Exploit-DB: shellcode and PoC’s
• Shell-Storm Shellcode Database

Learn

Background Knowledge

• Have basic familiarity with x86 assembly.
• Have basic familiarity with ELF and memory layout
• mytechnotalent/Reverse-Engineering: tutorial on basic x86(_64) & ARM (AArch32/64) assembly
• ARM assembly basics
• How a C++ compiler implements exception handling
• Computer systems: a programmer’s perspective

Exploitation techniques

• LiveOverflow pwn playlist
• Exploit programming: from buffer overflows to “weird machines” and theory of computation
• how-to-bypass-aslr-on-linux-x86_64
• Corelan has an (relatively old) exploit writing tutorial series: begin here
• GTech CS6265 InfoSecLab tutorial
• MIT 6.888 (labs could be a good learning material)
• ARM Heap Exploitation - Azeria
• pwn.college offer video tutorials (though I prefer text)
• Open Security Training - Vulnerability Hunting & Exploitation
• CTF Wiki (Chinese) - Pwn
• Red Team Notes - Binary Exploitation section

Further learning

• The art of software security assessment: identifying and preventing software vulnerabilities
• The IDA Pro book: the unofficial guide to the world’s most popular disassembler
• Weird machines, exploitability, and provable unexploitability
• Shell-Storm
• New exploit methods for glibc ptmalloc
• Guide on Learning Theory for Reverse Engineering

Practice

• ROPEmporium x86_64: practice return-oriented programming fundamentals
• Exploit Education - Phoenix : practice basic binary exploitation techniques
• Exploit Education - Fusion: practice bypassing protections
  • Fusion is pretty old and I decided to just use Nightmare instead.
• Nightmare: collection of pwn CTF challenges and writeups
• Pwnable.tw: set of pwn challenges
• Pwnable.kr
• pwn.college: apart from video lectures, the site also provides a wealth of practice challenges
• Malware Unicorn: malware analysis/development and RE
• reversing hero: free challenge with a paid walkthrough from the author

Roadmaps and Other Resources

• Learn exploit dev while self-isolating : ExploitDev
• Getting Started with Exploit Development
• Exploit Development Learning Roadmap : ExploitDev
• Reversing / Malware Analysis / Assembly Resources
• Working at Project Zero
  • Get good at coding.
  • Read about common vulnerabilities and exploits.
  • Analyze past vulnerabilities.
  • Play CTFs.
  • Help fix new vulnerabilities in open-source projects.
  • Talk to product security people at your company.
  • Report your own CVEs and/or write exploits.
• How to deal with dup2() calls messing up pwntools: see writeup by bronson113