Reversing share library written in C to extract port number with GDB

Question

I am looking for help with GDB to reverse engineer shared library written in C that is preloaded in /etc/ld.so.preload.

Current library hooks accept() call if source port is correct it returns reverse shell back to user.

Strings command doesn't give out source port, so my target is to try to find it within GDB.

Program consist of two files headers.h where I have my definitions and variable #define SECRET_PORT 11111 source.c contains accept hook with reverse shell.

My problem is I cannot figure out a way how to retrieve PORT within GDB - I can load mylib.so within gdb and run: info functions to see whats inside - I can see accept function but when I try to disass accept I only get instructions that I barely can understand.

1. Problem when I run mylib it gives out SIGSEGV (maybe thats the reason I cannot see variables) there is no main function where to set break and if I do set it on function accept is still gives SIGSEGV error.
2. I tested with starti instead of run then I got Program stopped 0xSOMEADRESGOESHERE in deregister_tm_clones() I don't even know if this is correct way to test .so file. maybe there are some oser switches.

Im thinking I need to find a way how to set BP in HTONS() checking function where if statement compares source port and extract values from there but so far no luck.

p.s. when mylib is loaded in gdb there is message No debugging symbols found. So I cannot run like list accept or anything like that to view a source.

Compilation code gcc -Wall -shared -fPIC mylib.c -o mylib.so -ldl

Answer 1

Im thinking I need to find a way how to set BP in HTONS() checking function where if statement compares source port and extract values from there

You don't need to do that -- the instructions will be the same whether you run the application, or disassemble the function without running.

Compilation code ...

So you are trying to reverse-engineer the library for which you have a source?
That makes it very easy to find the constant you are looking for.

Start by setting the constant to easily recognizable value, e.g. 0x12131415. Compile the library and disassemble it. Look for your constant.

If you don't see it, save the disassembled output, and rebuild the library with a different value, e.g. 0xA1B1C1D1. Disassemble it again and compare to previous disassembled output. It should be easy to spot the difference.

P.S. If you really want to debug this library with a live process, do this:

gdb ./myprog
(gdb) set env LD_PRELOAD /path/to/mylib.so
(gdb) run

At this point, you should be able to set breakpoints and observe your library "in action".

Answer 2

Ok managed solve this with a help

when running GDB on shared library You will have to check hex value for 11111 and it should be 2B67 so in registers this will become something like 0x2b67 & it will be passed to htons() as check for source port.

So let's assume I didn't have the source code I could still run: gdb -q *.so then: info functions and see with disass functionNameGoesHere where some accept / htons calls are made. Correct value should be found right above htons line. Then decoded hex to dec and thats how You can find it.

This took some while to figure out as I coudn't set BP's.

Again thanks for input from community! Cheers