command, too bad. Maybe not...
I started looking for undocumented and hidden commands and found quite a bunch of them.
Among all the stupid hidden commands, the best candidate for taking full control of the cisco is 'gdb'.
The IOS gdb command offers three subcommands:
gdb
    debug PID
    examine PID
    kernel
The kernel subcommand works only on the console.
However, 'examine' and 'debug' work perfectly; the debug subcommand is a bit tricky to use though.
scep#gdb debug 27
||||
oops..
Ok, grab a copy of gdb-4.18 and try to compile a version for your cisco.
mkdir m68k-cisco
cd m68k-cisco
../configure --target m68k-cisco
make
If you have a MIPS-based cisco, just s/m68k/mips64/ the above 4 lines.
Now type make install and you should have a m68k-cisco-gdb binary in your path.
fire# m68k-cisco-gdb
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "--host=i686-pc-linux-gnu --target=m68k-cisco".
(cisco-68k-gdb)
My cisco 1600 is connected to /dev/ttyS0,
scep>en
Password:
scep#gdb debug 18
scep#
As you can see, it bails out if you hit return, while examine works, it seems.
scep#gdb examine 18
||||
Now the console seems locked.
Go back to our gdb-4.18 source tree and check out gdb/remote.c, which contains nice documentation of the gdb remote communication protocol.
added.
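
The framing that gdb/remote.c documents, as an added Python example that is not part of the original article: it checks the `$<payload>#<checksum>` framing of packets in a captured serial session and decodes register data sent as two hex digits per byte. The function names and the sample capture are constructed for illustration; the register order is assumed from GDB's m68k target, and run-length encoding and any IOS-specific deviations are not handled.

```python
import re

# Assumption: GDB's m68k register order, first 18 integer registers,
# 4 bytes each, big-endian as on the 68k itself.
M68K_REGS = ([f"d{i}" for i in range(8)] + [f"a{i}" for i in range(6)]
             + ["fp", "sp", "ps", "pc"])

# $<payload>#<two hex digits>; acks ('+'/'-') between packets are skipped.
PACKET = re.compile(rb"\$([^#$]*)#([0-9a-fA-F]{2})")


def checksum(payload: bytes) -> int:
    """Modulo-256 sum of the payload bytes, as sent after the '#'."""
    return sum(payload) & 0xFF


def frame(payload: bytes) -> bytes:
    """Wrap a payload as $<payload>#<checksum>."""
    return b"$" + payload + b"#%02x" % checksum(payload)


def parse_stream(data: bytes):
    """Return (payload, checksum_ok) for each framed packet in a capture."""
    return [(m.group(1), int(m.group(2), 16) == checksum(m.group(1)))
            for m in PACKET.finditer(data)]


def decode_registers(hex_payload: bytes) -> dict:
    """Decode a 'g' reply or the XX..XX part of a 'G' request."""
    raw = bytes.fromhex(hex_payload.decode("ascii"))
    if len(raw) % 4:
        raise ValueError("register data is not a whole number of 32-bit words")
    words = [int.from_bytes(raw[i:i + 4], "big") for i in range(0, len(raw), 4)]
    return dict(zip(M68K_REGS, words))


# Constructed sample: a 'g' request, ack, register reply, ack, corrupted packet.
SAMPLE_REGS = b"".join(b"%08x" % v
                       for v in [0] * 15 + [0x02003F00, 0x2700, 0x0300A1C4])
CAPTURE = frame(b"g") + b"+" + frame(SAMPLE_REGS) + b"+" + b"$g#00"

if __name__ == "__main__":
    for payload, ok in parse_stream(CAPTURE):
        print("ok " if ok else "BAD", payload[:16])
    print({k: hex(v) for k, v in decode_registers(SAMPLE_REGS).items() if v})
```
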
IOS gdbserver implementation
Don't get too excited, IOS gdbserver supports only a limited subset of those commands. I'll grab a binary of IOS 12 and check if new commands were added.
I didn't have to test every command by hand.. let's just say I have reliable sources and I know that in IOS 11.2-8 (hum hum), the following commands are supported:
Request         Packet

read registers  g
write regs      GXX..XX         Each byte of register data
                                is described by two hex digits.
                                Registers are in the internal order
                                for GDB, and the bytes in a register
                                are in the same order the machine uses.