Introduction to several common tools for writing PoCs and exploits
Source: Internet  Editor: 程序博客网  Time: 2024/06/06 15:48
1. pwntools
pwntools is a CTF framework and exploit development library written in Python, developed by the Gallopsled CTF team, designed to let users write exploits quickly and simply.
At the time of writing pwntools was best supported on Ubuntu 12.04 and 14.04, but most of its functionality also works on Debian, Arch, FreeBSD, OS X and so on.
Install with sudo pip install pwntools (this is the Python 2 era form; current releases are installed with pip install pwntools under Python 3).
If the installation complains about a missing library, the fix is usually easy to find with Google.
After installation, verify it by starting Python and importing the pwn module; if the import succeeds without errors, the pwn module is ready to use.
2. zio
pwntools and zio are both Python exploit-writing tools, and both make it easy to switch an exploit between a local process and a remote target. Install with sudo pip install zio.
zio is an easy-to-use io library for pwning development, supporting a unified interface for local process pwning and TCP socket io.
The primary goal of zio is to provide a unified io interface between process stdin/stdout and TCP socket io. So when you have finished local pwning development, you only need to change the io target to pwn the remote server.
The following code illustrates the basic idea.
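The idea shared by pwntools and zio, as an added example written for this page (it is not pwntools or zio source code): a "tube" exposing one read/write interface over either a local process or a TCP socket, plus the packing and cyclic-pattern helpers that turn a crash into a stack offset. The names process/remote/p32/u32/cyclic/cyclic_find mirror pwntools' API, but the implementation here is a minimal stand-in; the Tube class, ECHO_TARGET and demo are my own names, and ECHO_TARGET is a constructed echo program standing in for a vulnerable service.

```python
"""Minimal pwntools/zio-style tube: one interface for a local process and a TCP socket."""
import socket
import struct
import subprocess
import sys

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def p32(n):
    return struct.pack("<I", n)


def p64(n):
    return struct.pack("<Q", n)


def u32(b):
    return struct.unpack("<I", b[:4])[0]


def u64(b):
    return struct.unpack("<Q", b[:8])[0]


def _de_bruijn(alphabet, n):
    """Lexicographically smallest de Bruijn sequence B(k, n): every n-byte window is unique."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length, n=4):
    """Like peda's `pattern create`: `length` bytes where any n-byte slice occurs once (n=4 for 32-bit)."""
    out = bytearray()
    for ch in _de_bruijn(ALPHABET, n):
        if len(out) == length:
            break
        out.append(ch)
    return bytes(out)


def cyclic_find(value, n=4):
    """Like `pattern offset`: map the bytes (or the int) found in a register back to an offset."""
    if isinstance(value, int):
        value = p32(value) if value <= 0xFFFFFFFF else p64(value)
    needle = value[:n]
    buf = bytearray()
    for ch in _de_bruijn(ALPHABET, n):
        buf.append(ch)
        if len(buf) >= n and buf[-n:] == needle:
            return len(buf) - n
    return -1


class Tube:
    """One interface for both targets, so exploit code does not change when going remote."""

    def __init__(self, read, write, close):
        self._read, self._write, self.close = read, write, close

    def send(self, data):
        self._write(data)

    def sendline(self, data):
        self._write(data + b"\n")

    def recvuntil(self, delim):
        buf = b""
        while not buf.endswith(delim):
            chunk = self._read(1)
            if not chunk:
                raise EOFError("target closed the connection")
            buf += chunk
        return buf

    def recvline(self):
        return self.recvuntil(b"\n")


def process(argv):
    """Local target: talk to the program's stdin/stdout (cf. pwntools' process())."""
    p = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE)

    def write(data):
        p.stdin.write(data)
        p.stdin.flush()

    def close():
        p.stdin.close()
        p.wait()

    return Tube(p.stdout.read, write, close)


def remote(host, port):
    """Remote target: the same Tube over TCP (cf. pwntools' remote() or zio((host, port)))."""
    s = socket.create_connection((host, port))
    return Tube(s.recv, s.sendall, s.close)


# Constructed stand-in for a vulnerable service: prints a prompt, then echoes one line back.
ECHO_TARGET = [sys.executable, "-c",
               "import sys; sys.stdout.buffer.write(b'> '); sys.stdout.flush(); "
               "sys.stdout.buffer.write(sys.stdin.buffer.readline()); sys.stdout.flush()"]


def demo(io=None):
    """Drive the target through the Tube; pass remote(host, port) to run the same code over TCP."""
    io = io or process(ECHO_TARGET)
    io.recvuntil(b"> ")
    payload = cyclic(12) + p32(0xDEADBEEF)   # 12 bytes of pattern, then a fake return address
    io.sendline(payload)
    echoed = io.recvline()
    io.close()
    return {"echoed": echoed[:-1], "ret": u32(echoed[12:16])}
```

Running demo() uses the local echo program; demo(remote("host", 1337)) would drive a network service with the identical exploit logic, which is the point both libraries make. If a crash leaves EIP = 0x61616164 after sending cyclic(100), cyclic_find(0x61616164) gives the offset of the saved return address (12 here).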
3. gdb+peda
I will not say much about gdb itself; see the series at http://blog.csdn.NET/haoel/article/details/2879, or the relevant part of my own blog (mine is not as detailed as that one).
peda is a gdb plugin written in Python that:
- Enhances the display of gdb: colorizes and displays disassembly code, registers and memory information during debugging
- Adds commands to support debugging and exploit development (for a full list of commands use peda help)
Explanation of the related commands:
- aslr -- Show/set ASLR setting of GDB
- checksec -- Check for various security options of binary
- dumpargs -- Display arguments passed to a function when stopped at a call instruction
- dumprop -- Dump all ROP gadgets in specific memory range
- elfheader -- Get headers information from debugged ELF file
- elfsymbol -- Get non-debugging symbol information from an ELF file
- lookup -- Search for all addresses/references to addresses which belong to a memory range
- patch -- Patch memory start at an address with string/hexstring/int
- pattern -- Generate, search, or write a cyclic pattern to memory
- procinfo -- Display various info from /proc/pid/
- pshow -- Show various PEDA options and other settings
- pset -- Set various PEDA options and other settings
- readelf -- Get headers information from an ELF file
- ropgadget -- Get common ROP gadgets of binary or library
- ropsearch -- Search for ROP gadgets in memory
- searchmem|find -- Search for a pattern in memory; support regex search
- shellcode -- Generate or download common shellcodes.
- skeleton -- Generate python exploit code template
- vmmap -- Get virtual mapping address ranges of section(s) in debugged process
- xormem -- XOR a memory region with a key
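peda's checksec and elfheader commands read these properties from the loaded binary inside gdb. As an added example (my own code, not peda's), here is a stand-alone checker that reads the same mitigations straight from an ELF64 file, so it can be run without a debugger: NX from PT_GNU_STACK, PIE from e_type, RELRO from PT_GNU_RELRO plus the bind-now dynamic flags, and the canary from a __stack_chk_fail reference. build_elf constructs a header-only ELF image so the script runs offline; pass a real binary's path on the command line to check it instead.

```python
"""Stand-alone ELF64 checksec: NX, PIE, RELRO and canary read from the file headers."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 8, 1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr
DYN = struct.Struct("<QQ")                  # Elf64_Dyn (d_tag, d_val)


def checksec(data):
    """Return the mitigation status of a little-endian ELF64 image given as bytes."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize) for i in range(e_phnum)]

    # NX: the stack is mapped without PROT_EXEC only if PT_GNU_STACK exists and lacks PF_X.
    stack = next((p for p in phdrs if p[0] == PT_GNU_STACK), None)
    nx = stack is not None and not (stack[1] & PF_X)

    # RELRO: PT_GNU_RELRO alone is partial RELRO. It is full only when the dynamic linker is
    # told to resolve everything at load time (DT_BIND_NOW / DF_BIND_NOW / DF_1_NOW), so the
    # GOT can be made read-only too.
    relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    bind_now = False
    dynamic = next((p for p in phdrs if p[0] == PT_DYNAMIC), None)
    if dynamic is not None:
        off, size = dynamic[2], dynamic[5]          # p_offset, p_filesz
        for pos in range(off, off + size, DYN.size):
            tag, val = DYN.unpack_from(data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True

    return {
        # A PIE executable is ET_DYN; so is a shared library, so "PIE" is only meaningful
        # for a file you already know is an executable.
        "PIE": e_type == ET_DYN,
        "NX": nx,
        "RELRO": "Full" if relro and bind_now else ("Partial" if relro else "No"),
        # Heuristic: a canary-protected binary references __stack_chk_fail. A plain string
        # in .rodata would be a false positive; peda's checksec checks symbols instead.
        "CANARY": b"__stack_chk_fail" in data,
    }


def build_elf(pie=True, nx=True, relro="Full", canary=True):
    """Constructed, non-executable ELF64 image carrying only the headers checksec inspects."""
    dyn = [(DT_FLAGS, DF_BIND_NOW)] if relro == "Full" else []
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(DYN.pack(tag, val) for tag, val in dyn)

    segs = [(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X))]
    if relro != "No":
        segs.append((PT_GNU_RELRO, PF_R))
    segs.append((PT_DYNAMIC, PF_R | PF_W))

    phoff = EHDR.size
    dyn_off = phoff + PHDR.size * len(segs)
    phdrs = b""
    for ptype, flags in segs:
        off, size = (dyn_off, len(dyn_bytes)) if ptype == PT_DYNAMIC else (0, 0)
        phdrs += PHDR.pack(ptype, flags, off, off, off, size, size, 8)

    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, phoff, 0, 0,
                     EHDR.size, PHDR.size, len(segs), 0, 0, 0)
    tail = b"__stack_chk_fail\0" if canary else b""
    return ehdr + phdrs + dyn_bytes + tail


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    image = open(path, "rb").read() if path else build_elf(pie=False, nx=False, relro="Partial")
    for name, value in checksec(image).items():
        print(f"{name:7}: {value}")
```

The two caveats in the comments matter in practice: ET_DYN says nothing about PIE for a library, and the canary string test is a heuristic that a symbol-table walk (what peda's checksec and readelf -s do) would make exact.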
Installation:
git clone https://github.com/longld/peda.git ~/peda
echo "source ~/peda/peda.py" >> ~/.gdbinit
If all went well, running gdb now shows the prompt gdb-peda$ instead of the previous gdb$. I am writing this blog on Windows and installed peda on another machine running lubuntu 14.04, so it is not convenient to take screenshots; my apologies.
The README.md for peda on GitHub does have a few screenshots, if you are interested: https://github.com/longld/peda
Of course, some peda properties are configurable:
- General usage and features
- The list of commands can be read by typing peda
- Peda has wrappers over many gdb commands
- Here is disas versus pdisas:
- There are three commands to show context:
- context reg for the registers and flags
- context code for disassembling around the current instruction pointer
- context stack for examining the stack
- There is also a command for all at once: context all, which is run by default whenever a breakpoint is hit:
- As you can see, there is a lot of information available. Note that the addresses are color coded according to their origin: code/data/rodata
- Peda also features smart dereferencing (telescoping)
- Getting information about an address or register can be done with xinfo. The origin of the mapping is found with another command: vmmap
- Displaying all strings in the address space is done using strings
- Searching for specific strings can be done with find
- Sometimes you need to find a pointer to a specific string. You can use refsearch
- Searching for specific instructions or chains of instructions is done using asmsearch (although it is not always accurate)
Exploit/reverse engineering specifics
- Process info and security
- ROP gadgets
- Tracing calls
- Tracing individual instructions: Peda can also infer the arguments to functions or the operands for comparisons and display them
- Creating exploit patterns and searching for them in memory and registers
More information: http://security.cs.pub.ro/hexcellents/wiki/kb/toolset/peda
4. IDA
IDA is far too powerful to cover briefly in this article. I recommend studying the book 《IDA pro权威指南》 (The IDA Pro Book) and practising diligently; I think you will come to love IDA, because it really is captivating.