Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
0 likes159 views
The document outlines a workshop led by Saumil Shah on debugging binaries using the emux IoT emulation framework. It covers concepts like remote debugging, the functions of a debugger, and utilizes tools like gdb and gef, with practical exercises involving an emulated target binary and attack scripts. Additional resources, including codes and documentation links, are provided for participants to enhance their learning experience.
![@therealsaumil
@_ringzer0
A few GDB/GEF commands
RECONNAISSANCE
vmmap [GEF] Display the process' memory layout
info target Information about the target being debugged (ELF binary)
info sharedlibrary Shared Libraries that are loaded with the binary
info functions List of functions that belong to the target binary
PROCESS EXECUTION
break Set a breakpoint
continue Resume process execution
rbreak Set multiple breakpoints using regular expressions
stepi / nexti Step Into / Next Instruction
CPU AND MEMORY
context [GEF] Better view of registers, stack, code, call stack, etc.
x Examine memory (many variations)
hexdump [GEF] When you want characters and bytes side by side
backtrace Display the call stack
info frame Inspect stack frames
disassemble Disassemble code
printf Formatted printing
LUXURIES
set logging Enable / Disable logging and redirect log output to a file
commands Execute multiple commands in sequence every time a breakpoint is reached](https://image.slidesharecdn.com/debugging-with-emux-back2workshops-2022-220708073557-d000f020/85/Debugging-with-EMUX-RIngzer0-BACK2WORKSHOPS-11-320.jpg)
![@therealsaumil
@_ringzer0
Start EMUX
./run-emux-docker
:
:
[+] Setting up forwarded ports 20080:80,20443:443,28080:8080,24433:4433,9999:9999
[+] mapping port 20080 -> 192.168.100.2:80
[+] mapping port 20443 -> 192.168.100.2:443
[+] mapping port 28080 -> 192.168.100.2:8080
[+] mapping port 24433 -> 192.168.100.2:4433
[+] mapping port 9999 -> 192.168.100.2:9999
___ __ __ _ __ __
/ __| / | | | / / by Saumil Shah | The Exploit Laboratory
| __| |/| | |_| ) ( @therealsaumil | emux.exploitlab.net
___|_| |_____/_/_
[EMUX-DOCKER !] ~$
1. Start the EMUX Docker Container](https://image.slidesharecdn.com/debugging-with-emux-back2workshops-2022-220708073557-d000f020/85/Debugging-with-EMUX-RIngzer0-BACK2WORKSHOPS-14-320.jpg)
![@therealsaumil
@_ringzer0
Launch the target
2. Run launcher and boot into Damn Vulnerable ARM Router
[EMUX-DOCKER !] ~$ launcher](https://image.slidesharecdn.com/debugging-with-emux-back2workshops-2022-220708073557-d000f020/85/Debugging-with-EMUX-RIngzer0-BACK2WORKSHOPS-15-320.jpg)
![@therealsaumil
@_ringzer0
Start Userspace
./emux-docker-shell
[emux-docker !] ~$
3. Open a new terminal window and attach to emux-docker-shell
[emux-docker !] ~$ userspace
4. Run userspace](https://image.slidesharecdn.com/debugging-with-emux-back2workshops-2022-220708073557-d000f020/85/Debugging-with-EMUX-RIngzer0-BACK2WORKSHOPS-16-320.jpg)
![@therealsaumil
@_ringzer0
Start nweb (our target binary)
Entering Damn Vulnerable ARM Router CONSOLE (/bin/sh)
[+] Logging enabled
[+] EMUX Debug log - /home/r0/workspace/logs/emuxdebug.log
[+] QEMU Console log - qemuconsole.log
[+] chroot /emux/DV-ARM/rootfs-arm /.emux/emuxshell
Script started, output log file is '/home/r0/workspace/logs/emuxdebug.log'.
BusyBox v1.23.2 (2021-10-14 18:26:48 IST) built-in shell (ash)
/ # nweb 80 /www/nweb/
6. Manually start the nweb web server from the Busybox prompt
./emux-docker-shell
[emux-docker !] ~$ curl http://192.168.100.2
<h1>Ringzer0 Hackme</h1>
7. Start another emux-docker-shell and test nweb](https://image.slidesharecdn.com/debugging-with-emux-back2workshops-2022-220708073557-d000f020/85/Debugging-with-EMUX-RIngzer0-BACK2WORKSHOPS-18-320.jpg)
![@therealsaumil
@_ringzer0
Grab the attack scripts!
[emux-docker !] ~$ cd workspace
[emux-docker !] ~/workspace$ wget https://saumil.net/tmp/attack1.py
--2022-07-07 14:12:48-- https://saumil.net/tmp/attack1.py
Resolving saumil.net (saumil.net)... 208.113.163.5
Connecting to saumil.net (saumil.net)|208.113.163.5|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 535 [text/plain]
Saving to: 'attack1.py'
attack1.py 100%[=======================>] 535 --.-KB/s in 0s
2022-07-07 14:12:50 (58.9 MB/s) - 'attack1.py' saved [535/535]
[emux-docker !] ~/workspace$ chmod +x attack1.py
8. From the emux-docker-shell grab the following attack scripts](https://image.slidesharecdn.com/debugging-with-emux-back2workshops-2022-220708073557-d000f020/85/Debugging-with-EMUX-RIngzer0-BACK2WORKSHOPS-19-320.jpg)
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
- 1. @therealsaumil @_ringzer0 debugging WITH EMUX SAUMIL SHAH @therealsaumil 7 JULY 2022 < BACK2 workshops` ringzer¿
- 2. @therealsaumil @_ringzer0 # WHO AM I Saumil Shah @therealsaumil educating, entertaining and exasperating audiences since 1999
- 3. @therealsaumil @_ringzer0 WHAT IS ARM + MIPS IoT Emulation Framework emux.exploitlab.net
- 4. @therealsaumil @_ringzer0 What Is This Workshop About An Introduction to debugging binaries on emulated targets Using GDB + gdbserver for remote debugging Hands-on examples How EMUX makes the debugging process easy
- 5. @therealsaumil @_ringzer0 EMUX docker container HOST EMUX DOCKER launcher EMULATED TARGET ON QEMU emux-docker-shell workspace (shared directory) nweb (target binary) 192.168.100.2 192.168.100.1 socat 80 20080 RINGZER0 HACKME
- 6. @therealsaumil @_ringzer0 Concepts Covered Functions of a Debugger How does Remote Debugging work EMUX's debugger wrappers Advantages of using GEF Debugging a webserver binary Crash Dump Analysis
- 7. @therealsaumil @_ringzer0 Functions of a Debugger Inspect the target Inspect the CPU state Examine Memory Control Process Execution Analyse Crashes and Exceptions Luxuries: Plugins, Macros, Logging
- 8. @therealsaumil @_ringzer0 Remote Debugging - how it works GDB multiarch nweb (target binary) 192.168.100.1 gdbserver :5000 --attach <PID> (gdb) target remote 192.168.100.2:5000 (gdb) set sysroot target:/path/to/rootfs (gdb) continue REMOTE HOST 192.168.100.2
- 9. @therealsaumil @_ringzer0 Remote Debugging - emuxgdb emux-docker-shell nweb (target binary) REMOTE HOST 192.168.100.1 gdbserver $ emuxgdb nweb (gdb) " Automatically looks up the PID of the target " Launches gdbserver on the remote host " Launches gdb-multiarch locally " Connects to remote gdbserver " Sets sysroot " Ready to debug! 192.168.100.2
- 10. @therealsaumil @_ringzer0 Plain ol GDB -vs- new & shiny GEF
- 11. @therealsaumil @_ringzer0 A few GDB/GEF commands RECONNAISSANCE vmmap [GEF] Display the process' memory layout info target Information about the target being debugged (ELF binary) info sharedlibrary Shared Libraries that are loaded with the binary info functions List of functions that belong to the target binary PROCESS EXECUTION break Set a breakpoint continue Resume process execution rbreak Set multiple breakpoints using regular expressions stepi / nexti Step Into / Next Instruction CPU AND MEMORY context [GEF] Better view of registers, stack, code, call stack, etc. x Examine memory (many variations) hexdump [GEF] When you want characters and bytes side by side backtrace Display the call stack info frame Inspect stack frames disassemble Disassemble code printf Formatted printing LUXURIES set logging Enable / Disable logging and redirect log output to a file commands Execute multiple commands in sequence every time a breakpoint is reached
- 12. @therealsaumil @_ringzer0 EMUX utilities emuxps List processes running in the emulated device emuxkill Terminate a process inside the emulated device emuxmaps Remote process virtual memory layout emuxgdb Attach gdb to a remote process in the emulated device emuxnetstat Remote netstat emuxhalt Shut down the emulated device monitor Attach to QEMU monitor
- 14. @therealsaumil @_ringzer0 Start EMUX ./run-emux-docker : : [+] Setting up forwarded ports 20080:80,20443:443,28080:8080,24433:4433,9999:9999 [+] mapping port 20080 -> 192.168.100.2:80 [+] mapping port 20443 -> 192.168.100.2:443 [+] mapping port 28080 -> 192.168.100.2:8080 [+] mapping port 24433 -> 192.168.100.2:4433 [+] mapping port 9999 -> 192.168.100.2:9999 ___ __ __ _ __ __ / __| / | | | / / by Saumil Shah | The Exploit Laboratory | __| |/| | |_| ) ( @therealsaumil | emux.exploitlab.net ___|_| |_____/_/_ [EMUX-DOCKER !] ~$ 1. Start the EMUX Docker Container
- 15. @therealsaumil @_ringzer0 Launch the target 2. Run launcher and boot into Damn Vulnerable ARM Router [EMUX-DOCKER !] ~$ launcher
- 16. @therealsaumil @_ringzer0 Start Userspace ./emux-docker-shell [emux-docker !] ~$ 3. Open a new terminal window and attach to emux-docker-shell [emux-docker !] ~$ userspace 4. Run userspace
- 17. @therealsaumil @_ringzer0 Enter the DVAR Console 5. Select "Enter the Damn Vulnerable ARM Router CONSOLE" option
- 18. @therealsaumil @_ringzer0 Start nweb (our target binary) Entering Damn Vulnerable ARM Router CONSOLE (/bin/sh) [+] Logging enabled [+] EMUX Debug log - /home/r0/workspace/logs/emuxdebug.log [+] QEMU Console log - qemuconsole.log [+] chroot /emux/DV-ARM/rootfs-arm /.emux/emuxshell Script started, output log file is '/home/r0/workspace/logs/emuxdebug.log'. BusyBox v1.23.2 (2021-10-14 18:26:48 IST) built-in shell (ash) / # nweb 80 /www/nweb/ 6. Manually start the nweb web server from the Busybox prompt ./emux-docker-shell [emux-docker !] ~$ curl http://192.168.100.2 <h1>Ringzer0 Hackme</h1> 7. Start another emux-docker-shell and test nweb
- 19. @therealsaumil @_ringzer0 Grab the attack scripts! [emux-docker !] ~$ cd workspace [emux-docker !] ~/workspace$ wget https://saumil.net/tmp/attack1.py --2022-07-07 14:12:48-- https://saumil.net/tmp/attack1.py Resolving saumil.net (saumil.net)... 208.113.163.5 Connecting to saumil.net (saumil.net)|208.113.163.5|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 535 [text/plain] Saving to: 'attack1.py' attack1.py 100%[=======================>] 535 --.-KB/s in 0s 2022-07-07 14:12:50 (58.9 MB/s) - 'attack1.py' saved [535/535] [emux-docker !] ~/workspace$ chmod +x attack1.py 8. From the emux-docker-shell grab the following attack scripts
- 21. @therealsaumil @_ringzer0 HERE BE THE GOODS CODE: https://github.com/therealsaumil/emux !- ANNOUNCEMENTS: @therealsaumil DOCS: https://emux.exploitlab.net/
- 22. @therealsaumil @_ringzer0 ringzer¿ AUGUST 6-9 REGISTRATIONS OPEN www.ringzer¿.training THE ARM IoT EXPLOIT LABORATORY
- 23. @therealsaumil @_ringzer0 THANK YOU! SAUMIL SHAH @therealsaumil 7 JULY 2022 < BACK2 workshops` ringzer¿