GDB动态调试Cisco路由器

env: Linux Ubuntu 15.10 x86_64

 

安装HT文本编辑器：

apt-get install ht hexedit

 

安装QEMU：

依赖项：apt-get install libpcap-dev uml-utilities libelf-dev libelf1

QEMU: apt-get install qemu qemu-common qemuctl qemu-system \qemu-system-mips qemu-system-misc qemu-system-ppc qemu-system-x86

 

设置QEMU：

# cd /usr/share/qemu/

# mkdir ../openbios/

# mkdir ../slof/

# mkdir ../openhackware/ # cd ../openbios/

# wget https://github.com/qemu/qemu/raw/master/pc-bios/openbios-ppc

#wget https://github.com/qemu/qemu/raw/master/pc-bios/openbios-sparc32

# wget https://github.com/qemu/qemu/raw/master/pc-bios/openbios-sparc64

# cd ../openhackware/

# wget https://github.com/qemu/qemu/raw/master/pc-bios/ppc_rom.bin

# cd ../slof/

# wget https://github.com/qemu/qemu/raw/master/pc-bios/slof.bin

# wget https://github.com/qemu/qemu/raw/master/pc-bios/spapr-rtas.bin

 

下载Debian PowerPC镜像:

wget https://people.debian.org/~aurel32/qemu/powerpc/debian_wheezy_powerpc_standard.qcow2

 

启动QEMU，安装SSH：

qemu-host# qemu-system-ppc -m 768 -hda debian_wheezy_powerpc_standard.qcow2

qemu-guest# apt-get update

qemu-guest# apt-get install openssh-server gcc gdb build-essential binutils-multiarch binutils

 

设置SSH反向连接：

qemu-guest# vi /etc/ssh/sshd_config

qemu-guest# GatewayPorts yes

qemu-guest# /etc/init.d/ssh restart

qemu-guest# ssh -NfR 1234:localhost:22 root@192.168.132.128

 

安装Dynamips + GDB stub：

# git clone https://github.com/Groundworkstech/dynamips-gdb-mod

Cloning into ‘dynamips-gdb-mod’…

remote: Counting objects: 290, done.

remote: Total 290 (delta 0), reused 0 (delta 0), pack-reused 290 Receiving objects: 100% (290/290), 631.30 KiB | 0 bytes/s, done. Resolving deltas: 100% (73/73), done.

Checking connectivity… done.

# cd dynamips-gdb-mod/src

# DYNAMIPS_ARCH=amd64 make

Linking rom2c

cc: error: /usr/lib/libelf.a: No such file or directory make: *** [rom2c] Error 1

# updatedb

# locate libelf.a /usr/lib/x86_64-linux-gnu/libelf.a

# cat Makefile |grep “/usr/lib/libelf.a”

LIBS=-L/usr/lib -L. -ldl /usr/lib/libelf.a $(PTHREAD_LIBS)

LIBS=-L. -ldl /usr/lib/libelf.a -lpthread

# cat Makefile | sed -e ‘s#/usr/lib/libelf.a#/usr/lib/x86_64-linux-gnu/libelf.a#g’ >Makefile.1

# mv Makefile Makefile.bak

# mv Makefile.1 Makefile

# DYNAMIPS_ARCH=amd64 make

 

配置并启动Dynamips + GDB stub：

tunctl -t tap1
ifconfig tap1 up
ifconfig tap1 192.168.9.1/24
./dynamips -Z 6666 -j -P 2600 -t 2621 -s 0:0:tap:tap1 -s 0:1:linux_eth:eth0 /home/wayne/Desktop/C2600-BI.BIN

 

启动Debian下的gdb：

[debian@ppc ] # gdb -q

(gdb) target remote 192.168.9.1:6666

0xfff00100 in ?? ()

(gdb)

 

设置断点：

x/6i 0x803bd528

b *0x803bd534

c

 

配置路由器：

conf t

line con 0

logg sync

int fa0/0

ip addr 192.168.9.100 255.255.255.0

no shut

line vty 0 4

password 123

login

wr

 

telnet登录路由器：

 

查看内存：

x/s $r3

x/s $r4

 

参考：

http://www.nthelp.com/cisco_undoc.htm

http://www.securityfocus.com/archive/82/495441/30/0/threaded

http://wenxuecn.blog.163.com/blog/static/220834520071041159533/ 

http://7200emu.hacki.at/viewtopic.php?p=32425&sid=4c1fcde0115e71686b6335f848df1cb5

http://2014.ruxcon.org.au/assets/2014/slides/Breaking%20Bricks%20Ruxcon%202014.pdf