A quiet note: I really couldn't get the NVRAM part working, so anyone willing to help is welcome to get in touch!
Environment
md5sum
c3eb8f8c004d466796a05b4c60503162 R8300-V1.0.2.130_1.0.99.zip
binwalk
binwalk R8300-V1.0.2.130_1.0.99.chk
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
58 0x3A TRX firmware header, little endian, image size: 32653312 bytes, CRC32: 0x5CEAB739, flags: 0x0, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0x21AB50, rootfs offset: 0x0
86 0x56 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 5470272 bytes
2206602 0x21AB8A Squashfs filesystem, little endian, version 4.0, compression:xz, size: 30443160 bytes, 1650 inodes, blocksize: 131072 bytes, created: 2018-12-13 04:36:38
Locating upnpd
iot@attifyos ~/t/f/_/_R8300-V1.0.2.130_1.0.99.chk.extracted> cd squashfs-root/
iot@attifyos ~/t/f/_/_/squashfs-root> ls
bin/ etc/ media@ opt/ sbin/ sys/ usr/ www/
dev/ lib/ mnt/ proc/ share/ tmp/ var@
iot@attifyos ~/t/f/_/_/squashfs-root> find . -name upnpd
./usr/sbin/upnpd
iot@attifyos ~/t/f/_/_/squashfs-root> file ./usr/sbin/upnpd
./usr/sbin/upnpd: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-, stripped
Emulation with FAT (Firmware Analysis Toolkit)
./fat.py R8300-V1.0.2.130_1.0.99.zip
__ _
/ _| | |
| |_ __ _ | |_
| _| / _` | | __|
| | | (_| | | |_
|_| \__,_| \__|
Welcome to the Firmware Analysis Toolkit - v0.3
Offensive IoT Exploitation Training http://bit.do/offensiveiotexploitation
By Attify - https://attify.com | @attifyme
[+] Firmware: R8300-V1.0.2.130_1.0.99.zip
[+] Extracting the firmware...
[+] Image ID: 1
[+] Identifying architecture...
[+] Architecture: armel
[+] Building QEMU disk image...
[+] Setting up the network connection, please standby...
[+] Network interfaces: []
[+] All set! Press ENTER to run the firmware...
[+] When running, press Ctrl + A X to terminate qemu
When FAT cannot determine an IP address and port, as here, it generally cannot proceed automatically.
QEMU user-mode emulation
sudo chroot . ./qemu-arm-static ./usr/sbin/upnpd
or
sudo chroot . ./qemu-arm-static --strace ./usr/sbin/upnpd
-strace QEMU_STRACE log system calls
33359 open("/var/run/upnpd.pid",O_RDWR|O_CREAT|O_TRUNC,0666) = -1 errno=2 (No such file or directory)
After looking at the file structure:
drwxr-xr-x 4 mrbelieve mrbelieve 4096 Oct 20 00:00 tmp
drwxrwxr-x 10 mrbelieve mrbelieve 4096 Dec 12 2018 usr
lrwxrwxrwx 1 mrbelieve mrbelieve 7 Dec 12 2018 var -> tmp/var
drwxr-xr-x 8 mrbelieve mrbelieve 24576 Dec 12 2018 www
This was fixed with
mkdir -p ./tmp/var/run
Running it again then prints a large number of
open("/dev/nvram",O_RDWR) = -1 errno=2 (No such file or directory)
or
/dev/nvram: No such file or directory
/dev/nvram: No such file or directory
/dev/nvram: No such file or directory
open: No such file or directory
All of these are related to NVRAM, an error that comes up very often when emulating IoT devices. NVRAM holds part of the device's configuration, and the program needs to read that configuration at runtime; because the corresponding peripheral is missing, it fails. A common solution is to "hijack" the functions that read and write NVRAM and supply the configuration in software. There are many libraries online that emulate NVRAM behaviour. The libnvram library provided by the Firmadyne framework supports many common APIs, has been adapted to many embedded devices, and also parses the default NVRAM configuration shipped in the firmware, which is a fairly elegant implementation. With this library, very few changes, or even none at all, are usually needed.
libnvram documentation. Once built, put the library directly into squashfs-root.
It can be built with buildroot; in make menuconfig remember to change "Target Architecture" to ARM (little endian), then finally run
buildroot/output/host/usr/bin/arm-linux-gcc -Wall -fPIC -shared nvram.c -o libnvram.so.armel -nostdlib
The specific options come from libnvram's Makefile.
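To make the "hijacking" idea concrete, here is an added example (not libnvram's own code): a minimal in-memory NVRAM shim that answers nvram_get()/nvram_set() from a table seeded by a "key=value" default config, the same role libnvram plays for upnpd; the function names, the config format and the size limits are assumptions.

```c
#include <string.h>
/* Added example (not libnvram's own code): an in-memory NVRAM shim in the
 * spirit of Firmadyne's libnvram. nvram_get()/nvram_set() answer from a table
 * seeded by nvram_load_defaults(), so a binary like upnpd can run without
 * /dev/nvram (built as a .so it would be injected with LD_PRELOAD). The
 * "key=value\n" config format and the size limits below are assumptions. */
#define NVRAM_MAX_ENTRIES 64
#define NVRAM_KEY_LEN 64
#define NVRAM_VAL_LEN 256
static struct { char key[NVRAM_KEY_LEN]; char val[NVRAM_VAL_LEN]; }
    nvram_db[NVRAM_MAX_ENTRIES];
static int nvram_count;
/* Return the stored value for key, or NULL when the key is unset. */
char *nvram_get(const char *key)
{
    for (int i = 0; i < nvram_count; i++)
        if (strcmp(nvram_db[i].key, key) == 0) return nvram_db[i].val;
    return NULL;
}
/* Create or overwrite key; -1 if the table is full or key/value would not fit. */
int nvram_set(const char *key, const char *val)
{
    if (strlen(key) >= NVRAM_KEY_LEN || strlen(val) >= NVRAM_VAL_LEN) return -1;
    char *cur = nvram_get(key);                 /* existing slot, if any */
    if (cur == NULL && nvram_count < NVRAM_MAX_ENTRIES) {
        strcpy(nvram_db[nvram_count].key, key); /* lengths already checked */
        cur = nvram_db[nvram_count++].val;
    }
    if (cur == NULL) return -1;
    strcpy(cur, val);
    return 0;
}
/* Seed the table from "key=value" lines (as libnvram does with a firmware's
 * default config), skipping malformed or over-long ones; returns the count. */
int nvram_load_defaults(const char *text)
{
    int loaded = 0;
    char line[NVRAM_KEY_LEN + NVRAM_VAL_LEN];
    while (*text != '\0') {
        size_t len = strcspn(text, "\n");
        char *eq = len < sizeof line ? memchr(text, '=', len) : NULL;
        if (eq != NULL) {
            memcpy(line, text, len);
            line[len] = line[eq - text] = '\0';     /* split key / value */
            loaded += nvram_set(line, line + (eq - text) + 1) == 0;
        }
        text += len + (text[len] == '\n');          /* advance to next line */
    }
    return loaded;
}
```

Keys such as lan_ipaddr and upnpd_debug_level from the output above would be served from this table once the firmware's default config has been loaded.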
sem_lock: Triggering NVRAM initialization!
nvram_init: Initializing NVRAM...
sem_get: Unable to get semaphore key!
sem_lock: Unable to get semaphore!
sem_get: Unable to get semaphore key!
sem_unlock: Unable to get semaphore!
nvram_init: Unable to mount tmpfs on mount point /firmadyne/libnvram/!
sem_get: Unable to get semaphore key!
sem_lock: Unable to get semaphore!
sem_get: Unable to get semaphore key!
sem_unlock: Unable to get semaphore!
nvram_get_buf: Unable to open key: /firmadyne/libnvram/upnpd_debug_level!
With that in place, the NVRAM configuration can now be worked on.
And at this point I really couldn't get it tuned... it finally died on lan_ipaddr, and no matter how I set it, it wasn't right...
QEMU system-mode emulation
This is quite cumbersome: essentially it boots a complete virtual machine and then runs the service inside it (and the VM is slow).
The following is on Ubuntu 20; I have not yet managed to get it working on AttifyOS.
Create a tap interface and give it an IP address:
sudo tunctl -t tap0 -u `whoami`
sudo ifconfig tap0 192.168.2.1/24
The tap networking backend makes use of a tap networking device in the host. It offers very good performance and can be configured to create virtually any type of network topology. Unfortunately, it requires configuration of that network topology in the host which tends to be different depending on the operating system you are using.
Then put vmlinuz-3.2.0-4-vexpress, initrd.img-3.2.0-4-vexpress and debian_wheezy_armhf_standard.qcow2 in the current directory. The download location for these files:
armel and armhf
The ARM EABI (armel) port targets a range of older 32-bit ARM devices, particularly those used in NAS hardware and a variety of *plug computers. The newer ARM hard-float (armhf) port supports newer, more powerful 32-bit devices using version 7 of the ARM architecture specification.
qemu-system-arm -M vexpress-a9 -kernel vmlinuz-3.2.0-4-vexpress -initrd initrd.img-3.2.0-4-vexpress -drive if=sd,file=debian_wheezy_armhf_standard.qcow2 -append "root=/dev/mmcblk0p2" -net nic -net tap,ifname=tap0,script=no,downscript=no -nographic
About this root=/dev/mmcblk0p2: when I tried putting the folder straight into the image, it wouldn't boot... My workaround was to boot it this way first and then transfer the folder in with scp:
scp -r ./squashfs-root root@192.168.2.2:/home/user/squashfs-root
Wait...
After it boots:
- Root password: root
- User account: user
- User password: user
root@debian-armhf:/home/user# ifconfig eth0 192.168.2.2/24
root@debian-armhf:/home/user# ifconfig
eth0 Link encap:Ethernet HWaddr 52:54:00:12:34:56
inet addr:192.168.2.2 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::5054:ff:fe12:3456/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:2178 (2.1 KiB)
Interrupt:47
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
root@debian-armhf:/home/user# id
uid=0(root) gid=0(root) groups=0(root)
root@debian-armhf:/home/user# mount -t proc /proc ./squashfs-root/proc
root@debian-armhf:/home/user# mount -o bind /dev ./squashfs-root/dev
root@debian-armhf:/home/user# chroot ./squashfs-root/ sh # after switching root, run the sh shell from the new directory tree
BusyBox v1.7.2 (2018-12-13 12:34:27 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
uid=0 gid=0(root)
PS: after chroot, the system reads the directories and files under the new root, i.e. the firmware's directories and files. chroot does not switch /dev and /proc by default, so these two directories have to be mounted before switching root.
It exited without printing anything.
==How did I work out that it was an open() problem...==
After creating /var/run, it prints:
/dev/nvram: No such file or directory
/dev/nvram: No such file or directory
/dev/nvram: No such file or directory
/dev/nvram: No such file or directory
/dev/nvram: No such file or directory
/dev/nvram: No such file or directory
/dev/nvram: No such file or directory
/dev/nvram: No such file or directory
/dev/nvram: No such file or directory
/dev/nvram: No such file or directory
Analysis notes
Summary of the analysis
The role of the PC register on ARM
The Program Counter holds the address of the next instruction to execute; in sequential execution it holds the current address + 4.
The rasm2 tool can translate assembly instructions into machine code.
Example:
0030a0e1
This can then be used in IDA under Patch program > Change byte.
Pay particular attention to the more dangerous functions:
strcpy, etc.
When strncpy copies, if n is less than the length of src, only the first n characters of src are copied into the first n bytes of dest, and no \x00 is appended automatically. If src is shorter than n, \x00 is padded into dest until n bytes have been written.
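The length-bounded copy behaviour described above, demonstrated as an added example (not code from the original post): one probe counts the terminators strncpy leaves in a fixed buffer, including the equal-length edge case where none is written, and a hardened wrapper shows the fix; nul_bytes_after_strncpy and strncpy_safe are assumed helper names.

```c
#include <string.h>
#include <stddef.h>

/* Added example (not from the original post). nul_bytes_after_strncpy() fills
 * a fixed buffer with a sentinel, runs strncpy(dest, src, n) and counts the
 * '\0' bytes in dest[0..n). A result of 0 means no terminator was written, so
 * a later strlen()/strcpy() on dest would read past the end of the buffer. */
#define DEST_LEN 8

int nul_bytes_after_strncpy(const char *src, size_t n)
{
    char dest[DEST_LEN];
    int zeros = 0;
    if (n > sizeof dest)                      /* keep the probe itself safe */
        return -1;
    memset(dest, 'X', sizeof dest);           /* sentinel: no '\0' anywhere */
    strncpy(dest, src, n);
    for (size_t i = 0; i < n; i++)
        zeros += dest[i] == '\0';
    return zeros;                             /* 0 when strlen(src) >= n */
}

/* Hardened variant: copies at most n-1 bytes and always NUL-terminates dest;
 * returns 1 when src had to be truncated, 0 otherwise. */
int strncpy_safe(char *dest, const char *src, size_t n)
{
    if (n == 0)
        return 1;
    const char *end = memchr(src, '\0', n);   /* terminator within n bytes? */
    size_t len = end ? (size_t)(end - src) : n - 1;
    memcpy(dest, src, len);
    dest[len] = '\0';
    return end == NULL;
}
```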
Uninitialized memory
The path from the function to the vulnerable point is short
The data on the stack does not change much, so the padded ROP gadgets can be reused
After an ARM stack overflow it seems one can overwrite up to n registers in a row (still to be confirmed in detail)
References
Analysis references
- https://paper.seebug.org/1311/#1
- https://cq674350529.github.io/2020/09/16/PSV-2020-0211-Netgear-R8300-UPnP%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/