pwndocker | Lantern's 小站

简介

由于比赛中经常要更换libc版本, 虚拟机总要切换来切去, 一会儿ubutnu 16.04, 一会儿ubuntu18.04的。

而pwndocker正是为了解决这个问题, 它继承了pwn的常用工具和各个版本的libc

官方项目: skysider/pwndocker

included software

pwntools —— CTF framework and exploit development library
pwndbg —— a GDB plug-in that makes debugging with GDB suck less, with a focus on features needed by low-level software developers, hardware hackers, reverse-engineers and exploit developers
pwngdb —— gdb for pwn
ROPgadget —— facilitate ROP exploitation tool
roputils —— A Return-oriented Programming toolkit
one_gadget —— A searching one-gadget of execve(‘/bin/sh’, NULL, NULL) tool for amd64 and i386
angr —— A platform-agnostic binary analysis framework
radare2 —— A rewrite from scratch of radare in order to provide a set of libraries and tools to work with binary files
seccomp-tools —— Provide powerful tools for seccomp analysis
linux_server[64] —— IDA 7.0 debug server for linux
tmux —— a terminal multiplexer
ltrace —— trace library function call
strace —— trace system call

included glibc

Default compiled glibc path is ./glibc

2.19 —— ubuntu 12.04 default libc version
2.23 —— ubuntu 16.04 default libc version
2.24 —— introduce vtable check in file struct
2.27 —— pwndocker default glibc version
2.28~2.31 —— latest libc versions

How to run in custom libc version

cp /glibc/2.27/64/lib/ld-2.27.so /tmp/ld-2.27.so
patchelf --set-interpreter /tmp/ld-2.27.so ./test
LD_PRELOAD=./libc.so.6 ./test

from pwn import *
p = process(["/path/to/ld.so", "./test"], env={"LD_PRELOAD":"/path/to/libc.so.6"})

安装

docker安装

curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
sudo usermod -aG docker $(whoami)

加完权限组以后记得注销或重启以生效

pwndocker安装

docker pull skysider/pwndocker

问题

Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running? : 运行命令sudo dockerd即可

容器管理

运行

docker run -d --privileged --name=pwner -v ~/work/pwner:/ctf/work skysider/pwndocker

--privileged 表示特权级运行, 不加gdb调试会没有权限
--name=pwner指定容器名字为pwner
~/work/pwner:/ctf/work 挂载~/work/pwner到容器/ctf/work目录, 方便我们在外部使用vscode编辑脚本

第二次直接看id后运行

docker ps -a
docker start docker_id

进入

docker exec -it docker_id bash

即可进入docker的shell

停止

docker stop docker_id

删除

docker rm docker_id

更换libc

这里借鉴nuoye大佬的shell脚本并稍作修改, 实现自动化:

id=pwner
libc=$1
PWD=/ctf/work
ELF=$2
EXP=$3
docker cp ./${EXP} ${id}:${PWD}
docker cp ./${ELF} ${id}:${PWD}
docker exec -it ${id} chmod 777 ${PWD}/${ELF}
docker exec -it ${id} chmod 777 ${PWD}/${EXP}
docker exec -it ${id} cp /glibc/${libc}/64/lib/ld-${libc}.so ${PWD}
docker exec -it ${id} cp /glibc/${libc}/64/lib/libc.so.6 ${PWD}
docker exec -it ${id} patchelf --set-interpreter ${PWD}/ld-${libc}.so ${PWD}/${ELF}
docker exec -it ${id} tmux

id按需要更换
$1 为传递的libc版本
$2 为文件
$3 为exp

示例:

./auto_libc.sh 2.23 freenote exp.py

具体功能就是将elf和python文件cp到docker上, 然后给予权限, 再将libc和ld（这里用2.29版本）移到/tmp下, 再用patchelf –set-interpreter修改elf的ld文件, 然后进入tmux

而在patch脚本中用如下指定libc执行:

from pwn import *
p = process("/tmp/elf", env={"LD_PRELOAD":"/tmp/libc.so.6"})
context.terminal = ['tmux', 'splitw', '-h']
p.interactive()

参考

Pwndocker篇