00
OrbStack虚拟机
主要是耗能低,mac intel上使用基本上不发烫
ubuntu 20.04 国内更新源
sudo gedit /etc/apt/sources.list
deb / focal main restricted universe multiverse
deb / focal-security main restricted universe multiverse
deb / focal-updates main restricted universe multiverse
deb / focal-proposed main restricted universe multiverse
deb / focal-backports main restricted universe multiverse
deb-src / focal main restricted universe multiverse
deb-src / focal-security main restricted universe multiverse
deb-src / focal-updates main restricted universe multiverse
deb-src / focal-proposed main restricted universe multiverse
deb-src / focal-backports main restricted universe multiverse
deb / focal main restricted universe multiverse
deb / focal-security main restricted universe multiverse
deb / focal-updates main restricted universe multiverse
deb / focal-proposed main restricted universe multiverse
deb / focal-backports main restricted universe multiverse
deb-src / focal main restricted universe multiverse
deb-src / focal-security main restricted universe multiverse
deb-src / focal-updates main restricted universe multiverse
deb-src / focal-proposed main restricted universe multiverse
deb-src / focal-backports main restricted universe multiverse
deb / focal main restricted universe multiverse
deb / focal-updates main restricted universe multiverse
deb / focal-backports main restricted universe multiverse
deb / focal-security main restricted universe multiverse
deb / focal-proposed main restricted universe multiverse
deb-src / focal main restricted universe multiverse
deb-src / focal-updates main restricted universe multiverse
deb-src / focal-backports main restricted universe multiverse
deb-src / focal-security main restricted universe multiverse
deb-src / focal-proposed main restricted universe multiverse
部分Ubuntu系统代号
lsb_release -a
Ubuntu 16.04 代号为: xenial
Ubuntu 17.04 代号为: zesty
Ubuntu 18.04 代号为: bionic
Ubuntu 19.04 代号为: disco
Ubuntu 20.04 代号为: focal
Ubuntu 22.04 代号为: jammy
Ubuntu 22.10 代号为: kinetic
设置代理
export http_proxy=http://192.168.0.102:7890
export https_proxy=http://192.168.0.102:7890
库安装
sudo apt-get install -y build-essential libssl-dev zlib1g-dev libbz2-dev libreadline-dev libsqlite3-dev wget curl llvm libncurses5-dev libncursesw5-dev xz-utils tk-dev libffi-dev liblzma-dev git vim libedit-dev vim openssh-server gdb gdb-multiarch "binfmt*" qemu-user qemu-utils qemu-system libseccomp-dev libseccomp2 seccomp tmux
安装pyenv
curl | bash
# 再根据提示,设置环境变量
# 注意:把远程脚本直接通过管道交给 bash 执行,等于完全信任该下载来源;更稳妥的做法是先把安装脚本下载到本地、核对内容后再运行
pip切换源
vim ~/.pip/pip.conf
[global]
index-url =
安装pwntools
pip install pwntools
安装gdb插件pwndbg
git clone .git
cd pwndbg/
./setup.sh
安装pwncli
git clone .git
cd pwncli
sudo pip3 install --editable .
# 用 sudo 直接装进系统 Python 会改动系统自带的包;更推荐在 pyenv 创建的虚拟环境里执行 pip3 install --editable .
安装LibcSearcher
python3 -m pip install LibcSearcher
one_gadget下载安装
sudo apt -y install ruby
sudo apt-get install gem -y
sudo gem install one_gadget
# 使用方式
one_gadget libc-2.23.so
安装main_arena_offset
git clone
安装seccomp-tools
# 用来读取 seccomp 沙箱规则
sudo apt install gcc ruby-dev
sudo gem install seccomp-tools
# 要是说 ruby 版本不对
sudo add-apt-repository ppa:brightbox/ruby-ng
sudo apt-get update
sudo apt-get purge --auto-remove ruby
sudo apt-get install ruby2.6 ruby2.6-dev
gem install seccomp-tools
安装ROPgadget
sudo apt install python3-pip
sudo -H python3 -m pip install ROPgadget
ROPgadget --help
roputils
git clone .git
ae64
git clone .git
alpha3
git clone .git
查看当前环境glibc版本
# 通过ldd
ldd --version
# 通过环境变量
getconf GNU_LIBC_VERSION
# 通过代码
#include <stdio.h>
#include <gnu/libc-version.h>
/* Print the version string of the glibc this program is running against. */
int main(void)
{
    /* gnu_get_libc_version() returns the runtime glibc version, not the build-time one. */
    const char *version = gnu_get_libc_version();
    printf("%s\n", version);
    return 0;
}
查看系统默认libc版本
/lib/x86_64-linux-gnu/libc.so.6
二进制文件依赖的glibc版本
ldd -r -v ./checkGlibc
切换glibc
# 安装glibc-all-in-one
git clone .git
# 安装patchelf
sudo apt install patchelf
# 切换(libc 和 ld 必须来自同一 glibc 版本,否则程序启动时就会崩溃)
patchelf --replace-needed libc.so.6 你要换的libc的绝对路径 ./pwn
patchelf --set-interpreter ld的绝对路径 ./pwn
# 或者是在pwntools中指定
p = process(["ld-2.27.so", "./pwn"],env={"LD_PRELOAD":"./libc-2.27.so"})
Glibc 调试符号加载
先得到 libc 的 Build ID(glibc 2.35为例)
readelf -n libc.so.6 | grep 'Build ID:'
readelf -n ld-linux-x86-64.so.2 | grep 'Build ID:'
分别得到:
Build ID: 89c3cb85f9e55046776471fed05ec441581d1969
Build ID: aa1b0b998999c397062e1016f0c95dc0e8820117
因为 GDB 会从
/usr/lib/debug/.build-id/89/c3cb85f9e55046776471fed05ec441581d1969.debug 和
/usr/lib/debug/.build-id/aa/1b0b998999c397062e1016f0c95dc0e8820117.debug
文件中读取调试信息。(注意 .build-id 是隐藏文件夹,需要取消隐藏才可以看到)
所以把 /glibc-all-in-one/libs/2.35-0ubuntu3_amd64/.debug/.build-id/ 下对应的文件复制去 /usr/lib/debug/.build-id/ 即可(写入 /usr/lib/debug 需要 root 权限;复制前先核对文件名中的 Build ID 与上面 readelf 的输出一致,不一致 GDB 不会加载)
参考
00
OrbStack虚拟机
主要是耗能低,mac intel上使用基本上不发烫
ubuntu 20.04 国内更新源
sudo gedit /etc/apt/sources.list
deb / focal main restricted universe multiverse
deb / focal-security main restricted universe multiverse
deb / focal-updates main restricted universe multiverse
deb / focal-proposed main restricted universe multiverse
deb / focal-backports main restricted universe multiverse
deb-src / focal main restricted universe multiverse
deb-src / focal-security main restricted universe multiverse
deb-src / focal-updates main restricted universe multiverse
deb-src / focal-proposed main restricted universe multiverse
deb-src / focal-backports main restricted universe multiverse
deb / focal main restricted universe multiverse
deb / focal-security main restricted universe multiverse
deb / focal-updates main restricted universe multiverse
deb / focal-proposed main restricted universe multiverse
deb / focal-backports main restricted universe multiverse
deb-src / focal main restricted universe multiverse
deb-src / focal-security main restricted universe multiverse
deb-src / focal-updates main restricted universe multiverse
deb-src / focal-proposed main restricted universe multiverse
deb-src / focal-backports main restricted universe multiverse
deb / focal main restricted universe multiverse
deb / focal-updates main restricted universe multiverse
deb / focal-backports main restricted universe multiverse
deb / focal-security main restricted universe multiverse
deb / focal-proposed main restricted universe multiverse
deb-src / focal main restricted universe multiverse
deb-src / focal-updates main restricted universe multiverse
deb-src / focal-backports main restricted universe multiverse
deb-src / focal-security main restricted universe multiverse
deb-src / focal-proposed main restricted universe multiverse
部分Ubuntu系统代号
lsb_release -a
Ubuntu 16.04 代号为: xenial
Ubuntu 17.04 代号为: zesty
Ubuntu 18.04 代号为: bionic
Ubuntu 19.04 代号为: disco
Ubuntu 20.04 代号为: focal
Ubuntu 22.04 代号为: jammy
Ubuntu 22.10 代号为: kinetic
设置代理
export http_proxy=http://192.168.0.102:7890
export https_proxy=http://192.168.0.102:7890
库安装
sudo apt-get install -y build-essential libssl-dev zlib1g-dev libbz2-dev libreadline-dev libsqlite3-dev wget curl llvm libncurses5-dev libncursesw5-dev xz-utils tk-dev libffi-dev liblzma-dev git vim libedit-dev vim openssh-server gdb gdb-multiarch "binfmt*" qemu-user qemu-utils qemu-system libseccomp-dev libseccomp2 seccomp tmux
安装pyenv
curl | bash
# 再根据提示,设置环境变量
# 注意:把远程脚本直接通过管道交给 bash 执行,等于完全信任该下载来源;更稳妥的做法是先把安装脚本下载到本地、核对内容后再运行
pip切换源
vim ~/.pip/pip.conf
[global]
index-url =
安装pwntools
pip install pwntools
安装gdb插件pwndbg
git clone .git
cd pwndbg/
./setup.sh
安装pwncli
git clone .git
cd pwncli
sudo pip3 install --editable .
# 用 sudo 直接装进系统 Python 会改动系统自带的包;更推荐在 pyenv 创建的虚拟环境里执行 pip3 install --editable .
安装LibcSearcher
python3 -m pip install LibcSearcher
one_gadget下载安装
sudo apt -y install ruby
sudo apt-get install gem -y
sudo gem install one_gadget
# 使用方式
one_gadget libc-2.23.so
安装main_arena_offset
git clone
安装seccomp-tools
# 用来读取 seccomp 沙箱规则
sudo apt install gcc ruby-dev
sudo gem install seccomp-tools
# 要是说 ruby 版本不对
sudo add-apt-repository ppa:brightbox/ruby-ng
sudo apt-get update
sudo apt-get purge --auto-remove ruby
sudo apt-get install ruby2.6 ruby2.6-dev
gem install seccomp-tools
安装ROPgadget
sudo apt install python3-pip
sudo -H python3 -m pip install ROPgadget
ROPgadget --help
roputils
git clone .git
ae64
git clone .git
alpha3
git clone .git
查看当前环境glibc版本
# 通过ldd
ldd --version
# 通过环境变量
getconf GNU_LIBC_VERSION
# 通过代码
#include <stdio.h>
#include <gnu/libc-version.h>
/* Print the version string of the glibc this program is running against. */
int main(void)
{
    /* gnu_get_libc_version() returns the runtime glibc version, not the build-time one. */
    const char *version = gnu_get_libc_version();
    printf("%s\n", version);
    return 0;
}
查看系统默认libc版本
/lib/x86_64-linux-gnu/libc.so.6
二进制文件依赖的glibc版本
ldd -r -v ./checkGlibc
切换glibc
# 安装glibc-all-in-one
git clone .git
# 安装patchelf
sudo apt install patchelf
# 切换(libc 和 ld 必须来自同一 glibc 版本,否则程序启动时就会崩溃)
patchelf --replace-needed libc.so.6 你要换的libc的绝对路径 ./pwn
patchelf --set-interpreter ld的绝对路径 ./pwn
# 或者是在pwntools中指定
p = process(["ld-2.27.so", "./pwn"],env={"LD_PRELOAD":"./libc-2.27.so"})
Glibc 调试符号加载
先得到 libc 的 Build ID(glibc 2.35为例)
readelf -n libc.so.6 | grep 'Build ID:'
readelf -n ld-linux-x86-64.so.2 | grep 'Build ID:'
分别得到:
Build ID: 89c3cb85f9e55046776471fed05ec441581d1969
Build ID: aa1b0b998999c397062e1016f0c95dc0e8820117
因为 GDB 会从
/usr/lib/debug/.build-id/89/c3cb85f9e55046776471fed05ec441581d1969.debug 和
/usr/lib/debug/.build-id/aa/1b0b998999c397062e1016f0c95dc0e8820117.debug
文件中读取调试信息。(注意 .build-id 是隐藏文件夹,需要取消隐藏才可以看到)
所以把 /glibc-all-in-one/libs/2.35-0ubuntu3_amd64/.debug/.build-id/ 下对应的文件复制去 /usr/lib/debug/.build-id/ 即可(写入 /usr/lib/debug 需要 root 权限;复制前先核对文件名中的 Build ID 与上面 readelf 的输出一致,不一致 GDB 不会加载)