## Preface

The VM I had been using went haywire for some reason, and after fiddling with it for ages without success 😣 I decided to just delete it and reinstall, taking the chance to record the environment setup. I'm used to Ubuntu 20, so this time the version is 20.04.04.
## Main body

### Set up the superuser

```bash
sudo passwd root
```
### Change the sources first

Back up the old one:

```bash
sudo cp /etc/apt/sources.list /etc/apt/sources.list.bak
```

Edit:

```bash
sudo gedit /etc/apt/sources.list
```
```bash
# Tsinghua mirror
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal main restricted universe multiverse

deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-updates main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-updates main restricted universe multiverse

deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-backports main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-backports main restricted universe multiverse

deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-security main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-security main restricted universe multiverse

# Aliyun mirror
deb http://mirrors.aliyun.com/ubuntu/ focal main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-security main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-updates main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-proposed main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-security main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-updates main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-proposed main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-backports main restricted universe multiverse
```
I hit another big pitfall here: you first need to run `lsb_release -c` to see which Ubuntu release you are on. Mine is focal, but I had been using bionic sources, which produced the nightmare scenario of every install failing.
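A small check for the focal-vs-bionic mistake just described, added here as an example (not from the original post): it compares the suite field of every active `deb`/`deb-src` line against the release codename. The sample sources list it runs on is constructed; on a real machine pass `$(lsb_release -cs)` and `/etc/apt/sources.list`.

```shell
#!/bin/sh
# Added example (not from the post): check that every active deb/deb-src line
# in an apt sources list targets the codename of the running release, which
# is exactly the focal-vs-bionic mistake described above.

# check_sources_codename <codename> <sources-file>
# Prints every mismatching line and returns 1; returns 0 when all lines match.
check_sources_codename() {
    mismatches=$(sed 's/#.*//' "$2" | awk -v want="$1" '
        $1 == "deb" || $1 == "deb-src" {
            f = 3
            if ($2 ~ /^\[/) f = 4        # skip a single [arch=...] option token
            suite = $f
            sub(/-.*$/, "", suite)       # focal-updates, focal-security -> focal
            if (suite != want) print
        }')
    [ -z "$mismatches" ] && return 0
    printf '%s\n' "$mismatches"
    return 1
}

# Constructed sample (not a real sources.list): two correct focal lines,
# one commented-out line, and one stray bionic line.
demo_sources=$(mktemp)
cat > "$demo_sources" <<'EOF'
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-updates main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse
EOF

# On a real machine:  check_sources_codename "$(lsb_release -cs)" /etc/apt/sources.list
check_sources_codename focal "$demo_sources" ||
    echo "fix the lines above before running apt update"
```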
### Change the pip index

```bash
mkdir -p ~/.pip/
vim ~/.pip/pip.conf
```

Contents:

```ini
[global]
index-url = https://pypi.tuna.tsinghua.edu.cn/simple
trusted-host = pypi.tuna.tsinghua.edu.cn
```
### python-is-python3

```bash
sudo apt install python-is-python3
```

### Install vim

### Install gcc

```bash
sudo apt install gcc
gcc --version
```

### Set up the 32-bit environment

```bash
sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt install build-essential
sudo apt install gcc-multilib
```
### Install git (and pwntools)

Two methods.

The first:

```bash
sudo apt-get install python3 python3-pip python3-dev git libssl-dev libffi-dev build-essential
sudo python3 -m pip install --upgrade pip
sudo python3 -m pip install --upgrade pwntools
```

The second:

```bash
git clone https://github.com/Gallopsled/pwntools
cd pwntools
sudo python setup.py install  # best to have a proxy on for this step
```
### Install capstone

```bash
git clone https://github.com/aquynh/capstone
cd capstone
make
sudo make install
```
### pwndbg and Pwngdb

#### Pwngdb

```bash
cd ~/
git clone https://github.com/scwuaptx/Pwngdb.git
cp ~/Pwngdb/.gdbinit ~/
```

Features:

```text
libc : Print the base address of libc
ld : Print the base address of ld
codebase : Print the base of code segment
heap : Print the base of heap
got : Print the Global Offset Table information
dyn : Print the Dynamic section information
findcall : Find some function call
bcall : Set the breakpoint at some function call
tls : Print the thread local storage address
at : Attach by process name
findsyscall : Find the syscall
fmtarg : Calculate the index of format string
    You need to stop on printf which has vulnerability.
force : Calculate the nb in the house of force.
heapinfo : Print some information of heap
    heapinfo (Address of arena) default is the arena of current thread
    If tcache is enable, it would show information of tcache entry
heapinfoall : Print some information of heap (all threads)
arenainfo : Print some information of all arena
chunkinfo: Print the information of chunk
    chunkinfo (Address of victim)
chunkptr : Print the information of chunk
    chunkptr (Address of user ptr)
mergeinfo : Print the information of merge
    mergeinfo (Address of victim)
printfastbin : Print some information of fastbin
tracemalloc on : Trace the malloc and free and detect some error.
    You need to run the process first then tracemalloc on, it will record all of the malloc and free.
    You can set the DEBUG in pwngdb.py, then it will print all of the malloc and free information such as the screenshot.
parseheap : Parse heap layout
magic : Print useful variable and function in glibc
fp : show FILE structure
    fp (Address of FILE)
fpchain: show linked list of FILE
orange : Test house of orange condition in the _IO_flush_lockp
    orange (Address of FILE)
    glibc version <= 2.23
```

#### pwndbg

```bash
git clone https://github.com/pwndbg/pwndbg
cd pwndbg
./setup.sh  # a proxy is recommended
```

#### Using them together

```bash
gedit ~/.gdbinit
```

Comment out the first line, then on the second line write:

```text
source ~/pwndbg/gdbinit.py
```
### Install seccomp-tools

```bash
sudo apt install gcc ruby-dev
gem install seccomp-tools
```

### Install one_gadget

```bash
sudo gem install one_gadget
```

### Install ROPgadget

```bash
sudo apt-get install python-capstone
git clone https://github.com/JonathanSalwan/ROPgadget.git
cd ROPgadget
sudo python setup.py install
```

### Install ropper

```bash
pip3 install capstone filebytes unicorn keystone-engine ropper
```

### Install LibcSearcher

```bash
sudo pip3 install LibcSearcher
sudo pip3 install -U LibcSearcher
```

### Install main_arena_offset

```bash
git clone https://github.com/dev2ero/py_main_arena_offset.git
cd py_main_arena_offset
sudo python3 setup.py develop
```
Usage:

```python
from pymao import *

libc = "./libc.so.6"
main_arena_offset = gmao(libc)
print(hex(main_arena_offset))
```
### Setting up local debugging against different libc versions

#### glibc-all-in-one

```bash
git clone https://github.com/matrix1001/glibc-all-in-one.git
cd glibc-all-in-one
python3 update_list
cat list
./download [libc-version]
```

#### patchelf

```bash
git clone https://github.com/NixOS/patchelf.git
cd patchelf
sudo apt-get install autoconf automake libtool
./bootstrap.sh
./configure
make
sudo make install
```

Usage:

```bash
patchelf --replace-needed libc.so.6 [your-libc-path] [yourelf]
patchelf --set-interpreter [libc-ld-path] [elf]
cp -r ~/Desktop/glibc-all-in-one/libs/[libcfolderpath]/.debug/ ./debug
gdb [elf]
```
### gdb-multiarch

```bash
sudo apt-get install gdb-multiarch
```

Used for debugging programs built for other architectures.

### qemu

```bash
sudo apt update
sudo apt-get install qemu
sudo apt-get install qemu-user-static  # optional
sudo apt-get install qemu-system
sudo apt-get install qemu-user
```

Also install support for some common architectures in advance:

```bash
sudo apt-get install libc6-arm64-cross libc6-armel-cross libc6-armhf-cross libc6-mips-cross libc6-mips32-mips64-cross libc6-mips32-mips64el-cross libc6-mips64-cross libc6-mips64-mips-cross libc6-mips64-mipsel-cross libc6-mips64el-cross libc6-mipsel-cross libc6-mipsn32-mips-cross libc6-mipsn32-mips64-cross libc6-mipsn32-mips64el-cross libc6-mipsn32-mipsel-cross
```

To find support for other architectures:

```bash
apt-cache search "libc6" | grep $arch
```

Just search for the architecture you need; replace `$arch` with any other architecture name.
Debugging:

The command to start debugging is almost the same as the one to run the program: it just adds the `-g` parameter followed by a port.

For example, if the program is a dynamically linked 32-bit ARM binary, enter `qemu-arm -g 1234 -L /usr/aarch64-linux-gnu ./program`.

The 1234 is the port you chose; any other port works too. Going by the four run commands and the command above, you can work out the commands for debugging aarch64 in the same way.

Now open another terminal and run gdb-multiarch (it has to be with pwndbg; with peda it cannot debug properly).

Then enter `target remote localhost:1234` to connect to the port you just opened.

Of course, you can also just use pwntools directly.

Fairly recent pwndbg versions may not be able to use the vmmap command; wait for the author to fix it.
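An added example, not from the original post, that automates the choice of qemu-user binary and sysroot in the debug command above by reading the ELF header (class, byte order, e_machine). The sysroot paths are assumed to be the install prefixes of the `libc6-*-cross` packages installed earlier, and 32-bit ARM is assumed to be hard-float; the sample ELF header is constructed.

```shell
#!/bin/sh
# Added example (not from the post): pick the qemu-user binary and the
# cross-libc sysroot for a foreign-architecture ELF by reading its header,
# then print the "-g <port>" debug command described above.
# Assumption: sysroots are the install prefixes of the libc6-*-cross
# packages listed earlier (default Ubuntu 20.04 layout); 32-bit ARM is
# assumed to be hard-float (libc6-armhf-cross).

# elf_arch <file>: print "<class> <byte order> <e_machine>", e.g. "32 LSB 40".
# Returns 1 when the file does not start with a valid ELF identification.
elf_arch() {
    set -- $(od -An -tu1 -N 20 -v "$1")       # first 20 header bytes as decimals
    [ "$1" = 127 ] && [ "$2" = 69 ] && [ "$3" = 76 ] && [ "$4" = 70 ] || return 1
    case "$5" in 1) class=32 ;; 2) class=64 ;; *) return 1 ;; esac    # EI_CLASS
    case "$6" in 1) order=LSB ;; 2) order=MSB ;; *) return 1 ;; esac   # EI_DATA
    # e_machine lives at offset 18-19 and is stored in the file's own byte order
    if [ "$order" = LSB ]; then machine=$(( ${19} + ${20} * 256 ))
    else machine=$(( ${19} * 256 + ${20} )); fi
    echo "$class $order $machine"
}

# qemu_cmd <elf> <gdb port>: print the qemu-user command that waits for gdb.
qemu_cmd() {
    arch=$(elf_arch "$1") || { echo "not an ELF file: $1" >&2; return 1; }
    case "$arch" in                       # EM_ARM=40 EM_AARCH64=183 EM_MIPS=8
        "32 LSB 40")  q=qemu-arm;      sys=/usr/arm-linux-gnueabihf ;;
        "64 LSB 183") q=qemu-aarch64;  sys=/usr/aarch64-linux-gnu ;;
        "32 MSB 8")   q=qemu-mips;     sys=/usr/mips-linux-gnu ;;
        "32 LSB 8")   q=qemu-mipsel;   sys=/usr/mipsel-linux-gnu ;;
        "64 MSB 8")   q=qemu-mips64;   sys=/usr/mips64-linux-gnuabi64 ;;
        "64 LSB 8")   q=qemu-mips64el; sys=/usr/mips64el-linux-gnuabi64 ;;
        *) echo "no qemu-user mapping for: $arch" >&2; return 1 ;;
    esac
    # -L: sysroot holding the guest's dynamic loader and libc; -g: wait for gdb on port
    printf '%s -g %s -L %s %s\n' "$q" "$2" "$sys" "$1"
}

# Constructed sample: only the first 20 bytes of a 32-bit little-endian ARM
# ELF header (ET_EXEC, EM_ARM), which is all the header check above needs.
sample=$(mktemp)
printf '\177ELF\001\001\001\000\000\000\000\000\000\000\000\000\002\000\050\000' > "$sample"
qemu_cmd "$sample" 1234   # prints: qemu-arm -g 1234 -L /usr/arm-linux-gnueabihf <sample path>
# then, in another terminal:  gdb-multiarch -q <elf> -ex 'target remote localhost:1234'
```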
### binutils

```bash
apt-cache search "binutils" | grep $arch
```

Search for and install the ones you need.

### buildroot

Build a debugging environment for other architectures with buildroot.