
PWN methodology — LINUX
by Karol Mazurek
This is my current methodology for approaching targets during binary exploitation on Linux OS.
- It is maintained as a cheat sheet, so it stays concise and not too long.
- The methodology is for manual exploitation.
- Fuzzers and similar tools such as AFL are not described.
- I will update this article from time to time with new notes.
find / -perm -u=s -type f 2>/dev/null
1. Basic binary security checks and some bypasses:
a) ASLR — Partial Overwrite / Info Disclosure / Brute Force
b) DEP — mprotect() / ret2libc / ROP / Egghunter
c) RELRO — GOT overwrite / .fini_array overwrite / .dtors overwrite
d) PIE — Address leak / NOP Slide
e) Stack Canaries — Brute Force / Heap Overflows / Arbitrary Write
f) Architecture — 32- or 64-bit OS?
g) Library linking — Dynamically / statically linked ?
h) Debugging info — Stripped / not stripped ?

Source: own study
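The step-1 checks can be reproduced without checksec by reading the ELF headers directly. The following is an added example, not code from the article: a standard-library-only walk of the program, dynamic and section headers that reports PIE, NX, RELRO, canary (heuristic), linking and stripping for any 32- or 64-bit ELF. `build_demo_elf()` constructs a minimal header-only ELF image (not a real program) so the script has something to run on offline; point it at real binaries with `python3 elfcheck.py ./target`.

```python
"""Added example: step-1 binary checks via the ELF headers (stdlib only).
Usage: python3 elfcheck.py ./target [./target2 ...]   (no args: runs on a demo image)
"""
import struct
import sys

# Constants from the ELF specification / elf.h
PT_DYNAMIC, PT_INTERP = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_BIND_NOW, DT_FLAGS = 0, 24, 30
DF_BIND_NOW = 0x8
SHT_SYMTAB = 2
ET_DYN = 3
MACHINES = {3: "i386", 40: "arm", 62: "x86-64", 183: "aarch64"}


def checksec(data: bytes) -> dict:
    """Return the step-1 properties of an ELF image held in memory."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                 # EI_CLASS: 1 = ELF32, 2 = ELF64
    e = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little endian
    ehdr_fmt = e + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH")
    (e_type, e_machine, _, _, e_phoff, e_shoff, _, _, e_phentsize, e_phnum,
     e_shentsize, e_shnum, _) = struct.unpack_from(ehdr_fmt, data, 16)

    phdrs = []  # (p_type, p_flags, p_offset, p_filesz)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            t, f, o, _, _, sz, _, _ = struct.unpack_from(e + "IIQQQQQQ", data, off)
        else:
            t, o, _, _, sz, _, f, _ = struct.unpack_from(e + "IIIIIIII", data, off)
        phdrs.append((t, f, o, sz))
    types = {t for t, _, _, _ in phdrs}

    # NX: stack is non-executable only if PT_GNU_STACK is present and lacks PF_X.
    nx = PT_GNU_STACK in types and not any(f & PF_X for t, f, _, _ in phdrs if t == PT_GNU_STACK)

    # RELRO: PT_GNU_RELRO alone is partial; full RELRO also needs BIND_NOW so the
    # GOT is resolved at load time and can then be mapped read-only.
    bind_now = False
    dyn_fmt = e + ("qQ" if is64 else "iI")
    entsz = struct.calcsize(dyn_fmt)
    for t, _, o, sz in phdrs:
        if t != PT_DYNAMIC:
            continue
        for pos in range(o, min(o + sz, len(data) - entsz + 1), entsz):
            tag, val = struct.unpack_from(dyn_fmt, data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW):
                bind_now = True
    relro = "none" if PT_GNU_RELRO not in types else ("full" if bind_now else "partial")

    # Stripped: `strip` removes the SHT_SYMTAB section; sh_type sits at offset 4 of a Shdr.
    has_symtab = any(
        struct.unpack_from(e + "I", data, e_shoff + i * e_shentsize + 4)[0] == SHT_SYMTAB
        for i in range(e_shnum)
    )

    return {
        "bits": 64 if is64 else 32,
        "machine": MACHINES.get(e_machine, hex(e_machine)),
        "pie": e_type == ET_DYN,
        "nx": nx,
        "relro": relro,
        # Heuristic: a canary-protected binary references __stack_chk_fail by name
        # (in .dynstr when dynamic, in .strtab when static and not stripped).
        "canary": b"__stack_chk_fail" in data,
        "dynamic": PT_INTERP in types,  # has a program interpreter (ld.so)
        "stripped": not has_symtab,
    }


def build_demo_elf() -> bytes:
    """Constructed sample (headers only, not runnable): ELF64 PIE, NX stack,
    full RELRO, dynamically linked, no canary, stripped."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    n_ph = 4
    dyn_off = 64 + n_ph * 56
    dyn = struct.pack("<qQ", DT_BIND_NOW, 0) + struct.pack("<qQ", DT_NULL, 0)
    segments = [  # (p_type, p_flags, p_offset, p_filesz)
        (PT_INTERP, 4, dyn_off + len(dyn), len(interp)),
        (PT_DYNAMIC, 6, dyn_off, len(dyn)),
        (PT_GNU_STACK, 6, 0, 0),  # RW only, so NX
        (PT_GNU_RELRO, 4, 0, 0),
    ]
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9  # ELF64, little endian, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, ET_DYN, 62, 1, 0, 64, 0, 0,
                       64, 56, n_ph, 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, o, 0, 0, sz, sz, 0)
                     for t, f, o, sz in segments)
    return ehdr + phdrs + dyn + interp


if __name__ == "__main__":
    if not sys.argv[1:]:
        print("demo image:", checksec(build_demo_elf()))
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, checksec(fh.read()))
```

Compare the output with `checksec` from pwntools on the same file; the canary line is the one place they can legitimately differ, since this script only looks for the `__stack_chk_fail` name and a stripped static binary carries no symbol names at all.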
2. Run the binary with:
a) no arguments
b) one argument
c) two and more arguments
d) data on stdin
e) buffer overflow string
f) format string
g) format string in a loop
h) remote format string or buffer overflow
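For inputs e) to g) above, and for reading the stack after the crash in tips 6a/6b, the following added example (my own code, not the article's) builds the inputs by hand: `cyclic()` and `cyclic_find()` reimplement the de Bruijn pattern behind pwntools' `cyclic`/`cyclic_find`, so the value that lands in a register or saved return address maps straight back to an offset in the input, and `format_probe()` produces one direct-parameter-access specifier per run for the "format string in a loop" case.

```python
"""Added example: overflow pattern, offset lookup and format-string probes (stdlib only)."""
from itertools import islice

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def de_bruijn(alphabet: bytes, n: int):
    """Lazily yield the lexicographically smallest de Bruijn sequence B(k, n):
    every n-byte window occurs exactly once, so a window identifies its offset."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t: int, p: int):
        if t > n:
            if n % p == 0:
                yield from a[1:p + 1]
            return
        a[t] = a[t - p]
        yield from db(t + 1, p)
        for j in range(a[t - p] + 1, k):
            a[t] = j
            yield from db(t + 1, t)

    for idx in db(1, 1):
        yield alphabet[idx]


def cyclic(length: int, n: int = 4) -> bytes:
    """First `length` bytes of the pattern. n=4 matches 32-bit registers (and the
    low half of a 64-bit one); use n=8 to identify a full 64-bit value."""
    return bytes(islice(de_bruijn(ALPHABET, n), length))


def cyclic_find(value, n: int = 4) -> int:
    """Offset of `value` in the pattern. Accepts bytes, or the integer read from a
    register after the crash (interpreted little-endian, as on x86). Returns -1 if absent."""
    if isinstance(value, int):
        value = value.to_bytes(max(n, (value.bit_length() + 7) // 8), "little")
    window = value[:n]
    if len(window) < n:
        return -1
    buf = b""
    for idx, byte in enumerate(de_bruijn(ALPHABET, n)):
        buf = (buf + bytes([byte]))[-n:]   # sliding window, generated only as far as needed
        if buf == window:
            return idx - n + 1
    return -1


def format_probe(count: int, start: int = 1) -> list:
    """Inputs for step 2 g): '%<i>$p' reads one argument slot per run, which keeps
    each line of output attributable to a single stack position."""
    return [b"%%%d$p" % i for i in range(start, start + count)]


if __name__ == "__main__":
    payload = cyclic(200)             # feed this as argv[1] / stdin in step 2 e)
    print(payload[:40], "...")
    # Constructed crash value: EIP/low RIP reads 0x61616163 ("caaa" little-endian)
    print("offset of 0x61616163:", cyclic_find(0x61616163))
    print(format_probe(5))
```

Feed `cyclic(200)` to the binary, read the faulting value from gdb (`info registers` / `x/8gx $rsp`), and `cyclic_find()` gives the byte offset at which the return address starts; on x86-64 the low four bytes of the clobbered RIP are enough with the default n=4.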
3. Run the binary with:
a) ltrace — library call tracer
b) strace — system calls and signals tracer
c) gdb — The GNU Project Debugger
4. Decompile & disassemble the binary:
a) using IDA / Ghidra / Hopper / Binary Ninja
b) disassemble the .text section
c) check sections
d) check function addresses
5. Check available ROP gadgets in:
a) the binary itself
b) linked libraries (libc database)
6. TIPS & TRICKS:
a) Set a breakpoint at the instruction after the possible vuln():
b) Then check how the stack looks:
c) You can also check it using pwntools with gdb attached:
d) Try the debug log level in pwntools:
e) Sometimes a child process is easier to exploit, e.g. to get a non-null base code segment:
f) If you want to serve the binary using socat:
g) Toggle ASLR / follow forks / set intel flavor in GDB
h) Run gdbserver to pwn the binary remotely:
i) “Ptrace operation not permitted”? Sure:
j) Debugging in pwntools:
k) Print shared object dependencies:
l) Some basic “instant-win” vulnerable functions:
• strncpy
• gets
• strcpy
• malloc / free
7. Static code analysis tools (for C):
a) cppcheck
b) semgrep
c) gcc
That’s it for the moment. As time goes by, I will try to add new notes to this article, and soon I will start a series of walkthroughs for various challenges and machines from Hack The Box using the methodology and tips described above. I hope you learned something here.
The post was originally published at: https://karol-mazurek95.medium.com/pwn-methodolodgy-linux-5c8355a8c9c2