Linux Interactive Exploit Development With GDB and PEDA Slides

This document provides an overview of using PEDA (Python Exploit Development Assistance) for Linux exploit development with GDB. It discusses setting up a virtual machine, installing required packages, downloading and configuring PEDA. The document then covers key steps in the exploit development process and demonstrates many useful PEDA commands for tasks like preparing input buffers, examining program context, searching memory, and generating shellcode. It also discusses extending PEDA by writing custom commands or scripts.

Uploaded by

vandilodonu
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
679 views42 pages

Linux Interactive Exploit Development With GDB and PEDA Slides

This document provides an overview of using PEDA (Python Exploit Development Assistance) for Linux exploit development with GDB. It discusses setting up a virtual machine, installing required packages, downloading and configuring PEDA. The document then covers key steps in the exploit development process and demonstrates many useful PEDA commands for tasks like preparing input buffers, examining program context, searching memory, and generating shellcode. It also discusses extending PEDA by writing custom commands or scripts.

Uploaded by

vandilodonu
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 42

Linux Interactive Exploit Development with GDB and PEDA

Long Le
[email protected]

Workshop Setup (1)

Virtual machine
  VMWare / VirtualBox
  Ubuntu 10.04 Live CD ISO
  Internet connection (NAT/Bridge)

Install Ubuntu packages

Required packages
$ sudo apt-get install nasm micro-inetd

Optional packages
$ sudo apt-get install libc6-dbg vim ssh

Workshop Setup (2)

PEDA tool

Download peda.tar.gz at: http://ropshell.com/peda/
Unpack to home directory

$ tar zxvf peda.tar.gz

Create a '.gdbinit'

$ echo source ~/peda/peda.py >> ~/.gdbinit

Workshop exercises

Download bhus12-workshop.tar.gz at: http://ropshell.com/peda/
Unpack to home directory

$ tar zxvf bhus12-workshop.tar.gz

Workshop Setup (3)

Temporarily disable ASLR

$ sudo sysctl -w kernel.randomize_va_space=0

Allow ptrace processes

$ sudo sysctl -w kernel.yama.ptrace_scope=0

Demo: Sample Exploit Development session with GDB

GDB or not GDB?

Standard debugger on *nix
Not ExDev oriented
  Lack of intuitive interface
  Lack of smart context display
  Lack of commands for ExDev
  GDB scripting is weak
Since GDB 7.0: powerful scripting API (v7.2)

Python GDB

PEDA Introduction

Python Exploit Development Assistance for GDB
Python GDB init script
  GDB 7.x, Python 2.6
Self help manual
Auto-completion of commands, options
Handy commands for exploit development
Framework for writing custom commands

PEDA features

Memory operations
Debugging helpers
Exploit helpers
Utilities

Exploit Development with PEDA

Exploit Development Process

Occupy EIP
Find the offset(s)
Determine the attack vector
Build the exploit
Test/debug the exploit

Occupied EIP, what next?

Find the offset(s)
  Where is my buffer?
  Any register points to it?

Attack vector (1)

Any exploit mitigation in place?
  NX
  ASLR
  PIE
  RELRO
  CANARY

Attack vector (2)

Find ways to code execution

ret2any: return to any executable, known place
  stack
  data / heap
  text
  library (libc)
  code chunk (ROP)
  stack pivoting

control input buffer

Build the exploit

Payload
  Shellcode
  ret2any payload
Exploit skeleton
Wrapper

Test and debug the exploit

Check for limitations
  Badchars
  Buffer size
Check for runtime effects
Modify/correct the exploit
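Added example (not from the slides and not PEDA code): a small payload builder that applies the two limitation checks from this slide, badchars and buffer size, before an exploit is ever sent to the target. It assumes the layout nopsled + shellcode + saved return address, with `offset` being the distance to EIP as found with `pattern offset`; the "shellcode" is a constructed placeholder of `int3` bytes so that a run under GDB simply stops where the sled lands.

```python
# Added example: payload assembly with the badchars and buffer-size checks
# from the "Test and debug the exploit" step (not code from the slides or PEDA).
import struct

NOP = b"\x90"


def gennop(size, nop=NOP):
    """A nopsled of `size` bytes, in the spirit of `gennop 500 \\x90`."""
    if size < 0:
        raise ValueError("negative nopsled size")
    reps = size // len(nop) + 1
    return (nop * reps)[:size]


def find_badchars(data, badchars):
    """All (offset, byte) positions where `data` contains a forbidden byte."""
    bad = set(badchars)
    return [(i, b) for i, b in enumerate(data) if b in bad]


def build_payload(offset, ret_addr, shellcode):
    """[nopsled][shellcode][ret_addr]: `offset` is the distance to the saved
    EIP, so nopsled + shellcode must fill exactly `offset` bytes."""
    if len(shellcode) > offset:
        raise ValueError("shellcode (%d bytes) does not fit before EIP at %d"
                         % (len(shellcode), offset))
    sled = gennop(offset - len(shellcode))
    return sled + shellcode + struct.pack("<I", ret_addr)   # x86: little-endian


def check_limits(payload, bufsize, badchars=b"\x00\x0a"):
    """Return a list of problems; empty when the payload passes both checks.
    Default badchars are NUL and newline, the usual string/line terminators."""
    problems = []
    if len(payload) > bufsize:
        problems.append("payload is %d bytes, buffer holds %d" % (len(payload), bufsize))
    hits = find_badchars(payload, badchars)
    if hits:
        problems.append("badchars at %s" % ", ".join("%d:0x%02x" % h for h in hits))
    return problems


# Constructed placeholder "shellcode": int3 breakpoints, not a real payload.
DUMMY_SHELLCODE = b"\xcc" * 8

if __name__ == "__main__":
    good = build_payload(offset=32, ret_addr=0xbffff0e8, shellcode=DUMMY_SHELLCODE)
    print(check_limits(good, bufsize=64))          # no problems
    # 0xbffff000 packs to 00 f0 ff bf: the leading NUL is a badchar
    bad = build_payload(offset=32, ret_addr=0xbffff000, shellcode=DUMMY_SHELLCODE)
    print(check_limits(bad, bufsize=64))           # reports badchar at offset 32
```

The return address is the usual place where a badchar sneaks in: an otherwise valid stack address whose low byte is 0x00 truncates the input at the copy, which is exactly what the "runtime effects" check on this slide is meant to catch.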


Demo & Practices

Buffer overflow exploit
Format string exploit
PEDA commands explanation and usage

PEDA Commands

Prepare input buffer

pattern create
  pattern create 2000
  pattern create 2000 input

pset arg
  pset arg "A"*2000
  pset arg "cyclic_pattern(2000)"

pset env
  pset env EGG "cyclic_pattern(2000)"

Context display

Registers
  context reg

Code
  context code

Stack
  context stack

Runtime info

Virtual memory mapping
  vmmap
  vmmap binary
  vmmap libc
  vmmap 0xb7d88000

Register / address
  xinfo register eax
  xinfo 0xb7d88000

Stack / memory
  telescope 40
  telescope 0xb7d88000 40

Search for input buffer

pattern offset
  pattern offset $pc

pattern search
  pattern search
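The cyclic pattern behind `pattern create` and `pattern offset` can be reproduced in plain Python. The following is an added example written for this page, not PEDA's own implementation: it builds the classic upper/lower/digit triplet pattern, and `pattern_offset()` accepts either a byte string seen in memory or the raw 32-bit value found in EIP after the crash (matched as little-endian bytes first, then big-endian) and returns its position in the pattern, which is the distance from the start of the input to the saved return address.

```python
# Added example: stand-alone reimplementation of the cyclic pattern used by
# `pattern create` / `pattern offset` (not PEDA's own code).
import struct
from itertools import product

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"
MAX_PATTERN = len(UPPER) * len(LOWER) * len(DIGIT) * 3   # 20280 bytes before it repeats


def cyclic_pattern(size):
    """Return `size` bytes of the non-repeating pattern Aa0Aa1Aa2...Ab0Ab1..."""
    if size > MAX_PATTERN:
        raise ValueError("pattern longer than %d bytes would repeat" % MAX_PATTERN)
    chunks = []
    for u, l, d in product(UPPER, LOWER, DIGIT):   # triplets in pattern order
        chunks.append(u + l + d)
        if len(chunks) * 3 >= size:
            break
    return "".join(chunks)[:size].encode("ascii")


def pattern_offset(value, size=MAX_PATTERN):
    """Offset of `value` inside the pattern, or -1 if it does not occur.

    `value` is either a byte string (as read from memory) or an int such as
    the crashed EIP. An int is matched as its little-endian bytes first,
    since that is how x86 loads a 32-bit value from the stack, and as
    big-endian bytes second."""
    pat = cyclic_pattern(size)
    if isinstance(value, int):
        for fmt in ("<I", ">I"):
            off = pat.find(struct.pack(fmt, value & 0xffffffff))
            if off != -1:
                return off
        return -1
    return pat.find(value)


if __name__ == "__main__":
    # Workflow: feed the pattern to the target, crash, read EIP, look it up.
    print(cyclic_pattern(40))
    print(pattern_offset(0x41366141))   # EIP holds "Aa6A" -> offset 18
```

Running the target with `cyclic_pattern(2000)` as argument and then calling `pattern_offset()` with the EIP value from the crash is the manual equivalent of `pattern offset $pc`; a result of -1 means EIP was not overwritten by the pattern bytes themselves.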

Jmp/call search

jmpcall
  jmpcall
  jmpcall eax
  jmpcall esp libc

Generate shellcode/nopsled

gennop
  gennop 500
  gennop 500 \x90

shellcode
  shellcode x86/linux exec

assemble
  assemble

Exploit wrapper

skeleton
  skeleton argv exploit.py

Use with GDB
  set exec-wrapper ./exploit.py

Memory search

searchmem / find
  find /bin/sh libc
  find 0xdeadbeef all
  find "\x04\x08" 0x08048000 0x08049000

refsearch
  refsearch /bin/sh
  refsearch 0xdeadbeef

lookup address
  lookup address stack libc

lookup pointer
  lookup pointer stack ld-2

ASM / ROP search

asmsearch
  asmsearch "int 0x80"
  asmsearch "add esp, ?" libc

ropsearch
  ropsearch "pop eax"
  ropsearch "xchg eax, esp" libc

dumprop
  dumprop
  dumprop binary pop

ropgadget
  ropgadget
  ropgadget libc

ELF headers / symbols

elfheader / readelf
  elfheader
  elfheader .got
  readelf libc .text

elfsymbol
  elfsymbol
  elfsymbol printf

ret2plt / ROP payload

payload
  payload copybytes
  payload copybytes target /bin/sh
  payload copybytes 0x0804a010 offset

Other memory operations (1)

dumpmem
  dumpmem libc.mem libc

loadmem
  loadmem stack.mem 0xbffdf000

cmpmem
  cmpmem 0x08049000 0x0804a000 data.mem

xormem
  xormem 0x08049000 0x0804a000 thekey

patch
  patch $esp 0xdeadbeef
  patch $eax "the long string pattern"
  patch 0xdeadbeef 100
  patch (multiple lines)

Other memory operations (2)

strings
  strings
  strings binary 4

hexdump
  hexdump $sp 64
  hexdump $sp /20

hexprint
  hexprint $sp 64
  hexprint $sp /20

Other debugging helpers (1)

pdisass
  pdisass $pc /20

nearpc
  nearpc 20
  nearpc 0x08048484

pltbreak
  pltbreak cpy

deactive
  deactive setresuid
  deactive chdir

unptrace
  unptrace

Other debugging helpers (2)

stepuntil
  stepuntil cmp
  stepuntil xor
  nextcall cpy
  nextjmp

tracecall / ftrace
  tracecall
  tracecall cpy,printf
  tracecall -puts,fflush

traceinst / itrace
  traceinst 20
  traceinst cmp,xor

Other debugging helpers (3)

waitfor
  waitfor
  waitfor myprog -c

snapshot
  snapshot save
  snapshot restore

assemble
  assemble $pc
  mov al, 0xb
  int 0x80
  end

procinfo
  procinfo
  procinfo fd

Config options

pshow
  pshow
  pshow option context

pset option
  pset option context code,stack
  pset option badchars \r\n

Edit lib/config.py for permanent changes

Python GDB scripting with PEDA (1)

Global instances

pedacmd:
  Interactive commands
  Return nothing
  e.g: pedacmd.context_register()

peda:
  Backend functions that interact with GDB
  Return values
  e.g: peda.getreg("eax")

Utilities
  e.g: to_int(), format_address()

Python GDB scripting with PEDA (2)

Getting help
  pyhelp peda
  pyhelp hex2str

One-liner / interactive uses

gdb-peda$ python print peda.get_vmmap()

gdb-peda$ python
>status = peda.get_status()
>while status == "BREAKPOINT":
>    peda.execute("continue")
>    status = peda.get_status()
>end

Python GDB scripting with PEDA (3)

External scripts

# myscript.py
def myrun(size):
    argv = cyclic_pattern(size)
    peda.execute("set arg %s" % argv)
    peda.execute("run")

gdb-peda$ source myscript.py
gdb-peda$ python myrun(100)
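As an added example of the external-script pattern on this slide (written for this page, not shipped with PEDA), the script below defines a small `whereis` command that reports which mapping an address falls into, the kind of question `xinfo` and `lookup` answer. The parsing and lookup are plain Python and run outside GDB against a constructed `/proc/<pid>/maps` sample; only the command registration, which uses GDB's standard `gdb.Command` API rather than PEDA's command framework, needs to be loaded from inside GDB (`source whereis.py`). The script name, the sample mappings and the addresses are assumptions.

```python
# Added example: an external GDB Python script (not part of PEDA) that
# answers "which mapping contains this address?" like xinfo / lookup.
import re

try:
    import gdb          # only available when the script is sourced inside GDB
except ImportError:
    gdb = None

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)$")


def parse_maps(text):
    """Parse /proc/<pid>/maps text into (start, end, perms, name) tuples."""
    maps = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            maps.append((int(m.group(1), 16), int(m.group(2), 16),
                         m.group(3), m.group(4)))
    return maps


def lookup_address(addr, maps):
    """Return the mapping tuple containing `addr`, or None if it is unmapped."""
    for start, end, perms, name in maps:
        if start <= addr < end:
            return (start, end, perms, name)
    return None


# Constructed sample, not captured from a real process (assumed paths/addresses).
SAMPLE_MAPS = """\
08048000-08049000 r-xp 00000000 08:01 131 /home/user/workshop/bof
08049000-0804a000 r--p 00000000 08:01 131 /home/user/workshop/bof
0804a000-0804b000 rw-p 00001000 08:01 131 /home/user/workshop/bof
b7d88000-b7ee5000 r-xp 00000000 08:01 42 /lib/libc-2.11.1.so
bffdf000-c0000000 rw-p 00000000 00:00 0 [stack]
"""

if gdb is not None:
    class WhereIs(gdb.Command):
        """whereis ADDR -- show the mapping of the running process that contains ADDR."""

        def __init__(self):
            super(WhereIs, self).__init__("whereis", gdb.COMMAND_USER)

        def invoke(self, arg, from_tty):
            addr = int(gdb.parse_and_eval(arg))   # accepts $pc, 0x..., symbols
            pid = gdb.selected_inferior().pid
            with open("/proc/%d/maps" % pid) as f:
                hit = lookup_address(addr, parse_maps(f.read()))
            print("%#x -> %s" % (addr, hit if hit else "not mapped"))

    WhereIs()   # register the command when sourced inside GDB

if __name__ == "__main__":
    maps = parse_maps(SAMPLE_MAPS)
    print(lookup_address(0x08048484, maps))   # text segment of the binary
    print(lookup_address(0x41414141, maps))   # None: not mapped
```

Checking the permissions of the hit is the practical point: a return address in an `r-xp` region can be executed, one in the `rw-p` stack cannot once NX is on, which is the mitigation question from the "Attack vector (1)" slide.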


Extending PEDA (1)

PEDA structure

PEDA class
  Interact with GDB
  Backend functions

PEDACmd class
  Interactive commands
  Config options

Utilities
  Common utils
  External libraries

Extending PEDA (2)

Special functions
  PEDA.execute()
  PEDA.execute_redirect()
  PEDACmd._is_running()
  PEDACmd._missing_argument()
  utils.execute_external_command()
  utils.reset_cache()

Extending PEDA (3)

Writing new interactive command

Future plan

More platforms
  ARM support
Integration
  IDA
  libheap
  libformat
  CERT's exploitable

Thank you!