A few days ago I decided to reverse engineer my router's firmware using binwalk.
I bought myself a new router, a TP-Link Archer C7. Every time I buy a new router, I install OpenWRT on it. And since I was downloading OpenWRT anyway, I also downloaded the latest stock firmware image for the router from the vendor's website and decided to take a look inside it.
What is binwalk?
Created in 2010 by Craig Heffner, binwalk scans a firmware image for file signatures and can identify and extract file system images, executable code, compressed archives, bootloaders and kernels, file formats such as JPEG and PDF, and much more.
Using binwalk you can reverse engineer a firmware image to understand how it works: search the binaries for vulnerabilities, extract files, and look for backdoors or digital certificates. It can also find opcodes for a range of CPU architectures.
You can extract file system images to look for specific password files (passwd, shadow and so on) and try to crack the password hashes. You can run a binary diff between two or more files. You can perform entropy analysis on the data to look for compressed data or embedded encryption keys. And all of this without access to the source code.
Basically, everything you need is there :)
How does binwalk work?
The main feature of binwalk is the signature scan: binwalk scans a firmware image looking for the various file types and file systems embedded in it.
Do you know the command-line utility file?
file /bin/bash
/bin/bash: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=12f73d7a8e226c663034529c8dd20efec22dde54, stripped
The file command looks at the header of the file and searches for a signature (magic number) to determine the file type. For example, if a file starts with the byte sequence 0x89 0x50 0x4E 0x47 0x0D 0x0A 0x1A 0x0A, it knows it is a PNG file. Wikipedia maintains a list of common file signatures.
Binwalk works the same way. But instead of looking for the signature only at the beginning of the file, binwalk scans the entire file. In addition, binwalk can extract the files it finds inside the image. Because short magic values also occur by chance in a large binary, a whole-file scan produces false positives; binwalk therefore parses the fields of each candidate header for plausibility and hides the hits it marks as invalid unless you pass --invalid.
Both the file tool and binwalk use the libmagic library to identify file signatures. Binwalk additionally ships its own list of custom magic signatures for compressed and archive files, firmware headers, Linux kernels, bootloaders, file systems and more.
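To make the difference concrete, here is a small whole-buffer signature scanner written for this article as an added example (it is not binwalk's code and not from the original post). It uses a hand-picked subset of magic values, scans a sample buffer constructed inline, and shows why a one-byte LZMA properties field has to be validated against the rest of the 13-byte header before it is reported; the dictionary-size bounds used for that check are an assumption.

```python
import struct

# Hand-picked subset of the magic values binwalk knows about.
SIGNATURES = [
    ("PNG image", b"\x89PNG\r\n\x1a\n"),
    ("ELF executable", b"\x7fELF"),
    ("gzip compressed data", b"\x1f\x8b\x08"),
    ("uImage header", b"\x27\x05\x19\x56"),
    ("Squashfs filesystem, little endian", b"hsqs"),
    ("Squashfs filesystem, big endian", b"sqsh"),
]

def file_like(data):
    """What `file` does: consult the magic table for the start of the data only."""
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            return name
    return "data"

def scan(data):
    """What binwalk does: report every offset at which any magic occurs."""
    hits = []
    for name, magic in SIGNATURES:
        start = 0
        while (off := data.find(magic, start)) >= 0:
            hits.append((off, name))
            start = off + 1
    return sorted(hits)

def lzma_header(data, off):
    """Validate an LZMA 'alone' header candidate at `off`.

    The properties byte alone matches one position in 256, so a scanner
    has to parse the 13-byte header and reject implausible values, which
    is what binwalk does before reporting 'LZMA compressed data'.
    The dictionary-size form (2^n or 2^n + 2^(n-1)) is the one LZMA
    encoders emit; the 4 KiB..1 GiB bounds are an assumption."""
    if off + 13 > len(data):
        return None
    props = data[off]
    if props >= 9 * 5 * 5:              # lc + lp*9 + pb*45 must be < 225
        return None
    dict_size, usize = struct.unpack_from("<IQ", data, off + 1)
    if not 4096 <= dict_size <= 1 << 30:
        return None
    top = 1 << (dict_size.bit_length() - 1)
    if dict_size not in (top, top + top // 2):
        return None
    if usize != 0xFFFFFFFFFFFFFFFF and usize > 1 << 32:
        return None
    return {"properties": props, "dict_size": dict_size, "uncompressed_size": usize}

def scan_lzma(data):
    """Brute-force every offset for a plausible LZMA header."""
    return [(off, hdr) for off in range(len(data)) if (hdr := lzma_header(data, off))]

# Constructed sample "firmware": zero padding, a uImage magic at offset 16,
# an LZMA header (props 0x5D, 8 MiB dictionary, 97476 bytes) at offset 80
# and a little-endian squashfs magic at offset 125.
SAMPLE = (
    b"\x00" * 16
    + b"\x27\x05\x19\x56" + b"\x00" * 60
    + b"\x5d" + struct.pack("<IQ", 8 << 20, 97476) + b"\xff" * 32
    + b"hsqs" + b"\x00" * 8
)

if __name__ == "__main__":
    print("file says:", file_like(SAMPLE))
    for off, name in scan(SAMPLE):
        print(f"{off:>8} {off:#010x} {name}")
    for off, hdr in scan_lzma(SAMPLE):
        print(f"{off:>8} {off:#010x} LZMA compressed data, {hdr}")
```

Run as-is, file_like() reports plain "data" for the sample because it starts with zeros, while scan() and scan_lzma() find all three embedded structures at their offsets, which is exactly the gap between file and binwalk.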
Let's have some fun!
Installing binwalk
Binwalk is supported on several platforms, including Linux, OSX, FreeBSD and Windows.
To install the latest version of binwalk, download the source code from the project's GitHub repository (https://github.com/ReFirmLabs/binwalk) and follow the installation instructions there.
Binwalk has a lot of parameters:
$ binwalk
Binwalk v2.2.0
Craig Heffner, ReFirmLabs
https://github.com/ReFirmLabs/binwalk
Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...
Signature Scan Options:
-B, --signature Scan target file(s) for common file signatures
-R, --raw=<str> Scan target file(s) for the specified sequence of bytes
-A, --opcodes Scan target file(s) for common executable opcode signatures
-m, --magic=<file> Specify a custom magic file to use
-b, --dumb Disable smart signature keywords
-I, --invalid Show results marked as invalid
-x, --exclude=<str> Exclude results that match <str>
-y, --include=<str> Only show results that match <str>
Extraction Options:
-e, --extract Automatically extract known file types
-D, --dd=<type:ext:cmd> Extract <type> signatures, give the files an extension of <ext>, and execute <cmd>
-M, --matryoshka Recursively scan extracted files
-d, --depth=<int> Limit matryoshka recursion depth (default: 8 levels deep)
-C, --directory=<str> Extract files/folders to a custom directory (default: current working directory)
-j, --size=<int> Limit the size of each extracted file
-n, --count=<int> Limit the number of extracted files
-r, --rm Delete carved files after extraction
-z, --carve Carve data from files, but don't execute extraction utilities
-V, --subdirs Extract into sub-directories named by the offset
Entropy Options:
-E, --entropy Calculate file entropy
-F, --fast Use faster, but less detailed, entropy analysis
-J, --save Save plot as a PNG
-Q, --nlegend Omit the legend from the entropy plot graph
-N, --nplot Do not generate an entropy plot graph
-H, --high=<float> Set the rising edge entropy trigger threshold (default: 0.95)
-L, --low=<float> Set the falling edge entropy trigger threshold (default: 0.85)
Binary Diffing Options:
-W, --hexdump Perform a hexdump / diff of a file or files
-G, --green Only show lines containing bytes that are the same among all files
-i, --red Only show lines containing bytes that are different among all files
-U, --blue Only show lines containing bytes that are different among some files
-u, --similar Only display lines that are the same between all files
-w, --terse Diff all files, but only display a hex dump of the first file
Raw Compression Options:
-X, --deflate Scan for raw deflate compression streams
-Z, --lzma Scan for raw LZMA compression streams
-P, --partial Perform a superficial, but faster, scan
-S, --stop Stop after the first result
General Options:
-l, --length=<int> Number of bytes to scan
-o, --offset=<int> Start scan at this file offset
-O, --base=<int> Add a base address to all printed offsets
-K, --block=<int> Set file block size
-g, --swap=<int> Reverse every n bytes before scanning
-f, --log=<file> Log results to file
-c, --csv Log results to file in CSV format
-t, --term Format output to fit the terminal window
-q, --quiet Suppress output to stdout
-v, --verbose Enable verbose output
-h, --help Show help output
-a, --finclude=<str> Only scan files whose names match this regex
-p, --fexclude=<str> Do not scan files whose names match this regex
-s, --status=<int> Enable the status server on the specified port
Scanning the image
Let's start by searching for file signatures in the firmware image downloaded from the vendor's website.
Run binwalk with the --signature parameter (--term only wraps the output to the terminal width):
$ binwalk --signature --term archer-c7.bin
DECIMAL HEXADECIMAL DESCRIPTION
------------------------------------------------------------------------------------------
21876 0x5574 U-Boot version string, "U-Boot 1.1.4-g4480d5f9-dirty (May
20 2019 - 18:45:16)"
21940 0x55B4 CRC32 polynomial table, big endian
23232 0x5AC0 uImage header, header size: 64 bytes, header CRC:
0x386C2BD5, created: 2019-05-20 10:45:17, image size:
41162 bytes, Data Address: 0x80010000, Entry Point:
0x80010000, data CRC: 0xC9CD1E38, OS: Linux, CPU: MIPS,
image type: Firmware Image, compression type: lzma, image
name: "u-boot image"
23296 0x5B00 LZMA compressed data, properties: 0x5D, dictionary size:
8388608 bytes, uncompressed size: 97476 bytes
64968 0xFDC8 XML document, version: "1.0"
78448 0x13270 uImage header, header size: 64 bytes, header CRC:
0x78A267FF, created: 2019-07-26 07:46:14, image size:
1088500 bytes, Data Address: 0x80060000, Entry Point:
0x80060000, data CRC: 0xBB9D4F94, OS: Linux, CPU: MIPS,
image type: Multi-File Image, compression type: lzma,
image name: "MIPS OpenWrt Linux-3.3.8"
78520 0x132B8 LZMA compressed data, properties: 0x6D, dictionary size:
8388608 bytes, uncompressed size: 3164228 bytes
1167013 0x11CEA5 Squashfs filesystem, little endian, version 4.0,
compression:xz, size: 14388306 bytes, 2541 inodes,
blocksize: 65536 bytes, created: 2019-07-26 07:51:38
15555328 0xED5B00 gzip compressed data, from Unix, last modified: 2019-07-26
07:51:41
Now we have a lot of information about this image.
The image uses U-Boot as its bootloader (the uImage header at 0x5AC0 and the LZMA-compressed bootloader image at 0x5B00). From the uImage header at 0x13270 we learn that the processor architecture is MIPS and the Linux kernel version is 3.3.8. And the image found at address 0x11CEA5 tells us that the rootfs is a squashfs file system.
Let's extract the bootloader (U-Boot) with the dd command. The uImage header at 0x5AC0 reports a data size of 41162 bytes and the LZMA data starts at 0x5B00 (23296 in decimal), so we skip 23296 bytes and copy 41162 (bs=1 is slow on large images; GNU dd accepts iflag=skip_bytes,count_bytes together with a larger block size instead):
$ dd if=archer-c7.bin of=u-boot.bin.lzma bs=1 skip=23296 count=41162
41162+0 records in
41162+0 records out
41162 bytes (41 kB, 40 KiB) copied, 0,0939608 s, 438 kB/s
Since the image is compressed with LZMA, we need to decompress it:
$ unlzma u-boot.bin.lzma
Now we have the U-Boot image (97476 bytes, matching the uncompressed size binwalk reported):
$ ls -l u-boot.bin
-rw-rw-r-- 1 sprado sprado 97476 Fev 5 08:48 u-boot.bin
What about finding the default value of bootargs?
$ strings u-boot.bin | grep bootargs
bootargs
bootargs=console=ttyS0,115200 board=AP152 rootfstype=squashfs init=/etc/preinit mtdparts=spi0.0:128k(factory-uboot),192k(u-boot),64k(ART),1536k(uImage),14464k@0x1e0000(rootfs) mem=128M
The U-Boot environment variable bootargs is used to pass parameters to the Linux kernel. From the mtdparts= entry above we also get a clear picture of the device's flash layout: the partitions factory-uboot, u-boot, ART, uImage and rootfs, with their sizes and, for rootfs, an explicit start offset of 0x1e0000.
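As an added example (not from the article), the following Python turns the mtdparts value from the bootargs line above into absolute partition offsets and checks the layout for overlaps and partitions running past the end of flash. The 16 MiB flash size is an assumption; the mtdparts string itself is the one printed by strings above. The parser handles the general cmdlinepart grammar (k/m suffixes, an optional @offset, and "-" for "the rest of the device"), not only the five entries seen here.

```python
import re

# The bootargs line printed by `strings u-boot.bin | grep bootargs` above.
BOOTARGS = ("bootargs=console=ttyS0,115200 board=AP152 rootfstype=squashfs "
            "init=/etc/preinit mtdparts=spi0.0:128k(factory-uboot),192k(u-boot),"
            "64k(ART),1536k(uImage),14464k@0x1e0000(rootfs) mem=128M")

FLASH_SIZE = 16 << 20   # assumption: a 16 MiB SPI flash

_ENTRY = re.compile(
    r"^(?P<size>-|0x[0-9a-fA-F]+|\d+)(?P<suf>[kKmM]?)"
    r"(?:@(?P<off>0x[0-9a-fA-F]+|\d+))?\((?P<name>[^)]+)\)$"
)

def _num(s):
    return int(s, 16) if s.lower().startswith("0x") else int(s)

def mtdparts_from_bootargs(bootargs):
    """Pull the mtdparts=... value out of a kernel command line."""
    m = re.search(r"mtdparts=(\S+)", bootargs)
    if not m:
        raise ValueError("no mtdparts= in bootargs")
    return m.group(1)

def parse_mtdparts(spec, flash_size):
    """Return (device, [(name, start, end)]) with absolute byte offsets.

    An entry without @offset starts where the previous one ended, which is
    how the kernel's cmdlinepart parser lays partitions out; '-' means
    "everything up to the end of the device"."""
    device, _, parts = spec.partition(":")
    cursor = 0
    table = []
    for entry in parts.split(","):
        m = _ENTRY.match(entry.strip())
        if not m:
            raise ValueError(f"bad mtdparts entry: {entry!r}")
        if m["off"] is not None:
            cursor = _num(m["off"])
        if m["size"] == "-":
            size = flash_size - cursor
        else:
            size = _num(m["size"]) << {"": 0, "k": 10, "m": 20}[m["suf"].lower()]
        table.append((m["name"], cursor, cursor + size))
        cursor += size
    return device, table

def check_layout(table, flash_size):
    """Return a list of problems: partitions past the end of flash or overlapping."""
    problems = []
    for i, (name, start, end) in enumerate(table):
        if end > flash_size:
            problems.append(f"{name} ends past flash ({end:#x} > {flash_size:#x})")
        for other, s2, e2 in table[i + 1:]:
            if start < e2 and s2 < end:
                problems.append(f"{name} overlaps {other}")
    return problems

if __name__ == "__main__":
    device, table = parse_mtdparts(mtdparts_from_bootargs(BOOTARGS), FLASH_SIZE)
    print(f"{device}: {FLASH_SIZE >> 20} MiB")
    for name, start, end in table:
        print(f"  {start:#09x}-{end:#09x}  {(end - start) >> 10:6d} KiB  {name}")
    print(check_layout(table, FLASH_SIZE) or "layout OK")
```

For this router the five partitions tile the 16 MiB exactly (rootfs ends at 0x1000000), and the explicit @0x1e0000 on rootfs agrees with the cumulative position, so the layout check comes back clean. Keep in mind that these are flash offsets: they do not coincide with offsets inside the vendor's firmware file, which carries its own packaging around the same data.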
What about extracting the Linux kernel image?
$ dd if=archer-c7.bin of=uImage bs=1 skip=78448 count=1088572
1088572+0 records in
1088572+0 records out
1088572 bytes (1,1 MB, 1,0 MiB) copied, 1,68628 s, 646 kB/s
We can confirm the image was extracted correctly with the file command:
$ file uImage
uImage: u-boot legacy uImage, MIPS OpenWrt Linux-3.3.8, Linux/MIPS, Multi-File Image (lzma), 1088500 bytes, Fri Jul 26 07:46:14 2019, Load Address: 0x80060000, Entry Point: 0x80060000, Header CRC: 0x78A267FF, Data CRC: 0xBB9D4F94
The uImage file format is basically a Linux kernel image with an additional 64-byte header. Because this one is a Multi-File Image, the header is followed by a table of sub-image sizes: one 32-bit size entry plus a 32-bit zero terminator, that is 8 more bytes. So the kernel data starts at offset 72 (64 + 8). Let's skip those bytes to get the actual Linux kernel image:
$ dd if=uImage of=Image.lzma bs=1 skip=72
1088500+0 records in
1088500+0 records out
1088500 bytes (1,1 MB, 1,0 MiB) copied, 1,65603 s, 657 kB/s
The image is compressed, so let's decompress it:
$ unlzma Image.lzma
Now we have the Linux kernel image (3164228 bytes, again matching the uncompressed size binwalk reported):
$ ls -la Image
-rw-rw-r-- 1 sprado sprado 3164228 Fev 5 10:51 Image
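The two dd steps above (carve the uImage, then skip its 64-byte header plus the 8-byte Multi-File size table) can also be done programmatically, with both CRCs from the header verified so that a wrong offset or a truncated copy is caught instead of silently producing garbage. The following Python is an added example written for this article, not U-Boot's or binwalk's code; the uImage it parses is constructed inline by make_sample_uimage(), and the OS/ARCH/TYPE/COMP tables are subsets covering only the values that appear in this firmware.

```python
import struct
import zlib

IH_MAGIC = 0x27051956
IH_TYPE_KERNEL, IH_TYPE_MULTI = 2, 4
# magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name[32]
_HDR = struct.Struct(">IIIIIIIBBBB32s")
assert _HDR.size == 64

OS = {5: "Linux"}             # subsets of U-Boot's tables: only the values seen here
ARCH = {5: "MIPS"}
TYPE = {2: "Kernel Image", 4: "Multi-File Image", 5: "Firmware Image"}
COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}

def _crc(b):
    return zlib.crc32(b) & 0xFFFFFFFF

def parse_uimage(data, off=0):
    """Parse the legacy uImage header at `off`, verifying header and data CRCs,
    and return its fields plus the raw payload that follows the header."""
    (magic, hcrc, ts, size, load, ep, dcrc,
     os_, arch, typ, comp, name) = _HDR.unpack_from(data, off)
    if magic != IH_MAGIC:
        raise ValueError(f"no uImage magic at {off:#x}")
    # The header CRC is computed over the header with the hcrc field zeroed.
    zeroed = _HDR.pack(magic, 0, ts, size, load, ep, dcrc, os_, arch, typ, comp, name)
    if _crc(zeroed) != hcrc:
        raise ValueError("header CRC mismatch")
    payload = data[off + 64: off + 64 + size]
    if len(payload) != size:
        raise ValueError("image truncated")
    if _crc(payload) != dcrc:
        raise ValueError("data CRC mismatch")
    return {
        "size": size, "load": load, "entry": ep,
        "os": OS.get(os_, os_), "arch": ARCH.get(arch, arch),
        "type": TYPE.get(typ, typ), "comp": COMP.get(comp, comp),
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "payload": payload,
    }

def header_ok(data, off=0):
    """True if the header at `off` parses and both CRCs verify."""
    try:
        parse_uimage(data, off)
        return True
    except (ValueError, struct.error):
        return False

def split_multi(payload):
    """Split the payload of a Multi-File image into its sub-images.

    The payload starts with a table of big-endian 32-bit sub-image sizes
    terminated by a zero word, and each sub-image is padded to 4 bytes.
    With one sub-image the table is 8 bytes, which is why the kernel in the
    article starts 72 bytes into the uImage rather than 64."""
    sizes, pos = [], 0
    while True:
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if n == 0:
            break
        sizes.append(n)
    parts = []
    for n in sizes:
        parts.append(payload[pos:pos + n])
        pos += (n + 3) & ~3
    return parts

def make_sample_uimage(kernel, multi=True):
    """Construct a uImage around `kernel` for demonstration (not a real image)."""
    padded = kernel + b"\0" * (-len(kernel) % 4)
    body = struct.pack(">II", len(kernel), 0) + padded if multi else kernel
    typ = IH_TYPE_MULTI if multi else IH_TYPE_KERNEL
    hdr = _HDR.pack(IH_MAGIC, 0, 0, len(body), 0x80060000, 0x80060000,
                    _crc(body), 5, 5, typ, 3, b"MIPS OpenWrt Linux-3.3.8")
    hdr = hdr[:4] + struct.pack(">I", _crc(hdr)) + hdr[8:]   # fill in hcrc
    return hdr + body

if __name__ == "__main__":
    img = make_sample_uimage(bytes(range(256)) * 4)
    info = parse_uimage(img)
    print({k: v for k, v in info.items() if k != "payload"})
    print("sub-image sizes:", [len(p) for p in split_multi(info["payload"])])
```

On the real file you would call parse_uimage(open("archer-c7.bin", "rb").read(), 0x13270) and hand the payload to split_multi(); the first sub-image is the LZMA stream that unlzma decompresses above. The data CRC check is what tells you the carve was correct before you spend time on the payload.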
What can we do with the kernel image? For example, we can run a string search on it to find the Linux kernel version and learn about the environment used to build the kernel:
$ strings Image | grep "Linux version"
Linux version 3.3.8 (leo@leo-MS-7529) (gcc version 4.6.3 20120201 (prerelease) (Linaro GCC 4.6-2012.02) ) #1 Mon May 20 18:53:02 CST 2019
Although this firmware was released last year (2019), at the time of writing it uses an old Linux kernel (3.3.8, released in 2012), compiled with a very old version of GCC (4.6, also from 2012)!
(Translator's note: do you still trust the router in your office or home?)
With the --opcodes option, binwalk can search for machine instructions and determine the processor architecture of the image:
$ binwalk --opcodes Image
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
2400 0x960 MIPS instructions, function epilogue
2572 0xA0C MIPS instructions, function epilogue
2828 0xB0C MIPS instructions, function epilogue
What about the root file system? Instead of extracting the image manually, let's use the --extract option of binwalk:
$ binwalk --extract --quiet archer-c7.bin
The complete root file system is extracted into a subdirectory:
$ cd _archer-c7.bin.extracted/squashfs-root/
$ ls
bin dev etc lib mnt overlay proc rom root sbin sys tmp usr var www
$ cat etc/banner
MM NM MMMMMMM M M
$MMMMM MMMMM MMMMMMMMMMM MMM MMM
MMMMMMMM MM MMMMM. MMMMM:MMMMMM: MMMM MMMMM
MMMM= MMMMMM MMM MMMM MMMMM MMMM MMMMMM MMMM MMMMM'
MMMM= MMMMM MMMM MM MMMMM MMMM MMMM MMMMNMMMMM
MMMM= MMMM MMMMM MMMMM MMMM MMMM MMMMMMMM
MMMM= MMMM MMMMMM MMMMM MMMM MMMM MMMMMMMMM
MMMM= MMMM MMMMM, NMMMMMMMM MMMM MMMM MMMMMMMMMMM
MMMM= MMMM MMMMMM MMMMMMMM MMMM MMMM MMMM MMMMMM
MMMM= MMMM MM MMMM MMMM MMMM MMMM MMMM MMMM
MMMM$ ,MMMMM MMMMM MMMM MMM MMMM MMMMM MMMM MMMM
MMMMMMM: MMMMMMM M MMMMMMMMMMMM MMMMMMM MMMMMMM
MMMMMM MMMMN M MMMMMMMMM MMMM MMMM
MMMM M MMMMMMM M M
M
---------------------------------------------------------------
For those about to rock... (%C, %R)
---------------------------------------------------------------
Now we can do a lot of things.
We can search for configuration files, password hashes, cryptographic keys and digital certificates, and analyze the binaries for bugs and vulnerabilities. With QEMU and chroot we can even run (emulate) an executable from the image. qemu-mips-static is the big-endian MIPS user-mode emulator (on Debian-based systems it comes from the qemu-user-static package); it has to be copied into the extracted tree because chroot cannot see files outside it. Note that chroot is not a security boundary: run untrusted firmware binaries like this in a disposable VM or container, not on a machine you care about.
$ ls
bin dev etc lib mnt overlay proc rom root sbin sys tmp usr var www
$ cp /usr/bin/qemu-mips-static .
$ sudo chroot . ./qemu-mips-static bin/busybox
BusyBox v1.19.4 (2019-05-20 18:13:49 CST) multi-call binary.
Copyright (C) 1998-2011 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.
Usage: busybox [function] [arguments]...
or: busybox --list[-full]
or: function [arguments]...
BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable. Most people will create a
link to busybox for each function they wish to use and BusyBox
will act like whatever it was invoked as.
Currently defined functions:
[, [[, addgroup, adduser, arping, ash, awk, basename, cat, chgrp, chmod, chown, chroot, clear, cmp, cp, crond, crontab, cut, date, dd, delgroup, deluser, dirname, dmesg, echo, egrep, env, expr, false,
fgrep, find, free, fsync, grep, gunzip, gzip, halt, head, hexdump, hostid, id, ifconfig, init, insmod, kill, killall, klogd, ln, lock, logger, ls, lsmod, mac_addr, md5sum, mkdir, mkfifo, mknod, mktemp,
mount, mv, nice, passwd, pgrep, pidof, ping, ping6, pivot_root, poweroff, printf, ps, pwd, readlink, reboot, reset, rm, rmdir, rmmod, route, sed, seq, sh, sleep, sort, start-stop-daemon, strings,
switch_root, sync, sysctl, tail, tar, tee, telnet, test, tftp, time, top, touch, tr, traceroute, true, udhcpc, umount, uname, uniq, uptime, vconfig, vi, watchdog, wc, wget, which, xargs, yes, zcat
Great! But note the BusyBox version: 1.19.4, a very old release of BusyBox from 2012.
So TP-Link released a firmware image in 2019 built with software from 2012 (GCC toolchain, kernel, BusyBox and so on).
Do you understand now why I always install OpenWRT on my routers?
But that's not all.
Binwalk can also perform entropy analysis, print the raw entropy data and generate an entropy graph. Higher entropy is usually observed where the bytes of the image are close to random, which may mean the image contains encrypted, compressed or obfuscated data. A hardcoded encryption key? Why not. Keep in mind that compressed and encrypted regions look the same to an entropy plot; what separates them is whether a valid compression header (such as the LZMA or gzip signatures found above) sits at the rising edge, since encrypted data with no header leaves no signature at all.
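As an added example (not binwalk's implementation), the following Python computes block-wise Shannon entropy over a buffer constructed inline, half config-style text and half seeded pseudo-random bytes, and reports rising and falling entropy edges using the 0.95/0.85 thresholds that binwalk's --high/--low options default to.

```python
import math
import random

def shannon_entropy(block):
    """Shannon entropy of `block` in bits per byte, normalised to 0..1."""
    n = len(block)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c) / 8.0

def entropy_scan(data, block_size=1024):
    """Entropy of each consecutive block: [(offset, entropy)], like the raw
    output of binwalk -E."""
    return [(off, shannon_entropy(data[off:off + block_size]))
            for off in range(0, len(data), block_size)]

def find_edges(points, high=0.95, low=0.85):
    """Mark rising/falling entropy edges with hysteresis, the way binwalk's
    --high/--low thresholds do: a rising edge when a block goes above `high`,
    a falling edge when a later block drops back below `low`."""
    edges, above = [], False
    for off, e in points:
        if not above and e >= high:
            edges.append((off, "rising"))
            above = True
        elif above and e <= low:
            edges.append((off, "falling"))
            above = False
    return edges

def make_sample():
    """Constructed buffer: 2 KiB of config-style text followed by 4 KiB of
    seeded pseudo-random bytes standing in for compressed or encrypted data."""
    line = b"bootargs=console=ttyS0,115200 board=AP152 rootfstype=squashfs\n"
    text = (line * 40)[:2048]
    rng = random.Random(1234)          # fixed seed so the result is reproducible
    noise = bytes(rng.getrandbits(8) for _ in range(4096))
    return text + noise

if __name__ == "__main__":
    points = entropy_scan(make_sample(), 2048)
    for off, e in points:
        print(f"{off:#08x}  {e:.3f}")
    for off, kind in find_edges(points):
        print(f"{off:#08x}  {kind} entropy edge")
```

The text block scores well under the falling threshold (a few dozen distinct characters cannot exceed about 0.6), the random blocks score close to 1.0, and the only edge reported is the rising one at offset 0x800 where the random region begins. On a real image the rising edges are the offsets to examine next with a signature scan.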
You can also use the --raw parameter to find a custom raw byte sequence in the image, or the --hexdump parameter to compare two or more input files and show a hex dump of their differences.
Custom signatures can be added with the --magic parameter, or by placing them in the $HOME/.config/binwalk/magic directory.
For more details about binwalk, see the project's documentation on GitHub.
Binwalk is also extensible through its Python API. With a few lines you can build your own tools on top of it, for example a scan that prints every signature hit with its offset (binwalk.scan() returns one module object per enabled module, each carrying a list of results):
import binwalk
for module in binwalk.scan("archer-c7.bin", signature=True, quiet=True):
    for result in module.results:
        print(hex(result.offset), result.description)
Conclusion
Now download a firmware image from the Internet and give binwalk a try. I promise you will have a lot of fun :)
Source: habr.com