
Linux Interactive Exploit Development with GDB and PEDA

Long Le
longld@vnsecurity.net

Workshop Setup (1)

Virtual machine
  VMWare / VirtualBox
  Ubuntu 10.04 Live CD ISO
  Internet connection (NAT/Bridge)

Install Ubuntu packages
  Required packages
  $ sudo apt-get install nasm micro-inetd
  Optional packages
  $ sudo apt-get install libc6-dbg vim ssh

Workshop Setup (2)

PEDA tool

Download peda.tar.gz at: http://ropshell.com/peda/ and unpack it to the home directory

$ tar zxvf peda.tar.gz

Create a ~/.gdbinit that loads PEDA

$ echo "source ~/peda/peda.py" >> ~/.gdbinit

Workshop exercises

Download bhus12-workshop.tar.gz at: http://ropshell.com/peda/ and unpack it to the home directory

$ tar zxvf bhus12-workshop.tar.gz

Workshop Setup (3)

Temporarily disable ASLR

$ sudo sysctl -w kernel.randomize_va_space=0

Allow ptrace of processes

$ sudo sysctl -w kernel.yama.ptrace_scope=0

Demo: Sample Exploit Development session with GDB

GDB or not GDB?

Standard debugger on *nix
Not ExDev oriented

Lack of intuitive interface
Lack of smart context display
Lack of commands for ExDev
GDB scripting is weak
Since GDB 7.0: powerful scripting API (v7.2)

Python GDB

PEDA Introduction

Python Exploit Development Assistance for GDB
Python GDB init script

GDB 7.x, Python 2.6
Self help manual
Auto-completion of commands, options

Handy commands for exploit development

Framework for writing custom commands



PEDA features

Memory operations
Debugging helpers
Exploit helpers
Utilities

Exploit Development with PEDA

Exploit Development Process

Occupy EIP
Find the offset(s)
Determine the attack vector
Build the exploit
Test/debug the exploit


Occupied EIP, what next?

Find the offset(s)
Where is my buffer?
Any register points to it?


Attack vector (1)

Any exploit mitigation in place?

NX
ASLR
PIE
RELRO
CANARY
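An added example (not from the slides and not PEDA's own checksec code) of how the mitigations in this list can be read off a binary before any further work: NX from the PT_GNU_STACK flags, PIE from the ELF type, RELRO from the presence of a PT_GNU_RELRO segment, and the stack canary via a string heuristic. ASLR is a kernel setting rather than a property of the file, so the script reads it from /proc when that is available. The ELF64 images it checks are constructed inline, so it runs offline; the constants, helper names and sample values are this example's own.

```python
"""Read the mitigations from an ELF64 image's headers (added example, not PEDA's checksec)."""
import struct

PT_GNU_STACK = 0x6474E551   # program header carrying the stack's permission bits
PT_GNU_RELRO = 0x6474E552   # program header marking the read-only-after-relocation region
PF_X = 0x1
ET_EXEC, ET_DYN = 2, 3      # fixed-address executable vs position-independent (PIE)


def check_mitigations(data: bytes) -> dict:
    """Return NX / PIE / RELRO / CANARY flags for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example only parses ELF64 little-endian files")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    # Without a PT_GNU_STACK header Linux gives the process an executable stack,
    # so NX is only reported when the header exists and lacks the X bit.
    nx, relro = False, False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True   # partial RELRO; full RELRO also needs DT_BIND_NOW in .dynamic
    return {
        "NX": nx,
        "PIE": e_type == ET_DYN,
        "RELRO": relro,
        # Heuristic: a binary built with -fstack-protector references __stack_chk_fail.
        "CANARY": b"__stack_chk_fail" in data,
    }


def aslr_setting():
    """ASLR is a kernel knob (the slides disable it with sysctl); None if unreadable."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            return int(f.read().strip())
    except OSError:
        return None


def build_sample_elf(pie: bool, nx: bool, relro: bool, canary: bool) -> bytes:
    """Construct a header-only ELF64 image with the requested properties (test input)."""
    phdrs = [struct.pack("<IIQQQQQQ", PT_GNU_STACK, 0x6 if nx else 0x7, 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 0x4, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        ET_DYN if pie else ET_EXEC, 62, 1,   # e_type, e_machine (x86-64), e_version
        0x1000, 64, 0, 0,                    # e_entry, e_phoff, e_shoff, e_flags
        64, 56, len(phdrs), 64, 0, 0,        # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    )
    tail = b"__stack_chk_fail\x00" if canary else b"main\x00"
    return header + b"".join(phdrs) + tail


if __name__ == "__main__":
    for flags in ((True, True, True, True), (False, False, False, False)):
        print(flags, check_mitigations(build_sample_elf(*flags)))
    print("randomize_va_space:", aslr_setting())
```

Only the headers are parsed, which is enough for NX, PIE and partial RELRO; telling full from partial RELRO and detecting the canary reliably would need the dynamic section and symbol table, which is why those two are labelled as a heuristic or partial result in the code.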

Attack vector (2)

Find ways to code execution

ret2any: return to any executable, known place

stack
data / heap
text
library (libc)
code chunk (ROP)
stack pivoting

control input buffer


Build the exploit

Payload

Shellcode
ret2any payload
Exploit skeleton

Wrapper


Test and debug the exploit

Check for limitations

Badchars
Buffer size

Check for runtime effects
Modify/correct the exploit


Demo & Practices

Buffer overflow exploit
Format string exploit
PEDA commands explanation and usage


PEDA Commands


Prepare input buffer

pattern create
pattern create 2000
pattern create 2000 input

pset arg
pset arg 'A'*200
pset arg 'cyclic_pattern(200)'

pset env
pset env <name> 'cyclic_pattern(200)'


Context display

Registers
context reg

Code
context code

Stack
context stack


Runtime info

Virtual memory mapping

vmmap
vmmap binary / libc
vmmap 0xb7d88000

Register / address
xinfo register eax
xinfo 0xb7d88000

Stack / memory
telescope 40
telescope 0xb7d88000 40

Search for input buffer

pattern offset
pattern offset $pc

pattern search
pattern search
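What `pattern create`, `pattern offset` and `pattern search` do under the hood, as an added example that is not PEDA's own implementation: the pattern is a De Bruijn sequence over letters and digits, so every 4-byte window occurs exactly once and a value read out of a register maps back to a single offset in the input buffer. PEDA's real pattern uses a different alphabet and ordering, so the bytes differ; the register snapshot at the bottom is constructed for the demonstration.

```python
"""Cyclic pattern generation and offset lookup (added example, not PEDA's code)."""
import itertools

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def _de_bruijn(alphabet, n):
    """Lazily yield the De Bruijn sequence B(len(alphabet), n), one symbol at a time."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in a[1:p + 1]:
                    yield alphabet[i]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic_pattern(size, n=4):
    """Like `pattern create SIZE`: the first SIZE bytes of the sequence, every n-gram unique."""
    return "".join(itertools.islice(_de_bruijn(ALPHABET, n), size)).encode()


def pattern_offset(value, size, ptr_size=4):
    """Like `pattern offset VALUE`: where in the buffer did VALUE come from?

    An integer is taken as register contents, so it is matched little-endian
    first (the order the bytes sat in memory) and big-endian as a fallback.
    Returns -1 when the value is not part of the pattern.
    """
    pattern = cyclic_pattern(size)
    if isinstance(value, int):
        candidates = [value.to_bytes(ptr_size, "little"), value.to_bytes(ptr_size, "big")]
    else:
        candidates = [value]
    for needle in candidates:
        idx = pattern.find(needle)
        if idx != -1:
            return idx
    return -1


def pattern_search(registers, size, ptr_size=4):
    """Like `pattern search`: which registers hold a piece of the pattern, and at what offset."""
    found = {}
    for name, value in registers.items():
        off = pattern_offset(value, size, ptr_size)
        if off != -1:
            found[name] = off
    return found


if __name__ == "__main__":
    pat = cyclic_pattern(200)
    # Constructed register snapshot: eip and ebx were overwritten by the pattern, eax was not.
    regs = {"eip": int.from_bytes(pat[120:124], "little"),
            "ebx": int.from_bytes(pat[16:20], "little"),
            "eax": 0xBFFFF000}
    print(pat[:40])
    print(pattern_search(regs, 200))   # {'eip': 120, 'ebx': 16}
```

The generator is consumed lazily, so asking for a 2000-byte pattern does not build the full 62^4-symbol sequence; and because `pattern_offset` tries the little-endian form first, a value such as 0x41414141 copied out of EIP resolves to the offset where those bytes actually sat in the buffer.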

Jmp/call search

jmpcall
jmpcall
jmpcall eax
jmpcall esp libc

Generate shellcode/nopsled

gennop
gennop 500
gennop 500 \x90

shellcode
shellcode x86/linux exec

assemble
assemble

Exploit wrapper

skeleton
skeleton argv exploit.py

Use with GDB

set exec-wrapper ./exploit.py

Memory search

searchmem / find
find /bin/sh libc
find 0xdeadbeef all
find ..\x04\x08 0x08048000 0x08049000

refsearch
refsearch /bin/sh
refsearch 0xdeadbeef

lookup address
lookup address stack libc

lookup pointer
lookup pointer stack ld-2
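The idea behind `find` / `searchmem` and `refsearch`, as an added example rather than PEDA's code: search every mapping of the debuggee for a byte string or a regex, then search again for pointer-sized words whose value is each hit's address. The three mappings (a data segment, libc with a "/bin/sh" string, and a stack holding a pointer to it) are constructed here so the script runs offline; their names and addresses are this example's own.

```python
"""Memory search over process mappings (added example, not PEDA's searchmem/refsearch)."""
import re
import struct


class Mapping:
    """A contiguous region of memory: its name, start address and a snapshot of its bytes."""

    def __init__(self, name, start, data):
        self.name, self.start, self.data = name, start, bytes(data)


def searchmem(maps, pattern, regex=False):
    """Like `find PATTERN`: (mapping name, address) of every match, in address order."""
    compiled = re.compile(pattern if regex else re.escape(pattern), re.DOTALL)
    hits = []
    for m in sorted(maps, key=lambda m: m.start):
        for match in compiled.finditer(m.data):
            hits.append((m.name, m.start + match.start()))
    return hits


def find_pointers(maps, target, ptr_size=4):
    """Addresses of every pointer-sized little-endian word whose value is TARGET."""
    needle = target.to_bytes(ptr_size, "little")
    return [addr for _, addr in searchmem(maps, needle)]


def refsearch(maps, pattern, ptr_size=4):
    """Like `refsearch PATTERN`: each hit of PATTERN mapped to the pointers referencing it."""
    return {addr: find_pointers(maps, addr, ptr_size) for _, addr in searchmem(maps, pattern)}


def sample_maps():
    """Constructed 32-bit process snapshot: data segment, libc and stack (not real dumps)."""
    data = bytearray(0x40)
    struct.pack_into("<I", data, 0x10, 0x08048ABC)   # a pointer into the binary's text
    libc = bytearray(0x200)
    libc[0x100:0x108] = b"/bin/sh\x00"
    stack = bytearray(0x40)
    struct.pack_into("<I", stack, 0x20, 0xB7D00100)  # stack slot referencing "/bin/sh" in libc
    struct.pack_into("<I", stack, 0x30, 0x08048EF0)  # saved return address into the binary
    return [
        Mapping("data", 0x08049000, data),
        Mapping("libc", 0xB7D00000, libc),
        Mapping("stack", 0xBFFFF000, stack),
    ]


if __name__ == "__main__":
    maps = sample_maps()
    print(searchmem(maps, b"/bin/sh"))                  # [('libc', 0xb7d00100)]
    print(refsearch(maps, b"/bin/sh"))                  # {0xb7d00100: [0xbffff020]}
    # The slide's `find ..\x04\x08`: any 4-byte word that points into 0x0804xxxx.
    print(searchmem(maps, rb"..\x04\x08", regex=True))
```

The regex form is what makes `find ..\x04\x08` work: with DOTALL the two dots match any bytes, so the search returns every word whose top two bytes are 0x0804, i.e. candidate pointers into a non-PIE binary.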

ASM / ROP search

asmsearch
asmsearch "int 0x80"
asmsearch "add esp, ?" libc

ropsearch
ropsearch "pop eax"
ropsearch "xchg eax, esp" libc

dumprop
dumprop
dumprop binary pop

ropgadget
ropgadget
ropgadget libc



ELF headers / symbols

elfheader / readelf
elfheader
elfheader .got
readelf libc .text

elfsymbol
elfsymbol
elfsymbol printf

ret2plt / ROP payload

payload
payload copybytes
payload copybytes target /bin/sh
payload copybytes 0x0804a010 offset

Other memory operations (1)

dumpmem
dumpmem libc.mem libc

loadmem
loadmem stack.mem 0xbffdf000

cmpmem
cmpmem 0x08049000 0x0804a000 data.mem

xormem
xormem 0x08049000 0x0804a000 thekey

patch
patch $esp 0xdeadbeef
patch $eax "the long string pattern"
patch 0xdeadbeef 100
patch (multiple lines)

Other memory operations (2)

strings
strings
strings binary 4

hexdump
hexdump $sp 64
hexdump $sp /20

hexprint
hexprint $sp 64
hexprint $sp /20


Other debugging helpers (1)

pdisass
pdisass $pc /20

nearpc
nearpc 20
nearpc 0x08048484

pltbreak
pltbreak cpy

deactive
deactive setresuid
deactive chdir

unptrace
unptrace

Other debugging helpers (2)

stepuntil
stepuntil cmp
stepuntil xor
nextcall cpy
nextjmp

tracecall / ftrace
tracecall
tracecall cpy,printf
tracecall -puts,fflush

traceinst / itrace
traceinst 20
traceinst cmp,xor

Other debugging helpers (3)

waitfor
waitfor
waitfor myprog -c

snapshot
snapshot save
snapshot restore

assemble
assemble $pc
  mov al, 0xb
  int 0x80
  end

procinfo
procinfo
procinfo fd

Config options

pshow
pshow
pshow option context

pset option
pset option context code,stack
pset option badchars \r\n

Edit lib/config.py for permanent changes


Python GDB scripting with PEDA (1)

Global instances

pedacmd:
  Interactive commands
  Return nothing
  e.g: pedacmd.context_register()

peda:
  Backend functions that interact with GDB
  Return values
  e.g: peda.getreg("eax")

Utilities
  e.g: to_int(), format_address()



Python GDB scripting with PEDA (2)

Getting help
pyhelp peda
pyhelp hex2str

One-liner / interactive uses

gdb-peda$ python print peda.get_vmmap()

gdb-peda$ python
>status = peda.get_status()
>while status == "BREAKPOINT":
>    peda.execute("continue")
>    status = peda.get_status()   # re-read, otherwise the loop never ends
>end


Python GDB scripting with PEDA (3)

External scripts

# myscript.py
def myrun(size):
    argv = cyclic_pattern(size)
    peda.execute("set arg %s" % argv)
    peda.execute("run")

gdb-peda$ source myscript.py
gdb-peda$ python myrun(100)


Extending PEDA (1)

PEDA structure

PEDA class: interacts with GDB, backend functions
PEDACmd class: interactive commands
Config options
Common utils / Utilities
External libraries

Extending PEDA (2)

Special functions

PEDA.execute()
PEDA.execute_redirect()
PEDACmd._is_running()
PEDACmd._missing_argument()
utils.execute_external_command()
utils.reset_cache()


Extending PEDA (3)

Writing a new interactive command
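An added example, not PEDA's own code, that ties together the scripting slides (the external `myrun` script, the continue-until-crash loop) and this one (a new interactive command). Inside gdb-peda the globals `peda` and `cyclic_pattern` exist, so the functions below can be loaded with `source`; outside GDB there is no backend, so `FakePeda` (constructed here, replaying canned stop statuses and register values) stands in for it. `RegCmd` follows the shape of a PEDACmd method as this example understands it (docstring as help text, argument check via `_missing_argument`, backend call), which is an assumption about PEDA's conventions rather than a copy of them.

```python
"""Scripting against PEDA's Python API, runnable outside GDB (added example, not PEDA's code)."""


class FakePeda:
    """Stand-in for PEDA's `peda` object: records commands, replays stop statuses."""

    def __init__(self, statuses, regs=None):
        self.log = []
        self._statuses = list(statuses)
        self.regs = regs or {}

    def execute(self, cmd):
        self.log.append(cmd)
        return True

    def get_status(self):
        # Real PEDA reports e.g. "BREAKPOINT" or a signal name; replay a canned list here.
        return self._statuses.pop(0) if self._statuses else "STOPPED"

    def getreg(self, name):
        return self.regs.get(name)


def run_with_pattern(peda, size, pattern_fn):
    """The myscript.py idea: run the debuggee with a cyclic pattern as its argument."""
    argv = pattern_fn(size)
    peda.execute("set arg %s" % argv)
    peda.execute("run")
    return argv


def continue_past_breakpoints(peda, max_steps=100):
    """The interactive loop from the slides, re-reading the status every iteration so it
    ends on a crash (and after max_steps, so a target stuck on a breakpoint cannot spin)."""
    status = peda.get_status()
    steps = 0
    while status == "BREAKPOINT" and steps < max_steps:
        peda.execute("continue")
        status = peda.get_status()
        steps += 1
    return status


class RegCmd:
    """A new interactive command in PEDACmd style (assumed shape): a method whose
    docstring is its help text, which validates its arguments and calls the backend."""

    def __init__(self, peda):
        self.peda = peda

    def _missing_argument(self):
        raise ValueError("missing argument")

    def regval(self, *arg):
        """
        Show the value of a register in hex (example command)
        Usage:
            MYNAME regname
        """
        if not arg:
            self._missing_argument()
        value = self.peda.getreg(arg[0])
        if value is None:
            return "%s: not a register" % arg[0]
        return "%s: 0x%x" % (arg[0], value)


if __name__ == "__main__":
    # Offline run: two breakpoints, then a crash with eip holding pattern bytes (constructed).
    backend = FakePeda(["BREAKPOINT", "BREAKPOINT", "SIGSEGV"], {"eip": 0x41414141})
    run_with_pattern(backend, 8, lambda n: "A" * n)
    print(continue_past_breakpoints(backend))   # SIGSEGV
    print(RegCmd(backend).regval("eip"))        # eip: 0x41414141
    print(backend.log)
```

Keeping every GDB interaction behind the `peda` parameter is what makes the script testable without a debugger: inside gdb-peda you pass the real global `peda`, elsewhere the fake, and the control flow (run, continue while stopped at a breakpoint, inspect a register) is the same in both cases.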


Future plan

More platforms: ARM support
Integration: IDA, libheap, libformat, CERT's exploitable


Thank you!
