linux下pwn常用的命令

查看文件

持续更新的文章 因为一时半会总结不出来 用到多少写多少吧

这里用rop做例子
查看文件 32位文件
xfgg@ubuntu:~/Downloads$ file rop
rop: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-, for GNU/Linux 2.6.24, BuildID[sha1]=a6c3ab368d8cd315e3bb2b970556ed0510bca094, not stripped

查看文件保护机制
xfgg@ubuntu:~/Downloads$ file rop
rop: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-, for GNU/Linux 2.6.24, BuildID[sha1]=a6c3ab368d8cd315e3bb2b970556ed0510bca094, not stripped

分析文件调用了哪些系统调用
strace ./rop
execve("./rop", ["./rop"], 0x7ffe697d85e0 /* 55 vars */) = -1 ENOENT (No such file or directory)
fstat(2, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
write(2, "strace: exec: No such file or di"..., 40strace: exec: No such file or directory
) = 40
getpid() = 2180
exit_group(1) = ?
+++ exited with 1 +++
我这里出现了问题,一直提示没有这个文件。
原因是在 64 位系统上运行 32 位文件,缺少 32 位运行库:execve 返回的 ENOENT 指的并不是 ./rop 本身,而是它依赖的 32 位动态加载器/库文件(file 输出中的 interpreter /lib/ld-)找不到。
sudo apt-get install lib32stdc++6 即可
重新来一次

xfgg@ubuntu:~/Desktop$ strace ./rop
execve("./rop", ["./rop"], 0x7fff2dbf80f0 /* 51 vars */) = 0
strace: [ Process PID=2479 runs in 32 bit mode. ]
brk(NULL) = 0x8634000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf7f58000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=80654, ...}) = 0
mmap2(NULL, 80654, PROT_READ, MAP_PRIVATE, 3, 0) = 0xf7f44000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib32/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0\220\1\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1926828, ...}) = 0
mmap2(NULL, 1935900, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xf7d6b000
mprotect(0xf7f3d000, 4096, PROT_NONE) = 0
mmap2(0xf7f3e000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1d2000) = 0xf7f3e000
mmap2(0xf7f41000, 10780, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xf7f41000
close(3) = 0
set_thread_area({entry_number=-1, base_addr=0xf7f590c0, limit=0x0fffff, seg_32bit=1, contents=0, read_exec_only=0, limit_in_pages=1, seg_not_present=0, useable=1}) = 0 (entry_number=12)
mprotect(0xf7f3e000, 8192, PROT_READ) = 0
mprotect(0x8049000, 4096, PROT_READ) = 0
mprotect(0xf7f85000, 4096, PROT_READ) = 0
munmap(0xf7f44000, 80654) = 0
getegid32() = 1000
setresgid32(1000, 1000, 1000) = 0
read(0,
"\n", 256) = 1
write(1, "Hello, World\n", 13Hello, World
) = 13
exit_group(13) = ?
+++ exited with 13 +++
成功了 我还看不太懂这个 慢慢研究了

查看libc文件的位置和地址
xfgg@ubuntu:~/Desktop$ ldd rop
linux-gate.so.1 (0xf7fc1000)
libc.so.6 => /lib32/libc.so.6 (0xf7dcf000)
/lib/ld-linux.so.2 (0xf7fc3000)

给文件加上可执行权限(让它能够运行)

xfgg@ubuntu:~/Desktop$ chmod 777 rop

gdb的运用

root@ubuntu:/home/xfgg/Downloads# gdb rop
GNU gdb (Ubuntu 8.1-0ubuntu3) 8.1.0.20180409-git
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from rop...(no debugging symbols found)...done.
(gdb)

开启文件
安装 peda
$ git clone https://github.com/longld/peda.git ~/peda
$ echo "source ~/peda/peda.py" >> ~/.gdbinit

gdb-peda$ b main
Breakpoint 2 at 0x80484c9
gdb-peda$ start

[----------------------------------registers-----------------------------------]
EAX: 0xf7fb8dd8 --> 0xffffd16c --> 0xffffd344 ("CLUTTER_IM_MODULE=xim")
EBX: 0x0
ECX: 0x20fd0adc
EDX: 0xffffd0f4 --> 0x0
ESI: 0xf7fb7000 --> 0x1d4d6c
EDI: 0x0
EBP: 0xffffd0c8 --> 0x0
ESP: 0xffffd0c8 --> 0x0
EIP: 0x80484c9 (<main+3>: and esp,0xfffffff0)
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x80484c5 <be_nice_to_people+40>: ret
0x80484c6 <main>: push ebp
0x80484c7 <main+1>: mov ebp,esp
=> 0x80484c9 <main+3>: and esp,0xfffffff0
0x80484cc <main+6>: sub esp,0x10
0x80484cf <main+9>: call 0x804849d <be_nice_to_people>
0x80484d4 <main+14>: call 0x8048474 <vulnerable_function>
0x80484d9 <main+19>: mov DWORD PTR [esp+0x8],0xd
[------------------------------------stack-------------------------------------]
0000| 0xffffd0c8 --> 0x0
0004| 0xffffd0cc --> 0xf7dfae81 (<__libc_start_main+241>: add esp,0x10)
0008| 0xffffd0d0 --> 0x1
0012| 0xffffd0d4 --> 0xffffd164 --> 0xffffd32b ("/home/xfgg/Downloads/rop")
0016| 0xffffd0d8 --> 0xffffd16c --> 0xffffd344 ("CLUTTER_IM_MODULE=xim")
0020| 0xffffd0dc --> 0xffffd0f4 --> 0x0
0024| 0xffffd0e0 --> 0x1
0028| 0xffffd0e4 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 2, 0x080484c9 in main ()
gdb-peda$


下断点运行

(gdb) disassemble main
Dump of assembler code for function main:
0x080484c6 <+0>: push %ebp
0x080484c7 <+1>: mov %esp,%ebp
=> 0x080484c9 <+3>: and $0xfffffff0,%esp
0x080484cc <+6>: sub $0x10,%esp
0x080484cf <+9>: call 0x804849d <be_nice_to_people>
0x080484d4 <+14>: call 0x8048474 <vulnerable_function>
0x080484d9 <+19>: movl $0xd,0x8(%esp)
0x080484e1 <+27>: movl $0x80485d0,0x4(%esp)
0x080484e9 <+35>: movl $0x1,(%esp)
0x080484f0 <+42>: call 0x80483a0 <write@plt>
0x080484f5 <+47>: leave
0x080484f6 <+48>: ret
End of assembler dump.
(gdb)

反汇编函数


用 pattern 暴力确定 padding 长度,实在找不到 padding 的时候再用

gdb-peda$ pattern_create 150
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAA'
gdb-peda$ r
Starting program: /home/xfgg/Downloads/rop
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAA'

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
EAX: 0x99
EBX: 0x0
ECX: 0xffffcff0 ("'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAA'\n\205\004\b")
EDX: 0x100
ESI: 0xf7fb7000 --> 0x1d4d6c
EDI: 0x0
EBP: 0x5141416c ('lAAQ')
ESP: 0xffffd080 ("ARAAoAA'\n\205\004\b")
EIP: 0x416d4141 ('AAmA')
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x416d4141
[------------------------------------stack-------------------------------------]
0000| 0xffffd080 ("ARAAoAA'\n\205\004\b")
0004| 0xffffd084 ("oAA'\n\205\004\b")
0008| 0xffffd088 --> 0x804850a (<__libc_csu_init+10>: ret)
0012| 0xffffd08c --> 0x0
0016| 0xffffd090 --> 0xf7fb7000 --> 0x1d4d6c
0020| 0xffffd094 --> 0xf7fb7000 --> 0x1d4d6c
0024| 0xffffd098 --> 0x0
0028| 0xffffd09c --> 0xf7dfae81 (<__libc_start_main+241>: add esp,0x10)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x416d4141 in ?? ()
gdb-peda$ pattern_offset 0x416d4141
1097679169 found at offset: 139

padding为139

ROP的运用


