PWN (Binary Exploitation)

PWNing is the subtle art of manipulating the execution of a given binary away from what it was originally intended to do, into something a little more devious.


Programs

  • GDB (GNU Debugger)
    GDB is an essential tool when attacking a binary.
    GDB allows you to step through each instruction as the program executes.
    At the same time you can read/edit memory and call any function.
    The only proper way to use GDB is with PEDA (Python Exploit Development Assistance), a plugin that makes life easier.

  • Binary Ninja
    Visually seeing all the assembly code of a program and an expanded execution flow makes PWNing much easier.
    Although Binary Ninja costs money, there is a free trial and it is well worth the money.
    Radare is a free alternative to Binary Ninja that also has some functional overlap with GDB.

  • IDA Pro
    IDA Pro is the $16,000 (no joke) all-in-one "hey look I can do everything" tool.
    I'm just putting it here for the lolz.

Tools

  • Defuse Dis/Assembler
    Defuse is an online tool that lets you assemble assembly code into hex bytes and disassemble hex bytes back into assembly at will.
    This is very useful when writing shellcode.

  • Compiler Explorer
    Assembly code can seem very foreign at times. This site aims to alleviate some of that by showing exactly what each line of source code translates to in assembly.
    You also have the option to compile for different architectures such as x86, x86-64, MIPS, ARM, etc.

References

  • GDB Cheat Sheet
  • Shellcode
    Although beneficial for learning, most people do not write their own shellcode.
    Instead they use sites like this (also Shell-Storm).
    This site is a plethora of shellcode covering every architecture and purpose you can think of.

  • amd64 Calling Conventions
    As you progress through pwning, many challenge creators will opt to use amd64 (64-bit) over x86 (32-bit).
    This changes much of pwning, and this is a quick reference sheet for the calling conventions and register purposes.

  • Syscalls
    Syscalls are a way for a program to ask the kernel to perform a privileged operation such as read, write, open, and (our favorite) execve.
    You will probably not see raw syscalls during normal execution unless you are dealing with shellcode, since most programs go through the C library instead.

  • amd64 Syscalls
    When writing your own shellcode, setting up registers for syscalls can be a real pain.
    This site is a reference for each Linux syscall and the register setup necessary for proper execution.

  • Assembly Crash Course
    For anyone wanting to learn assembly on their own, this is a great starter guide.
    The Compiler Explorer is also very helpful along the way.

Guides/Writeups

  • Live Overflow
    Live Overflow is a great site for learning PWNing and reverse engineering.
    There are many tutorials/videos that go through the basics of assembly, vulnerabilities, and many more core concepts surrounding binaries.

  • Fuzz Security
    Fuzz Security provides loads of writeups covering many different CTF PWN challenges, as well as many other tutorials on exploitation.

  • hpx
    This site shows many writeups for high-level PWNing challenges.

Competitions

  • Pwnable.kr
    Pwnable is a wargames site dedicated to just pwning.
    Several of our challenges have come straight from them because they are so well done.
    Pwnable does very well in giving you exposure to different attacks on programs, as well as widening your problem-solving skills.