ARM环境搭建

1. 安装 qemu、gdb-multiarch 和依赖库

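# User-mode qemu emulators, the binfmt registration that lets foreign-arch
# binaries be executed directly, a multi-arch gdb and the cross compilers.
apt-get install qemu-user
# Fixed typo: the package is qemu-user-binfmt (matching the :i386 variant on the same line).
apt-get install qemu-user-binfmt qemu-user-binfmt:i386
apt-get install gdb-multiarch
apt-get install qemu-user-static
apt install gcc-arm-linux-gnueabi gcc-aarch64-linux-gnu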

2. 安装对应架构的共享库，可以用 apt 搜索一下

# List the cross libc packages for arm targets; the arm64 one is the aarch64 libc.
apt search 'libc6-' | grep 'arm'   # aarch64
# Installs the target libc and loader under /usr/<triple>/ for qemu's -L option.
apt install libc6-arm64-cross

3. 交叉编译

# List the cross gcc packages for arm targets (the aarch64 one is gcc-aarch64-linux-gnu).
apt search 'gcc-' | grep 'arm'   # aarch64
apt install gcc-arm-linux-gnueabi
# Compiler drivers by target triple:
#   arm-linux-gnueabi-gcc    soft-float ABI, provided by the package installed above
#   arm-linux-gnueabihf-gcc  hard-float ABI, provided by the separate gcc-arm-linux-gnueabihf package
#   aarch64-linux-gnu-gcc
#   mips-linux-gnu-gcc
#   riscv64-linux-gnu-gcc
#   powerpc64-linux-gnu-gcc

4. 本地调试脚本

from pwn import *
from sys import argv
import argparse
from pwnlib.util import misc

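# Short tube helpers.  They resolve the global ``io`` at call time, so they are
# only usable after ``io`` has been created in the ``__main__`` block below.
def s(data):
    """Send *data* on the tube."""
    return io.send(data)

def sa(delim, data):
    """Send *data* once *delim* has been received."""
    return io.sendafter(delim, data)

def sl(data):
    """Send *data* followed by a newline."""
    return io.sendline(data)

def sla(delim, data):
    """Send *data* plus a newline once *delim* has been received."""
    return io.sendlineafter(delim, data)

def r(num=4096):
    """Receive up to *num* bytes."""
    return io.recv(num)

def ru(delims, drop=True):
    """Receive up to *delims*; the delimiter itself is dropped by default."""
    return io.recvuntil(delims, drop)

def itr():
    """Hand the tube over to the user."""
    return io.interactive()

def uu32(data):
    """Unpack a u32 from a leak of 1-4 bytes, zero-padding on the right."""
    # b'\0' pads both py3 bytes and py2 str; a bare '\0' raises TypeError on py3 bytes.
    return u32(data.ljust(4, b'\0'))

def uu64(data):
    """Unpack a u64 from a leak of 1-8 bytes, zero-padding on the right."""
    return u64(data.ljust(8, b'\0'))

def leak(name, addr):
    """Log *addr* as a hex value labelled *name*."""
    return log.success('{} = {:#x}'.format(name, addr))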

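if __name__ == '__main__':
    # Architecture suffix of the qemu-user binary to run (qemu-<pwn_arch>).
    # The author also used 'riscv' / 'riscv32' here; the same string is handed to
    # gdb's `set architecture`, whose names do not always match qemu's.
    pwn_arch = 'arm'  # riscv riscv32
    # Sysroot passed to qemu -L; must contain the target's dynamic loader and libc.
    link_dir = "/usr/arm-linux-gnueabi/"
    pwnfile = './ret2libc_arm'
    # TCP port on which qemu's built-in gdb stub (-g) waits for gdb-multiarch.
    port = "8888"
    # 0: run under qemu, 1: run under qemu and wait for gdb, 2: connect to a remote service.
    debug = 1

    qemu_cmd = ["qemu-" + pwn_arch, "-L", link_dir]
    if debug == 1:
        # NOTE(review): the -g stub is not necessarily bound to loopback only;
        # confirm its listening address before using this on a shared network.
        io = process(qemu_cmd + ["-g", port, pwnfile])
    elif debug == 0:
        io = process(qemu_cmd + [pwnfile])
    elif debug == 2:
        io = remote('192.168.2.177', 12346)
    else:
        exit(0)

    elf = ELF(pwnfile)
    rop = ROP(pwnfile)
    context.binary = pwnfile
    #context.gdbinit = "~/.gdbinit"
    context.terminal = ['tmux', 'splitw', '-h']
    # Use the libc from the qemu sysroot: that is the one the emulated process maps.
    libcfile = link_dir + "lib/libc.so.6"
    #libcfile = "./libc-2.28.so"
    libc = ELF(libcfile)
    #libc=ELF('./libc-2.27.so')
    #pause()

    if debug == 1:
        # Earlier, now-disabled attempt to read the libc base and path from /proc/<pid>/maps.
        # payload_search_pid = "ps -A|grep 'qemu'|awk '{print $1}'"
        # pid = os.popen(payload_search_pid).readline().replace("\r","").replace("\n","")
        # print("pid is :", pid)
        # print(io.pid)
        # assert(str(io.pid) == pid)
        # pid = str(io.pid)
        # payload_search_libcbaseaddr = "cat /proc/" + pid + "/maps |grep libc-|awk -F \- '{if(NR==1) print \"0x\" $1}'"
        # print(payload_search_libcbaseaddr)
        # libc_base_addr = os.popen(payload_search_libcbaseaddr).readline().replace("\r","").replace("\n","")
        # libc_base_addr = int(libc_base_addr ,16)
        # print( "libc addr is :" , hex(libc_base_addr))
        # payload_search_libcpath = "cat /proc/" + pid + "/maps |grep libc-|awk '{if(NR==1) print $6}'"
        # libc_file_path = os.popen(payload_search_libcpath).readline().replace("\r","").replace("\n","")
        # print("libc file path is:" , libc_file_path)
        # print(io.libc.path)

        # Build the gdb-multiarch command one option per element instead of a
        # backslash-continued string: the original had no space between
        # "file {0}" and the following backslash, so after line joining the
        # shell saw `"file ./ret2libc_arm"-ex` as one word and gdb never
        # received the intended file name.
        # The interpolated values are local constants.  The double quotes only
        # work because the terminal runs this string through a shell, so if these
        # values ever come from user input they must be shell-quoted first.
        attach_payload = " ".join([
            "gdb-multiarch",
            '-ex "file {}"'.format(pwnfile),
            '-ex "set architecture {}"'.format(pwn_arch),
            '-ex "target remote 127.0.0.1:{}"'.format(port),
        ])
        # `misc` is the module imported explicitly at the top of the file.
        misc.run_in_new_terminal(attach_payload)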