Teach You A Binary Exploitation For Great Good.
Project description
BinTut
Dynamic or live demonstration of classical exploitation techniques of typical memory corruption vulnerabilities, from debugging to payload generation and exploitation, for educational purposes :yum:.
What’s BinTut
BinTut is a set of tutorials, as well as exercises.
Tutorials
See Get Started for usage information.
If you are a fan of Faiz, Burst Mode or Single Mode should sound familiar and inspiring.
Burst Mode
Watch and replay to obtain general understanding of the process.
Use -b / --burst to control the interval (in seconds). Note that -b0 means Single Mode, which is the default.
Single Mode
Play and examine various contents such as the stack, registers or memory addresses, carefully and step by step, to acquire comprehensive and detailed knowledge of the process.
Use Enter or Ctrl + D to step.
You can execute normal GDB commands via the promt. But note that BinTut won’t synchronize the display when you execute state-changing commands, e.g. stepi or nexti, which are discouraged for the time being.
Another bad news is that readline does not work :scream:, and I can’t figure out the reason :scream:.
Exercises
Write exploits that work outside debuggers when you understand the principles and techniques via watching and replaying (i.e. rewatching), careful playing (i.e., Single Mode), and most importantly, reading the source code responsible for exploit generation, which resides in a file named exploits.py.
Installation
pip install bintut may or may not work for the time being.
Therefore it’s recommended to just clone this repository and run without installation as long as necessary libraries are installed by pip install -r requirements.txt.
Tested Platforms
Arch Linux
Current version of Arch Linux ships GDB with Python 3, in which I developed BinTut.
Version 0.2.1 should work fine.
Fedora
Fedora 23 Workstation comes with GDB with Python 3, which has been tested and BinTut version 0.2.1 is known to work properly as in Arch Linux.
Install glibc.i686 to support 32-bit programs if needed.
sudo dnf install glibc.i686
Install BinTut from PyPI.
sudo pip3 install bintut
Give it a try.
bintut -b0.1 frame-faking
Debian
GDB from the stable branch of Debian ships with Python 2, where BinTut 0.2.1 does not work.
Lastest source from Git works with minor problems.
Add support to 32-bit programs if necessary.
sudo dpkg --add-architecture i386 sudo apt-get update sudo apt-get install libc6:i386
Clone the lastest source code from Git and install requirements.
git clone https://github.com/NoviceLive/bintut.git cd bintut sudo apt-get install python-pip gdb pip2 install -r requirements.txt
Run it without installation.
python2 ./bintut.py -b0.1 frame-faking
Requirements
GDB
Python scripting support is required.
BinTut is developed with Python 3, but it’s intended to be Python 2 compatible.
Therefore, when Python 2 yells at you, feel free to create an issue or send me a pull request.
Known unresolved issues existing on Python 2
Can’t display disassembly after returning to shellcode.
Can’t print the payload for some courses.
Ropper
Show information about binary files and find gadgets to build rop chains for different architectures.
pyelftools
Python library for analyzing ELF files and DWARF debugging information.
Pat
Customizable Lazy Exploit Pattern Utility.
Colorama
Simple cross-platform colored terminal text in Python.
Click
Python composable command line utility.
Get Started
See bintut --help and give it a shot via bintut --burst 0.1 frame-faking.
./bintut.py --help Usage: bintut.py [OPTIONS] [COURSE] Teach You A Binary Exploitation For Great Good. Options: -V, --version Show the version and exit. -l, --list List available courses. -6, --x64 Use x64 courses. -A, --aslr Enable ASLR. -b, --burst FLOAT Use this burst mode interval. [default: 0] -v, --verbose Be verbose. -q, --quiet Be quiet. -h, --help Show this message and exit.
Available Courses
Other courses might be added later.
Stack-based buffer overflow
1. plain
Return to plain shellcode.
Linux x86 / x64.
NX: Disabled.
ASLR: Disabled.
Stack Protector: Disabled.
2. nop-slide
Return to NOPs plus shellcode.
Linux x86 / x64.
NX: Disabled.
ASLR: Disabled.
Stack Protector: Disabled.
This course is not demonstrative enough and shall be updated when the author finds a scenario where nop-slide really stands out.
3. jmp-esp
Return to shellcode via JMP ESP / RSP.
Linux x86 / x64.
NX: Disabled.
ASLR: Disabled.
Stack Protector: Disabled.
4. ret2lib
Return to functions.
Linux x86.
NX: Enabled.
ASLR: Disabled.
Stack Protector: Disabled.
Notes for x64
Either on Linux or Windows, the ABI of x64, unlike that of x86, passes some arguments, first six or four integral arguments on Linux or Windows respectively, via registers, which may not be controlled without resort to certain gadgets.
Therefore, it may be discussed in the section for ROP.
5. frame-faking
Return to chained functions via LEAVE RET gadget.
Linux x86.
NX: Enabled.
ASLR: Disabled.
Stack Protector: Disabled.
Notes for x64
See Notes for x64.
Bug Reports
Create issues.
BinTut may or may not work on your system, but bug reports with necessary information are always welcome.
References
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
