This blog post has been created for completing the requirements of the SecurityTube Offensive Internet of Things course.

http://www.securitytube-training.com/online-courses/offensive-internet-of-things-exploitation/index.html

Student ID: IoTE-728

 

In this post I will show how I debugged an application with gdb remotely.

The application can be debugged directly on the IoT device, in which case gdb has to be installed on the device. If the capabilities of the device are limited, this might not be feasible. However, we can install gdbserver on the device and debug the application remotely. gdbserver is smaller than gdb, which may solve the limited-capabilities problem, but the architecture of the computer we debug from is not necessarily the same as that of the target (my host machine is a Mac and the target machine is MIPS). We should use gdb-multiarch to solve this second problem.

It is possible to modify the execution flow of a program while debugging it. For example, we can bypass a password check. For this exercise I created the following sample application:

logincheck.c

#include <stdio.h>
#include <string.h>

#define BUFFERSIZE	256


int main()
{
	const char password[] = "p@ss";
	char string[BUFFERSIZE];

	// Read the password from the stdin; stop if nothing could be read
	printf("Type password: ");
	if ( fgets(string, BUFFERSIZE, stdin) == NULL )
	{
		return -1;
	}

	// Remove trailing newline character, if there is one
	string[ strcspn(string, "\n") ] = 0;

	// Check password
	if ( strcmp(string, password) )
	{
		printf("Wrong password!\n");
		return -1;
	}

	// Login OK
	printf("Login OK\n");

	return 0;
}

 

MIPS Creator Ci40 comes with a pre-installed OpenWRT image. I configured the device and network first, then I installed the necessary packages for development. The necessary packages can also be installed with the help of the admin page (http://<IP_address_of_the_device>/cgi-bin/luci/admin/system/packages).

After these steps I was able to compile the source code on the device with the following command line:

gcc main.c -ggdb -lletmecreate_core -o logincheck

 

On the target machine I started the compiled binary with gdbserver:

gdbserver host:1234 logincheck

 

On my Mac I started gdb-multiarch, which is capable of debugging MIPS binaries. Then I connected to the target machine.

gdb-multiarch logincheck

(gdb) target remote <IP_address_of_the_target_machine>:1234

 

I set a breakpoint before the check and started the application in gdb. I was able to modify the behaviour of the program by modifying the value of the registers.
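
The session described above, written out as a gdb command sequence. This is an added example, not the author's original session. It assumes the build calls strcmp() from the C library rather than inlining it, that gdb can read the target's library symbols, and it relies on the MIPS convention of returning integer results in $v0.

```gdb
# Added example: constructed session against the logincheck sample from this post.
# Run inside gdb-multiarch on the host; gdbserver is already waiting on the target.
target remote <IP_address_of_the_target_machine>:1234

# Run to main() first so the C library is loaded and strcmp can be resolved.
tbreak main
continue

# Stop on entry to strcmp(), the last call before the check.
# The program now waits for input: type any string at the
# "Type password: " prompt in the gdbserver terminal on the target.
break strcmp
continue

# Confirm the caller (frame #1) is main() and not a library-internal call.
# If it is not main(), issue "continue" until the breakpoint is hit from main().
backtrace 2

# Let strcmp() run to completion; gdb stops in main() right after the call.
finish

# On MIPS the integer return value is in $v0. It is non-zero here because
# the typed string does not match the password.
info registers v0

# Overwrite the result with 0, the value strcmp() returns for equal strings,
# so the branch in main() takes the "Login OK" path.
set $v0 = 0
continue
```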