ByteShield
Repost from ReverseEngineering
Process memory layout (high addresses at the top):

    ┌──────────────┐ ← High addresses
    │    Stack     │ ← Contains local variables, return addresses
    ├──────────────┤
    │     Heap     │ ← Contains dynamic objects (malloc/new)
    ├──────────────┤
    │  BSS & Data  │ ← Global/static variables
    └──────────────┘ ← Lower addresses

Exploits usually occur in the Stack or the Heap.

🧨 Most important types of bugs in Binary Exploitation

- Buffer Overflow: writing more data than allowed into a buffer can overwrite the Return Address
- Stack-based Overflow: an overflow on the stack, usually used to control EIP/RIP
- Heap Overflow: an overflow in the heap corrupts malloc's bookkeeping structures
- Use-After-Free: using a pointer after it has been freed gives control over the freed memory
- Format String Bug: unsafe use of printf can cause a memory leak or a memory write
- Integer Overflow/Underflow: causes memory allocation errors or bypasses size checks
- Double Free: freeing the same pointer twice leads to heap corruption

🧭 General steps of Binary Exploitation

1. Create a crash (Bug Trigger): make the program crash with a specific input, for example by overflowing the buffer with a very long string.
2. Analyze the bug: use gdb, pwndbg, gef, or radare2; understand what exactly was overwritten, which registers are controllable, and what the execution flow looks like.
3. Leak security information: to bypass ASLR or PIE, you need to leak addresses, for example by using a format string bug to print pointers.
4. Build the payload (Exploit): for example, build a ROP chain or shellcode, and carefully redirect the Return Address to your gadgets or shellcode.
5. Bypass protections: modern browsers and binaries have protections such as:
   - ASLR: addresses are randomized, so you need a leak
   - NX / DEP: the stack is not executable, so you should use ROP
   - Canary: overflow protection that must be leaked or bypassed
   - PIE / RELRO: hardening of the GOT/PLT against control
6. Take ultimate control: usually an exploit ends in one of the following:
   - executing shellcode and getting a shell 🐚
   - executing a ROP chain to run system commands
   - changing the program's behavior in favor of the attacker

🧰 Important tools in Binary Exploitation (most used tools)

- gdb + pwndbg or gef: debugging, crash and memory analysis
- radare2, Ghidra, IDA Pro: binary reverse engineering
- ROPgadget, ropper: finding ROP gadgets
- pwntools: quickly building exploits with Python
- angr, Qiling: symbolic analysis or advanced emulation
- checksec: checking binary protections

🧪 Very simple classic Stack Overflow example

Vulnerable code:
    #include <stdio.h>
    #include <string.h>

    void vuln() {
        char buf[64];
        gets(buf); // ❌ Insecure: gets() has no bounds check and was removed in C11
        printf("You said: %s\n", buf);
    }

    int main() {
        vuln();
        return 0;
    }

If you give more than 64 bytes of input, you can overwrite the Return Address and send the program to your shellcode address instead of returning to main.

@reverseengine
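The fix for the vulnerable snippet above is a bounded read that can never write past the buffer. The following C program is an added example, not code from the original post or from the ReverseEngineering channel; the helper names `bounded_read_line`, `would_truncate`, `vuln_fixed` and `stored_length_for_input_len` are assumptions chosen here. It keeps the same 64-byte buffer and the same output as the original `vuln()`, but copies at most 63 bytes, always NUL-terminates, and reports when input had to be truncated, so an oversized input is cut short instead of overwriting the Return Address.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <stdlib.h>

#define BUF_SIZE 64  /* same buffer size as the vulnerable vuln() above */

/* Hardened replacement for gets(): copies at most cap-1 bytes of `input`
 * (stopping at the first newline) into buf and always NUL-terminates.
 * Returns the number of bytes stored, or -1 on invalid arguments.
 * Hypothetical helper name, added for this example. */
long bounded_read_line(char *buf, size_t cap, const char *input) {
    if (buf == NULL || input == NULL || cap == 0) return -1;
    size_t n = 0;
    while (input[n] != '\0' && input[n] != '\n' && n < cap - 1) {
        buf[n] = input[n];
        n++;
    }
    buf[n] = '\0';  /* the terminator always lands inside the buffer */
    return (long)n;
}

/* Returns 1 if `input` would not fit in a buffer of `cap` bytes, else 0.
 * Lets the caller log a truncation event instead of silently losing data. */
int would_truncate(size_t cap, const char *input) {
    if (input == NULL || cap == 0) return 1;
    size_t len = strcspn(input, "\n");   /* length up to the first newline */
    return len > cap - 1;
}

/* Fixed version of vuln(): same buffer, same output, no overflow possible */
void vuln_fixed(const char *input) {
    char buf[BUF_SIZE];
    if (would_truncate(sizeof buf, input)) {
        fprintf(stderr, "warning: input truncated to %zu bytes\n", sizeof buf - 1);
    }
    bounded_read_line(buf, sizeof buf, input);
    printf("You said: %s\n", buf);
}

/* Test helper: builds a constructed input of `input_len` 'A' characters,
 * reads it into a BUF_SIZE buffer and returns how many bytes were stored.
 * With BUF_SIZE == 64 this can never exceed 63. */
long stored_length_for_input_len(size_t input_len) {
    char *in = malloc(input_len + 1);
    if (in == NULL) return -1;
    memset(in, 'A', input_len);
    in[input_len] = '\0';
    char buf[BUF_SIZE];
    long stored = bounded_read_line(buf, sizeof buf, in);
    free(in);
    return stored;
}

int main(void) {
    /* Constructed sample inputs: a short line and a 200-byte overflow attempt */
    char oversized[201];
    memset(oversized, 'A', 200);
    oversized[200] = '\0';

    vuln_fixed("hello\n");   /* prints: You said: hello */
    vuln_fixed(oversized);   /* warns, then prints 63 'A's and returns normally */
    return 0;
}
```

The key property is that the written length depends only on `sizeof buf`, not on the attacker-controlled input length; `fgets(buf, sizeof buf, stdin)` gives the same guarantee when reading from stdin directly, and the explicit `would_truncate` check is what turns a silent overflow into a logged, detectable event.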

Android backdoor hijacks Telegram accounts, gaining complete control over them https://news.drweb.com/show/?i=15076&lng=en&c=5