Tool introduction document: (linked from the original article)
Tool Installation
Firmware Slap is meant to run inside a Python virtual environment and has been tested on Python 3.6. The quickest way to set one up is:
sudo apt install python3-virtualenv
virtualenv -p python3 fwslap
source fwslap/bin/activate
Or, you can also use the following commands to complete the download, installation, and project build (configuration) of Firmware Slap:
cd ~
mkdir .virtualenvs
pip install virtualenv
which virtualenv # note path warnings
pip install virtualenvwrapper
# Single quotes keep $PATH and $HOME unexpanded in .bashrc, so they are resolved at login rather than baked in now
echo 'export PATH=$PATH:$HOME/.local/bin' >> ~/.bashrc
echo 'export WORKON_HOME=$HOME/.virtualenvs' >> ~/.bashrc
echo "source ~/.local/bin/virtualenvwrapper.sh" >> ~/.bashrc
# Usually best here to open a new terminal
mkvirtualenv fwslap -p /usr/bin/python3
workon fwslap
Finally, run the following command to complete the installation using setup.py:
python setup.py install
At this time, we also need to install rabbitmq, Docker, and Radare2 or Ghidra:
# Ubuntu
sudo apt install rabbitmq-server docker.io
# OSX
brew install rabbitmq
# Radare2
git clone https://github.com/radare/radare2.git
sudo radare2/sys/install.sh
# Ghidra
wget https://ghidra-sre.org/ghidra_9.0.4_PUBLIC_20190516.zip
unzip ghidra_9.0.4_PUBLIC_20190516.zip -d ghidra
echo "export PATH=$PATH:$PWD/ghidra/ghidra_9.0.4/support" >> ~/.bashrc
If you choose Ghidra, you also need JDK 11. On Ubuntu, default-jdk installs whatever JDK the release treats as its default, which is not 11 on older releases, so confirm the version afterwards and install openjdk-11-jdk instead if it does not report 11:
sudo apt install default-jdk
java --version
If you want to use the Elastic search feature, you also need to run the Elasticsearch_and_kibana.sh script.
Tool usage
First, make sure rabbitmq-server is running (Celery uses it as its message broker), then start a Celery worker in a separate terminal:
# In a Separate terminal, run this in the top level "Firmware_Slap" directory
celery -A firmware_slap.celery_tasks worker --loglevel=info
# Basic buffer overflow
Discover_And_Dump.py examples/iwconfig -D iwconfig_results
Load_And_View_Results.py iwconfig_results.all.pickle
# In Kibana (after running Elasticsearch_and_kibana.sh):
# Click Management on the left pane
# Click Saved Objects
# Click Import
# Select 'elastic_export.json' under the elastic directory in Firmware Slap
# Navigate to Dashboards on the left pane and select 'Overview Dashboard'
Load_And_View_Results.py iwconfig_results.all.pickle -s
# Command injection
tar -xvf examples/Almond_libs.tar.gz
Vuln_Discover_Celery.py examples/upload.cgi -L Almond_Root/lib/
To reproduce the command-injection example on the real firmware, download the Securifi Almond image and extract its root file system with binwalk:
# Get the firmware used for examples
wget https://firmware.securifi.com/AL3_64MB/AL3-R024-64MB
binwalk -Mre AL3-R024-64MB
From the top-level Firmware_Slap directory, start the Celery worker in a separate terminal:
# In a separate terminal
celery -A firmware_slap.celery_tasks worker --loglevel=info
In another terminal, run the discovery script against the extracted CGI binary, pointing -L at the firmware's own libraries. When a vulnerability is found, the script prints it and drops into an IPython shell with the finding stored in the variable result:
$ Vuln_Discover_Celery.py Almond_Root/etc_ro/lighttpd/www/cgi-bin/upload_bootloader.cgi -L Almond_Root/lib/
[+] Getting argument functions
[+] Analyzing 1 functions
0%| | 0/1 [00:01<?, ?it/s]
{ 'Injected_Location': { 'base': '0x7ffefde8',}}
........................ SNIP ......................
'type': 'Command Injection'
Python 3.5.2 (default, Nov 12 2018, 13:43:14)
Type 'copyright', 'credits' or 'license' for more information
IPython 7.3.0 -- An enhanced Interactive Python. Type '?' for help.
In [1]:
The returned vulnerability object
The command above leaves a dictionary in the result variable that describes the finding. Besides the file name and the vulnerability type, it carries three main pieces of data: the recovered function arguments, the memory snapshots taken along the path, and the injection location.
In [3]: result.keys()
Out[3]: dict_keys(['args', 'file_name', 'type', 'mem', 'Injected_Location'])
Function arguments
The args list records each recovered argument: the register or slot it lives in (base), its type, and the concrete value the solver chose, shown as pointer -> contents. In this example the tool found a single argument (MIPS register a1) pointing to a buffer whose contents begin with a backtick command substitution; the remaining bytes are filler the solver picked for the unconstrained tail of the buffer. Passing this value is enough to trigger command execution:
In [1]: result['args']
Out[1]:
[{'base': 'a1',
  'type': 'int',
  'value': "0x0 -> b'`reboot`\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x00'"}]
Memory information
Each entry in mem is a snapshot taken at a basic block on the path to the vulnerability: the block's address in .text (BBL_ADDR), its description and disassembly (BBL_DESC), the data observed there (DATA) and the address that data sat at, on the stack in this case (DATA_ADDRS). This lets a researcher follow the tainted value from the function entry to the sink. Here the first snapshot is the entry of mtd_write_firmware, where the disassembly sets up a call through $t9 with a 0x200-byte stack buffer at $sp+0x20 in $a0, the size 0x200 in $a1, a constant string address in $a2 and the original $a1 argument in $a3, which is consistent with a snprintf-style call that formats the user-controlled argument into the buffer. The second snapshot is the following call through $t9 that receives that buffer in $a0, and its DATA field shows the fully composed command line:
In [2]: result['mem']
Out[2]:
[{'BBL_ADDR': '0x401138',
'BBL_DESC': {'DESCRIPTION': 'mtd_write_firmware+0x0 in upload_bootloader.cgi (0x401138)',
'DISASSEMBLY': ['0x401138:\tlui\t$gp, 0x42',
'0x40113c:\taddiu\t$sp, $sp, -0x228',
'0x401140:\taddiu\t$gp, $gp, -0x5e90',
'0x401144:\tlw\t$t9, -0x7f84($gp)',
'0x401148:\tsw\t$a2, 0x10($sp)',
'0x40114c:\tlui\t$a2, 0x40',
'0x401150:\tmove\t$a3, $a1',
'0x401154:\tsw\t$ra, 0x224($sp)',
'0x401158:\tsw\t$gp, 0x18($sp)',
'0x40115c:\tsw\t$a0, 0x14($sp)',
'0x401160:\taddiu\t$a1, $zero, 0x200',
'0x401164:\taddiu\t$a0, $sp, 0x20',
'0x401168:\tjalr\t$t9',
'0x40116c:\taddiu\t$a2, $a2, 0x196c']},
'DATA': "b'Please reboot the system.0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'",
'DATA_ADDRS': ['0x0']},
{'BBL_ADDR': '0x401170',
'BBL_DESC': {'DESCRIPTION': 'mtd_write_firmware+0x38 in upload_bootloader.cgi (0x401170)',
'DISASSEMBLY': ['0x401170:\tlw\t$gp, 0x18($sp)',
'0x401174:\tnop\t',
'0x401178:\tlw\t$t9, -0x7f68($gp)',
'0x40117c:\tnop\t',
'0x401180:\tjalr\t$t9',
'0x401184:\taddiu\t$a0, $sp, 0x20']},
'DATA': "b'/bin/mtd_write -o 0 -l 0 write `reboot`'",
'DATA_ADDRS': ['0x7ffefe07']}
Injection location
The Injected_Location entry identifies the sink buffer: its address (on the stack), its type, and the complete command the program would hand to the shell. In this example no escaping is needed at all, since the backtick substitution is copied into the command line verbatim, which makes it a convenient demonstration of what the injection location looks like:
In [4]: result['Injected_Location']
Out[4]: {'base': '0x7ffefde8', 'type': 'char *', 'value': '/bin/mtd_write -o 0 -l 0 write `reboot`'}
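The three parts of the object are easiest to understand by decoding them programmatically. The following is an added example, not code from Firmware Slap or from the original article: it builds a constructed result dictionary in the shape shown above (with the long padding trimmed), turns the "pointer -> b'...'" argument values and the DATA fields back into bytes, pulls the substituted commands out of the payload, and walks the memory snapshots in order. It also checks one detail the numbers on this page support: 0x7ffefe07 - 0x7ffefde8 is 31, the length of the fixed prefix "/bin/mtd_write -o 0 -l 0 write ", so the last snapshot's DATA_ADDRS lines up with where the attacker-controlled bytes sit inside the composed command. Function names and the $(...) handling are this example's own choices.

```python
import ast
import re
from typing import Any, Dict, List, Tuple

# Constructed sample in the shape of the `result` object shown above. Values mirror the
# page's output; the long run of \x01 padding in the argument value is trimmed to three bytes.
SAMPLE_RESULT: Dict[str, Any] = {
    "file_name": "upload_bootloader.cgi",
    "type": "Command Injection",
    "args": [
        {"base": "a1", "type": "int", "value": "0x0 -> b'`reboot`\\x01\\x01\\x01\\x00'"},
    ],
    "mem": [
        {
            "BBL_ADDR": "0x401138",
            "BBL_DESC": {
                "DESCRIPTION": "mtd_write_firmware+0x0 in upload_bootloader.cgi (0x401138)",
                "DISASSEMBLY": ["0x401138:\tlui\t$gp, 0x42", "0x401168:\tjalr\t$t9"],
            },
            "DATA": "b'Please reboot the system.\\x00\\x00'",
            "DATA_ADDRS": ["0x0"],
        },
        {
            "BBL_ADDR": "0x401170",
            "BBL_DESC": {
                "DESCRIPTION": "mtd_write_firmware+0x38 in upload_bootloader.cgi (0x401170)",
                "DISASSEMBLY": ["0x401180:\tjalr\t$t9", "0x401184:\taddiu\t$a0, $sp, 0x20"],
            },
            "DATA": "b'/bin/mtd_write -o 0 -l 0 write `reboot`'",
            "DATA_ADDRS": ["0x7ffefe07"],
        },
    ],
    "Injected_Location": {
        "base": "0x7ffefde8",
        "type": "char *",
        "value": "/bin/mtd_write -o 0 -l 0 write `reboot`",
    },
}

# An args value looks like "0x0 -> b'...'": a pointer, then the repr of the bytes it points at.
ARG_VALUE_RE = re.compile(r"^(0x[0-9a-fA-F]+) -> (b'.*')$", re.DOTALL)


def parse_arg_value(value: str) -> Tuple[int, bytes]:
    """Split a "pointer -> b'...'" string into (pointer, concrete bytes).

    The right-hand side is a bytes repr, so ast.literal_eval turns the escaped
    \\x01 / \\x00 sequences back into real bytes without eval().
    """
    m = ARG_VALUE_RE.match(value)
    if m is None:
        raise ValueError(f"unexpected args value: {value!r}")
    return int(m.group(1), 16), ast.literal_eval(m.group(2))


def decode_data(data: str) -> bytes:
    """DATA fields are also stored as the repr of a bytes object."""
    return ast.literal_eval(data)


def strip_filler(payload: bytes) -> bytes:
    """Drop the NUL terminator and the 0x01 filler the solver chose for the unconstrained tail."""
    return payload.rstrip(b"\x00").rstrip(b"\x01")


def injected_commands(payload: bytes) -> List[str]:
    """Commands the shell would run by substitution: backticks as on this page, plus $(...)."""
    found = re.findall(rb"`([^`]+)`", payload) + re.findall(rb"\$\(([^)]+)\)", payload)
    return [c.decode("latin-1") for c in found]


def memory_trace(result: Dict[str, Any]) -> List[Tuple[str, str, str]]:
    """(basic block address, function+offset, data seen there) for each memory snapshot."""
    trace = []
    for entry in result["mem"]:
        data = decode_data(entry["DATA"]).split(b"\x00", 1)[0].decode("latin-1")
        func = entry["BBL_DESC"]["DESCRIPTION"].split(" in ", 1)[0]
        trace.append((entry["BBL_ADDR"], func, data))
    return trace


def payload_offset(result: Dict[str, Any]) -> int:
    """Distance between the sink buffer start and the address of the last observed data.

    Injected_Location.base is the start of the composed command on the stack; the last
    snapshot's DATA_ADDRS is where the injected bytes were seen, so the difference is the
    length of the fixed command prefix.
    """
    sink = int(result["Injected_Location"]["base"], 16)
    seen = int(result["mem"][-1]["DATA_ADDRS"][0], 16)
    return seen - sink


def report(result: Dict[str, Any]) -> Dict[str, Any]:
    """Compact triage record for one vulnerability object."""
    _ptr, raw = parse_arg_value(result["args"][0]["value"])
    payload = strip_filler(raw)
    return {
        "file": result["file_name"],
        "type": result["type"],
        "arg": result["args"][0]["base"],
        "payload": payload.decode("latin-1"),
        "commands": injected_commands(payload),
        "sink": result["Injected_Location"]["value"],
        "sink_address": result["Injected_Location"]["base"],
        "payload_offset": payload_offset(result),
    }


if __name__ == "__main__":
    for key, val in report(SAMPLE_RESULT).items():
        print(f"{key:>15}: {val}")
    for bbl, func, data in memory_trace(SAMPLE_RESULT):
        print(f"{bbl} {func:<28} {data}")
```

The same helpers work on a real object: in the IPython shell that Vuln_Discover_Celery.py drops into, pass result instead of SAMPLE_RESULT, or load a saved .all.pickle with pickle.load and iterate over its entries.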
Vulnerability cluster script example
Vuln_Cluster_Celery.py reuses the discovery modules to scan the executables in a directory for vulnerabilities, then builds a k-means clustering of the functions it found and reports the functions that fall into the same cluster as a known vulnerable one, so that code similar to a confirmed bug can be triaged next.
$ Vuln_Cluster_Celery.py -h
usage: Vuln_Cluster_Celery.py [-h] [-L LD_PATH] [-F FUNCTION] [-V VULN_PICKLE]
                              Directory
positional arguments:
  Directory
optional arguments:
  -h, --help            show this help message and exit
  -L LD_PATH, --LD_PATH LD_PATH
                        Path to libraries to load
  -F FUNCTION, --Function FUNCTION
  -V VULN_PICKLE, --Vuln_Pickle VULN_PICKLE
Here -F names the known vulnerable function, -V supplies a previously saved vulnerability pickle (VULN_PICKLE), and -L points at the firmware's library directory. A usage example:
$ python Vuln_Cluster_Celery.py -F mtd_write_firmware -L Almond_Root/lib/ Almond_Root/etc_ro/lighttpd/www/cgi-bin/
[+] Reading Files
100%|███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1/1 [00:00<00:00, 2.80it/s]
Getting functions from executables
Starting main
... Snip ...
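To make the clustering step concrete, here is an added example that is not part of Firmware Slap or of the original article. It assigns each function a small feature vector (basic-block count, number of calls to command-running libc functions, number of string-formatting calls, argument count), scales the features, runs a plain k-means, and returns the functions that cluster with mtd_write_firmware. The feature set, the function names other than mtd_write_firmware and all the numbers are constructed for this illustration; they are not the features the tool extracts.

```python
from typing import Dict, List, Tuple

Vector = Tuple[float, ...]

# Constructed per-function feature vectors for a CGI binary like the one discussed above:
# (basic blocks, calls to command-running libc functions such as system/popen,
#  string-formatting calls such as sprintf, argument count).
# Illustrative values chosen for this example, not the features Firmware Slap extracts.
FUNCTION_FEATURES: Dict[str, Vector] = {
    "mtd_write_firmware": (3, 1, 2, 3),    # the known-vulnerable function from the page
    "mtd_write_bootloader": (4, 1, 2, 2),  # hypothetical sibling with the same shape
    "set_hostname": (3, 1, 1, 1),          # hypothetical: small, one exec-style call
    "upload_main": (18, 0, 1, 0),          # hypothetical request handling, no exec calls
    "parse_header": (20, 0, 0, 2),         # hypothetical
    "cgi_main": (30, 0, 0, 2),             # hypothetical
}


def sq_dist(a: Vector, b: Vector) -> float:
    """Squared Euclidean distance (no sqrt needed for nearest-centroid comparisons)."""
    return sum((x - y) ** 2 for x, y in zip(a, b))


def mean(vectors: List[Vector]) -> Vector:
    return tuple(sum(v[i] for v in vectors) / len(vectors) for i in range(len(vectors[0])))


def min_max_scale(points: List[Vector]) -> List[Vector]:
    """Scale every feature to [0, 1] so a large raw count (basic blocks) cannot dominate."""
    dims = len(points[0])
    lo = [min(p[i] for p in points) for i in range(dims)]
    hi = [max(p[i] for p in points) for i in range(dims)]
    return [
        tuple((p[i] - lo[i]) / (hi[i] - lo[i]) if hi[i] > lo[i] else 0.0 for i in range(dims))
        for p in points
    ]


def kmeans(points: List[Vector], k: int, max_iter: int = 100) -> List[int]:
    """Lloyd's algorithm with deterministic farthest-point seeding; returns a label per point."""
    centroids = [points[0]]
    while len(centroids) < k:
        # Seed the next centroid with the point farthest from all centroids chosen so far.
        centroids.append(max(points, key=lambda p: min(sq_dist(p, c) for c in centroids)))
    labels: List[int] = []
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda j: sq_dist(p, centroids[j])) for p in points]
        if new_labels == labels:
            break  # assignments stable, converged
        labels = new_labels
        for j in range(k):
            members = [p for p, lbl in zip(points, labels) if lbl == j]
            if members:
                centroids[j] = mean(members)
    return labels


def similar_functions(features: Dict[str, Vector], known_vulnerable: str, k: int = 2) -> List[str]:
    """Functions that land in the same cluster as the known-vulnerable one (sorted by name)."""
    names = list(features)
    labels = kmeans(min_max_scale([features[n] for n in names]), k)
    target = labels[names.index(known_vulnerable)]
    return sorted(n for n, lbl in zip(names, labels) if lbl == target and n != known_vulnerable)


if __name__ == "__main__":
    print("functions clustered with mtd_write_firmware:",
          similar_functions(FUNCTION_FEATURES, "mtd_write_firmware"))
```

With these inputs the two small functions that also call an exec-style routine cluster with mtd_write_firmware, while the larger parsing and dispatch functions form the other cluster. In practice k and the feature set decide what "similar" means, so treat clustered functions as candidates to re-run the discovery script on, not as confirmed bugs.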
Project address
Firmware Slap: https://github.com/ChrisTheCoolHut/Firmware_Slap
* Source: ChrisTheCoolHut; compiled by FreeBuf editor Alpha_h4ck. Please credit FreeBuf.COM when reposting.