00

OrbStack虚拟机

主要是耗能低,mac intel上使用基本上不发烫

ubuntu 20.04 国内更新源

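# Edit the apt sources list. The mirror host was lost in extraction: every "/"
# below stands for the mirror base URL (e.g. https://<MIRROR_HOST>/ubuntu/).
# Three mirror groups are listed; keep only ONE active to avoid duplicate-source
# warnings, and prefer an https:// mirror so package indexes are not fetched
# over plain http. focal-proposed is the pre-release pocket; leave it disabled
# unless you specifically need it.
sudo gedit /etc/apt/sources.list
# --- mirror group 1 ---
deb / focal main restricted universe multiverse
deb / focal-security main restricted universe multiverse
deb / focal-updates main restricted universe multiverse
deb / focal-proposed main restricted universe multiverse
deb / focal-backports main restricted universe multiverse
deb-src / focal main restricted universe multiverse
deb-src / focal-security main restricted universe multiverse
deb-src / focal-updates main restricted universe multiverse
deb-src / focal-proposed main restricted universe multiverse
deb-src / focal-backports main restricted universe multiverse
# --- mirror group 2 ---
deb / focal main restricted universe multiverse
deb / focal-security main restricted universe multiverse
deb / focal-updates main restricted universe multiverse
deb / focal-proposed main restricted universe multiverse
deb / focal-backports main restricted universe multiverse
deb-src / focal main restricted universe multiverse
deb-src / focal-security main restricted universe multiverse
deb-src / focal-updates main restricted universe multiverse
deb-src / focal-proposed main restricted universe multiverse
deb-src / focal-backports main restricted universe multiverse
# --- mirror group 3 ---
deb / focal main restricted universe multiverse
deb / focal-updates main restricted universe multiverse
deb / focal-backports main restricted universe multiverse
deb / focal-security main restricted universe multiverse
deb / focal-proposed main restricted universe multiverse
deb-src / focal main restricted universe multiverse
deb-src / focal-updates main restricted universe multiverse
deb-src / focal-backports main restricted universe multiverse
deb-src / focal-security main restricted universe multiverse
deb-src / focal-proposed main restricted universe multiverse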

部分Ubuntu系统代号

# Print the distributor id, release number and codename of the running system
lsb_release -a

Ubuntu 16.04 代号为: xenial
Ubuntu 17.04 代号为: zesty
Ubuntu 18.04 代号为: bionic
Ubuntu 19.04 代号为: disco
Ubuntu 20.04 代号为: focal
Ubuntu 22.04 代号为: jammy
Ubuntu 22.10 代号为: kinetic

设置代理

# Route http/https traffic through the author's LAN proxy (192.168.0.102:7890);
# replace host:port with your own. These exports only affect the current shell
# session and the tools that honour these variables.
export http_proxy=http://192.168.0.102:7890
export https_proxy=http://192.168.0.102:7890

库安装

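# Toolchain, debuggers, emulators and development headers used by the rest of
# this setup. The original list named vim twice; it appears once here.
# "binfmt*" stays quoted so the shell does not glob it before apt sees it.
pkgs=(
  build-essential libssl-dev zlib1g-dev libbz2-dev libreadline-dev
  libsqlite3-dev wget curl llvm libncurses5-dev libncursesw5-dev xz-utils
  tk-dev libffi-dev liblzma-dev git vim libedit-dev openssh-server
  gdb gdb-multiarch "binfmt*" qemu-user qemu-utils qemu-system
  libseccomp-dev libseccomp2 seccomp tmux
)
sudo apt-get install -y "${pkgs[@]}"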

安装pyenv

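# Install pyenv. The installer URL was lost in extraction; fill it in.
# Do not pipe the download straight into bash: save it, review it, then run
# it, so the script you execute is one you have actually looked at.
curl -fsSL "<PYENV_INSTALLER_URL>" -o pyenv-installer.sh
less pyenv-installer.sh
bash pyenv-installer.sh
# Then set the environment variables the installer's final output asks for.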

pip切换源

vim ~/.pip/pip.conf[global]
index-url = 

安装pwntools

# Install pwntools into the currently active Python environment
pip install pwntools

安装gdb插件pwndbg

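# Install the pwndbg GDB plugin (repo URL lost in extraction; fill it in).
git clone "<PWNDBG_REPO_URL>"
# Abort if the clone did not produce the directory, so setup.sh is never run
# from the wrong place.
cd pwndbg/ || exit 1
./setup.sh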

安装pwncli

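# Install pwncli (repo URL lost in extraction; fill it in).
git clone "<PWNCLI_REPO_URL>"
# Abort if the clone did not produce the directory.
cd pwncli || exit 1
# Editable install into the system Python as root; prefer
# `pip3 install --user --editable .` or a virtualenv if you would rather not
# modify system site-packages.
sudo pip3 install --editable .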

安装LibcSearcher

# Install LibcSearcher from PyPI into the python3 interpreter on PATH
python3 -m pip install LibcSearcher

one_gadget下载安装

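# Install ruby and gem, then one_gadget from RubyGems.
sudo apt -y install ruby
sudo apt-get install gem -y
# The trailing comment must be on its own line: "one_gadget# ..." is one word,
# so gem would be asked to install a package literally named "one_gadget#".
sudo gem install one_gadget
# Usage: point it at the libc to analyse
one_gadget libc-2.23.so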

安装main_arena_offset

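# Fetch main_arena_offset (repo URL lost in extraction; fill it in)
git clone "<MAIN_ARENA_OFFSET_REPO_URL>"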

安装seccomp-tools

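# seccomp-tools: used to read the seccomp sandbox rules of a binary.
sudo apt install gcc ruby-dev
# Comment split onto its own line: "seccomp-tools# ..." is a single word and
# would be passed to gem as the package name.
sudo gem install seccomp-tools
# If gem complains that the ruby version is wrong, install ruby 2.6 from the
# brightbox PPA and retry. Note this adds a third-party package source
# system-wide and purges the distro ruby first.
sudo add-apt-repository ppa:brightbox/ruby-ng
sudo apt-get update
sudo apt-get purge --auto-remove ruby
sudo apt-get install ruby2.6 ruby2.6-dev
gem install seccomp-tools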

安装ROPgadget

# Install ROPgadget system-wide via pip (-H sets HOME to root's so pip's
# cache does not land in the invoking user's home)
sudo apt install python3-pip
sudo -H python3 -m pip install ROPgadget
# Confirm the install and list the options
ROPgadget --help

roputils

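# Fetch roputils (repo URL lost in extraction; fill it in)
git clone "<ROPUTILS_REPO_URL>"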

ae64

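# Fetch ae64 (repo URL lost in extraction; fill it in)
git clone "<AE64_REPO_URL>"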

alpha3

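# Fetch alpha3 (repo URL lost in extraction; fill it in)
git clone "<ALPHA3_REPO_URL>"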

查看当前环境glibc版本

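# Three ways to print the glibc version of the current environment.
# The comments are on their own lines: "#" only starts a comment at the
# beginning of a word, so "--version# ..." was being passed as an argument.
# Via ldd:
ldd --version
# Via getconf:
getconf GNU_LIBC_VERSION
# Via code: see the C program below (gnu_get_libc_version).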
#include <stdio.h>
#include <gnu/libc-version.h>

/* Print the version string of the glibc this program is running against. */
int main(void)
{
    const char *version = gnu_get_libc_version();
    puts(version);
    return 0;
}

查看系统默认libc版本

# Executing the system libc directly prints its version banner
/lib/x86_64-linux-gnu/libc.so.6

二进制文件依赖的glibc版本

# List the shared objects the binary needs, with symbol-version information (-v)
# and relocation processing (-r). Note: ldd may run the binary's dynamic loader
# on it, so use it only on binaries you trust (see ldd(1)).
ldd -r -v ./checkGlibc

切换glibc

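# Install glibc-all-in-one (repo URL lost in extraction; fill it in)
git clone "<GLIBC_ALL_IN_ONE_REPO_URL>"
# Install patchelf
sudo apt install patchelf
# Switch the binary to another libc/loader. The author stresses that both
# paths must be absolute; replace the placeholders accordingly. Each comment
# is on its own line because "./pwn# ..." would be read as one filename.
patchelf --replace-needed libc.so.6 "<ABSOLUTE_PATH_TO_NEW_LIBC>" ./pwn
patchelf --set-interpreter "<ABSOLUTE_PATH_TO_NEW_LD>" ./pwn
# Alternatively, select loader and libc from pwntools (Python, not shell):
#   p = process(["ld-2.27.so", "./pwn"],env={"LD_PRELOAD":"./libc-2.27.so"})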

Glibc 调试符号加载

先得到 libc 的 Build ID(glibc 2.35为例)

# Read the GNU build-id note from the libc and the loader (glibc 2.35 example)
readelf --notes libc.so.6 | grep 'Build ID:'
readelf --notes ld-linux-x86-64.so.2 | grep 'Build ID:'

分别得到:

Build ID: 89c3cb85f9e55046776471fed05ec441581d1969
Build ID: aa1b0b998999c397062e1016f0c95dc0e8820117

因为 GDB 会从

/usr/lib/debug/.build-id/89/c3cb85f9e55046776471fed05ec441581d1969.debug 和

/usr/lib/debug/.build-id/aa/1b0b998999c397062e1016f0c95dc0e8820117.debug

文件中读取调试信息。(注意 .build-id 是隐藏文件夹,需要取消隐藏才可以看到)

所以把 /glibc-all-in-one/libs/2.35-0ubuntu3_amd64/.debug/.build-id/ 下对应的文件复制去 /usr/lib/debug/.build-id/ 即可

参考

00

OrbStack虚拟机

主要是耗能低,mac intel上使用基本上不发烫

ubuntu 20.04 国内更新源

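# Edit the apt sources list. The mirror host was lost in extraction: every "/"
# below stands for the mirror base URL (e.g. https://<MIRROR_HOST>/ubuntu/).
# Three mirror groups are listed; keep only ONE active to avoid duplicate-source
# warnings, and prefer an https:// mirror so package indexes are not fetched
# over plain http. focal-proposed is the pre-release pocket; leave it disabled
# unless you specifically need it.
sudo gedit /etc/apt/sources.list
# --- mirror group 1 ---
deb / focal main restricted universe multiverse
deb / focal-security main restricted universe multiverse
deb / focal-updates main restricted universe multiverse
deb / focal-proposed main restricted universe multiverse
deb / focal-backports main restricted universe multiverse
deb-src / focal main restricted universe multiverse
deb-src / focal-security main restricted universe multiverse
deb-src / focal-updates main restricted universe multiverse
deb-src / focal-proposed main restricted universe multiverse
deb-src / focal-backports main restricted universe multiverse
# --- mirror group 2 ---
deb / focal main restricted universe multiverse
deb / focal-security main restricted universe multiverse
deb / focal-updates main restricted universe multiverse
deb / focal-proposed main restricted universe multiverse
deb / focal-backports main restricted universe multiverse
deb-src / focal main restricted universe multiverse
deb-src / focal-security main restricted universe multiverse
deb-src / focal-updates main restricted universe multiverse
deb-src / focal-proposed main restricted universe multiverse
deb-src / focal-backports main restricted universe multiverse
# --- mirror group 3 ---
deb / focal main restricted universe multiverse
deb / focal-updates main restricted universe multiverse
deb / focal-backports main restricted universe multiverse
deb / focal-security main restricted universe multiverse
deb / focal-proposed main restricted universe multiverse
deb-src / focal main restricted universe multiverse
deb-src / focal-updates main restricted universe multiverse
deb-src / focal-backports main restricted universe multiverse
deb-src / focal-security main restricted universe multiverse
deb-src / focal-proposed main restricted universe multiverse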

部分Ubuntu系统代号

# Print the distributor id, release number and codename of the running system
lsb_release -a

Ubuntu 16.04 代号为: xenial
Ubuntu 17.04 代号为: zesty
Ubuntu 18.04 代号为: bionic
Ubuntu 19.04 代号为: disco
Ubuntu 20.04 代号为: focal
Ubuntu 22.04 代号为: jammy
Ubuntu 22.10 代号为: kinetic

设置代理

# Route http/https traffic through the author's LAN proxy (192.168.0.102:7890);
# replace host:port with your own. These exports only affect the current shell
# session and the tools that honour these variables.
export http_proxy=http://192.168.0.102:7890
export https_proxy=http://192.168.0.102:7890

库安装

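# Toolchain, debuggers, emulators and development headers used by the rest of
# this setup. The original list named vim twice; it appears once here.
# "binfmt*" stays quoted so the shell does not glob it before apt sees it.
pkgs=(
  build-essential libssl-dev zlib1g-dev libbz2-dev libreadline-dev
  libsqlite3-dev wget curl llvm libncurses5-dev libncursesw5-dev xz-utils
  tk-dev libffi-dev liblzma-dev git vim libedit-dev openssh-server
  gdb gdb-multiarch "binfmt*" qemu-user qemu-utils qemu-system
  libseccomp-dev libseccomp2 seccomp tmux
)
sudo apt-get install -y "${pkgs[@]}"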

安装pyenv

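# Install pyenv. The installer URL was lost in extraction; fill it in.
# Do not pipe the download straight into bash: save it, review it, then run
# it, so the script you execute is one you have actually looked at.
curl -fsSL "<PYENV_INSTALLER_URL>" -o pyenv-installer.sh
less pyenv-installer.sh
bash pyenv-installer.sh
# Then set the environment variables the installer's final output asks for.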

pip切换源

vim ~/.pip/pip.conf[global]
index-url = 

安装pwntools

# Install pwntools into the currently active Python environment
pip install pwntools

安装gdb插件pwndbg

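# Install the pwndbg GDB plugin (repo URL lost in extraction; fill it in).
git clone "<PWNDBG_REPO_URL>"
# Abort if the clone did not produce the directory, so setup.sh is never run
# from the wrong place.
cd pwndbg/ || exit 1
./setup.sh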

安装pwncli

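# Install pwncli (repo URL lost in extraction; fill it in).
git clone "<PWNCLI_REPO_URL>"
# Abort if the clone did not produce the directory.
cd pwncli || exit 1
# Editable install into the system Python as root; prefer
# `pip3 install --user --editable .` or a virtualenv if you would rather not
# modify system site-packages.
sudo pip3 install --editable .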

安装LibcSearcher

# Install LibcSearcher from PyPI into the python3 interpreter on PATH
python3 -m pip install LibcSearcher

one_gadget下载安装

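# Install ruby and gem, then one_gadget from RubyGems.
sudo apt -y install ruby
sudo apt-get install gem -y
# The trailing comment must be on its own line: "one_gadget# ..." is one word,
# so gem would be asked to install a package literally named "one_gadget#".
sudo gem install one_gadget
# Usage: point it at the libc to analyse
one_gadget libc-2.23.so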

安装main_arena_offset

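# Fetch main_arena_offset (repo URL lost in extraction; fill it in)
git clone "<MAIN_ARENA_OFFSET_REPO_URL>"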

安装seccomp-tools

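# seccomp-tools: used to read the seccomp sandbox rules of a binary.
sudo apt install gcc ruby-dev
# Comment split onto its own line: "seccomp-tools# ..." is a single word and
# would be passed to gem as the package name.
sudo gem install seccomp-tools
# If gem complains that the ruby version is wrong, install ruby 2.6 from the
# brightbox PPA and retry. Note this adds a third-party package source
# system-wide and purges the distro ruby first.
sudo add-apt-repository ppa:brightbox/ruby-ng
sudo apt-get update
sudo apt-get purge --auto-remove ruby
sudo apt-get install ruby2.6 ruby2.6-dev
gem install seccomp-tools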

安装ROPgadget

# Install ROPgadget system-wide via pip (-H sets HOME to root's so pip's
# cache does not land in the invoking user's home)
sudo apt install python3-pip
sudo -H python3 -m pip install ROPgadget
# Confirm the install and list the options
ROPgadget --help

roputils

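# Fetch roputils (repo URL lost in extraction; fill it in)
git clone "<ROPUTILS_REPO_URL>"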

ae64

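# Fetch ae64 (repo URL lost in extraction; fill it in)
git clone "<AE64_REPO_URL>"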

alpha3

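# Fetch alpha3 (repo URL lost in extraction; fill it in)
git clone "<ALPHA3_REPO_URL>"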

查看当前环境glibc版本

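# Three ways to print the glibc version of the current environment.
# The comments are on their own lines: "#" only starts a comment at the
# beginning of a word, so "--version# ..." was being passed as an argument.
# Via ldd:
ldd --version
# Via getconf:
getconf GNU_LIBC_VERSION
# Via code: see the C program below (gnu_get_libc_version).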
#include <stdio.h>
#include <gnu/libc-version.h>

/* Print the version string of the glibc this program is running against. */
int main(void)
{
    const char *version = gnu_get_libc_version();
    puts(version);
    return 0;
}

查看系统默认libc版本

# Executing the system libc directly prints its version banner
/lib/x86_64-linux-gnu/libc.so.6

二进制文件依赖的glibc版本

# List the shared objects the binary needs, with symbol-version information (-v)
# and relocation processing (-r). Note: ldd may run the binary's dynamic loader
# on it, so use it only on binaries you trust (see ldd(1)).
ldd -r -v ./checkGlibc

切换glibc

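# Install glibc-all-in-one (repo URL lost in extraction; fill it in)
git clone "<GLIBC_ALL_IN_ONE_REPO_URL>"
# Install patchelf
sudo apt install patchelf
# Switch the binary to another libc/loader. The author stresses that both
# paths must be absolute; replace the placeholders accordingly. Each comment
# is on its own line because "./pwn# ..." would be read as one filename.
patchelf --replace-needed libc.so.6 "<ABSOLUTE_PATH_TO_NEW_LIBC>" ./pwn
patchelf --set-interpreter "<ABSOLUTE_PATH_TO_NEW_LD>" ./pwn
# Alternatively, select loader and libc from pwntools (Python, not shell):
#   p = process(["ld-2.27.so", "./pwn"],env={"LD_PRELOAD":"./libc-2.27.so"})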

Glibc 调试符号加载

先得到 libc 的 Build ID(glibc 2.35为例)

# Read the GNU build-id note from the libc and the loader (glibc 2.35 example)
readelf --notes libc.so.6 | grep 'Build ID:'
readelf --notes ld-linux-x86-64.so.2 | grep 'Build ID:'

分别得到:

Build ID: 89c3cb85f9e55046776471fed05ec441581d1969
Build ID: aa1b0b998999c397062e1016f0c95dc0e8820117

因为 GDB 会从

/usr/lib/debug/.build-id/89/c3cb85f9e55046776471fed05ec441581d1969.debug 和

/usr/lib/debug/.build-id/aa/1b0b998999c397062e1016f0c95dc0e8820117.debug

文件中读取调试信息。(注意 .build-id 是隐藏文件夹,需要取消隐藏才可以看到)

所以把 /glibc-all-in-one/libs/2.35-0ubuntu3_amd64/.debug/.build-id/ 下对应的文件复制去 /usr/lib/debug/.build-id/ 即可

参考