Overview: Firmadyne is an automated, customizable analysis framework for embedded Linux firmware. It supports reverse engineering of system firmware through QEMU-based emulation of the embedded system. By using it to emulate and run router firmware, one can then hunt for router vulnerabilities and practise attack and defence against the emulated environment. This article explains in detail how to set up the Firmadyne environment and how to use it for reverse analysis of wireless router firmware.
It contains the following components:
Modified kernels for running firmware programs (MIPS: v2.6.32, ARM: v4.1, v3.10);
A user-space NVRAM library that emulates the NVRAM hardware;
An extractor that pulls the filesystem and kernel out of embedded firmware images;
A small console application that spawns an extra shell for debugging;
A scraper that downloads firmware from 42+ different vendors.
The system can be downloaded from GitHub: https://github.com/firmadyne/firmadyne
The framework is shown in the figure below:
Host virtual machine: Ubuntu 14.04
2.1. Install the Metasploit Framework
2.1.1. Install the dependencies
root@aflfuzz:~# apt-get update && apt-get upgrade
root@aflfuzz:~# apt-get install build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev openjdk-7-jre subversion git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev vncviewer libyaml-dev ruby1.9.3
root@aflfuzz:~# gem install wirble sqlite3 bundler
2.1.2. 安装Nmap
mkdir ~/Development
cd ~/Development
svn co https://svn.nmap.org/nmap
cd nmap
./configure
make
sudo make install
make clean
2.1.3. Configure the PostgreSQL server
Switch to the postgres user
sudo -s
su postgres
createuser msf -P -S -R -D  # use msf as the password
createdb -O msf msf
exit
exit
2.1.4. Install the Metasploit Framework
cd /opt
git clone https://github.com/rapid7/metasploit-framework.git
cd metasploit-framework
sudo bash -c 'for MSF in $(ls msf*); do ln -s /opt/metasploit-framework/$MSF /usr/local/bin/$MSF; done'
2.1.5. Install Armitage
wget http://www.fastandeasyhacking.com/download/armitage150813.tgz
tar zxvf armitage150813.tgz
ln -s /opt/armitage/armitage /usr/local/bin/armitage
ln -s /opt/armitage/teamserver /usr/local/bin/teamserver
mkdir /usr/local/share/armitage
cp -r armitage/* /usr/local/share/armitage
echo java -jar /usr/local/share/armitage/armitage.jar \$\* > /usr/local/share/armitage/armitage
perl -pi -e 's/armitage.jar/\/usr\/local\/share\/armitage\/armitage.jar/g' /usr/local/share/armitage/teamserver
2.1.6. Install Ruby 2
yyj@aflfuzz:~$ gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
curl -L https://get.rvm.io | bash -s stable
or
sudo curl -sSL https://get.rvm.io | bash -s stable
root@aflfuzz:~# source /etc/profile.d/rvm.sh
root@aflfuzz:~# rvm autolibs enable
Change the rvm download source to the Taobao mirror
root@aflfuzz:~# rvm pkg install readline
Install Ruby 2.4.1
rvm install 2.4.1 --with-readline-dir=$rvm_path/usr
Set the default Ruby for rvm
rvm 2.4.1 --default
This also installs rubygems-2.6.11
2.1.7. Install suitable gem versions
root@aflfuzz:/opt/metasploit-framework# gem install bundler
root@aflfuzz:/opt/metasploit-framework# gem update
root@aflfuzz:/opt/metasploit-framework# bundle install
Edit the database.yml file
nano /opt/metasploit-framework/database.yml
production:
  adapter: postgresql
  database: msf
  username: msf
  password: msf
  host: 127.0.0.1
  port: 5432
  pool: 75
  timeout: 5
Edit /etc/profile
Add export MSF_DATABASE_CONFIG=/opt/metasploit-framework/database.yml
Run: source /etc/profile
Install the pcaprub module
cd /opt/metasploit-framework/external/pcaprub
root@aflfuzz:/opt/metasploit-framework/external/pcaprub# gem install pcaprub
Test whether the Metasploit Framework was installed successfully
2.2. Install the Firmadyne dependencies
apt-get install busybox-static fakeroot git kpartx netcat-openbsd nmap python-psycopg2 python3-psycopg2 snmp uml-utilities util-linux vlan
2.3. Install Firmadyne
root@aflfuzz:~# git clone --recursive https://github.com/firmadyne/firmadyne.git
2.3.1. Install binwalk if it is not already installed
git clone https://github.com/devttys0/binwalk.git
cd binwalk
./deps.sh
python ./setup.py install
For Python 2.x: apt-get install python-lzma
pip install git+https://github.com/ahupp/python-magic
pip install git+https://github.com/sviehb/Jefferson
2.3.2. Install and configure the database
apt-get install postgresql
sudo -u postgres createuser -P firmadyne  ## with password firmadyne
sudo -u postgres createdb -O firmadyne firmware
sudo -u postgres psql -d firmware < ./firmadyne/database/schema
2.3.3. Download the prebuilt Firmadyne binaries
cd ./firmadyne; ./download.sh
2.3.4. Install QEMU
root@aflfuzz:~# apt-get install qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils qemu-system-mipsel
apt-get install libfdt-dev
In the firmadyne directory, set FIRMWARE_DIR in firmadyne.config to the current directory
3.1. Analyzing the Netgear firmware
3.1.1. Automatic firmware extraction and emulated execution
1) Download a firmware image, e.g. Netgear WNAP320 v2.0.3.
wget http://www.downloads.netgear.com/files/GDC/WNAP320/WNAP320%20Firmware%20Version%202.0.3.zip
2) Extract the filesystem with the extractor
-nk: no kernel, do not extract the kernel;
-np: no parallel operation;
-sql: store the image information table in the database at 127.0.0.1;
-b: the brand (Netgear);
images: store the compressed output in the images directory.
./sources/extractor/extractor.py -b Netgear -sql 127.0.0.1 -np -nk "WNAP320 Firmware Version 2.0.3.zip" images
>> Database Image ID: 1
/root/firmadyne/WNAP320 Firmware Version 2.0.3.zip
>> MD5: 51eddc7046d77a752ca4b39fbda50aff
>> Tag: 1
>> Temp: /tmp/tmp0IdyGR
>> Status: Kernel: True, Rootfs: False, Do_Kernel: False, Do_Rootfs: True
>>>> Zip archive data, at least v2.0 to extract, compressed size: 1197, uncompressed size: 2667, name: ReleaseNotes_WNAP320_fw_2.0.3.HTML
>> Recursing into archive ...
/tmp/tmp0IdyGR/_WNAP320 Firmware Version 2.0.3.zip.extracted/WNAP320_V2.0.3_firmware.tar
>> MD5: 6b66d0c845ea6f086e0424158d8e5f26
>> Tag: 1
>> Temp: /tmp/tmpzzJmsI
>> Status: Kernel: True, Rootfs: False, Do_Kernel: False, Do_Rootfs: True
>>>> POSIX tar archive (GNU), owner user name: "gz.uImage"
>> Recursing into archive ...
/tmp/tmpzzJmsI/_WNAP320_V2.0.3_firmware.tar.extracted/kernel.md5
>> MD5: 0e15e5398024c854756d3e5f7bc78877
>> Skipping: text/plain...
/tmp/tmpzzJmsI/_WNAP320_V2.0.3_firmware.tar.extracted/root_fs.md5
>> MD5: b43dc86ce23660652d37d97651ba1c77
>> Skipping: text/plain...
/tmp/tmpzzJmsI/_WNAP320_V2.0.3_firmware.tar.extracted/rootfs.squashfs
>> MD5: 7ce95b252346d2486d55866a1a9782be
>> Tag: 1
>> Temp: /tmp/tmp16WDxR
>> Status: Kernel: True, Rootfs: False, Do_Kernel: False, Do_Rootfs: True
>> Recursing into archive ...
>>>> Squashfs filesystem, big endian, lzma signature, version 3.1, size: 4433988 bytes, 1247 inodes, blocksize: 65536 bytes, created: 2011-06-23 10:46:19
>>>> Found Linux filesystem in /tmp/tmp16WDxR/_rootfs.squashfs.extracted/squashfs-root!
>> Skipping: completed!
>> Cleaning up /tmp/tmp16WDxR...
>> Skipping: completed!
>> Cleaning up /tmp/tmpzzJmsI...
>> Skipping: completed!
>> Cleaning up /tmp/tmp0IdyGR...
The extracted files are as follows:
To change the default IP address, edit the default IP address, gateway and related settings in the default-config file inside 1.tar.gz
3) Identify the firmware's architecture
Identify the architecture of the firmware in 1.tar.gz and store the result in the database
./scripts/getArch.sh ./images/1.tar.gz
4) Load the firmware's filesystem contents into the image tables
./scripts/tar2db.py -i 1 -f ./images/1.tar.gz
5) Create the QEMU disk image for firmware 1
./scripts/makeImage.sh 1
6) Infer the firmware's network configuration; the output is logged to ./scratch/1/qemu.initial.serial.log
./scripts/inferNetwork.sh 1
7) Emulate the firmware with the inferred network configuration
This modifies the host's configuration by creating a TAP device and adding a route
./scratch/1/run.sh
The system is now running and reachable from the host; its output is logged to ./scratch/1/qemu.final.serial.log.
8) Probe the firmware with the snmpwalk script
./analyses/snmpwalk.sh 10.0.0.100
9) Test the firmware's web interface
./analyses/webAccess.py 1 10.0.0.100 log.txt
The accessible paths are saved to log.txt
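The nine steps above can be chained with a check after each one, so that a failed extraction or an unsupported architecture stops the run before any host network changes are made. The script below is an added example, not part of Firmadyne; it assumes it is run as root from the firmadyne checkout with the script paths used on this page, and that the device address passed in is the one inferNetwork.sh inferred (10.0.0.100 for this image). The two parsers read the lines the logs on this page show Firmadyne printing; the existence check on the tarball and the wait for the device to answer are this example's own additions.

```python
#!/usr/bin/env python3
"""Drive the extraction-to-emulation steps for one firmware image (added example).

Not part of Firmadyne. Run as root from the firmadyne checkout; it relies only
on the script paths used on this page.
"""
import argparse
import re
import socket
import subprocess
import sys
import time
from pathlib import Path

# ">> Database Image ID: 1" is printed by extractor.py (see the log above).
IMAGE_ID_RE = re.compile(r"^>>\s*Database Image ID:\s*(\d+)\s*$", re.MULTILINE)
# "./bin/busybox: mipsel" is printed by getArch.sh (see section 3.2.2).
ARCH_RE = re.compile(r"^\./bin/busybox:\s*(\S+)\s*$", re.MULTILINE)
# Assumption: the kernels listed in the overview cover MIPS (both endians) and ARM.
SUPPORTED_ARCHES = {"mipsel", "mipseb", "armel"}


def parse_image_id(extractor_output):
    """Return the database image id that extractor.py assigned."""
    m = IMAGE_ID_RE.search(extractor_output)
    if not m:
        raise ValueError("extractor did not report a Database Image ID")
    return int(m.group(1))


def parse_arch(getarch_output):
    """Return the architecture getArch.sh reported, refusing unsupported ones."""
    m = ARCH_RE.search(getarch_output)
    if not m:
        raise ValueError("getArch.sh did not identify an architecture")
    arch = m.group(1)
    if arch not in SUPPORTED_ARCHES:
        raise ValueError("no Firmadyne kernel for architecture %r" % arch)
    return arch


def wait_for_host(ip, port=80, timeout=180.0):
    """Poll a TCP port until the emulated device answers; False on timeout."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((ip, port), timeout=2):
                return True
        except OSError:
            time.sleep(2)
    return False


def run(cmd):
    """Run one pipeline command, echoing it to stderr, and return its stdout."""
    print("+ " + " ".join(cmd), file=sys.stderr)
    return subprocess.run(cmd, check=True, text=True, stdout=subprocess.PIPE).stdout


def emulate(firmware, brand, ip):
    """Steps 2 to 9 above with a check after each; returns the image id."""
    out = run(["./sources/extractor/extractor.py", "-b", brand, "-sql", "127.0.0.1",
               "-np", "-nk", firmware, "images"])
    image_id = parse_image_id(out)
    tarball = Path("images") / ("%d.tar.gz" % image_id)
    if not tarball.is_file():
        raise FileNotFoundError("extractor reported id %d but %s is missing" % (image_id, tarball))
    # getArch.sh asks for the firmadyne DB password on the terminal; stdin stays attached.
    arch = parse_arch(run(["./scripts/getArch.sh", str(tarball)]))
    print("image %d is %s" % (image_id, arch), file=sys.stderr)
    run(["./scripts/tar2db.py", "-i", str(image_id), "-f", str(tarball)])
    run(["./scripts/makeImage.sh", str(image_id)])
    run(["./scripts/inferNetwork.sh", str(image_id)])
    # run.sh keeps QEMU in the foreground, so start it in the background and
    # wait for the inferred address to answer before probing it.
    qemu = subprocess.Popen(["./scratch/%d/run.sh" % image_id])
    if not wait_for_host(ip):
        qemu.terminate()
        raise TimeoutError("%s never answered; check ./scratch/%d/qemu.final.serial.log" % (ip, image_id))
    run(["./analyses/snmpwalk.sh", ip])
    run(["./analyses/webAccess.py", str(image_id), ip, "log.txt"])
    return image_id


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Extract, emulate and probe one firmware image")
    ap.add_argument("firmware", help='image file, e.g. "WNAP320 Firmware Version 2.0.3.zip"')
    ap.add_argument("--brand", default="Netgear")
    ap.add_argument("--ip", default="10.0.0.100", help="address inferNetwork.sh chose for the device")
    args = ap.parse_args()
    emulate(args.firmware, args.brand, args.ip)
```

Refusing to continue when getArch.sh reports an architecture the shipped kernels do not cover saves the later steps, and terminating QEMU when the device never answers leaves no stray TAP device behind; the serial log named in the error is where the boot failure is recorded.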
3.1.2. Scanning the firmware running in the Firmadyne virtual environment with nmap
root@aflfuzz:~/firmadyne# nmap -O -sV 10.0.0.100
Starting Nmap 7.40SVN ( https://nmap.org ) at 2017-04-20 11:13 CST
Nmap scan report for localhost (10.0.0.100)
Host is up (0.0011s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      Dropbear sshd 0.51 (protocol 2.0)
80/tcp  open  http     lighttpd 1.4.18
443/tcp open  ssl/http lighttpd 1.4.18
MAC Address: 52:54:00:12:34:56 (QEMU virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.30 seconds
3.1.3. Probing the firmware for vulnerabilities with the nmap vuln scripts
root@aflfuzz:~/firmadyne# nmap --script=vuln -O -sV 10.0.0.100
Starting Nmap 7.40SVN ( https://nmap.org ) at 2017-04-20 11:22 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for localhost (10.0.0.100)
Host is up (0.0014s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      Dropbear sshd 0.51 (protocol 2.0)
80/tcp  open  http     lighttpd 1.4.18
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /test.php: Test page
|_http-phpself-xss: ERROR: Script execution failed (use -d to debug)
|_http-server-header: lighttpd/1.4.18
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
443/tcp open  ssl/http lighttpd 1.4.18
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /test.php: Test page
|_http-phpself-xss: ERROR: Script execution failed (use -d to debug)
|_http-server-header: lighttpd/1.4.18
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| ssl-ccs-injection:
| VULNERABLE:
| SSL/TLS MITM vulnerability (CCS Injection)
| State: VULNERABLE
| Risk factor: High
| OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
| does not properly restrict processing of ChangeCipherSpec messages,
| which allows man-in-the-middle attackers to trigger use of a zero
| length master key in certain OpenSSL-to-OpenSSL communications, and
| consequently hijack sessions or obtain sensitive information, via
| a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
| References:
| http://www.openssl.org/news/secadv_20140605.txt
| http://www.cvedetails.com/cve/2014-0224
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: CVE:CVE-2014-3566 OSVDB:113251
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://www.openssl.org/~bodo/ssl-poodle.pdf
| https://www.imperialviolet.org/2014/10/14/poodle.html
| http://osvdb.org/113251
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
| sslv2-drown:
| ciphers:
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| vulns:
| CVE-2016-0703:
| title: OpenSSL: Divide-and-conquer session key recovery in SSLv2
| state: VULNERABLE
| ids:
| CVE:CVE-2016-0703
| description:
| The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in
| OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before
| 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary
| cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value
| and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a
| related issue to CVE-2016-0800.
|
| refs:
| https://www.openssl.org/news/secadv/20160301.txt
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0703
| CVE-2016-0800:
| title: OpenSSL: Cross-protocol attack on TLS using SSLv2 (DROWN)
| state: VULNERABLE
| ids:
| CVE:CVE-2016-0800
| description:
| The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and
| other products, requires a server to send a ServerVerify message before establishing
| that a client possesses certain plaintext RSA data, which makes it easier for remote
| attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding
| oracle, aka a "DROWN" attack.
|
| refs:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800
|_ https://www.openssl.org/news/secadv/20160301.txt
MAC Address: 52:54:00:12:34:56 (QEMU virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 192.14 seconds
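A defender reviewing an emulated image wants the scan above reduced to a list of findings that can be tracked and fixed in the firmware before a device built from it is put on a network. The script below is an added example, not part of Firmadyne or nmap; it parses the plain-text report format shown above (port lines, "| script-name:" blocks, State lines and CVE ids) and is exercised on SAMPLE_REPORT, a constructed, abridged copy of that output. Scripts that print no State line (http-csrf, http-enum) and the pre-scan block that belongs to no port are dropped, and the nested per-CVE state lines of sslv2-drown are folded into one finding.

```python
"""Reduce an nmap --script=vuln report to a list of findings (added example).

Not part of Firmadyne or nmap; SAMPLE_REPORT is a constructed, abridged copy
of the scan output shown on this page.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "port service script state cves")

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
# NSE script names are lowercase with at least one hyphen ("ssl-poodle"), which
# keeps sub-keys such as "State:", "refs:" or "CVE-2016-0703:" from matching.
SCRIPT_RE = re.compile(r"^\|[_ ]?([a-z0-9]+(?:-[a-z0-9]+)+):")
STATE_RE = re.compile(r"^\|\s+[Ss]tate:\s*(.+?)\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_vuln_report(text):
    """Return one Finding per script block whose State is (likely) vulnerable."""
    findings = []
    port = service = script = state = None
    cves = set()

    def flush():
        # Only blocks tied to a port, with a state not starting with "not", count.
        if port and script and state and not state.lower().startswith("not"):
            findings.append(Finding(port, service, script, state, sorted(cves)))

    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            flush()
            port, service = "%s/%s" % (m.group(1), m.group(2)), m.group(3)
            script, state, cves = None, None, set()
            continue
        if not line.startswith("|"):
            flush()                       # left the script output of this port
            script, state, cves = None, None, set()
            continue
        m = SCRIPT_RE.match(line)
        if m:
            flush()                       # a new script block starts
            script, state, cves = m.group(1), None, set()
        m = STATE_RE.match(line)
        if m and state is None:           # keep the first (top-level) state
            state = m.group(1)
        cves.update(CVE_RE.findall(line))
    flush()
    return findings


def cves_by_port(findings):
    """Map each open port to the sorted CVE ids the scripts attributed to it."""
    out = {}
    for f in findings:
        out.setdefault(f.port, set()).update(f.cves)
    return {p: sorted(c) for p, c in out.items()}


SAMPLE_REPORT = """\
Pre-scan script results:
| broadcast-avahi-dos:
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for localhost (10.0.0.100)
PORT STATE SERVICE VERSION
22/tcp open ssh Dropbear sshd 0.51 (protocol 2.0)
80/tcp open http lighttpd 1.4.18
| http-cookie-flags:
|_ httponly flag not set
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
443/tcp open ssl/http lighttpd 1.4.18
| ssl-ccs-injection:
| State: VULNERABLE
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
| ssl-poodle:
| State: VULNERABLE
| IDs: CVE:CVE-2014-3566 OSVDB:113251
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
| sslv2-drown:
| vulns:
| CVE-2016-0703:
| state: VULNERABLE
| CVE-2016-0800:
|_ state: VULNERABLE
MAC Address: 52:54:00:12:34:56 (QEMU virtual NIC)
"""

if __name__ == "__main__":
    for f in parse_vuln_report(SAMPLE_REPORT):
        print("%-8s %-9s %-22s %-18s %s" % (f.port, f.service, f.script, f.state, ", ".join(f.cves)))
```

Feeding the real report (saved with nmap's -oN) to parse_vuln_report gives the same four findings as the sample: one on port 80 and three on port 443, all of them issues in the lighttpd and OpenSSL builds shipped in the image, which is what a firmware update would need to address.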
3.1.4. Penetration testing the firmware with msf under Firmadyne
runExploits.py automatically runs the router exploit modules that exist in Metasploit against the target; the results are stored in the exploits directory
root@aflfuzz:~/firmadyne# chmod +x analyses/*.py
root@aflfuzz:~/firmadyne# mkdir exploits
root@aflfuzz:~/firmadyne# ./analyses/runExploits.py -t 192.168.0.100 -o exploits/exploit -e x (requires Metasploit Framework)
To simplify working with the firmware, log in as root with the password password and delete /etc/securetty.
Use the following commands to mount or unmount the firmware image. Make sure the emulated firmware is not running before executing them.
sudo ./scripts/mount.sh 1
sudo ./scripts/umount.sh 1
3.2. Analyzing the WRT54Gv2 firmware
3.2.1. Extract the filesystem with the extractor
-nk: no kernel, do not extract the kernel;
-np: no parallel operation;
-sql: store the image information table in the database at 127.0.0.1;
-b: the brand (Linksys);
images: store the compressed output in the images directory.
root@aflfuzz:~/firmadyne# ./sources/extractor/extractor.py -b Linksys -sql 127.0.0.1 -np -nk "WRT54GV3.1_4.00.7_US_code.bin" images
>> Database Image ID: 2
/root/firmadyne/WRT54GV3.1_4.00.7_US_code.bin
>> MD5: 7fbac72ff1ba352a37dff33255494896
>> Tag: 2
>> Temp: /tmp/tmpdYfvsI
>> Status: Kernel: True, Rootfs: False, Do_Kernel: False, Do_Rootfs: True
>> Recursing into archive ...
>>>> Squashfs filesystem, little endian, version 2.0, size: 2185198 bytes, 298 inodes, blocksize: 65536 bytes, created: 2005-04-26 15:38:37
>>>> Found Linux filesystem in /tmp/tmpdYfvsI/_WRT54GV3.1_4.00.7_US_code.bin.extracted/squashfs-root!
>> Skipping: completed!
>> Cleaning up /tmp/tmpdYfvsI...
The extracted files are as follows:
3.2.2. Identify the firmware architecture
root@aflfuzz:~/firmadyne# ./scripts/getArch.sh ./images/2.tar.gz
./bin/busybox: mipsel
Password for user firmadyne:
3.2.3. Load the firmware's filesystem contents into the image tables
root@aflfuzz:~/firmadyne# ./scripts/tar2db.py -i 2 -f ./images/2.tar.gz
3.2.4. Create the QEMU disk image for firmware 2
./scripts/makeImage.sh 2
3.2.5. Infer the firmware's network configuration; the output is logged to ./scratch/2/qemu.initial.serial.log
./scripts/inferNetwork.sh 2
3.2.6. Emulate the firmware with the inferred network configuration
This modifies the host's configuration by creating a TAP device and adding a route
./scratch/2/run.sh
3.2.7. Testing the firmware running under Firmadyne with Burp Suite
apply.cgi was found to have an XSS vulnerability. When apply.cgi was tested on its own, the firmware crashed and hung.