Buffer Overflow CheatSheets

Shellcode library

Shellcodes

General tricks

Disassemble the binary

objdump -d [FILE]

Print the headers (ELF header, sections, program headers)

objdump -x [FILE]

Trace the library calls the binary makes while it runs

ltrace [FILE]

Trace the syscalls and signals of the binary while it runs

strace [FILE]
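As an added example (my code, not part of the original cheat sheet), a small POSIX shell script that parses `objdump -x` output to answer the questions an overflow needs answered before opening r2: the architecture, the entry point, and whether the GNU_STACK program header is executable (NX off). The two SAMPLE_* strings are constructed to mimic `objdump -x` output for small x86-64 ELFs; on a real target pass it `objdump -x ./target` instead. The function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: pull the facts a stack
# overflow needs out of `objdump -x` output (architecture, entry point, and
# whether the STACK program header carries the executable bit, i.e. NX off).
# SAMPLE_* are constructed to mimic objdump -x output for small x86-64 ELFs.

SAMPLE_NX_OFF='
./target:     file format elf64-x86-64
./target
architecture: i386:x86-64, flags 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
start address 0x0000000000401040

Program Header:
    LOAD off    0x0000000000000000 vaddr 0x0000000000400000 paddr 0x0000000000400000 align 2**12
         filesz 0x0000000000000440 memsz 0x0000000000000440 flags r--
    STACK off    0x0000000000000000 vaddr 0x0000000000000000 paddr 0x0000000000000000 align 2**4
         filesz 0x0000000000000000 memsz 0x0000000000000000 flags rwx
'

SAMPLE_NX_ON='
./target:     file format elf64-x86-64
./target
architecture: i386:x86-64, flags 0x00000150:
HAS_SYMS, DYNAMIC, D_PAGED
start address 0x0000000000001040

Program Header:
    STACK off    0x0000000000000000 vaddr 0x0000000000000000 paddr 0x0000000000000000 align 2**4
         filesz 0x0000000000000000 memsz 0x0000000000000000 flags rw-
'

# "architecture: i386:x86-64, flags 0x..." -> i386:x86-64
arch_of() {
    printf '%s\n' "$1" | awk '/^architecture:/ { sub(/,$/, "", $2); print $2; exit }'
}

# "start address 0x..." -> the entry point exactly as printed
entry_of() {
    printf '%s\n' "$1" | awk '/^start address/ { print $3; exit }'
}

# The STACK header's permission flags are on the line that follows it.
stack_flags() {
    printf '%s\n' "$1" | awk '$1 == "STACK" { getline; print $NF; exit }'
}

# Exit status 0 when the stack is executable (no NX), 1 otherwise.
stack_executable() {
    case "$(stack_flags "$1")" in
        *x*) return 0 ;;
        *)   return 1 ;;
    esac
}

# One-line verdict so the payload strategy is decided before opening r2.
triage() {
    if stack_executable "$1"; then
        printf '%s entry %s stack %s: executable stack, stack shellcode is viable\n' \
            "$(arch_of "$1")" "$(entry_of "$1")" "$(stack_flags "$1")"
    else
        printf '%s entry %s stack %s: NX enabled, plan for ret2libc/ROP (see /R)\n' \
            "$(arch_of "$1")" "$(entry_of "$1")" "$(stack_flags "$1")"
    fi
}

triage "$SAMPLE_NX_OFF"
triage "$SAMPLE_NX_ON"
```

On a real binary: `triage "$(objdump -x ./target)"`. The flags line is read with `getline` because objdump prints each program header over two lines, with `flags` on the second.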

Radare 2 Cheat sheets

radare2

load without any analysis (file header at offset 0x0): r2 -n /path/to/file

  • analyze all: aa
  • show sections: iS
  • list functions: afl
  • list imports: ii
  • list entrypoints: ie
  • seek to function: s sym.main

project management

  • open project: Po <name>
  • save project: Ps <name>
  • edit project notes: Pn -

inspecting a function

  • show basic block disassembly: pdb
  • show function disassembly: pdf
  • show function arguments: afa
  • show function variables: afv
  • rename function variable: afvn
  • set function variable type: afvt
  • add/analyze function: af

comments:

by default, comments are displayed in disassembly listings to the right of a line. toggle them in V visual mode using ' (single quote).

multiline comments are not rendered well; they do not look pretty.

  • add comment (using editor): CC!
  • append comment: CC <text>
  • overwrite comment: CCu <text>
  • show comment: CC.
  • show comments in this function: CCf

visual mode

  • enter visual mode: V
  • select function, variable, xref: v
  • quick command/seek: _ <search string>
  • custom quick command list: ??
    • you can update the list of commands shown here by changing $R2HOME/hud.
    • ref: http://radare.today/posts/visual-mode/
  • show cursor: c
  • define at cursor (function, name, data, ...): d
  • add comment: ;
  • remove comment: ;-

a "flag" is a name attached to an offset, e.g. a function or symbol name.

graph mode

graph mode is not visual mode!

  • enter graph modes: VV
  • cycle types of graphs:
    • forward: p
    • backwards: P
  • types of graphs:
    • graph view
    • graph view + opcode bytes
    • esil
    • esil + comments
    • overview
  • seek to function: g<identifier>
  • undo seek: u
  • define new function at cursor: df
  • rename function at cursor: dr
  • show comments: '
  • add comment: /
  • add comment (complex): :CC!
  • select bb: ???
  • seek to next bb: tab
  • seek to previous bb: TAB
  • if bb has conditional branch:
    • seek to True target: t
    • seek to False target: f

pipe,grep,etc

  • exec multiple cmd: ;
  • pipeline cmd: |
  • run shell cmd: !, and give its output back to the r2 buffer: !!
  • grep:
    • <cmd>~<string> grep string from command output
    • <cmd>~[n] grep also the 'n' column
    • <cmd>~:n grep also the 'n' row

analysis, assembly, memory

  • analyze functions: af
  • analyze stack: ad@rsp or ad@esp
  • search for opcode: /a
  • search for rop/jop/etc: /R
  • search for bytes: /x
  • get offset for the actual seek point address: ?p

configuration

recommended contents of ~/.radare2rc:

# Show comments at right of disassembly if they fit in screen
e asm.cmt.right=true

# Shows pseudocode in disassembly. Eg mov eax, str.ok => eax = str.ok
e asm.pseudo = true

# Solarized theme
eco solarized

# Use UTF-8 to show cool arrows that do not look like crap :)
e scr.utf8 = true

Show the stack (hex words with pointer references) starting at the stack pointer

pxr @ esp

Show registers

drr
dr

Debug

First, analyze the binary:

aaa

Then enter visual mode and cycle the print mode until the debugger view appears, which shows the stack, registers and assembly:

V
p (press up to 3 times to reach the debug view)

Finally you can create a breakpoint on main (or on sym.main):

db main

And continue the execution until the breakpoint is hit, or press F9 in visual mode:

dc

Reopen the program to start again:

do

Change the stack size shown in the debug view

: (to enter command line mode from visual mode)
e stack.size=256
[0x55673eccb5fa]> ds?
|Usage: ds Step commands
| ds               Step one instruction
| ds <num>         Step <num> instructions
| dsb              Step back one instruction
| dsf              Step until end of frame
| dsi <cond>       Continue until condition matches
| dsl              Step one source line
| dsl <num>        Step <num> source lines
| dso <num>        Step over <num> instructions
| dsp              Step into program (skip libs)
| dss <num>        Skip <num> step instructions
| dsu[?]<address>  Step until address
| dsui[r] <instr>  Step until an instruction that matches `instr`, use dsuir for regex match
| dsue <esil>      Step until esil expression matches
| dsuf <flag>      Step until pc == flag matching name

F7 is step into, or ds
F8 is step over, or dso

Are you lost?

Hit the period (.) in visual mode to seek back to the program counter.

You stepped into a function and want to get out?

dsf

Input

python -c 'print("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")' > p.text
r2 -d program
dor stdin=p.text
doo # Reopen in debugger mode, now reading stdin from p.text

Now the input will send AAAAAA…

Show the values of the current function's arguments and locals

afvd
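As an added example that ties the Debug and Input steps above together (my code, not from the original cheat sheet): a POSIX shell script that generates a cyclic pattern instead of plain A's, writes the r2 commands from this page (dor stdin=..., doo, aaa, db main, dc, dr, pxr @ rsp) into a script file, runs them non-interactively with `r2 -q -d -i`, and turns the rbp value printed by `dr` back into the offset of the return address. It assumes r2 is on PATH, an x86-64 Linux target that reads its input from stdin, and that main resolves as a flag (use sym.main otherwise); the file names payload.txt and session.r2 and the helper names are mine.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: script the Debug and
# Input steps (dor stdin=..., doo, aaa, db main, dc, dr, pxr @ rsp) so one r2
# run reports which input bytes land in the saved frame.
# Assumptions: radare2 installed as `r2`, an x86-64 Linux target reading stdin,
# and `main` resolving as a flag. payload.txt and session.r2 are my names.

# Metasploit-style cyclic pattern of $1 bytes ("Aa0Aa1Aa2..."): every 4-byte
# or longer window occurs once, so register contents at the crash give the offset.
cyclic_pattern() {
    n=$1
    out=""
    for u in A B C D E F G H I J K L M N O P Q R S T U V W X Y Z; do
        for l in a b c d e f g h i j k l m n o p q r s t u v w x y z; do
            for d in 0 1 2 3 4 5 6 7 8 9; do
                out="$out$u$l$d"
                if [ "${#out}" -ge "$n" ]; then
                    printf '%s\n' "$out" | cut -c1-"$n"
                    return 0
                fi
            done
        done
    done
    return 1   # more than the 20280 bytes the pattern can provide
}

# Turn a register value as printed by `dr` (little-endian, e.g.
# 0x6141346141336141) back into the ASCII bytes that were written there.
hex_to_ascii_le() {
    h=${1#0x}
    if [ $(( ${#h} % 2 )) -eq 1 ]; then h="0$h"; fi
    s=""
    while [ -n "$h" ]; do
        byte=${h#"${h%??}"}   # last two hex digits = lowest remaining byte
        h=${h%??}
        v=$((0x$byte))
        # skip non-printable bytes (e.g. zero padding of a partial overwrite)
        if [ "$v" -ge 32 ] && [ "$v" -le 126 ]; then
            s="$s$(printf "\\$(printf '%03o' "$v")")"
        fi
    done
    printf '%s\n' "$s"
}

# Offset of $2 inside pattern $1, or -1 when it is not part of the pattern.
pattern_offset() {
    awk -v p="$1" -v n="$2" 'BEGIN { print index(p, n) - 1 }'
}

# On x86-64 the saved rbp sits directly below the return address, so when rbp
# holds pattern bytes at the crash the return-address slot is 8 bytes further.
# $1 = rbp value from `dr`; prints the offset of the return address in the input.
ret_offset_from_rbp() {
    needle=$(hex_to_ascii_le "$1")
    off=$(pattern_offset "$(cyclic_pattern 20280)" "$needle")
    [ "$off" -ge 0 ] || return 1
    echo $((off + 8))
}

# Write the r2 script that replays the interactive steps above, then run it
# against the target with the crafted stdin. Registers and the stack slots at
# rsp are printed at the crash; pass the rbp value to ret_offset_from_rbp.
run_r2_session() {
    bin=$1
    cyclic_pattern 200 > payload.txt
    cat > session.r2 <<'EOF'
e scr.interactive=false
dor stdin=payload.txt
doo
aaa
db main
dc
dc
dr
pxr @ rsp
EOF
    r2 -q -d -i session.r2 "$bin"
}

if [ "$#" -gt 0 ]; then
    run_r2_session "$1"
fi
```

Run it as `./overflow.sh ./program`; the second `dc` runs from main until the crash. An 8-byte ASCII value is not a canonical address, so `ret` faults before rip changes and rbp is the register that still holds pattern bytes: `ret_offset_from_rbp 0x6141346141336141` prints 17.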

Restart radare2

To restart radare2 with the binary (reopen it in debugger mode)

ood

To reopen the binary file without debugging

oo


This post is licensed under CC BY 4.0 by the author.