pattern create 2000
pattern create 2000 input
pset arg '"A"*200'
pset arg 'cyclic_pattern(200)'
pset env EGG 'cyclic_pattern(200)'
context reg
context code
context stack
vmmap
vmmap binary / libc
vmmap 0xb7d88000
xinfo register eax
xinfo 0xb7d88000
telescope 40
telescope 0xb7d88000 40
pattern offset $pc
pattern search
jmpcall
jmpcall eax
jmpcall esp libc
gennop 500
gennop 500 "\x90"
shellcode x86/linux exec
assemble
skeleton argv exploit.py
set exec-wrapper ./exploit.py
find "/bin/sh" libc
find 0xdeadbeef all
find "..\x04\x08" 0x08048000 0x08049000
refsearch "/bin/sh"
refsearch 0xdeadbeef
lookup address stack libc
lookup pointer stack ld-2
asmsearch "int 0x80"
asmsearch "add esp, ?" libc
ropsearch "pop eax"
ropsearch "xchg eax, esp" libc
dumprop
dumprop binary "pop"
ropgadget
ropgadget libc
elfheader
elfheader .got
readelf libc .text
elfsymbol
elfsymbol printf
payload copybytes
payload copybytes target "/bin/sh"
payload copybytes 0x0804a010 offset
dumpmem libc.mem libc
loadmem stack.mem 0xbffdf000
cmpmem 0x08049000 0x0804a000 data.mem
xormem 0x08049000 0x0804a000 "thekey"
patch $esp 0xdeadbeef
patch $eax "the long string"
pattern patch 0xdeadbeef 100
patch (multiple lines)
strings
strings binary 4
hexdump $sp 64
hexdump $sp /20
hexprint $sp 64
hexprint $sp /20
pdisass main
pdisass $pc /20
nearpc 20
nearpc 0x08048484
pltbreak cpy
deactive setresuid
deactive chdir
unptrace
stepuntil cmp
stepuntil xor
nextcall cpy
nextjmp
tracecall
tracecall "cpy,printf"
tracecall "-puts,fflush"
traceinst 20
traceinst "cmp,xor"
waitfor
waitfor myprog -c
snapshot save
snapshot restore
assemble $pc
mov al, 0xb
int 0x80
end
procinfo
procinfo fd
pshow
pshow option context
pset option context "code,stack"
pset option badchars "\r\n"
pyhelp peda
pyhelp hex2str
gdb-peda$ python print peda.get_vmmap()
gdb-peda$ python
status = peda.get_status()
while status == "BREAKPOINT":
    peda.execute("continue")
    status = peda.get_status()
end
# myscript.py
def myrun(size):
    """Restart the debuggee with a cyclic pattern of `size` bytes as its argument.

    Args:
        size: length of the pattern requested from PEDA's cyclic_pattern();
            offsets into it are recovered afterwards with `pattern offset` /
            `pattern search`.

    Side effects: issues `set arg <pattern>` followed by `run` through
    peda.execute(), so the target is (re)started under gdb.

    NOTE(review): gdb hands `set args` to the startup shell unless
    startup-with-shell is off, so this is only safe while the pattern stays
    shell-neutral (PEDA's default charset is alphanumeric) -- confirm before
    passing a custom charset through this helper.
    """
    pattern = cyclic_pattern(size)
    commands = ["set arg %s" % pattern, "run"]
    for gdb_cmd in commands:
        peda.execute(gdb_cmd)
gdb-peda$ source myscript.py
gdb-peda$ python myrun(100)
PEDA.execute()
PEDA.execute_redirect()
PEDACmd._is_running()
PEDACmd._missing_argument()
utils.execute_external_command()
utils.reset_cache()
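class PEDACmd():
    def mycommand(self, *arg):
        """Example PEDA command: print the pid of the process being debugged.

        Usage: mycommand <arg1>

        Args:
            *arg: raw argument list as gdb hands it to the command. The
                first entry is required; a second one is tolerated but not
                used by this example.

        Raises:
            whatever PEDACmd._missing_argument() raises when arg1 is absent.
            NOTE(review): this code assumes _missing_argument() does not
            return normally; if it only prints, execution falls through to
            the pid lookup -- confirm against the PEDACmd implementation.
        """
        # normalize_argv() pads the tuple to 2 entries so unpacking cannot
        # fail on a short argument list; the second slot is unused here.
        (arg1, _) = normalize_argv(arg, 2)
        if not arg1:
            self._missing_argument()
        # getpid() is only meaningful while a target process exists
        if not self._is_running():
            return
        pid = peda.getpid()
        msg("My command: %d" % pid)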