```bash
-q # Don't show the banner
-x <file> # Auto-execute GDB instructions from this file
-p <pid> # Attach to process
```
Instructions
```bash
run # Execute
start # Start and break in main
n/next/ni # Execute next instruction (step over, don't enter calls)
s/step/si # Execute next instruction (step into calls)
c/continue # Continue until next breakpoint
p system # Find the address of the system function
set $eip = 0x12345678 # Change value of $eip
help # Get help
quit # exit

# Disassemble
disassemble main # Disassemble the function called main
disassemble 0x12345678 # Disassemble that address
set disassembly-flavor intel # Use intel syntax
set follow-fork-mode child/parent # Follow child/parent process

# Breakpoints
br func # Add breakpoint to function
br *func+23
br *0x12345678
del <NUM> # Delete the breakpoint with that number
watch EXPRESSION # Break if the value changes

# info
info functions --> Info about functions
info functions func --> Info of the function
info registers --> Value of the registers
bt # Backtrace Stack
bt full # Detailed stack
print variable
print 0x87654321 - 0x12345678 # Calculate

# x/examine
examine/<num><o/x/d/u/t/i/s/c><b/h/w/g> dir_mem/reg/pointer # Shows content of <num> in <octal/hexa/decimal/unsigned/bin/instruction/ascii/char> where each entry is a <Byte/half word (2B)/Word (4B)/Giant word (8B)>
x/o 0xDir_hex
x/2x $eip # 2 Words from EIP
x/2x $eip -4 # $eip - 4
x/8xb $eip # 8 bytes (b-> byte, h-> 2bytes, w-> 4bytes, g-> 8bytes)
i r eip # Value of $eip
x/w pointer # Value of the pointer
x/s pointer # String pointed by the pointer
x/xw &pointer # Address where the pointer is located
x/i $eip # Instructions of the EIP
```
Optionally you can use this fork of GEF, which contains more interesting instructions.
```bash
help memory # Get help on memory command
canary # Search for canary value in memory
checksec # Check protections
p system # Find system function address
search-pattern "/bin/sh" # Search in the process memory
vmmap # Get memory mappings
xinfo <addr> # Shows page, size, perms, memory area and offset of the addr in the page
memory watch 0x784000 0x1000 byte # Add a view always showing this memory
got # Check got table
memory watch $_got()+0x18 5 # Watch a part of the got table

# Vulns detection
format-string-helper # Detect insecure format strings
heap-analysis-helper # Checks allocation and deallocations of memory chunks: NULL free, UAF, double free, heap overlap

# Patterns
pattern create 200 # Generate length 200 pattern
pattern search "avaaawaa" # Search for the offset of that substring
pattern search $rsp # Search the offset given the content of $rsp

# Shellcode
shellcode search x86 # Search shellcodes
shellcode get 61 # Download shellcode number 61

# Dump memory to file
dump binary memory /tmp/dump.bin 0x200000000 0x20000c350

# Another way to get the offset to the RIP
1- Put a bp after the function that overwrites the RIP and send a pattern to overwrite it
2- Inspect the frame and search the saved rip value in the pattern:
gef➤ i f
Stack level 0, frame at 0x7fffffffddd0:
 rip = 0x400cd3; saved rip = 0x6261617762616176
 called by frame at 0x7fffffffddd8
 Arglist at 0x7fffffffdcf8, args:
 Locals at 0x7fffffffdcf8, Previous frame's sp is 0x7fffffffddd0
 Saved registers:
  rbp at 0x7fffffffddc0, rip at 0x7fffffffddc8
gef➤ pattern search 0x6261617762616176
[+] Searching for '0x6261617762616176'
[+] Found at offset 184 (little-endian search) likely
```
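The pattern create / pattern search offset trick shown above, re-implemented as an added Python example (this is not GEF's own code; it assumes GEF's patterns are the standard de Bruijn sequence over a-z, so the offsets it returns match what `pattern search` reports):

```python
import itertools
import string

ALPHABET = string.ascii_lowercase  # GEF builds its patterns over a-z

def de_bruijn(alphabet: str, n: int):
    """Standard FKM de Bruijn sequence B(k, n): every n-symbol window of the
    output occurs exactly once, which is what makes an offset unambiguous."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t: int, p: int):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)

def pattern_create(length: int, cycle: int = 4) -> bytes:
    """`pattern create <length>`; `cycle` is the register width (4 on x86,
    8 on x86-64), so use cycle=8 for the 64-bit saved-rip case on the page."""
    return "".join(itertools.islice(de_bruijn(ALPHABET, cycle), length)).encode()

def pattern_search(needle, length: int = 200, cycle: int = 4):
    """`pattern search <needle>`: needle is a substring from the crash (str or
    bytes) or the integer a register now holds; integers are tried
    little-endian first, as GEF reports. Returns (offset, how) or None."""
    pat = pattern_create(length, cycle)
    if isinstance(needle, str):
        needle = needle.encode()
    if isinstance(needle, bytes):
        off = pat.find(needle)
        return None if off < 0 else (off, "substring")
    for endian in ("little", "big"):
        off = pat.find(needle.to_bytes(cycle, endian))
        if off >= 0:
            return (off, endian)
    return None

# Constructed scenario: pattern_create(200) was sent to a 32-bit program and
# EIP now reads 0x61616176 -> pattern_search(0x61616176) gives (84, "little").
```

The substring form answers the page's `pattern search "avaaawaa"` (offset 83 in the default 4-byte pattern); the integer form is what you use after reading the saved return address out of `i f`.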
Tricks
GDB same addresses
While debugging, GDB will have slightly different addresses from the ones the binary uses when it is executed. You can make GDB use the same addresses as follows:
```bash
unset env LINES
unset env COLUMNS
set env _=<path> # Put the absolute path to the binary
```
Exploit the binary using the same absolute path
PWD and OLDPWD must be the same when using GDB and when exploiting the binary
Backtrace to find called functions
When you have a statically linked binary, all the functions belong to the binary itself (and not to external libraries). In this case it is hard to identify the flow the binary follows to, for example, request user input.
You can easily identify this flow by running the binary with gdb until it asks you for input. Then stop it with CTRL+C and use the bt (backtrace) command to see the functions that were called:
```bash
gef➤ bt
#0 0x00000000004498ae in ?? ()
#1 0x0000000000400b90 in ?? ()
#2 0x0000000000400c1d in ?? ()
#3 0x00000000004011a9 in ?? ()
#4 0x0000000000400a5a in ?? ()
```
GDB server
gdbserver --multi 0.0.0.0:23947 (in IDA you have to fill in the absolute path of the executable on the Linux machine and on the Windows machine)
Ghidra
Finding the stack offset
Ghidra is very useful for finding the offset for a buffer overflow thanks to the information about the position of the local variables.
For example, in the example below, a buffer overflow in local_bc indicates that an offset of 0xbc is needed. Moreover, if local_10 is the canary cookie, it indicates that there is an offset of 0xac to overwrite it from local_bc.
Remember that the first 0x08 bytes from where the RIP is saved belong to the RBP.
```bash
gcc -fno-stack-protector -D_FORTIFY_SOURCE=0 -z norelro -z execstack 1.2.c -o 1.2 --> Compile without protections
-o --> Output
-g --> Keep debug info (GDB will be able to see it)
echo 0 > /proc/sys/kernel/randomize_va_space --> Deactivate ASLR in Linux
```
To compile shellcode:
```bash
nasm -f elf assembly.asm --> returns a ".o"
ld assembly.o -o shellcodeout --> Executable
```
```bash
ldd executable | grep libc.so.6 --> Address (if ASLR is on, this changes every time)
for i in `seq 0 20`; do ldd <Executable> | grep libc; done --> Loop to see whether the address changes
readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system --> Offset of "system"
strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh --> Offset of "/bin/sh"
strace executable --> Functions called by the executable
rabin2 -i executable --> Address of all the functions
```
Immunity Debugger
```bash
!mona modules # Get protections, look for all false except last one (Dll of SO)
!mona find -s "\xff\xe4" -m name_unsecure.dll # Search for opcodes inside dll space (JMP ESP)
```
IDA
Debugging in remote Linux
Inside the IDA folder you can find binaries that can be used to debug a binary inside Linux. To do so, move the binary linux_server or linux_server64 to the Linux server and run it inside the folder that contains the binary: