env: Linux Ubuntu 15.10 x86_64
Install the HT text editor:
apt-get install ht hexedit
Install QEMU:
Dependencies: apt-get install libpcap-dev uml-utilities libelf-dev libelf1
QEMU: apt-get install qemu qemu-common qemuctl qemu-system qemu-system-mips qemu-system-misc qemu-system-ppc qemu-system-x86
Set up QEMU:
# cd /usr/share/qemu/
# mkdir ../openbios/
# mkdir ../slof/
# mkdir ../openhackware/
# cd ../openbios/
# wget https://github.com/qemu/qemu/raw/master/pc-bios/openbios-ppc
# wget https://github.com/qemu/qemu/raw/master/pc-bios/openbios-sparc32
# wget https://github.com/qemu/qemu/raw/master/pc-bios/openbios-sparc64
# cd ../openhackware/
# wget https://github.com/qemu/qemu/raw/master/pc-bios/ppc_rom.bin
# cd ../slof/
# wget https://github.com/qemu/qemu/raw/master/pc-bios/slof.bin
# wget https://github.com/qemu/qemu/raw/master/pc-bios/spapr-rtas.bin
Download the Debian PowerPC image:
wget https://people.debian.org/~aurel32/qemu/powerpc/debian_wheezy_powerpc_standard.qcow2
Start QEMU and install SSH:
qemu-host# qemu-system-ppc -m 768 -hda debian_wheezy_powerpc_standard.qcow2
qemu-guest# apt-get update
qemu-guest# apt-get install openssh-server gcc gdb build-essential binutils-multiarch binutils
Set up the SSH reverse connection:
qemu-guest# vi /etc/ssh/sshd_config
    GatewayPorts yes        (add this line to sshd_config)
qemu-guest# /etc/init.d/ssh restart
qemu-guest# ssh -NfR 1234:localhost:22 root@192.168.132.128
Install Dynamips + GDB stub:
# git clone https://github.com/Groundworkstech/dynamips-gdb-mod
Cloning into 'dynamips-gdb-mod'...
remote: Counting objects: 290, done.
remote: Total 290 (delta 0), reused 0 (delta 0), pack-reused 290
Receiving objects: 100% (290/290), 631.30 KiB | 0 bytes/s, done.
Resolving deltas: 100% (73/73), done.
Checking connectivity... done.
# cd dynamips-gdb-mod/src
# DYNAMIPS_ARCH=amd64 make
Linking rom2c
cc: error: /usr/lib/libelf.a: No such file or directory
make: *** [rom2c] Error 1
# updatedb
# locate libelf.a
/usr/lib/x86_64-linux-gnu/libelf.a
# cat Makefile | grep "/usr/lib/libelf.a"
LIBS=-L/usr/lib -L. -ldl /usr/lib/libelf.a $(PTHREAD_LIBS)
LIBS=-L. -ldl /usr/lib/libelf.a -lpthread
# cat Makefile | sed -e 's#/usr/lib/libelf.a#/usr/lib/x86_64-linux-gnu/libelf.a#g' > Makefile.1
# mv Makefile Makefile.bak
# mv Makefile.1 Makefile
# DYNAMIPS_ARCH=amd64 make
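The Makefile fix above, done as a small script instead of a one-off sed. This is an added example, not code from the blog post or from the dynamips-gdb-mod project: it looks for libelf.a in an assumed list of multiarch directories, rewrites only whole-path matches of the hard-coded /usr/lib/libelf.a (so a longer path that merely contains it is left alone), keeps the same Makefile.bak safety copy the blog makes by hand, and carries a constructed Makefile excerpt (SAMPLE_MAKEFILE, built from the two LIBS= lines shown above plus a decoy) so the patching logic can be exercised offline.

```python
"""Repoint the hard-coded libelf.a path in the dynamips-gdb-mod Makefile.

Added example (not from the blog post or the dynamips-gdb-mod project).
Usage: python patch_libelf.py [path/to/Makefile]
"""
import os
import re
import shutil
import sys

# The path the upstream Makefile hard-codes (the two LIBS= lines in the blog's grep output).
STALE_LIBELF = "/usr/lib/libelf.a"

# Assumed list of places a multiarch Debian/Ubuntu installs the static libelf.
CANDIDATE_DIRS = [
    "/usr/lib/x86_64-linux-gnu",
    "/usr/lib/i386-linux-gnu",
    "/usr/lib64",
    "/usr/lib",
]

# Constructed Makefile excerpt for offline testing: the blog's two LIBS= lines
# plus a decoy that merely contains the stale path and must be left untouched.
SAMPLE_MAKEFILE = (
    "LIBS=-L/usr/lib -L. -ldl /usr/lib/libelf.a $(PTHREAD_LIBS)\n"
    "LIBS=-L. -ldl /usr/lib/libelf.a -lpthread\n"
    "ORIG=/usr/lib/libelf.a.orig\n"
)


def _whole_path(stale):
    """Regex matching stale only as a complete path token, not as a prefix of a longer one."""
    return re.compile(r"(?<![\w/.])" + re.escape(stale) + r"(?![\w.])")


def find_libelf(dirs=CANDIDATE_DIRS):
    """First existing libelf.a under dirs, or None (what the blog's `locate libelf.a` found by hand)."""
    for d in dirs:
        p = os.path.join(d, "libelf.a")
        if os.path.isfile(p):
            return p
    return None


def patch_libelf_path(text, libelf_path, stale=STALE_LIBELF):
    """Return (patched_text, replacements) with every whole-path stale reference rewritten."""
    return _whole_path(stale).subn(libelf_path, text)


def remaining_stale(text, stale=STALE_LIBELF):
    """How many whole-path references to the stale libelf are still present (0 once patched)."""
    return len(_whole_path(stale).findall(text))


def patch_makefile(path, libelf_path=None):
    """Rewrite path in place after saving path.bak; return the number of replacements."""
    libelf_path = libelf_path or find_libelf()
    if libelf_path is None:
        raise FileNotFoundError("no libelf.a found; install libelf-dev first")
    with open(path) as f:
        text = f.read()
    new_text, n = patch_libelf_path(text, libelf_path)
    if n == 0:
        return 0  # nothing to do; the Makefile already points elsewhere
    shutil.copyfile(path, path + ".bak")  # same safety net as the blog's Makefile.bak
    with open(path, "w") as f:
        f.write(new_text)
    return n


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "Makefile"
    print("patched %d occurrence(s) in %s" % (patch_makefile(target), target))
```

Run it from dynamips-gdb-mod/src before `DYNAMIPS_ARCH=amd64 make`; if find_libelf() returns None the script stops instead of writing a Makefile that still will not link.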
Configure and start Dynamips + GDB stub:
tunctl -t tap1
ifconfig tap1 up
ifconfig tap1 192.168.9.1/24
./dynamips -Z 6666 -j -P 2600 -t 2621 -s 0:0:tap:tap1 -s 0:1:linux_eth:eth0 /home/wayne/Desktop/C2600-BI.BIN
Start gdb in the Debian guest:
[debian@ppc ] # gdb -q
(gdb) target remote 192.168.9.1:6666
0xfff00100 in ?? ()
(gdb)
Set a breakpoint:
(gdb) x/6i 0x803bd528
(gdb) b *0x803bd534
(gdb) c
Configure the router:
conf t
line con 0
logg sync
int fa0/0
ip addr 192.168.9.100 255.255.255.0
no shut
line vty 0 4
password 123
login
wr
Log in to the router via telnet:
Examine memory:
(gdb) x/s $r3
(gdb) x/s $r4
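What the gdb session above exchanges with the Dynamips stub on port 6666, as an added example that is not code from the blog, from gdb or from dynamips-gdb-mod: a minimal GDB Remote Serial Protocol client that frames packets in the $payload#checksum format, decodes the reply to the `m` memory-read command that x/s issues, and extracts the NUL-terminated string the way x/s $r3 displays it. HOST and PORT default to the blog's 192.168.9.1:6666; SAMPLE_MEMORY_REPLY is a constructed reply, not data captured from a real router; and the live read_memory() helper is the only part that needs the stub running.

```python
"""Minimal GDB Remote Serial Protocol (RSP) client for a Dynamips GDB stub.

Added example, not code from the blog post, gdb or dynamips-gdb-mod. Packet
framing ($payload#xx, checksum = byte sum modulo 256) follows the public RSP
specification; binary escaping is omitted because memory replies are hex text.
"""
import socket

HOST = "192.168.9.1"   # tap1 address of the dynamips host, as in the blog
PORT = 6666            # dynamips -Z 6666

# Constructed sample: what a stub might return for `m <addr>,6` when the bytes
# at that address are the C string "hello\0". Not taken from a real run.
SAMPLE_MEMORY_REPLY = "68656c6c6f00"


def rsp_checksum(payload):
    """Two lowercase hex digits: sum of the payload bytes modulo 256."""
    return "%02x" % (sum(payload.encode("ascii")) % 256)


def rsp_encode(payload):
    """Frame a payload as $payload#checksum."""
    return "$" + payload + "#" + rsp_checksum(payload)


def rsp_decode(frame):
    """Payload of a $...#xx frame, or None if the frame is malformed or the checksum is wrong."""
    if len(frame) < 4 or frame[0] != "$" or frame[-3] != "#":
        return None
    payload, received = frame[1:-3], frame[-2:]
    if received.lower() != rsp_checksum(payload):
        return None  # corrupted frame; a real client would answer with '-' to request a resend
    return payload


def memory_read_request(addr, length):
    """Payload of the RSP `m` command, which gdb sends for x/s, x/6i and friends."""
    return "m%x,%x" % (addr, length)


def decode_memory_reply(payload):
    """Hex pairs from an `m` reply -> bytes; an `Exx` payload means the stub refused the read."""
    if payload.startswith("E"):
        raise RuntimeError("stub error " + payload)
    return bytes.fromhex(payload)


def c_string(data):
    """Mimic x/s: the bytes up to the first NUL, decoded leniently."""
    end = data.find(b"\x00")
    return (data if end < 0 else data[:end]).decode("ascii", "replace")


def recv_frame(sock):
    """Read one $...#xx frame from the socket, skipping the ack/nak character that precedes it."""
    buf = b""
    while True:
        ch = sock.recv(1)
        if not ch:
            raise ConnectionError("stub closed the connection")
        if not buf and ch in (b"+", b"-"):
            continue  # ack/nak for the packet we just sent
        buf += ch
        if len(buf) >= 4 and buf[-3:-2] == b"#":
            return buf.decode("ascii")


def read_memory(addr, length, host=HOST, port=PORT):
    """Connect to the stub, send one `m` request, ack the reply, return the raw bytes."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(rsp_encode(memory_read_request(addr, length)).encode("ascii"))
        payload = rsp_decode(recv_frame(sock))
        sock.sendall(b"+")  # acknowledge the reply, as gdb does
        if payload is None:
            raise ValueError("bad checksum in stub reply")
        return decode_memory_reply(payload)


if __name__ == "__main__":
    # Offline demonstration on the constructed reply; call read_memory() against a live stub instead.
    print(rsp_encode(memory_read_request(0x803BD534, 6)))
    print(c_string(decode_memory_reply(SAMPLE_MEMORY_REPLY)))
```

The checksum check in rsp_decode is the part worth keeping in any such script: a stub reply with a mismatched checksum is dropped rather than trusted, which is exactly what gdb does before it prints anything for x/s.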
References:
http://www.nthelp.com/cisco_undoc.htm
http://www.securityfocus.com/archive/82/495441/30/0/threaded
http://wenxuecn.blog.163.com/blog/static/220834520071041159533/
http://7200emu.hacki.at/viewtopic.php?p=32425&sid=4c1fcde0115e71686b6335f848df1cb5
http://2014.ruxcon.org.au/assets/2014/slides/Breaking%20Bricks%20Ruxcon%202014.pdf
2 comments
Hello, could I ask what role the ASA plays in Cisco debugging? Is it required? I only downloaded dynamips, ran that command, and then connected directly with gdb. Does that not work? Begging for your help....
@aa: There is no ASA in this article. The ASA is a Cisco hardware firewall; how to dynamically debug an ASA is covered in another article on my blog. This one only covers debugging Cisco routers.