OrbStack虚拟机
主要是耗能低，在 Intel Mac 上使用基本上不发烫
ubuntu 20.04 国内更新源
bash
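# Edit the apt source list as root. `sudoedit` opens a temporary copy with your
# own $EDITOR as the unprivileged user and writes it back on save, so no (GUI)
# editor process runs as root; gedit additionally needs a desktop session,
# which a headless VM may not have.
sudoedit /etc/apt/sources.list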
# Ubuntu 20.04 (focal) mirror sets. The three groups below (aliyun / 163 / ustc)
# are ALTERNATIVES: keep one and comment out the other two — with all three
# active, every `apt update` downloads the index files from each mirror.
# The suite names must match the installed release (compare `lsb_release -cs`).
# focal-proposed is the pre-release testing pocket; leave it out unless you
# deliberately want not-yet-released updates. deb-src lines are only needed
# for `apt source` / `apt build-dep`.
# NOTE(review): the aliyun and 163 sets are plain http. apt still verifies the
# signed Release files, so integrity holds, but what you download is visible
# on the path; the ustc set is the one listed over https here.
# --- mirror set 1: aliyun ---
deb http://mirrors.aliyun.com/ubuntu/ focal main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-security main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-updates main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-proposed main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-security main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-updates main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-proposed main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-backports main restricted universe multiverse
# --- mirror set 2: 163 ---
deb http://mirrors.163.com/ubuntu/ focal main restricted universe multiverse
deb http://mirrors.163.com/ubuntu/ focal-security main restricted universe multiverse
deb http://mirrors.163.com/ubuntu/ focal-updates main restricted universe multiverse
deb http://mirrors.163.com/ubuntu/ focal-proposed main restricted universe multiverse
deb http://mirrors.163.com/ubuntu/ focal-backports main restricted universe multiverse
deb-src http://mirrors.163.com/ubuntu/ focal main restricted universe multiverse
deb-src http://mirrors.163.com/ubuntu/ focal-security main restricted universe multiverse
deb-src http://mirrors.163.com/ubuntu/ focal-updates main restricted universe multiverse
deb-src http://mirrors.163.com/ubuntu/ focal-proposed main restricted universe multiverse
deb-src http://mirrors.163.com/ubuntu/ focal-backports main restricted universe multiverse
# --- mirror set 3: ustc (https) ---
deb https://mirrors.ustc.edu.cn/ubuntu/ focal main restricted universe multiverse
deb https://mirrors.ustc.edu.cn/ubuntu/ focal-updates main restricted universe multiverse
deb https://mirrors.ustc.edu.cn/ubuntu/ focal-backports main restricted universe multiverse
deb https://mirrors.ustc.edu.cn/ubuntu/ focal-security main restricted universe multiverse
deb https://mirrors.ustc.edu.cn/ubuntu/ focal-proposed main restricted universe multiverse
deb-src https://mirrors.ustc.edu.cn/ubuntu/ focal main restricted universe multiverse
deb-src https://mirrors.ustc.edu.cn/ubuntu/ focal-updates main restricted universe multiverse
deb-src https://mirrors.ustc.edu.cn/ubuntu/ focal-backports main restricted universe multiverse
deb-src https://mirrors.ustc.edu.cn/ubuntu/ focal-security main restricted universe multiverse
deb-src https://mirrors.ustc.edu.cn/ubuntu/ focal-proposed main restricted universe multiverse
部分Ubuntu系统代号
bash
# Print distributor, release number and codename of the running Ubuntu.
# The codename (e.g. focal) is the suite name sources.list entries must use.
lsb_release -a
Ubuntu 16.04 代号为: xenial
Ubuntu 17.04 代号为: zesty
Ubuntu 18.04 代号为: bionic
Ubuntu 19.04 代号为: disco
Ubuntu 20.04 代号为: focal
Ubuntu 22.04 代号为: jammy
Ubuntu 22.10 代号为: kinetic
设置代理
bash
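# HTTP(S) proxy for command-line tools (curl, pip, git, ...). Override PROXY_URL
# to point at a different proxy; the default is the LAN address used on this
# machine. Both lower- and upper-case spellings are exported because tools
# differ in which one they read. Loopback is excluded so local services are
# not routed through the proxy.
# NOTE(review): `sudo` resets the environment by default, so `sudo apt-get ...`
# will not see these unless sudoers keeps them (env_keep) or `sudo -E` is used.
PROXY_URL=${PROXY_URL:-http://192.168.0.102:7890}
export http_proxy="$PROXY_URL" https_proxy="$PROXY_URL"
export HTTP_PROXY="$PROXY_URL" HTTPS_PROXY="$PROXY_URL"
export no_proxy="localhost,127.0.0.1" NO_PROXY="localhost,127.0.0.1"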
库安装
bash
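# Refresh the package index first; a sources.list change is not picked up
# until this runs, and the install below would otherwise use stale indexes.
sudo apt-get update
# Build toolchain, pyenv build dependencies, debugging and emulation tooling
# (the duplicate `vim` from the original list is dropped).
# NOTE(review): "binfmt*" is not a package name. When nothing matches it
# literally, apt-get falls back to treating it as a POSIX regex over all
# package names, and `-y` confirms whatever that matches without review.
# Name the package explicitly (e.g. binfmt-support) if that is all you need.
sudo apt-get install -y \
  build-essential libssl-dev zlib1g-dev libbz2-dev libreadline-dev libsqlite3-dev \
  wget curl llvm libncurses5-dev libncursesw5-dev xz-utils tk-dev libffi-dev \
  liblzma-dev git vim libedit-dev openssh-server gdb gdb-multiarch "binfmt*" \
  qemu-user qemu-utils qemu-system libseccomp-dev libseccomp2 seccomp tmux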
安装pyenv
bash
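# Install pyenv. Download the installer to a file first so it can be read
# before it is executed; `curl ... | bash` runs whatever the server returns
# with no chance to inspect it, and a partial download is executed as-is.
curl -fsSL -o pyenv-installer.sh https://pyenv.run
less pyenv-installer.sh   # review, then run:
bash pyenv-installer.sh
rm -f -- pyenv-installer.sh
# Then set the environment variables exactly as the installer's final output
# instructs.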
pip切换源
bash
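# Create the legacy per-user pip config directory before editing — vim cannot
# save into a directory that does not exist yet. Newer pip also reads
# ~/.config/pip/pip.conf, and `pip config set global.index-url <url>` writes
# the same setting without opening an editor.
mkdir -p ~/.pip && vim ~/.pip/pip.conf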
# Per-user pip configuration: fetch the package index and files from the TUNA
# mirror over https.
# NOTE(review): a mirror serves both the index and the files, so this is a
# trust decision about the mirror operator — TLS protects the transport only.
[global]
index-url = https://pypi.tuna.tsinghua.edu.cn/simple
安装pwntools
bash
# Install pwntools into the currently active Python (the pyenv interpreter if
# one is selected). No sudo: nothing lands in the system site-packages.
pip install pwntools
安装gdb插件pwndbg
bash
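# GDB plugin. A bare clone tracks the moving default branch; check out a
# release tag if the setup should be reproducible. The cd is guarded so
# setup.sh never runs in the wrong directory when the clone fails.
git clone https://github.com/pwndbg/pwndbg.git
cd pwndbg/ || exit 1
# Review before running: the setup script is expected to install system
# packages via sudo.
./setup.sh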
安装pwncli
bash
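# pwncli, installed in editable (development) mode from the checkout. The cd
# is guarded so the pip step never runs against an unrelated directory.
git clone https://github.com/RoderickChan/pwncli.git
cd pwncli || exit 1
# NOTE(review): this runs pip as root, installing into the system
# site-packages and leaving an editable link that points back into this
# user-owned checkout. `pip3 install --user --editable .` (or installing into
# the pyenv interpreter) avoids that unless a system-wide install is intended.
sudo pip3 install --editable .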
安装LibcSearcher
bash
# Installs into the active python3's site-packages (no sudo).
python3 -m pip install LibcSearcher
one_gadget下载安装
bash
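# one_gadget is a Ruby gem. The `ruby` package already provides the `gem`
# command; the apt package literally named `gem` is an unrelated Pure Data
# graphics library, so that install line is dropped.
sudo apt -y install ruby
# NOTE(review): `sudo gem install` runs the gem's install hooks as root and
# installs system-wide; `gem install --user-install one_gadget` keeps it in
# the user's gem directory instead.
sudo gem install one_gadget
# Usage
one_gadget libc-2.23.so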
安装main_arena_offset
bash
# Clone only; no install step is given here — see the repository for usage.
# Pin a reviewed commit if the setup should be reproducible.
git clone https://github.com/bash-c/main_arena_offset
安装seccomp-tools
bash
# Used to read seccomp sandbox rules (Ruby gem; needs a compiler and headers).
sudo apt install gcc ruby-dev
# NOTE(review): `sudo gem install` runs the gem's install hooks as root;
# `gem install --user-install seccomp-tools` is the non-root alternative.
sudo gem install seccomp-tools
# Fallback if the distro Ruby is reported as too old. This adds a third-party
# PPA (brightbox/ruby-ng) — i.e. trusts that publisher's signing key for all
# future package updates — and purges the distro Ruby first.
sudo add-apt-repository ppa:brightbox/ruby-ng
sudo apt-get update
sudo apt-get purge --auto-remove ruby
sudo apt-get install ruby2.6 ruby2.6-dev
# NOTE(review): run without sudo here, unlike the first install above. Whether
# it lands in a user gem directory or fails on permissions depends on the
# RubyGems configuration — pick one mode and use it consistently.
gem install seccomp-tools
安装ROPgadget
bash
# ROPgadget via pip.
sudo apt install python3-pip
# NOTE(review): `sudo -H ... pip install` installs into the system
# site-packages as root. Inside the pyenv interpreter a plain
# `python3 -m pip install ROPgadget` is enough and leaves apt-managed Python
# untouched.
sudo -H python3 -m pip install ROPgadget
# Sanity check that the entry point is on PATH.
ROPgadget --help
roputils
bash
# Clone only; used directly from the checkout, no install step given here.
git clone https://github.com/inaz2/roputils.git
ae64
bash
# Clone only; used directly from the checkout, no install step given here.
git clone https://github.com/veritas501/ae64.git
alpha3
bash
# Clone only; used directly from the checkout, no install step given here.
git clone https://github.com/TaQini/alpha3.git
查看当前环境glibc版本
bash
# 1) via ldd — prints the glibc version banner
ldd --version
# 2) via getconf — a system configuration value (not an environment variable)
getconf GNU_LIBC_VERSION
# 3) via code — compile and run the C program below
#include <stdio.h>
#include <gnu/libc-version.h>

/* Print the version string of the glibc this program is linked against. */
int main(void)
{
    const char *version = gnu_get_libc_version();
    printf("%s\n", version);
    return 0;
}
查看系统默认libc版本
bash
# glibc's libc.so.6 is itself executable: running it prints the version banner.
# The path is the x86_64 multiarch directory; other architectures differ.
/lib/x86_64-linux-gnu/libc.so.6
二进制文件依赖的glibc版本
bash
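# Do NOT run ldd on a binary you do not trust: ldd hands the file to the
# dynamic loader and, with a non-default ELF interpreter (exactly what the
# patchelf --set-interpreter step further down produces), some loaders end up
# executing the program (see ldd(1)). Read the required GLIBC_* symbol
# versions statically from the dynamic symbol table instead:
objdump -T ./checkGlibc | grep -o 'GLIBC_[0-9][0-9.]*' | sort -uV
# Only on a binary you trust, the original dynamic check:
# ldd -r -v ./checkGlibc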
切换glibc
bash
# Install glibc-all-in-one. This is a gitee clone of what appears to be the
# GitHub project matrix1001/glibc-all-in-one; compare its scripts with
# upstream before running them.
git clone https://gitee.com/wangzc1990/glibc-all-in-one.git
# Install patchelf
sudo apt install patchelf
# Switch. "你要换的libc的硬路径" / "ld的硬路径" are placeholders for the ABSOLUTE
# paths of the replacement libc and its loader; both must come from the same
# glibc build or ./pwn will not start. patchelf rewrites ./pwn in place —
# work on a copy if the original must stay untouched.
patchelf --replace-needed libc.so.6 你要换的libc的硬路径 ./pwn
patchelf --set-interpreter ld的硬路径 ./pwn
# Alternative to patchelf: launch ./pwn through the chosen loader directly and
# inject the matching libc via LD_PRELOAD (pwntools' process()). Loader and
# libc must come from the same glibc build — here both 2.27.
p = process(argv=["ld-2.27.so", "./pwn"], env={"LD_PRELOAD": "./libc-2.27.so"})
Glibc 调试符号加载
先分别得到 libc 和 ld 的 Build ID（以 glibc 2.35 为例）
bash
# Dump the ELF notes and keep only the NT_GNU_BUILD_ID line, for libc and ld.
readelf -n libc.so.6 | grep 'Build ID:'
readelf -n ld-linux-x86-64.so.2 | grep 'Build ID:'
分别得到:
bash
Build ID: 89c3cb85f9e55046776471fed05ec441581d1969
Build ID: aa1b0b998999c397062e1016f0c95dc0e8820117
因为 GDB 会从
/usr/lib/debug/.build-id/89/c3cb85f9e55046776471fed05ec441581d1969.debug 和
/usr/lib/debug/.build-id/aa/1b0b998999c397062e1016f0c95dc0e8820117.debug
文件中读取调试信息。(注意 .build-id 是隐藏文件夹,需要取消隐藏才可以看到)
所以把 /glibc-all-in-one/libs/2.35-0ubuntu3_amd64/.debug/.build-id/ 下对应 Build ID 的文件（保持上述两级目录结构）复制到 /usr/lib/debug/.build-id/ 即可
参考
https://blog.csdn.net/weixin_51867085/article/details/128712449