1.pwntools
pwntools is a CTF framework and exploit-development library written in Python, designed by rapid, whose aim is to let users write exploits simply and quickly.
pwntools supports Ubuntu 12.04 and 14.04 best, but the vast majority of its functionality also works on Debian, Arch, FreeBSD, OSX and so on.
sudo pip install pwntools is all it takes to install it.
If the installation complains about a missing library, the fix should be easy to find with a quick Google search.
After installing, run the following command to check that it worked: if your output matches the above, the installation succeeded and the pwn module is ready to use.
2.zio
pwntools and zio are both exploit-writing tools developed in Python, and both make it easy to switch an exploit between a remote target and a local one. sudo pip install zio
is all it takes to install it.
zio is an easy-to-use io library for pwning development, supporting a unified interface for local process pwning and TCP socket io.
The primary goal of zio is to provide a unified io interface between process stdin/stdout and TCP socket io. So when you have done local pwning development, you only need to change the io target to pwn the remote server.
The following code illustrates the basic idea.
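The idea described above (and the local/remote switch mentioned for both pwntools and zio) can be shown with a small standard-library class. This is an added example written for this post, not zio's or pwntools' own code: the class name PwnIO, the start_echo_server fixture and the roundtrip helper are assumptions made here, and the echo process and echo server are constructed stand-ins for a local binary and a remote service. The only thing that changes between the two runs is the target value passed in.

```python
import socket
import subprocess
import sys
import threading
from typing import Sequence, Tuple, Union

# A (host, port) tuple selects a TCP target; anything else is a local command line.
Target = Union[Sequence[str], Tuple[str, int]]


class PwnIO:
    """Hypothetical unified io object: same send/recv calls over a process or a socket."""

    def __init__(self, target: Target):
        self._buf = b""
        if isinstance(target, tuple) and len(target) == 2 and isinstance(target[1], int):
            self._sock = socket.create_connection(target, timeout=5)
            self._proc = None
        else:
            self._sock = None
            # bufsize=0 gives raw pipes, so read() returns whatever bytes are available
            self._proc = subprocess.Popen(
                list(target), stdin=subprocess.PIPE, stdout=subprocess.PIPE, bufsize=0
            )

    def send(self, data: bytes) -> None:
        if self._proc is not None:
            view = memoryview(data)
            while view:  # raw pipe writes may be partial
                view = view[self._proc.stdin.write(view):]
        else:
            self._sock.sendall(data)

    def sendline(self, data: bytes) -> None:
        self.send(data + b"\n")

    def _read_chunk(self) -> bytes:
        if self._proc is not None:
            return self._proc.stdout.read(4096)
        return self._sock.recv(4096)

    def recvuntil(self, delim: bytes) -> bytes:
        """Read until delim appears; return everything up to and including it."""
        while delim not in self._buf:
            chunk = self._read_chunk()
            if not chunk:
                raise EOFError("target closed the connection")
            self._buf += chunk
        end = self._buf.index(delim) + len(delim)
        out, self._buf = self._buf[:end], self._buf[end:]
        return out

    def recvline(self) -> bytes:
        return self.recvuntil(b"\n")

    def close(self) -> None:
        if self._proc is not None:
            self._proc.stdin.close()
            self._proc.stdout.close()
            self._proc.wait(timeout=5)
        else:
            self._sock.close()


# Constructed local target: a child process that echoes one line back.
LOCAL_ECHO = [sys.executable, "-c",
              "import sys; sys.stdout.write(sys.stdin.readline()); sys.stdout.flush()"]


def start_echo_server() -> int:
    """Constructed stand-in for a remote service: one-connection TCP echo on localhost."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            chunk = conn.recv(4096)
            while chunk:
                conn.sendall(chunk)
                chunk = conn.recv(4096)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def roundtrip(target: Target, payload: bytes) -> bytes:
    """Send one line to the target and return the line it answers with."""
    io = PwnIO(target)
    try:
        io.sendline(payload)
        return io.recvline()
    finally:
        io.close()


if __name__ == "__main__":
    print(roundtrip(LOCAL_ECHO, b"local hello"))
    print(roundtrip(("127.0.0.1", start_echo_server()), b"remote hello"))
```

The interaction logic in roundtrip never mentions pipes or sockets; only the target changes, which is exactly what makes the local-to-remote switch a one-line edit.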
3.gdb+peda
I won't say much about gdb itself; have a look at this series of articles, http://blog.csdn.NET/haoel/article/details/2879, or at the relevant part of my own blog (mine is less detailed than that one).
peda is a gdb plugin written in Python that is used to:
- Enhance the display of gdb: colorize and display disassembly codes, registers, memory information during debugging
- Add commands to support debugging and exploit development (for a full list of commands use peda help)
Explanation of the related commands:
aslr -- Show/set ASLR setting of GDB
checksec -- Check for various security options of binary
dumpargs -- Display arguments passed to a function when stopped at a call instruction
dumprop -- Dump all ROP gadgets in specific memory range
elfheader -- Get headers information from debugged ELF file
elfsymbol -- Get non-debugging symbol information from an ELF file
lookup -- Search for all addresses/references to addresses which belong to a memory range
patch -- Patch memory start at an address with string/hexstring/int
pattern -- Generate, search, or write a cyclic pattern to memory
procinfo -- Display various info from /proc/pid/
pshow -- Show various PEDA options and other settings
pset -- Set various PEDA options and other settings
readelf -- Get headers information from an ELF file
ropgadget -- Get common ROP gadgets of binary or library
ropsearch -- Search for ROP gadgets in memory
searchmem|find -- Search for a pattern in memory; support regex search
shellcode -- Generate or download common shellcodes.
skeleton -- Generate python exploit code template
vmmap -- Get virtual mapping address ranges of section(s) in debugged process
xormem -- XOR a memory region with a key
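The checksec command in the list above reports which hardening options a binary was built with. To show what that check actually reads, here is an added example written for this post (not peda's code): it parses the ELF64 file header and program headers to determine PIE (e_type == ET_DYN), NX (a PT_GNU_STACK segment without the PF_X flag) and the presence of a PT_GNU_RELRO segment. The build_elf64 helper and the two sample images are constructed here so the example runs offline; stack-canary detection and the full-versus-partial RELRO distinction need the symbol and dynamic sections and are deliberately left out.

```python
import struct
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# ELF constants as defined in elf.h
ET_EXEC, ET_DYN = 2, 3
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4

EHDR = "<16sHHIQQQIHHHHHH"  # ELF64 file header, little-endian, 64 bytes
PHDR = "<IIQQQQQQ"          # ELF64 program header, 56 bytes


@dataclass
class Hardening:
    pie: bool    # ET_DYN executable: can be loaded at a randomized base
    nx: bool     # PT_GNU_STACK present and not marked executable
    relro: bool  # PT_GNU_RELRO present (partial RELRO at least)


def check_elf64(data: bytes) -> Hardening:
    """Read the hardening-relevant fields of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    nx = False      # no PT_GNU_STACK at all: the loader treats the stack as executable
    relro = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return Hardening(pie=(e_type == ET_DYN), nx=nx, relro=relro)


def check_file(path: str) -> Hardening:
    """Convenience wrapper for a binary on disk."""
    with open(path, "rb") as f:
        return check_elf64(f.read())


def findings(h: Hardening) -> List[str]:
    """Human-readable list of missing mitigations (empty when all three are present)."""
    out = []
    if not h.nx:
        out.append("NX disabled: stack segment is executable")
    if not h.pie:
        out.append("No PIE: fixed load address, ASLR does not apply to the image")
    if not h.relro:
        out.append("No RELRO: GOT and other relocation data stay writable")
    return out


def build_elf64(e_type: int, phdrs: Sequence[Tuple[int, int]]) -> bytes:
    """Constructed minimal ELF64 image: file header plus program headers, no code."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = struct.pack(EHDR, ident, e_type, 0x3E, 1, 0x1000, 64, 0, 0,
                       64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack(PHDR, p_type, p_flags, 0, 0, 0, 0, 0, 0x10)
                    for p_type, p_flags in phdrs)
    return ehdr + body


# Constructed samples: an old-style build with an executable stack and a
# fixed load address, next to a build with NX, PIE and RELRO enabled.
WEAK_BINARY = build_elf64(ET_EXEC, [(PT_LOAD, PF_R | PF_X),
                                    (PT_GNU_STACK, PF_R | PF_W | PF_X)])
HARDENED_BINARY = build_elf64(ET_DYN, [(PT_LOAD, PF_R | PF_X),
                                       (PT_GNU_STACK, PF_R | PF_W),
                                       (PT_GNU_RELRO, PF_R)])

if __name__ == "__main__":
    for name, img in (("weak", WEAK_BINARY), ("hardened", HARDENED_BINARY)):
        print(name, check_elf64(img), findings(check_elf64(img)))
```

Run check_file on a real binary to compare its output with peda's checksec; the program-header walk is the same thing the loader does when it decides whether to map the stack executable.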
Install:
git clone https://github.com/longld/peda.git ~/peda
echo "source ~/peda/peda.py" >> ~/.gdbinit
If nothing went wrong, running gdb now shows that the prompt has changed from gdb$ to gdb-peda$. I am writing this blog on Windows and installed peda on a separate lubuntu 14.04 machine, so taking screenshots is inconvenient; my apologies.
The peda README.md on github does have a few screenshots, which you can look at if you are interested: https://github.com/longld/peda
Of course, some of peda's properties can be configured:
- General usage and features
- The list of commands can be read by typing peda
- Peda has wrappers over many gdb commands
- There are three commands to show context:
  - context reg for the registers and flags
  - context code for disassembling around the current instruction pointer
  - context stack for examining the stack
- As you can see, there is a lot of information available. Note that the addresses are color coded according to their origin: code/data/rodata
- Peda also features smart dereferencing (telescoping)
- Displaying all strings in the address space is done using strings
Exploit/ Reverse Engineering specifics
More information: http://security.cs.pub.ro/hexcellents/wiki/kb/toolset/peda
4.IDA
IDA is far too powerful to be covered briefly in this article. I suggest studying the book The IDA Pro Book (《IDA pro权威指南》) and putting in plenty of hands-on practice; I think you will fall in love with IDA, because she really is fascinating.