## https://sploitus.com/exploit?id=CCE3F781-2E4B-59E2-9611-E68378B31EF1
# Binary Exploitation Framework
A comprehensive collection of tools and exploits for binary exploitation challenges, specifically targeting format string vulnerabilities, ROP chains, and stack-based attacks.
## What This Is
This repo contains all the exploitation tools and techniques I built while tackling a challenging CTF binary. The target was a 64-bit ELF with format string vulnerabilities, stack canaries, and some interesting protections that made exploitation non-trivial.
The project evolved through multiple phases as I discovered new defenses and had to adapt my approach. What started as a simple ROP chain turned into a deep dive into blind format string bugs, canary brute-forcing, and creative bypass techniques.
## Project Structure
```
.
โโโ phase1_stack_leak.py # Initial reconnaissance - leak detection
โโโ phase2_got_libc_leak.py # GOT/libc address extraction
โโโ phase3_libc_offset_calculator.py # Calculate offsets for ret2libc
โโโ phase4_rop_exploit.py # ROP chain construction
โโโ canary_brute_force.py # Byte-by-byte canary oracle attack
โโโ silent_fsb_detector.py # Detect blind format string bugs
โโโ analyze_behavior.py # Binary behavior analysis tool
โโโ docs/ # Documentation and guides
```
## Key Features
### Exploitation Tools
**Format String Analysis**
- `silent_fsb_detector.py` - Detects blind/silent format string bugs where output is suppressed
- `format_string_leak_full.py` - Comprehensive leak scanner for stack/libc/canary values
- `quick_fsb_test.py` - Fast format string vulnerability tester
- `test_fsb_variants.py` - Tests different format specifier variants
**Stack Canary Attacks**
- `canary_brute_force.py` - Implements byte-by-byte canary brute-forcing using crash oracle
- Expects ~1,792 connection attempts to recover 7-byte canary
- Uses connection termination as oracle signal
**ROP Chain Development**
- `phase4_rop_exploit.py` - Complete ROP chain builder with stack alignment
- `improved_rop_exploit.py` - Enhanced version with better reliability
- `phase4_advanced_rop.py` - Advanced techniques including ret2csu
**Memory Analysis**
- `analyze_behavior.py` - Interactive binary behavior analyzer
- `memory_structure_analysis.py` - Stack layout and memory structure mapper
- `analyze_libc.py` - Libc version detection and offset calculation
### Utilities
- `simple_overflow_test.py` - Finds exact crash points for buffer overflows
- `diagnostic_tool.py` - Raw format string response analyzer
- `binary_info.py` - Extracts binary metadata and security features
## Techniques Implemented
### 1. Format String Exploitation
The binary had a classic `sprintf(dest, user_input)` vulnerability. However, output was often suppressed (blind FSB), requiring different leak strategies.
**Detection**: Test format specifiers and check if values leak
```python
# Test if format strings work
payload = b"%x.%x.%x"
# Response: "39be5a20.20.14" -> Working FSB
```
**Leak Strategy**: Use sequential `%p` or `%x` to walk the stack since direct parameter access (`%$`) might not work.
### 2. Stack Canary Bypass
When canaries couldn't be leaked via format strings (blind FSB), implemented a brute-force oracle attack.
**Technique**: Test each canary byte individually
- Send overflow with known good bytes + candidate byte
- Connection closes = wrong byte (canary check failed)
- Connection stays open = correct byte
- Repeat for all 7 bytes (LSB is always 0x00)
**Time Complexity**: O(256 * 7) = ~1,792 attempts, takes 15-30 minutes
### 3. ROP Chain Construction
Built return-oriented programming chains to execute system("/bin/sh").
**Requirements**:
- Libc base address
- Stack canary value (if enabled)
- Gadgets: `pop rdi; ret`, `ret` (for alignment)
- Target offsets: `system()`, `/bin/sh` string
**Payload Structure**:
```
[72 bytes padding][8 byte canary][8 byte RBP][ROP chain...]
```
### 4. Blind Exploitation
When standard techniques failed, implemented blind exploitation methods:
- Timing-based attacks
- Crash oracle detection
- Response length analysis
- Connection state monitoring
## Technical Details
### Target Binary
```
File: nulled
Arch: x86-64 (64-bit)
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (base 0x400000)
```
### Libc Version
```
GLIBC 2.27 (Ubuntu 2.27-3ubuntu1.6)
```
### Critical Offsets
```
system(): 0x4f4e0
/bin/sh: 0x1b3d88
pop rdi; ret: 0x2155f
ret: 0x937
```
## Usage Examples
### Detect Blind FSB
```bash
python3 silent_fsb_detector.py
```
Tests 16 different format string payloads and analyzes responses to determine if output is being suppressed.
### Brute Force Canary
```bash
python3 canary_brute_force.py
```
Performs byte-by-byte canary recovery. Takes 15-30 minutes depending on network conditions.
### Analyze Binary Behavior
```bash
python3 analyze_behavior.py
```
Sends various payloads (format strings, command injection, shellcode patterns) to understand binary behavior.
### Quick Format String Test
```bash
python3 quick_fsb_test.py
```
Fast scan of format string offsets 1-15 to find interesting leaks (libc, canary, binary addresses).
## Documentation
- `FORMAT_STRING_GUIDE.md` - Complete guide to format string exploitation
- `PHASE4_ROP_GUIDE.md` - ROP chain construction methodology
- `EXPLOITATION_FLOW.txt` - Step-by-step exploitation workflow
- `BYPASS_TECHNIQUES.md` - Advanced bypass techniques for modern protections
## Lessons Learned
1. **Not All FSBs Are Equal** - Blind format string bugs require completely different exploitation strategies
2. **Canary Brute-Forcing Works** - When leaks fail, brute force is still viable for network services
3. **Stack Alignment Matters** - System calls often fail without proper 16-byte stack alignment
4. **Tool Iteration** - Built 40+ different exploit variants, each teaching something new
5. **Fallback Strategies** - Always have multiple exploitation paths (FSB leak, brute force, timing, etc)
## Future Improvements
- [ ] Add one-gadget RCE support
- [ ] Implement ret2dlresolve for cases with limited gadgets
- [ ] Add support for ASLR brute-forcing
- [ ] Create automated exploitation pipeline
- [ ] Add support for ARM/MIPS architectures
## Requirements
```bash
# Basic Python (no pwntools required)
python3
# Optional (for enhanced features)
pip3 install pwntools
```
All core exploits work with pure Python and standard library - no external dependencies required.
## Credits
Built during USCC CyberBowl 2025 CTF challenges.
## License
MIT - Use freely for educational purposes and CTF competitions.