This shows you the differences between two versions of the page.
session:04-gdb [2014/06/30 18:05] rcaragea created |
session:04-gdb [2020/07/19 12:49] (current) |
Line 1: | Line 1: | ||
- | !!!! | + | ====== Refresher. Taming GDB ====== |
+ | |||
+ | Although it is a powerful tool, gdb is pretty cumbersome to use by itself. Even simple tasks such as execution tracing are made difficult by the lack of " | ||
+ | To overcome this, we're going to use a wrapper over gdb that greatly enhances its default functionality. This tool is called " | ||
+ | Even though there are lots of goodies included in it we're going to go only over what we need right now. | ||
+ | |||
+ | ====== Installation ====== | ||
+ | |||
+ | You can download peda using: | ||
+ | <code bash> | ||
+ | git clone https:// | ||
+ | </ | ||
+ | To set it up add the following to your **~/ | ||
+ | |||
+ | <file bash .gdbinit> | ||
+ | # Source all settings from the peda dir | ||
+ | source ~/ | ||
+ | |||
+ | # These are other settings I have found useful | ||
+ | |||
+ | # When inspecting large portions of code the scrollbar works better than ' | ||
+ | set pagination off | ||
+ | |||
+ | |||
+ | # Keep a history of all the commands typed. Search is possible using ctrl-r | ||
+ | set history save on | ||
+ | set history filename ~/ | ||
+ | set history size 32768 | ||
+ | set history expansion on | ||
+ | |||
+ | # By default peda clears the screen after most commands, displaying a single | ||
+ | # context frame at a time and allowing you to access the previous/ | ||
+ | # using Shift+PageUp/ | ||
+ | # terminal, leaving you unable to access any older information. If that is the | ||
+ | # case, uncomment the following line: | ||
+ | # | ||
+ | #pset opt clearscr off | ||
+ | </ | ||
+ | ====== Basic stuff ====== | ||
+ | The most common actions done in gdb are: setting breakpoints, | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | <note info> | ||
+ | |||
+ | In order to provide command line arguments to a program run under gdb we can use (assume the name of the program is '' | ||
+ | <code bash> | ||
+ | gdb test | ||
+ | ... # GDB banner is skipped | ||
+ | gdb-peda$ run arg0 arg1 arg2 | ||
+ | </ | ||
+ | |||
+ | In order to redirect both '' | ||
+ | <code bash> | ||
+ | gdb test | ||
+ | ... # GDB banner is skipped | ||
+ | gdb-peda$ run < inputfile > outputfile | ||
+ | </ | ||
+ | |||
+ | Obviously, one could combine the two examples into one, meaning that command line arguments, standard input and standard output are all controlled from inside GDB. This is great for debugging your exploits in an automated way. | ||
+ | <code bash> | ||
+ | gdb test | ||
+ | ... # GDB banner is skipped | ||
+ | gdb-peda$ run arg0 arg1 arg2 < inputfile > outputfile | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | ===== Practice the basic stuff ===== | ||
+ | Let's find out how to do these on a previous crackme from session 01.Remember that the point was that it implemented a custom '' | ||
+ | |||
+ | First we start it and investigate what happens in '' | ||
+ | <code bash> | ||
+ | $ gdb ./ | ||
+ | gdb-peda$ pdis main | ||
+ | Dump of assembler code for function main: | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | End of assembler dump. | ||
+ | </ | ||
+ | |||
+ | The interesting function is '' | ||
+ | <code bash> | ||
+ | gdb-peda$ break *my_strcmp | ||
+ | Breakpoint 1 at 0x80484fc | ||
+ | gdb-peda$ run | ||
+ | Password: | ||
+ | bla bla bla | ||
+ | [----------------------------------registers-----------------------------------] | ||
+ | EAX: 0xffffc9e8 ("bla bla bla" | ||
+ | EBX: 0xf7f94e54 --> 0x1a6d5c | ||
+ | ECX: 0x28 (' | ||
+ | EDX: 0xc (' | ||
+ | ESI: 0x0 | ||
+ | EDI: 0x0 | ||
+ | EBP: 0xffffcdd8 --> 0x0 | ||
+ | ESP: 0xffffc9cc --> 0x8048620 (< | ||
+ | EIP: 0x80484fc (< | ||
+ | EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow) | ||
+ | [-------------------------------------code-------------------------------------] | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | => 0x80484fc < | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | [------------------------------------stack-------------------------------------] | ||
+ | 0000| 0xffffc9cc --> 0x8048620 (< | ||
+ | 0004| 0xffffc9d0 --> 0xffffc9e8 ("bla bla bla" | ||
+ | 0008| 0xffffc9d4 --> 0x804a02c (" | ||
+ | 0012| 0xffffc9d8 --> 0xf7f95a80 --> 0xfbad2288 | ||
+ | 0016| 0xffffc9dc --> 0x4 | ||
+ | 0020| 0xffffc9e0 --> 0x4 | ||
+ | 0024| 0xffffc9e4 --> 0x7 | ||
+ | 0028| 0xffffc9e8 ("bla bla bla" | ||
+ | 0032| 0xffffc9ec ("bla bla" | ||
+ | 0036| 0xffffc9f0 --> 0x616c62 (' | ||
+ | 0040| 0xffffc9f4 --> 0x0 | ||
+ | 0044| 0xffffc9f8 --> 0x40 (' | ||
+ | 0048| 0xffffc9fc --> 0x4 | ||
+ | 0052| 0xffffca00 --> 0x4 | ||
+ | 0056| 0xffffca04 --> 0x6474e550 | ||
+ | 0060| 0xffffca08 --> 0x170960 | ||
+ | |||
+ | [------------------------------------------------------------------------------] | ||
+ | Legend: code, data, rodata, value | ||
+ | |||
+ | Breakpoint 1, 0x080484fc in my_strcmp () | ||
+ | </ | ||
+ | If you remember from the last session, the parameters passed to a function are on the stack. Because we have just arrived at this function using a '' | ||
+ | |||
+ | Note that peda automatically // | ||
+ | |||
+ | Returning into main we see that there is something similar to an '' | ||
+ | <code asm> | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | </ | ||
+ | If my_strcmp returns 0 then the Zero Flag is set and '' | ||
+ | <code bash> | ||
+ | gdb-peda$ x/s 0x80486ea | ||
+ | 0x80486ea: | ||
+ | gdb-peda$ x/s 0x80486f3 | ||
+ | 0x80486f3: | ||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ====== Dynamic analysis shortcuts ====== | ||
+ | In peda you have quick access to information that you would otherwise have to obtain using other tools as presented before: | ||
+ | <code bash> | ||
+ | gdb-peda$ vmmap | ||
+ | Start End Perm Name | ||
+ | 0x08048000 0x08049000 r-xp / | ||
+ | 0x08049000 0x0804a000 r--p / | ||
+ | 0x0804a000 0x0804b000 rw-p / | ||
+ | 0xf7ded000 0xf7dee000 rw-p mapped | ||
+ | 0xf7dee000 0xf7f93000 r-xp / | ||
+ | 0xf7f93000 0xf7f95000 r--p / | ||
+ | 0xf7f95000 0xf7f96000 rw-p / | ||
+ | 0xf7f96000 0xf7f99000 rw-p mapped | ||
+ | 0xf7fda000 0xf7fdb000 rw-p mapped | ||
+ | 0xf7fdb000 0xf7fdc000 r-xp [vdso] | ||
+ | 0xf7fdc000 0xf7ffc000 r-xp / | ||
+ | 0xf7ffc000 0xf7ffd000 r--p / | ||
+ | 0xf7ffd000 0xf7ffe000 rw-p / | ||
+ | 0xfffdd000 0xffffe000 rw-p [stack] | ||
+ | gdb-peda$ elfheader | ||
+ | .interp = 0x8048174 | ||
+ | .note.ABI-tag = 0x8048188 | ||
+ | .hash = 0x80481a8 | ||
+ | .gnu.hash = 0x80481e0 | ||
+ | .dynsym = 0x8048204 | ||
+ | .dynstr = 0x8048294 | ||
+ | .gnu.version = 0x80482f6 | ||
+ | .gnu.version_r = 0x8048308 | ||
+ | .rel.dyn = 0x8048328 | ||
+ | .rel.plt = 0x8048338 | ||
+ | .init = 0x8048368 | ||
+ | .plt = 0x8048390 | ||
+ | .text = 0x8048400 | ||
+ | .fini = 0x80486c4 | ||
+ | .rodata = 0x80486d8 | ||
+ | .eh_frame_hdr = 0x80486fc | ||
+ | .eh_frame = 0x8048738 | ||
+ | .init_array = 0x8049f00 | ||
+ | .fini_array = 0x8049f04 | ||
+ | .jcr = 0x8049f08 | ||
+ | .dynamic = 0x8049f0c | ||
+ | .got = 0x8049ffc | ||
+ | .got.plt = 0x804a000 | ||
+ | .data = 0x804a024 | ||
+ | .bss = 0x804a044 | ||
+ | gdb-peda$ elfsymbol | ||
+ | Found 6 symbols | ||
+ | fgets@plt = 0x80483a0 | ||
+ | puts@plt = 0x80483b0 | ||
+ | __gmon_start__@plt = 0x80483c0 | ||
+ | exit@plt = 0x80483d0 | ||
+ | strlen@plt = 0x80483e0 | ||
+ | __libc_start_main@plt = 0x80483f0 | ||
+ | </ | ||
+ | |||
+ | You can also search for strings in the mapped regions: | ||
+ | <code bash> | ||
+ | gdb-peda$ find " | ||
+ | Searching for ' | ||
+ | Found 2 results, display max 2 items: | ||
+ | crackme3 : 0x80486ea (" | ||
+ | crackme3 : 0x80496ea (" | ||
+ | |||
+ | gdb-peda$ find "/ | ||
+ | Searching for '/ | ||
+ | Found 1 results, display max 1 items: | ||
+ | libc : 0xf7f53be6 ("/ | ||
+ | |||
+ | </ | ||
+ | |||
+ | ====== Tasks ====== | ||
+ | * Download level01 from Smash the stack and solve it using peda. Break on '' | ||
+ | < | ||
+ | $ scp level1@io.netgarage.org:/ | ||
+ | </ |