🔧Exploit Development Tools

Hello.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main() {
	char *ptr = malloc(30);
	strncpy(ptr, "Hello World", 11);
	printf("%s - ", ptr);
	free(ptr);
	puts("First Program");
	return 0;
}

gcc hello.c -o hello

./hello

Tool: ldd

The ldd tool displays the shared libraries loaded by programs at runtime.

These libraries have the suffix .so (shared object) and consist of individual files that contain a list of functions.

Attack opportunities range from finding weak file permissions and using rpath to replace a shared library with an evil one, to being able to leak an address of a loaded library, and even abusing its interesting gadgets to achieve execution flow control with ROP/JOP code-reuse attack techniques.

Tool: objdump

We can use objdump as a command-line disassembler and also to get important information about executable files and objects.

Getting the Global Offset Table (GOT) and Procedure Linkage Table (PLT)

With the -R option, you can display the list of functions in the GOT:

Now let’s use objdump to locate the address that will be called in the PLT to get to the puts() function:

• -M intel tells objdump to use Intel syntax mode instead of the default (AT&T).

• -d is short for --disassemble.

• -j .plt specifies the section we want to display (PLT).

Now we will use -j .text to find the call to puts in the program we are analyzing:

Finding References to Constant Strings

Step 1: Using strings

• -tx (-t is for radix, x is for hexadecimal) prints the offset within the file at the beginning of each string.

Step 2: Using objdump

Tool: strace

The strace command-line utility is useful when we need to trace system calls and signals.

It uses the ptrace system call to inspect and manipulate the target program, and besides allowing us to better understand the program’s behavior.

Install strace

Run strace

Trace/Filter Specific System Call

Program behavior if write function is not implemented

Inject Error EAGAIN

Injecting Delays

Let’s inject a delay of 1 second before the read function executes (delay_enter) and a delay 1 second after the write function executes (delay_exit). By default, the expected time precision is microseconds:

Reference

Modern strace

Tool: ltrace

The main purpose of the ltrace utility is to trace calls to shared libraries and their responses, but it can also be used to trace system calls.

Install ltrace

Run ltrace

Display System Calls

Tool: checksec

The checksec shell script parses a program’s ELF header to determine which compile-time mitigation technologies are being used, such as RELRO, NX, Stack Canaries, ASLR, and PIE.

Install checksec

Run checksec

Compile hello.c with security mitigations

Run hello-stronger

libc-database

Sometimes you manage to find and exploit an information leak vulnerability, but it is impossible to calculate the offset to the libc base or other functions unless you know the libc version being used on the remote host. The libc-database downloads a list of configured libc versions, extracts the symbol offsets, and allows you to query the function name and leaked address in order to identify the libc version being used.

Clone libc-database

Download libc version for Kali

Find libc versions

Get puts offset

Find script

Online Database

Online Database

Tool: patchelf

The patchelf command-line utility allows us to modify the libraries of an ELF executable. It is very useful when we are doing heap analysis on a different libc version than the one being used by the remote system, or when we don’t have access to the source code and want to run multiple libc versions on the same system.

Install patchelf

Patching hello binary

We first create the lib folder and copy the system’s ld-linux.so and libc:

Patch Hello binary

Tool: one_gadget

One_gadgets are found in libc and provide a simple way of getting a shell by jumping to a single gadget to execute execve("/bin/sh", NULL, NULL)

We can find these magical gadgets in one of two ways: by manually using strings and objdump or by using the one_gadget tool.

Manually Using Strings and objdump

Getting offeset address using strings

Look for references using objdump

Using the one_gadget Tool

Install one_gadget

Run one_gadget

Tool: Ropper

Ropper is a useful tool for generating ROP chains and finding code reuse gadgets. It is capable of loading ELF, PE, and Mach-O binary file formats, and it supports multiple architectures (x86, x86_64, MIPS, MIPS64, ARM/Thumb, ARM64, PowerPC, and Sparc) using the Capstone disassembly framework

Install Ropper

GitHub

Create a ROP Chain

ROP chain that calls mprotect() to enable executable permission on an arbitrary address:

Extending gdb with Python

Support for extending gdb with Python was added in version 7. This feature is only available if gdb was compiled with the configuration option --with-python.

GDB Scripts

• Gef: GDB enhanced features for exploit developers and reverse engineers

• Pwndbg: Exploit development and reverse engineering with GDB Made Easy

• PEDA: Python Exploit Development Assistance for GDB

Pwntools CTF Framework and Exploit Development Library

Pwntools is a capture the flag (CTF) and exploit development library that’s excellent for the rapid prototyping of exploits. It saves you significant time and effort when writing common exploitation tasks, letting you focus on the logics of your exploit, as well as provides a vast set of useful features.

Install pwntools

Summary of Features

Packing and Unpacking Strings

Assemble and Dissamble Code

ELF symbol resolver

Other features include functions to assist with common exploitation primitives and techniques, such as building ROP chains, shellcodes and SROP structures, dynamic memory leak helpers, format string exploitation, cyclic pattern generation, and more.

leak-bof.c

leak-bof.c

leak-bof-exploit.py

HeapME (Heap Made Easy) Heap Analysis and Collaboration Tool

Install HeapME

heapme_demo.c

Register and Login

HeapME

Debug ./heapme_demo