Exploit Development

These commands are useful for finding vulnerabilities and speeding up the exploit development process.

format-string-helper

The format string helper is a tool for detecting format string vulnerabilities. It adds breakpoints at the start of printf and similar functions. If a potentially vulnerable format string is found, the breakpoint will trigger.

We use the 0x241 - format binary for this example.

gef➤ format-string-helper
[+] Enabled 5 FormatString breakpoints

If we continue the program, we see there is a potential format string bug:

──────────────────────────────────────────────────────────────── trace ────
[#0] 0xf7c57a90 → printf()
[#1] 0x80491fb → main()
──────────────────────────────────────────────────────────────── extra ────
[*] Format string helper
Possible insecure format string: printf('[sp + 0x4]' 0xffffd57c: 'AAAA\n')
Reason: Call to 'printf()' with format string argument in position #0 is in page 0xfffdd000 ([stack]) that has write permission
───────────────────────────────────────────────────────────────────────────

Because the helper places its breakpoint inside printf, the simplest next step is finish, which runs until printf returns to the caller. From there we can inspect the disassembly around the call site to confirm whether the format string really is attacker-controlled.

0x80491f2 <main+76>  lea  eax, [ebp-0x6c]
0x80491f5 <main+79>  push eax
0x80491f6 <main+80>  call 0x8049050 <printf@plt>

The only argument pushed before the call is a pointer into the stack buffer at ebp-0x6c, so the buffer itself is used as the format string: this is a format string bug.

search-pattern

search-pattern is a more user-friendly replacement for GDB's built-in find command. It searches for the pattern across all memory segments of every loaded file (the binary and its libraries), not just a single range.

gef➤ search-pattern "/bin/cat flag.txt"
[+] Searching '/bin/cat flag.txt' in memory
[+] In '/ironforge/split'(0x601000-0x602000), permission=rw-
  0x601060 - 0x601071  "/bin/cat flag.txt"
gef➤ search-pattern "/bin/sh"
[+] Searching '/bin/sh' in memory
[+] In '/usr/lib/x86_64-linux-gnu/libc.so.6'(0x7ffff7dbd000-0x7ffff7e15000), permission=r--
  0x7ffff7dd8698 - 0x7ffff7dd869f  "/bin/sh"

You can still restrict the search to an explicit address range, or to a named mapping such as libc:

gef➤ search-pattern "/bin/cat flag.txt" little 0x600000-0x602000
[+] Searching '/bin/cat flag.txt' in 0x600000-0x602000
[+] In '/ironforge/split'(0x600000-0x601000), permission=r--
  0x601060 - 0x601071  "/bin/cat flag.txt"
gef➤ search-pattern "/bin/sh" little libc
[+] Searching '/bin/sh' in libc
[+] In '/usr/lib/x86_64-linux-gnu/libc.so.6'(0x7ffff7dbd000-0x7ffff7e15000), permission=r--
  0x7ffff7dd8698 - 0x7ffff7dd869f  "/bin/sh"

Info
search-pattern walks the memory of the running process, including the libraries mapped into it. It can therefore only be used at runtime, once the process has been started.
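The two checks above (the helper's "format string in a writable page" rule and a search across every mapped segment) can be reproduced outside GDB. The following Python is an added example, not GEF's own code: it parses a constructed /proc/<pid>/maps listing, applies the writable-mapping rule to a format string address, and searches (Region, bytes) pairs for a pattern; the sample mappings, the libc bytes and the treatment of integer patterns with an endianness argument are my assumptions.

```python
import re
from collections import namedtuple

Region = namedtuple("Region", "start end perms name")
# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")

def parse_maps(text):
    """Turn /proc/<pid>/maps-style text into Region tuples."""
    regions = []
    for line in text.strip().splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            regions.append(Region(int(m[1], 16), int(m[2], 16), m[3], m[4] or "<anon>"))
    return regions

def region_of(regions, addr):
    """Return the mapping that contains addr, or None."""
    return next((r for r in regions if r.start <= addr < r.end), None)

def format_string_reason(regions, fmt_addr, func="printf", pos=0):
    """The helper's rule: a format string in a writable mapping is suspect.
    Returns the reason text, or None for a read-only one (e.g. a .rodata literal)."""
    r = region_of(regions, fmt_addr)
    if r is None or "w" not in r.perms:
        return None
    return (f"Call to '{func}()' with format string argument in position #{pos} "
            f"is in page {r.start:#x} ({r.name}) that has write permission")

def search_pattern(segments, pattern, endian="little"):
    """Find every occurrence of pattern across (Region, bytes) pairs, i.e. all
    mapped segments; an int pattern is encoded in the given byte order first."""
    if isinstance(pattern, int):
        pattern = pattern.to_bytes((pattern.bit_length() + 7) // 8, endian)
    hits = []
    for region, data in segments:
        off = data.find(pattern)
        while off != -1:
            hits.append((region.name, region.start + off, region.start + off + len(pattern)))
            off = data.find(pattern, off + 1)
    return hits

# Constructed sample mappings (not a real process): the stack and a read-only libc range.
SAMPLE_MAPS = """
fffdd000-ffffe000 rw-p 00000000 00:00 0          [stack]
f7dbd000-f7e15000 r--p 00000000 08:01 1234       /usr/lib/libc.so.6
"""
REGIONS = parse_maps(SAMPLE_MAPS)
# Constructed libc contents with "/bin/sh" placed at offset 0x1b698 into the mapping.
LIBC_BYTES = b"\x00" * 0x1B698 + b"/bin/sh\x00" + b"\x00" * 16
```

A format string whose address falls in the [stack] mapping produces the same reason text the helper printed above, while one inside the read-only libc range is not flagged.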

shellcode

This command provides a command-line interface for the Shellstorm Database. It allows you to search for shellcode and download it directly into the debugged process. There are two subcommands: search and get.

gef➤ shellcode search linux x86-64
[+] Showing matching shellcodes
[+] Id   Platform      Description
907  Linux/x86-64  Dynamic null-free reverse TCP shell - 65 bytes
905  Linux/x86-64  execveat("/bin//sh") - 29 bytes
896  Linux/x86-64  Add map in /etc/hosts file - 110 bytes
895  Linux/x86-64  Connect Back Shellcode - 139 bytes
894  Linux/x86-64  access() Egghunter - 49 bytes
892  Linux/x86-64  Shutdown - 64 bytes
891  Linux/x86-64  Read password - 105 bytes
890  Linux/x86-64  Password Protected Reverse Shell - 136 bytes
889  Linux/x86-64  Password Protected Bind Shell - 147 bytes
888  Linux/x86-64  Add root - Polymorphic - 273 bytes
884  Linux/x86-64  Bind TCP stager with egghunter - 157 bytes
880  Linux/x86-64  Add user and password with open,write,close - 358 bytes
879  Linux/x86-64  Add user and password with echo cmd - 273 bytes
878  Linux/x86-64  Read /etc/passwd - 82 bytes
877  Linux/x86-64  shutdown -h now - 65 bytes
873  Linux/x86-64  TCP Bind 4444 with password - 173 bytes
871  Linux/x86-64  TCP reverse shell with password - 138 bytes
870  Linux/x86-64  TCP bind shell with password - 175 bytes
867  Linux/x86-64  Reads data from /etc/passwd to /tmp/outfile - 118 bytes
859  Linux/x86-64  shell bind TCP random port - 57 bytes
858  Linux/x86-64  TCP bind shell - 150 bytes
857  Linux/x86-64  Reverse TCP shell - 118 bytes
801  Linux/x86-64  add user with passwd - 189 bytes
683  Linux/x86-64  execve(/sbin/iptables, [/sbin/iptables, -F], NULL) - 49 bytes
806  Linux/x86-64  Execute /bin/sh - 27 bytes
822  Linux/x86-64  bind-shell with netcat - 131 bytes
823  Linux/x86-64  connect back shell with netcat - 109 bytes
815  Linux/x86-64  setreuid(0,0) execve(/bin/ash,NULL,NULL) + XOR - 85 bytes
816  Linux/x86-64  setreuid(0,0) execve(/bin/csh, [/bin/csh, NULL]) + XOR - 87 bytes
817  Linux/x86-64  setreuid(0,0) execve(/bin/ksh, [/bin/ksh, NULL]) + XOR - 87 bytes
818  Linux/x86-64  setreuid(0,0) execve(/bin/zsh, [/bin/zsh, NULL]) + XOR - 87 bytes
78   Linux/x86-64  bindshell port:4444 shellcode - 132 bytes
77   Linux/x86-64  setuid(0) + execve(/bin/sh) 49 bytes
76   Linux/x86-64  execve(/bin/sh, [/bin/sh], NULL) - 33 bytes
603  Linux/x86-64  execve(/bin/sh); - 30 bytes
602  Linux/x86-64  reboot(POWER_OFF) - 19 bytes
605  Linux/x86-64  sethostname() & killall - 33 bytes
[+] Use `shellcode get <id>` to fetch shellcode

Use shellcode get with an ID from the search results to download that shellcode; GEF writes it to a file on disk.

gef➤ shellcode get 806
[+] Downloading shellcode id=806
[+] Downloaded, written to disk...
[+] Shellcode written to '/tmp/gef/sc-7yvmnvyp.txt'

Inside gdb, the shell command spawns an interactive shell without ending your gdb session, so you can inspect the downloaded file and return with exit.

gef➤ shell
$ cat /tmp/gef/sc-7yvmnvyp.txt
...
char code[] = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05";
...
$ exit
gef➤