

Using GDB for Vulnerability Developement

GDB.

Source: http://www.securiteam.com/securityreviews/5UP0B2KCKI.html




 * Start gdb:
gdb 'executable-file'
gdb ./vuln // example

gdb `executable-file` `core-file`
gdb ./vuln core // example

If the program segfaults and no core image is generated, raise the core size limit, for example:
hack@exploit:~ > ulimit -c 9999

 * Attach to a running process:

// launch gdb
hack@exploit:~ > gdb
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-suse-linux".
(gdb) attach 'pid'
(gdb) attach 1127 // example

 * Search the memory:
(gdb) x/d 'address' print in decimal (a bare x reuses the last format/size given)
(gdb) x/100s 'address' show 100 strings at address
(gdb) x 0x0804846c show decimal at 0x0804846c
(gdb) x/s 'address' show string at address
(gdb) x/10s 0x0804846c show 10 strings at 0x0804846c
(gdb) x/x 'address' show hexadecimal word at address
(gdb) x/10x 0x0804846c show 10 hexadecimal words at 0x0804846c
(gdb) x/b 0x0804846c show byte at 0x0804846c
(gdb) x/10b 0x0804846c-10 show 10 bytes at 0x0804846c-10
(gdb) x/10b 0x0804846c+20 show 10 bytes at 0x0804846c+20
(gdb) x/20i 0x0804846c show 20 assembler instructions at address
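To make the x/NFU syntax concrete, here is a small interpreter for it that runs over a constructed memory image instead of a live process. This is an added example and not part of the SecuriTeam cheat sheet; the memory contents, the base address and the names parse_spec/examine are assumptions made for the demonstration. It handles the count, the format letters x/d/u/o/s and the size letters b/h/w/g, which is enough to show why x/10b and x/10x at the same address print different things.

```python
"""Toy interpreter for gdb's `x/NFU address` examine command.
Added example, not from the original page. The memory image is constructed."""
import struct

# Constructed memory image, pretended to be mapped at BASE (assumption).
BASE = 0x0804846C
MEMORY = (
    b"/bin/sh\x00"                     # 8 bytes: first C string
    + b"hello\x00"                     # 6 bytes: second C string
    + struct.pack("<I", 0xDEADBEEF)    # little-endian 4-byte words follow
    + struct.pack("<I", 0x41414141)
    + struct.pack("<I", 7)
    + b"\x00" * 6
)

SIZE = {"b": 1, "h": 2, "w": 4, "g": 8}   # gdb size letters -> byte width
FORMATS = set("xduos")                      # subset of gdb format letters


def parse_spec(spec):
    """Parse 'x/10xb' -> (count, fmt, size).

    Defaults are count=1, fmt='x', size='w'. Real gdb remembers the last
    format and size between commands; this toy does not.
    """
    if not spec.startswith("x"):
        raise ValueError("only the x command is supported")
    rest = spec[1:]
    count, fmt, size = 1, "x", "w"
    if rest.startswith("/"):
        digits = ""
        for ch in rest[1:]:
            if ch.isdigit():
                digits += ch
            elif ch in FORMATS:
                fmt = ch
            elif ch in SIZE:
                size = ch
            else:
                raise ValueError(f"unsupported format letter {ch!r}")
        if digits:
            count = int(digits)
    return count, fmt, size


def read(addr, n):
    """Read n bytes at addr, failing like gdb does for unmapped memory."""
    off = addr - BASE
    if off < 0 or off + n > len(MEMORY):
        raise ValueError(f"Cannot access memory at address {addr:#x}")
    return MEMORY[off:off + n]


def examine(spec, addr):
    """Return a list of (address, rendered value), one entry per unit."""
    count, fmt, size = parse_spec(spec)
    out = []
    if fmt == "s":
        # x/Ns walks NUL-terminated strings; each one advances past its NUL.
        for _ in range(count):
            chunk = read(addr, len(MEMORY) - (addr - BASE))
            end = chunk.find(b"\x00")
            if end < 0:
                end = len(chunk)
            out.append((addr, chunk[:end].decode("latin-1")))
            addr += end + 1
        return out
    width = SIZE[size]
    for _ in range(count):
        raw = read(addr, width)
        val = int.from_bytes(raw, "little", signed=(fmt == "d"))
        if fmt == "x":
            text = f"0x{val:0{width * 2}x}"
        elif fmt == "o":
            text = f"0{val:o}"
        else:                       # 'd' (signed) or 'u' (unsigned)
            text = str(val)
        out.append((addr, text))
        addr += width
    return out


if __name__ == "__main__":
    for cmd, at in (("x/2s", BASE), ("x/10b", BASE), ("x/3x", BASE + 14)):
        print(f"(gdb) {cmd} {at:#x}")
        for a, v in examine(cmd, at):
            print(f"{a:#x}:\t{v}")
```

Running the module prints the two strings, then the same first ten bytes as hex bytes, then the three words starting at offset 14 rendered little-endian, which is the difference between the x/10b and x/10x lines above.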

 * Search shellcode or return address or something else on stack: 

Find anything on the stack:
(gdb) break 'your function name or address'
(gdb) break main // example
Breakpoint 1 at 0x8048409
(gdb) run
Starting program: /home/hack/homepage/challenge/buf/basic

Breakpoint 1, 0x8048409 in main ()
(gdb) x/1000s 'address' // Print 1000 strings at address
(gdb) p $esp // Show esp register

Prints the register together with its type: int, void pointer, function pointer, and so on.
$2 = (void *) 0xbffff454
(gdb) x/1000s $esp // Search 1000 strings at $esp address.
(gdb) x/1000s $esp-1000 // Search 1000 strings at $esp - 1000.
(gdb) x/1000s 0xbffff4b4 // Search 1000 strings at 0xbffff4b4

 * List all sections of executable file:
(gdb) maintenance info sections // or
(gdb) mai i s

Prints the name and permissions of each section.

Executable file:
    `/home/hack/homepage/challenge/buf/basic', file type elf32-i386.
    0x080480f4->0x08048107 at 0x000000f4: .interp ALLOC LOAD READONLY DATA HAS_CONTENTS
    0x08048108->0x08048128 at 0x00000108: .note.ABI-tag ALLOC LOAD READONLY DATA HAS_CONTENTS
    0x08048128->0x08048158 at 0x00000128: .hash ALLOC LOAD READONLY DATA HAS_CONTENTS
    0x08048158->0x080481c8 at 0x00000158: .dynsym ALLOC LOAD READONLY DATA HAS_CONTENTS
    0x080481c8->0x08048242 at 0x000001c8: .dynstr ALLOC LOAD READONLY DATA HAS_CONTENTS
    0x08048242->0x08048250 at 0x00000242: .gnu.version ALLOC LOAD READONLY DATA HAS_CONTENTS

...

 * Break at address:
(gdb) disassemble main
Dump of assembler code for function main:
0x8048400 <main>: push %ebp
0x8048401 <main+1>: mov %esp,%ebp
0x8048403 <main+3>: sub $0x408,%esp
0x8048409 <main+9>: add $0xfffffff8,%esp
0x804840c <main+12>: mov 0xc(%ebp),%eax
0x804840f <main+15>: add $0x4,%eax
0x8048412 <main+18>: mov (%eax),%edx
0x8048414 <main+20>: push %edx
0x8048415 <main+21>: lea 0xfffffc00(%ebp),%eax
...

(gdb) break *0x8048414 // example
Breakpoint 1 at 0x8048414
(gdb) break main // example
Breakpoint 2 at 0x8048409
(gdb)

 * Delete breakpoints:
(gdb) delete breakpoints // or
(gdb) d b
Delete all breakpoints? (y or n) y
(gdb)

 * Search anything in heap, bss, got, ...:
(gdb) maintenance info sections

0x08049570->0x08049588 at 0x00000570: .bss ALLOC
0x00000000->0x00000654 at 0x00000570: .stab READONLY HAS_CONTENTS
0x00000000->0x00001318 at 0x00000bc4: .stabstr READONLY HAS_CONTENTS
0x00000000->0x000000e4 at 0x00001edc: .comment READONLY HAS_CONTENTS
0x08049588->0x08049600 at 0x00001fc0: .note READONLY HAS_CONTENTS

(gdb) x/1000s 0x08049600 // print strings heap
(gdb) x/1000s 0x08049570 // print strings bss section
...
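Reading the `maintenance info sections` listing by eye gets tedious once you are asking "which section does this address fall in, and is it writable?". The following parser, an added example that is not part of the original page, turns that listing into data; the sample text is copied from the listings above, while the function names parse_sections, section_for, writable_sections and file_offset are assumptions for the demonstration. It also handles the trap visible in the listing: non-ALLOC debug sections such as .stab report 0x00000000 as their address because they are never mapped, so a naive range check would attribute every low address to them.

```python
"""Parse gdb's `maintenance info sections` output and map addresses to
sections. Added example; sample lines are from this page, the code is not."""
import re

# Sample lines taken from the page's listings (abbreviated).
SECTIONS_OUTPUT = """\
Executable file:
    `/home/hack/homepage/challenge/buf/basic', file type elf32-i386.
    0x080480f4->0x08048107 at 0x000000f4: .interp ALLOC LOAD READONLY DATA HAS_CONTENTS
    0x08048108->0x08048128 at 0x00000108: .note.ABI-tag ALLOC LOAD READONLY DATA HAS_CONTENTS
    0x08049570->0x08049588 at 0x00000570: .bss ALLOC
    0x00000000->0x00000654 at 0x00000570: .stab READONLY HAS_CONTENTS
    0x08049588->0x08049600 at 0x00001fc0: .note READONLY HAS_CONTENTS
"""

# start->end at offset: name FLAGS...
LINE_RE = re.compile(
    r"^\s*(0x[0-9a-f]+)->(0x[0-9a-f]+) at (0x[0-9a-f]+): (\S+)\s*(.*)$", re.I
)


def parse_sections(text):
    """Return one dict per section: start, end (exclusive), offset, name, flags."""
    sections = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header lines such as 'Executable file:'
        start, end, offset, name, flags = m.groups()
        sections.append({
            "start": int(start, 16),
            "end": int(end, 16),
            "offset": int(offset, 16),
            "name": name,
            "flags": frozenset(flags.split()),
        })
    return sections


def section_for(sections, addr):
    """Name of the mapped (ALLOC) section containing addr, or None.

    Sections without ALLOC (.stab, .comment, ...) are not loaded, and gdb shows
    them at 0x0, so they are skipped; otherwise any small address would
    falsely match them.
    """
    for s in sections:
        if "ALLOC" in s["flags"] and s["start"] <= addr < s["end"]:
            return s["name"]
    return None


def writable_sections(sections):
    """Mapped sections that are not READONLY: the places a memory-corruption
    bug can actually modify at runtime (.bss here)."""
    return [s["name"] for s in sections
            if "ALLOC" in s["flags"] and "READONLY" not in s["flags"]]


def file_offset(sections, addr):
    """Translate a virtual address into a byte offset inside the ELF file.
    Only valid for mapped sections that have contents on disk; .bss has none."""
    for s in sections:
        if ("ALLOC" in s["flags"] and "HAS_CONTENTS" in s["flags"]
                and s["start"] <= addr < s["end"]):
            return s["offset"] + (addr - s["start"])
    return None


if __name__ == "__main__":
    secs = parse_sections(SECTIONS_OUTPUT)
    for addr in (0x08048100, 0x08049575, 0x100):
        print(f"{addr:#010x} -> {section_for(secs, addr)} "
              f"(file offset {file_offset(secs, addr)})")
    print("writable:", writable_sections(secs))
```

In a live session the same listing can be captured with `gdb -batch -ex 'maintenance info sections' ./basic` and piped into parse_sections; the file_offset result is what you would hand to a hex editor or to `dd` to inspect the bytes that back a given address on disk.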

 * Show registers (Very useful for stack exploits):
(gdb) break main
Breakpoint 7 at 0x8048409
(gdb) r

Starting program: /home/hack/homepage/challenge/buf/basic

Breakpoint 7, 0x8048409 in main ()
(gdb) info registers
eax 0x1 1
ecx 0x8048298 134513304
edx 0x8048400 134513664
ebx 0x400f6618 1074751000
esp 0xbffff4b4 0xbffff4b4
ebp 0xbffff8bc 0xbffff8bc
esi 0x4000aa20 1073785376
edi 0xbffff924 -1073743580
eip 0x8048409 0x8048409
eflags 0x286 646
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
(gdb)

 * Get dynamic function pointer (Useful for return into libc exploits):

p <function name> - prints the address of a dynamically linked function.
(gdb) break main
Breakpoint 1 at 0x8048409
(gdb) r
Starting program: /home/hack/homepage/challenge/buf/./basic

Breakpoint 1, 0x8048409 in main ()
(gdb) p system
$1 = {<text variable, no debug info>} 0x40052460 <system>

(gdb) p strcpy
$5 = {char *(char *, char *)} 0x4006e880 <strcpy>

 * Backtrace the stack:
(gdb) backtrace
(gdb) bt

#0 0x8048476 in main ()
#1 0x40031a5e in __libc_start_main () at ../sysdeps/generic/libc-start.c:93



