Preface

The VM I had been using went haywire for some reason, and after fiddling with it for ages I still couldn't fix it 😣, so I just deleted it and reinstalled from scratch, taking the chance to write down the environment setup. Since I'm used to Ubuntu 20, the version this time is 20.04.04.

Main text

Set the root password

sudo passwd root

Switch the apt mirror first

Back up the old one

sudo cp /etc/apt/sources.list /etc/apt/sources.list.bak

Edit it

sudo gedit /etc/apt/sources.list

# Tsinghua mirror
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-updates main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-updates main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-backports main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-backports main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-security main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-security main restricted universe multiverse


# Aliyun mirror
deb http://mirrors.aliyun.com/ubuntu/ focal main restricted universe multiverse

deb http://mirrors.aliyun.com/ubuntu/ focal-security main restricted universe multiverse

deb http://mirrors.aliyun.com/ubuntu/ focal-updates main restricted universe multiverse

deb http://mirrors.aliyun.com/ubuntu/ focal-proposed main restricted universe multiverse

deb http://mirrors.aliyun.com/ubuntu/ focal-backports main restricted universe multiverse

deb-src http://mirrors.aliyun.com/ubuntu/ focal main restricted universe multiverse

deb-src http://mirrors.aliyun.com/ubuntu/ focal-security main restricted universe multiverse

deb-src http://mirrors.aliyun.com/ubuntu/ focal-updates main restricted universe multiverse

deb-src http://mirrors.aliyun.com/ubuntu/ focal-proposed main restricted universe multiverse

deb-src http://mirrors.aliyun.com/ubuntu/ focal-backports main restricted universe multiverse

I hit another big pitfall here.

You have to run lsb_release -c first to see which Ubuntu release you are on.

Mine is focal, but I had been using the bionic sources,

which led to the nightmare of every install failing.
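The mismatch described above can be caught before `apt update` starts failing. The script below is an added example, not part of the original post: it reads a sources file and flags every active `deb`/`deb-src` entry whose suite is not the running codename (or `codename-updates`, `codename-security`, and so on). The codename is passed in as an argument (in real use, the output of `lsb_release -cs`) so that the check also runs offline against the two constructed sample files created at the bottom.

```shell
#!/bin/sh
# Added example (not from the original post): flag apt source entries whose
# suite does not match the running release codename, e.g. bionic lines on focal.
# Assumption: the codename is supplied by the caller (normally "lsb_release -cs").

# check_sources <sources-file> <codename>
# Prints each active deb/deb-src line whose suite is neither <codename> nor
# <codename>-<pocket>, and returns 1 if any such line was found, 0 otherwise.
check_sources() {
    file="$1"; codename="$2"; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "deb "*|"deb-src "*) ;;   # only active entries; comments are skipped
            *) continue ;;
        esac
        # drop an optional "[arch=...]" option block so the suite is always field 3
        suite=$(printf '%s\n' "$line" | sed 's/\[[^]]*\] *//' | awk '{print $3}')
        case "$suite" in
            "$codename"|"$codename"-*) ;;
            *) printf 'MISMATCH (%s): %s\n' "$suite" "$line"; bad=1 ;;
        esac
    done < "$file"
    return "$bad"
}

# Constructed sample files (not the author's real sources.list): one that is
# consistent with focal, and one carrying the bionic entries that bit the author.
SAMPLE_DIR=$(mktemp -d)
GOOD_LIST="$SAMPLE_DIR/good.list"
BAD_LIST="$SAMPLE_DIR/bad.list"
cat > "$GOOD_LIST" <<'EOF'
# Tsinghua mirror
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-security main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ bionic main restricted universe multiverse
EOF
cat > "$BAD_LIST" <<'EOF'
deb http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse
deb [arch=amd64] http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal main restricted universe multiverse
EOF

# Real use on the machine being set up:
#   check_sources /etc/apt/sources.list "$(lsb_release -cs)"
```

The commented-out bionic line in the first sample is deliberately ignored: only lines apt would actually read count as mismatches.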

Switch the pip index

mkdir -p ~/.pip/
vim ~/.pip/pip.conf

Contents

[global]
index-url = https://pypi.tuna.tsinghua.edu.cn/simple
trusted-host = pypi.tuna.tsinghua.edu.cn

python-is-python3

sudo apt install python-is-python3

Install vim

sudo apt install vim

Install gcc

sudo apt install gcc
gcc --version

Set up the 32-bit environment

sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt install build-essential
sudo apt install gcc-multilib

Install git

sudo apt install git

Install pwntools

Two methods

Method 1

sudo apt-get install python3 python3-pip python3-dev git libssl-dev libffi-dev build-essential
sudo python3 -m pip install --upgrade pip
sudo python3 -m pip install --upgrade pwntools

Method 2

git clone https://github.com/Gallopsled/pwntools
cd pwntools
sudo python setup.py install  # this step is best done through a proxy

Install capstone

git clone https://github.com/aquynh/capstone
cd capstone
make
sudo make install

pwndbg and Pwngdb

Pwngdb

cd ~/
git clone https://github.com/scwuaptx/Pwngdb.git
cp ~/Pwngdb/.gdbinit ~/
Features
libc : Print the base address of libc
ld : Print the base address of ld
codebase : Print the base of code segment
heap : Print the base of heap
got : Print the Global Offset Table information
dyn : Print the Dynamic section information
findcall : Find some function call
bcall : Set the breakpoint at some function call
tls : Print the thread local storage address
at : Attach by process name
findsyscall : Find the syscall
fmtarg : Calculate the index of format string
    You need to stop on printf which has vulnerability.
force : Calculate the nb in the house of force.
heapinfo : Print some information of heap
    heapinfo (Address of arena)
    default is the arena of current thread
    If tcache is enabled, it would show information of tcache entry
heapinfoall : Print some information of heap (all threads)
arenainfo : Print some information of all arena
chunkinfo : Print the information of chunk
    chunkinfo (Address of victim)
chunkptr : Print the information of chunk
    chunkptr (Address of user ptr)
mergeinfo : Print the information of merge
    mergeinfo (Address of victim)
printfastbin : Print some information of fastbin
tracemalloc on : Trace the malloc and free and detect some error.
    You need to run the process first, then tracemalloc on; it will record all of the malloc and free.
    You can set DEBUG in pwngdb.py, then it will print all of the malloc and free information such as the screenshot.
parseheap : Parse heap layout
magic : Print useful variable and function in glibc
fp : show FILE structure
    fp (Address of FILE)
fpchain : show linked list of FILE
orange : Test house of orange condition in the _IO_flush_lockp
    orange (Address of FILE)
    glibc version <= 2.23

pwndbg

git clone https://github.com/pwndbg/pwndbg
cd pwndbg
./setup.sh  # a proxy is recommended

Using them together

gedit ~/.gdbinit
# comment out the first line, then write the following on the second line:
source ~/pwndbg/gdbinit.py

Install seccomp-tools

sudo apt install gcc ruby-dev
gem install seccomp-tools

Install one_gadget

sudo gem install one_gadget

Install ROPgadget

sudo apt-get install python-capstone

git clone https://github.com/JonathanSalwan/ROPgadget.git

cd ROPgadget

sudo python setup.py install

Install ropper

pip3 install capstone filebytes unicorn keystone-engine ropper

Install LibcSearcher

sudo pip3 install LibcSearcher
sudo pip3 install -U LibcSearcher

Install main_arena_offset

git clone https://github.com/dev2ero/py_main_arena_offset.git
cd py_main_arena_offset
sudo python3 setup.py develop

Usage

from pymao import *

libc = "./libc.so.6"
main_arena_offset = gmao( libc )
print(hex(main_arena_offset))

Set up an environment for debugging against different libc versions locally

glibc-all-in-one

git clone https://github.com/matrix1001/glibc-all-in-one.git
cd glibc-all-in-one
python3 update_list
cat list
./download [libc-version]

patchelf

git clone https://github.com/NixOS/patchelf.git
cd patchelf
sudo apt-get install autoconf automake libtool
./bootstrap.sh
./configure
make
sudo make install

Usage

patchelf --replace-needed libc.so.6 [your-libc-path] [yourelf]
patchelf --set-interpreter [libc-ld-path] [elf]
cp -r ~/Desktop/glibc-all-in-one/libs/[libcfolderpath]/.debug/ ./debug
gdb [elf]
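The four placeholder commands above can be wrapped so the loader path is found from the libc directory rather than typed by hand, and so the result is verified before gdb is started. This is an added example, not code from the post or from the patchelf or glibc-all-in-one projects. It assumes the layout of a glibc-all-in-one `libs/<version>` folder (a `libc.so.6`, an `ld-*.so` loader and a `.debug/` directory, as downloaded by `./download`); the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): patch an ELF to use a specific
# libc from glibc-all-in-one and verify the recorded interpreter afterwards.
# Assumption: <libc-dir> is a glibc-all-in-one libs/<version> folder.

# find_ld <libc-dir>: print the dynamic loader shipped with that libc.
find_ld() {
    for f in "$1"/ld-linux*.so* "$1"/ld-*.so; do
        if [ -e "$f" ]; then
            echo "$f"
            return 0
        fi
    done
    echo "no ld-*.so found in $1" >&2
    return 1
}

# patch_for_libc <elf> <libc-dir>
# Rewrite <elf> in place so it loads <libc-dir>/libc.so.6 with the matching
# loader, copy the debug symbols next to it, and print the new interpreter.
patch_for_libc() {
    elf="$1"; libcdir="$2"
    command -v patchelf >/dev/null || { echo "patchelf is not installed" >&2; return 2; }
    ld=$(find_ld "$libcdir") || return 1
    ld=$(realpath "$ld")
    libcdir=$(realpath "$libcdir")

    cp "$elf" "$elf.orig"   # keep an untouched copy of the original binary
    patchelf --set-interpreter "$ld" "$elf"
    patchelf --replace-needed libc.so.6 "$libcdir/libc.so.6" "$elf"

    # glibc-all-in-one ships the debug symbols in .debug/; gdb (via pwndbg's
    # setup) looks for them in ./debug, as in the page's cp command.
    if [ -d "$libcdir/.debug" ]; then
        mkdir -p ./debug
        cp -r "$libcdir/.debug/." ./debug
    fi

    # Verify: the interpreter recorded in the binary must be the one we set.
    readelf -l "$elf" | grep -F "$ld"
}

# Real use, then debug as on the page:
#   patch_for_libc ./pwn ~/Desktop/glibc-all-in-one/libs/2.27-3ubuntu1_amd64
#   gdb ./pwn
```

Keeping `$elf.orig` matters because patchelf edits in place; if the wrong libc folder was picked, you still have the original to retry from.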

gdb-multiarch

sudo apt-get install gdb-multiarch

Used for debugging binaries built for other architectures

qemu

sudo apt update
sudo apt-get install qemu
sudo apt-get install qemu-user-static  # optional
sudo apt-get install qemu-system
sudo apt-get install qemu-user

Also install the libc for some common architectures in advance

sudo apt-get install libc6-arm64-cross libc6-armel-cross libc6-armhf-cross libc6-mips-cross libc6-mips32-mips64-cross libc6-mips32-mips64el-cross libc6-mips64-cross libc6-mips64-mips-cross libc6-mips64-mipsel-cross libc6-mips64el-cross libc6-mipsel-cross libc6-mipsn32-mips-cross libc6-mipsn32-mips64-cross libc6-mipsn32-mips64el-cross libc6-mipsn32-mipsel-cross

To find support for other architectures:

apt-cache search "libc6" | grep $arch

Just search for the architecture you need; substitute any other architecture name as appropriate.

Debugging:

The command to start debugging is very similar to the one for running the program; it only adds a -g flag followed by a port number.

For example, if the program is a dynamically linked 32-bit ARM binary, type qemu-arm -g 1234 -L /usr/aarch64-linux-gnu ./program-name

Here 1234 is the port you chose; any other port works too. Then, by analogy with the four commands for running programs and the command above, you can derive the command for debugging aarch64.

Now open another terminal and run gdb-multiarch (it has to be with pwndbg; with peda, debugging does not work properly),

then type target remote localhost:1234 to connect to the port you just opened.

Of course, using pwntools directly works as well.

Newer versions of pwndbg may not be able to use the vmmap command; wait for the author to fix it.
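Rather than deriving the run and debug commands for each architecture by hand, the script below composes them from an architecture name and generalises the single ARM example above to the other libc6-*-cross packages installed earlier. It is an added example, not code from the post or from QEMU. The sysroot for each architecture is assumed to be the directory created by the corresponding libc6-*-cross package (for instance /usr/arm-linux-gnueabihf for armhf binaries); confirm the directories on your own machine with `ls -d /usr/*-linux-gnu*`. The function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): build the qemu-user run and
# debug command lines for an architecture, then run them after checking that
# the qemu binary and cross sysroot are actually present.
# Assumption: sysroot paths are those installed by Ubuntu's libc6-*-cross packages.

# sysroot_for <arch>: print the directory to pass to "-L", or fail.
sysroot_for() {
    case "$1" in
        arm)      echo /usr/arm-linux-gnueabihf ;;      # libc6-armhf-cross
        armel)    echo /usr/arm-linux-gnueabi ;;        # libc6-armel-cross
        aarch64)  echo /usr/aarch64-linux-gnu ;;        # libc6-arm64-cross
        mips)     echo /usr/mips-linux-gnu ;;           # libc6-mips-cross
        mipsel)   echo /usr/mipsel-linux-gnu ;;         # libc6-mipsel-cross
        mips64)   echo /usr/mips64-linux-gnuabi64 ;;    # libc6-mips64-cross
        mips64el) echo /usr/mips64el-linux-gnuabi64 ;;  # libc6-mips64el-cross
        *) echo "unsupported arch: $1" >&2; return 1 ;;
    esac
}

# qemu_bin <arch>: the qemu-user binary; armel and armhf share qemu-arm.
qemu_bin() {
    case "$1" in
        armel) echo qemu-arm ;;
        *)     echo "qemu-$1" ;;
    esac
}

# qemu_cmd <arch> <elf> [port]: print the command line; with a port, add "-g".
qemu_cmd() {
    sysroot=$(sysroot_for "$1") || return 1
    qemu=$(qemu_bin "$1")
    if [ -n "${3:-}" ]; then
        printf '%s -g %s -L %s %s\n' "$qemu" "$3" "$sysroot" "$2"
    else
        printf '%s -L %s %s\n' "$qemu" "$sysroot" "$2"
    fi
}

# gdb_attach_cmd <port>: the command for the second terminal.
gdb_attach_cmd() {
    printf "gdb-multiarch -q -ex 'target remote localhost:%s'\n" "$1"
}

# run_target <arch> <elf> [port]: verify prerequisites, then actually run.
run_target() {
    sysroot=$(sysroot_for "$1") || return 1
    qemu=$(qemu_bin "$1")
    [ -d "$sysroot" ] || { echo "missing $sysroot: install the libc6-*-cross package for $1" >&2; return 1; }
    command -v "$qemu" >/dev/null || { echo "$qemu not found: install qemu-user" >&2; return 1; }
    if [ -n "${3:-}" ]; then
        echo "waiting for: $(gdb_attach_cmd "$3")" >&2
        "$qemu" -g "$3" -L "$sysroot" "$2"
    else
        "$qemu" -L "$sysroot" "$2"
    fi
}

# Example use (the binary name is a placeholder):
#   run_target arm ./program-name 1234   # terminal 1
#   gdb_attach_cmd 1234                  # paste the printed line into terminal 2
```

With `-g`, qemu-user waits on a TCP port for the debugger, so keep the VM or host running it off untrusted networks while a debug session is open.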

binutils

apt-cache search "binutils" | grep $arch

Search for the ones you need and install them

buildroot

Building a cross-architecture debugging environment with buildroot