0x00 Overview

Since I recently started learning the heap, I often need to switch between glibc versions, and I have rebuilt my environment anyway, so I deleted my earlier environment-setup posts and merged them into this one.

My setup: a Tencent Cloud remote server and an M1 MacBook Pro.

0x01 Ubuntu 20.04

wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
python get-pip.py
pip install pwntools

Then, whenever Python complains about a missing library, just pip install that library.

git clone https://github.com/lieanu/LibcSearcher.git
cd LibcSearcher
python setup.py develop

Switching glibc

git clone https://github.com/matrix1001/glibc-all-in-one
cd glibc-all-in-one
./update_list
cat list
./download <the libc version you need>

git clone https://github.com/NixOS/patchelf
cd patchelf
./bootstrap.sh
# If it says "autoreconf: not found", run sudo apt-get install autoconf automake libtool
# (mine did not error out, though).
./configure
make
make check
sudo make install

ldd <program> shows the libc and ld the program was originally linked against.

Running the libc shipped with the pwn challenge (./libc.so.6) prints its Ubuntu package version, so you can go and find the matching dynamic linker.

sudo ln ld-2.26.so /lib64/ld-2.26.so
# link the loader into /lib64; replace ld-2.26.so above with your own
patchelf --set-interpreter /lib64/ld-2.26.so ./demo
# set the interpreter
patchelf --replace-needed libc.so.6 ~/glibc-all-in-one/libs/2.26-0ubuntu2_amd64/libc-2.26.so ./demo
# replace the program's original libc.so.6 with the one we want

Reference link

I also wrote a script to make switching glibc easier, since nobody wants to type all of the commands above every time.

import os
import sys
from pwn import *

try:
    binary = sys.argv[1]
except IndexError:
    log.info("[Error] need a file (python patchlibc.py filename)")
    exit(1)

path = "/home/ubuntu/tools/glibc-all-in-one/"
# Remember to change this to your own glibc-all-in-one path
# Remember to ./download the glibc first
# choice number -> [glibc-all-in-one libs/ directory, version, 32/64-bit]
op = {
    1: ["2.23-0ubuntu11.3_amd64", "2.23", "64"],
    2: ["2.23-0ubuntu11.3_i386", "2.23", "32"],
    3: ["2.23-0ubuntu3_amd64", "2.23", "64"],
    4: ["2.23-0ubuntu3_i386", "2.23", "32"],
    5: ["2.27-3ubuntu1.2_amd64", "2.27", "64"],
    6: ["2.27-3ubuntu1.2_i386", "2.27", "32"],
    7: ["2.27-3ubuntu1.4_amd64", "2.27", "64"],
    8: ["2.27-3ubuntu1.4_i386", "2.27", "32"],
    9: ["2.27-3ubuntu1_amd64", "2.27", "64"],
    10: ["2.27-3ubuntu1_i386", "2.27", "32"],
    11: ["2.31-0ubuntu9.2_amd64", "2.31", "64"],
    12: ["2.31-0ubuntu9.2_i386", "2.31", "32"],
    13: ["2.31-0ubuntu9_amd64", "2.31", "64"],
    14: ["2.31-0ubuntu9_i386", "2.31", "32"],
    15: ["2.32-0ubuntu3.2_amd64", "2.32", "64"],
    16: ["2.32-0ubuntu3.2_i386", "2.32", "32"],
    17: ["2.32-0ubuntu3_amd64", "2.32", "64"],
    18: ["2.32-0ubuntu3_i386", "2.32", "32"],
    19: ["2.33-0ubuntu5_amd64", "2.33", "64"],
    20: ["2.33-0ubuntu5_i386", "2.33", "32"],
    21: ["2.34-0ubuntu3_amd64", "2.34", "64"],
    22: ["2.34-0ubuntu3_i386", "2.34", "32"],
}
for k in sorted(op):
    print("%d: %s" % (k, op[k][0]))

# int() so the script works on both Python 2 and 3 (Python 3 input() returns a string)
parameter = int(input("choose your glibc: "))
name, ver, bits = op[parameter]
print(name)
# copy the loader next to the binary and link it into /lib64 (or /lib32)
os.system("cp " + path + "libs/" + name + "/ld-" + ver + ".so .")
os.system("sudo rm -rf /lib" + bits + "/ld-" + ver + ".so")
os.system("sudo ln ld-" + ver + ".so /lib" + bits + "/ld-" + ver + ".so")
# point the binary at the new interpreter and libc
os.system("patchelf --set-interpreter /lib" + bits + "/ld-" + ver + ".so ./" + binary)
os.system("patchelf --replace-needed libc.so.6 " + path + "libs/" + name + "/libc-" + ver + ".so ./" + binary)
success("patchelf success!")
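As an added example (not the post's script), the following derives the glibc-all-in-one directory name, the ld/libc file names and the target lib directory directly from the challenge's libc, instead of picking them from the hand-typed table above: the package version comes from the banner that "./libc.so.6" prints when run (it is embedded in the file), and the architecture from the ELF header. The sample libc bytes are constructed; the 2.34+ file-name rule is taken from glibc's own release notes, not from the post.

```python
import re
import struct

# Banner every Ubuntu libc.so embeds (the same text "./libc.so.6" prints), e.g.
# "GNU C Library (Ubuntu GLIBC 2.27-3ubuntu1.4) stable release version 2.27."
BANNER = re.compile(rb"GNU C Library \(Ubuntu E?GLIBC ([0-9][^)\s]*)\)")

EM_386, EM_X86_64 = 0x03, 0x3E          # e_machine values from the ELF spec

def libc_arch(data: bytes) -> str:
    """Return 'amd64' or 'i386' from e_machine (offset 18 of the ELF header)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    (e_machine,) = struct.unpack_from("<H", data, 18)
    if e_machine == EM_X86_64:
        return "amd64"
    if e_machine == EM_386:
        return "i386"
    raise ValueError("unsupported e_machine 0x%x" % e_machine)

def libc_info(data: bytes) -> dict:
    """Map a libc's bytes to the names glibc-all-in-one and the script above use."""
    m = BANNER.search(data)
    if m is None:
        raise ValueError("no glibc version banner found")
    pkg = m.group(1).decode()           # e.g. "2.27-3ubuntu1.4"
    ver = pkg.split("-")[0]             # e.g. "2.27"
    arch = libc_arch(data)
    # Since glibc 2.34 the versioned names (ld-2.34.so, libc-2.34.so) are gone;
    # only ld-linux-x86-64.so.2 / ld-linux.so.2 and libc.so.6 are shipped.
    new_layout = tuple(int(x) for x in ver.split(".")) >= (2, 34)
    return {
        "dir": "%s_%s" % (pkg, arch),   # libs/<dir> inside glibc-all-in-one
        "ld": ("ld-linux-x86-64.so.2" if arch == "amd64" else "ld-linux.so.2")
              if new_layout else "ld-%s.so" % ver,
        "libc": "libc.so.6" if new_layout else "libc-%s.so" % ver,
        "libdir": "/lib64" if arch == "amd64" else "/lib32",  # where the script links ld
    }

# Constructed sample: a fake 64-bit ELF header followed by a 2.27 Ubuntu banner.
SAMPLE_LIBC = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack("<HH", 3, EM_X86_64)
               + b"\x00" * 40
               + b"GNU C Library (Ubuntu GLIBC 2.27-3ubuntu1.4) stable release version 2.27.\n")

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:   # usage: python libcinfo.py ./libc.so.6
        print(libc_info(f.read()))
```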
git clone https://github.com/scwuaptx/Pwngdb.git 
cp ~/tools/Pwngdb/.gdbinit ~/

git clone https://github.com/pwndbg/pwndbg
cd pwndbg
./setup.sh

vim ~/.gdbinit
source ~/tools/pwndbg/gdbinit.py
source ~/tools/Pwngdb/pwngdb.py
source ~/tools/Pwngdb/angelheap/gdbinit.py

Reference link

# ERROR: ld.so: object '/usr/local/lib/libftp.so' from /etc/ld.so.preload cannot be preloaded: ignored.
# the error message above; fix:
echo "" > /etc/ld.so.preload

0x02 M1 Docker

First of all: if you do pwn, don't buy an M1.

x64

$ docker pull ubuntu:20.04 --platform linux/amd64
$ docker run -i -t --name <a name> ubuntu:20.04 /bin/bash
# -i: interactive
# -t: allocate a terminal
# --name: give the container a name
$ docker ps -a
# list all containers
$ docker rmi 96f7f14e99ab
# delete an image
$ docker start|stop 96f7f14e99ab
# start / stop a container
$ docker cp /root/xxx 96f7f14e99ab:/root/
# copy into the container
$ docker cp 96f7f14e99ab:/root/xxx /root/
# copy back to the host

The x64 gdb cannot be used in this container.

https://github.com/docker/for-mac/issues/5191

arm

$ docker pull ubuntu:20.04
$ docker run --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -it ubuntu:20.04 /bin/bash
# --cap-add list   # grant certain capabilities
# --cap-drop list  # drop capabilities
# Docker on the M1 does not grant SYS_PTRACE by default, so gdb cannot work

Secure computing mode (seccomp) is a Linux kernel feature; Docker uses it to restrict which operations a container may perform.

The default seccomp profile disables 44 of the 300+ system calls. Using --security-opt seccomp=unconfined lets the container execute every system call.

0x03 Some annoying errors

When pwntools fails to launch gdb: first, always remember to enter tmux before running the script, otherwise it is guaranteed to error out (this cost me a whole evening).

The second problem: the fix for pwntools hanging forever at "Waiting for debugger" when using tmux with gdb attach

git clone --depth 1 git://github.com/Gallopsled/pwntools
pip install --upgrade --editable ./pwntools
# no need to cd into the directory; run pip install directly as above

I hate setting up environments.