diff --git a/doc/2.1_vm.md b/doc/2.1_vm.md index e8457ab..5c45024 100644 --- a/doc/2.1_vm.md +++ b/doc/2.1_vm.md @@ -19,7 +19,7 @@ skanlite cantata kdenlive konversation libreoffice-still thunderbird-kde k3b cup yaourt -S: -virtualbox tree git ipython ipython2 gdb google-chrome tcpdump vim wireshark-qt edb ssdeep wps-office strace metasploit pwntools peda oh-my-zsh-git radare2 binwalk burpsuite checksec netcat wxhexeditor +virtualbox tree git ipython ipython2 gdb google-chrome tcpdump vim wireshark-qt edb ssdeep wps-office strace ltrace metasploit python2-pwntools peda oh-my-zsh-git radare2 binwalk burpsuite checksec netcat wxhexeditor pip3/pip2 install: diff --git a/doc/2.7_pwntools.md b/doc/2.7_pwntools.md index 365d999..d323425 100644 --- a/doc/2.7_pwntools.md +++ b/doc/2.7_pwntools.md @@ -442,8 +442,47 @@ f7510000-f76df000 r-xp 1cf000 /usr/lib32/libc-2.26.so 该模块用于格式化字符串漏洞的利用,格式化字符串漏洞是 CTF 中一种常见的题型,我们会在后面的章节中详细讲述,关于该模块的使用也会留到那儿。详见 *3.3.1 格式化字符串漏洞* #### gdb +`pwnlib.gdb` + +在写漏洞利用的时候,常常需要使用 gdb 动态调试,该模块就提供了这方面的支持。 + +两个常用函数: +- `gdb.attach(target, gdbscript=None)`:在一个新终端打开 gdb 并 attach 到指定 PID 的进程,或是一个 `pwnlib.tubes` 对象。 +- `gdb.debug(args, gdbscript=None)`:在新终端中使用 gdb 加载一个二进制文件。 + +上面两种方法都可以在开启的时候传递一个脚本到 gdb,可以很方便地做一些操作,如自动设置断点。 + +```python +# attach to pid 1234 +gdb.attach(1234) + +# attach to a process +bash = process('bash') +gdb.attach(bash, ''' +set follow-fork-mode child +continue +''') +bash.sendline('whoami') +``` + +``` +# Create a new process, and stop it at 'main' +io = gdb.debug('bash', ''' +# Wait until we hit the main executable's entry point +break _start +continue + +# Now set breakpoint on shared library routines +break malloc +break free +continue +''') +``` #### memleak +`pwnlib.memleak` + +该模块用于内存泄露的利用。可用作装饰器。它会将泄露的内存缓存起来,在漏洞利用过程中可能会用到。 #### rop diff --git a/doc/6.1_Linuxtools.md b/doc/6.1_Linuxtools.md index 2fc86e2..6b399be 100644 --- a/doc/6.1_Linuxtools.md +++ b/doc/6.1_Linuxtools.md 
@@ -230,7 +230,7 @@ $ ssdeep -bm hash.txt modified.elf ```text -a --all Scan the entire file, not just the data section [default] -t --radix={o,d,x} Print the location of the string in base 8, 10 or 16 --e --encoding={s,S,b,l,B,L} Select character size and endianness: +-e --encoding={s,S,b,l,B,L} Select character size and endianess: s = 7-bit, S = 8-bit, {b,l} = 16-bit, {B,L} = 32-bit ``` diff --git a/ppt/01_fight-with-linux.pdf b/ppt/01_fight-with-linux.pdf new file mode 100644 index 0000000..32cdcd5 Binary files /dev/null and b/ppt/01_fight-with-linux.pdf differ
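Review bot: in the doc/2.1_vm.md hunk, the switch from `pwntools` to `python2-pwntools` (and the new `ltrace` entry) is made without any explanatory sentence, even though the very next line of the list is `pip3/pip2 install:`; add a short note stating which Python version pwntools is expected to run under, so readers of the `gdb`/`memleak` examples added in doc/2.7_pwntools.md know which interpreter those snippets target.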
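Review bot: in the doc/2.7_pwntools.md hunk, the second example block (the one starting `io = gdb.debug('bash', '''`) opens with a bare ``` fence while the first uses ```python; tag it ```python so both render with the same highlighting. In the same hunk the `io` handle returned by `gdb.debug` is never used, so a closing line such as `io.interactive()` would make the example self-contained, and the new `memleak` section is only a one-line description where the `gdb` section gets two worked snippets; a minimal decorator example would bring it to the same level.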
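Review bot: the doc/6.1_Linuxtools.md hunk replaces the correctly spelled "endianness" with "endianess", which reads like an accidental typo rather than a fix; unless the intent is to quote the `strings --help` text of the documented binutils version verbatim (in which case say so), revert this line.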