Various

Checksec

Check executables and kernel properties

checksec --file=ch37.bin
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE
Partial RELRO   No canary found   NX enabled    PIE enabled     No RPATH   No RUNPATH   No Symbols        No    0               4               ch37.bin

RELRO:

Relocation Read-Only

Partial RELRO:
- Default setting in GCC
- Only forces the GOT to come before the BSS in memory, eliminating the risk of a buffer overflow on a global variable overwriting GOT entries

Full RELRO:
- Makes the GOT completely read-only
- Longer load time of the binary

PIE:

Position Independent Executable
- The PIE binary and all of its dependencies are loaded at randomized locations in virtual memory.
- Makes ROP attacks harder, since gadget addresses are not known without an information leak.
- GDB disables address randomization by default, so the binary is loaded at 0x555555550000.

Linux System Call Table: https://faculty.nps.edu/cseagle/assembly/sys_call.html

Create Core dumps after crash:

Shellcodes

setreuid(getuid(), getuid()) followed by execve("/bin/sh") (for setuid binaries)

Store shellcode in environment variable:

Retrieve offset for environment variables:

Run shell code for applications with interactive CLI:

Compile code without security features

| Command parameter | Description |
| --- | --- |
| -no-pie -fno-pie | Disables Position Independent Executable (PIE) to prevent address randomization of the executable, making it run at a fixed address. |
| -fno-stack-protector | Turns off the generation of stack canaries, which are used to detect and prevent stack buffer overflow attacks. |
| -z execstack | Marks the stack as executable, allowing code execution from the stack, which is typically blocked to prevent certain types of exploits. |
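The RELRO, NX and PIE columns of the checksec output above are read straight out of the ELF headers, and the compiler flags in this section are the switches that set those bits (-no-pie produces an ET_EXEC file instead of ET_DYN, -z execstack adds the executable flag to the PT_GNU_STACK segment). The Python script below is an added example, not part of these notes or of the checksec project: it reimplements those three checks with the standard library only and constructs a minimal, non-loadable ELF image inline as sample input. The Canary and FORTIFY columns need the symbol table and are not covered; all function and constant names are the example's own.

```python
import struct
import sys

# ELF constants (values as defined in the ELF gABI and glibc's elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = "<16sHHIQQQIHHHHHH"  # 64-byte little-endian ELF64 header
PHDR = "<IIQQQQQQ"          # 56-byte ELF64 program header
DYN = "<QQ"                 # 16-byte dynamic-section entry (d_tag, d_val)


def check_elf64(blob: bytes) -> dict:
    """Return the RELRO / NX / PIE verdicts for a little-endian ELF64 image.

    Mirrors what checksec reports in those three columns:
      RELRO - PT_GNU_RELRO present ("Partial"); plus BIND_NOW ("Full")
      NX    - PT_GNU_STACK present and not executable
      PIE   - e_type is ET_DYN (shared objects are ET_DYN too; checksec
              makes the same simplification)
    """
    if blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR, blob, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    phdrs = [struct.unpack_from(PHDR, blob, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]

    # NX: conservatively report "disabled" when PT_GNU_STACK is absent.
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    nx = bool(stack) and not (stack[0][1] & PF_X)

    # Full RELRO requires the loader to resolve every GOT entry at start-up
    # (BIND_NOW) so the whole GOT can then be remapped read-only.
    bind_now = False
    for p in phdrs:
        if p[0] != PT_DYNAMIC:
            continue
        off = p[2]  # p_offset: file position of the dynamic section
        while True:
            tag, val = struct.unpack_from(DYN, blob, off)
            off += struct.calcsize(DYN)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW
                    or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                bind_now = True
    has_relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    relro = "Full" if has_relro and bind_now else ("Partial" if has_relro else "No")
    return {"RELRO": relro, "NX": nx, "PIE": e_type == ET_DYN}


def build_elf64(pie: bool, nx: bool, relro: str) -> bytes:
    """Constructed, non-loadable ELF64 image carrying only the headers the
    checks above inspect; sample input for offline use, not compiler output."""
    assert relro in ("none", "partial", "full")
    dyn = [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)] if relro == "full" else []
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(struct.pack(DYN, t, v) for t, v in dyn)

    # "-z execstack" is exactly "add PF_X to PT_GNU_STACK"; NX leaves it off.
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0, 0, 0, 0, 16)]
    if relro != "none":
        phdrs.append((PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    ehdr_size, phdr_size = struct.calcsize(EHDR), struct.calcsize(PHDR)
    dyn_off = ehdr_size + phdr_size * (len(phdrs) + 1)  # +1: PT_DYNAMIC itself
    phdrs.append((PT_DYNAMIC, PF_R | PF_W, dyn_off, 0, 0,
                  len(dyn_bytes), len(dyn_bytes), 8))

    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELF64, LE, v1, SysV
    # "-no-pie" yields ET_EXEC; a PIE is ET_DYN, like a shared object.
    ehdr = struct.pack(EHDR, ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0,
                       ehdr_size, 0, 0, ehdr_size, phdr_size, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR, *p) for p in phdrs) + dyn_bytes


def check_file(path: str) -> dict:
    """Run the checks on a real binary on disk."""
    with open(path, "rb") as f:
        return check_elf64(f.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_file(sys.argv[1]))
    else:
        # Same profile the notes show for ch37.bin: Partial RELRO, NX, PIE.
        print(check_elf64(build_elf64(pie=True, nx=True, relro="partial")))
```

Run it with a path argument to inspect a real binary, or without one to see the constructed sample. Comparing the result for a binary built with the flags above against one built with defaults shows each flag flipping a single header bit, which is also why these checks are cheap enough to run over every binary in a build pipeline.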

Disable ASLR: echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
