Lyte's Blog

Bad code, bad humour and bad hair.

A Brief Look in to Exploiting Binaries on Modern Linux

Recently I’ve decided to start poking and prodding some security related CTFs (Capture The Flags).

Mainly I worked on the Stripe CTF (now closed) and I’m playing with Smash the Stack’s IO.

I’ve already learnt a few things along the way that I thought would have been useful to me in a cheat sheet like form, so here it is…


When compiling little snippets of C locally on my laptop I’ve found that quite often I’ve had to turn off a fair bit of protection to get the snippets to compile in just the right way.

To get 32 bit binaries (CTFs so far have been 32bit): $ gcc -m32 ... Note: you may need to install gcc-multilib on Ubuntu.

To turn off stack protection (are these canary values?): $ gcc -fno-stack-protector ...

To enable debugging symbols for use with GDB: $ gcc -ggdb ...

Normally GCC will produce binaries with stacks that are not executable, to enable executable stacks: $ execstack -s %binary_created_with_gcc%


Once you’ve figured out what shellcode is and why you need it, you’ll still need some way to store it in a string (probably a program argument), here’s the two main methods I’ve been using.

Using perl (seems to be a favourite amongst the community): $ /some/binary "$(perl -e 'printf "\x90" x 100')"

Straight from bash: $ /some/binary $'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'

objdump Figuring out a binaries format: $ objdump -t /foo/bar | grep 'file format' /foo/bar: file format elf32-i386

Getting the address of “main” from the symbol table: $ objdump -t /foo/bar | grep main 080483b4 g F .text 00000067 main