1. Upload the file
$ adb push gdbserver /sdcard
2. Enter a shell and become root
$ adb shell
$ su
3. Remount /system as read/write
$ mount -o rw,remount /system
4. Copy file to /system/xbin (or /system/bin)
$ cp /sdcard/gdbserver /system/xbin
5. Change permissions to ensure that the copied binary is executable
$ chmod 555 /system/xbin/gdbserver
6. Clean up
$ mount -o ro,remount /system
$ rm /sdcard/gdbserver
7. Download and compile gdb
$ wget http://ftp.gnu.org/gnu/gdb/gdb-7.7.tar.bz2
$ bunzip2 gdb-7.7.tar.bz2
$ tar xf gdb-7.7.tar
$ cd gdb-7.7/
$ ./configure --target=arm-linux-gnueabi
$ make
8. Find the keystore pid
$ ps | grep key
$ cd /proc/228
9. Find the heap
Reading the process's memory map (the maps file in /proc/228) we will normally find the code that makes up the process and its libraries, followed by the important data regions of the process:
– heap – memory assigned by the VM or by the kernel for data storage
– stack – memory used during function calls etc.
In the maps output the heap line shows that the heap runs from 0xb7712000 (start of heap) to 0xb771f000 (end of heap)
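Reading the heap boundaries off the maps listing by eye is error-prone, so here is a small parser for the /proc/PID/maps format that locates the [heap] (or any other named) region and builds the matching gdb dump command. This is an added example, not code from the original write-up; the maps excerpt it runs on is constructed (the heap addresses match the ones above, the remaining lines are illustrative).

```python
"""Locate a named region (e.g. [heap]) in a /proc/<pid>/maps listing."""
import re
from typing import List, Optional, Tuple

# Constructed excerpt of a /proc/<pid>/maps file (sample input, not captured
# from a real device). Only the [heap] addresses come from the write-up.
SAMPLE_MAPS = """\
b75e2000-b7707000 r-xp 00000000 1f:03 412        /system/lib/libc.so
b7707000-b770a000 rw-p 00125000 1f:03 412        /system/lib/libc.so
b770a000-b7712000 r-xp 00000000 1f:03 500        /system/bin/keystore
b7712000-b771f000 rw-p 00000000 00:00 0          [heap]
bfb3e000-bfb5f000 rw-p 00000000 00:00 0          [stack]
"""

# Columns: start-end perms offset dev inode [path]; path may be empty.
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+"
    r"\S+\s+\S+\s+\d+\s*(?P<path>.*)$"
)


def parse_maps(text: str) -> List[dict]:
    """Parse maps text into dicts with integer start/end and the path column."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # tolerate blank or truncated lines
        regions.append({
            "start": int(m.group("start"), 16),
            "end": int(m.group("end"), 16),
            "perms": m.group("perms"),
            "path": m.group("path").strip(),
        })
    return regions


def find_region(text: str, name: str = "[heap]") -> Optional[Tuple[int, int]]:
    """Return (start, end) of the first region whose path equals `name`."""
    for region in parse_maps(text):
        if region["path"] == name:
            return region["start"], region["end"]
    return None


def gdb_dump_command(text: str, out: str = "/tmp/heapout",
                     name: str = "[heap]") -> str:
    """Build the `dump memory` command gdb needs for the named region."""
    rng = find_region(text, name)
    if rng is None:
        raise ValueError(f"no {name} region in maps listing")
    return f"dump memory {out} {rng[0]:#x} {rng[1]:#x}"


def read_maps(pid: int) -> str:
    """Read the live maps file of a process (Linux/Android only)."""
    with open(f"/proc/{pid}/maps") as fh:
        return fh.read()


if __name__ == "__main__":
    print(find_region(SAMPLE_MAPS))        # (0xb7712000, 0xb771f000)
    print(gdb_dump_command(SAMPLE_MAPS))   # dump memory /tmp/heapout 0xb7712000 0xb771f000
```

On the device the same functions work on `read_maps(228)`; the command string printed by `gdb_dump_command` is exactly what is typed at the gdb prompt in step 14. Note that the heap is only one region: data the process has freed or placed in anonymous mappings elsewhere will not be in this range.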
10. Start gdbserver on the process listening on a port on the device
$ gdbserver --attach :1234 228
1234 => the TCP port gdbserver listens on (any free port)
228 => the PID of the target process (the keystore PID found above)
11. Use adb to forward the port on the device to a local port
$ adb forward tcp:1234 tcp:1234
This lets us reach gdbserver on the device's port 1234/tcp by connecting to 1234/tcp on the host.
12. Use a third party program to forward the local port to the device where you will be running gdb
> Use program “Port Forwarding for Windows” to forward from my native OS to the virtual machine I run gdb on
13. Connect via gdb
$ ./gdb
(gdb) target remote 192.168.0.41:1234
14. Dump the memory
(gdb) dump memory /tmp/heapout 0xb7712000 0xb771f000
15. Look for strings that could be usernames or passwords
$ strings /tmp/heapout | more
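`strings | more` works, but when you use a dump like this to check that your own service does not leave credentials in cleartext in its heap, it helps to know where in the heap each hit lives. The following added example (not code from the original write-up) reimplements the printable-string extraction, filters hits by credential-like keywords, and reports both the file offset and the absolute heap address, assuming the heap start address from step 9. The dump bytes it runs on are constructed, not a real heap.

```python
"""Scan a memory dump for printable strings that look like credentials."""
import re
from typing import List, Tuple

# Constructed stand-in for /tmp/heapout (not a real heap dump).
SAMPLE_DUMP = (
    b"\x00\x01garbage\x00"
    b"user=alice\x00\xff\xff"
    b"password=hunter2\x00"
    b"ab\x00"
)

HEAP_START = 0xB7712000  # start of heap from the maps listing in step 9

# Runs of printable ASCII (0x20-0x7e), like the `strings` tool with -n 4.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# Keywords that usually mark a credential; extend for the app under test.
SENSITIVE_KEYWORDS = ("user", "pass", "pin", "secret", "token", "key")


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Return (offset, text) for every printable run of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def find_sensitive(data: bytes, keywords=SENSITIVE_KEYWORDS,
                   min_len: int = 4) -> List[Tuple[int, str]]:
    """Keep only strings containing one of the keywords (case-insensitive)."""
    lowered = tuple(k.lower() for k in keywords)
    return [(off, s) for off, s in extract_strings(data, min_len)
            if any(k in s.lower() for k in lowered)]


def report(data: bytes, heap_start: int = HEAP_START) -> List[str]:
    """Format each hit as 'address offset text' for a human to review."""
    return [f"{heap_start + off:#x} +{off:#x} {s}"
            for off, s in find_sensitive(data)]


if __name__ == "__main__":
    # Replace SAMPLE_DUMP with open("/tmp/heapout", "rb").read() on a real dump.
    for line in report(SAMPLE_DUMP):
        print(line)
```

A hit in the output means the value is still resident in the heap at the moment of the dump; the address column tells you which allocation to look at, which is the starting point for fixing the service so it zeroes or avoids keeping that buffer.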