WELCOME TO COMP6447!

In order to prepare you for this course, we have put together a list of tools you will need to have installed, and to have begun familiarising yourself with, by the start of week 1.

To further help you learn how to use these tools, we have also included a few simple, introductory challenges to practice with.



Required Resources

Linux

If you already have some form of Linux installed, you can ignore this section. Otherwise you have two options to install Linux.

The majority of tooling for exploit development is designed for Linux. You will most likely run into serious incompatibility problems if you use macOS directly or the Windows Subsystem for Linux.

  1. Install a virtual machine with the Linux distribution of your choice, and set it up yourself.
  2. Use Docker to run Linux in a container on your machine.

NOTE: The majority of the course was designed using the latest version of Ubuntu.


Tooling

  • pwndbg: additions to vanilla GDB to assist with debugging exploits.
  • pwntools: used to connect to and communicate with challenges running remotely.
  • Binary Ninja (or a decompiler of your choice): used to disassemble binaries and view call graphs.


Useful Commands

pwndbg

b 0x1337		- break at address 0x1337
c 			- continue until next breakpoint/end of program
si 			- step by a single instruction
fin 			- run until the end of the current function
x 0x1337 		- examine memory at 0x1337
x/20wx 0x1337 		- examine 20 words (as hex) from 0x1337
x/s 0x1337		- examine string at 0x1337
att 1234 		- attach to running process with PID 1234
set $reg=value 		- set register = value, e.g. set $ebx=1

# Heap Commands #
heap 				- view overview of heap
bins 				- view current heap bins
vis_heap_chunks 0x1234 5 	- view 5 heap chunks from 0x1234


pwntools

# connecting to a process
p = process("filename/path") 		# start local process 
p = remote("IP",PORT) 			# connect to remote process at IP on port

# sending/receiving data
p.recvuntil("string",timeout=0.5) 	# receive from process until string or timeout occurs
p.sendline("string") 			# send string to process; a trailing newline (\n) is appended
p.sendlineafter("abcd", "string") 	# send string to process after receiving abcd

# changing data format
p32(0x12345678) == b"\x78\x56\x34\x12" 	# pack 32-bit number into little-endian bytes
p64(0xdeadbeef12345678) == b"\x78\x56\x34\x12\xef\xbe\xad\xde" 	# pack 64-bit number into little-endian bytes
u32(b"\x78\x56\x34\x12") == 0x12345678 	# unpack 32-bit little-endian bytes into an integer
u64(b"\x78\x56\x34\x12\x00\x00\x00\x00") == 0x12345678 	# unpack 64-bit little-endian bytes into an integer (padding goes at the high end, i.e. the right)

# misc
log.info("text") 		# Show regular (blue) log text on screen
log.critical("text")            # Show critical (red) log text on screen
pause() 	    	        # Pause python process
p.interactive() 		# Give user an interactive shell
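As an added example (not part of the course page and not pwntools' own code), the functions below reproduce what pwntools' p32/p64/u32/u64 do using only the standard library, so the packing examples above can be checked without pwntools installed; the helper names and the constructed leak line are my own.

```python
import struct

# Stdlib equivalents of the pwntools helpers. Names mirror pwntools but
# these are assumed re-implementations, not pwntools itself.
def p32(n: int) -> bytes:
    """Pack a 32-bit integer into 4 little-endian bytes (like pwntools p32)."""
    return struct.pack("<I", n)

def p64(n: int) -> bytes:
    """Pack a 64-bit integer into 8 little-endian bytes (like pwntools p64)."""
    return struct.pack("<Q", n)

def u32(b: bytes) -> int:
    """Unpack exactly 4 little-endian bytes into an integer (like pwntools u32)."""
    return struct.unpack("<I", b)[0]

def u64(b: bytes) -> int:
    """Unpack exactly 8 little-endian bytes into an integer (like pwntools u64)."""
    return struct.unpack("<Q", b)[0]

def u64_padded(leak: bytes) -> int:
    """Unpack a short little-endian leak (e.g. the 6 significant bytes of a
    64-bit address). Padding must go on the RIGHT: in little-endian the
    first byte is the least significant, so left-padding would shift the
    value up by 32 bits."""
    if len(leak) > 8:
        raise ValueError("leak longer than 8 bytes")
    return u64(leak.ljust(8, b"\x00"))

def parse_hex_leak(line: bytes) -> int:
    """Extract a printed address from program output such as
    b'buf is at 0x7ffd1234abcd\\n' (a constructed line), as you would do
    after p.recvuntil(b'at ') with int(p.recvline(), 16)."""
    token = line.split(b"0x", 1)[1].split()[0]
    return int(token, 16)

def roundtrip_ok() -> bool:
    """Packing then unpacking must give the original value back."""
    return (u32(p32(0x12345678)) == 0x12345678
            and u64(p64(0xdeadbeef12345678)) == 0xdeadbeef12345678)
```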


unix

objdump -d binary 		# Disassemble the binary's code sections
strace ./binary 		# Trace the syscalls made during process execution
ltrace ./binary			# Trace the library calls made during process execution
strings binary 			# Print out all printable strings found in the file
checksec binary 		# Check which mitigations (NX, PIE, canary, RELRO) the binary was built with
file binary 			# Identify the type of file
rabin2 -z binary 		# List strings and their addresses in the data section
xxd binary 			# View the binary as a hex dump


rop chain tooling

IMPORTANT NOTE: You should only use these tools to find the raw gadgets

DO NOT USE AUTOMATED ROP CHAIN GENERATORS IN THIS COURSE!


Other Resources

LiveOverflow YouTube Channel


Lab Challenge

In lab 1, your tutor will work through this challenge with you.