PWN methodology — LINUX
--
This is my current methodology for approaching targets during binary exploitation on Linux OS.
- It is maintained cheatsheet-like, so that it stays concise without getting too long.
- The methodology is for manual exploitation; tools such as AFL are not described.
- I will update this article from time to time with new notes.
0. Find suid targets: find / -perm -u=s -type f 2>/dev/null
1. Basic binary security checks and some bypasses:
a) ASLR — Partial Overwrite / Info Disclosure / Brute Force
b) DEP — mprotect() / ret2libc / ROP / Egghunter
c) RELRO — GOT overwrite / .fini_array overwrite / .dtors overwrite
d) PIE — Address leak / NOP Slide
e) Stack Canaries — Brute Force / Heap Overflows / Arbitrary Write
f) Architecture — 32-bit / 64-bit ?
g) Library linking — Dynamically / statically linked ?
h) Debugging info — Stripped / not stripped ?
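As an added example (not part of the original cheatsheet), here is a stand-alone Python script that derives the step-1 properties straight from the ELF headers, the way checksec does: NX (DEP), PIE, RELRO level, a canary heuristic, dynamic/static linking and whether the symbol table is present. It is equally useful on the defensive side for auditing which installed binaries lack hardening. It parses only ELF64 little-endian images; `build_sample_elf` is a constructed minimal fake ELF image (not a runnable program) so the script runs offline, and a real binary can be passed as a path argument instead.

```python
import struct
import sys

# ELF constants, values as defined in the ELF specification / <elf.h>
ET_DYN = 3
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
SHT_SYMTAB = 2
MACHINES = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def check_elf(data: bytes) -> dict:
    """Derive checksec-style hardening properties of an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise NotImplementedError("only ELF64 little-endian is parsed here")
    (e_type, e_machine, _, _, e_phoff, e_shoff, _, _, e_phentsize, e_phnum,
     e_shentsize, e_shnum, _) = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)

    # Program headers as (p_type, p_flags, p_offset, p_filesz)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags, p_offset, p_filesz))
    types = {p[0] for p in phdrs}

    # NX (DEP): stack is non-executable only if PT_GNU_STACK exists without PF_X
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    nx = bool(stack) and not (stack[0][1] & PF_X)

    # RELRO: PT_GNU_RELRO alone is partial RELRO; full RELRO additionally needs
    # BIND_NOW in the dynamic section so the GOT is resolved and made read-only at load.
    bind_now = False
    dyn = next((p for p in phdrs if p[0] == PT_DYNAMIC), None)
    if dyn is not None:
        off = dyn[2]
        while True:
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                bind_now = True
            off += 16
    relro = "none" if PT_GNU_RELRO not in types else ("full" if bind_now else "partial")

    # A .symtab section means the binary is not stripped (no section headers -> stripped)
    has_symtab = any(
        struct.unpack_from("<I", data, e_shoff + i * e_shentsize + 4)[0] == SHT_SYMTAB
        for i in range(e_shnum))

    return {
        "arch": MACHINES.get(e_machine, hex(e_machine)),
        "bits": 64,
        "linking": "dynamic" if dyn is not None or PT_INTERP in types else "static",
        "nx": nx,
        "pie": e_type == ET_DYN,  # for an executable, ET_DYN means PIE
        "relro": relro,
        # heuristic: canary-instrumented code references __stack_chk_fail
        "canary": b"__stack_chk_fail" in data,
        "stripped": not has_symtab,
    }


def build_sample_elf(exec_stack: bool = False, bind_now: bool = True) -> bytes:
    """Constructed minimal ELF64 image (not a runnable program) that exercises the checks."""
    def phdr(p_type, p_flags, off, size):
        return struct.pack("<IIQQQQQQ", p_type, p_flags, off, off, off, size, size, 8)

    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    dynamic = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0)
    dynamic += struct.pack("<qQ", DT_NULL, 0)
    marker = b"__stack_chk_fail\0"  # stands in for the dynsym reference

    hdr_size, n_ph = 64, 5
    interp_off = hdr_size + n_ph * 56          # program headers end here
    dyn_off = interp_off + len(interp) + 12    # dynamic array, 8-byte aligned
    body = interp + b"\0" * 12 + dynamic + marker
    total = interp_off + len(body)

    stack_flags = PF_R | PF_W | (PF_X if exec_stack else 0)
    phdrs = (phdr(PT_LOAD, PF_R | PF_X, 0, total)
             + phdr(PT_INTERP, PF_R, interp_off, len(interp))
             + phdr(PT_DYNAMIC, PF_R | PF_W, dyn_off, len(dynamic))
             + phdr(PT_GNU_STACK, stack_flags, 0, 0)
             + phdr(PT_GNU_RELRO, PF_R, dyn_off, len(dynamic)))

    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, little-endian
    header = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN, 62, 1, 0x1000,
                                 hdr_size, 0, 0, hdr_size, 56, n_ph, 64, 0, 0)
    return header + phdrs + body


def check_file(path: str) -> dict:
    with open(path, "rb") as f:
        return check_elf(f.read())


if __name__ == "__main__":
    # With a path argument, report that binary; otherwise show the constructed sample.
    result = check_file(sys.argv[1]) if len(sys.argv) > 1 else check_elf(build_sample_elf())
    for key, value in result.items():
        print(f"{key:>9}: {value}")
```

Run it as `python3 elfcheck.py /path/to/binary` to get the same answers the step-1 questions ask for; the `exec_stack` and `bind_now` parameters of the sample builder let you compare a hardened image (NX on, full RELRO) with a weak one (executable stack, partial RELRO). The canary check is a byte-string heuristic rather than a proper dynsym walk, and PIE is inferred from ET_DYN, which shared objects also use.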
2. Run the binary with:
a) no arguments
b) one argument
c) two and more arguments
d) data on stdin
e) buffer overflow string
f) format string
g) format string in a loop
h) remote format string or buffer overflow
3. Run the binary with:
a) ltrace — library call tracer
b) strace — system calls and signals tracer
c) gdb — The GNU Project Debugger
4. Decompile & disassembly of the binary:
a) using IDA / Ghidra / Hopper / Binary Ninja
b) disassembly text section
c) check sections
d) check…