Pwn

I placed pwn in with programming, because it relies heavily on programming concepts and knowledge

ELF Analysis

Take a quick look at the file before jumping into analysis

readelf -h ./binary # Analyze the ELF headers
readelf -sW ./binary | grep FUNC # List all functions in binary
objdump -M intel -d ./binary | awk -v RS= '/^[[:xdigit:]]+ <main>/' # Display disassembly for main() only
ltrace ./binary # Watch library calls as program executes
strings ./binary # The classic
printf $(python -c 'print("A"*15)') | ./int-overflow # Easy way to change amount of bytes passed to program
echo -n -e ' \x41\x41\x41\x41\x41\x41\x42' > bytes # Put bytes directly into a file
(cat ./exploit; cat) | ./program # Pass the exploit to the program, leaves stdin open
​
# Use MSF to create the pattern and identify offsets
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 200
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 200 -q 6641396541386541

Pwntools

>>> import pwn
>>> pwn.p64(0x7fffffffe380)
b'\x80\xe3\xff\xff\xff\x7f\x00\x00'
>>> pwn.p32(0x0804853b)
b';\x85\x04\x08'