PWN methodology — LINUX

by Karol Mazurek


This is my current methodology for approaching targets during binary exploitation on Linux OS.

  • It is kept cheatsheet-like so that it stays concise and not too long.
  • The methodology is meant for manual exploitation.
  • Tools such as AFL are not described here.
  • I will update this article from time to time with new notes.

find / -perm -u=s -type f 2>/dev/null

1. Basic binary security checks and some bypasses:
a) ASLR — Partial Overwrite / Info Disclosure / Brute Force
b) DEP — mprotect() / ret2libc / ROP / Egghunter
c) RELRO — GOT overwrite / .fini_array overwrite / .dtors overwrite
d) PIE — Address leak / NOP Slide
e) Stack Canaries — Brute Force / Heap Overflows / Arbitrary Write
f) Architecture — 32-bit or 64-bit OS?
g) Library linking — dynamically or statically linked?
h) Debugging info — stripped or not stripped?

Source: own study
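To make item 1 checkable from a script, here is an added example (my own code, not from the original article) that reads the checklist flags from a raw ELF64 image using only the Python standard library. The sample images it runs on are constructed headers-only blobs, not real binaries, and the canary and stripped checks are string heuristics rather than symbol-table parsing.

```python
import struct

# ELF constants (values from the ELF specification / glibc elf.h)
PT_DYNAMIC, PT_INTERP, PT_GNU_STACK, PT_GNU_RELRO = 2, 3, 0x6474E551, 0x6474E552
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, PF_X, ET_DYN = 0x8, 0x1, 0x1, 3

def elf_security_checks(data: bytes) -> dict:
    """Checklist item 1 from a raw ELF64 image: PIE, NX, RELRO, canary, linking, symbols."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not a 64-bit ELF file")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = [struct.unpack_from("<IIQQQQ", data, e_phoff + i * e_phentsize)  # type, flags, off, vaddr, paddr, filesz
             for i in range(e_phnum)]
    types = {p[0] for p in phdrs}
    stack = [p[1] for p in phdrs if p[0] == PT_GNU_STACK]
    relro = "none"
    if PT_GNU_RELRO in types:
        relro = "full" if _bind_now(data, phdrs) else "partial"
    return {
        "pie": e_type == ET_DYN,                    # ET_DYN executable => PIE
        "nx": bool(stack) and not stack[0] & PF_X,  # no PT_GNU_STACK => executable stack
        "relro": relro,
        "canary": b"__stack_chk_fail" in data,      # heuristic: imported symbol name present
        "static": PT_INTERP not in types and PT_DYNAMIC not in types,
        "stripped": b".symtab" not in data,         # heuristic: no .symtab section name
    }

def _bind_now(data: bytes, phdrs) -> bool:  # full RELRO also needs BIND_NOW in .dynamic (item 1c)
    for _, _, off, _, _, size in (p for p in phdrs if p[0] == PT_DYNAMIC):
        for pos in range(off, off + size, 16):      # Elf64_Dyn: int64 d_tag, uint64 d_val
            tag, val = struct.unpack_from("<qQ", data, pos)
            if tag == 0:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                return True
    return False

def build_sample_elf(hardened: bool = True) -> bytes:
    """Constructed ELF64 image (headers only, not runnable) used to exercise the checks."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8          # 64-bit, little-endian, ELF v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if hardened else 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, 4, 64, 0, 0)
    dyn = struct.pack("<qQqQ", DT_FLAGS_1, DF_1_NOW if hardened else 0, 0, 0)
    def ph(p_type, p_flags, off=0, size=0):
        return struct.pack("<IIQQQQQQ", p_type, p_flags, off, 0, 0, size, size, 8)
    phdrs = (ph(PT_INTERP, 4) + ph(PT_DYNAMIC, 6, 64 + 4 * 56, len(dyn))
             + ph(PT_GNU_STACK, 6 if hardened else 7) + ph(PT_GNU_RELRO, 4))  # RW vs RWX stack
    tail = b"__stack_chk_fail\0" if hardened else b".symtab\0"
    return ehdr + phdrs + dyn + tail
```

Running `elf_security_checks(build_sample_elf(False))` reports the weak profile (no PIE, executable stack, partial RELRO, no canary), which is the case the bypass list in item 1 is about; point it at real files via `open(path, "rb").read()` to triage a target.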

2. Run the binary with:
a) no arguments
b) one argument
c) two and more arguments
d) data on stdin
e) buffer overflow string
f) format string
g) format string in a loop
h) remote format string or buffer overflow

3. Run the binary with:
a) ltrace — library call tracer
b) strace — system calls and signals tracer
c) gdb — The GNU Project Debugger

4. Decompile and disassemble the binary:
a) using IDA / Ghidra / Hopper / Binary Ninja
b) disassemble the .text section
c) check the sections
d) check the function addresses

5. Check available ROP gadgets in:
a) the binary itself
b) linked libraries (libc database)

6. TIPS & TRICKS:
a) Set breakpoint @ instruction after possible vuln():

b) Then check what the stack looks like:

c) You can check it also using pwntools with attached gdb:

d) Try with debug level using pwntools:

e) Sometimes a child process can be easier to exploit, e.g. to get a non-null base for the code segment:

f) If you want to serve the binary using socat:

g) Toggle ASLR / follow forks / set Intel flavor in GDB

h) Run gdbserver to pwn binary remotely:

i) “ptrace: Operation not permitted”? Sure:

j) Debugging in pwntools:

k) Print shared object dependencies:

l) Some basic “instant-win” vulnerable functions:

• strncpy
• gets
• strcpy
• malloc / free

7. Static code analysis tools (for C):
a) cppcheck
b) semgrep
c) gcc

October 27, 2021

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013