I don't know how useful this might actually be on pentests. It's recently come up a few times at work, and also a few times on IRC, so I thought I'd write a little script and primer on using GDB and bash scripting to invoke remote procedures. In this case, remote is defined as "arbitrary process space," i.e., remote is really not inter-system, but rather inter-process. I guess you might call this IPC, but there's almost nothing stopping you from using netcat + gdbserver, etc. You get the idea, I hope.
Also, this is not exactly *NEW* information, but it's also not widely disseminated information. More precisely, it's one of those techniques which is either 1) completely useless except as a toy, or 2) incredibly useful and powerful in niche situations. I can't really decide which, at the moment.
So, without further ado, a resource link:
http://aconole.brad-x.com/projects/rpc-hack
What does this technique provide?
Arbitrary process shell-code injection via gdb + bash, aka a "more pretty interface"
What does this technique NOT provide?
Generally speaking, you must already have privileges to debug the process, meaning you are possibly also in a position to stop, modify, and restart the process (but not always).
Cases where this has been useful?
- "I forgot to set a shell environment and now must restart a process which has a long (5+ minute) initial startup time"
- "I ran some non-interactive program in the wrong working directory and need to move cwd"
- "I need to dump some known internal data structures to the screen, or modify them on the fly without being -too- intrusive"
-Aaron
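The two housekeeping cases listed above (fixing a running process's environment and moving its cwd), as an added example written for this thread and not taken from the linked rpc-hack project. It drives gdb in batch mode with the `call` command; the function names `gdb_script`, `remote_call`, `remote_chdir` and `remote_setenv` are this example's own, and it assumes gdb is installed and that you already hold ptrace rights over the target, the same precondition the post gives.

```shell
#!/bin/sh
# Added example: invoke a libc function inside an already running process by
# attaching gdb in batch mode and using its `call` command, then detaching.
# Assumes: gdb on PATH; same uid as the target (or root); on kernels with Yama,
# /proc/sys/kernel/yama/ptrace_scope may need to permit non-child attach.

# Emit the gdb command script for one in-process call. This is text only, so
# it can be reviewed before anything is attached. The (int) cast is needed
# when the target has no debug info and gdb cannot infer the return type.
gdb_script() {
    printf '%s\n' \
        'set confirm off' \
        'set pagination off' \
        "call (int)$1" \
        'detach' \
        'quit'
}

# Attach to PID $1, evaluate expression $2 in its address space, detach.
# gdb prints the result as "$1 = N"; only N is echoed back to the caller.
remote_call() {
    rc_pid="$1"; rc_expr="$2"
    rc_script=$(mktemp) || return 1
    gdb_script "$rc_expr" > "$rc_script"
    gdb -q -batch -p "$rc_pid" -x "$rc_script" 2>/dev/null |
        sed -n 's/^\$[0-9]* = //p'
    rm -f "$rc_script"
}

# Wrappers for the two cases from the post; both echo 0 on success (libc return value).
remote_chdir()  { remote_call "$1" "chdir(\"$2\")"; }
remote_setenv() { remote_call "$1" "setenv(\"$2\", \"$3\", 1)"; }

# Usage:  remote_chdir 12345 /var/tmp ; remote_setenv 12345 TERM xterm
```

Note that `call` runs on whatever thread gdb stopped in and blocks the whole process while attached, so keep the expression short and check the echoed return value before assuming the change took effect.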
Nice job Orgcandman, good examples and explanation on your blog.
Wielder of the spoon of doom
Summercon, Toorcon, Defcon, Bsides, Derbycon, Shmoocon oh my
Come hang out with hackers on twitter @gunrunr556