Introduction
Warning
Beware: you will find neither optimal ways of doing things nor the fastest ways of getting flags here; what follows is about exploiting binaries in a different way, because why the hell not!
What is this about?
First of all, I’m not an expert. I’m a hobbyist, which means I do not pwn binaries on a regular basis. I sleep between 6 and 8 hours every day, so someone said this makes me no hacker ;-) And, of course, most of the things I write about here are probably already known to some. And yet, for a long time I’ve meant to write this. This project is a book about pwning. But you won’t find the usual stuff in here; for that there are plenty of resources that will give you the basics to get you started. Here, on the other hand, I write about different ways of doing things, like spawning a shell when there is no apparent way of doing so; setting a value in a register (typically RAX, RDI, RSI or RDX) when you have no ROP gadgets for that at all; and so on and so forth. For each chapter in this book, I created a bunch of vulnerable programs to play with. I also provide their exploits, so if you are kind of new to pwning, they will help you avoid getting stuck. My exploits are examples, and sometimes there’s more than one way of doing things; feel free to send me a PR if you find a better way of pwning an exercise! I will add your exploit to the chapter.
Who is this for?
Hackers interested in pwning binaries. Pwners in general. People. What the hell do I know? I thought about writing this but, to be honest, I am not entirely sure who it is aimed at. I think that for people still learning (like myself!), getting all this stuff packed into a sort of central repository will prove useful at some point. So yes, it’s for me too! And maybe for you. And it’s free! For newbies, I would suggest reading about the basics first and coming back to this book later.
How this book is organized
Every chapter covers a different topic. For every chapter, there is a bunch of vulnerable programs in the creativepwning/chapterN directory of the official repository. These are exercises you can try. If you get stuck, an exploit for each exercise is also provided. The source code of the book is on the official repository as well, under docs/source. So if you want, you are more than welcome to clone it right now:
git clone https://github.com/nonamed01/exploits.git
and browse the book locally, or build a PDF out of it if you feel like it! The book is written in RST [1] using Sphinx [2] and the ReadTheDocs [3] ecosystem.
What architecture(s) this book covers
So far, GNU/Linux ELF binaries built on x86_64 platforms.
What you need to try the exercises
pwntools [4]
gdb [5]
gef [6] (you can also use peda if you prefer)
r2 [7] (or IDA, or Ghidra, or whatever your poison is)
r2ghidra [8]
r2pipe [9]
Some exploits are glibc-dependent, so you will need to run the binary with the same version of glibc. You will find the library and the loader under the creativepwning/chapter2/ directory. To patch the binary so it uses them, you can use patchelf [10] or pwninit [11].
Note
All the binaries and exploits have been developed and tested on Debian GNU/Linux Bookworm with libc6 version 2.36.
Reporting bugs, errors, etc.
If you find any mistakes or bugs, please send me a PR. Of course, as mentioned earlier, if you have a new example or exploit, send me a PR as well; I might add it to the book!