Linux Pwn Getting Started tutorial (0)--Environment configuration

[Email protected]0x00 Preface

As a graduate of more than a year of spicy chicken CTF, has been suffering from PWN problems, into the door more difficult problem. Originally on the online information about PWN is relatively fragmented, and often meet the teacher as a problem-solving process a little writeup and no comments, there are a lot of hard-coded offset script, there are difficult to find the practice, debugging the environment is hard to build, GDB does not have IDA good operation and so on. As an old Meng Xin (fog), decided according to Atum Master in the I spring and autumn in the PWN introductory course of the technical classification, combined with a number of topics and articles appearing in recent years to sort out a relatively complete Linux PWN tutorial.
This series of tutorials is only for I386/AMD64 Linux PWN common PWN techniques, such as stack, heap, integer overflow, formatted strings, conditional competition, etc. are introduced. For the sake of learning from the same students as me, all environments are encapsulated in a Docker image and are provided with instructional programs for debugging, original titles from previous events and Python scripts with annotations. Tutorials welcome you to the teacher spit groove, if the use of the topic and the script is inappropriate, will be in the teacher feedback after the apology and should be required to deal with.

0x01 Docker container usage and simple operation

Before setting up the environment, we need to prepare a 64-bit Linux system with Docker, which has a kernel version above 3.10 (which can be viewed through uname-r) and can be run on a physical machine or a virtual machine. The installation and launch of Docker is not mentioned here, and readers can search for themselves based on their Linux distributions. There are two links available here for Ubuntu and Kali users to refer to:
Kali: "Kali rolling install docker" http://www.cnblogs.com/Roachs/p/6308896.html
Ubuntu: "Ubuntu 16.04 installation Docker" http://blog.csdn.net/qq_27818541/article/details/73647797
After successfully installing Docker and verifying its availability, we can customize our own lab containers. This part of the content can be found in various areas of the tutorial, and PWN learning is not relevant, not to repeat here. In order to facilitate the experiment, I packed the experimental environment into several container snapshots, which can be imported directly into the image for use.

Take Ubuntu.17.04.amd64 as an example, the imported command is

Cat Ubuntu.17.04.amd64 | Docker IMPORT–UBUNTU/17.04.AMD64

After the import is successful, use the command Docker images to see a new image appear in the mirrored warehouse.

Rundocker run -it -p 23946:23946 ubuntu/17.04.amd64 /bin/bash

You can create a container with this image, open a shell, and forward the 23946 port that the IDA debug server listens to on the local 23946 port. By command docker container ls -a We found a container in the list of containers that had just been created, and was given a random name, which in my experiment was nostalgic_raman. We can rename docker container rename nostalgic_raman ubuntu.17.04.amd64 this container by command to UBUNTU.17.04.AMD64 or other name that you think is appropriate. Using docker exec -it ubuntu.17.04.amd64 /bin/bash a new bash shell we can open the target container. This allows us to start the IDA Debug server in the container in subsequent debugs and deploy the PWN topic with Socat.

In addition, you can use docker container cp commands to transfer files both inside and outside the Docker container and so on. It is important to note that the various operations on the container need to be performed at the time of the container run, and if the container is not yet running (the Docker container LS does not display the corresponding container), use the command to docker start run the corresponding container. In addition, if you are running multiple containers at the same time, in order to avoid port conflicts, you can docker run -it -p 23946:23946 ubuntu/17.04.amd64 /bin/bash change the first port number 23946 in the command to another number when you start the container.

0x02 Ida easy to use and remote Debug configuration

After successfully building the Docker environment, we are now familiar with the setup of the remote debugging environment for IDA and Ida. First we find the required debug server Linux_server (32-bit) and linux_serverx64 (64-bit) in the Dbgsrv folder of the folder where Ida is located and copy it to Kali.

Then use the command to docker container cp linux_server ubuntu.17.04.i386:/root/linux_server copy the Linux_server to the/root directory in the 32-bit container. At this point we can see linux_server in the login container, and running the server will prompt you to listen on port 23946.

Then we open the 32-bit IDA, load a program that will later be used to demonstrate the heap vulnerability heaptest_x86, find the main function in the left functions window, pick a line of code and press F2 the next breakpoint. Then through the debugger->process options ... Opens the Options window to set the remote debugging options.

In the pop-up Options window, configure the IP address hostname to Kali, and port maps the container to the ports in Kali.

Click OK after filling, press the shortcut key F9 run the program. If the connection is normal, you may be prompted to input file is missing:xxxxx, all right, Ida will copy the files being debugged to the server directory, and then the assembly code in the window background will become light blue and the window layout changes. If Ida zombies jumps out of the warning window for a while, you need to check if Ida's machine and Kali are able to ping, whether the container corresponds to the port mapping, whether the parameters are filled in correctly, and so on.

After the debugger is successfully connected, we can use various shortcut keys to debug the target program, common shortcut keys have the next breakpoint/Cancel breakpoint F2, run the program F9, step through the function F8, step into the function F7, run to the selected location F4 and so on. The main window used in debug mode is the assembly window IDA View-eip, register window general registers, Stack window stack view, Memory window hex view, System Log window Output window, etc.

Cut back to Kali, and we'll see that as the program runs, the shell window running the debug server will show the new content

When a program in Ida executes call    ___isoc99_scanf or resembles a command that waits for input, it falls into a blocking state, and the shortcut keys such as F4,F7,F8,F9 and run-related do not take effect. At this point we can enter content in the shell and the program in IDA resumes execution.

0x03 using Pwntools and IDA debugging programs

In the previous section we tried to configure remote debugging using IDA, but in debugging we might have some special requirements, such as automating some operations or passing some addresses to the program that contain invisible characters, such as \x50\x83\x04\x08 (0X08048350). At this point we need to use a script to do this kind of operation. We are using the famous Python library pwntools. The Pwntools library can be installed using PIP and its official document address is http://docs.pwntools.com/en/stable/. In this section we will use Pwntools and Ida to debug the program.

First we install Pwntools in Kali, enter python into the Python environment after the installation is complete, and import the Pwntools library using the from PWN import *.

Using Docker exec to open a new bash shell in a 32-bit container, jump to Heaptest_x86 's directory/root, view the container's IP address, and then execute the command to socat tcp-listen:10001,reuseaddr,fork EXEC:./heapTest_x86,pty,raw,echo=0 forward the heaptest_x86 io to Port 10001. We can see that the IP address in my container is 172.17.0.2. Back in Python, use io = remote("172.17.0.2", 10001) the open connection to heaptest_x86. This time we return to Ida to set breakpoints. It is important to note that at this point the heaptest_x86 has started to run, our goal is to attach to its running process, so we need to set the breakpoint after waiting for call    ___isoc99_scanf the input command to run the order, or because the computer running speed, Our breakpoint will expire because the target command has been executed and cannot reach the end result. Select Debugger->attach to process ..., attached to the./heaptest_x86 processes. At this point the EIP will point to the pop EBP command in Vdso.

These lines of instruction are actually the instructions after the execution of the sys_read, here we do not need to care about it, directly press F9, the check mark will disappear.

Back in the Python window, we used Pwntools's recv/send function family to interact with the running heaptest_x86. First enter IO.RECV () and we find that the menu that originally appeared in the Shell window is read out into the Python window.

Similarly, we can pass input to this process through Io.send (). We use Io.send (' 1′) to tell the process that we want to select option 1. This time we switch to the Ida window and find Ida still in a pending state, why is this?

Recall that when we interact with the process through the shell, we need to press ENTER after entering the option to "tell" the process that our input is over. So here we also need to send a return, so we do io.send (' \ n '), switch to the IDA window will find the EIP parked in the familiar program airspace. We can then use Ida's shortcut keys to debug, to observe the process of memory, stacks, registers and so on. Of course, we can also directly use the Io.sendline (), you can directly at the end of the input automatically added ' \ n '.

In the state, we enter IO.RECV () again in Python, and we find that the output is not read and Python is blocked. This is because the program does not have output to read at this time. We press F8 to call Mallocchunk line in Ida, and when you press F7 to enter the function and run to call _fflush the next line in the function, you will find that the blocking state of Python is lifted.

When we want to end debugging, we should use io.close() this IO to close down. Otherwise, the next time you try to attach, you will find two ./heapTest_x86 processes. Press to Ctrl+F2 exit debug mode in Ida.

The configuration lab environment is packaged as follows:

Link: https://pan.baidu.com/s/1xr9n9EBs2dALOkmIFaIdcQ Password please read the original

Linux Pwn Getting Started tutorial (0)--Environment configuration