Basic commands
A few notes taken while following the Bilibili series 你想有多PWN (still being updated).
GCC
The GCC toolchain goes through the following 4 steps when compiling a C source file:
- Preprocessing: header file contents, macros and the like are expanded into the generated .i file, which is still C code.
- Compilation: the preprocessed .i file is compiled into a .s file, i.e. assembly language.
- Assembly: the assembly file is turned into an object file, .o, containing machine code.
- Linking: the .o files of all source files are linked together to produce a single executable.
- Dynamic linking: GCC's default. "Dynamic" means the external code libraries are loaded only when the application runs, and different programs can share one copy of a library, so a dynamically linked program is smaller and uses less memory.
- Static linking: enabled with the "--static" option at link time; everything the program uses from its libraries is packed into the executable at build time. Its advantages are better compatibility and no dependence on the target environment, but the resulting program is larger.
# Preprocessing expands the file inclusions (#include) and preprocessor directives (such as #define macros) in the source and produces the .i file.
gcc -E hello.c -o hello.i
# Compilation turns the preprocessed .i file into assembly and produces the .s file, i.e. C becomes assembly language; this is the work of the GCC compiler proper.
gcc -S hello.i -o hello.s
# Assembly turns the .s file into the object file .o; every source file gets its own object file. Assembly becomes machine code; this is the work of the assembler, as.
gcc -c hello.s -o hello.o
# Linking joins the object files of all source files into one executable; this is the work of the linker, ld.
gcc hello.o -o hello
NX: -z execstack / -z noexecstack (off / on)  # data on the stack can no longer be executed, so JMP ESP stops working
Canary: -fno-stack-protector / -fstack-protector / -fstack-protector-all  # (off / on / all functions) a cookie is inserted into the stack frame
PIE: -no-pie / -pie  # (off / on) address randomization; when it is on, get_pc_thunk shows up in the code
RELRO: -z norelro / -z lazy / -z now  # (off / partial / full) controls whether the GOT stays writable
file
Identifies file types:
file [-bcLvz][-f <namefile>][-m <magicfile>...][file or directory...]
-b Omit the file name from the output.
-c Print the steps of the check in detail, useful for debugging or analysing how the program runs.
-f <namefile> Read the files to examine from namefile, one name per line, and identify them in order.
-L Follow symbolic links and report the type of the file they point to.
-m <magicfile> Use the given magic-number file.
-v Print version information.
-z Try to look inside compressed files.
[file or directory...] The files whose types are to be determined, separated by spaces; shell wildcards can match several files at once.
ldd
In Linux, ldd stands for "list dynamic dependencies": it lists the shared libraries a program depends on.
ldd [options] [file]
--version Print the version number;
-v Verbose mode, print all related information;
-u Print unused direct dependencies;
-d Perform relocations and report any missing objects;
-r Perform relocations of data objects and functions, and report any missing objects and functions;
--help Show the help text.
How it works:
ldd is not an executable program, only a shell script.
ldd shows an executable's dependencies by setting a series of environment variables.
In substance, ldd's dependency listing is done by ld-linux.so (the ELF dynamic loader). ld-linux.so runs before the executable and gets control first, so when those environment variables are set, ld-linux.so chooses to display the executable's dependencies instead of running it.
ld-linux.so can also be run directly, e.g. /lib/ld-linux.so.2 --list program (equivalent to ldd program).
nm
nm is a file-analysis tool that ships with Linux. It is generally used to inspect the symbol table of binaries, libraries and executables, and reports the symbols of each section in the binary.
nm [-option]
-A Print the file name before each symbol
-D Show dynamic symbols
-g Show only external symbols
-r Show the symbol table in reverse order
hexdump
hexdump is a binary file viewer for Linux; it converts a binary file to ASCII, octal, decimal or hexadecimal for viewing.
hexdump [-bcCdovx] [-e fmt] [-f fmt_file] [-n length] [-s skip] [file ...]
-n length Format only the first length bytes of the input.
-C Canonical hex+ASCII display.
-b One-byte octal display.
-c One-byte character display.
-d Two-byte decimal display.
-o Two-byte octal display.
-x Two-byte hexadecimal display.
-s skip Start output at the given byte offset.
objdump
objdump is the Linux command for disassembling object files and executables
objdump [option] [file]
-f Show file header information
-d Disassemble the code sections
-S Disassemble and interleave the assembly with the source code; the program must be compiled with -g so that debug information is present;
-C Demangle C++ symbol names
-l Insert file names and line numbers into the disassembly
-j section Disassemble only the given section
-M intel Show Intel syntax; the default is AT&T
readelf
readelf is generally used to view information about ELF-format files: Linux executables, shared libraries (*.so), static libraries (*.a) and other files containing ELF.
readelf [option] [file]
-a all Show all information
-h (elf header) Show the ELF file header at the start of the file.
-l (program headers) Show the program headers (segment headers), if any.
-S (section headers) Show the section headers, if any.
-g (section groups) Show the section groups, if any.
-s (symbols) Show the entries of the symbol table section, if any.
-e headers Show all headers; equivalent to -h -l -S.
-r relocs Show the relocation sections.
-d dynamic Show the dynamic section.
-V version-info Show the version sections.
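The protection flags listed under GCC and the `-h`, `-l` and `-d` views of readelf describe the same ELF structures. The Python script below is an added example (not from the notes or from the video series): it parses the ELF64 file header, program headers and dynamic section with `struct` and reports NX, PIE, RELRO and canary the way a checksec script does, and it builds a constructed, header-only ELF image to exercise itself. Assumptions: the canary check is a heuristic (it looks for the `__stack_chk_fail` import string), and ET_DYN is reported as PIE although shared libraries are ET_DYN too.

```python
"""checksec-style reader for ELF64 files. Added example, not from the notes.

Reads the structures that `readelf -h`, `readelf -l` and `readelf -d` print and maps
them to the GCC options above: -z noexecstack, -fstack-protector, -pie, -z now.
"""
import struct
import sys

# Constants from elf.h
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr (56 bytes)
DYN = struct.Struct("<qQ")                 # Elf64_Dyn  (16 bytes)


def parse_elf64(data: bytes) -> dict:
    """Return e_type, the program headers and the dynamic entries of an ELF64 LE image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = e[1], e[5], e[9], e[10]
    phdrs = []
    for i in range(e_phnum):
        p = PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p[0], "flags": p[1], "offset": p[2], "filesz": p[5]})
    dyn = {}
    for ph in phdrs:
        if ph["type"] == PT_DYNAMIC:  # walk the Elf64_Dyn entries until DT_NULL
            off = ph["offset"]
            while off + DYN.size <= len(data):
                tag, val = DYN.unpack_from(data, off)
                if tag == DT_NULL:
                    break
                dyn[tag] = val
                off += DYN.size
    return {"e_type": e_type, "phdrs": phdrs, "dyn": dyn}


def checksec(data: bytes) -> dict:
    """NX / PIE / RELRO / canary as the loader and libc would see them."""
    elf = parse_elf64(data)
    by_type = {ph["type"]: ph for ph in elf["phdrs"]}
    stack = by_type.get(PT_GNU_STACK)
    # NX only if the GNU_STACK header exists and does not request PF_X (-z execstack sets it)
    nx = stack is not None and not stack["flags"] & PF_X
    relro = "none"
    if PT_GNU_RELRO in by_type:
        d = elf["dyn"]
        now = (DT_BIND_NOW in d or d.get(DT_FLAGS, 0) & DF_BIND_NOW
               or d.get(DT_FLAGS_1, 0) & DF_1_NOW)
        relro = "full" if now else "partial"  # full RELRO needs -z now (BIND_NOW) as well
    return {
        "nx": nx,
        "pie": elf["e_type"] == ET_DYN,  # -pie output is ET_DYN; so are .so files (caveat)
        "relro": relro,
        "canary": b"__stack_chk_fail" in data,  # heuristic: the import -fstack-protector adds
    }


def build_sample_elf(nx=True, pie=True, relro="full", canary=True) -> bytes:
    """Constructed header-only ELF64 image (not runnable) carrying just what checksec() reads."""
    phdrs = [(PT_GNU_STACK, 0x6 if nx else 0x7)]
    if relro != "none":
        phdrs.append((PT_GNU_RELRO, 0x4))
    phdrs.append((PT_DYNAMIC, 0x6))
    dyn_off = EHDR.size + PHDR.size * len(phdrs)
    dyn_blob = DYN.pack(DT_FLAGS, DF_BIND_NOW if relro == "full" else 0) + DYN.pack(DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, ELFDATA2LSB
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    body = b"".join(
        PHDR.pack(t, f, dyn_off if t == PT_DYNAMIC else 0, 0, 0,
                  len(dyn_blob) if t == PT_DYNAMIC else 0, 0, 8)
        for t, f in phdrs)
    strtab = b"__stack_chk_fail\x00" if canary else b"puts\x00"
    return ehdr + body + dyn_blob + strtab


if __name__ == "__main__":
    # With a path argument, inspect a real binary (e.g. the `a` used in the gdb session below);
    # without one, compare the constructed hardened and weak images.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(checksec(fh.read()))
    else:
        print("hardened:", checksec(build_sample_elf()))
        print("weak:    ", checksec(build_sample_elf(nx=False, pie=False, relro="none", canary=False)))
```

Compare its output for a real binary with `readelf -l` (the GNU_STACK and GNU_RELRO entries) and `readelf -d` (the BIND_NOW flags).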
ROPgadget
Finds the instructions, strings and so on that are needed from a file.
ROPgadget --binary FILE --only "pop|ret" | grep rdi
ROPgadget --binary FILE --only "pop|ret" | grep rsi
ROPgadget --binary FILE --only "pop|ret"
ROPgadget --binary FILE --string '/bin/sh'
ROPgadget --binary FILE --string 'cat flag.txt'
ROPgadget --binary FILE --string 'cat flag'
ROPgadget --binary FILE --string 'sh'
ROPgadget --binary FILE --string '/sh'
Debugging with gdb
GDB, the "GNU symbolic debugger", is the program debugger commonly used on Linux. It has gone through many versions, and today's GDB can debug programs written in a number of languages, including C, C++, Go, Objective-C, OpenCL and Ada. In practice it is mostly used to debug C and C++ programs.
Common commands
Command | Abbreviation | Description |
---|---|---|
run | r | Run the program being debugged |
continue | c | Resume a paused program |
next | n | Run to the next line |
step | s | Single-step, entering any function that is called |
until | u | Run until the given line is reached |
finish | fi | Finish the current function and return to the caller |
return | return | End the current function, returning the given value, and go back to the caller |
jump | j | Move execution to the given line or address |
print | p | Print the value of a variable or register |
backtrace | bt | Show the call stack of the current thread |
frame | f | Select the given frame in the current thread's call stack |
thread | thread | Switch to the given thread |
break | b | Set a breakpoint |
tbreak | tb | Set a temporary breakpoint |
delete | d | Delete a breakpoint |
enable | enable | Enable a breakpoint |
disable | disable | Disable a breakpoint |
watch | watch | Watch a variable or memory address for changes |
list | l | Show source code |
info | i | Show information about breakpoints, threads, etc. |
ptype | ptype | Show a variable's type |
disassemble | dis | Show assembly code |
set args | set args | Set the program's command-line arguments |
show args | show args | Show the command-line arguments that were set |
gdb ./
gdb ./[program]
gdb ./a
GNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./a...(no debugging symbols found)...done.
With nothing typed at the prompt, Tab lists all commands
run
(gdb) run
Starting program: /mnt/e/qqdownload/pwn/chapter_1/test_1/a
input:
abc
abc[Inferior 1 (process 39) exited normally]
start
(gdb) start
Temporary breakpoint 1 at 0x555555400912
Starting program: /mnt/e/qqdownload/pwn/chapter_1/test_1/a
Temporary breakpoint 1, 0x0000555555400912 in main ()
i r
(gdb) i r
rax 0x55555540090e 93824990841102
rbx 0x0 0
rcx 0x5555554009a0 93824990841248
rdx 0x7fffffffdcd8 140737488346328
rsi 0x7fffffffdcc8 140737488346312
rdi 0x1 1
rbp 0x7fffffffdbe0 0x7fffffffdbe0
rsp 0x7fffffffdbe0 0x7fffffffdbe0
r8 0x7ffff7dced80 140737351839104
r9 0x7ffff7dced80 140737351839104
r10 0x2 2
r11 0xf 15
r12 0x555555400780 93824990840704
r13 0x7fffffffdcc0 140737488346304
r14 0x0 0
r15 0x0 0
rip 0x555555400912 0x555555400912 <main+4>
eflags 0x246 [ PF ZF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
disassemble $rip
(gdb) disassemble $rip
Dump of assembler code for function main:
0x000055555540090e <+0>: push %rbp
0x000055555540090f <+1>: mov %rsp,%rbp
=> 0x0000555555400912 <+4>: sub $0x20,%rsp
0x0000555555400916 <+8>: mov %fs:0x28,%rax
0x000055555540091f <+17>: mov %rax,-0x8(%rbp)
0x0000555555400923 <+21>: xor %eax,%eax
0x0000555555400925 <+23>: movq $0x0,-0x18(%rbp)
0x000055555540092d <+31>: movq $0x0,-0x10(%rbp)
0x0000555555400935 <+39>: lea 0xe8(%rip),%rdi # 0x555555400a24
0x000055555540093c <+46>: callq 0x555555400710 <puts@plt>
0x0000555555400941 <+51>: lea -0x18(%rbp),%rax
0x0000555555400945 <+55>: mov %rax,%rdi
0x0000555555400948 <+58>: mov $0x0,%eax
0x000055555540094d <+63>: callq 0x555555400750 <gets@plt>
0x0000555555400952 <+68>: lea -0x18(%rbp),%rax
0x0000555555400956 <+72>: mov %rax,%rdi
0x0000555555400959 <+75>: mov $0x0,%eax
0x000055555540095e <+80>: callq 0x555555400740 <printf@plt>
0x0000555555400963 <+85>: movzbl -0x10(%rbp),%eax
0x0000555555400967 <+89>: cmp $0x61,%al
0x0000555555400969 <+91>: jne 0x555555400977 <main+105>
0x000055555540096b <+93>: lea 0x20069e(%rip),%rdi # 0x555555601010 <sh>
0x0000555555400972 <+100>: callq 0x5555554008ef <func>
0x0000555555400977 <+105>: mov $0x0,%eax
0x000055555540097c <+110>: mov -0x8(%rbp),%rdx
0x0000555555400980 <+114>: xor %fs:0x28,%rdx
0x0000555555400989 <+123>: je 0x555555400990 <main+130>
0x000055555540098b <+125>: callq 0x555555400720 <__stack_chk_fail@plt>
---Type <return> to continue, or q <return> to quit---
# switch to Intel assembly syntax:
(gdb) set disassembly-flavor intel
(gdb) disassemble $rip
Dump of assembler code for function main:
0x000055555540090e <+0>: push rbp
0x000055555540090f <+1>: mov rbp,rsp
=> 0x0000555555400912 <+4>: sub rsp,0x20
0x0000555555400916 <+8>: mov rax,QWORD PTR fs:0x28
0x000055555540091f <+17>: mov QWORD PTR [rbp-0x8],rax
0x0000555555400923 <+21>: xor eax,eax
0x0000555555400925 <+23>: mov QWORD PTR [rbp-0x18],0x0
0x000055555540092d <+31>: mov QWORD PTR [rbp-0x10],0x0
0x0000555555400935 <+39>: lea rdi,[rip+0xe8] # 0x555555400a24
0x000055555540093c <+46>: call 0x555555400710 <puts@plt>
0x0000555555400941 <+51>: lea rax,[rbp-0x18]
0x0000555555400945 <+55>: mov rdi,rax
0x0000555555400948 <+58>: mov eax,0x0
0x000055555540094d <+63>: call 0x555555400750 <gets@plt>
0x0000555555400952 <+68>: lea rax,[rbp-0x18]
0x0000555555400956 <+72>: mov rdi,rax
0x0000555555400959 <+75>: mov eax,0x0
0x000055555540095e <+80>: call 0x555555400740 <printf@plt>
0x0000555555400963 <+85>: movzx eax,BYTE PTR [rbp-0x10]
0x0000555555400967 <+89>: cmp al,0x61
0x0000555555400969 <+91>: jne 0x555555400977 <main+105>
0x000055555540096b <+93>: lea rdi,[rip+0x20069e] # 0x555555601010 <sh>
0x0000555555400972 <+100>: call 0x5555554008ef <func>
0x0000555555400977 <+105>: mov eax,0x0
0x000055555540097c <+110>: mov rdx,QWORD PTR [rbp-0x8]
0x0000555555400980 <+114>: xor rdx,QWORD PTR fs:0x28
0x0000555555400989 <+123>: je 0x555555400990 <main+130>
0x000055555540098b <+125>: call 0x555555400720 <__stack_chk_fail@plt>
b *, i b, r, d
(gdb) b *0x0000555555400916
Breakpoint 3 at 0x555555400916
(gdb) i b
Num Type Disp Enb Address What
3 breakpoint keep y 0x0000555555400916 <main+8>
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /mnt/e/qqdownload/pwn/chapter_1/test_1/a
Breakpoint 3, 0x0000555555400916 in main ()
(gdb) disassemble $rip
Dump of assembler code for function main:
0x000055555540090e <+0>: push rbp
0x000055555540090f <+1>: mov rbp,rsp
0x0000555555400912 <+4>: sub rsp,0x20
=> 0x0000555555400916 <+8>: mov rax,QWORD PTR fs:0x28
0x000055555540091f <+17>: mov QWORD PTR [rbp-0x8],rax
0x0000555555400923 <+21>: xor eax,eax
0x0000555555400925 <+23>: mov QWORD PTR [rbp-0x18],0x0
0x000055555540092d <+31>: mov QWORD PTR [rbp-0x10],0x0
0x0000555555400935 <+39>: lea rdi,[rip+0xe8] # 0x555555400a24
0x000055555540093c <+46>: call 0x555555400710 <puts@plt>
0x0000555555400941 <+51>: lea rax,[rbp-0x18]
0x0000555555400945 <+55>: mov rdi,rax
0x0000555555400948 <+58>: mov eax,0x0
0x000055555540094d <+63>: call 0x555555400750 <gets@plt>
0x0000555555400952 <+68>: lea rax,[rbp-0x18]
0x0000555555400956 <+72>: mov rdi,rax
0x0000555555400959 <+75>: mov eax,0x0
0x000055555540095e <+80>: call 0x555555400740 <printf@plt>
0x0000555555400963 <+85>: movzx eax,BYTE PTR [rbp-0x10]
0x0000555555400967 <+89>: cmp al,0x61
0x0000555555400969 <+91>: jne 0x555555400977 <main+105>
0x000055555540096b <+93>: lea rdi,[rip+0x20069e] # 0x555555601010 <sh>
0x0000555555400972 <+100>: call 0x5555554008ef <func>
0x0000555555400977 <+105>: mov eax,0x0
0x000055555540097c <+110>: mov rdx,QWORD PTR [rbp-0x8]
0x0000555555400980 <+114>: xor rdx,QWORD PTR fs:0x28
0x0000555555400989 <+123>: je 0x555555400990 <main+130>
0x000055555540098b <+125>: call 0x555555400720 <__stack_chk_fail@plt>
(gdb) d 3
(gdb) i b
No breakpoints or watchpoints.
disable / enable
(gdb) b *0x0000555555400916
Breakpoint 2 at 0x555555400916
(gdb) i b
Num Type Disp Enb Address What
2 breakpoint keep y 0x0000555555400916 <main+8>
(gdb) disable b 2
(gdb) i b
Num Type Disp Enb Address What
2 breakpoint keep n 0x0000555555400916 <main+8>
(gdb) enable b 2
(gdb) i b
Num Type Disp Enb Address What
2 breakpoint keep y 0x0000555555400916 <main+8>
ni, si, finish
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_1$ gdb ./a
Reading symbols from ./a...(no debugging symbols found)...done.
(gdb) start
Temporary breakpoint 1 at 0x912
Starting program: /mnt/e/qqdownload/pwn/chapter_1/test_1/a
Temporary breakpoint 1, 0x0000555555400912 in main ()
(gdb) disassble $rip
Undefined command: "disassble". Try "help".
(gdb) disassemble $rip
Dump of assembler code for function main:
0x000055555540090e <+0>: push rbp
0x000055555540090f <+1>: mov rbp,rsp
=> 0x0000555555400912 <+4>: sub rsp,0x20
0x0000555555400916 <+8>: mov rax,QWORD PTR fs:0x28
0x000055555540091f <+17>: mov QWORD PTR [rbp-0x8],rax
0x0000555555400923 <+21>: xor eax,eax
0x0000555555400925 <+23>: mov QWORD PTR [rbp-0x18],0x0
0x000055555540092d <+31>: mov QWORD PTR [rbp-0x10],0x0
0x0000555555400935 <+39>: lea rdi,[rip+0xe8] # 0x555555400a24
0x000055555540093c <+46>: call 0x555555400710 <puts@plt>
0x0000555555400941 <+51>: lea rax,[rbp-0x18]
0x0000555555400945 <+55>: mov rdi,rax
0x0000555555400948 <+58>: mov eax,0x0
0x000055555540094d <+63>: call 0x555555400750 <gets@plt>
0x0000555555400952 <+68>: lea rax,[rbp-0x18]
0x0000555555400956 <+72>: mov rdi,rax
0x0000555555400959 <+75>: mov eax,0x0
0x000055555540095e <+80>: call 0x555555400740 <printf@plt>
0x0000555555400963 <+85>: movzx eax,BYTE PTR [rbp-0x10]
0x0000555555400967 <+89>: cmp al,0x61
0x0000555555400969 <+91>: jne 0x555555400977 <main+105>
0x000055555540096b <+93>: lea rdi,[rip+0x20069e] # 0x555555601010 <sh>
0x0000555555400972 <+100>: call 0x5555554008ef <func>
0x0000555555400977 <+105>: mov eax,0x0
0x000055555540097c <+110>: mov rdx,QWORD PTR [rbp-0x8]
0x0000555555400980 <+114>: xor rdx,QWORD PTR fs:0x28
0x0000555555400989 <+123>: je 0x555555400990 <main+130>
0x000055555540098b <+125>: call 0x555555400720 <__stack_chk_fail@plt>
---Type <return> to continue, or q <return> to quit---
0x0000555555400990 <+130>: leave
0x0000555555400991 <+131>: ret
End of assembler dump.
(gdb) b *0x000055555540093c
Breakpoint 2 at 0x55555540093c
(gdb) start
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Temporary breakpoint 3 at 0x555555400912
Starting program: /mnt/e/qqdownload/pwn/chapter_1/test_1/a
Temporary breakpoint 3, 0x0000555555400912 in main ()
(gdb) c
Continuing.
Breakpoint 2, 0x000055555540093c in main ()
(gdb) disassemble $rip
Dump of assembler code for function main:
0x000055555540090e <+0>: push rbp
0x000055555540090f <+1>: mov rbp,rsp
0x0000555555400912 <+4>: sub rsp,0x20
0x0000555555400916 <+8>: mov rax,QWORD PTR fs:0x28
0x000055555540091f <+17>: mov QWORD PTR [rbp-0x8],rax
0x0000555555400923 <+21>: xor eax,eax
0x0000555555400925 <+23>: mov QWORD PTR [rbp-0x18],0x0
0x000055555540092d <+31>: mov QWORD PTR [rbp-0x10],0x0
0x0000555555400935 <+39>: lea rdi,[rip+0xe8] # 0x555555400a24
=> 0x000055555540093c <+46>: call 0x555555400710 <puts@plt>
0x0000555555400941 <+51>: lea rax,[rbp-0x18]
0x0000555555400945 <+55>: mov rdi,rax
0x0000555555400948 <+58>: mov eax,0x0
0x000055555540094d <+63>: call 0x555555400750 <gets@plt>
0x0000555555400952 <+68>: lea rax,[rbp-0x18]
0x0000555555400956 <+72>: mov rdi,rax
0x0000555555400959 <+75>: mov eax,0x0
0x000055555540095e <+80>: call 0x555555400740 <printf@plt>
0x0000555555400963 <+85>: movzx eax,BYTE PTR [rbp-0x10]
0x0000555555400967 <+89>: cmp al,0x61
0x0000555555400969 <+91>: jne 0x555555400977 <main+105>
0x000055555540096b <+93>: lea rdi,[rip+0x20069e] # 0x555555601010 <sh>
0x0000555555400972 <+100>: call 0x5555554008ef <func>
0x0000555555400977 <+105>: mov eax,0x0
0x000055555540097c <+110>: mov rdx,QWORD PTR [rbp-0x8]
0x0000555555400980 <+114>: xor rdx,QWORD PTR fs:0x28
0x0000555555400989 <+123>: je 0x555555400990 <main+130>
0x000055555540098b <+125>: call 0x555555400720 <__stack_chk_fail@plt>
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) ni
input:
0x0000555555400941 in main ()
(gdb) start
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Temporary breakpoint 4 at 0x555555400912
Starting program: /mnt/e/qqdownload/pwn/chapter_1/test_1/a
Temporary breakpoint 4, 0x0000555555400912 in main ()
(gdb) c
Continuing.
Breakpoint 2, 0x000055555540093c in main ()
(gdb) si
0x0000555555400710 in puts@plt ()
(gdb) disassemble $rip
Dump of assembler code for function puts@plt:
=> 0x0000555555400710 <+0>: jmp QWORD PTR [rip+0x200892] # 0x555555600fa8
0x0000555555400716 <+6>: push 0x0
0x000055555540071b <+11>: jmp 0x555555400700
End of assembler dump.
(gdb) finish
Run till exit from #0 0x0000555555400710 in puts@plt ()
input:
0x0000555555400941 in main ()
(gdb) disassemble $rip
Dump of assembler code for function main:
0x000055555540090e <+0>: push rbp
0x000055555540090f <+1>: mov rbp,rsp
0x0000555555400912 <+4>: sub rsp,0x20
0x0000555555400916 <+8>: mov rax,QWORD PTR fs:0x28
0x000055555540091f <+17>: mov QWORD PTR [rbp-0x8],rax
0x0000555555400923 <+21>: xor eax,eax
0x0000555555400925 <+23>: mov QWORD PTR [rbp-0x18],0x0
0x000055555540092d <+31>: mov QWORD PTR [rbp-0x10],0x0
0x0000555555400935 <+39>: lea rdi,[rip+0xe8] # 0x555555400a24
0x000055555540093c <+46>: call 0x555555400710 <puts@plt>
=> 0x0000555555400941 <+51>: lea rax,[rbp-0x18]
0x0000555555400945 <+55>: mov rdi,rax
0x0000555555400948 <+58>: mov eax,0x0
0x000055555540094d <+63>: call 0x555555400750 <gets@plt>
0x0000555555400952 <+68>: lea rax,[rbp-0x18]
0x0000555555400956 <+72>: mov rdi,rax
0x0000555555400959 <+75>: mov eax,0x0
0x000055555540095e <+80>: call 0x555555400740 <printf@plt>
0x0000555555400963 <+85>: movzx eax,BYTE PTR [rbp-0x10]
0x0000555555400967 <+89>: cmp al,0x61
0x0000555555400969 <+91>: jne 0x555555400977 <main+105>
0x000055555540096b <+93>: lea rdi,[rip+0x20069e] # 0x555555601010 <sh>
0x0000555555400972 <+100>: call 0x5555554008ef <func>
0x0000555555400977 <+105>: mov eax,0x0
0x000055555540097c <+110>: mov rdx,QWORD PTR [rbp-0x8]
0x0000555555400980 <+114>: xor rdx,QWORD PTR fs:0x28
0x0000555555400989 <+123>: je 0x555555400990 <main+130>
0x000055555540098b <+125>: call 0x555555400720 <__stack_chk_fail@plt>
---Type <return> to continue, or q <return> to quit---
0x0000555555400990 <+130>: leave
0x0000555555400991 <+131>: ret
End of assembler dump.
Side note
BYTE, WORD, DWORD, QWORD
- BYTE: 8 bits
- WORD: 16 bits
- DWORD: 32 bits
- QWORD: 64 bits
print, x/, set
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_1$ gdb ./a
Reading symbols from ./a...(no debugging symbols found)...done.
(gdb) start
Temporary breakpoint 1 at 0x912
Starting program: /mnt/e/qqdownload/pwn/chapter_1/test_1/a
Temporary breakpoint 1, 0x0000555555400912 in main ()
(gdb) i r
rax 0x55555540090e 93824990841102
rbx 0x0 0
rcx 0x5555554009a0 93824990841248
rdx 0x7fffffffdcd8 140737488346328
rsi 0x7fffffffdcc8 140737488346312
rdi 0x1 1
rbp 0x7fffffffdbe0 0x7fffffffdbe0
rsp 0x7fffffffdbe0 0x7fffffffdbe0
r8 0x7ffff7dced80 140737351839104
r9 0x7ffff7dced80 140737351839104
r10 0x2 2
r11 0xf 15
r12 0x555555400780 93824990840704
r13 0x7fffffffdcc0 140737488346304
r14 0x0 0
r15 0x0 0
rip 0x555555400912 0x555555400912 <main+4>
eflags 0x246 [ PF ZF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) disassemble $rip
Dump of assembler code for function main:
0x000055555540090e <+0>: push rbp
0x000055555540090f <+1>: mov rbp,rsp
=> 0x0000555555400912 <+4>: sub rsp,0x20
0x0000555555400916 <+8>: mov rax,QWORD PTR fs:0x28
0x000055555540091f <+17>: mov QWORD PTR [rbp-0x8],rax
0x0000555555400923 <+21>: xor eax,eax
0x0000555555400925 <+23>: mov QWORD PTR [rbp-0x18],0x0
0x000055555540092d <+31>: mov QWORD PTR [rbp-0x10],0x0
0x0000555555400935 <+39>: lea rdi,[rip+0xe8] # 0x555555400a24
0x000055555540093c <+46>: call 0x555555400710 <puts@plt>
0x0000555555400941 <+51>: lea rax,[rbp-0x18]
0x0000555555400945 <+55>: mov rdi,rax
0x0000555555400948 <+58>: mov eax,0x0
0x000055555540094d <+63>: call 0x555555400750 <gets@plt>
0x0000555555400952 <+68>: lea rax,[rbp-0x18]
0x0000555555400956 <+72>: mov rdi,rax
0x0000555555400959 <+75>: mov eax,0x0
0x000055555540095e <+80>: call 0x555555400740 <printf@plt>
0x0000555555400963 <+85>: movzx eax,BYTE PTR [rbp-0x10]
0x0000555555400967 <+89>: cmp al,0x61
0x0000555555400969 <+91>: jne 0x555555400977 <main+105>
0x000055555540096b <+93>: lea rdi,[rip+0x20069e] # 0x555555601010 <sh>
0x0000555555400972 <+100>: call 0x5555554008ef <func>
0x0000555555400977 <+105>: mov eax,0x0
0x000055555540097c <+110>: mov rdx,QWORD PTR [rbp-0x8]
0x0000555555400980 <+114>: xor rdx,QWORD PTR fs:0x28
0x0000555555400989 <+123>: je 0x555555400990 <main+130>
0x000055555540098b <+125>: call 0x555555400720 <__stack_chk_fail@plt>
0x0000555555400990 <+130>: leave
0x0000555555400991 <+131>: ret
End of assembler dump.
(gdb) b *0x0000555555400963
Breakpoint 2 at 0x555555400963
(gdb) c
Continuing.
input:
aaaaa
Breakpoint 2, 0x0000555555400963 in main ()
(gdb) x/20i $rip
=> 0x555555400963 <main+85>: movzx eax,BYTE PTR [rbp-0x10]
0x555555400967 <main+89>: cmp al,0x61
0x555555400969 <main+91>: jne 0x555555400977 <main+105>
0x55555540096b <main+93>: lea rdi,[rip+0x20069e] # 0x555555601010 <sh>
0x555555400972 <main+100>: call 0x5555554008ef <func>
0x555555400977 <main+105>: mov eax,0x0
0x55555540097c <main+110>: mov rdx,QWORD PTR [rbp-0x8]
0x555555400980 <main+114>: xor rdx,QWORD PTR fs:0x28
0x555555400989 <main+123>: je 0x555555400990 <main+130>
0x55555540098b <main+125>: call 0x555555400720 <__stack_chk_fail@plt>
0x555555400990 <main+130>: leave
0x555555400991 <main+131>: ret
0x555555400992: nop WORD PTR cs:[rax+rax*1+0x0]
0x55555540099c: nop DWORD PTR [rax+0x0]
0x5555554009a0 <__libc_csu_init>: push r15
0x5555554009a2 <__libc_csu_init+2>: push r14
0x5555554009a4 <__libc_csu_init+4>: mov r15,rdx
0x5555554009a7 <__libc_csu_init+7>: push r13
0x5555554009a9 <__libc_csu_init+9>: push r12
0x5555554009ab <__libc_csu_init+11>: lea r12,[rip+0x2003de] # 0x555555600d90
(gdb) x/20b $rbp-0x10
0x7fffffffdbd0: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fffffffdbd8: 0x00 0xcb 0x22 0xba 0x58 0x60 0xea 0x40
0x7fffffffdbe0: 0xa0 0x09 0x40 0x55
(gdb) set *0x7fffffffdbd0=0x61
(gdb) i r
rax 0x5 5
rbx 0x0 0
rcx 0x0 0
rdx 0x0 0
rsi 0x61616161 1633771873
rdi 0x555555602260 93824992944736
rbp 0x7fffffffdbe0 0x7fffffffdbe0
rsp 0x7fffffffdbc0 0x7fffffffdbc0
r8 0x7ffff7fe94c0 140737354044608
r9 0x7ffff7fe94c0 140737354044608
r10 0x555555602010 93824992944144
r11 0x246 582
r12 0x555555400780 93824990840704
r13 0x7fffffffdcc0 140737488346304
r14 0x0 0
r15 0x0 0
rip 0x555555400963 0x555555400963 <main+85>
eflags 0x206 [ PF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) x/20b $rbp-0x10
0x7fffffffdbd0: 0x61 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fffffffdbd8: 0x00 0xcb 0x22 0xba 0x58 0x60 0xea 0x40
0x7fffffffdbe0: 0xa0 0x09 0x40 0x55
(gdb) ni
0x0000555555400967 in main ()
(gdb) i r
rax 0x61 97
rbx 0x0 0
rcx 0x0 0
rdx 0x0 0
rsi 0x61616161 1633771873
rdi 0x555555602260 93824992944736
rbp 0x7fffffffdbe0 0x7fffffffdbe0
rsp 0x7fffffffdbc0 0x7fffffffdbc0
r8 0x7ffff7fe94c0 140737354044608
r9 0x7ffff7fe94c0 140737354044608
r10 0x555555602010 93824992944144
r11 0x246 582
r12 0x555555400780 93824990840704
r13 0x7fffffffdcc0 140737488346304
r14 0x0 0
r15 0x0 0
rip 0x555555400967 0x555555400967 <main+89>
eflags 0x206 [ PF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) disassemble $rip
Dump of assembler code for function main:
0x000055555540090e <+0>: push rbp
0x000055555540090f <+1>: mov rbp,rsp
0x0000555555400912 <+4>: sub rsp,0x20
0x0000555555400916 <+8>: mov rax,QWORD PTR fs:0x28
0x000055555540091f <+17>: mov QWORD PTR [rbp-0x8],rax
0x0000555555400923 <+21>: xor eax,eax
0x0000555555400925 <+23>: mov QWORD PTR [rbp-0x18],0x0
0x000055555540092d <+31>: mov QWORD PTR [rbp-0x10],0x0
0x0000555555400935 <+39>: lea rdi,[rip+0xe8] # 0x555555400a24
0x000055555540093c <+46>: call 0x555555400710 <puts@plt>
0x0000555555400941 <+51>: lea rax,[rbp-0x18]
0x0000555555400945 <+55>: mov rdi,rax
0x0000555555400948 <+58>: mov eax,0x0
0x000055555540094d <+63>: call 0x555555400750 <gets@plt>
0x0000555555400952 <+68>: lea rax,[rbp-0x18]
0x0000555555400956 <+72>: mov rdi,rax
0x0000555555400959 <+75>: mov eax,0x0
0x000055555540095e <+80>: call 0x555555400740 <printf@plt>
0x0000555555400963 <+85>: movzx eax,BYTE PTR [rbp-0x10]
=> 0x0000555555400967 <+89>: cmp al,0x61
0x0000555555400969 <+91>: jne 0x555555400977 <main+105>
0x000055555540096b <+93>: lea rdi,[rip+0x20069e] # 0x555555601010 <sh>
0x0000555555400972 <+100>: call 0x5555554008ef <func>
0x0000555555400977 <+105>: mov eax,0x0
0x000055555540097c <+110>: mov rdx,QWORD PTR [rbp-0x8]
0x0000555555400980 <+114>: xor rdx,QWORD PTR fs:0x28
0x0000555555400989 <+123>: je 0x555555400990 <main+130>
0x000055555540098b <+125>: call 0x555555400720 <__stack_chk_fail@plt>
0x0000555555400990 <+130>: leave
0x0000555555400991 <+131>: ret
End of assembler dump.
(gdb) ni
0x0000555555400969 in main ()
(gdb) ni
0x000055555540096b in main ()
(gdb) disassemble $rip
Dump of assembler code for function main:
0x000055555540090e <+0>: push rbp
0x000055555540090f <+1>: mov rbp,rsp
0x0000555555400912 <+4>: sub rsp,0x20
0x0000555555400916 <+8>: mov rax,QWORD PTR fs:0x28
0x000055555540091f <+17>: mov QWORD PTR [rbp-0x8],rax
0x0000555555400923 <+21>: xor eax,eax
0x0000555555400925 <+23>: mov QWORD PTR [rbp-0x18],0x0
0x000055555540092d <+31>: mov QWORD PTR [rbp-0x10],0x0
0x0000555555400935 <+39>: lea rdi,[rip+0xe8] # 0x555555400a24
0x000055555540093c <+46>: call 0x555555400710 <puts@plt>
0x0000555555400941 <+51>: lea rax,[rbp-0x18]
0x0000555555400945 <+55>: mov rdi,rax
0x0000555555400948 <+58>: mov eax,0x0
0x000055555540094d <+63>: call 0x555555400750 <gets@plt>
0x0000555555400952 <+68>: lea rax,[rbp-0x18]
0x0000555555400956 <+72>: mov rdi,rax
0x0000555555400959 <+75>: mov eax,0x0
0x000055555540095e <+80>: call 0x555555400740 <printf@plt>
0x0000555555400963 <+85>: movzx eax,BYTE PTR [rbp-0x10]
0x0000555555400967 <+89>: cmp al,0x61
0x0000555555400969 <+91>: jne 0x555555400977 <main+105>
=> 0x000055555540096b <+93>: lea rdi,[rip+0x20069e] # 0x555555601010 <sh>
0x0000555555400972 <+100>: call 0x5555554008ef <func>
0x0000555555400977 <+105>: mov eax,0x0
0x000055555540097c <+110>: mov rdx,QWORD PTR [rbp-0x8]
0x0000555555400980 <+114>: xor rdx,QWORD PTR fs:0x28
0x0000555555400989 <+123>: je 0x555555400990 <main+130>
0x000055555540098b <+125>: call 0x555555400720 <__stack_chk_fail@plt>
0x0000555555400990 <+130>: leave
0x0000555555400991 <+131>: ret
End of assembler dump.
(gdb) ni
0x0000555555400972 in main ()
(gdb) si
0x00005555554008ef in func ()
(gdb) disassemble $rip
Dump of assembler code for function func:
=> 0x00005555554008ef <+0>: push rbp
0x00005555554008f0 <+1>: mov rbp,rsp
0x00005555554008f3 <+4>: sub rsp,0x10
0x00005555554008f7 <+8>: mov QWORD PTR [rbp-0x8],rdi
0x00005555554008fb <+12>: mov rax,QWORD PTR [rbp-0x8]
0x00005555554008ff <+16>: mov rdi,rax
0x0000555555400902 <+19>: call 0x555555400730 <system@plt>
0x0000555555400907 <+24>: mov eax,0x0
0x000055555540090c <+29>: leave
0x000055555540090d <+30>: ret
End of assembler dump.
(gdb) c
Continuing.
$ whoami
hack
$ exit
aaaaa[Inferior 1 (process 50) exited normally]
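The widths in the side note are what gdb's x/b, x/h, x/w and x/g units mean, and the session above reads and patches memory at exactly those widths. The Python below is an added example (not from the notes): it rebuilds a byte map from the `x/20b $rbp-0x10` and `i r` lines copied from the session, reads back the byte at rbp-0x10 that `cmp al,0x61` inspects, the canary at rbp-0x8 (note its low byte is 0x00) and the saved rbp, and replays `set *0x7fffffffdbd0=0x61` as the 4-byte int store gdb performs when no cast is given. The function and class names (`Memory`, `frame_view`, `resolve`) are my own.

```python
"""Read gdb `x/Nb` dumps back at BYTE/WORD/DWORD/QWORD width and replay a `set *addr=` write.
Added example, not from the notes; the dump and register lines are copied from the session above."""
import re

# Byte width of gdb's unit letters x/b, x/h, x/w, x/g: BYTE, WORD, DWORD, QWORD
WIDTH = {"b": 1, "h": 2, "w": 4, "g": 8}

# Copied from `x/20b $rbp-0x10` above: a[8..15] (all zero), the canary at rbp-0x8, saved rbp at rbp
SAMPLE_DUMP = """
0x7fffffffdbd0: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fffffffdbd8: 0x00 0xcb 0x22 0xba 0x58 0x60 0xea 0x40
0x7fffffffdbe0: 0xa0 0x09 0x40 0x55
"""
# Copied from the `i r` output at the same breakpoint (main+85)
SAMPLE_REGS = """
rbp 0x7fffffffdbe0 0x7fffffffdbe0
rsp 0x7fffffffdbc0 0x7fffffffdbc0
rip 0x555555400963 0x555555400963 <main+85>
"""

DUMP_LINE = re.compile(r"^(0x[0-9a-f]+)\s*(?:<[^>]*>)?:\s*(.+)$")
REG_LINE = re.compile(r"^(\w+)\s+(0x[0-9a-f]+)\b")
EXPR = re.compile(r"^\$(\w+)(?:([+-])(0x[0-9a-f]+|\d+))?$")


def parse_registers(text: str) -> dict:
    """`i r` lines -> {name: value}; only the hex column matters."""
    regs = {}
    for line in text.strip().splitlines():
        m = REG_LINE.match(line.strip())
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs


def resolve(expr: str, regs: dict) -> int:
    """Evaluate a gdb-style address such as `$rbp-0x10` against the register map."""
    m = EXPR.match(expr.replace(" ", ""))
    if not m or m.group(1) not in regs:
        raise ValueError(f"cannot resolve {expr!r}")
    base = regs[m.group(1)]
    if m.group(2) is None:
        return base
    off = int(m.group(3), 0)
    return base + off if m.group(2) == "+" else base - off


class Memory:
    """Sparse byte map rebuilt from one or more `x/Nb` dumps."""

    def __init__(self, dump: str = ""):
        self.cells = {}
        if dump:
            self.load_dump(dump)

    def load_dump(self, text: str) -> None:
        for line in text.strip().splitlines():
            m = DUMP_LINE.match(line.strip())
            if not m:
                raise ValueError(f"not an x/b line: {line!r}")
            base = int(m.group(1), 16)
            for i, tok in enumerate(m.group(2).split()):
                self.cells[base + i] = int(tok, 16)

    def read(self, addr: int, size: str = "b") -> int:
        """Little-endian read of one b/h/w/g unit; fails loudly if a byte was never dumped."""
        try:
            raw = bytes(self.cells[addr + i] for i in range(WIDTH[size]))
        except KeyError as exc:
            raise ValueError(f"no dump covers {exc.args[0]:#x}") from None
        return int.from_bytes(raw, "little")

    def write(self, addr: int, value: int, size: str = "w") -> None:
        """gdb's `set *ADDR=VAL` with no cast stores an int: 4 bytes, little-endian."""
        for i, b in enumerate(value.to_bytes(WIDTH[size], "little")):
            self.cells[addr + i] = b


def frame_view(mem: Memory, regs: dict) -> dict:
    """The three things the session inspects around rbp: the compared byte, the canary, saved rbp."""
    canary = mem.read(resolve("$rbp-0x8", regs), "g")
    return {
        "compared_byte": mem.read(resolve("$rbp-0x10", regs), "b"),  # what `cmp al,0x61` sees
        "canary": canary,
        "canary_low_byte_zero": (canary & 0xFF) == 0,  # glibc keeps it 0 so str* functions stop there
        "saved_rbp_low32": mem.read(resolve("$rbp", regs), "w"),  # only 4 of its 8 bytes were dumped
    }


if __name__ == "__main__":
    regs = parse_registers(SAMPLE_REGS)
    mem = Memory(SAMPLE_DUMP)
    show = lambda d: {k: (hex(v) if type(v) is int else v) for k, v in d.items()}
    print("before:", show(frame_view(mem, regs)))
    mem.write(resolve("$rbp-0x10", regs), 0x61)  # replay `set *0x7fffffffdbd0=0x61`
    print("after: ", show(frame_view(mem, regs)))
```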
Compile as a 32-bit program and pwn it again
First install the multilib support packages
sudo apt-get install gcc-multilib g++-multilib module-assistant
Compile
gcc -m32
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_1$ ls
a question_1.c question_1.s question_1_x64
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_1$ gcc -m32 question_1.c
question_1.c: In function ‘main’:
question_1.c:22:2: warning: implicit declaration of function ‘gets’; did you mean ‘fgets’? [-Wimplicit-function-declaration]
gets(a);
^~~~
fgets
question_1.c:23:9: warning: format not a string literal and no format arguments [-Wformat-security]
printf(a);
^
/tmp/cc7EtBTh.o: In function `main':
question_1.c:(.text+0xea): warning: the `gets' function is dangerous and should not be used.
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_1$ ls
a a.out question_1.c question_1.s question_1_x64
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_1$ gdb ./a.out
Reading symbols from ./a.out...(no debugging symbols found)...done.
(gdb) start
Temporary breakpoint 1 at 0x738
Starting program: /mnt/e/qqdownload/pwn/chapter_1/test_1/a.out
Temporary breakpoint 1, 0x56555738 in main ()
(gdb) disassemble $eip
Dump of assembler code for function main:
0x56555729 <+0>: lea ecx,[esp+0x4]
0x5655572d <+4>: and esp,0xfffffff0
0x56555730 <+7>: push DWORD PTR [ecx-0x4]
0x56555733 <+10>: push ebp
0x56555734 <+11>: mov ebp,esp
0x56555736 <+13>: push ebx
0x56555737 <+14>: push ecx
=> 0x56555738 <+15>: sub esp,0x20
0x5655573b <+18>: call 0x565555a0 <__x86.get_pc_thunk.bx>
0x56555740 <+23>: add ebx,0x1878
0x56555746 <+29>: mov eax,gs:0x14
0x5655574c <+35>: mov DWORD PTR [ebp-0xc],eax
0x5655574f <+38>: xor eax,eax
0x56555751 <+40>: mov DWORD PTR [ebp-0x1c],0x0
0x56555758 <+47>: mov DWORD PTR [ebp-0x18],0x0
0x5655575f <+54>: mov DWORD PTR [ebp-0x14],0x0
0x56555766 <+61>: mov DWORD PTR [ebp-0x10],0x0
0x5655576d <+68>: sub esp,0xc
0x56555770 <+71>: lea eax,[ebx-0x1738]
0x56555776 <+77>: push eax
0x56555777 <+78>: call 0x56555510 <puts@plt>
0x5655577c <+83>: add esp,0x10
0x5655577f <+86>: sub esp,0xc
0x56555782 <+89>: lea eax,[ebp-0x1c]
0x56555785 <+92>: push eax
0x56555786 <+93>: call 0x565554f0 <gets@plt>
0x5655578b <+98>: add esp,0x10
0x5655578e <+101>: sub esp,0xc
0x56555791 <+104>: lea eax,[ebp-0x1c]
0x56555794 <+107>: push eax
0x56555795 <+108>: call 0x565554e0 <printf@plt>
0x5655579a <+113>: add esp,0x10
0x5655579d <+116>: movzx eax,BYTE PTR [ebp-0x14]
0x565557a1 <+120>: cmp al,0x61
0x565557a3 <+122>: jne 0x565557b7 <main+142>
0x565557a5 <+124>: sub esp,0xc
0x565557a8 <+127>: lea eax,[ebx+0x50]
0x565557ae <+133>: push eax
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) b *0x5655579d
Breakpoint 2 at 0x5655579d
(gdb) c
Continuing.
input:
aaaaaaa
Breakpoint 2, 0x5655579d in main ()
(gdb) x/20i $eip
=> 0x5655579d <main+116>: movzx eax,BYTE PTR [ebp-0x14]
0x565557a1 <main+120>: cmp al,0x61
0x565557a3 <main+122>: jne 0x565557b7 <main+142>
0x565557a5 <main+124>: sub esp,0xc
0x565557a8 <main+127>: lea eax,[ebx+0x50]
0x565557ae <main+133>: push eax
0x565557af <main+134>: call 0x565556fe <func>
0x565557b4 <main+139>: add esp,0x10
0x565557b7 <main+142>: mov eax,0x0
0x565557bc <main+147>: mov edx,DWORD PTR [ebp-0xc]
0x565557bf <main+150>: xor edx,DWORD PTR gs:0x14
0x565557c6 <main+157>: je 0x565557cd <main+164>
0x565557c8 <main+159>: call 0x56555850 <__stack_chk_fail_local>
0x565557cd <main+164>: lea esp,[ebp-0x8]
0x565557d0 <main+167>: pop ecx
0x565557d1 <main+168>: pop ebx
0x565557d2 <main+169>: pop ebp
0x565557d3 <main+170>: lea esp,[ecx-0x4]
0x565557d6 <main+173>: ret
0x565557d7 <__x86.get_pc_thunk.ax>: mov eax,DWORD PTR [esp]
(gdb) x/20b $ebp-0x14
0xffffcd04: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xffffcd0c: 0x00 0xb0 0xb5 0xbd 0x30 0xcd 0xff 0xff
0xffffcd14: 0x00 0x00 0x00 0x00
(gdb) p $ebp-0x14
$1 = (void *) 0xffffcd04
(gdb) set *0xffffcd04=0x61
(gdb) ni
0x565557a1 in main ()
(gdb) ni
0x565557a3 in main ()
(gdb) x/20i $eip
=> 0x565557a3 <main+122>: jne 0x565557b7 <main+142>
0x565557a5 <main+124>: sub esp,0xc
0x565557a8 <main+127>: lea eax,[ebx+0x50]
0x565557ae <main+133>: push eax
0x565557af <main+134>: call 0x565556fe <func>
0x565557b4 <main+139>: add esp,0x10
0x565557b7 <main+142>: mov eax,0x0
0x565557bc <main+147>: mov edx,DWORD PTR [ebp-0xc]
0x565557bf <main+150>: xor edx,DWORD PTR gs:0x14
0x565557c6 <main+157>: je 0x565557cd <main+164>
0x565557c8 <main+159>: call 0x56555850 <__stack_chk_fail_local>
0x565557cd <main+164>: lea esp,[ebp-0x8]
0x565557d0 <main+167>: pop ecx
0x565557d1 <main+168>: pop ebx
0x565557d2 <main+169>: pop ebp
0x565557d3 <main+170>: lea esp,[ecx-0x4]
0x565557d6 <main+173>: ret
0x565557d7 <__x86.get_pc_thunk.ax>: mov eax,DWORD PTR [esp]
0x565557da <__x86.get_pc_thunk.ax+3>: ret
0x565557db <__x86.get_pc_thunk.ax+4>: xchg ax,ax
(gdb) c
Continuing.
$ whoami
hack
Homework
gcc -m32 question_1.c -fno-omit-frame-pointer -o question_1_x86_esp
gcc question_1.c -fno-omit-frame-pointer -o question_1_x64_esp
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_1$ gcc -m32 question_1.c -fno-omit-frame-pointer -o question_1_x86_esp
question_1.c: In function ‘main’:
question_1.c:22:2: warning: implicit declaration of function ‘gets’; did you mean ‘fgets’? [-Wimplicit-function-declaration]
gets(a);
^~~~
fgets
question_1.c:23:9: warning: format not a string literal and no format arguments [-Wformat-security]
printf(a);
^
/tmp/ccfZI7oo.o: In function `main':
question_1.c:(.text+0xea): warning: the `gets' function is dangerous and should not be used.
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_1$ ls
a a.out question_1.c question_1.s question_1_x64 question_1_x86_esp
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_1$ gdb ./question_1_x86_esp
GNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./question_1_x86_esp...(no debugging symbols found)...done.
(gdb) start
Temporary breakpoint 1 at 0x738
Starting program: /mnt/e/qqdownload/pwn/chapter_1/test_1/question_1_x86_esp
Temporary breakpoint 1, 0x56555738 in main ()
(gdb) disassemble $eip
Dump of assembler code for function main:
0x56555729 <+0>: lea ecx,[esp+0x4]
0x5655572d <+4>: and esp,0xfffffff0
0x56555730 <+7>: push DWORD PTR [ecx-0x4]
0x56555733 <+10>: push ebp
0x56555734 <+11>: mov ebp,esp
0x56555736 <+13>: push ebx
0x56555737 <+14>: push ecx
=> 0x56555738 <+15>: sub esp,0x20
0x5655573b <+18>: call 0x565555a0 <__x86.get_pc_thunk.bx>
0x56555740 <+23>: add ebx,0x1878
0x56555746 <+29>: mov eax,gs:0x14
0x5655574c <+35>: mov DWORD PTR [ebp-0xc],eax
0x5655574f <+38>: xor eax,eax
0x56555751 <+40>: mov DWORD PTR [ebp-0x1c],0x0
0x56555758 <+47>: mov DWORD PTR [ebp-0x18],0x0
0x5655575f <+54>: mov DWORD PTR [ebp-0x14],0x0
0x56555766 <+61>: mov DWORD PTR [ebp-0x10],0x0
0x5655576d <+68>: sub esp,0xc
0x56555770 <+71>: lea eax,[ebx-0x1738]
0x56555776 <+77>: push eax
0x56555777 <+78>: call 0x56555510 <puts@plt>
0x5655577c <+83>: add esp,0x10
0x5655577f <+86>: sub esp,0xc
0x56555782 <+89>: lea eax,[ebp-0x1c]
0x56555785 <+92>: push eax
0x56555786 <+93>: call 0x565554f0 <gets@plt>
0x5655578b <+98>: add esp,0x10
0x5655578e <+101>: sub esp,0xc
0x56555791 <+104>: lea eax,[ebp-0x1c]
0x56555794 <+107>: push eax
0x56555795 <+108>: call 0x565554e0 <printf@plt>
0x5655579a <+113>: add esp,0x10
0x5655579d <+116>: movzx eax,BYTE PTR [ebp-0x14]
0x565557a1 <+120>: cmp al,0x61
0x565557a3 <+122>: jne 0x565557b7 <main+142>
0x565557a5 <+124>: sub esp,0xc
0x565557a8 <+127>: lea eax,[ebx+0x50]
0x565557ae <+133>: push eax
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) b *0x5655579d
Breakpoint 2 at 0x5655579d
(gdb) c
Continuing.
input:
aaaaa
Breakpoint 2, 0x5655579d in main ()
(gdb) x/20i $eip
=> 0x5655579d <main+116>: movzx eax,BYTE PTR [ebp-0x14]
0x565557a1 <main+120>: cmp al,0x61
0x565557a3 <main+122>: jne 0x565557b7 <main+142>
0x565557a5 <main+124>: sub esp,0xc
0x565557a8 <main+127>: lea eax,[ebx+0x50]
0x565557ae <main+133>: push eax
0x565557af <main+134>: call 0x565556fe <func>
0x565557b4 <main+139>: add esp,0x10
0x565557b7 <main+142>: mov eax,0x0
0x565557bc <main+147>: mov edx,DWORD PTR [ebp-0xc]
0x565557bf <main+150>: xor edx,DWORD PTR gs:0x14
0x565557c6 <main+157>: je 0x565557cd <main+164>
0x565557c8 <main+159>: call 0x56555850 <__stack_chk_fail_local>
0x565557cd <main+164>: lea esp,[ebp-0x8]
0x565557d0 <main+167>: pop ecx
0x565557d1 <main+168>: pop ebx
0x565557d2 <main+169>: pop ebp
0x565557d3 <main+170>: lea esp,[ecx-0x4]
0x565557d6 <main+173>: ret
0x565557d7 <__x86.get_pc_thunk.ax>: mov eax,DWORD PTR [esp]
(gdb) x/20b $ebp-0x14
0xffffccf4: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xffffccfc: 0x00 0x2a 0x9f 0xbf 0x20 0xcd 0xff 0xff
0xffffcd04: 0x00 0x00 0x00 0x00
(gdb) set *0xffffccf4=0x61
(gdb) c
Continuing.
$ whoami
hack
$ exit
aaaaa[Inferior 1 (process 126) exited normally]
(gdb) q
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_1$ gcc question_1.c -fno-omit-frame-pointer -o question_1_x64_esp
question_1.c: In function ‘main’:
question_1.c:22:2: warning: implicit declaration of function ‘gets’; did you mean ‘fgets’? [-Wimplicit-function-declaration]
gets(a);
^~~~
fgets
question_1.c:23:9: warning: format not a string literal and no format arguments [-Wformat-security]
printf(a);
^
/tmp/cc5FEGz8.o: In function `main':
question_1.c:(.text+0xc4): warning: the `gets' function is dangerous and should not be used.
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_1$ ls
a a.out question_1.c question_1.s question_1_x64 question_1_x64_esp question_1_x86_esp
hack@QC-20210627LTVJ:/mnt/e/qqdownload/pwn/chapter_1/test_1$ gdb ./question_1_x64_esp
GNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./question_1_x64_esp...(no debugging symbols found)...done.
(gdb) start
Temporary breakpoint 1 at 0x912
Starting program: /mnt/e/qqdownload/pwn/chapter_1/test_1/question_1_x64_esp
Temporary breakpoint 1, 0x0000555555400912 in main ()
(gdb) disassemble $rip
Dump of assembler code for function main:
0x000055555540090e <+0>: push rbp
0x000055555540090f <+1>: mov rbp,rsp
=> 0x0000555555400912 <+4>: sub rsp,0x20
0x0000555555400916 <+8>: mov rax,QWORD PTR fs:0x28
0x000055555540091f <+17>: mov QWORD PTR [rbp-0x8],rax
0x0000555555400923 <+21>: xor eax,eax
0x0000555555400925 <+23>: mov QWORD PTR [rbp-0x18],0x0
0x000055555540092d <+31>: mov QWORD PTR [rbp-0x10],0x0
0x0000555555400935 <+39>: lea rdi,[rip+0xe8] # 0x555555400a24
0x000055555540093c <+46>: call 0x555555400710 <puts@plt>
0x0000555555400941 <+51>: lea rax,[rbp-0x18]
0x0000555555400945 <+55>: mov rdi,rax
0x0000555555400948 <+58>: mov eax,0x0
0x000055555540094d <+63>: call 0x555555400750 <gets@plt>
0x0000555555400952 <+68>: lea rax,[rbp-0x18]
0x0000555555400956 <+72>: mov rdi,rax
0x0000555555400959 <+75>: mov eax,0x0
0x000055555540095e <+80>: call 0x555555400740 <printf@plt>
0x0000555555400963 <+85>: movzx eax,BYTE PTR [rbp-0x10]
0x0000555555400967 <+89>: cmp al,0x61
0x0000555555400969 <+91>: jne 0x555555400977 <main+105>
0x000055555540096b <+93>: lea rdi,[rip+0x20069e] # 0x555555601010 <sh>
0x0000555555400972 <+100>: call 0x5555554008ef <func>
0x0000555555400977 <+105>: mov eax,0x0
0x000055555540097c <+110>: mov rdx,QWORD PTR [rbp-0x8]
0x0000555555400980 <+114>: xor rdx,QWORD PTR fs:0x28
0x0000555555400989 <+123>: je 0x555555400990 <main+130>
0x000055555540098b <+125>: call 0x555555400720 <__stack_chk_fail@plt>
0x0000555555400990 <+130>: leave
0x0000555555400991 <+131>: ret
End of assembler dump.
(gdb) b *0x0000555555400963
Breakpoint 2 at 0x555555400963
(gdb) c
Continuing.
input:
aaaaa
Breakpoint 2, 0x0000555555400963 in main ()
(gdb) x/20b $rbp-0x10
0x7fffffffdbb0: 0 0 0 0 0 0 0 0
0x7fffffffdbb8: 0 -63 -87 121 26 14 97 -2
0x7fffffffdbc0: -96 9 64 85
(gdb) x/20x $rbp-0x10
0x7fffffffdbb0: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fffffffdbb8: 0x00 0xc1 0xa9 0x79 0x1a 0x0e 0x61 0xfe
0x7fffffffdbc0: 0xa0 0x09 0x40 0x55
(gdb) set *0x7fffffffdbb0=0x61
(gdb) c
Continuing.
$ whoami
hack
$ exit
aaaaa[Inferior 1 (process 142) exited normally]
(gdb) q