Hey, let’s go back to binary exploitation after a quick hiatus. I’ll talk about sigreturn-oriented programming today, or SROP for short. I managed to exploit a challenge using that technique today, and this post will be more or less a summary of what the technique does and what I learned while solving the challenge. …
Hey, it’s me again. Let’s continue our last article. What I’ll try to do today is talk about the tls_dtor_list, which is the list of functions executed during the exit sequence of a glibc program. This quick article is more of an issue report than real progress, but since I learned a …
Hey, let’s keep going on our exploitation journey by talking about off-by-one. I’ll quickly speak about stack-based off-by-one and heap-based off-by-one. It is a subject I understand but never really dug into, even though I have exploited stack off-by-one vulnerabilities before. What is an off-by-one? An off-by-one, if I had to …
Yo, it’s me again. It’s been almost one full month since we started this initiative. Let’s continue our return-oriented programming exploitation. Today we will try to build our ROP chain manually and exploit the same binary. Preparations I will recompile the binary with static linking to get a lot more gadgets, using the -static …
This article should be pretty easy with what we learned last time but we could end up being surprised. I’ll try to exploit the same vulnerability, this time using ROP rather than ret-to-libc. What is Return-oriented Programming (or ROP) Return-oriented programming is an exploitation technique relying on the program’s own code to execute arbitrary …
Hi, here’s a follow-up to the previous article I wrote on ret-to-libc. I found a solution to the issue I was having last time and I am finishing my exploit today. Previous bug and follow-up solution Last time, I had an issue where I overwrote the buffer; however, I was not able to …
Hi everybody, let’s start our binary learning adventure with ret-to-libc. A reminder about currently available protections on Linux Here I’ll list the basic binary protections I know of that can be difficult to bypass when exploiting a vulnerability. ASLR ASLR means Address Space Layout Randomization and it is a security feature added to Linux. What it …
Alright. That is a category I definitely will have to get into seriously since it has always been something I wanted to learn, something I always see in online CTF/security challenges or that I could see in a real environment in my field of work. I will probably forward some of the articles I will …