What is Binary Exploitation?
Binary Exploitation, commonly known as binex or pwn, is the process of crafting inputs (payloads) that cause a program to behave in a way the original programmer did not intend.
In binary exploitation challenges, we are provided a source binary, an executable file, and it's our job to craft a payload to achieve a desired result. In the case of CTF competitions, this is usually to print a "flag", a string of text that serves as the solution to the challenge.
Flags are usually stored in a flag.txt file in the same directory as the binary. The format of the flag depends on the creator of the challenge; in our case, we will use:
There are three common scenarios that you will find in CTF competitions:
The binary has a function called
win()
, or something similar, that contains instructions to print the flag.The binary loads the flag into memory, and we must leak it.
The flag is never loaded into memory, nor is it ever read. In this instance, we aim to obtain a shell on the remote server and read the file ourselves.
One of the most challenging parts of binary exploitation is determining what vulnerability the binary has, which directly corresponds to the exploit technique we're going to use.
The chapters of these lecture notes are distinguished by the security measure (or the opposite, the vulnerability) that the binary has. This way, by first checking the security measures of the binary, we'll have a firm idea of our attack vector.
Debugger Notes
The notes use gdb
as the primary decompiler. All the notes are based on gdb
. However, I am currently migrating the use of radare2
output into the notes. To not make the notes more confusing, I will continue to reference the gdb
output with respect to addresses and offsets. I am doing my best to include command names for both within the notes themselves.
Last updated