Error when trying to attach GDB to Qiling GDB server #415

Closed
nahueldsanchez opened this issue Aug 1, 2020 · 2 comments


nahueldsanchez commented Aug 1, 2020

Hi Qiling team, I really like the project! Thanks for such an effort developing it.

UPDATE
I've checked this other similar issue and, based on xwings' comment, searched for potential forks that could be the cause of the issue. I did not find any fork.

I've done further testing and found the function in the binary which is being problematic (entry at 0x47baac0). I've hooked it with Qiling and once the emulation reaches it I've set the PC to the function that I wanted to debug: hedwigcgi_main (0x0040bfc0). I've modified the code in gdbserver.py to put a breakpoint there as by default it sets it to self.entry_point.

With GDB multiarch I'm still having the same issue.

I've tested with IDA PRO 6.95.160808 following the steps suggested in the docs and debugging is working.

Describe the bug
I'm trying to debug a MIPS binary using the built-in GDB support as explained in the documentation. I'm trying to reproduce what was presented in the HITB workshop.

To test my setup I've started modifying the "hello_mips32el_linux_debug.py" and enabled debugging. I'm able to attach to the debugger with GDB multiarch (I'm facing another issue here that I'll describe later).

Qiling version: commit c1fc9af
GDB multiarch version: GNU gdb (Ubuntu 8.1-0ubuntu3.2) 8.1.0.20180409-git

(qiling_framework) python hello_mips32el_linux_debug.py 
[+] load 0x400000 - 0x48d000
[+] load 0x49d000 - 0x4a2000
[+] mem_start: 0x400000 mem_end: 0x4a2000
[+] mmap_address is : 0x774bf000
debugger> Initializing load_address 0x0
debugger> Listening on 127.0.0.1:9999

GDB Multiarch

...
(gdb) target remote 127.0.0.1:9999
Remote debugging using 127.0.0.1:9999
warning: while parsing target description: no element found
warning: Could not load XML target description; ignoring
...
warning: Read returned 1484, but 1480 bytes.
0x00000000 in ?? ()
(gdb)

However, when I perform the same steps with the binary previously mentioned, I got this answer:

Qiling

debugger> Initializing load_address 0x0
debugger> Listening on 127.0.0.1:9999
gdb> Breakpoint added at: 0x4025c0
[+] log mmap - mmap(0x0, 0x1000, 0x3, 0x802, 2146682536, 2146682540)
[+] log mmap - mmap(0x0, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | 2048, 2146682536, 2146682540)
[+] log mmap - return addr : 0x774bf000
[+] log mmap - addr range  : 0x774bf000 - 0x774c0000
[+] log mmap - mapping needed
[+] mmap_base 0x774bf000  length 0x1000
mmap(0x0, 0x1000, 0x3, 0x802, -1, 0) = 0x774bf000
[+] mmap_base is 0x774bf000
open(/lib/libgcc_s.so.1, 0x0, 0o0) = 3
[+] open(/lib/libgcc_s.so.1, O_RDONLY, 0o0) = 3
[+] File Found: /lib/libgcc_s.so.1
fstat(3, 0x7ff3bcf0) = 0
[+] fstat write completed
[+] log mmap - mmap(0x0, 0x1000, 0x3, 0x802, 2146679984, 2146679988)
[+] log mmap - mmap(0x0, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | 2048, 2146679984, 2146679988)
[+] log mmap - return addr : 0x774c0000
[+] log mmap - addr range  : 0x774c0000 - 0x774c1000
[+] log mmap - mapping needed
[+] mmap_base 0x774c0000  length 0x1000
mmap(0x0, 0x1000, 0x3, 0x802, -1, 0) = 0x774c0000
[+] mmap_base is 0x774c0000
read(3, 0x774c0000, 0x1000) = 4096
[+] log mmap - mmap(0x0, 0x3a000, 0x0, 0x802, 2146679968, 2146679972)
[+] log mmap - mmap(0x0, 0x3a000, PROT_NONE, MAP_PRIVATE | 2048, 2146679968, 2146679972)
[+] log mmap - return addr : 0x774c1000
[+] log mmap - addr range  : 0x774c1000 - 0x774fb000
[+] log mmap - mapping needed
[+] mmap_base 0x774c1000  length 0x3a000
mmap(0x0, 0x3a000, 0x0, 0x802, -1, 0) = 0x774c1000
[+] mmap_base is 0x774c1000
[+] log mmap - mmap(0x774c1000, 0x2860c, 0x5, 0x12, 2146679952, 2146679956)
[+] log mmap - mmap(0x774c1000, 0x2860c, PROT_READ | PROT_EXEC, MAP_PRIVATE | MAP_FIXED, 2146679952, 2146679956)
[+] log mmap - return addr : 0x774c1000
[+] log mmap - addr range  : 0x774c1000 - 0x774ea000
[+] mmap_base 0x774c1000  length 0x29000
[+] log mem wirte : 0x2860c
[+] log mem mmap  : /folder/_DIR645A1_FW103RUB08.bin.extracted/squashfs-root/lib/libgcc_s.so.1
mmap(0x774c1000, 0x2860c, 0x5, 0x12, 3, 0) = 0x774c1000
[+] mmap_base is 0x774c1000
[+] log mmap - mmap(0x774fa000, 0x960, 0x3, 0x12, 2146679936, 2146679940)
[+] log mmap - mmap(0x774fa000, 0x960, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_FIXED, 2146679936, 2146679940)
[+] log mmap - return addr : 0x774fa000
[+] log mmap - addr range  : 0x774fa000 - 0x774fb000
[+] mmap_base 0x774fa000  length 0x1000
[+] log mem wirte : 0x960
[+] log mem mmap  : /folder/_DIR645A1_FW103RUB08.bin.extracted/squashfs-root/lib/libgcc_s.so.1
mmap(0x774fa000, 0x960, 0x3, 0x12, 3, 167936) = 0x774fa000
[+] mmap_base is 0x774fa000
close(3) = 0
munmap(0x774c0000, 0x1000) = 0
open(/lib/libc.so.0, 0x0, 0o0) = 3
[+] open(/lib/libc.so.0, O_RDONLY, 0o0) = 3
[+] File Found: /lib/libc.so.0
fstat(3, 0x7ff3bce0) = 0
[+] fstat write completed
[+] log mmap - mmap(0x0, 0x1000, 0x3, 0x802, 2146679968, 2146679972)
[+] log mmap - mmap(0x0, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | 2048, 2146679968, 2146679972)
[+] log mmap - return addr : 0x774fb000
[+] log mmap - addr range  : 0x774fb000 - 0x774fc000
[+] log mmap - mapping needed
[+] mmap_base 0x774fb000  length 0x1000
mmap(0x0, 0x1000, 0x3, 0x802, -1, 0) = 0x774fb000
[+] mmap_base is 0x774fb000
read(3, 0x774fb000, 0x1000) = 4096
[+] log mmap - mmap(0x0, 0x74000, 0x0, 0x802, 2146679952, 2146679956)
[+] log mmap - mmap(0x0, 0x74000, PROT_NONE, MAP_PRIVATE | 2048, 2146679952, 2146679956)
[+] log mmap - return addr : 0x774fc000
[+] log mmap - addr range  : 0x774fc000 - 0x77570000
[+] log mmap - mapping needed
[+] mmap_base 0x774fc000  length 0x74000
mmap(0x0, 0x74000, 0x0, 0x802, -1, 0) = 0x774fc000
[+] mmap_base is 0x774fc000
[+] log mmap - mmap(0x774fc000, 0x5d3e0, 0x5, 0x12, 2146679936, 2146679940)
[+] log mmap - mmap(0x774fc000, 0x5d3e0, PROT_READ | PROT_EXEC, MAP_PRIVATE | MAP_FIXED, 2146679936, 2146679940)
[+] log mmap - return addr : 0x774fc000
[+] log mmap - addr range  : 0x774fc000 - 0x7755a000
[+] mmap_base 0x774fc000  length 0x5e000
[+] log mem wirte : 0x5d3e0
[+] log mem mmap  : /folder/_DIR645A1_FW103RUB08.bin.extracted/squashfs-root/lib/libuClibc-0.9.30.1.so
mmap(0x774fc000, 0x5d3e0, 0x5, 0x12, 3, 0) = 0x774fc000
[+] mmap_base is 0x774fc000
[+] log mmap - mmap(0x77569000, 0x1e54, 0x3, 0x12, 2146679920, 2146679924)
[+] log mmap - mmap(0x77569000, 0x1e54, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_FIXED, 2146679920, 2146679924)
[+] log mmap - return addr : 0x77569000
[+] log mmap - addr range  : 0x77569000 - 0x7756b000
[+] mmap_base 0x77569000  length 0x2000
[+] log mem wirte : 0x1e54
[+] log mem mmap  : /folder/_DIR645A1_FW103RUB08.bin.extracted/squashfs-root/lib/libuClibc-0.9.30.1.so
mmap(0x77569000, 0x1e54, 0x3, 0x12, 3, 380928) = 0x77569000
[+] mmap_base is 0x77569000
[+] log mmap - mmap(0x7756b000, 0x4910, 0x3, 0x812, 2146679904, 2146679908)
[+] log mmap - mmap(0x7756b000, 0x4910, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_FIXED | 2048, 2146679904, 2146679908)
[+] log mmap - return addr : 0x7756b000
[+] log mmap - addr range  : 0x7756b000 - 0x77570000
[+] mmap_base 0x7756b000  length 0x5000
mmap(0x7756b000, 0x4910, 0x3, 0x812, -1, 0) = 0x7756b000
[+] mmap_base is 0x7756b000
close(3) = 0
munmap(0x774fb000, 0x1000) = 0
open(/lib/libc.so.0, 0x0, 0o0) = 3
[+] open(/lib/libc.so.0, O_RDONLY, 0o0) = 3
[+] File Found: /lib/libc.so.0
fstat(3, 0x7ff3bcd0) = 0
[+] fstat write completed
close(3) = 0
stat(/lib/ld-uClibc.so.0, 0x7ff3c714) = 0
[+] stat() write completed
mprotect(0x77569000, 0x1000, 0x1) = 0
[+] mprotect(0x77569000, 0x1000, PROT_READ) = 0
mprotect(0x47ce000, 0x1000, 0x1) = 0
[+] mprotect(0x47ce000, 0x1000, PROT_READ) = 0
ioctl(0x0, 0x540d, 0x7ff3c5f8) = -1
ioctl(0x1, 0x540d, 0x7ff3c5f8) = -1
gdb> Breakpoint found, stop at address: 0x4025c0
gdb> received: qSupported:multiprocess+;swbreak+;hwbreak+;qRelocInsn+;fork-events+;vfork-events+;exec-events+;vContSupported+;QThreadEvents+;no-resumed+;xmlRegisters=i386
gdb> send: $PacketSize=3fff;QPassSignals+;QProgramSignals+;QStartupWithShell+;QEnvironmentHexEncoded+;QEnvironmentReset+;QEnvironmentUnset+;QSetWorkingDir+;QCatchSyscalls+;qXfer:libraries-svr4:read+;augmented-libraries-svr4-read+;qXfer:auxv:read+;qXfer:spu:read+;qXfer:spu:write+;qXfer:siginfo:read+;qXfer:siginfo:write+;qXfer:features:read+;QStartNoAckMode+;qXfer:osdata:read+;multiprocess+;fork-events+;vfork-events+;exec-events+;QNonStop+;QDisableRandomization+;qXfer:threads:read+;ConditionalTracepoints+;TraceStateVariables+;TracepointSource+;DisconnectedTracing+;StaticTracepoints+;InstallInTrace+;qXfer:statictrace:read+;qXfer:traceframe-info:read+;EnableDisableTracepoints+;QTBuffer:size+;tracenz+;ConditionalBreakpoints+;BreakpointCommands+;QAgent+;swbreak+;hwbreak+;qXfer:exec-file:read+;vContSupported+;QThreadEvents+;no-resumed+#71
gdb> received: qSupported:multiprocess+;swbreak+;hwbreak+;qRelocInsn+;fork-events+;vfork-events+;exec-events+;vContSupported+;QThreadEvents+;no-resumed+;xmlRegisters=i386
gdb> send: $PacketSize=3fff;QPassSignals+;QProgramSignals+;QStartupWithShell+;QEnvironmentHexEncoded+;QEnvironmentReset+;QEnvironmentUnset+;QSetWorkingDir+;QCatchSyscalls+;qXfer:libraries-svr4:read+;augmented-libraries-svr4-read+;qXfer:auxv:read+;qXfer:spu:read+;qXfer:spu:write+;qXfer:siginfo:read+;qXfer:siginfo:write+;qXfer:features:read+;QStartNoAckMode+;qXfer:osdata:read+;multiprocess+;fork-events+;vfork-events+;exec-events+;QNonStop+;QDisableRandomization+;qXfer:threads:read+;ConditionalTracepoints+;TraceStateVariables+;TracepointSource+;DisconnectedTracing+;StaticTracepoints+;InstallInTrace+;qXfer:statictrace:read+;qXfer:traceframe-info:read+;EnableDisableTracepoints+;QTBuffer:size+;tracenz+;ConditionalBreakpoints+;BreakpointCommands+;QAgent+;swbreak+;hwbreak+;qXfer:exec-file:read+;vContSupported+;QThreadEvents+;no-resumed+#71
gdb> received: vMustReplyEmpty
Traceback (most recent call last):
  File "multithreading_mips32el_linux.py", line 61, in <module>
    my_sandbox(["/folder/_DIR645A1_FW103RUB08.bin.extracted/squashfs-root/htdocs/hedwig.cgi"], "/folder/_DIR645A1_FW103RUB08.bin.extracted/squashfs-root")
  File "multithreading_mips32el_linux.py", line 57, in my_sandbox
    ql.run()
  File "/home/bleh/.virtualenv/qiling_framework/lib/python3.6/site-packages/qiling-1.2.dev0-py3.6.egg/qiling/core.py", line 203, in run
    self.remote_debug.run()
  File "/home/bleh/.virtualenv/qiling_framework/lib/python3.6/site-packages/qiling-1.2.dev0-py3.6.egg/qiling/extensions/debugger/gdbserver/gdbserver.py", line 749, in run
    commands[cmd](subcmd)
  File "/home/bleh/.virtualenv/qiling_framework/lib/python3.6/site-packages/qiling-1.2.dev0-py3.6.egg/qiling/extensions/debugger/gdbserver/gdbserver.py", line 592, in handle_v
    self.send("")
  File "/home/bleh/.virtualenv/qiling_framework/lib/python3.6/site-packages/qiling-1.2.dev0-py3.6.egg/qiling/extensions/debugger/gdbserver/gdbserver.py", line 790, in send
    self.send_raw('$%s#%.2x' % (msg, checksum(msg)))
  File "/home/bleh/.virtualenv/qiling_framework/lib/python3.6/site-packages/qiling-1.2.dev0-py3.6.egg/qiling/extensions/debugger/gdbserver/gdbserver.py", line 799, in send_raw
    self.netout.flush()
  File "/usr/lib/python3.6/socket.py", line 604, in write
    return self._sock.send(b)
BrokenPipeError: [Errno 32] Broken pipe

Based on this last output, it looks like the emulation starts and at some point breaks (not sure why).

GDB Multiarch

Remote replied unexpectedly to 'vMustReplyEmpty': PacketSize=3fff;QPassSignals+;QProgramSignals+;QStartupWithShell+;QEnvironmentHexEncoded+;QEnvironmentReset+;QEnvironmentUnset+;QSetWorkingDir+;QCatchSyscalls+;qXfer:libraries-svr4:read+;augmented-libraries-svr4-read+;qXfer:auxv:read+;qXfer:spu:read+;qXfer:spu:write+;qXfer:siginfo:read+;qXfer:siginfo:write+;qXfer:features:read+;QStartNoAckMode+;qXfer:osdata:read+;multiprocess+;fork-events+;vfork-events+;exec-events+;QNonStop+;QDisableRandomization+;qXfer:threads:read+;ConditionalTracepoints+;TraceStateVariables+;TracepointSource+;DisconnectedTracing+;StaticTracepoints+;InstallInTrace+;qXfer:statictrace:read+;qXfer:traceframe-info:read+;EnableDisableTracepoints+;QTBuffer:size+;tracenz+;ConditionalBreakpoints+;BreakpointCommands+;QAgent+;swbreak+;hwbreak+;qXfer:exec-file:read+;vContSupported+;QThreadEvents+;no-resumed+

Binary I'm trying to debug: cgibin.zip (mentioned here: https://www.exploit-db.com/exploits/33863)

Expected behavior

GDB attaches to the debugged process and allows remote debugging.

Additional context
I would like to try and help you fix this, so if in the meantime you could point me to where to start looking, I'll give it a try. Thanks!


kabeor commented Aug 5, 2020

@nahueldsanchez
Hi! Looks like gdb is timing out; try to input 'set remotetimeout 100' in gdb and run again. If that doesn't work, input 'set debug remote 1' in gdb first and run, then send the gdb output to us please.

nahueldsanchez (Author) commented

@kabeor THANKS!

It worked smoothly adding that timeout to GDB.

Thanks again for the tip, keep up the good work, awesome project!
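The server log above shows the shape of the failure: the stub received qSupported twice, answered it twice, then received vMustReplyEmpty, and GDB reported the qSupported reply as the "unexpected" answer to vMustReplyEmpty before the stub's own empty reply hit a closed socket (the BrokenPipeError). The following is an added illustration, not Qiling's code and not from the issue's participants: it implements the '$payload#checksum' framing that the traceback's send() uses, and a toy tick-based model of a client that re-sends its request on timeout (which the duplicated qSupported lines show GDB doing) against a stub that answers every request it got. The function names, the tick model, the shortened sample payloads and the delay values are all assumptions; the real qSupported reply on this page is much longer.

```python
"""Added illustration (not Qiling's code) of the GDB Remote Serial Protocol
exchange in this issue: '$<payload>#<checksum>' framing, and a toy time model
of how a slow stub leads GDB to pair a stale qSupported reply with
vMustReplyEmpty. Function names, timing model and sample payloads are
assumptions made for this example."""


def checksum(payload: str) -> int:
    """RSP checksum: sum of the payload bytes modulo 256."""
    return sum(payload.encode()) % 256


def packet(payload: str) -> bytes:
    """Frame a payload the way the traceback's send() does: '$%s#%.2x'."""
    return ('$%s#%.2x' % (payload, checksum(payload))).encode()


def parse_packets(stream: bytes) -> list:
    """Split a byte stream into (payload, checksum_ok) tuples.

    '+'/'-' acknowledgements between frames are skipped; a trailing
    incomplete frame is ignored rather than raising."""
    frames = []
    pos = 0
    while True:
        start = stream.find(b'$', pos)
        if start == -1:
            return frames
        end = stream.find(b'#', start)
        if end == -1 or end + 3 > len(stream):
            return frames                      # truncated frame
        payload = stream[start + 1:end].decode()
        claimed = int(stream[end + 1:end + 3], 16)
        frames.append((payload, checksum(payload) == claimed))
        pos = end + 3


# Constructed sample of the first two requests GDB sends and the replies a
# stub is expected to give (the real qSupported reply is far longer).
REPLIES = {
    "qSupported:multiprocess+;swbreak+": "PacketSize=3fff;swbreak+",
    "vMustReplyEmpty": "",        # the stub must answer with an empty packet
}


def simulate_handshake(server_delay: int, client_timeout: int) -> dict:
    """Discrete-time model of the session start against a slow stub.

    The client sends each request and waits up to client_timeout ticks
    (GDB's 'remotetimeout'); on timeout it re-sends the same request. The
    stub answers every request it received, in order, server_delay ticks
    later. The client pairs whatever reply arrives next with its current
    request, which is only right if no retry happened."""
    pending = []          # (arrival_tick, reply) queued by the stub
    pairs = []            # (request, reply) as the client pairs them
    now = 0
    for req in REPLIES:
        while True:
            pending.append((now + server_delay, REPLIES[req]))
            pending.sort()
            deadline = now + client_timeout
            if pending[0][0] <= deadline:
                arrival, reply = pending.pop(0)
                now = max(now, arrival)
                pairs.append((req, reply))
                break
            now = deadline    # timed out: re-send and keep waiting
    # Replies the stub still wants to deliver after the client has moved on;
    # on a real socket GDB has already hung up, hence the BrokenPipeError.
    return {"pairs": pairs, "unread": len(pending)}


def diagnose(pairs: list) -> str:
    """Check the invariant GDB enforces here: vMustReplyEmpty -> ''."""
    for req, reply in pairs:
        if req == "vMustReplyEmpty" and reply != "":
            return "desync: stale reply %r taken as answer to vMustReplyEmpty" % reply
    return "ok"


if __name__ == "__main__":
    print(packet("OK"))                              # b'$OK#9a'
    print(parse_packets(b"+$OK#9a+$#00"))
    for timeout in (1, 100):
        result = simulate_handshake(server_delay=2, client_timeout=timeout)
        print("remotetimeout=%d:" % timeout, diagnose(result["pairs"]),
              "unread replies:", result["unread"])
```

With a timeout shorter than the stub's delay the model reproduces the log: two qSupported requests, the second reply consumed as the vMustReplyEmpty answer, and one reply left undelivered. Raising the client timeout, which is what 'set remotetimeout 100' does, removes the retry and restores the one-request-one-reply pairing; 'set debug remote 1' is the GDB-side way to see the same packet sequence the stub's log shows.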
