[Original] A detailed tutorial on using firmadyne, an automated firmware reverse-engineering framework

Posted 2017-6-4 08:49

Cloud4986
Acorn IoTSecLab


Following the administrator's suggestion I am posting the full text here, but the images would not paste in. Read the content first and, if you find it useful, download the Word document in the attachment.

Overview: Firmadyne is an automated, customisable analysis framework for embedded Linux firmware. It supports unpacking system firmware and emulating the embedded system in QEMU. With it you can run a router's firmware in emulation and then use that emulated environment for vulnerability discovery and penetration testing of the router. This article explains in detail how to set up the firmadyne environment and how to use it to reverse-engineer wireless router firmware.


1. Introduction to Firmadyne
Firmadyne is an automated, customisable analysis framework for embedded Linux firmware. It supports unpacking system firmware and emulating the embedded system in QEMU. With it you can run a router's firmware in emulation and then use that emulated environment for vulnerability discovery and penetration testing of the router.
It consists of the following components:

- modified kernels for emulating firmware (MIPS: v2.6.32, ARM: v4.1, v3.10);
- a user-space NVRAM library that emulates the NVRAM hardware;
- a firmware extractor that pulls the filesystem and kernel out of an embedded firmware image;
- a small console application that spawns an additional shell for debugging;
- a scraper that downloads firmware from 42+ different vendors.
The code is available on GitHub: https://github.com/firmadyne/firmadyne
The framework architecture is shown in the figure below:

2. Environment setup
Host VM: Ubuntu 14.04
2.1. Installing Metasploit Framework
2.1.1. Install the dependencies
root@aflfuzz:~# apt-get update && apt-get upgrade
root@aflfuzz:~# apt-get install build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev openjdk-7-jre subversion git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev vncviewer libyaml-dev ruby1.9.3
root@aflfuzz:~# gem install wirble sqlite3 bundler
2.1.2. Install Nmap
mkdir ~/Development
cd ~/Development
svn co https://svn.nmap.org/nmap
cd nmap
./configure
make
sudo make install
make clean
2.1.3. Configure the PostgreSQL server
Switch to the postgres user:
sudo -s
su postgres
createuser msf -P -S -R -D   # use msf as the password
createdb -O msf msf
exit
exit
2.1.4. Install Metasploit Framework
cd /opt
git clone https://github.com/rapid7/metasploit-framework.git
cd metasploit-framework
sudo bash -c 'for MSF in $(ls msf*); do ln -s /opt/metasploit-framework/$MSF /usr/local/bin/$MSF; done'
2.1.5. Install Armitage
wget f30K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3k6S2M7%4c8S2L8X3c8W2j5i4y4&6K9r3q4U0K9$3W2F1k6#2)9J5k6h3y4G2L8g2)9J5c8X3c8G2N6$3&6D9L8$3q4V1i4K6u0r3j5i4u0E0K9i4c8S2k6$3f1I4y4e0l9^5x3e0y4Q4x3X3g2@1k6%4Z5`.
tar zxvf armitage150813.tgz
mkdir /usr/local/share/armitage
cp -r armitage/* /usr/local/share/armitage/
ln -s /usr/local/share/armitage/armitage /usr/local/bin/armitage
ln -s /usr/local/share/armitage/teamserver /usr/local/bin/teamserver
echo java -jar /usr/local/share/armitage/armitage.jar \$\* > /usr/local/share/armitage/armitage
perl -pi -e 's/armitage.jar/\/usr\/local\/share\/armitage\/armitage.jar/g' /usr/local/share/armitage/teamserver
2.1.6. Install Ruby 2
yyj@aflfuzz:~$ gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
curl -L https://get.rvm.io | bash -s stable
or
sudo curl -sSL https://get.rvm.io | bash -s stable
root@aflfuzz:~# source /etc/profile.d/rvm.sh
root@aflfuzz:~# rvm autolibs enable
Change the rvm update source to the Taobao mirror:

root@aflfuzz:~# rvm pkg install readline
Install Ruby 2.4.1:
rvm install 2.4.1 --with-readline-dir=$rvm_path/usr
Set the default Ruby for rvm:
rvm 2.4.1 --default
This step also installs rubygems-2.6.11.
2.1.7. Install the appropriate gem versions
root@aflfuzz:/opt/metasploit-framework# gem install bundler
root@aflfuzz:/opt/metasploit-framework# gem update
root@aflfuzz:/opt/metasploit-framework# bundle install
Edit the database.yml file:
nano /opt/metasploit-framework/database.yml
production:
  adapter: postgresql
  database: msf
  username: msf
  password: msf
  host: 127.0.0.1
  port: 5432
  pool: 75
  timeout: 5
Edit /etc/profile and add:
export MSF_DATABASE_CONFIG=/opt/metasploit-framework/database.yml

Then run: source /etc/profile
Install the pcaprub module:
cd /opt/metasploit-framework/external/pcaprub
root@aflfuzz:/opt/metasploit-framework/external/pcaprub# gem install pcaprub
Test whether Metasploit Framework was installed successfully.

2.2. Installing the Firmadyne dependencies
apt-get install busybox-static fakeroot git kpartx netcat-openbsd nmap python-psycopg2 python3-psycopg2 snmp uml-utilities util-linux vlan
2.3. Installing Firmadyne
root@aflfuzz:~# git clone --recursive https://github.com/firmadyne/firmadyne.git
2.3.1. Install binwalk if it is not already installed
git clone https://github.com/devttys0/binwalk.git
cd binwalk
./deps.sh
python ./setup.py install
For Python 2.x: apt-get install python-lzma
pip install git+https://github.com/ahupp/python-magic
pip install git+https://github.com/sviehb/jefferson
2.3.2. Install and configure the database
apt-get install postgresql
sudo -u postgres createuser -P firmadyne   # use firmadyne as the password
sudo -u postgres createdb -O firmadyne firmware
sudo -u postgres psql -d firmware < ./firmadyne/database/schema
2.3.3. Download the pre-built firmadyne binaries
cd ./firmadyne; ./download.sh
2.3.4. Install QEMU
root@aflfuzz:~# apt-get install qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils qemu-system-mipsel
apt-get install libfdt-dev
3. Using Firmadyne
In the firmadyne directory, set FIRMWARE_DIR in firmadyne.config to the current directory.

3.1. Analysing Netgear firmware
3.1.1. Automatic firmware extraction and emulated execution
1) Download a firmware image, for example Netgear WNAP320 v2.0.3:
wget 2adK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3c8G2N6$3&6D9L8$3q4V1M7#2)9J5k6h3&6W2N6r3N6W2j5i4u0Q4x3X3g2U0L8$3#2Q4x3V1k6X3K9h3I4W2M7#2)9J5c8V1N6p5b7#2)9J5c8W2N6z5b7g2l9K6x3U0m8Q4x3V1k6i4e0V1q4b7x3K6t1H3i4K6t1#2x3U0m8r3K9i4u0E0N6$3q4J5k6g2)9J5y4e0t1H3g2X3g2J5M7$3W2G2L8W2)9J5y4e0t1H3x3W2)9J5k6e0m8Q4x3X3f1K6i4K6u0W2P5X3W2H3
2) Extract the filesystem with the extractor
-nk: no kernel, do not extract the kernel;
-np: no parallel operation;
-sql: store the image information in the database at 127.0.0.1;
-b: the brand (Netgear);
images: the directory in which the extracted archive is stored.
./sources/extractor/extractor.py -b Netgear -sql 127.0.0.1 -np -nk "WNAP320 Firmware Version 2.0.3.zip" images
>> Database Image ID: 1
/root/firmadyne/WNAP320 Firmware Version 2.0.3.zip
>> MD5: 51eddc7046d77a752ca4b39fbda50aff
>> Tag: 1
>> Temp: /tmp/tmp0IdyGR
>> Status: Kernel: True, Rootfs: False, Do_Kernel: False, Do_Rootfs: True
>>>> Zip archive data, at least v2.0 to extract, compressed size: 1197, uncompressed size: 2667, name: ReleaseNotes_WNAP320_fw_2.0.3.HTML
>> Recursing into archive ...
/tmp/tmp0IdyGR/_WNAP320 Firmware Version 2.0.3.zip.extracted/WNAP320_V2.0.3_firmware.tar
    >> MD5: 6b66d0c845ea6f086e0424158d8e5f26
    >> Tag: 1
    >> Temp: /tmp/tmpzzJmsI
    >> Status: Kernel: True, Rootfs: False, Do_Kernel: False, Do_Rootfs: True
    >>>> POSIX tar archive (GNU), owner user name: "gz.uImage"
    >> Recursing into archive ...
/tmp/tmpzzJmsI/_WNAP320_V2.0.3_firmware.tar.extracted/kernel.md5
        >> MD5: 0e15e5398024c854756d3e5f7bc78877
        >> Skipping: text/plain...
/tmp/tmpzzJmsI/_WNAP320_V2.0.3_firmware.tar.extracted/root_fs.md5
        >> MD5: b43dc86ce23660652d37d97651ba1c77
        >> Skipping: text/plain...
/tmp/tmpzzJmsI/_WNAP320_V2.0.3_firmware.tar.extracted/rootfs.squashfs
        >> MD5: 7ce95b252346d2486d55866a1a9782be
        >> Tag: 1
        >> Temp: /tmp/tmp16WDxR
        >> Status: Kernel: True, Rootfs: False, Do_Kernel: False, Do_Rootfs: True
        >> Recursing into archive ...
        >>>> Squashfs filesystem, big endian, lzma signature, version 3.1, size: 4433988 bytes, 1247 inodes, blocksize: 65536 bytes, created: 2011-06-23 10:46:19
        >>>> Found Linux filesystem in /tmp/tmp16WDxR/_rootfs.squashfs.extracted/squashfs-root!
        >> Skipping: completed!
        >> Cleaning up /tmp/tmp16WDxR...
    >> Skipping: completed!
    >> Cleaning up /tmp/tmpzzJmsI...
>> Skipping: completed!
>> Cleaning up /tmp/tmp0IdyGR...
The extracted files are as follows:

If you want to change the default IP address, edit the default IP address, gateway and related settings in the default-config file inside 1.tar.gz.
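Before moving on to getArch.sh it is worth confirming what the extractor actually produced: that the image ID is the one you expect, that a Linux root filesystem was found, and that the MD5 extractor.py logged for the top-level download matches your own hash of the file. The following Python script is an added example, not part of the original post or of the firmadyne project; it parses extractor.py console output of the shape shown above into a per-artifact summary. The sample log embedded in it is constructed from the lines above, and the function names are my own.

```python
import hashlib
import re

# Constructed sample modelled on the extractor.py output shown above (same MD5s and temp paths).
SAMPLE_EXTRACTOR_LOG = """\
>> Database Image ID: 1
/root/firmadyne/WNAP320 Firmware Version 2.0.3.zip
>> MD5: 51eddc7046d77a752ca4b39fbda50aff
>> Tag: 1
>> Temp: /tmp/tmp0IdyGR
>> Status: Kernel: True, Rootfs: False, Do_Kernel: False, Do_Rootfs: True
>>>> Zip archive data, at least v2.0 to extract, compressed size: 1197, uncompressed size: 2667, name: ReleaseNotes_WNAP320_fw_2.0.3.HTML
>> Recursing into archive ...
/tmp/tmp0IdyGR/_WNAP320 Firmware Version 2.0.3.zip.extracted/WNAP320_V2.0.3_firmware.tar
    >> MD5: 6b66d0c845ea6f086e0424158d8e5f26
    >> Status: Kernel: True, Rootfs: False, Do_Kernel: False, Do_Rootfs: True
    >>>> POSIX tar archive (GNU), owner user name: "gz.uImage"
    >> Recursing into archive ...
/tmp/tmpzzJmsI/_WNAP320_V2.0.3_firmware.tar.extracted/kernel.md5
        >> MD5: 0e15e5398024c854756d3e5f7bc78877
        >> Skipping: text/plain...
/tmp/tmpzzJmsI/_WNAP320_V2.0.3_firmware.tar.extracted/root_fs.md5
        >> MD5: b43dc86ce23660652d37d97651ba1c77
        >> Skipping: text/plain...
/tmp/tmpzzJmsI/_WNAP320_V2.0.3_firmware.tar.extracted/rootfs.squashfs
        >> MD5: 7ce95b252346d2486d55866a1a9782be
        >> Status: Kernel: True, Rootfs: False, Do_Kernel: False, Do_Rootfs: True
        >> Recursing into archive ...
        >>>> Squashfs filesystem, big endian, lzma signature, version 3.1, size: 4433988 bytes, 1247 inodes, blocksize: 65536 bytes, created: 2011-06-23 10:46:19
        >>>> Found Linux filesystem in /tmp/tmp16WDxR/_rootfs.squashfs.extracted/squashfs-root!
        >> Skipping: completed!
        >> Cleaning up /tmp/tmp16WDxR...
    >> Skipping: completed!
    >> Cleaning up /tmp/tmpzzJmsI...
>> Skipping: completed!
>> Cleaning up /tmp/tmp0IdyGR...
"""


def parse_extractor_output(text):
    """Flatten extractor.py console output into {image_id, rootfs, artifacts: [...]}.

    Each absolute path line opens a new artifact; the ">>" lines that follow it are
    attributed to that artifact (nesting is flattened, which is enough for a check).
    """
    report = {"image_id": None, "rootfs": None, "artifacts": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r">>\s*Database Image ID:\s*(\d+)", line)
        if m:
            report["image_id"] = int(m.group(1))
            continue
        if line.startswith("/"):  # an absolute path opens a new artifact
            current = {"path": line, "md5": None, "signatures": [], "skipped": False}
            report["artifacts"].append(current)
            continue
        if current is None:
            continue
        m = re.match(r">>\s*MD5:\s*([0-9a-fA-F]{32})", line)
        if m:
            current["md5"] = m.group(1).lower()
            continue
        m = re.match(r">>>>\s*Found Linux filesystem in\s*(.+?)!?$", line)
        if m:
            report["rootfs"] = m.group(1)
            continue
        if line.startswith(">>>>"):  # a binwalk signature hit
            current["signatures"].append(line[4:].strip())
            continue
        m = re.match(r">>\s*Skipping:\s*(.*)", line)
        if m and not m.group(1).startswith("completed"):
            current["skipped"] = True  # e.g. "Skipping: text/plain..." (not an archive)
    return report


def rootfs_found(report):
    return report["rootfs"] is not None


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def image_md5_matches(data, report):
    """Compare your own hash of the downloaded image with the MD5 extractor.py logged for it."""
    if not report["artifacts"] or report["artifacts"][0]["md5"] is None:
        return False
    return md5_hex(data) == report["artifacts"][0]["md5"]


def summary(report):
    lines = [f"image id {report['image_id']}, rootfs: {report['rootfs'] or 'NOT FOUND'}"]
    for a in report["artifacts"]:
        kind = "skipped" if a["skipped"] else (a["signatures"][0].split(",")[0] if a["signatures"] else "no signature")
        lines.append(f"  {a['md5']}  {a['path']}  [{kind}]")
    return lines


if __name__ == "__main__":
    print("\n".join(summary(parse_extractor_output(SAMPLE_EXTRACTOR_LOG))))
```

If rootfs comes back as NOT FOUND, makeImage.sh has nothing to build from and the later steps will fail in less obvious ways, so this is the point to stop and look at the binwalk signatures instead. The MD5 comparison is only an integrity check against the file you fed in, not an authenticity check; vendors rarely sign firmware, so the hash says nothing about where the image came from.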


3) Identify the architecture of the firmware
Identify the architecture of the firmware image 1.tar.gz and store the result in the database:
./scripts/getArch.sh ./images/1.tar.gz

4) Load the firmware's filesystem contents into the image tables
./scripts/tar2db.py -i 1 -f ./images/1.tar.gz
5) Create the QEMU disk image for firmware 1
./scripts/makeImage.sh 1

6) Infer the firmware's network configuration; the boot output is recorded in ./scratch/1/qemu.initial.serial.log
./scripts/inferNetwork.sh 1

7) Emulate the firmware with the inferred network configuration
This modifies the host's configuration by creating a TAP device and adding routes.
./scratch/1/run.sh


The system is now running and reachable from the host; its console output is recorded in ./scratch/1/qemu.final.serial.log.
8) Probe the firmware with the snmp script
./analyses/snmpwalk.sh 10.0.0.100


9) Test the firmware's web interface
./analyses/webAccess.py 1 10.0.0.100 log.txt
The accessible paths are stored in log.txt.


3.1.2. Scanning the firmware running in the firmadyne virtual environment with nmap
root@aflfuzz:~/firmadyne# nmap -O -sV 10.0.0.100
Starting Nmap 7.40SVN ( https://nmap.org ) at 2017-04-20 11:13 CST
Nmap scan report for localhost (10.0.0.100)
Host is up (0.0011s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      Dropbear sshd 0.51 (protocol 2.0)
80/tcp  open  http     lighttpd 1.4.18
443/tcp open  ssl/http lighttpd 1.4.18
MAC Address: 52:54:00:12:34:56 (QEMU virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.30 seconds
3.1.3. Probing the firmware for vulnerabilities with the nmap vuln scripts
root@aflfuzz:~/firmadyne# nmap --script=vuln -O -sV 10.0.0.100
Starting Nmap 7.40SVN ( https://nmap.org ) at 2017-04-20 11:22 CST
Pre-scan script results:
| broadcast-avahi-dos:
|  Discovered hosts:
|    224.0.0.251
|  After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for localhost (10.0.0.100)
Host is up (0.0014s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE  VERSION
22/tcp open  ssh      Dropbear sshd 0.51 (protocol 2.0)
80/tcp open  http     lighttpd 1.4.18
| http-cookie-flags:
|  /:
|    PHPSESSID:
|_     httponly flag not set
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /test.php: Test page
|_http-phpself-xss: ERROR: Script execution failed (use -d to debug)
|_http-server-header: lighttpd/1.4.18
| http-slowloris-check:
|  VULNERABLE:
|  Slowloris DOS attack
|    State: LIKELY VULNERABLE
|    IDs:  CVE:CVE-2007-6750
|      Slowloris tries to keep many connections to the target web server open and hold
|      them open as long as possible.  It accomplishes this by opening connections to
|      the target web server and sending a partial request. By doing so, it starves
|      the http server's resources causing Denial Of Service.
|      
|    Disclosure date: 2009-09-17
|    References:
|      359K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6U0N6X3g2Q4x3X3g2E0K9i4c8J5k6g2)9J5k6h3!0J5k6#2)9J5c8X3y4Y4K9g2)9J5k6r3u0A6L8W2)9J5c8X3y4$3k6h3&6S2L8h3g2Q4x3X3g2U0k6$3W2Q4x3@1k6F1j5h3#2W2i4K6y4p5b7#2k6q4i4K6u0V1x3U0l9H3y4#2)9J5k6o6j5%4y4e0l9`.
|_     a51K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3S2S2i4K6u0W2j5$3E0W2M7Y4y4Q4x3X3g2G2M7X3N6Q4x3V1k6K6L8r3!0%4L8r3!0J5K9i4y4Q4x3V1j5`.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
443/tcp open  ssl/http lighttpd 1.4.18
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
| http-cookie-flags:
|  /:
|    PHPSESSID:
|_     httponly flag not set
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /test.php: Test page
|_http-phpself-xss: ERROR: Script execution failed (use -d to debug)
|_http-server-header: lighttpd/1.4.18
| http-slowloris-check:
|  VULNERABLE:
|  Slowloris DOS attack
|    State: LIKELY VULNERABLE
|    IDs:  CVE:CVE-2007-6750
|      Slowloris tries to keep many connections to the target web server open and hold
|      them open as long as possible.  It accomplishes this by opening connections to
|      the target web server and sending a partial request. By doing so, it starves
|      the http server's resources causing Denial Of Service.
|      
|    Disclosure date: 2009-09-17
|    References:
|      22dK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6U0N6X3g2Q4x3X3g2E0K9i4c8J5k6g2)9J5k6h3!0J5k6#2)9J5c8X3y4Y4K9g2)9J5k6r3u0A6L8W2)9J5c8X3y4$3k6h3&6S2L8h3g2Q4x3X3g2U0k6$3W2Q4x3@1k6F1j5h3#2W2i4K6y4p5b7#2k6q4i4K6u0V1x3U0l9H3y4#2)9J5k6o6j5%4y4e0l9`.
|_     f95K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3S2S2i4K6u0W2j5$3E0W2M7Y4y4Q4x3X3g2G2M7X3N6Q4x3V1k6K6L8r3!0%4L8r3!0J5K9i4y4Q4x3V1j5`.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| ssl-ccs-injection:
|  VULNERABLE:
|  SSL/TLS MITM vulnerability (CCS Injection)
|    State: VULNERABLE
|    Risk factor: High
|      OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
|      does not properly restrict processing of ChangeCipherSpec messages,
|      which allows man-in-the-middle attackers to trigger use of a zero
|      length master key in certain OpenSSL-to-OpenSSL communications, and
|      consequently hijack sessions or obtain sensitive information, via
|      a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|         
|    References:
|      648K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3!0H3k6h3&6K6M7$3I4Q4x3X3g2G2M7X3N6Q4x3V1k6F1k6i4N6K6i4K6u0r3M7$3g2U0j5h3c8$3i4K6g2X3x3U0l9I4y4o6l9$3x3o6g2Q4x3X3g2@1P5s2b7`.
|      2c7K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3y4$3k6h3c8W2N6r3q4A6L8s2y4Q4x3X3g2U0L8$3#2Q4x3V1k6U0N6X3g2Q4x3V1j5J5x3o6p5@1i4K6u0V1x3o6t1J5y4l9`.`.
|_     b51K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6U0N6X3g2Q4x3X3g2E0K9i4c8J5k6g2)9J5k6h3!0J5k6#2)9J5c8X3y4Y4K9g2)9J5k6r3u0A6L8W2)9J5c8X3y4$3k6h3&6S2L8h3g2Q4x3X3g2U0k6$3W2Q4x3@1k6F1j5h3#2W2i4K6y4p5b7#2k6q4i4K6u0V1x3U0l9I4y4q4)9J5k6o6l9J5x3U0b7`.
| ssl-poodle:
|  VULNERABLE:
|  SSL POODLE information leak
|    State: VULNERABLE
|    IDs:  CVE:CVE-2014-3566  OSVDB:113251
|          The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|          products, uses nondeterministic CBC padding, which makes it easier
|          for man-in-the-middle attackers to obtain cleartext data via a
|          padding-oracle attack, aka the "POODLE" issue.
|    Disclosure date: 2014-10-14
|    Check results:
|      TLS_RSA_WITH_AES_128_CBC_SHA
|    References:
|      9f0K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2G2M7r3g2F1M7%4y4D9i4K6u0W2L8%4u0Y4i4K6u0r3i4K6N6q4j5X3!0V1L8#2)9J5c8Y4y4K6L8q4)9J5k6s2m8G2L8$3c8D9k6g2)9J5k6i4m8V1k6R3`.`.
|      761K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2A6L8i4m8W2M7X3W2S2L8s2k6A6L8$3I4W2N6q4)9J5k6h3!0J5k6#2)9J5c8U0t1H3x3e0c8Q4x3V1j5I4x3q4)9J5c8U0p5@1i4K6u0r3M7r3!0G2k6r3I4W2i4K6u0W2K9s2c8E0L8l9`.`.
|      b22K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3!0K6N6X3c8T1i4K6u0W2L8%4u0Y4i4K6u0r3x3e0p5K6x3U0f1I4
|_     07aK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6U0N6X3g2Q4x3X3g2E0K9i4c8J5k6g2)9J5k6h3!0J5k6#2)9J5c8X3y4Y4K9g2)9J5k6r3u0A6L8W2)9J5c8X3y4$3k6h3&6S2L8h3g2Q4x3X3g2U0k6$3W2Q4x3@1k6F1j5h3#2W2i4K6y4p5b7#2k6q4i4K6u0V1x3U0l9I4y4q4)9J5k6o6x3#2y4U0j5`.
| sslv2-drown:
|  ciphers:
|    SSL2_RC2_128_CBC_WITH_MD5
|    SSL2_DES_64_CBC_WITH_MD5
|    SSL2_DES_192_EDE3_CBC_WITH_MD5
|    SSL2_RC4_128_WITH_MD5
|    SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|    SSL2_RC4_128_EXPORT40_WITH_MD5
|  vulns:
|    CVE-2016-0703:
|      title: OpenSSL: Divide-and-conquer session key recovery in SSLv2
|      state: VULNERABLE
|      ids:
|        CVE:CVE-2016-0703
|      description:
|      The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in
|      OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before
|      1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary
|      cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value
|      and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a
|      related issue to CVE-2016-0800.
|   
|      refs:
|        e27K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2G2M7r3g2F1M7%4y4D9i4K6u0W2L8%4u0Y4i4K6u0r3L8X3g2%4M7#2)9J5c8Y4y4W2j5$3q4V1N6W2)9J5c8U0t1H3x3e0j5H3x3K6l9I4i4K6u0W2N6s2S2@1
|        164K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6U0N6X3g2Q4x3X3g2E0K9i4c8J5k6g2)9J5k6h3!0J5k6#2)9J5c8X3y4Y4K9g2)9J5k6r3u0A6L8W2)9J5c8X3y4$3k6h3&6S2L8h3g2Q4x3X3g2U0k6$3W2Q4x3@1k6F1j5h3#2W2i4K6y4p5b7#2k6q4i4K6u0V1x3U0l9I4y4W2)9J5k6o6l9%4x3o6x3`.
|    CVE-2016-0800:
|      title: OpenSSL: Cross-protocol attack on TLS using SSLv2 (DROWN)
|      state: VULNERABLE
|      ids:
|        CVE:CVE-2016-0800
|      description:
|      The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and
|      other products, requires a server to send a ServerVerify message before establishing
|      that a client possesses certain plaintext RSA data, which makes it easier for remote
|      attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding
|      oracle, aka a "DROWN" attack.
|   
|      refs:
|        c3aK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6U0N6X3g2Q4x3X3g2E0K9i4c8J5k6g2)9J5k6h3!0J5k6#2)9J5c8X3y4Y4K9g2)9J5k6r3u0A6L8W2)9J5c8X3y4$3k6h3&6S2L8h3g2Q4x3X3g2U0k6$3W2Q4x3@1k6F1j5h3#2W2i4K6y4p5b7#2k6q4i4K6u0V1x3U0l9I4y4W2)9J5k6o6l9^5x3o6l9`.
|_       ed7K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2G2M7r3g2F1M7%4y4D9i4K6u0W2L8%4u0Y4i4K6u0r3L8X3g2%4M7#2)9J5c8Y4y4W2j5$3q4V1N6W2)9J5c8U0t1H3x3e0j5H3x3K6l9I4i4K6u0W2N6s2S2@1
MAC Address: 52:54:00:12:34:56 (QEMU virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 192.14 seconds
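A vuln-script scan like the one above mixes three kinds of lines that are easy to confuse when skimming: informational script output, scripts that merely mention a CVE in their description (the avahi pre-scan check reports "not vulnerable" next to CVE-2011-1002), and scripts that set an explicit State. The following Python script is an added example, not part of the original post, nmap or firmadyne; it parses nmap's normal-output format into open ports and per-script findings, takes the verdict only from an explicit "State:" line, collects CVE identifiers without duplicates, and ranks the findings that need attention. The sample output embedded in it is a constructed, abridged version of the scan above, and the function names are my own.

```python
import re

# Constructed, abridged sample of the vuln-script scan shown above.
SAMPLE_NMAP_OUTPUT = """\
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for localhost (10.0.0.100)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      Dropbear sshd 0.51 (protocol 2.0)
80/tcp  open  http     lighttpd 1.4.18
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|     References:
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
443/tcp open  ssl/http lighttpd 1.4.18
| ssl-ccs-injection:
|   VULNERABLE:
|   SSL/TLS MITM vulnerability (CCS Injection)
|     State: VULNERABLE
|_    Risk factor: High
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  CVE:CVE-2014-3566  OSVDB:113251
|     Check results:
|_      TLS_RSA_WITH_AES_128_CBC_SHA
| sslv2-drown:
|   vulns:
|     CVE-2016-0800:
|       title: OpenSSL: Cross-protocol attack on TLS using SSLv2 (DROWN)
|       state: VULNERABLE
|       ids:
|_        CVE:CVE-2016-0800
MAC Address: 52:54:00:12:34:56 (QEMU virtual NIC)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# A script name sits directly after "| " or "|_"; nested script output is indented further.
SCRIPT_RE = re.compile(r"^\|(?:_| )([a-z][a-z0-9-]*):\s*(.*)$")
STATE_RE = re.compile(r"^\|_?\s+[Ss]tate:\s*(.+?)\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
RANK = {"INFO": 0, "NOT VULNERABLE": 0, "UNKNOWN": 1, "LIKELY VULNERABLE": 2, "VULNERABLE": 3}


def _classify(state):
    s = state.upper()
    if s.startswith("NOT"):
        return "NOT VULNERABLE"
    if s.startswith("LIKELY"):
        return "LIKELY VULNERABLE"
    if s.startswith("VULNERABLE"):
        return "VULNERABLE"
    return "UNKNOWN"


def parse_nmap(text):
    """Return {"ports": [...], "findings": [...]} from nmap normal output."""
    report = {"ports": [], "findings": []}
    port = None  # port the current script output belongs to (None = pre-scan / host script)
    finding = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = {"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                    "service": m.group(4), "version": m.group(5).strip()}
            report["ports"].append(port)
            finding = None
            continue
        if not line.startswith("|"):  # anything else ends the current script block
            finding = None
            continue
        m = SCRIPT_RE.match(line)
        if m:
            finding = {"port": port["port"] if port else None, "script": m.group(1),
                       "states": [], "cves": [], "verdict": "INFO"}
            report["findings"].append(finding)
        elif finding is not None:
            m = STATE_RE.match(line)
            if m:
                finding["states"].append(m.group(1))
        if finding is not None:
            for cve in CVE_RE.findall(line):  # IDs, descriptions and reference URLs alike
                if cve not in finding["cves"]:
                    finding["cves"].append(cve)
    for f in report["findings"]:
        if f["states"]:  # a CVE mention without an explicit State stays INFO
            f["verdict"] = max((_classify(s) for s in f["states"]), key=RANK.__getitem__)
    return report


def triage(report):
    """Findings worth acting on, most severe first, then by port."""
    hits = [f for f in report["findings"] if RANK[f["verdict"]] >= 2]
    return sorted(hits, key=lambda f: (-RANK[f["verdict"]], f["port"] or 0))


def format_triage(report):
    return [f"{f['port'] or 'host'} {f['script']}: {f['verdict']} {' '.join(f['cves']) or '(no CVE id)'}"
            for f in triage(report)]


if __name__ == "__main__":
    print("\n".join(format_triage(parse_nmap(SAMPLE_NMAP_OUTPUT))))
```

Two things the parser makes explicit that the raw output does not: "LIKELY VULNERABLE" (the Slowloris check is a timing heuristic) is ranked below "VULNERABLE", and a finding can be VULNERABLE without any CVE identifier in the text, as ssl-ccs-injection is here, so the absence of a CVE string is not a reason to drop a finding. On an emulated image like this one the TLS results also say as much about the bundled OpenSSL build date as about the device's configuration.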
3.1.4. Penetration testing the firmware under firmadyne with msf
runExploits.py automatically runs the router exploit modules that exist in Metasploit against the target; the results are stored in the exploits directory.
root@aflfuzz:~/firmadyne# chmod +x analyses/*.py
root@aflfuzz:~/firmadyne# mkdir exploits
root@aflfuzz:~/firmadyne# ./analyses/runExploits.py -t 192.168.0.100 -o exploits/exploit -e x   (requires Metasploit Framework)

To make working with the firmware easier, log in as root (the password is password) and delete /etc/securetty.
Use the following commands to mount or unmount the firmware image. Make sure the emulated firmware is not running before executing either of them:
sudo ./scripts/mount.sh 1
sudo ./scripts/umount.sh 1
3.2. Analysing WRT54G v2 firmware
3.2.1. Extract the filesystem with the extractor
-nk: no kernel, do not extract the kernel;
-np: no parallel operation;
-sql: store the image information in the database at 127.0.0.1;
-b: the brand (Linksys);
images: the directory in which the extracted archive is stored.
root@aflfuzz:~/firmadyne# ./sources/extractor/extractor.py -b Linksys -sql 127.0.0.1 -np -nk "WRT54GV3.1_4.00.7_US_code.bin" images
>> Database Image ID: 2
/root/firmadyne/WRT54GV3.1_4.00.7_US_code.bin
>> MD5: 7fbac72ff1ba352a37dff33255494896
>> Tag: 2
>> Temp: /tmp/tmpdYfvsI
>> Status: Kernel: True, Rootfs: False, Do_Kernel: False, Do_Rootfs: True
>> Recursing into archive ...
>>>> Squashfs filesystem, little endian, version 2.0, size: 2185198 bytes, 298 inodes, blocksize: 65536 bytes, created: 2005-04-26 15:38:37
>>>> Found Linux filesystem in /tmp/tmpdYfvsI/_WRT54GV3.1_4.00.7_US_code.bin.extracted/squashfs-root!
>> Skipping: completed!
>> Cleaning up /tmp/tmpdYfvsI...
The extracted files are as follows:

3.2.2. Identify the architecture of the firmware
root@aflfuzz:~/firmadyne# ./scripts/getArch.sh ./images/2.tar.gz
./bin/busybox: mipsel
Password for user firmadyne:
3.2.3. Load the firmware's filesystem contents into the image tables
root@aflfuzz:~/firmadyne# ./scripts/tar2db.py -i 2 -f ./images/2.tar.gz
3.2.4. Create the QEMU disk image for firmware 2
./scripts/makeImage.sh 2


3.2.5. Infer the firmware's network configuration; the boot output is recorded in ./scratch/2/qemu.initial.serial.log
./scripts/inferNetwork.sh 2

3.2.6. Emulate the firmware with the inferred network configuration
This modifies the host's configuration by creating a TAP device and adding routes.
./scratch/2/run.sh

3.2.7. Testing the firmware running under firmadyne with Burp Suite

apply.cgi was found to have an XSS vulnerability. When apply.cgi was tested on its own, the emulated firmware crashed and hung.


Replies (13)
#2  2017-6-4 09:05
Why are both the attachment and the post showing up garbled?
#3  2017-6-4 09:17
cloud闲云: Why are both the attachment and the post showing up garbled?
Could you put the contents of the Word document directly into the post?
#4  2017-6-5 07:18
Does this tool emulate the whole firmware image, or do you have to unpack the rootfs and emulate the individual ELF programs?
#5  2017-6-6 07:49
As far as I can see this is mostly a translation of the original project's usage instructions; it would be best to say so.
#6  2018-7-16 16:07
Installing by following the instructions on GitHub is easy; following your guide was quite an ordeal.
#7  2018-7-17 15:07
I already knew this, but still, upvoted..
Next time please separate the code blocks from the body text... reading it like this is a headache...
#8  2018-7-17 15:07
One more thing: firmadyne is an emulation framework... what is this "reverse-engineering framework"...
#9  2018-8-6 13:22
Does it work with optical modem (ONT) firmware?
#10  2018-8-7 21:21
Thanks for the effort. I tried it a long time ago; some firmware images run under this framework, but emulation of many others still has problems. Firmadyne counts as a solid piece of work; another framework, Avatar, is also worth trying.
#11  2020-8-5 10:54
Learning.
#12  2020-12-17 15:32
Learning...
#13  2020-12-30 10:28
firmadyne is an emulation framework...... It can emulate some firmware, but the emulation success rate reported in its paper is only about 20%. Its principle: first unpack the firmware and extract its filesystem, then rely on QEMU, choosing different strategies depending on the architecture. The most important technique behind its automation is the "boot twice" rule in the network configuration stage: the firmware is first booted with QEMU and the kernel log produced during boot is collected (this period is set to 60 s); the log is then matched for information related to the firmware's network configuration during boot, and on the second boot those settings are applied, which automates firmware emulation and provides a working interactive interface that the user can access. It is still widely used in dynamic emulation, but around November this year Kim et al. from KAIST, in a paper submitted to ACSAC, proposed an improved version, FirmAE, which addresses five classes of problems encountered when using firmadyne and comes with open-source code; their experiments show the success rate rising from 20% to about 80%. Also, personally I think the author has made this far more complicated than it needs to be.
#14  2021-3-10 00:47
anfieldqi: firmadyne is an emulation framework...... It can emulate some firmware, but the emulation success rate reported in its paper is only about 20%. Its principle: first unpack the firmware and extract its filesystem, then rely on QEMU, choosing different strategies depending on the architecture. ...
Can you share a link?