Reverse-engineering a home router with binwalk. Do you trust your router's software?


A few days ago I decided to reverse-engineer my router's firmware using binwalk.

I bought myself a TP-Link Archer C7 home router. Not the best router, but enough for my needs.

Every time I buy a new router, I install OpenWRT. Why? As a rule, manufacturers don't care much about supporting their routers, and over time the software becomes outdated, vulnerabilities are discovered, and so on; in general, you get the idea. That's why I prefer the OpenWRT firmware, which is well supported by the open-source community.

After installing OpenWRT, I also downloaded the latest firmware image for my new Archer C7 from the official website and decided to analyze it. Purely for fun, and to talk about binwalk.

What is binwalk?

Binwalk is an open-source tool for analyzing, reverse-engineering and extracting firmware images.

Created in 2010 by Craig Heffner, binwalk can scan firmware images and find files, identify and extract filesystem images, executable code, compressed archives, bootloaders and kernels, file formats such as JPEG and PDF, and more.

You can use binwalk to reverse-engineer firmware in order to understand how it works: search binary files for vulnerabilities, extract files, and look for backdoors or digital certificates. You can also find opcodes for a range of different CPUs.

You can extract filesystem images to look for specific password files (passwd, shadow, etc.) and try to crack the password hashes. You can perform binary diffing between two or more files. You can perform entropy analysis on the data to look for compressed data or embedded encryption keys. All of this without needing access to the source code.

In short, everything you need is there :)

How does binwalk work?

The main feature of binwalk is its signature scanning. Binwalk can scan a firmware image looking for various embedded file types and filesystems.

Do you know the file command-line utility?

file /bin/bash
/bin/bash: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=12f73d7a8e226c663034529c8dd20efec22dde54, stripped

The file utility checks the file header and looks for a signature (magic number) to determine the file type. For example, if the file starts with the byte sequence 0x89 0x50 0x4E 0x47 0x0D 0x0A 0x1A 0x0A, it knows it is a PNG file. Wikipedia has a list of common file signatures.

Binwalk works the same way. But instead of looking for signatures only at the beginning of the file, binwalk scans the whole file. In addition, binwalk can extract the files it finds in the image.

The file and binwalk tools both use the libmagic library to identify file signatures. But binwalk additionally supports a list of custom magic signatures for finding compressed/zipped files, firmware headers, Linux kernels, bootloaders, filesystems and so on.
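To make the whole-file signature scan concrete, here is a small Python scanner written for this article (an added example, not binwalk's own code). The signature table is a constructed subset of well-known magic values, and the two validity checks stand in for binwalk's "smart" signature keywords: the byte sequence 0x5D 00 00 occurs by chance in binary data, so a candidate LZMA stream is only reported if its properties byte and dictionary size are plausible, which is the kind of rejected hit the -I/--invalid option makes visible. The sample buffer is constructed.

```python
import struct

# Constructed signature table (magic bytes, description). These are the
# well-known magic values for the formats named; the table is an example,
# not binwalk's magic file.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\x1f\x8b\x08", "gzip compressed data"),
    (b"hsqs", "Squashfs filesystem, little endian"),
    (b"\x27\x05\x19\x56", "uImage header"),
    (b"\x7fELF", "ELF executable"),
    (b"\x5d\x00\x00", "LZMA compressed data"),
]


def _valid_lzma(data, off):
    """Reject LZMA false positives. A real stream carries a properties byte
    below 225 and a non-zero, power-of-two dictionary size (binwalk reported
    8388608 above), followed by an 8-byte uncompressed size."""
    if off + 13 > len(data):
        return False
    props = data[off]
    dict_size = struct.unpack_from("<I", data, off + 1)[0]
    return props < 225 and dict_size != 0 and dict_size & (dict_size - 1) == 0


def _valid_uimage(data, off):
    """A uImage header is 64 bytes with a non-zero image size at offset 12."""
    if off + 64 > len(data):
        return False
    return struct.unpack_from(">I", data, off + 12)[0] != 0


VALIDATORS = {"LZMA compressed data": _valid_lzma, "uImage header": _valid_uimage}


def scan_signatures(data, include_invalid=False):
    """Scan the whole buffer (not just its start) for every signature and
    return sorted (offset, description) hits, dropping implausible matches
    unless include_invalid is set."""
    hits = []
    for magic, desc in SIGNATURES:
        start = 0
        while (idx := data.find(magic, start)) >= 0:
            valid = VALIDATORS.get(desc, lambda d, o: True)(data, idx)
            if valid or include_invalid:
                hits.append((idx, desc + ("" if valid else " (invalid)")))
            start = idx + 1
    return sorted(hits)


def build_sample():
    """Constructed 512-byte blob: a uImage header at 0x10, a plausible LZMA
    stream at 0x100, a chance 5D 00 00 at 0x180, and a squashfs magic at 0x1C0."""
    blob = bytearray(512)
    blob[16:20] = b"\x27\x05\x19\x56"
    struct.pack_into(">I", blob, 16 + 12, 1234)            # ih_size != 0
    blob[256:269] = b"\x5d" + struct.pack("<I", 8 << 20) + b"\xff" * 8
    blob[384:389] = b"\x5d\x00\x00\x03\x00"                 # dict size 0x30000
    blob[448:452] = b"hsqs"
    return bytes(blob)


if __name__ == "__main__":
    for off, desc in scan_signatures(build_sample(), include_invalid=True):
        print(f"{off:<10d}{off:<#12x}{desc}")
```

The usage mirrors the DECIMAL / HEXADECIMAL / DESCRIPTION layout of the binwalk output further down; binwalk's real scanner applies far more signatures and far more validation, but the principle of scanning every offset and then sanity-checking the candidate is the same.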

Shall we have some fun?

Installing binwalk

Binwalk is supported on many platforms, including Linux, OSX, FreeBSD and Windows.

To install the latest version of binwalk, you can download the source code and follow the installation instructions or the quick-start guide available on the project website.

Binwalk has many different options:

$ binwalk

Binwalk v2.2.0
Craig Heffner, ReFirmLabs
https://github.com/ReFirmLabs/binwalk

Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...

Signature Scan Options:
    -B, --signature              Scan target file(s) for common file signatures
    -R, --raw=<str>              Scan target file(s) for the specified sequence of bytes
    -A, --opcodes                Scan target file(s) for common executable opcode signatures
    -m, --magic=<file>           Specify a custom magic file to use
    -b, --dumb                   Disable smart signature keywords
    -I, --invalid                Show results marked as invalid
    -x, --exclude=<str>          Exclude results that match <str>
    -y, --include=<str>          Only show results that match <str>

Extraction Options:
    -e, --extract                Automatically extract known file types
    -D, --dd=<type:ext:cmd>      Extract <type> signatures, give the files an extension of <ext>, and execute <cmd>
    -M, --matryoshka             Recursively scan extracted files
    -d, --depth=<int>            Limit matryoshka recursion depth (default: 8 levels deep)
    -C, --directory=<str>        Extract files/folders to a custom directory (default: current working directory)
    -j, --size=<int>             Limit the size of each extracted file
    -n, --count=<int>            Limit the number of extracted files
    -r, --rm                     Delete carved files after extraction
    -z, --carve                  Carve data from files, but don't execute extraction utilities
    -V, --subdirs                Extract into sub-directories named by the offset

Entropy Options:
    -E, --entropy                Calculate file entropy
    -F, --fast                   Use faster, but less detailed, entropy analysis
    -J, --save                   Save plot as a PNG
    -Q, --nlegend                Omit the legend from the entropy plot graph
    -N, --nplot                  Do not generate an entropy plot graph
    -H, --high=<float>           Set the rising edge entropy trigger threshold (default: 0.95)
    -L, --low=<float>            Set the falling edge entropy trigger threshold (default: 0.85)

Binary Diffing Options:
    -W, --hexdump                Perform a hexdump / diff of a file or files
    -G, --green                  Only show lines containing bytes that are the same among all files
    -i, --red                    Only show lines containing bytes that are different among all files
    -U, --blue                   Only show lines containing bytes that are different among some files
    -u, --similar                Only display lines that are the same between all files
    -w, --terse                  Diff all files, but only display a hex dump of the first file

Raw Compression Options:
    -X, --deflate                Scan for raw deflate compression streams
    -Z, --lzma                   Scan for raw LZMA compression streams
    -P, --partial                Perform a superficial, but faster, scan
    -S, --stop                   Stop after the first result

General Options:
    -l, --length=<int>           Number of bytes to scan
    -o, --offset=<int>           Start scan at this file offset
    -O, --base=<int>             Add a base address to all printed offsets
    -K, --block=<int>            Set file block size
    -g, --swap=<int>             Reverse every n bytes before scanning
    -f, --log=<file>             Log results to file
    -c, --csv                    Log results to file in CSV format
    -t, --term                   Format output to fit the terminal window
    -q, --quiet                  Suppress output to stdout
    -v, --verbose                Enable verbose output
    -h, --help                   Show help output
    -a, --finclude=<str>         Only scan files whose names match this regex
    -p, --fexclude=<str>         Do not scan files whose names match this regex
    -s, --status=<int>           Enable the status server on the specified port

Image analysis

Let's start by searching for file signatures inside the image (the image from the TP-Link support website).

Running binwalk with the --signature parameter:

$ binwalk --signature --term archer-c7.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
------------------------------------------------------------------------------------------
21876         0x5574          U-Boot version string, "U-Boot 1.1.4-g4480d5f9-dirty (May
                              20 2019 - 18:45:16)"
21940         0x55B4          CRC32 polynomial table, big endian
23232         0x5AC0          uImage header, header size: 64 bytes, header CRC:
                              0x386C2BD5, created: 2019-05-20 10:45:17, image size:
                              41162 bytes, Data Address: 0x80010000, Entry Point:
                              0x80010000, data CRC: 0xC9CD1E38, OS: Linux, CPU: MIPS,
                              image type: Firmware Image, compression type: lzma, image
                              name: "u-boot image"
23296         0x5B00          LZMA compressed data, properties: 0x5D, dictionary size:
                              8388608 bytes, uncompressed size: 97476 bytes
64968         0xFDC8          XML document, version: "1.0"
78448         0x13270         uImage header, header size: 64 bytes, header CRC:
                              0x78A267FF, created: 2019-07-26 07:46:14, image size:
                              1088500 bytes, Data Address: 0x80060000, Entry Point:
                              0x80060000, data CRC: 0xBB9D4F94, OS: Linux, CPU: MIPS,
                              image type: Multi-File Image, compression type: lzma,
                              image name: "MIPS OpenWrt Linux-3.3.8"
78520         0x132B8         LZMA compressed data, properties: 0x6D, dictionary size:
                              8388608 bytes, uncompressed size: 3164228 bytes
1167013       0x11CEA5        Squashfs filesystem, little endian, version 4.0,
                              compression:xz, size: 14388306 bytes, 2541 inodes,
                              blocksize: 65536 bytes, created: 2019-07-26 07:51:38
15555328      0xED5B00        gzip compressed data, from Unix, last modified: 2019-07-26
                              07:51:41

We now have a lot of information about this image.

The image uses U-Boot as the bootloader (the image header is at 0x5AC0 and the compressed bootloader image at 0x5B00). From the uImage header at 0x13270 we know that the processor architecture is MIPS and the Linux kernel is version 3.3.8. And from the image found at offset 0x11CEA5 we can see that the rootfs is a squashfs filesystem.

Let's extract the bootloader (U-Boot) with the dd command:

$ dd if=archer-c7.bin of=u-boot.bin.lzma bs=1 skip=23296 count=41162
41162+0 records in
41162+0 records out
41162 bytes (41 kB, 40 KiB) copied, 0,0939608 s, 438 kB/s

Since the image is compressed with LZMA, we need to decompress it:

$ unlzma u-boot.bin.lzma

Now we have a U-Boot image:

$ ls -l u-boot.bin
-rw-rw-r-- 1 sprado sprado 97476 Fev  5 08:48 u-boot.bin

How about finding the default value of bootargs?

$ strings u-boot.bin | grep bootargs
bootargs
bootargs=console=ttyS0,115200 board=AP152 rootfstype=squashfs init=/etc/preinit mtdparts=spi0.0:128k(factory-uboot),192k(u-boot),64k(ART),1536k(uImage),14464k@0x1e0000(rootfs) mem=128M

The U-Boot environment variable bootargs is used to pass parameters to the Linux kernel. And from the above, it is easier to understand the device's flash memory layout.
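As an added example (not from the original post), the following Python reads the mtdparts= argument out of the bootargs string above and computes each partition's offset and size, which is the flash layout the author refers to. The parser follows the kernel's mtdparts syntax, <size>[@<offset>](<name>)[ro], where a size of "-" means "the rest of the device" and a partition without an explicit @offset starts where the previous one ends. The gap/overlap check and the fits() helper are my own additions for cross-checking carved images against their partitions.

```python
import re

# The bootargs line recovered from the U-Boot image above.
BOOTARGS = ("bootargs=console=ttyS0,115200 board=AP152 rootfstype=squashfs "
            "init=/etc/preinit mtdparts=spi0.0:128k(factory-uboot),192k(u-boot),"
            "64k(ART),1536k(uImage),14464k@0x1e0000(rootfs) mem=128M")

UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
# <size>[@<offset>](<name>)[ro]
PART_RE = re.compile(r"(-|\d+[kmgKMG]?)(?:@(0x[0-9a-fA-F]+|\d+))?\(([^)]*)\)(ro)?")


def parse_size(token):
    m = re.fullmatch(r"(\d+)([kmgKMG]?)", token)
    if not m:
        raise ValueError(f"bad size token: {token}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]


def parse_mtdparts(bootargs):
    """Return (mtd device id, list of partitions) from the mtdparts= argument."""
    m = re.search(r"mtdparts=(\S+)", bootargs)
    if not m:
        raise ValueError("no mtdparts in bootargs")
    device, _, spec = m.group(1).partition(":")
    layout, cursor = [], 0
    for part in spec.split(","):
        pm = PART_RE.fullmatch(part)
        if not pm:
            raise ValueError(f"bad partition spec: {part}")
        size_tok, off_tok, name, ro = pm.groups()
        offset = int(off_tok, 0) if off_tok else cursor   # explicit or contiguous
        size = None if size_tok == "-" else parse_size(size_tok)
        layout.append({"name": name, "offset": offset, "size": size, "ro": bool(ro)})
        if size is None:          # "-" consumes the rest of the device
            break
        cursor = offset + size
    return device, layout


def check_layout(layout):
    """Flag gaps and overlaps between consecutive partitions."""
    findings = []
    for prev, cur in zip(layout, layout[1:]):
        end = prev["offset"] + (prev["size"] or 0)
        if cur["offset"] < end:
            findings.append(f"{cur['name']} overlaps {prev['name']} by {end - cur['offset']:#x} bytes")
        elif cur["offset"] > end:
            findings.append(f"gap of {cur['offset'] - end:#x} bytes before {cur['name']}")
    return findings


def fits(layout, name, nbytes):
    """Does an image of nbytes fit into the named partition?"""
    part = next(p for p in layout if p["name"] == name)
    return part["size"] is None or nbytes <= part["size"]


def flash_size(layout):
    """End of the last partition, i.e. the flash size implied by the layout."""
    last = layout[-1]
    return last["offset"] + (last["size"] or 0)


if __name__ == "__main__":
    dev, layout = parse_mtdparts(BOOTARGS)
    print(f"device {dev}: {flash_size(layout) // (1024 * 1024)} MiB")
    for p in layout:
        size = "rest" if p["size"] is None else f"{p['size']:#x}"
        print(f"  {p['offset']:#010x}  {size:>10}  {p['name']}{' (ro)' if p['ro'] else ''}")
    for finding in check_layout(layout):
        print("  !", finding)
```

For this bootargs string the partitions are contiguous (the explicit @0x1e0000 for rootfs is exactly where the uImage partition ends), the layout adds up to a 16 MiB SPI flash, and the 1088572-byte uImage carved below fits comfortably in its 1536k partition. Keep in mind that these are flash offsets, not offsets inside the downloaded firmware file, which carries its own vendor header.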

How about extracting the Linux kernel image?

$ dd if=archer-c7.bin of=uImage bs=1 skip=78448 count=1088572
1088572+0 records in
1088572+0 records out
1088572 bytes (1,1 MB, 1,0 MiB) copied, 1,68628 s, 646 kB/s

We can check that the image was extracted successfully using the file command:

$ file uImage
uImage: u-boot legacy uImage, MIPS OpenWrt Linux-3.3.8, Linux/MIPS, Multi-File Image (lzma), 1088500 bytes, Fri Jul 26 07:46:14 2019, Load Address: 0x80060000, Entry Point: 0x80060000, Header CRC: 0x78A267FF, Data CRC: 0xBB9D4F94

The uImage file format is basically a Linux kernel image with an additional header. Let's remove this header to get the final Linux kernel image:

$ dd if=uImage of=Image.lzma bs=1 skip=72
1088500+0 records in
1088500+0 records out
1088500 bytes (1,1 MB, 1,0 MiB) copied, 1,65603 s, 657 kB/s
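The 72-byte skip above is worth seeing in the header itself: the legacy uImage header is 64 bytes, and a Multi-File Image follows it with a table of big-endian 32-bit sub-image sizes terminated by a zero word, so with one sub-image the payload begins at 64 + 8. This added example (written for this article, not code from the post or from U-Boot) parses that header, verifies the header and data CRCs that the file output printed, and locates the payload. The sample image is constructed with the field values binwalk reported above; its payload is a stand-in, not real LZMA data.

```python
import struct
import zlib
from datetime import datetime, timezone

UIMAGE_MAGIC = 0x27051956
# magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name[32]
HEADER_FMT = ">7I4B32s"
HEADER_LEN = struct.calcsize(HEADER_FMT)    # 64 bytes

# Subset of the enums from U-Boot's image.h.
IH_OS = {5: "Linux"}
IH_ARCH = {2: "ARM", 5: "MIPS"}
IH_TYPE = {2: "Kernel Image", 4: "Multi-File Image", 5: "Firmware Image"}
IH_COMP = {0: "none", 1: "gzip", 3: "lzma"}
IH_TYPE_MULTI = 4


def parse_uimage(data, offset=0):
    """Parse the legacy uImage header at `offset`, verify both CRCs and
    return the header fields plus (offset, size) of each payload image."""
    fields = struct.unpack_from(HEADER_FMT, data, offset)
    magic, hcrc, ts, size, load, ep, dcrc, os_, arch, typ, comp, name = fields
    if magic != UIMAGE_MAGIC:
        raise ValueError(f"no uImage magic at {offset:#x}")
    # ih_hcrc is computed over the header with the ih_hcrc field zeroed.
    hdr = bytearray(data[offset:offset + HEADER_LEN])
    hdr[4:8] = b"\0\0\0\0"
    header_crc_ok = (zlib.crc32(bytes(hdr)) & 0xFFFFFFFF) == hcrc
    body = data[offset + HEADER_LEN:offset + HEADER_LEN + size]
    data_crc_ok = len(body) == size and (zlib.crc32(body) & 0xFFFFFFFF) == dcrc
    # Note: a CRC detects corruption, not tampering; it is not a signature.
    images = []
    pos = offset + HEADER_LEN
    if typ == IH_TYPE_MULTI:
        sizes = []
        while True:                         # size table, zero-terminated
            (n,) = struct.unpack_from(">I", data, pos)
            pos += 4
            if n == 0:
                break
            sizes.append(n)
        for n in sizes:
            images.append((pos, n))
            pos += (n + 3) & ~3             # sub-images are 4-byte aligned
    else:
        images.append((pos, size))
    return {
        "header_crc_ok": header_crc_ok,
        "data_crc_ok": data_crc_ok,
        "created": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "size": size, "load": load, "entry": ep,
        "os": IH_OS.get(os_, f"unknown({os_})"),
        "arch": IH_ARCH.get(arch, f"unknown({arch})"),
        "type": IH_TYPE.get(typ, f"unknown({typ})"),
        "compression": IH_COMP.get(comp, f"unknown({comp})"),
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "images": images,
    }


# Constructed stand-in for the kernel payload (not real LZMA data).
SAMPLE_PAYLOAD = b"\x5d\x00\x00\x80\x00" + b"\xff" * 8 + b"constructed kernel bytes"


def build_sample_uimage(payload=SAMPLE_PAYLOAD, multi=True):
    """Build a uImage with the header values binwalk reported above:
    Linux/MIPS, lzma, load and entry 0x80060000, name 'MIPS OpenWrt Linux-3.3.8'."""
    body = (struct.pack(">II", len(payload), 0) + payload) if multi else payload
    name = b"MIPS OpenWrt Linux-3.3.8".ljust(32, b"\0")
    hdr = struct.pack(HEADER_FMT, UIMAGE_MAGIC, 0, 1564127174, len(body),
                      0x80060000, 0x80060000, zlib.crc32(body) & 0xFFFFFFFF,
                      5, 5, IH_TYPE_MULTI if multi else 2, 3, name)
    hcrc = zlib.crc32(hdr) & 0xFFFFFFFF     # computed with ih_hcrc = 0
    return hdr[:4] + struct.pack(">I", hcrc) + hdr[8:] + body


if __name__ == "__main__":
    for key, value in parse_uimage(build_sample_uimage()).items():
        print(f"{key:>14}: {value}")
```

Running parse_uimage on the real uImage carved above would report images == [(72, n)], matching the skip=72 used in the dd command, and a failed data CRC would tell you the carve was cut short or the file was modified.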

The image is compressed, so let's decompress it:

$ unlzma Image.lzma

Now we have a Linux kernel image:

$ ls -la Image
-rw-rw-r-- 1 sprado sprado 3164228 Fev  5 10:51 Image

What can we do with the kernel image? We could, for example, run a string search on the image to find the Linux kernel version and learn about the environment used to build the kernel:

$ strings Image | grep "Linux version"
Linux version 3.3.8 (leo@leo-MS-7529) (gcc version 4.6.3 20120201 (prerelease) (Linaro GCC 4.6-2012.02) ) #1 Mon May 20 18:53:02 CST 2019

Although the firmware was released last year (2019), at the time I am writing this article it uses an old version of the Linux kernel (3.3.8) released in 2012, compiled with a very old version of GCC (4.6), also from 2012!

With the --opcodes option we can use binwalk to look for machine instructions and determine the processor architecture of the image:

$ binwalk --opcodes Image
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
2400          0x960           MIPS instructions, function epilogue
2572          0xA0C           MIPS instructions, function epilogue
2828          0xB0C           MIPS instructions, function epilogue

What about the root filesystem? Instead of extracting the image by hand, let's use binwalk's --extract option:

$ binwalk --extract --quiet archer-c7.bin

The complete root filesystem will be extracted into a subdirectory:

$ cd _archer-c7.bin.extracted/squashfs-root/

$ ls
bin  dev  etc  lib  mnt  overlay  proc  rom  root  sbin  sys  tmp  usr  var  www

$ cat etc/banner
     MM           NM                    MMMMMMM          M       M
   $MMMMM        MMMMM                MMMMMMMMMMM      MMM     MMM
  MMMMMMMM     MM MMMMM.              MMMMM:MMMMMM:   MMMM   MMMMM
MMMM= MMMMMM  MMM   MMMM       MMMMM   MMMM  MMMMMM   MMMM  MMMMM'
MMMM=  MMMMM MMMM    MM       MMMMM    MMMM    MMMM   MMMMNMMMMM
MMMM=   MMMM  MMMMM          MMMMM     MMMM    MMMM   MMMMMMMM
MMMM=   MMMM   MMMMMM       MMMMM      MMMM    MMMM   MMMMMMMMM
MMMM=   MMMM     MMMMM,    NMMMMMMMM   MMMM    MMMM   MMMMMMMMMMM
MMMM=   MMMM      MMMMMM   MMMMMMMM    MMMM    MMMM   MMMM  MMMMMM
MMMM=   MMMM   MM    MMMM    MMMM      MMMM    MMMM   MMMM    MMMM
MMMM$ ,MMMMM  MMMMM  MMMM    MMM       MMMM   MMMMM   MMMM    MMMM
  MMMMMMM:      MMMMMMM     M         MMMMMMMMMMMM  MMMMMMM MMMMMMM
    MMMMMM       MMMMN     M           MMMMMMMMM      MMMM    MMMM
     MMMM          M                    MMMMMMM        M       M
       M
 ---------------------------------------------------------------
   For those about to rock... (%C, %R)
 ---------------------------------------------------------------

Now we can do all sorts of things.

We can search for configuration files, password hashes, cryptographic keys and digital certificates. We can analyze binaries for troubleshooting and for vulnerabilities.

With the help of qemu and chroot we can run (emulate) an executable from the image:

$ ls
bin  dev  etc  lib  mnt  overlay  proc  rom  root  sbin  sys  tmp  usr  var  www

$ cp /usr/bin/qemu-mips-static .

$ sudo chroot . ./qemu-mips-static bin/busybox
BusyBox v1.19.4 (2019-05-20 18:13:49 CST) multi-call binary.
Copyright (C) 1998-2011 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.

Usage: busybox [function] [arguments]...
   or: busybox --list[-full]
   or: function [arguments]...

    BusyBox is a multi-call binary that combines many common Unix
    utilities into a single executable.  Most people will create a
    link to busybox for each function they wish to use and BusyBox
    will act like whatever it was invoked as.

Currently defined functions:
    [, [[, addgroup, adduser, arping, ash, awk, basename, cat, chgrp, chmod, chown, chroot, clear, cmp, cp, crond, crontab, cut, date, dd, delgroup, deluser, dirname, dmesg, echo, egrep, env, expr, false,
    fgrep, find, free, fsync, grep, gunzip, gzip, halt, head, hexdump, hostid, id, ifconfig, init, insmod, kill, killall, klogd, ln, lock, logger, ls, lsmod, mac_addr, md5sum, mkdir, mkfifo, mknod, mktemp,
    mount, mv, nice, passwd, pgrep, pidof, ping, ping6, pivot_root, poweroff, printf, ps, pwd, readlink, reboot, reset, rm, rmdir, rmmod, route, sed, seq, sh, sleep, sort, start-stop-daemon, strings,
    switch_root, sync, sysctl, tail, tar, tee, telnet, test, tftp, time, top, touch, tr, traceroute, true, udhcpc, umount, uname, uniq, uptime, vconfig, vi, watchdog, wc, wget, which, xargs, yes, zcat

Great! But note the BusyBox version: 1.19.4. This is a very old version of BusyBox, released in April 2012.

So TP-Link released a firmware image in 2019 built with software (GCC toolchain, kernel, BusyBox, etc.) from 2012!

Now do you understand why I always install OpenWRT on my routers?

That's not all

Binwalk can perform entropy analysis, print raw entropy data and generate entropy plots. Typically, the more random the bytes of the image are, the higher the entropy. This may indicate that the image contains encrypted, compressed or obfuscated data. A hardcoded encryption key? Maybe.
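Here is what that analysis computes, as an added example written for this article rather than binwalk's own implementation: Shannon entropy per block, normalised so that 8 bits per byte is 1.0 (the scale of binwalk's plots), with rising and falling edges at the 0.95/0.85 thresholds that the -H/--high and -L/--low options default to. The 1024-byte block size is an assumption of this example. The sample blob is constructed: padding, a pseudo-random region standing in for compressed or encrypted data, and repetitive text.

```python
import math
import random


def shannon_entropy(block):
    """Shannon entropy of a byte block, normalised to 0.0..1.0 (8 bits = 1.0)."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    ent = 0.0
    for c in counts:
        if c:
            p = c / n
            ent -= p * math.log2(p)
    return ent / 8.0


def entropy_scan(data, block_size=1024, high=0.95, low=0.85):
    """Per-block entropy plus rising/falling edges, in the spirit of
    binwalk -E with --high/--low. Returns ([(offset, entropy)], [(offset, edge)])."""
    blocks, edges, in_high = [], [], False
    for off in range(0, len(data), block_size):
        e = shannon_entropy(data[off:off + block_size])
        blocks.append((off, e))
        if not in_high and e >= high:
            edges.append((off, "rising"))
            in_high = True
        elif in_high and e <= low:
            edges.append((off, "falling"))
            in_high = False
    return blocks, edges


def high_entropy_regions(edges, total_size):
    """Pair edges into (start, end) byte ranges. These are the ranges to
    cross-check against the signature scan: a high-entropy region with no
    recognised compression header at its start suggests encrypted or
    obfuscated data rather than a compressor binwalk knows about."""
    regions, start = [], None
    for off, kind in edges:
        if kind == "rising":
            start = off
        elif start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, total_size))
    return regions


def build_sample():
    """Constructed firmware-like blob: 4 KiB of zero padding, 8 KiB of
    pseudo-random bytes (stand-in for a compressed or encrypted region),
    then 4 KiB of repetitive text."""
    rng = random.Random(0)
    return b"\x00" * 4096 + rng.randbytes(8192) + b"OpenWrt " * 512


if __name__ == "__main__":
    data = build_sample()
    blocks, edges = entropy_scan(data)
    for off, e in blocks:                    # a text-mode entropy plot
        print(f"{off:#08x} {e:.3f} {'#' * int(e * 40)}")
    print("edges:", edges)
    print("high-entropy regions:", high_entropy_regions(edges, len(data)))
```

On the TP-Link image the same pass would show the LZMA and xz-compressed regions as near-1.0 plateaus; a plateau that the signature scan cannot explain is the place to look for encryption, and its boundaries give you the offsets to carve.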


We can also use the --raw parameter to search the image for a custom raw byte sequence, or the --hexdump parameter to produce a hex dump comparing two or more input files.

Custom signatures can be added to binwalk either through a custom signature file specified on the command line with the --magic parameter, or by placing them in the $HOME/.config/binwalk/magic directory.

You can learn more about binwalk in the official documentation.

Extending binwalk

There is a binwalk API, implemented as a Python module, that any Python script can use to run a binwalk scan programmatically, and the binwalk command-line utility can be reproduced with just two lines of Python code!

import binwalk
binwalk.scan()

Using the Python API, you can write Python programs that configure and extend binwalk.
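As an added example of the API (my code, not from the post or the binwalk project), the script below runs the same signature scan as binwalk --signature through binwalk.scan() and then turns the hits into dd-style (skip, count) ranges, automating the manual carving done with dd earlier. Each range simply runs from one signature to the next, a cruder rule than reading the length out of each header the way the dd commands above did. binwalk is imported inside the scanning function so the pure helpers run without it installed; the sample hits are constructed from the scan output shown earlier, and the total file size is a placeholder since the post does not state it.

```python
import os
import sys


def scan_offsets(path):
    """Run a binwalk signature scan through the Python API and return
    (offset, description) pairs; binwalk.scan yields one module per scan type,
    each with a .results list of objects carrying .offset and .description."""
    import binwalk
    hits = []
    for module in binwalk.scan(path, signature=True, quiet=True):
        for result in module.results:
            hits.append((result.offset, result.description))
    return hits


def plan_carves(hits, total_size):
    """Turn scan hits into dd-style ranges: each region runs from its
    signature offset up to the next signature, or to the end of the file."""
    hits = sorted(hits)
    plan = []
    for i, (off, desc) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else total_size
        plan.append({"skip": off, "count": end - off, "description": desc})
    return plan


def dd_commands(plan, src):
    """Render the plan as the dd invocations used by hand earlier in the post."""
    return [f"dd if={src} of={src}.{p['skip']:#x}.bin bs=1 "
            f"skip={p['skip']} count={p['count']}" for p in plan]


# Constructed from the binwalk --signature output shown above (a subset).
SAMPLE_HITS = [
    (23232, "uImage header, u-boot image"),
    (23296, "LZMA compressed data"),
    (78448, "uImage header, MIPS OpenWrt Linux-3.3.8"),
    (78520, "LZMA compressed data"),
    (1167013, "Squashfs filesystem, little endian, version 4.0"),
    (15555328, "gzip compressed data"),
]
SAMPLE_TOTAL = 16 * 1024 * 1024    # placeholder: the real file size is not given


if __name__ == "__main__":
    if len(sys.argv) > 1:           # real scan: python carve.py archer-c7.bin
        src = sys.argv[1]
        hits, total = scan_offsets(src), os.path.getsize(src)
    else:                           # offline demo on the constructed hits
        src, hits, total = "archer-c7.bin", SAMPLE_HITS, SAMPLE_TOTAL
    plan = plan_carves(hits, total)
    for entry, cmd in zip(plan, dd_commands(plan, src)):
        print(f"# {entry['description']}\n{cmd}")
```

Note that the range between the two entries at 78448 and 78520 comes out to exactly 72 bytes, the uImage header plus its 8-byte multi-file size table, which is the skip used when the kernel was unwrapped earlier. For real extraction binwalk --extract (-e) already does this work, with per-format extractors instead of blind carving.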

There is also an IDA plugin and a cloud version, Binwalk Pro.

So why not download a firmware image from the Internet and try binwalk? I promise you'll have a lot of fun :)

Source: www.habr.com
