Firmware introduction
The vulnerable firmware of a certain router; searching for its name, the matching version can be downloaded from the vendor's official website.
Tools used during the analysis
binwalk, fcrackzip, unyaffs, hashcat, John the Ripper, firmwalker
Step 1: Crack the archive password
The firmware download is a password-protected zip, so fcrackzip is used to brute-force it first.
Zip extraction password obtained: beUT9Z
Step 2: Extract the firmware with unyaffs
The image is a yaffs2 file system; unyaffs unpacks it into the current directory, so work inside a dedicated folder:
# mkdir test1
# cp 2K-mdm-image-mdm9625.yaffs2 test1
# cd test1
# unyaffs 2K-mdm-image-mdm9625.yaffs2
# ls
2K-mdm-image-mdm9625.yaffs2 boot cache config2 disk home linuxrc mnt sbin sys usr WEBSERVER
bin build.prop config dev etc lib media proc sdcard tmp var www
Step 3: Information gathering
From the extracted root, look for configuration files, credential stores, shell histories and SSH material:
# find . -name "*.conf"
# find . -name "shadow"
# find . -name "passwd"
# find . -name "*config*"
# find . -name "*history*"
# find . -name "*ssh*config*"
# find . -name "*ssh*host*"
Step 4: Look for key configuration information
# cat ./etc/inadyn-mt.conf
# cat ./etc/shadow
# cat ./etc/passwd
These reveal several account names and passwords (inadyn-mt is a dynamic-DNS client, and its config stores the DDNS account credentials in plaintext), together with the root account's username and password hash from /etc/shadow.
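The search-and-extract part of steps 3 and 4 can be scripted so the same checks are repeatable on the next image. The following is an added example, not code from the original post: it builds a small constructed directory tree that mimics the extracted image (the file names, the admin user and the inadyn-mt contents are made up for the demo; only root's shadow line is the one shown in the post), runs the same kind of find, pulls out any shadow entry that carries a real hash in the user:hash form John expects, and classifies the hash by its crypt(3) prefix so the matching hashcat mode can be picked.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed rootfs layout below;
# only root's shadow line matches the value seen in the post.

make_fake_rootfs() {
    # $1 = directory to populate (constructed data)
    mkdir -p "$1/etc" "$1/bin" "$1/var/lib/opkg/alternatives" "$1/www"
    printf 'root:x:0:0:root:/root:/bin/sh\nadmin:x:1000:1000::/home/admin:/bin/sh\n' > "$1/etc/passwd"
    # root's hash is a 13-character traditional DES crypt; admin is locked ("*")
    printf 'root:aRDiHrJ0OkehM:16270:0:99999:7:::\nadmin:*:16270:0:99999:7:::\n' > "$1/etc/shadow"
    # constructed DDNS client config with plaintext credentials
    printf 'username=ddnsuser\npassword=ddnspass\n' > "$1/etc/inadyn-mt.conf"
    : > "$1/bin/passwd"
    : > "$1/var/lib/opkg/alternatives/passwd"
}

# Candidate files: configs, credential stores, shell histories, SSH host keys.
find_interesting_files() {
    find "$1" \( -name '*.conf' -o -name shadow -o -name passwd \
        -o -name '*config*' -o -name '*history*' -o -name '*ssh*host*' \) \
        -type f | sort
}

# Shadow entries for a user that carry a real hash (not empty, "*" or "!"),
# already in the user:hash:... format john reads directly.
extract_user_hash() {
    # $1 = rootfs dir, $2 = username
    awk -F: -v u="$2" '$1 == u && $2 != "" && $2 !~ /^[*!]/ { print }' "$1/etc/shadow"
}

# Map a crypt(3) hash to its scheme and the hashcat mode that cracks it.
classify_hash() {
    case "$1" in
        '$1$'*)        echo "md5crypt (hashcat -m 500)" ;;
        '$5$'*)        echo "sha256crypt (hashcat -m 7400)" ;;
        '$6$'*)        echo "sha512crypt (hashcat -m 1800)" ;;
        '$y$'*|'$7$'*) echo "yescrypt/scrypt" ;;
        *)
            # traditional DES crypt: 2-char salt + 11 chars, no "$" prefix
            if [ "${#1}" -eq 13 ]; then
                echo "descrypt (hashcat -m 1500)"
            else
                echo "unknown"
            fi ;;
    esac
}

demo() {
    dir=$(mktemp -d)
    make_fake_rootfs "$dir"
    echo "== interesting files =="
    find_interesting_files "$dir" | sed "s#^$dir##"
    echo "== root hash for john =="
    extract_user_hash "$dir" root | tee "$dir/hash.txt"
    classify_hash "$(extract_user_hash "$dir" root | cut -d: -f2)"
    rm -rf "$dir"
}

demo
```

Point the functions at the real extracted directory instead of the constructed one; the hash.txt they write is exactly what step 5 feeds to john.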
Step 5: Crack the hash with John the Ripper
Write root's shadow entry to a file and hand it to john, which auto-detects the hash type:
# echo "root:aRDiHrJ0OkehM:16270:0:99999:7:::" > hash.txt
# cat hash.txt
root:aRDiHrJ0OkehM:16270:0:99999:7:::
# john hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 AVX])
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 327 candidates buffered for the current salt, minimum 512 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
1234 (root)
1g 0:00:00:00 DONE 2/3 (2021-12-01 21:57) 100.0g/s 1857Kp/s 1857Kc/s 1857KC/s 123456..betabeta
Use the "--show" option to display all of the cracked passwords reliably
Session completed
The root password is 1234. The hash has no "$id$" prefix and is 13 characters long (2-character salt "aR" plus 11 characters of output), which is traditional DES crypt: it limits passwords to 8 significant characters and cracks quickly, and the same hash can be attacked with hashcat using mode 1500 (descrypt).
Step 6: Run firmwalker
Running firmwalker against the extracted tree automates the searches from step 3. Its README describes it as:
A simple bash script for searching the extracted or mounted firmware file system.
It will search through the extracted or mounted firmware file system for things of interest such as:
* etc/shadow and etc/passwd
* list out the etc/ssl directory
* search for SSL related files such as .pem, .crt, etc.
* search for configuration files
* look for script files
* search for other .bin files
* look for keywords such as admin, password, remote, etc.
* search for common web servers used on IoT devices
* search for common binaries such as ssh, tftp, dropbear, etc.
* search for URLs, email addresses and IP addresses
* Experimental support for making calls to the Shodan API using the Shodan CLI
***Firmware Directory***
../test1
***Search for password files***
##################################### passwd
1/bin/passwd
1/etc/passwd
1/var/lib/opkg/alternatives/passwd
...
Step 7: Check the startup items
# cd etc/init.d
# ls -l
Step 8: Analyze the start_appmgr script
# cat start_appmgr
#Sandro { for telnetd debug...
start-stop-daemon -S -b -a /bin/logmaster
#if [ -e /config2/telnetd ]; then
start-stop-daemon -S -b -a /sbin/telnetd
#fi
#Sandro }
# Get the vendor_id, [Generic|Pure]
VENDOR_ID=$(grep vendor_id /etc/versions 2>/dev/null | awk -F"=" '{print $2}')
case "$1" in
start)
if [ "$VENDOR_ID" = "Pure" ]; then
echo -n "Starting btnd: "
start-stop-daemon -S -b -a /bin/btnd
echo "done"
else
echo -n "Starting appmgr: "
start-stop-daemon -S -b -a /bin/appmgr
echo "done"
fi
;;
stop)
if [ "$VENDOR_ID" = "Pure" ]; then
echo -n "Stopping btnd: "
start-stop-daemon -K -n btnd
echo "done"
else
echo -n "Stopping appmgr: "
start-stop-daemon -K -n appmgr
echo "done"
fi
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage appmgr { start | stop | restart}" >&2
exit 1
;;
esac
The script starts logmaster and telnetd unconditionally, then btnd or appmgr depending on VENDOR_ID. The important detail is the "Sandro" block at the top: the guard "if [ -e /config2/telnetd ]" that was meant to enable telnet only when a marker file exists has been commented out, so telnetd is launched on every boot as a leftover debug hook, and the root credentials recovered above are enough to log in.
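A pass over every init.d script for this pattern is easy to automate. The following is an added example, not code from the original post: it writes a constructed copy of the relevant start_appmgr lines to a temp file, lists each program launched with start-stop-daemon -S (skipping -K stop lines and lines that are themselves commented out), and separately reports any start that sits directly under a commented-out "if" guard, which is exactly how telnetd ends up unconditional here.

```shell
#!/bin/sh
# Added example (not from the original post). The init script below is a
# constructed excerpt of start_appmgr, written out so the example runs anywhere.

write_sample_init_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
#Sandro { for telnetd debug...
start-stop-daemon -S -b -a /bin/logmaster
#if [ -e /config2/telnetd ]; then
start-stop-daemon -S -b -a /sbin/telnetd
#fi
#Sandro }
case "$1" in
start)
    start-stop-daemon -S -b -a /bin/appmgr
    ;;
stop)
    start-stop-daemon -K -n appmgr
    ;;
esac
EOF
}

# Program path of every start-stop-daemon -S (start) line, ignoring stop
# lines and lines that are commented out.
list_started_daemons() {
    grep -v '^[[:space:]]*#' "$1" \
      | grep 'start-stop-daemon' | grep -- ' -S' \
      | sed -n 's/.*-a[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p'
}

# Daemons started by a line that directly follows a commented-out "if" test:
# a guard someone disabled instead of deleting.
find_unguarded_starts() {
    awk '
        /^[[:space:]]*#[[:space:]]*if[[:space:]]/ { disabled_guard = 1; next }
        /start-stop-daemon/ && /-S/ && !/^[[:space:]]*#/ {
            if (disabled_guard)
                for (i = 1; i <= NF; i++) if ($i == "-a") print $(i + 1)
        }
        { disabled_guard = 0 }
    ' "$1"
}

f=$(mktemp)
write_sample_init_script "$f"
echo "daemons started by this script:"
list_started_daemons "$f"
echo "starts sitting under a commented-out guard:"
find_unguarded_starts "$f"
rm -f "$f"
```

Run the two functions in a loop over etc/init.d/* of the extracted tree; anything reported by find_unguarded_starts, or any network daemon in list_started_daemons, is worth a closer look.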
Step 9: Analyze the appmgr binary
# file appmgr
appmgr: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, stripped
It is a stripped, dynamically linked 32-bit little-endian ARM executable, so the disassembler must be set to ARM little-endian and the shared libraries it needs are the ones under ./lib of the extracted image, which is also the directory to hand to qemu-arm (-L) if the binary is run under emulation.
Related learning links:
Learning link 1
Learning link 2
https://github.com/PacktPublishing/IoT-Penetration-Testing-Cookbook