```bash
-q        # No show banner
-x <file> # Auto-execute GDB instructions from here
-p <pid>  # Attach to process
```
Instructions
```bash
run # Execute
start # Start and break in main
n/next/ni # Execute next instruction (no inside)
s/step/si # Execute next instruction
c/continue # Continue until next breakpoint
p system # Find the address of the system function
set $eip = 0x12345678 # Change value of $eip
help # Get help
quit # exit

# Disassemble
disassemble main # Disassemble the function called main
disassemble 0x12345678 # Disassemble that address
set disassembly-flavor intel # Use intel syntax
set follow-fork-mode child/parent # Follow child/parent process

# Breakpoints
br func # Add breakpoint to function
br *func+23
br *0x12345678
del <NUM> # Delete that number of breakpoint
watch EXPRESSION # Break if the value changes

# info
info functions --> Info about functions
info functions func --> Info of the function
info registers --> Value of the registers
bt # Backtrace Stack
bt full # Detailed stack
print variable
print 0x87654321 - 0x12345678 # Calculate

# x/examine
examine/<num><o/x/d/u/t/i/s/c><b/h/w/g> dir_mem/reg/pointer # Shows content of <num> in <octal/hexa/decimal/unsigned/bin/instruction/ascii/char> where each entry is a <Byte/half word (2B)/Word (4B)/Giant word (8B)>
x/o 0xDir_hex
x/2x $eip # 2 Words from EIP
x/2x $eip -4 # $eip - 4
x/8xb $eip # 8 bytes (b-> byte, h-> 2bytes, w-> 4bytes, g-> 8bytes)
i r eip # Value of $eip
x/w pointer # Value of the pointer
x/s pointer # String pointed by the pointer
x/xw &pointer # Address where the pointer is located
x/i $eip # Instructions of the EIP
```
You can optionally use this fork of GEF which contains more interesting instructions.
```bash
help memory # Get help on memory command
canary # Search for canary value in memory
checksec # Check protections
p system # Find system function address
search-pattern "/bin/sh" # Search in the process memory
vmmap # Get memory mappings
xinfo <addr> # Shows page, size, perms, memory area and offset of the addr in the page
memory watch 0x784000 0x1000 byte # Add a view always showing this memory
got # Check got table
memory watch $_got()+0x18 5 # Watch a part of the got table

# Vulns detection
format-string-helper # Detect insecure format strings
heap-analysis-helper # Checks allocation and deallocations of memory chunks: NULL free, UAF, double free, heap overlap

# Patterns
pattern create 200 # Generate length 200 pattern
pattern search "avaaawaa" # Search for the offset of that substring
pattern search $rsp # Search the offset given the content of $rsp

# Shellcode
shellcode search x86 # Search shellcodes
shellcode get 61 # Download shellcode number 61

# Dump memory to file
dump binary memory /tmp/dump.bin 0x200000000 0x20000c350

# Another way to get the offset to the RIP
# 1- Put a bp after the function that overwrites the RIP and send a pattern to overwrite it
# 2- gef➤ i f
Stack level 0, frame at 0x7fffffffddd0:
 rip = 0x400cd3; saved rip = 0x6261617762616176
 called by frame at 0x7fffffffddd8
 Arglist at 0x7fffffffdcf8, args:
 Locals at 0x7fffffffdcf8, Previous frame's sp is 0x7fffffffddd0
 Saved registers:
  rbp at 0x7fffffffddc0, rip at 0x7fffffffddc8
gef➤ pattern search 0x6261617762616176
[+] Searching for '0x6261617762616176'
[+] Found at offset 184 (little-endian search) likely
```
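To see why `pattern search` reports "offset 184" for the saved rip above, here is an added Python example (not GEF's own code) that rebuilds both commands: a de Bruijn sequence over the lowercase alphabet, as GEF uses, and a search that tries the register value in both byte orders. The 4-byte cycle is an assumption chosen because it reproduces the page's numbers; the pattern of length 200 and the values searched are the ones shown on the page.

```python
import itertools
import string
from typing import Iterator, Optional, Tuple, Union

# Same alphabet GEF uses for `pattern create`.
ALPHABET = string.ascii_lowercase.encode()


def de_bruijn(alphabet: bytes, n: int) -> Iterator[int]:
    """Yield the de Bruijn sequence B(k, n) byte by byte (FKM algorithm).

    Every window of n bytes occurs exactly once, which is what makes a
    crash value uniquely locatable inside the pattern.
    """
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t: int, p: int) -> Iterator[int]:
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def pattern_create(length: int, cycle: int = 4) -> bytes:
    """Equivalent of `gef> pattern create <length>` (cycle=4 assumed)."""
    return bytes(itertools.islice(de_bruijn(ALPHABET, cycle), length))


def pattern_search(pattern: bytes, needle: Union[int, bytes, str],
                   ptr_size: int = 8) -> Optional[Tuple[int, str]]:
    """Equivalent of `gef> pattern search <value>`.

    A str/bytes needle is searched as-is. An int is treated as a register
    value: it is encoded in every pointer width it fits in and tried
    little-endian first (the expected hit on x86), then big-endian.
    Returns (offset, how_it_matched) or None when the value is not from
    the pattern at all (e.g. the crash was not caused by our input).
    """
    if isinstance(needle, str):
        needle = needle.encode()
    if isinstance(needle, bytes):
        off = pattern.find(needle)
        return (off, "raw") if off >= 0 else None

    candidates = []
    for size in sorted({4, ptr_size}):
        if needle < (1 << (8 * size)):
            candidates.append(("little-endian", needle.to_bytes(size, "little")))
            candidates.append(("big-endian", needle.to_bytes(size, "big")))
    for label, raw in candidates:
        off = pattern.find(raw)
        if off >= 0:
            return (off, label)
    return None


if __name__ == "__main__":
    pat = pattern_create(200)
    print(pat.decode())
    # The saved rip from the page's `i f` output: 0x6261617762616176
    print(pattern_search(pat, 0x6261617762616176))  # (184, 'little-endian')
    print(pattern_search(pat, "avaaawaa"))            # (83, 'raw')
```

The little-endian bytes of `0x6261617762616176` spell `vaabwaab`, which first occurs at index 184 of the 200-byte pattern, so that is how many bytes lie between the start of the overflowed buffer and the saved return address.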
Tricks
GDB same addresses
While debugging, GDB will have slightly different addresses than the ones the binary uses when it is executed. You can make GDB use the same addresses by doing:
```bash
unset env LINES
unset env COLUMNS
set env _=<path> # Put the absolute path to the binary
```
Exploit the binary using the same absolute path.
PWD and OLDPWD must be the same when using GDB and when exploiting the binary.
Backtrace to find the functions called
When you have a statically linked binary, all the functions belong to the binary (and not to external libraries). In this case it is hard to identify the flow the binary follows to, for example, request user input.
You can easily identify this flow by running the binary with gdb until it asks for input. Then stop it with CTRL+C and use the bt (backtrace) command to see the functions called:
```bash
gef➤ bt
#0 0x00000000004498ae in ?? ()
#1 0x0000000000400b90 in ?? ()
#2 0x0000000000400c1d in ?? ()
#3 0x00000000004011a9 in ?? ()
#4 0x0000000000400a5a in ?? ()
```
GDB server
```bash
gdbserver --multi 0.0.0.0:23947
```
(in IDA you have to fill in the absolute path of the executable on the Linux machine and on the Windows machine)
Ghidra
Find stack offset
Ghidra is very useful for finding the offset for a buffer overflow thanks to the information about the position of the local variables.
For example, in the example below, a buffer overflow in local_bc indicates that you need an offset of 0xbc. Moreover, if local_10 is a canary cookie, it indicates that overwriting it from local_bc takes an offset of 0xac.
Remember that the first 0x08 before where the RIP is saved belongs to the RBP.
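The arithmetic above generalises to any Ghidra frame: `local_XX` is named after its distance to the saved return address, so the distance from a buffer to any other slot is the difference of the two names, and the saved RBP sits 8 bytes before the RIP on x86-64. The following added Python example (not Ghidra's code) parses those names and also answers the question a reviewer of a crash usually asks: which slots does a write of N bytes from a given buffer actually reach. The helper names and the `local_c0` variable are assumptions for illustration; `local_bc` and `local_10` are the page's.

```python
import re
from typing import Dict, List, Optional

# Ghidra decompiler convention used on the page: local_<hex> lies <hex>
# bytes before the saved return address; saved RBP is the 8 bytes just
# before that (x86-64, frame pointer in use).
LOCAL_RE = re.compile(r"^local_([0-9a-fA-F]+)$")
SAVED_RBP_SIZE = 8


def ghidra_offset(name: str) -> int:
    """Distance in bytes from the start of `local_XX` to the saved RIP."""
    m = LOCAL_RE.match(name)
    if not m:
        raise ValueError(f"not a Ghidra local name: {name!r}")
    return int(m.group(1), 16)


def overflow_distances(buf: str, canary: Optional[str] = None) -> Dict[str, int]:
    """Bytes that must be written from `buf` before each control slot is touched."""
    to_rip = ghidra_offset(buf)
    d = {"saved_rbp": to_rip - SAVED_RBP_SIZE, "saved_rip": to_rip}
    if canary is not None:
        d["canary"] = to_rip - ghidra_offset(canary)
    return d


def clobbered(buf: str, other_locals: List[str], write_len: int) -> List[str]:
    """Slots (locals above `buf`, saved RBP, saved RIP) whose first byte is
    overwritten by a write of `write_len` bytes starting at `buf`.

    Locals that sit below the buffer (larger offset) are never reached by an
    upward overflow and are skipped.
    """
    start = ghidra_offset(buf)
    dist = {n: start - ghidra_offset(n)
            for n in other_locals if ghidra_offset(n) < start}
    dist["saved_rbp"] = start - SAVED_RBP_SIZE
    dist["saved_rip"] = start
    return sorted((n for n, d in dist.items() if d < write_len), key=dist.get)


if __name__ == "__main__":
    print(overflow_distances("local_bc", "local_10"))
    # {'saved_rbp': 180, 'saved_rip': 188, 'canary': 172}  i.e. 0xb4, 0xbc, 0xac
    # local_c0 is an assumed variable lying below the buffer.
    print(clobbered("local_bc", ["local_10", "local_c0"], 0xb0))  # ['local_10']
    print(clobbered("local_bc", ["local_10", "local_c0"], 0xbd))  # canary, rbp, rip
```

A write of 0xb0 bytes from `local_bc` already corrupts the canary (at 0xac) without reaching the saved RBP (at 0xb4), which is exactly the case where the process dies with a stack-smashing error rather than a controlled crash.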
objdump
```bash
-d --> Disassemble executable sections (see opcodes of a compiled shellcode, find ROP gadgets, find function addresses...)
-Mintel --> Intel syntax
-t --> Symbol table
-D --> Disassemble everything (address of a static variable)
-s -j .dtors --> dtors section
-s -j .got --> got section
-D -s -j .plt --> plt section disassembled
-TR --> Relocations
objdump -t --dynamic-reloc ./exec | grep puts --> Address of "puts" to modify in the GOT
objdump -D ./exec | grep "VAR_NAME" --> Address of a static variable (these are stored in the DATA section)
```
Core dumps
Run `ulimit -c unlimited` before starting my program
```bash
ldd executable | grep libc.so.6 --> Address (if ASLR, then this changes every time)
for i in `seq 0 20`; do ldd <executable> | grep libc; done --> Loop to see if the address changes a lot
readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system --> Offset of "system"
strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh --> Offset of "/bin/sh"
strace executable --> Functions called by the executable
rabin2 -i executable --> Address of all the functions
```
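The `ldd` loop above is a manual check of whether ASLR is randomising the libc base; the `readelf`/`strings` lines give offsets that are only meaningful relative to that base. The added Python example below (not part of the page's tooling) automates the same check on captured `ldd` output and turns a symbol offset into an absolute address; it also flags a base that is not page-aligned, which means the line was misparsed rather than a real mapping. The `ldd` lines and the `0x4f550` offset are constructed sample values, not taken from any real libc.

```python
import re
from typing import List, Optional

# Matches the libc line printed by `ldd ./exec | grep libc.so.6`.
LDD_RE = re.compile(r"libc\.so\.6\s*=>\s*(\S+)\s*\((0x[0-9a-fA-F]+)\)")
PAGE = 0x1000

# Constructed sample output of three separate `ldd` runs (ASLR on):
ASLR_RUNS = [
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1c2e5000)",
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f9bd4a11000)",
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1122c0a000)",
]
# Constructed sample with ASLR disabled: same base every run.
NO_ASLR_RUNS = [
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7dc5000)",
] * 3


def libc_base(ldd_line: str) -> Optional[int]:
    """Extract the libc load address from one ldd line, or None if absent."""
    m = LDD_RE.search(ldd_line)
    if not m:
        return None
    base = int(m.group(2), 16)
    if base % PAGE:
        raise ValueError(f"libc base {base:#x} is not page-aligned; bad parse?")
    return base


def aslr_active(ldd_lines: List[str]) -> bool:
    """True when libc was mapped at more than one base across the runs."""
    bases = {b for b in map(libc_base, ldd_lines) if b is not None}
    if not bases:
        raise ValueError("no libc line found in ldd output")
    return len(bases) > 1


def resolve(base: int, symbol_offset: int) -> int:
    """Absolute address of a libc symbol given its base and readelf offset."""
    return base + symbol_offset


if __name__ == "__main__":
    print("ASLR active:", aslr_active(ASLR_RUNS))      # True
    print("ASLR active:", aslr_active(NO_ASLR_RUNS))   # False
    # 0x4f550 is a constructed stand-in for `readelf -s libc.so.6 | grep system`.
    base = libc_base(NO_ASLR_RUNS[0])
    print(f"system @ {resolve(base, 0x4f550):#x}")
```

If `aslr_active` returns False on a production host, the `ldd` loop has just told you the system is running with `kernel.randomize_va_space` effectively off for that binary, which is worth raising regardless of whether a bug exists.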
Immunity Debugger
```bash
!mona modules # Get protections, look for all false except last one (Dll of SO)
!mona find -s "\xff\xe4" -m name_unsecure.dll # Search for opcodes inside dll space (JMP ESP)
```
IDA
Debugging in remote linux
Inside the IDA folder you can find binaries that can be used to debug a binary on linux. To do so, move the binary linux_server or linux_server64 to the linux server and run it inside the folder that contains the binary:
```bash
./linux_server64 -Ppass
```
Then, configure the debugger: Debugger (linux remote) --> Process options...: