Share
## https://sploitus.com/exploit?id=CCE3F781-2E4B-59E2-9611-E68378B31EF1
# Binary Exploitation Framework

A comprehensive collection of tools and exploits for binary exploitation challenges, specifically targeting format string vulnerabilities, ROP chains, and stack-based attacks.

## What This Is

This repo contains all the exploitation tools and techniques I built while tackling a challenging CTF binary. The target was a 64-bit ELF with format string vulnerabilities, stack canaries, and some interesting protections that made exploitation non-trivial.

The project evolved through multiple phases as I discovered new defenses and had to adapt my approach. What started as a simple ROP chain turned into a deep dive into blind format string bugs, canary brute-forcing, and creative bypass techniques.

## Project Structure

```
.
โ”œโ”€โ”€ phase1_stack_leak.py              # Initial reconnaissance - leak detection
โ”œโ”€โ”€ phase2_got_libc_leak.py           # GOT/libc address extraction
โ”œโ”€โ”€ phase3_libc_offset_calculator.py  # Calculate offsets for ret2libc
โ”œโ”€โ”€ phase4_rop_exploit.py             # ROP chain construction
โ”œโ”€โ”€ canary_brute_force.py             # Byte-by-byte canary oracle attack
โ”œโ”€โ”€ silent_fsb_detector.py            # Detect blind format string bugs
โ”œโ”€โ”€ analyze_behavior.py               # Binary behavior analysis tool
โ””โ”€โ”€ docs/                             # Documentation and guides
```

## Key Features

### Exploitation Tools

**Format String Analysis**
- `silent_fsb_detector.py` - Detects blind/silent format string bugs where output is suppressed
- `format_string_leak_full.py` - Comprehensive leak scanner for stack/libc/canary values
- `quick_fsb_test.py` - Fast format string vulnerability tester
- `test_fsb_variants.py` - Tests different format specifier variants

**Stack Canary Attacks**
- `canary_brute_force.py` - Implements byte-by-byte canary brute-forcing using crash oracle
- Expects ~1,792 connection attempts to recover 7-byte canary
- Uses connection termination as oracle signal

**ROP Chain Development**
- `phase4_rop_exploit.py` - Complete ROP chain builder with stack alignment
- `improved_rop_exploit.py` - Enhanced version with better reliability
- `phase4_advanced_rop.py` - Advanced techniques including ret2csu

**Memory Analysis**
- `analyze_behavior.py` - Interactive binary behavior analyzer
- `memory_structure_analysis.py` - Stack layout and memory structure mapper
- `analyze_libc.py` - Libc version detection and offset calculation

### Utilities

- `simple_overflow_test.py` - Finds exact crash points for buffer overflows
- `diagnostic_tool.py` - Raw format string response analyzer
- `binary_info.py` - Extracts binary metadata and security features

## Techniques Implemented

### 1. Format String Exploitation

The binary had a classic `sprintf(dest, user_input)` vulnerability. However, output was often suppressed (blind FSB), requiring different leak strategies.

**Detection**: Test format specifiers and check if values leak
```python
# Test if format strings work
payload = b"%x.%x.%x"
# Response: "39be5a20.20.14" -> Working FSB
```

**Leak Strategy**: Use sequential `%p` or `%x` to walk the stack since direct parameter access (`%$`) might not work.

### 2. Stack Canary Bypass

When canaries couldn't be leaked via format strings (blind FSB), implemented a brute-force oracle attack.

**Technique**: Test each canary byte individually
- Send overflow with known good bytes + candidate byte
- Connection closes = wrong byte (canary check failed)
- Connection stays open = correct byte
- Repeat for all 7 bytes (LSB is always 0x00)

**Time Complexity**: O(256 * 7) = ~1,792 attempts, takes 15-30 minutes

### 3. ROP Chain Construction

Built return-oriented programming chains to execute system("/bin/sh").

**Requirements**:
- Libc base address
- Stack canary value (if enabled)
- Gadgets: `pop rdi; ret`, `ret` (for alignment)
- Target offsets: `system()`, `/bin/sh` string

**Payload Structure**:
```
[72 bytes padding][8 byte canary][8 byte RBP][ROP chain...]
```

### 4. Blind Exploitation

When standard techniques failed, implemented blind exploitation methods:
- Timing-based attacks
- Crash oracle detection
- Response length analysis
- Connection state monitoring

## Technical Details

### Target Binary

```
File: nulled
Arch: x86-64 (64-bit)
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (base 0x400000)
```

### Libc Version

```
GLIBC 2.27 (Ubuntu 2.27-3ubuntu1.6)
```

### Critical Offsets

```
system():     0x4f4e0
/bin/sh:      0x1b3d88
pop rdi; ret: 0x2155f
ret:          0x937
```

## Usage Examples

### Detect Blind FSB

```bash
python3 silent_fsb_detector.py
```

Tests 16 different format string payloads and analyzes responses to determine if output is being suppressed.

### Brute Force Canary

```bash
python3 canary_brute_force.py
```

Performs byte-by-byte canary recovery. Takes 15-30 minutes depending on network conditions.

### Analyze Binary Behavior

```bash
python3 analyze_behavior.py
```

Sends various payloads (format strings, command injection, shellcode patterns) to understand binary behavior.

### Quick Format String Test

```bash
python3 quick_fsb_test.py
```

Fast scan of format string offsets 1-15 to find interesting leaks (libc, canary, binary addresses).

## Documentation

- `FORMAT_STRING_GUIDE.md` - Complete guide to format string exploitation
- `PHASE4_ROP_GUIDE.md` - ROP chain construction methodology
- `EXPLOITATION_FLOW.txt` - Step-by-step exploitation workflow
- `BYPASS_TECHNIQUES.md` - Advanced bypass techniques for modern protections

## Lessons Learned

1. **Not All FSBs Are Equal** - Blind format string bugs require completely different exploitation strategies
2. **Canary Brute-Forcing Works** - When leaks fail, brute force is still viable for network services
3. **Stack Alignment Matters** - System calls often fail without proper 16-byte stack alignment
4. **Tool Iteration** - Built 40+ different exploit variants, each teaching something new
5. **Fallback Strategies** - Always have multiple exploitation paths (FSB leak, brute force, timing, etc)

## Future Improvements

- [ ] Add one-gadget RCE support
- [ ] Implement ret2dlresolve for cases with limited gadgets
- [ ] Add support for ASLR brute-forcing
- [ ] Create automated exploitation pipeline
- [ ] Add support for ARM/MIPS architectures

## Requirements

```bash
# Basic Python (no pwntools required)
python3

# Optional (for enhanced features)
pip3 install pwntools
```

All core exploits work with pure Python and standard library - no external dependencies required.

## Credits

Built during USCC CyberBowl 2025 CTF challenges.

## License

MIT - Use freely for educational purposes and CTF competitions.