debug-vm analysis

An analysis of the virtual-machine challenge from 强网杯 (QWB CTF).

The program is too large to read through directly, so look at the strings instead. One of them is

```
T%02xthread:%02x;
```

which shows that this is a gdb server stub.
Serve the program over TCP with ncat:

```sh
ncat -vc ./debug-vm -kl 0.0.0.0 4444
```

Leave the program suspended there and connect to it remotely from gdb.
```
Could not check ASLR: Couldn't get randomize_va_space
Could not check ASLR: Couldn't get personality
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
[──────────────────────────────────REGISTERS───────────────────────────────────]
EAX 0 ◂— 0x0
EBX 0 ◂— 0x0
ECX 0 ◂— 0x0
EDX 0 ◂— 0x0
EDI 0 ◂— 0x0
ESI 0 ◂— 0x0
EBP 0 ◂— 0x0
ESP 0 ◂— 0x0
EIP 0 ◂— 0x0
[────────────────────────────────────DISASM────────────────────────────────────]
► 0x0 inc edx
0x1 add byte ptr [ecx], al
0x3 add byte ptr [eax], al
0x5 add byte ptr [edx + 1], al
0x8 add dword ptr [eax], eax
0xa add byte ptr [eax], al
0xc inc edx
0xd add al, byte ptr [eax]
0xf add byte ptr [eax], al
0x11 add byte ptr [eax + 2], cl
0x14 add byte ptr fs:[eax], al
[────────────────────────────────────STACK─────────────────────────────────────]
00:0000│ eax ebx ecx edx edi esi ebp esp eip eflags 0 ◂— 0x0
01:0004│ 4 ◂— 0x4
[──────────────────────────────────BACKTRACE───────────────────────────────────]
► f 0 0
```
Reversing this took a great deal of effort. Someone online claimed it was not hard, but this thing has been modified, so you cannot simply search for the original source strings.

First, search for the $ character to locate gdb_read_byte.
Then follow that function up to its caller, gdb_handlesig.
Inside gdb_read_byte there is a function that writes characters out, put_buffer.
Below is gdb_handle_packet.
The gdb communication protocol
Protocol definition
The GDB Remote Serial Protocol (RSP) is a simple protocol that transfers ASCII messages over any medium that supports at least half-duplex communication, such as a serial line or a network.

An RSP packet starts with the $ character, followed by one or more ASCII bytes that make up the message being sent, and ends with #. After the #, two hexadecimal ASCII characters carry the checksum of the message. A complete RSP packet looks like this:

```
$m4015bc,2#5a
```


The receiver of a message immediately replies with '+' to signal that the data was received correctly, or '-' to signal that it was not. When '-' is returned, GDB reports the error code to the user and unconditionally suspends the GDB process.

The target prints information to the GDB console in the order in which it received the commands. Unless another command is currently executing in the GDB process, information from the target may appear on the console at any time.

Use set debug remote 1 in gdb to view the exchange:

```
Sending packet: $T1#85...Ack
Packet received: OK
Sending packet: $m5624f000,1#91...Ack
Packet received: E14
Sending packet: $me6b53000,1#bf...Ack
Packet received: E14
0x00000000 in ?? ()
Sending packet: $m5624f888,4#ac...Ack
Packet received: E14
Sending packet: $me6b5314d,4#fb...Ack
Packet received: E14
Sending packet: $me6b5314d,4#fb...Ack
Packet received: E14
Sending packet: $m65,4#38...Ack
Packet received: 00000000
Sending packet: $m0,4#fd...Ack
Packet received: 42000100
Sending packet: $m10042,4#c4...Ack
Packet received: E14
Sending packet: $m0,4#fd...Ack
Packet received: 42000100
Sending packet: $m10042,4#c4...Ack
Packet received: E14
Sending packet: $m0,4#fd...Ack
Packet received: 42000100
Sending packet: $m10042,4#c4...Ack
Packet received: E14
Sending packet: $m0,4#fd...Ack
Packet received: 42000100
```
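As an added example (not code from this write-up or from the stub itself), here is a small Python implementation of the framing described above: it computes the two-digit checksum, validates a received packet, decodes the m memory-read requests and the E14/hex replies seen in the log, and parses the T stop reply that the T%02xthread:%02x; string in the binary produces. The function names are my own.

```python
import re

def rsp_checksum(payload: bytes) -> int:
    """RSP checksum: the sum of all payload bytes, modulo 256."""
    return sum(payload) % 256

def rsp_encode(payload: str) -> str:
    """Frame a payload as $<payload>#<cc>, e.g. 'm4015bc,2' -> '$m4015bc,2#5a'."""
    return "$%s#%02x" % (payload, rsp_checksum(payload.encode()))

def rsp_decode(packet: str) -> str:
    """Check framing and checksum of '$...#cc' and return the payload.
    A stub answers a packet that fails here with '-', a good one with '+'."""
    m = re.fullmatch(r"\$(.*)#([0-9a-fA-F]{2})", packet, re.S)
    if not m:
        raise ValueError("bad framing: %r" % packet)
    payload, cc = m.group(1), int(m.group(2), 16)
    if rsp_checksum(payload.encode()) != cc:
        raise ValueError("bad checksum in %r" % packet)
    return payload

def parse_memory_read(payload: str):
    """Decode an 'm<addr>,<len>' read request (both hex) into (addr, length)."""
    m = re.fullmatch(r"m([0-9a-fA-F]+),([0-9a-fA-F]+)", payload)
    if not m:
        raise ValueError("not a memory read: %r" % payload)
    return int(m.group(1), 16), int(m.group(2), 16)

def decode_memory_reply(payload: str):
    """Decode the stub's reply to 'm': 'Exx' is an error code (E14 in the log
    above), otherwise the requested bytes as hex. Returns ('error', code) or
    ('data', bytes)."""
    if re.fullmatch(r"E[0-9a-fA-F]{2}", payload):
        return "error", int(payload[1:], 16)
    return "data", bytes.fromhex(payload)

def parse_stop_reply(payload: str):
    """Decode a stub-to-gdb stop reply 'Tss key:val;...', the packet that the
    T%02xthread:%02x; format string in the binary produces (not to be confused
    with gdb's own 'T<thread>' alive query in the log). Returns (signal, fields)."""
    if len(payload) < 3 or payload[0] != "T":
        raise ValueError("not a T stop reply: %r" % payload)
    fields = dict(item.partition(":")[::2] for item in payload[3:].split(";") if item)
    return int(payload[1:3], 16), fields
```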

A reference on the RSP protocol: https://blog.csdn.net/HMSIWTV/article/details/8759129

Next would be hunting for the vulnerability in the virtual machine; there is nothing special about it, so I will not go into it.