Dynamic or live demonstration of classical exploitation techniques of typical memory corruption vulnerabilities, from debugging to payload generation and exploitation, for educational purposes.
BinTut is a set of tutorials, as well as exercises.
See Get Started for usage information.
If you are a fan of Faiz, Burst Mode or Single Mode should sound familiar and inspiring.
Watch and replay to obtain a general understanding of the process. Use -b / --burst to control the interval (in seconds). Note that -b0 means Single Mode, which is the default.
Play and examine various contents such as the stack, registers or memory addresses, carefully and step by step, to acquire comprehensive and detailed knowledge of the process. Use Enter or Ctrl + D to step.
You can execute normal GDB commands via the prompt. But note that BinTut won't synchronize the display when you execute state-changing commands, e.g. stepi or nexti, which are discouraged for the time being.
Another piece of bad news is that readline does not work, and I can't figure out the reason.
Write exploits that work outside debuggers when you understand the principles and techniques via watching and replaying (i.e. rewatching), careful playing (i.e., Single Mode), and most importantly, reading the source code responsible for exploit generation, which resides in a file named exploits.py.
pip install bintut may or may not work for the time being. Therefore it's recommended to just clone this repository and run it without installation, as long as the necessary libraries are installed by pip install -r requirements.txt.
The current version of Arch Linux ships GDB with Python 3, in which I developed BinTut. Version 0.2.1 should work fine.
Fedora 23 Workstation comes with GDB with Python 3; this has been tested, and BinTut version 0.2.1 is known to work properly, as on Arch Linux.
Install glibc.i686 to support 32-bit programs if needed.
sudo dnf install glibc.i686
Install BinTut from PyPI.
sudo pip3 install bintut
Give it a try.
bintut -b0.1 frame-faking
GDB from the stable branch of Debian ships with Python 2, where BinTut 0.2.1 does not work. The latest source from Git works with minor problems.
Add support for 32-bit programs if necessary.
sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt-get install libc6:i386
Clone the latest source code from Git and install the requirements.
git clone https://github.com/NoviceLive/bintut.git
cd bintut
sudo apt-get install python-pip gdb
pip2 install -r requirements.txt
Run it without installation.
python2 ./bintut.py -b0.1 frame-faking
Python scripting support is required.
BinTut is developed with Python 3, but it's intended to be Python 2 compatible.
Therefore, when Python 2 yells at you, feel free to create an issue or send me a pull request.
- Can't display disassembly after returning to shellcode.
- Can't print the payload for some courses.
Show information about binary files and find gadgets to build rop chains for different architectures.
Python library for analyzing ELF files and DWARF debugging information.
Customizable Lazy Exploit Pattern Utility.
Simple cross-platform colored terminal text in Python.
Python composable command line utility.
See bintut --help and give it a shot via bintut --burst 0.1 frame-faking.
./bintut.py --help
Usage: bintut.py [OPTIONS] [COURSE]

  Teach You A Binary Exploitation For Great Good.

Options:
  -V, --version      Show the version and exit.
  -l, --list         List available courses.
  -6, --x64          Use x64 courses.
  -A, --aslr         Enable ASLR.
  -b, --burst FLOAT  Use this burst mode interval.  [default: 0]
  -v, --verbose      Be verbose.
  -q, --quiet        Be quiet.
  -h, --help         Show this message and exit.
Other courses might be added later.
Return to plain shellcode.
Linux x86 / x64.
NX: Disabled.
ASLR: Disabled.
Stack Protector: Disabled.
2. nop-slide
Return to NOPs plus shellcode.
Linux x86 / x64.
NX: Disabled.
ASLR: Disabled.
Stack Protector: Disabled.
This course is not demonstrative enough and shall be updated when the author finds a scenario where nop-slide really stands out.
Return to shellcode via JMP ESP / RSP.
Linux x86 / x64.
NX: Disabled.
ASLR: Disabled.
Stack Protector: Disabled.
4. ret2lib
Return to functions.
Linux x86.
NX: Enabled.
ASLR: Disabled.
Stack Protector: Disabled.
On both Linux and Windows, the x64 ABI, unlike that of x86, passes some arguments in registers (the first six integer arguments on Linux, the first four on Windows), and those registers cannot be controlled without resorting to certain gadgets.
Therefore, it may be discussed in the section for ROP.
Return to chained functions via LEAVE RET gadget.
Linux x86.
NX: Enabled.
ASLR: Disabled.
Stack Protector: Disabled.
See Notes for x64.
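Each course above is keyed on whether NX, ASLR and the stack protector are on or off, so it is worth being able to confirm those properties of a target binary before starting. The following is an added example, not BinTut's own code: it reads the ELF headers directly with `struct` and applies the usual checksec-style heuristics (a PT_GNU_STACK header without PF_X means NX, ET_DYN means the binary is PIE and therefore gets a randomised base when ASLR is on, and a reference to `__stack_chk_fail` means the stack protector was compiled in). BinTut's own -A flag toggles system-wide ASLR; the PIE check here is the binary-side property. The `build_sample_elf64` helper constructs a header-only ELF image (not a runnable program) so the checker can be exercised offline; little-endian ELF32/ELF64 is all it handles.

```python
"""Report the NX, PIE (ASLR-ready) and stack-protector state of an ELF binary.

Added example for this README, not BinTut's own code. Heuristics are the
checksec ones: PT_GNU_STACK flags for NX, ET_DYN for PIE and a
__stack_chk_fail symbol for the stack protector. Little-endian ELF only.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
SHT_SYMTAB, SHT_STRTAB, SHT_DYNSYM = 2, 3, 11

# Per ELF class: (ehdr fmt after e_ident, phdr fmt, index of p_flags in phdr,
# shdr fmt, symbol fmt). Field order of ehdr and shdr is the same in both classes.
LAYOUT = {
    1: ("<HHIIIIIHHHHHH", "<IIIIIIII", 6, "<IIIIIIIIII", "<IIIBBH"),  # ELF32
    2: ("<HHIQQQIHHHHHH", "<IIQQQQQQ", 1, "<IIQQQQIIQQ", "<IBBHQQ"),  # ELF64
}


def _symbol_names(data, shdrs, sym_fmt):
    """Collect every symbol name from the SHT_SYMTAB / SHT_DYNSYM sections."""
    names = set()
    for sh in shdrs:
        if sh[1] not in (SHT_SYMTAB, SHT_DYNSYM):
            continue
        strtab = shdrs[sh[6]]              # sh_link points at the string table
        sym_off, sym_size = sh[4], sh[5]
        entsize = sh[9] or struct.calcsize(sym_fmt)
        for off in range(sym_off, sym_off + sym_size, entsize):
            st_name = struct.unpack_from(sym_fmt, data, off)[0]
            start = strtab[4] + st_name
            names.add(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
    return names


def check_mitigations(data: bytes) -> dict:
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[5] != 1:
        raise ValueError("only little-endian ELF is handled here")
    ehdr_fmt, phdr_fmt, pflags_idx, shdr_fmt, sym_fmt = LAYOUT[data[4]]
    eh = struct.unpack_from(ehdr_fmt, data, 16)
    e_type, e_phoff, e_shoff = eh[0], eh[4], eh[5]
    e_phentsize, e_phnum, e_shentsize, e_shnum = eh[8], eh[9], eh[10], eh[11]

    # A missing PT_GNU_STACK header is reported as "no NX": that is the legacy
    # executable-stack behaviour and matches what checksec reports.
    nx = False
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_STACK:
            nx = not (ph[pflags_idx] & PF_X)

    shdrs = [struct.unpack_from(shdr_fmt, data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    return {
        "nx": nx,
        "pie": e_type == ET_DYN,
        "canary": "__stack_chk_fail" in _symbol_names(data, shdrs, sym_fmt),
    }


def build_sample_elf64(*, nx: bool, pie: bool, canary: bool) -> bytes:
    """Constructed minimal ELF64 image (headers plus a symbol table, not a
    runnable program) so the checker can be exercised offline."""
    offsets, strtab = [], b""
    for name in ("", "puts", "__stack_chk_fail" if canary else "printf"):
        offsets.append(len(strtab))
        strtab += name.encode() + b"\0"
    symtab = b"".join(struct.pack("<IBBHQQ", off, 0x12, 0, 0, 0, 0) for off in offsets)
    phoff, phdr_size, shdr_size = 64, 56, 64
    symtab_off = phoff + phdr_size
    strtab_off = symtab_off + len(symtab)
    shoff = strtab_off + len(strtab)
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
            + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0,
                          phoff, shoff, 0, 64, phdr_size, 1, shdr_size, 3, 0))
    stack_flags = PF_R | PF_W | (0 if nx else PF_X)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    shdrs = (bytes(shdr_size)  # mandatory null section header
             + struct.pack("<IIQQQQIIQQ", 0, SHT_DYNSYM, 0, 0, symtab_off, len(symtab), 2, 1, 8, 24)
             + struct.pack("<IIQQQQIIQQ", 0, SHT_STRTAB, 0, 0, strtab_off, len(strtab), 0, 0, 1, 0))
    return ehdr + phdr + symtab + strtab + shdrs


if __name__ == "__main__":
    # With a path argument inspect that file; otherwise inspect a constructed
    # image matching the "everything disabled" rows of the course list.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_sample_elf64(nx=False, pie=False, canary=False)
    for name, enabled in check_mitigations(image).items():
        print(f"{name:7} {'enabled' if enabled else 'disabled'}")
```

Run it as `python3 check_elf.py ./some-binary` against a course's target to confirm it matches the NX / ASLR / Stack Protector row for that course; the canary heuristic can miss a statically linked binary where the failure handler is not an imported symbol, which is the same limitation checksec has.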
Create issues.
BinTut may or may not work on your system, but bug reports with necessary information are always welcome.