Recently I’ve decided to start poking and prodding some security related CTFs (Capture The Flags).
I’ve already learnt a few things along the way that I thought would have been useful to me in a cheat sheet like form, so here it is…
When compiling little snippets of C locally on my laptop I’ve found that quite often I’ve had to turn off a fair bit of protection to get the snippets to compile in just the right way.
To get 32 bit binaries (CTFs so far have been 32bit):
$ gcc -m32 ...
Note: you may need to install gcc-multilib on Ubuntu.
To turn off stack protection (are these canary values?):
$ gcc -fno-stack-protector ...
To enable debugging symbols for use with GDB:
$ gcc -ggdb ...
Normally GCC will produce binaries with stacks that are not executable, to enable executable stacks:
$ execstack -s %binary_created_with_gcc%
Once you’ve figured out what shellcode is and why you need it, you’ll still need some way to store it in a string (probably a program argument), here’s the two main methods I’ve been using.
Using perl (seems to be a favourite amongst the community):
$ /some/binary "$(perl -e 'printf "\x90" x 100')"
Straight from bash:
$ /some/binary $'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
Figuring out a binaries format:
$ objdump -t /foo/bar | grep 'file format'
/foo/bar: file format elf32-i386
Getting the address of “main” from the symbol table:
$ objdump -t /foo/bar | grep main
080483b4 g F .text 00000067 main