
Tutorial (Ida Pro) Debug any remote device via telnet and Ida Pro

Discussion in 'Debuggers' started by storm shadow, Jun 14, 2015.


  1. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    I had some time today and wanted to test if I could debug my set top box, a Vu+ Ultimo running Enigma firmware.

    I know the target is MIPS.

    So, thinking how to do this: the target doesn't have a shell like a Linux computer.

    So I'm thinking telnet, since almost every device that connects to the web or localhost has telnet support.

    Next problem is my set top box: since it doesn't have a shell, it would be hard to build gdbserver, at least not using gcc to build it.

    Android NDK to the rescue. :)
    The NDK has a lot of prebuilt targets, including MIPS and x86/x64,
    found in the prebuilt folder.


    Well, MIPS is MIPS, gonna try the Android MIPS x86. (I'm cheating, I already knew what my target is.)
    I have uploaded all the targets here
    https://mega.co.nz/#!H90zHTLJ!ht96FhUqZdEohW_rx3x8_Js51-HVpsuVEDObhSN0ccc


    Luckily my set top box has FTP support.
    I FTP gdbserver to the /etc folder on the box.
    Probably there are ways to do this with telnet also.

    Now we connect to the box.
    I use PuTTY, but you can use Windows telnet also, but you have to activate it.

    After username and password we have a telnet shell.

    We cd to the gdbserver folder

    Code (Text):
    # cd /etc
    Set gdbserver permissions.

    Code (Text):
    # chmod 777 ./gdbserver
    Now the tricky part of opening your ports.

    First we want to know what local IP we have on the box.

    In the telnet shell type
    Code (Text):

    ifconfig
     
    eth0 Link encap:Ethernet HWaddr **************
    inet addr:10.0.0.1 Bcast:***** Mask:255.255.255.0
    So local port is 10.0.0.1

    IDA uses port 23946, so we're gonna try forwarding that.

    There apparently are many ways of doing this.

    Here is a ref on how to do this with SSH.
    http://www.linuxhorizon.ro/ssh-tunnel.html

    or this one, which I think is a little easier
    http://www.slashroot.in/ssh-port-forwarding-linux-configuration-and-examples

    Check which ports are open

    Code (Text):
    root@vuultimo:~# netstat -nat | grep LISTEN
     
    tcp     0     0 0.0.0.0:2049            0.0.0.0:*              LISTEN
    tcp     0     0 0.0.0.0:8001            0.0.0.0:*              LISTEN
    tcp     0     0 0.0.0.0:57515          0.0.0.0:*               LISTEN
    tcp     0     0 0.0.0.0:139          0.0.0.0:*             LISTEN
    tcp     0     0 0.0.0.0:111          0.0.0.0:*             LISTEN
    tcp     0     0 0.0.0.0:21            0.0.0.0:*            LISTEN
    tcp     0     0 0.0.0.0:22            0.0.0.0:*            LISTEN
    tcp     0     0 0.0.0.0:23            0.0.0.0:*            LISTEN
    tcp     0     0 0.0.0.0:46201          0.0.0.0:*               LISTEN
    tcp     0     0 0.0.0.0:445          0.0.0.0:*             LISTEN
    tcp     0     0 0.0.0.0:58527          0.0.0.0:*               LISTEN
    tcp     0     0 :::22                  :::*                 LISTEN
    root@vuultimo:~#
     
    We try to open port 23946.

    We try both cases
    Code (Text):
    ssh -L 23946:10.0.0.41:23946
    Code (Text):
    root@vuultimo:/etc# ssh -L 23946:localhost:23 10.0.0.1
     
    Host '10.0.0.1' is not in the trusted hosts file.
    (fingerprint md5 :**:**:**)
    Do you want to continue connecting? (y/n) y
    root@10.0.0.1's password:
    root@vuultimo:~#  ssh -L 23946:localhost:23 10.0.0.1
     
    We check open ports again.

    Code (Text):
    root@vuultimo:~# netstat -nat | grep LISTEN
     
    tcp     0     0 0.0.0.0:2049            0.0.0.0:*              LISTEN
    tcp     0     0 0.0.0.0:8001            0.0.0.0:*              LISTEN
    tcp     0     0 127.0.0.1:23946      0.0.0.0:*             LISTEN
    tcp     0     0 0.0.0.0:57515          0.0.0.0:*               LISTEN
    tcp     0     0 0.0.0.0:139          0.0.0.0:*             LISTEN
    tcp     0     0 0.0.0.0:111          0.0.0.0:*             LISTEN
    tcp     0     0 0.0.0.0:21            0.0.0.0:*            LISTEN
    tcp     0     0 0.0.0.0:22            0.0.0.0:*            LISTEN
    tcp     0     0 0.0.0.0:23            0.0.0.0:*            LISTEN
    tcp     0     0 0.0.0.0:46201          0.0.0.0:*               LISTEN
    tcp     0     0 0.0.0.0:445          0.0.0.0:*             LISTEN
    tcp     0     0 0.0.0.0:58527          0.0.0.0:*               LISTEN
    tcp     0     0 :::22                  :::*                 LISTEN
    root@vuultimo:~#
     
    Okay, looks like it's open.

    It's a little tricky if you are not used to opening ports via a Unix shell.

    I think in some cases you can also even manually open your ports in the router, like you do for games.

    Let's run gdbserver.
    Make sure you're still in the etc folder.

    Next open a new telnet shell.

    Type
    Code (Text):
    root@vuultimo:~# ps -A
      PID TTY         TIME CMD
        1 ?     00:00:04 init
        2 ?     00:00:00 kthreadd
        3 ?     00:00:02 ksoftirqd/0
        4 ?     00:00:00 kworker/0:0
        5 ?     00:00:00 kworker/0:0H
        7 ?     00:00:00 kworker/u:0H
        8 ?     00:00:01 migration/0
        9 ?     00:00:00 rcu_bh
       10 ?     00:00:00 rcu_sched
       11 ?     00:00:00 migration/1
       12 ?     00:00:00 ksoftirqd/1
       14 ?     00:00:00 kworker/1:0H
       15 ?     00:00:00 khelper
       16 ?     00:00:00 kdevtmpfs
       17 ?     00:00:00 bdi-default
       18 ?     00:00:00 kblockd
       19 ?     00:00:00 ata_sff
       20 ?     00:00:00 khubd
       21 ?     00:00:00 cfg80211
       22 ?     00:00:00 kworker/0:1
       23 ?     00:00:00 rpciod
       24 ?     00:00:01 kworker/1:1
       25 ?     00:00:00 kswapd0
       26 ?     00:00:00 fsnotify_mark
       27 ?     00:00:00 unionfs_siod
       28 ?     00:00:00 nfsiod
       29 ?     00:00:00 crypto
       43 ?     00:00:00 scsi_eh_0
       44 ?     00:00:00 scsi_eh_1
       45 ?     00:00:00 kworker/u:1
       47 ?     00:00:00 deferwq
       48 ?     00:00:00 kworker/u:3
       50 ?     00:00:00 ubi_bgt0d
       51 ?     00:00:00 ubifs_bgt0_0
       73 ?     00:00:00 sched
       74 ?     00:00:00 sched_low
       75 ?     00:01:12 sched_high
       76 ?     00:00:00 sched_idle
       78 ?     00:00:00 brcmv
       79 ?     00:00:00 fbt0
       80 ?     00:00:00 ci_kthread
       81 ?     00:00:00 ci_kthread
      111 ?     00:00:00 udevd
      283 ?     00:00:00 kworker/0:1H
      478 ?     00:00:00 kworker/1:1H
      479 ?     00:00:00 kjournald
      542 ?     00:00:00 nmbd
      544 ?     00:00:00 smbd
      563 ?     00:00:00 smbd
      576 ?     00:00:00 portmap
      582 ?     00:00:00 crond
      592 ?     00:00:00 dbus-daemon
      596 ?     00:00:00 dropbear
      708 ?     00:00:01 automount
      764 ?     00:00:00 blackholesocker
      777 ?     00:00:00 inetd
      802 ?     00:00:00 lockd
      803 ?     00:00:00 nfsd
      804 ?     00:00:00 nfsd
      805 ?     00:00:00 nfsd
      806 ?     00:00:00 nfsd
      807 ?     00:00:00 nfsd
      808 ?     00:00:00 nfsd
      809 ?     00:00:00 nfsd
      810 ?     00:00:00 nfsd
      812 ?     00:00:00 rpc.mountd
      814 ?     00:00:00 rpc.statd
      819 ?     00:00:00 syslogd
      821 ?     00:00:00 klogd
      831 ?     00:00:00 avahi-daemon
      833 ?     00:00:00 avahi-daemon
      847 ?     00:00:00 enigma2.sh
      851 ?     00:05:03 enigma2
      856 ?     00:00:00 ca08
      859 ?     00:00:00 ci_kthread
      871 ?     00:00:00 telnetd
      872 pts/0 00:00:00 sh
      927 ?     00:00:12 hbbtv.app
      956 ?     00:00:02 kdvb-ad-0-fe-0
    1179 ?      00:00:00 telnetd
    1180 pts/1  00:00:00 sh
    2478 ?      00:00:00 kworker/1:0
    2604 pts/1  00:00:00 ssh
    2605 ?      00:00:00 dropbear
    2614 pts/2  00:00:00 sh
    2709 ?      00:00:00 flush-ubifs_0_0
    2750 pts/2  00:00:00 ps
    root@vuultimo:~#
     
    Also try

    Code (Text):
    root@vuultimo:~# ps aux
    USER       PID %CPU %MEM    VSZ   RSS TTY     STAT START   TIME COMMAND
    root         1  0.1  0.2   1780   624 ?     Ss   12:44   0:04 init [3]
    root         2  0.0  0.0      0  0 ?        S   12:44   0:00 [kthreadd]
    root         3  0.0  0.0      0  0 ?        S   12:44   0:02 [ksoftirqd/0]
    root         4  0.0  0.0      0  0 ?        S   12:44   0:00 [kworker/0:0]
    root         5  0.0  0.0      0  0 ?        S<   12:44   0:00 [kworker/0:0H]
    root         7  0.0  0.0      0  0 ?        S<   12:44   0:00 [kworker/u:0H]
    root         8  0.0  0.0      0  0 ?        S   12:44   0:01 [migration/0]
    root         9  0.0  0.0      0  0 ?        S   12:44   0:00 [rcu_bh]
    root        10  0.0  0.0      0  0 ?        S   12:44   0:00 [rcu_sched]
    root        11  0.0  0.0      0  0 ?        S   12:44   0:00 [migration/1]
    root        12  0.0  0.0      0  0 ?        S   12:44   0:00 [ksoftirqd/1]
    root        14  0.0  0.0      0  0 ?        S<   12:44   0:00 [kworker/1:0H]
    root        15  0.0  0.0      0  0 ?        S<   12:44   0:00 [khelper]
    root        16  0.0  0.0      0  0 ?        S   12:44   0:00 [kdevtmpfs]
    root        17  0.0  0.0      0  0 ?        S   12:44   0:00 [bdi-default]
    root        18  0.0  0.0      0  0 ?        S<   12:44   0:00 [kblockd]
    root        19  0.0  0.0      0  0 ?        S<   12:44   0:00 [ata_sff]
    root        20  0.0  0.0      0  0 ?        S   12:44   0:00 [khubd]
    root        21  0.0  0.0      0  0 ?        S<   12:44   0:00 [cfg80211]
    root        22  0.0  0.0      0  0 ?        S   12:44   0:00 [kworker/0:1]
    root        23  0.0  0.0      0  0 ?        S<   12:44   0:00 [rpciod]
    root        24  0.0  0.0      0  0 ?        S   12:44   0:01 [kworker/1:1]
    root        25  0.0  0.0      0  0 ?        S   12:44   0:00 [kswapd0]
    root        26  0.0  0.0      0  0 ?        S   12:44   0:00 [fsnotify_mark]
    root        27  0.0  0.0      0  0 ?        S<   12:44   0:00 [unionfs_siod]
    root        28  0.0  0.0      0  0 ?        S<   12:44   0:00 [nfsiod]
    root        29  0.0  0.0      0  0 ?        S<   12:44   0:00 [crypto]
    root        43  0.0  0.0      0  0 ?        S   12:44   0:00 [scsi_eh_0]
    root        44  0.0  0.0      0  0 ?        S   12:44   0:00 [scsi_eh_1]
    root        45  0.0  0.0      0  0 ?        S   12:44   0:00 [kworker/u:1]
    root        47  0.0  0.0      0  0 ?        S<   12:44   0:00 [deferwq]
    root        48  0.0  0.0      0  0 ?        S   12:44   0:00 [kworker/u:3]
    root        50  0.0  0.0      0  0 ?        S   12:44   0:00 [ubi_bgt0d]
    root        51  0.0  0.0      0  0 ?        S   12:44   0:00 [ubifs_bgt0_0]
    root        73  0.0  0.0      0  0 ?        S   12:44   0:00 [sched]
    root        74  0.0  0.0      0  0 ?        S   12:44   0:00 [sched_low]
    root        75  2.1  0.0      0  0 ?        S   12:44   1:13 [sched_high]
    root        76  0.0  0.0      0  0 ?        S   12:44   0:00 [sched_idle]
    root        78  0.0  0.0      0  0 ?        S   12:44   0:00 [brcmv]
    root        79  0.0  0.0      0  0 ?        S   12:44   0:00 [fbt0]
    root        80  0.0  0.0      0  0 ?        S   12:44   0:00 [ci_kthread]
    root        81  0.0  0.0      0  0 ?        S   12:44   0:00 [ci_kthread]
    root       111  0.0  0.2   2240   676 ?     S<s  12:44   0:00 udevd --daemon
    root       283  0.0  0.0      0  0 ?        S<   12:44   0:00 [kworker/0:1H]
    root       478  0.0  0.0      0  0 ?        S<   12:44   0:00 [kworker/1:1H]
    root       479  0.0  0.0      0  0 ?        S   12:44   0:00 [kjournald]
    root       542  0.0  0.5   3876  1492 ?     Ss   12:44   0:00 nmbd -D
    root       544  0.0  0.8   6808  2300 ?     Ss   12:44   0:00 smbd -D
    root       563  0.0  0.3   6808  1020 ?     S   12:44   0:00 smbd -D
    daemon   576  0.0  0.1   1868   484 ?       Ss   12:44   0:00 /sbin/portmap
    root       582  0.0  0.1   2460   540 ?     Ss   12:44   0:00 /usr/sbin/crond -c /etc/bhcron/
    999     592  0.0  0.2   2824   820 ?        Ss   12:44   0:00 /usr/bin/dbus-daemon --system
    root       596  0.0  0.1   2472   504 ?     Ss   12:44   0:00 /usr/sbin/dropbear -r /etc/dropbear/dropbear_rsa_
    root       708  0.0  0.2   2320   744 ?     Ss   12:44   0:01 /usr/sbin/automount --pid-file=/var/run/autofs/_a
    root       764  0.0  0.1   1624   360 ?     Ss   12:44   0:00 /usr/bin/blackholesocker
    root       777  0.0  0.2   2824   692 ?     Ss   12:44   0:00 /usr/sbin/inetd
    root       802  0.0  0.0      0  0 ?        S   12:44   0:00 [lockd]
    root       803  0.0  0.0      0  0 ?        S   12:44   0:00 [nfsd]
    root       804  0.0  0.0      0  0 ?        S   12:44   0:00 [nfsd]
    root       805  0.0  0.0      0  0 ?        S   12:44   0:00 [nfsd]
    root       806  0.0  0.0      0  0 ?        S   12:44   0:00 [nfsd]
    root       807  0.0  0.0      0  0 ?        S   12:44   0:00 [nfsd]
    root       808  0.0  0.0      0  0 ?        S   12:44   0:00 [nfsd]
    root       809  0.0  0.0      0  0 ?        S   12:44   0:00 [nfsd]
    root       810  0.0  0.0      0  0 ?        S   12:44   0:00 [nfsd]
    root       812  0.0  0.1   2408   532 ?     Ss   12:44   0:00 /usr/sbin/rpc.mountd -f /etc/exports
    root       814  0.0  0.2   2108   808 ?     Ss   12:44   0:00 /usr/sbin/rpc.statd
    root       819  0.0  0.2   2460   648 ?     Ss   12:44   0:00 /sbin/syslogd -n -O /var/log/messages
    root       821  0.0  0.2   2460   616 ?     Ss   12:44   0:00 /sbin/klogd -n
    avahi     831  0.0  0.5   3464  1540 ?      S   12:44   0:00 avahi-daemon: running [vuultimo.local]
    avahi     833  0.0  0.1   3464   496 ?      S   12:44   0:00 avahi-daemon: chroot helper
    root       847  0.0  0.2   2460   560 ?     Ss   12:44   0:00 /bin/sh /usr/bin/enigma2.sh
    root       851  8.9 28.7 146936 79152 ?     Sl   12:44   5:07 /usr/bin/enigma2
    root       856  0.0  0.0      0  0 ?        S   12:44   0:00 [ca08]
    root       859  0.0  0.0      0  0 ?        S   12:44   0:00 [ci_kthread]
    root       871  0.0  0.2   2780   800 ?     Ss   12:44   0:00 telnetd
    root       872  0.0  0.3   2776   888 pts/0 Ss+  12:44   0:00 -sh
    root       927  0.3  5.8  84432 16100 ?     Sl   12:45   0:12 /usr/local/hbb-browser/lib/hbbtv.app restart
    root       956  0.0  0.0      0  0 ?        S   12:45   0:02 [kdvb-ad-0-fe-0]
    root      1179  0.0  0.2   2780   800 ?     Ss   12:51   0:00 telnetd
    root      1180  0.0  0.3   2776   892 pts/1 Ss   12:51   0:00 -sh
    root      1574  2.1  1.1 130008  3192 ?     Ssl  13:03   0:48 /usr/bin/CCcam_230
    root      2478  0.0  0.0      0  0 ?        S   13:32   0:00 [kworker/1:0]
    root      2604  0.1  0.4   3164  1208 pts/1 S+   13:36   0:00 ssh -L 23946:localhost:23 10.0.0.1
    root      2605  0.2  0.4   3396  1312 ?     Ss   13:36   0:00 /usr/sbin/dropbear -r /etc/dropbear/dropbear_rsa_
    root      2614  0.0  0.3   2776   884 pts/2 Ss   13:36   0:00 -sh
    root      2709  0.0  0.0      0  0 ?        S   13:39   0:00 [flush-ubifs_0_0]
    root      2756  0.0  0.0      0  0 ?        S   13:40   0:00 [kworker/1:2]
    root      2778  0.0  0.3   2640   968 pts/2 R+   13:41   0:00 ps aux
    root@vuultimo:~#
     

    Gonna try PID 856, which is the CA module for the satellite card.

    From shell.

    Code (Text):
    root@vuultimo:/etc# ./gdbserver --multi localhost:23946
    Listening on port 23946
    Now fire up IDA; I use it with admin rights.
    Go to Debugger >> Attach remote GDB server.

    Select Debug options and then set specific options.

    In specific options choose MIPS architecture.

    Press OK, OK, OK.

    Now we're back to the first GDB screen.
    We need the info from the ifconfig command we ran before.

    I had local IP 10.0.0.1.

    We go along, press OK.

    It then asks what PID to attach to.

    We have the PID running from before with the ps commands.
    PID 865

    success


    :D

    I could use some hints on how to forward TCP/UDP better via shell.

    But the tut should work for any device that has telnet, so basically everything :)
    Just remember to have the right gdbserver build (same as target).
     
    Last edited: Jun 14, 2015
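The post does three things by eye that are easy to get wrong: picking a gdbserver build that matches the target, confirming that the IDA port is reachable only through the SSH tunnel (a gdbserver has no authentication of its own, so a listener bound to all interfaces lets any host on the LAN attach), and picking the PID out of `ps` output. The script below is an added example, not code from storm shadow's post or from the Techbliss thread, that automates those checks offline. `EM_NAMES`, `make_elf_header`, `SAMPLE_NETSTAT` and `SAMPLE_PS` are constructed here; the samples are modelled on the netstat and `ps -A` output shown in the post. In real use the two ELF headers would be the first 20 bytes of the NDK gdbserver and of any binary already on the box (for instance `/bin/sh`, fetched over the same FTP the post uses).

```python
"""Pre-flight checks for debugging a telnet-only box with a prebuilt gdbserver.

Added example, not code from the thread. Sample inputs are constructed to
mimic the post's output.
"""
import re
import struct
from dataclasses import dataclass

# e_machine values from the ELF specification (subset relevant to NDK prebuilts).
EM_NAMES = {3: "x86", 8: "mips", 40: "arm", 62: "x86_64", 183: "aarch64"}


@dataclass(frozen=True)
class ElfTarget:
    bits: int      # 32 or 64 (EI_CLASS)
    endian: str    # "little" or "big" (EI_DATA)
    machine: str   # e_machine, decoded via EM_NAMES


def elf_target(header: bytes) -> ElfTarget:
    """Decode class, byte order and machine from the first 20 bytes of an ELF file."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF header")
    bits = {1: 32, 2: 64}[header[4]]
    endian = {1: "little", 2: "big"}[header[5]]
    fmt = "<H" if endian == "little" else ">H"
    (e_machine,) = struct.unpack_from(fmt, header, 18)  # e_machine sits after e_type at offset 16
    return ElfTarget(bits, endian, EM_NAMES.get(e_machine, "unknown(%d)" % e_machine))


def same_target(gdbserver_header: bytes, target_binary_header: bytes) -> bool:
    """True when gdbserver and a binary from the box share class, endianness and machine."""
    return elf_target(gdbserver_header) == elf_target(target_binary_header)


def make_elf_header(bits: int, endian: str, e_machine: int) -> bytes:
    """Constructed sample header: only the fields the check reads are meaningful."""
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 1 if endian == "little" else 2, 1]) + bytes(9)
    fmt = "<HH" if endian == "little" else ">HH"
    return ident + struct.pack(fmt, 2, e_machine)  # e_type = ET_EXEC, then e_machine


# One line of `netstat -nat | grep LISTEN` as shown in the post (IPv4 and IPv6 forms).
LISTEN_RE = re.compile(r"^\s*tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s*$")


def listeners(netstat_output: str) -> dict:
    """Map listening TCP port -> bound address."""
    found = {}
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found[int(m.group(2))] = m.group(1)
    return found


def port_exposure(netstat_output: str, port: int = 23946) -> str:
    """'closed', 'loopback' or 'all-interfaces' for the gdbserver/IDA port.

    gdbserver does not authenticate clients, so anything other than 'loopback'
    (reached through the SSH tunnel) means any host on the LAN can attach.
    """
    addr = listeners(netstat_output).get(port)
    if addr is None:
        return "closed"
    return "loopback" if addr in ("127.0.0.1", "::1") else "all-interfaces"


def pids_by_name(ps_output: str, name: str) -> list:
    """PIDs whose CMD column equals `name` in `ps -A` output (PID TTY TIME CMD)."""
    pids = []
    for line in ps_output.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0].isdigit() and parts[3] == name:
            pids.append(int(parts[0]))
    return pids


# Constructed samples, modelled on the post's netstat and ps -A output.
SAMPLE_NETSTAT = """\
tcp     0     0 127.0.0.1:23946      0.0.0.0:*             LISTEN
tcp     0     0 0.0.0.0:22            0.0.0.0:*            LISTEN
tcp     0     0 0.0.0.0:23            0.0.0.0:*            LISTEN
tcp     0     0 :::22                  :::*                 LISTEN
"""
SAMPLE_PS = """\
  PID TTY         TIME CMD
  856 ?     00:00:00 ca08
  871 ?     00:00:00 telnetd
 1179 ?      00:00:00 telnetd
"""

if __name__ == "__main__":
    mips_be = make_elf_header(32, "big", 8)
    mips_le = make_elf_header(32, "little", 8)
    print("same target:", same_target(mips_le, mips_be))   # False: endianness differs
    print("port 23946:", port_exposure(SAMPLE_NETSTAT))     # loopback
    print("port 23:", port_exposure(SAMPLE_NETSTAT, 23))    # all-interfaces
    print("ca08 pid:", pids_by_name(SAMPLE_PS, "ca08"))     # [856]
```

The ELF check compares byte order as well as the machine value, since a MIPS binary built for one endianness will not run on the other even though "MIPS is MIPS"; the netstat check treats only a loopback-bound 23946 as the tunnelled case the post ends up with.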