[Linux] gdb로 PIE 디버깅

2019. 7. 22. 15:22

P

PIE의 경우 gdb-peda로 디버깅할시 base주소가 항상 0x0000555555554000이더라...

그래서 그냥 저기에 함수 오프셋을 더해줘서 breakpoint를 걸어주면 된다.

단 한번은 직접 실행해줘야한다.


뭐 그것말고도 방법이 있더라...

아래 방법인데 나는 자주안쓰고, 위의 방법을 사용



1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
Reading symbols from datastore.elf...(no debugging symbols found)...done.
gdb-peda$ b * 0
Breakpoint 1 at 0x0
gdb-peda$ r
Starting program: /home/myria/study_pwn/plaiddb/datastore.elf 
Warning:
Cannot insert breakpoint 1.
Cannot access memory at address 0x0
 
gdb-peda$ x/20i $pc
=> 0x7ffff7dd7c30:    mov    rdi,rsp
   0x7ffff7dd7c33:    call   0x7ffff7dd89b0
   0x7ffff7dd7c38:    mov    r12,rax
   0x7ffff7dd7c3b:    mov    eax,DWORD PTR [rip+0x225037]        # 0x7ffff7ffcc78
   0x7ffff7dd7c41:    pop    rdx
   0x7ffff7dd7c42:    lea    rsp,[rsp+rax*8]
   0x7ffff7dd7c46:    sub    edx,eax
   0x7ffff7dd7c48:    push   rdx
   0x7ffff7dd7c49:    mov    rsi,rdx
   0x7ffff7dd7c4c:    mov    r13,rsp
   0x7ffff7dd7c4f:    and    rsp,0xfffffffffffffff0
   0x7ffff7dd7c53:    mov    rdi,QWORD PTR [rip+0x2253e6]        # 0x7ffff7ffd040
   0x7ffff7dd7c5a:    lea    rcx,[r13+rdx*8+0x10]
   0x7ffff7dd7c5f:    lea    rdx,[r13+0x8]
   0x7ffff7dd7c63:    xor    ebp,ebp
   0x7ffff7dd7c65:    call   0x7ffff7de7750
   0x7ffff7dd7c6a:    lea    rdx,[rip+0xfe4f]        # 0x7ffff7de7ac0
   0x7ffff7dd7c71:    mov    rsp,r13
   0x7ffff7dd7c74:    jmp    r12
   0x7ffff7dd7c77:    nop    WORD PTR [rax+rax*1+0x0]
gdb-peda$ b *0x7ffff7dd7c6a
Breakpoint 2 at 0x7ffff7dd7c6a
Warning:
Cannot insert breakpoint 1.
Cannot access memory at address 0x0
 
gdb-peda$ d 1
gdb-peda$ r
Starting program: /home/myria/study_pwn/plaiddb/datastore.elf 
 
[----------------------------------registers-----------------------------------]
RAX: 0x1c 
RBX: 0x0 
RCX: 0x7fffffffe5b8 --> 0x7fffffffe7f6 ("XDG_SESSION_ID=5")
RDX: 0x7fffffffe5a8 --> 0x7fffffffe7ca ("/home/myria/study_pwn/plaiddb/datastore.elf")
RSI: 0x1 
RDI: 0x7ffff7ffe168 --> 0x555555554000 --> 0x10102464c457f 
RBP: 0x0 
RSP: 0x7fffffffe5a0 --> 0x1 
RIP: 0x7ffff7dd7c6a (<_dl_start_user+50>:    lea    rdx,[rip+0xfe4f]        # 0x7ffff7de7ac0 <_dl_fini>)
R8 : 0x7ffff7ffe6f8 --> 0x0 
R9 : 0x0 
R10: 0x8e 
R11: 0x7ffff7b95300 --> 0xfff229defff228ec 
R12: 0x555555554bc7 (xor    ebp,ebp)
R13: 0x7fffffffe5a0 --> 0x1 
R14: 0x0 
R15: 0x0
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7dd7c5f <_dl_start_user+39>:    lea    rdx,[r13+0x8]
   0x7ffff7dd7c63 <_dl_start_user+43>:    xor    ebp,ebp
   0x7ffff7dd7c65 <_dl_start_user+45>:    call   0x7ffff7de7750 <_dl_init>
=> 0x7ffff7dd7c6a <_dl_start_user+50>:    lea    rdx,[rip+0xfe4f]        # 0x7ffff7de7ac0 <_dl_fini>
   0x7ffff7dd7c71 <_dl_start_user+57>:    mov    rsp,r13
   0x7ffff7dd7c74 <_dl_start_user+60>:    jmp    r12
   0x7ffff7dd7c77 <_dl_start_user+63>:    nop    WORD PTR [rax+rax*1+0x0]
   0x7ffff7dd7c80 <_dl_initial_error_catch_tsd>:    
    lea    rax,[rip+0x226339]        # 0x7ffff7ffdfc0 <data>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe5a0 --> 0x1 
0008| 0x7fffffffe5a8 --> 0x7fffffffe7ca ("/home/myria/study_pwn/plaiddb/datastore.elf")
0016| 0x7fffffffe5b0 --> 0x0 
0024| 0x7fffffffe5b8 --> 0x7fffffffe7f6 ("XDG_SESSION_ID=5")
0032| 0x7fffffffe5c0 --> 0x7fffffffe807 ("SHELL=/bin/bash")
0040| 0x7fffffffe5c8 --> 0x7fffffffe817 ("TERM=xterm")
0048| 0x7fffffffe5d0 --> 0x7fffffffe822 ("SSH_CLIENT=192.168.233.1 49767 22")
0056| 0x7fffffffe5d8 --> 0x7fffffffe844 ("SSH_TTY=/dev/pts/1")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
 
Breakpoint 20x00007ffff7dd7c6a in _dl_start_user () from /lib64/ld-linux-x86-64.so.2
gdb-peda$ x/10i $r12
   0x555555554bc7:    xor    ebp,ebp
   0x555555554bc9:    mov    r9,rdx
   0x555555554bcc:    pop    rsi
   0x555555554bcd:    mov    rdx,rsp
   0x555555554bd0:    and    rsp,0xfffffffffffffff0
   0x555555554bd4:    push   rax
   0x555555554bd5:    push   rsp
   0x555555554bd6:    lea    r8,[rip+0xfc3]        # 0x555555555ba0
   0x555555554bdd:    lea    rcx,[rip+0xf4c]        # 0x555555555b30
   0x555555554be4:    lea    rdi,[rip+0xffffffffffffff35]        # 0x555555554b20
gdb-peda$ p 0x555555554b20
$1 = 0x555555554b20
gdb-peda$ 
 
cs


저작자표시

'Pwnable!!' 카테고리의 다른 글

_dl_fini exploit (_rtld_global)  (0) 2019.10.09
[ 19.04 ] glibc 2.29 heap exploit 관련  (0) 2019.07.22
[glibc] malloc - fastbin size check 분석 : malloc(): memory corruption (fast)  (0) 2019.07.13
[x86 & x64] Return to dl resolve (rtdl)  (0) 2019.07.13
[18.04]glibc 2.27 이상에서 unsorted bin으로 main_areana leak 하는 법  (0) 2019.07.08

+ Recent posts

티스토리툴바