由于本来的deepin系统太卡了,就重新换了一个ubuntu 20的系统,那就重新开始配环境吧,有些可能会和用户态的重复
gdb
这个系统自带就不说了
pwndbg
我个人比较喜欢用pwndbg,下面配置一下
首先需要安装一下git
sudo apt install git
然后git获取
git clone https://github.com/pwndbg/pwndbg
cd pwndbg
sudo ./setup.sh
这里由于他放到了root目录下,我们再cp一份到/home/用户下
cp /root/.gdbinit /home/zhou/.gdbinit
qemu
sudo apt install qemu-kvm
虚拟机配置
对于vmware来说,需要修改一下虚拟机设置
勾选上虚拟化InterlVT这一个,如下图,不然之后会报错
Could Not Access KVM kernel module: No Such file or directory. qemu-system-x86_64: Failed to Initialize KVM: No such file or directory.
Ropper
这个用来从vmlinux里面寻找gadget,比ROPgadget更快
pip3 install ropper
下面添加一下path
vim ~/.bashrc
再最下面加上对应的路径
PATH=$PATH:/home/zhou/.local/bin
然后
source ~/.bashrc
extract-vmlinux
源代码位于github
extract-vmlinux
vim extract-vmlinux
把github里面的内容复制进来,也就是下面的内容
#!/bin/sh
# SPDX-License-Identifier: GPL-2.0-only
# ----------------------------------------------------------------------
# extract-vmlinux - Extract uncompressed vmlinux from a kernel image
#
# Inspired from extract-ikconfig
# (c) 2009,2010 Dick Streefland <dick@streefland.net>
#
# (c) 2011 Corentin Chary <corentin.chary@gmail.com>
#
# ----------------------------------------------------------------------
check_vmlinux()
{
# Use readelf to check if it's a valid ELF
# TODO: find a better to way to check that it's really vmlinux
# and not just an elf
readelf -h $1 > /dev/null 2>&1 || return 1
cat $1
exit 0
}
try_decompress()
{
# The obscure use of the "tr" filter is to work around older versions of
# "grep" that report the byte offset of the line instead of the pattern.
# Try to find the header ($1) and decompress from here
for pos in `tr "$1\n$2" "\n$2=" < "$img" | grep -abo "^$2"`
do
pos=${pos%%:*}
tail -c+$pos "$img" | $3 > $tmp 2> /dev/null
check_vmlinux $tmp
done
}
# Check invocation:
me=${0##*/}
img=$1
if [ $# -ne 1 -o ! -s "$img" ]
then
echo "Usage: $me <kernel-image>" >&2
exit 2
fi
# Prepare temp files:
tmp=$(mktemp /tmp/vmlinux-XXX)
trap "rm -f $tmp" 0
# That didn't work, so retry after decompression.
try_decompress '\037\213\010' xy gunzip
try_decompress '\3757zXZ\000' abcde unxz
try_decompress 'BZh' xy bunzip2
try_decompress '\135\0\0\0' xxx unlzma
try_decompress '\211\114\132' xy 'lzop -d'
try_decompress '\002!L\030' xxx 'lz4 -d'
try_decompress '(\265/\375' xxx unzstd
# Finally check for uncompressed images or objects:
check_vmlinux $img
# Bail out:
echo "$me: Cannot find vmlinux." >&2
保存之后
chmod +x extract-vmlinux && sudo mv extract-vmlinux /usr/bin/
un-cpio
下面是为了方便新人写了一个小小的解压脚本
vim un-cpio
#!/bin/bash
me=${0##*/}
if [ $# -ne 1 ]
then
echo "Usage: $me <rootfs-cpio>" >&2
echo "Notice: please use this script in a empty dir where the file system will be decompressed" >&2
exit 2
fi
wholepath="`pwd`/$1"
path=$(dirname $wholepath)
file=$(basename $wholepath)
cd $path
mv $file "${file}.gz"
gunzip "${file}.gz"
cpio -idm < $file
rm $file
保持
chmod +x un-cpio
sudo mv un-cpio /usr/bin/
一般做题首先有个压缩包
由于驱动在文件系统里我们需要解压cpio
首先创建一个空目录
解压完成,当修改好之后我们可以用下面的工具进行打包
gen-cpio
下面是为了方便新人写了一个小小的压缩为镜像文件的脚本
vim gen-cpio
#!/bin/bash
me=${0##*/}
if [ $# -ne 1 ]
then
echo "Usage: $me <output-cpio>" >&2
exit 2
fi
find . -print0 |cpio --null -o --format=newc |gzip -9 > $1
保存之后我们
chmod +x gen-cpio
sudo mv gen-cpio /usr/bin/
用法就是
进入到我们需要打包的文件系统目录,一般是题目给的我们解压之后的目录
参数就是我们想要的目标cpio的名字
然后我们把这个cpio文件放到boots.sh同目录,这个时候文件系统就是我们最新的状态,一般exp就是要通过这种方式打包进qemu
常见的kernel-exploit例子
buuctf里面很少有kernel的题,所以只能自己去git上找
这里我分享两个
ctf wiki
上面这个是ctf wiki里面讲解的题目,里面有kernel模块的例题
一共有3道
w0lfzhang/kernel_exploit
这个下面的题目就很多了
9691
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
