Earlier I found that the pwn VM set up following 从零开始配置pwn环境:CTF PWN 做题环境-CSDN博客 had no libc, magic or similar commands; after looking into it I found that Pwngdb was not installed, and the problem was solved as follows:
cd ~/
git clone https://github.com/scwuaptx/Pwngdb.git
gedit ~/.gdbinit
Add these three lines to ~/.gdbinit (the pwndbg path below is the author's own install path; adjust it to yours):
source /home/giantbranch/pwndbg/gdbinit.py
source ~/peda/peda.py
source ~/Pwngdb/pwngdb.py
Pwngdb provides the following commands:
libc : Print the base address of libc
ld : Print the base address of ld
codebase : Print the base of code segment
heap : Print the base of heap
got : Print the Global Offset Table information
dyn : Print the Dynamic section information
findcall : Find some function call
bcall : Set the breakpoint at some function call
tls : Print the thread local storage address
at : Attach by process name
findsyscall : Find the syscall
fmtarg : Calculate the index of format string
You need to stop on printf which has vulnerability.
force : Calculate the nb in the house of force.
heapinfo : Print some information of heap
heapinfo (Address of arena)
default is the arena of current thread
If tcache is enabled, it will show information of the tcache entries
heapinfoall : Print some information of heap (all threads)
arenainfo : Print some information of all arenas
chunkinfo: Print the information of chunk
chunkinfo (Address of victim)
chunkptr : Print the information of chunk
chunkptr (Address of user ptr)
mergeinfo : Print the information of merge
mergeinfo (Address of victim)
printfastbin : Print some information of fastbin
tracemalloc on : Trace malloc and free and detect some errors.
You need to run the process first, then tracemalloc on; it will record all of the malloc and free calls.
You can set DEBUG in pwngdb.py, then it will print all of the malloc and free information, as in the screenshot.
parseheap : Parse heap layout
magic : Print useful variable and function in glibc
fp : show FILE structure
fp (Address of FILE)
fpchain: show linked list of FILE
orange : Test house of orange condition in the _IO_flush_lockp
orange (Address of FILE)
glibc version <= 2.23
With Pwngdb loaded, the libc and magic commands now work, as this session shows:
giantbranch@ubuntu:~/Re/3$ gdb ./wdb_2018_2nd_easyfmt
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
pwndbg: loaded 175 commands. Type pwndbg [filter] for a list.
pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
Reading symbols from ./wdb_2018_2nd_easyfmt...(no debugging symbols found)...done.
gdb-peda$ r
Starting program: /home/giantbranch/Re/3/wdb_2018_2nd_easyfmt
Do you know repeater?
AAAA.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.
AAAA.0xffffcf98.0x64.0xf7ffdc08.0xf7ffcd00.0xffffd0bc.0x41414141.0x2e70252e.0x252e7025.0x70252e70.0x2e70252e.0x252e7025.0x70252e70.0x2e70252e.0x252e7025.0x70252e70.
c
c
AA.0xffffcf98.0x64.0xf7ffdc08.0xf7ffcd00.0xffffd0bc.0x41410a63.0x2e70252e.0x252e7025.0x70252e70.0x2e70252e.0x252e7025.0x70252e70.0x2e70252e.0x252e7025.0x70252e70.
^C
Program received signal SIGINT, Interrupt.
[----------------------------------registers-----------------------------------]
EAX: 0xfffffe00
EBX: 0x0
ECX: 0xffffcf98 ("c\nAA.%p.%p.%p.%"...)
EDX: 0x64 ('d')
ESI: 0xf7fb7000 --> 0x1b2db0
EDI: 0xf7fb7000 --> 0x1b2db0
EBP: 0xffffd008 --> 0x0
ESP: 0xffffcf68 --> 0xffffd008 --> 0x0
EIP: 0xf7fd7fd9 (<__kernel_vsyscall+9>: pop ebp)
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0xf7fd7fd3 <__kernel_vsyscall+3>: mov ebp,ecx
0xf7fd7fd5 <__kernel_vsyscall+5>: syscall
0xf7fd7fd7 <__kernel_vsyscall+7>: int 0x80
=> 0xf7fd7fd9 <__kernel_vsyscall+9>: pop ebp
0xf7fd7fda <__kernel_vsyscall+10>: pop edx
0xf7fd7fdb <__kernel_vsyscall+11>: pop ecx
0xf7fd7fdc <__kernel_vsyscall+12>: ret
0xf7fd7fdd: nop
[------------------------------------stack-------------------------------------]
0000| 0xffffcf68 --> 0xffffd008 --> 0x0
0004| 0xffffcf6c --> 0x64 ('d')
0008| 0xffffcf70 --> 0xffffcf98 ("c\nAA.%p.%p.%p.%"...)
0012| 0xffffcf74 --> 0xf7ed9c43 (<__read_nocancel+25>: pop ebx)
0016| 0xffffcf78 --> 0x0
0020| 0xffffcf7c --> 0x80485c0 (<main+117>: add esp,0x10)
0024| 0xffffcf80 --> 0x0
0028| 0xffffcf84 --> 0xffffcf98 ("c\nAA.%p.%p.%p.%"...)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGINT
0xf7fd7fd9 in __kernel_vsyscall ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────────────────────────────────────────────
EAX 0xfffffe00
EBX 0x0
ECX 0xffffcf98 ◂— 0x41410a63 ('c\nAA')
EDX 0x64
EDI 0xf7fb7000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0
ESI 0xf7fb7000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0
EBP 0xffffd008 ◂— 0x0
ESP 0xffffcf68 —▸ 0xffffd008 ◂— 0x0
EIP 0xf7fd7fd9 (__kernel_vsyscall+9) ◂— pop ebp
──────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────
► 0xf7fd7fd9 <__kernel_vsyscall+9> pop ebp
0xf7fd7fda <__kernel_vsyscall+10> pop edx
0xf7fd7fdb <__kernel_vsyscall+11> pop ecx
0xf7fd7fdc <__kernel_vsyscall+12> ret
↓
0xf7ed9c43 <__read_nocancel+25> pop ebx
0xf7ed9c44 <__read_nocancel+26> cmp eax, 0xfffff001
0xf7ed9c49 <__read_nocancel+31> jae __syscall_error <0xf7e1c740>
↓
0xf7e1c740 <__syscall_error> call __x86.get_pc_thunk.dx <0xf7f23c7d>
0xf7e1c745 <__syscall_error+5> add edx, 0x19a8bb
0xf7e1c74b <__syscall_error+11> mov ecx, dword ptr gs:[0]
0xf7e1c752 <__syscall_error+18> neg eax
──────────────────────────────────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────────────────────────────────────
00:0000│ esp 0xffffcf68 —▸ 0xffffd008 ◂— 0x0
01:0004│ 0xffffcf6c ◂— 0x64 /* 'd' */
02:0008│ 0xffffcf70 —▸ 0xffffcf98 ◂— 0x41410a63 ('c\nAA')
03:000c│ 0xffffcf74 —▸ 0xf7ed9c43 (__read_nocancel+25) ◂— pop ebx
04:0010│ 0xffffcf78 ◂— 0x0
05:0014│ 0xffffcf7c —▸ 0x80485c0 (main+117) ◂— add esp, 0x10
06:0018│ 0xffffcf80 ◂— 0x0
07:001c│ 0xffffcf84 —▸ 0xffffcf98 ◂— 0x41410a63 ('c\nAA')
────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────────────────────────────────────────────
► f 0 f7fd7fd9 __kernel_vsyscall+9
f 1 f7ed9c43 __read_nocancel+25
f 2 80485c0 main+117
f 3 f7e1c647 __libc_start_main+247
Program received signal SIGINT
gdb-peda$ libc
libc : 0xf7e04000
gdb-peda$ magic
========== function ==========
system:0x3adb0
execve:0xb08c0
open:0xd5810
read:0xd5c20
write:0xd5c90
gets:0x5f3f0
setcontext+0x35:0x3d105
========== variables ==========
__malloc_hook(0x1b3768) : 0xf7e76380
__free_hook(0x1b48b0) : 0x00000000
__realloc_hook(0x1b3764) : 0xf7e763d0
stdin(-0xefdb9fa0) : 0xf7fb75a0
stdout(-0xefdb9f9c) : 0xf7fb7d60
_IO_list_all(0x1b3ca0) : 0xf7fb7cc0
__after_morecore_hook(0x1b48ac) : 0x00000000
gdb-peda$
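As an added example (not code from the post or from Pwngdb), this Python script parses the `libc` and `magic` output above and resolves each symbol to an absolute address; the sample input is constructed from the session shown. It also flags the negative offsets: base + (-0xefdb9fa0) is 0x804a060, which lies in the non-PIE binary's own data segment rather than in libc (consistent with copy relocation of stdin/stdout, an interpretation the post itself does not state).

```python
import re

# Constructed sample input: the `libc` / `magic` output from the session above (trimmed).
SESSION = """\
gdb-peda$ libc
libc : 0xf7e04000
gdb-peda$ magic
========== function ==========
system:0x3adb0
setcontext+0x35:0x3d105
========== variables ==========
__malloc_hook(0x1b3768) : 0xf7e76380
__free_hook(0x1b48b0) : 0x00000000
stdin(-0xefdb9fa0) : 0xf7fb75a0
stdout(-0xefdb9f9c) : 0xf7fb7d60
"""

LIBC_RE = re.compile(r"^libc\s*:\s*(0x[0-9a-f]+)$")                     # libc : <base>
FUNC_RE = re.compile(r"^([\w.]+(?:\+0x[0-9a-f]+)?):(0x[0-9a-f]+)$")     # name:<offset>
VAR_RE = re.compile(r"^(\w+)\((-?0x[0-9a-f]+)\)\s*:\s*(0x[0-9a-f]+)$")  # name(<offset>) : <value>

def parse_magic(text):
    """Return (libc_base, {symbol: (offset, current value or None)})."""
    base, entries = None, {}
    for line in text.splitlines():
        line = line.strip()
        if m := LIBC_RE.match(line):
            base = int(m.group(1), 16)
        elif m := FUNC_RE.match(line):
            entries[m.group(1)] = (int(m.group(2), 16), None)
        elif m := VAR_RE.match(line):
            entries[m.group(1)] = (int(m.group(2), 16), int(m.group(3), 16))
    if base is None:
        raise ValueError("no 'libc : <base>' line; run `libc` before `magic`")
    return base, entries

def resolve(base, entries):
    """Absolute address of each symbol in this 32-bit process (mask to 32 bits).
    A negative offset did not resolve inside libc: base - 0xefdb9fa0 = 0x804a060, the
    non-PIE binary's .bss, where copy-relocated stdin/stdout live (my interpretation)."""
    return {name: {"addr": (base + off) & 0xffffffff, "in_libc": off >= 0, "value": val}
            for name, (off, val) in entries.items()}

def resolve_session(text=SESSION):
    return resolve(*parse_magic(text))

if __name__ == "__main__":
    for name, r in resolve_session().items():
        print(f"{name:18s} {r['addr']:#010x}  {'libc' if r['in_libc'] else 'binary'}")
```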