
Pwn

pwntools

sudo apt-get update
sudo apt-get install python3 python3-pip python3-dev git libssl-dev libffi-dev build-essential -y
python3 -m pip install --upgrade pip
python3 -m pip install --upgrade pwntools

Open python, type from pwn import * and check that it produces no error.

gdb

sudo apt install gdb -y

peda/pwndbg/gef

These are the three common gdb plugins; used together with gdb they make debugging noticeably more efficient.

pwndbg

cd ~
git clone https://github.com/pwndbg/pwndbg
cd pwndbg
./setup.sh

peda

cd ~
git clone https://github.com/longld/peda.git ~/peda
echo "source ~/peda/peda.py" >> ~/.gdbinit
echo "DONE! debug your program with gdb and enjoy"

gef

cd ~
wget -q -O ~/.gdbinit-gef.py https://github.com/hugsy/gef/raw/master/gef.py
echo source ~/.gdbinit-gef.py >> ~/.gdbinit

Switching gdb plugins

vim ~/.gdbinit
# comment out everything in the file
cd /usr/local/sbin
sudo touch gdb.sh
sudo vim gdb.sh

Paste the script below:

#!/bin/bash
# Switch the gdb plugin loaded from ~/.gdbinit, then start gdb with the given arguments.
gdbinitfile=~/.gdbinit                # adjust this path to your setup
# gdbinitfile=/root/Desktop/mode

peda="source ~/peda/peda.py"          # adjust this path to your setup
gef="source ~/.gdbinit-gef.py"        # adjust this path to your setup
pwndbg="source ~/pwndbg/gdbinit.py"   # adjust this path to your setup

# Marker line that must exist in .gdbinit; the script manages the line two lines below it.
marker="#this place is controled by user's shell"   # must match the line in your own .gdbinit

Mode_change() {
    name=$1
    # Line number of the first marker match
    number=$(grep -n -F -- "$marker" "$gdbinitfile" | head -n 1 | cut -d: -f1)
    if [ -z "$number" ]; then
        echo "Marker line not found in $gdbinitfile, leaving it unchanged."
        return 1
    fi
    location=$((number + 2))

    # sed 'c' replaces the managed line in place, so the file keeps its layout
    # even when that line is the last one in the file.
    case "$name" in
        1) sed -i "${location}c $peda" "$gdbinitfile"
           echo -e "Please enjoy the peda!\n" ;;
        2) sed -i "${location}c $gef" "$gdbinitfile"
           echo -e "Please enjoy the gef!\n" ;;
        3) sed -i "${location}c $pwndbg" "$gdbinitfile"
           echo -e "Please enjoy the pwndbg!\n" ;;
        *) sed -i "${location}c # pure gdb, no plugin loaded" "$gdbinitfile"
           echo -e "Please enjoy pure gdb!" ;;
    esac
}

echo -e "Please choose one mode of GDB?\n1.peda 2.gef 3.pwndbg 4.pure_gdb"

read -p "Input your choice:" num

case "$num" in
    1|2|3|4) Mode_change "$num" ;;
    *) echo -e "Error!\nPlease input a valid number!" ;;
esac

gdb "$@"

Make it executable

sudo chmod 755 gdb.sh   # executable for everyone, writable only by root; a world-writable (777) script in /usr/local/sbin could be edited by any local user

After that it can be used like this:

g4ti0r@XiaoxinPro13:~$ gdb.sh
Please choose one mode of GDB?
1.peda 2.gef 3.pwndbg 4.pure_gdb
Input your choice:3
Please enjoy the pwndbg!

pwndbg>
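The gdb.sh switcher above finds the marker comment in ~/.gdbinit and rewrites the line two lines below it, but the post never shows how to create that layout, and with the marker absent a plain "marker line + 2" edit would hit an arbitrary line. The helpers below are an added example, not part of the original post: they create the expected layout once, refuse to edit a file without the marker, and report which plugin is active; the marker text and plugin paths are assumed to match gdb.sh.

```shell
#!/bin/bash
# Added example (not from the original post): create the .gdbinit layout that
# gdb.sh expects and inspect it. Assumed layout: marker line, one spacer line,
# then the managed "source" line two lines below the marker.
# Usage: init_gdbinit ~/.gdbinit; current_plugin ~/.gdbinit

MARKER="#this place is controled by user's shell"   # must match the string in gdb.sh

# Line number of the first marker match, empty if the marker is absent.
marker_line() {
    grep -n -F -- "$MARKER" "$1" | head -n 1 | cut -d: -f1
}

# init_gdbinit FILE: append the marker block once; safe to run repeatedly.
init_gdbinit() {
    if [ -f "$1" ] && [ -n "$(marker_line "$1")" ]; then
        return 0
    fi
    printf '%s\n%s\n%s\n' "$MARKER" \
        "# the next line is managed by gdb.sh" \
        "# pure gdb, no plugin loaded" >> "$1"
}

# set_plugin FILE "source ..." : replace the managed line in place.
# Refuses to touch the file when the marker is missing, instead of editing
# whatever happens to sit at "line 2".
set_plugin() {
    number=$(marker_line "$1")
    [ -n "$number" ] || return 1
    sed -i "$((number + 2))c $2" "$1"
}

# current_plugin FILE: print peda, gef, pwndbg, none or no-marker.
current_plugin() {
    number=$(marker_line "$1")
    if [ -z "$number" ]; then
        echo no-marker
        return 1
    fi
    case "$(sed -n "$((number + 2))p" "$1")" in
        source*peda*)   echo peda ;;
        source*gef*)    echo gef ;;
        source*pwndbg*) echo pwndbg ;;
        *)              echo none ;;
    esac
}
```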

32-bit program support

sudo apt-get install libc6-dev-i386 -y

qemu for an ARM pwn environment

sudo apt-get install qemu qemu-system qemu-user-static binfmt-support -y

Install the dependencies:

sudo apt-get install -y gcc-arm-linux-gnueabi

sudo apt-get install qemu libncurses5-dev gcc-arm-linux-gnueabi build-essential synaptic gcc-aarch64-linux-gnu -y

LibcSearcher

A library for finding the offsets of libc functions from a leaked address; recommended, as it saves time and improves efficiency.

sudo python3 -m pip install capstone
cd ~
git clone https://github.com/lieanu/LibcSearcher.git
cd LibcSearcher
sudo python3 setup.py develop

ROPgadget and one_gadget

ROPgadget is used to find gadgets; one_gadget finds the places in libc where a single gadget calls execve('/bin/sh', NULL, NULL), so one gadget is enough to get a shell. Both are recommended.

# First install Capstone, a lightweight disassembly framework supporting multiple platforms and architectures.
sudo apt-get install python3-capstone -y

# Install ROPgadget
cd ~
git clone https://github.com/JonathanSalwan/ROPgadget.git

# Enter the directory
cd ROPgadget

# With ROPgadget downloaded and extracted, run the install from inside its folder
sudo python3 setup.py install

# Install one_gadget
sudo apt install ruby -y
sudo gem install one_gadget

Finally:

sudo apt-get update
sudo apt-get upgrade -y




Unless otherwise stated, all articles on this blog are licensed under CC BY-NC-SA 4.0; please credit the source when reposting.