Firmadyne Install
===
---
###### tags: `firmadyne` `security`
This note records how I installed firmadyne and then ran one emulation by following the official demo.
---
**Contents**
[TOC]
# Environment
:::info
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.2 LTS
Release: 18.04
Codename: bionic
:::
# Setup
References:
https://github.com/firmadyne/firmadyne#setup
https://computingforgeeks.com/how-to-install-metasploit-framework-on-ubuntu-18-04-debian-9/
```shell
cd ~
sudo apt-get install busybox-static fakeroot git dmsetup kpartx netcat-openbsd nmap python-psycopg2 python3-psycopg2 snmp uml-utilities util-linux vlan
git clone --recursive https://github.com/firmadyne/firmadyne.git
```
## Extractor
```shell
cd ~
git clone https://github.com/devttys0/binwalk.git
cd binwalk
sudo ./deps.sh
sudo python ./setup.py install
sudo apt-get install python-lzma
```
- For the next step, the official instructions say
```shell
sudo -H pip install git+https://github.com/ahupp/python-magic
```
but the output was
```
Traceback (most recent call last):
File "/usr/bin/pip", line 11, in <module>
sys.exit(__main__._main())
AttributeError: 'module' object has no attribute '_main'
```
so I used this instead
```shell
sudo pip install python-magic
```
- The next official step is
```shell
sudo -H pip install git+https://github.com/sviehb/jefferson
```
The output fails the same way
```
File "/usr/bin/pip", line 11, in <module>
sys.exit(__main__._main())
AttributeError: 'module' object has no attribute '_main'
```
Following https://github.com/sviehb/jefferson
I installed it this way instead
```shell
cd ~
git clone https://github.com/sviehb/jefferson
cd jefferson
sudo pip install cstruct
sudo python setup.py install
```
## Database
```shell
sudo apt-get install postgresql
sudo -u postgres createuser -P firmadyne
```
Set the password to firmadyne
```shell
sudo -u postgres createdb -O firmadyne firmware
cd ~
sudo -u postgres psql -d firmware < ./firmadyne/database/schema
```
## Binaries
```shell
cd ~/firmadyne; ./download.sh
```
## QEMU
```shell
sudo apt-get install qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils
```
## Metasploit
```shell
cd ~
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
./msfinstall
msfdb init
msfconsole --version
Framework Version: 5.0.27-dev-
```
I also ran into a few problems

Fix:
```
sudo apt-get install gem
```
# Usage
https://packetstormsecurity.com/files/135956/D-Link-Netgear-FIRMADYNE-Command-Injection-Buffer-Overflow.html
## Official demo: WNAP320 Firmware Version 2.0.3
References:
https://github.com/firmadyne/firmadyne#usage
https://github.com/firmadyne/firmadyne/issues/33
1. > Set `FIRMWARE_DIR` in `firmadyne.config` to point to the root of this repository.
2. > Download a firmware image, e.g. v2.0.3 for Netgear WNAP320.
I just downloaded the sample image they provide and put it under ~/firmadyne.
3. > Use the extractor to recover only the filesystem, no kernel (-nk), no parallel operation (-np), populating the image table in the SQL server at 127.0.0.1 (-sql) with the Netgear brand (-b), and storing the tarball in images.
```
./sources/extractor/extractor.py -b Netgear -sql 127.0.0.1 -np -nk "WNAP320 Firmware Version 2.0.3.zip" images
```
cd into the firmadyne directory before running this.
4. > Identify the architecture of firmware 1 and store the result in the image table of the database.
```
./scripts/getArch.sh ./images/1.tar.gz
```
5. > Load the contents of the filesystem for firmware 1 into the database, populating the object and object_to_image tables.
```
./scripts/tar2db.py -i 1 -f ./images/1.tar.gz
```
6. > Create the QEMU disk image for firmware 1.
```
sudo ./scripts/makeImage.sh 1
```
7. > Infer the network configuration for firmware 1. Kernel messages are logged to ./scratch/1/qemu.initial.serial.log.
```
./scripts/inferNetwork.sh 1
```
The output of this step was
```
Querying database for architecture... Password for user firmadyne:
mipseb
Running firmware 1: terminating after 60 secs...
qemu-system-mips: -net nic,vlan=0: 'vlan' is deprecated. Please use 'netdev' instead.
```
It then sat here for roughly a minute

8. This is not the official step 8; instead I first mount this firmware's filesystem.
```
cd ~/firmadyne
sudo ./scripts/mount.sh 1
```
The mounted filesystem then lives at
```
cd scratch/1/image/
```

Rename /etc/securetty, otherwise the login in the later steps will not work
```
mv ./etc/securetty ./etc/securetty_backup
```
Then umount, which ran into a problem (see the left terminal in the figure)
```
cd ~/firmadyne
sudo ./scripts/umount.sh 1
```

After reading scripts/mount.sh
I figured a plain umount is enough
```
cd ~/firmadyne
sudo umount ./scratch/1/image
```
9. > Emulate firmware 1 with the inferred network configuration. This will modify the configuration of the host system by creating a TAP device and adding a route.
```
./scratch/1/run.sh
```
Part of the output here caught my attention

In the middle there is
```
Mounting var to jffs2. [FAILED]
```
but the emulation seems to have succeeded

10. > The system should be available over the network, and is ready for analysis. Kernel messages are mirrored to ./scratch/1/qemu.final.serial.log
```
./analyses/snmpwalk.sh 192.168.0.100
./analyses/webAccess.py 1 192.168.0.100 log.txt
```
Leave the terminal from step 9 running
and open a new terminal for these commands

```
mkdir exploits
chmod 755 ./analyses/runExploits.py
sudo ./analyses/runExploits.py -t 192.168.0.100 -o exploits/exploit -e x
```

```
sudo nmap -O -sV 192.168.0.100
```

Scan some ports
```
sudo nmap -p 20-80 192.168.0.100
Starting Nmap 7.60 ( https://nmap.org ) at 2019-06-07 13:18 PST
Nmap scan report for 192.168.0.100
Host is up (0.30s latency).
Not shown: 59 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 14.19 seconds
```
11. > The default console should be automatically connected to the terminal. Note that Ctrl-c is sent to the guest; use the QEMU monitor command Ctrl-a + x to terminate emulation. For the sample firmware above, you will first need to delete the file /etc/securetty from the filesystem to login as root with password password.
But pressing Ctrl-a + x did not get me out @@
/etc/securetty was already renamed in step 8 of this Usage section.
Without /etc/securetty you can log in as root.
The console credentials are root/password.
The web/ssh credentials are admin/password.
Try ssh
```
ssh admin@192.168.0.100
Unable to negotiate with 192.168.0.100 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
```
After a quick search I ran this instead
```
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc admin@192.168.0.100
```

12. > The following scripts can be used to mount/unmount the filesystem of firmware 1. Ensure that the emulated firmware is not running, and remember to unmount before performing any other operations.
```
sudo ./scripts/mount.sh 1
sudo ./scripts/umount.sh 1
```
In the figure below, the top-left, bottom-left and right windows show the console, ssh and web connections respectively, each logged in successfully.
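Steps 3 through 8 above are repeated for every image with only the id changing, so here is a small POSIX sh wrapper for them. It is an added example, not part of firmadyne; the FIRMADYNE_DIR and DRY_RUN variables and the function names are my own, and the image id still has to be read from the extractor's output.

```shell
#!/bin/sh
# Added example, not part of firmadyne: wraps steps 3-8 of the walkthrough
# so the per-image id is typed once. Assumptions: FIRMADYNE_DIR (defaults
# to ~/firmadyne) and DRY_RUN=1, which prints commands instead of running
# them. The id itself comes from the extractor's output (1, then 2 above).

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Enter the firmadyne checkout (skipped in dry-run so the wrapper can be
# exercised on a machine without firmadyne installed).
enter_firmadyne() {
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    cd "${FIRMADYNE_DIR:-$HOME/firmadyne}" || return 1
}

# Step 3: extract only the filesystem and register it in the image table.
# usage: firmadyne_extract <brand> <firmware-file>
firmadyne_extract() {
    brand=$1; image=$2
    enter_firmadyne || return 1
    run ./sources/extractor/extractor.py -b "$brand" -sql 127.0.0.1 -np -nk "$image" images
}

# Steps 4-8 for one image id: architecture, database load, disk image,
# network inference, then the /etc/securetty rename that was done by hand.
# usage: firmadyne_prepare <id>
firmadyne_prepare() {
    id=$1
    enter_firmadyne || return 1
    run ./scripts/getArch.sh "./images/$id.tar.gz" || return 1
    run ./scripts/tar2db.py -i "$id" -f "./images/$id.tar.gz" || return 1
    run sudo ./scripts/makeImage.sh "$id" || return 1
    run ./scripts/inferNetwork.sh "$id" || return 1
    # Step 8: mount, rename /etc/securetty only if the firmware has one
    # (later images in this note had none), then a plain umount, which is
    # what worked in the walkthrough when umount.sh did not.
    run sudo ./scripts/mount.sh "$id" || return 1
    securetty="./scratch/$id/image/etc/securetty"
    if [ "${DRY_RUN:-0}" = 1 ] || [ -f "$securetty" ]; then
        run sudo mv "$securetty" "${securetty}_backup"
    else
        echo "firmware $id has no /etc/securetty, nothing to rename"
    fi
    run sudo umount "./scratch/$id/image"
}

# usage: sh this_script.sh extract Netgear "WNAP320 Firmware Version 2.0.3.zip"
#        sh this_script.sh prepare 1
case "${1:-}" in
    extract) firmadyne_extract "$2" "$3" ;;
    prepare) firmadyne_prepare "$2" ;;
esac
```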

## D-Link DAP-2360_REVA_FIRMWARE_1.12.B073
Having done the Usage (WNAP320 Firmware Version 2.0.3) walkthrough,
let's try emulating other firmware.
1. See step 1 of Usage (WNAP320 Firmware Version 2.0.3).
2. Download [DAP-2360_REVA_FIRMWARE_1.12.B073](ftp://ftp2.dlink.com/PRODUCTS/DAP-2360/REVA/DAP-2360_REVA_FIRMWARE_1.12.B073.ZIP)
3. Recover only the filesystem
```
./sources/extractor/extractor.py -b Dlink -sql 127.0.0.1 -np -nk "DAP-2360_REVA_FIRMWARE_1.12.B073.ZIP" images
```

The id is 2; id 1 is the official WNAP320 Firmware Version 2.0.3 demo I just did.
4. Identify the architecture of firmware 2 and store the result in the image table of the database.
```
./scripts/getArch.sh ./images/2.tar.gz
```
5. Load the contents of the filesystem for firmware 2 into the database, populating the object and object_to_image tables.
```
./scripts/tar2db.py -i 2 -f ./images/2.tar.gz
```
6. Create the QEMU disk image for firmware 2.
```
sudo ./scripts/makeImage.sh 2
```
7. Infer the network configuration for firmware 2.
```
./scripts/inferNetwork.sh 2
```

The IP is 192.168.0.50
8. Mount this firmware's filesystem and rename /etc/securetty
```
sudo ./scripts/mount.sh 2
```
But it turns out there is no /etc/securetty, so nothing to rename; just umount
```
sudo umount ./scratch/2/image
```
9. Emulate firmware 2 with the inferred network configuration.
```
./scratch/2/run.sh
```

Emulation seems to have succeeded
10. Test the connection
```
ping 192.168.0.50
PING 192.168.0.50 (192.168.0.50) 56(84) bytes of data.
64 bytes from 192.168.0.50: icmp_seq=1 ttl=64 time=14.5 ms
64 bytes from 192.168.0.50: icmp_seq=2 ttl=64 time=1.82 ms
^C
--- 192.168.0.50 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 1.826/8.198/14.570/6.372 ms
```
Ping works
Test the web interface

OK, Web Server Working
Scan ports
```
sudo nmap -p 20-1024 192.168.0.50
Starting Nmap 7.60 ( https://nmap.org ) at 2019-06-07 15:56 PST
Nmap scan report for 192.168.0.50
Host is up (0.00084s latency).
Not shown: 1002 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
443/tcp open https
MAC Address: 00:15:E9:2C:75:00 (D-Link)
Nmap done: 1 IP address (1 host up) scanned in 74.35 seconds
```
Try HTTPS

Reachable as well
Try the web server's default account/password


Credentials: admin/(empty)
Logged in~
Try telnet
Try the same credentials admin/(empty)

Logged in too~~
Typing help shows more command syntax

11. Vulnerability checks
- analyses/snmpwalk.sh
```
./analyses/snmpwalk.sh 192.168.0.50
Dumped to snmp.public.txt and snmp.private.txt!
```
Look at the two files
```
cat snmp.public.txt
Timeout: No Response from 192.168.0.50
```
```
cat snmp.private.txt
Timeout: No Response from 192.168.0.50
```
Fine, let's try the others
- analyses/webAccess.py
```
./analyses/webAccess.py 2 192.168.0.50 log.txt
Accessing: http://192.168.0.50/locale/en/__file_is_processing.php...
Skipping: pic/apply2.gif...
Accessing: http://192.168.0.50/locale/en/st_stats_wl.php...
-> Socket Timeout: timed out
Skipping: pic/help.gif...
Skipping: pic/delete.jpg...
Accessing: http://192.168.0.50/sys/wrongImg.htm...
-> Redirect
Accessing: http://192.168.0.50/__action_adv.php...
-> Redirect
Skipping: pic/edit.jpg...
Skipping: pic/file.gif...
Accessing: http://192.168.0.50/index.php...
-> Redirect
Accessing: http://192.168.0.50/__sample.php...
-> Redirect
Accessing: http://192.168.0.50/sys_fw_invalid.php...
-> Redirect
Accessing: http://192.168.0.50/dap3690_display_new.php...
Accessing: http://192.168.0.50/locale/en/wr_login_fail.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/bsc_ipv6.php...
-> Redirect
Accessing: http://192.168.0.50/dap2360_webdisplay.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/locale/en/adv_dhcpd.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/sys/restart2.htm...
-> Redirect
Accessing: http://192.168.0.50/dap3520_display.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/dap2360_display_new.php...
Accessing: http://192.168.0.50/sys_cfg_valid.php...
-> Redirect
Accessing: http://192.168.0.50/locale/en/adv_schedule.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/locale/en/adv_mssid.php...
-> Socket Timeout: timed out
Skipping: pic/add1.gif...
Accessing: http://192.168.0.50/sys/redirectlink.php...
-> Redirect
Accessing: http://192.168.0.50/adv_tr069v3.php...
-> Redirect
Accessing: http://192.168.0.50/WAP-N08A_display_new.php...
Accessing: http://192.168.0.50/dap2690_display.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/locale/en/logout.php...
-> Socket Timeout: timed out
Skipping: version.txt...
Accessing: http://192.168.0.50/locale/en/login.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/locale/en/tool_admin.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/__action.php...
-> Redirect
Accessing: http://192.168.0.50/comm/__msync.php...
-> Redirect
Accessing: http://192.168.0.50/locale/en/bsc_capwap.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/locale/en/adv_qos.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/dap2553_display_new.php...
Skipping: pic/check.gif...
Accessing: http://192.168.0.50/locale/en/__active_msg.php...
Accessing: http://192.168.0.50/locale/en/adv_partition.php...
-> Socket Timeout: timed out
Skipping: pic/line.gif...
Accessing: http://192.168.0.50/locale/en/adv_rogue.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/__action_dhcp_server.php...
-> Redirect
Accessing: http://192.168.0.50/locale/en/adv_radiusclient.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/model/__show_info_version.php...
Accessing: http://192.168.0.50/st_stats_lan.php...
-> Redirect
Accessing: http://192.168.0.50/locale/en/adv_trafficmanage.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/locale/en/tool_fw.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/adv_radiusclient.php...
-> Redirect
Accessing: http://192.168.0.50/locale/en/__rebooting_msg.php...
Accessing: http://192.168.0.50/main.php...
-> Redirect
Skipping: pic/dlink.jpg...
Accessing: http://192.168.0.50/model/__button.php...
-> Redirect
Accessing: http://192.168.0.50/locale/en/login_fail.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/web_redirect.php...
-> Redirect
Accessing: http://192.168.0.50/dap2310_display_new.php...
Accessing: http://192.168.0.50/adv_acl.php...
-> Redirect
Accessing: http://192.168.0.50/locale/en/permission.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/model/__lang_msg.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/locale/en/web_redirect_out.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/permission_deny.php...
-> Redirect
Accessing: http://192.168.0.50/adv_arpspoofing.php...
-> Redirect
Accessing: http://192.168.0.50/dap1353b_display.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/adv_url_addr.php...
-> Redirect
Skipping: pic/triangle.gif...
Accessing: http://192.168.0.50/adv_mcast.php...
-> Redirect
Accessing: http://192.168.0.50/auth/__authenticate_p.php...
-> HTTPError: 401
Accessing: http://192.168.0.50/locale/en/adv_ap_array.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/locale/en/adv_dhcps.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/dap2590_display.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/st_device.php...
-> Redirect
Accessing: http://192.168.0.50/comm/__js_defineMytree.php...
Accessing: http://192.168.0.50/home_sys.php...
-> Redirect
Accessing: http://192.168.0.50/sys_setting.php...
-> Redirect
Skipping: pic/logout.gif...
Accessing: http://192.168.0.50/locale/en/adv_captival.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/onlanchange.php...
Accessing: http://192.168.0.50/locale/en/adv_arpspoofing.php...
Accessing: http://192.168.0.50/help.php...
-> Redirect
Accessing: http://192.168.0.50/locale/en/st_device.php...
-> Socket Timeout: timed out
Skipping: pic/joinbottom.gif...
Accessing: http://192.168.0.50/adv_8021q.php...
-> Redirect
Accessing: http://192.168.0.50/html/Version.html...
-> Redirect
Skipping: pic/add2.gif...
Accessing: http://192.168.0.50/locale/en/adv_dhcpl.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/tool_config.php...
-> Redirect
Skipping: pic/save1.gif...
Accessing: http://192.168.0.50/bsc_capwap.php...
-> Redirect
Accessing: http://192.168.0.50/sys/restart.htm...
-> Redirect
Accessing: http://192.168.0.50/locale/en/bsc_wlan.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/locale/en/sys_stunnel_error.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/locale/en/check_radiusclient.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/adv_8021q_vlan_list.php...
Accessing: http://192.168.0.50/dap2695_display_new.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/locale/en/msg_menu.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/locale/en/adv_acl.php...
Accessing: http://192.168.0.50/bsc_wlan.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/dap3690_display.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/session_wr_login.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/st_log.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/st_stats_wl.php...
Accessing: http://192.168.0.50/sys_fw_valid.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/locale/en/st_wds_info.php...
Skipping: pic/light_blue1.jpg...
Accessing: http://192.168.0.50/model/__wlan.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/dap2690b_display_new.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/locale/en/tool_sntp.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/locale/en/wr_login.php...
Skipping: pic/join.gif...
Accessing: http://192.168.0.50/tool_admin.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/adv_dhcpd.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/model/__logo.php...
Skipping: pic/sys.gif...
Accessing: http://192.168.0.50/check_radiusclient.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/cfg_valid.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/index.html...
Accessing: http://192.168.0.50/model/__burn_time.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/locale/en/frame_menu.php...
-> HTTPError: 500
Skipping: pic/banner.jpg...
Accessing: http://192.168.0.50/web_redirect_out.php...
-> HTTPError: 500
Skipping: pic/plusbottom.gif...
Accessing: http://192.168.0.50/locale/en/sys_fw_invalid.php...
Accessing: http://192.168.0.50/tool_fw.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/st_info.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/dap2590_display_new.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/locale/en/adv_resource.php...
Accessing: http://192.168.0.50/adv_wtp.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/adv_partition.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/model/__show_info.php...
Accessing: http://192.168.0.50/locale/en/msg_comm.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/sys_fw_update.php...
Accessing: http://192.168.0.50/st_wds_info.php...
Accessing: http://192.168.0.50/adv_trafficmanage_dy.php...
Skipping: pic/X.gif...
Accessing: http://192.168.0.50/locale/en/adv_radiusserver.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/model/__version.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/locale/en/adv_fair.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/locale/en/version.php...
-> HTTPError: 500
Skipping: pic/open_file.gif...
Accessing: http://192.168.0.50/dwl2100_display_new.php...
Accessing: http://192.168.0.50/comm/__header.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/dap2690_display_new.php...
Accessing: http://192.168.0.50/locale/en/session_full.php...
Accessing: http://192.168.0.50/locale/en/adv_wtp.php...
Accessing: http://192.168.0.50/dap3520_display_new.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/comm/__js_comm.php...
Accessing: http://192.168.0.50/logout.php...
Accessing: http://192.168.0.50/locale/en/sys_fw_update.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/login_fail.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/locale/en/main.php...
-> HTTPError: 500
Skipping: pic/home.gif...
Accessing: http://192.168.0.50/adv_mssid.php...
Accessing: http://192.168.0.50/adv_mdhcpd.php...
-> HTTPError: 500
Skipping: model/router.css...
Skipping: pic/apply1.gif...
Accessing: http://192.168.0.50/locale/en/bsc_ipv6.php...
-> HTTPError: 500
Skipping: pic/minusbottom.gif...
Accessing: http://192.168.0.50/adv_url.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/model/__sch_list.php...
Accessing: http://192.168.0.50/locale/en/adv_perf.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/locale/en/charset...
Accessing: http://192.168.0.50/locale/en/st_stats_lan.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/auth/__session_timeout.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/locale/en/home_sys.php...
Skipping: pic/themespacer.gif...
Accessing: http://192.168.0.50/adv_resource.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/locale/en/st_info.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/model/__admin_check.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/session_full.php...
Accessing: http://192.168.0.50/adv_captival.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/locale/en/sys_setting.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/model/__html_head.php...
Accessing: http://192.168.0.50/bsc_lan.php...
-> HTTPError: 500
Skipping: pic/tool_bar_v.jpg...
Accessing: http://192.168.0.50/locale/en/sys_cfg_valid.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/locale/en/__upgrading_fw_msg.php...
Accessing: http://192.168.0.50/dap3340_display_new.php...
Accessing: http://192.168.0.50/auth/__login.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/dwp2360_display_new.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/model/__g_var.php...
Accessing: http://192.168.0.50/tool_sntp.php...
Accessing: http://192.168.0.50/locale/en/adv_wtp_trafficmanage.php...
Accessing: http://192.168.0.50/adv_perf.php...
Skipping: pic/config.gif...
Accessing: http://192.168.0.50/session_login.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/__saving.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/locale/en/st_logs.php...
Accessing: http://192.168.0.50/locale/en/st_log.php...
-> HTTPError: 500
Skipping: pic/monitor.gif...
Accessing: http://192.168.0.50/dap1353b_display_new.php...
-> HTTPError: 500
Skipping: pic/lld2d.ico...
Accessing: http://192.168.0.50/adv_ap_array.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/NEC-Magnus_display_new.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/wr_login.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/locale/en/adv_url.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/locale/en/adv_updnsetting.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/__scan.php...
-> HTTPError: 500
Skipping: pic/save2.gif...
Accessing: http://192.168.0.50/sys_stunnel_error.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/adv_dhcpl.php...
Accessing: http://192.168.0.50/adv_fair.php...
Accessing: http://192.168.0.50/locale/en/adv_url_addr.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/comm/__js_tree.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/locale/en/help.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/comm/__js_select.php...
Accessing: http://192.168.0.50/dap2553_display.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/locale/en/adv_8021q.php...
Accessing: http://192.168.0.50/auth/__wr_login.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/locale/en/adv_mcast.php...
Accessing: http://192.168.0.50/adv_schedule.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/__action_bsc.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/__no_changed.php...
Accessing: http://192.168.0.50/adv_radiusserver.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/adv_qos.php...
Accessing: http://192.168.0.50/comm/__js_ip.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/locale/en/template.php...
Accessing: http://192.168.0.50/model/__auth_check.php...
Skipping: pic/plus.gif...
Accessing: http://192.168.0.50/locale/en/sys_fw_valid.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/adv_dhcps.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/st_logs.php...
Accessing: http://192.168.0.50/locale/en/tool_config.php...
Skipping: pic/minus.gif...
Accessing: http://192.168.0.50/locale/en/adv_trafficmanage_dy.php...
Accessing: http://192.168.0.50/adv_rogue.php...
-> HTTPError: 500
Skipping: pic/tool.gif...
Accessing: http://192.168.0.50/login.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/adv_qos_limit.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/auth/__authenticate_s.php...
Accessing: http://192.168.0.50/sys_stunnel_process.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/wr_login_fail.php...
-> HTTPError: 500
Skipping: pic/text.gif...
Accessing: http://192.168.0.50/auth/__logout.php...
-> HTTPError: 500
Skipping: pic/tool_bar.jpg...
Accessing: http://192.168.0.50/locale/en/bsc_lan.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/locale/en/adv_tr069v3.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/syslog.rg...
-> HTTPError: 404
Accessing: http://192.168.0.50/tsyslog.rg...
-> HTTPError: 404
```
Look at log.txt
```
cat log.txt
locale/en/__file_is_processing.php
sys/wrongImg.htm (REDIR)
__action_adv.php (REDIR)
index.php (REDIR)
__sample.php (REDIR)
sys_fw_invalid.php (REDIR)
dap3690_display_new.php
bsc_ipv6.php (REDIR)
sys/restart2.htm (REDIR)
dap2360_display_new.php
sys_cfg_valid.php (REDIR)
sys/redirectlink.php (REDIR)
adv_tr069v3.php (REDIR)
WAP-N08A_display_new.php
__action.php (REDIR)
comm/__msync.php (REDIR)
dap2553_display_new.php
locale/en/__active_msg.php
__action_dhcp_server.php (REDIR)
model/__show_info_version.php
st_stats_lan.php (REDIR)
adv_radiusclient.php (REDIR)
locale/en/__rebooting_msg.php
main.php (REDIR)
model/__button.php (REDIR)
web_redirect.php (REDIR)
dap2310_display_new.php
adv_acl.php (REDIR)
permission_deny.php (REDIR)
adv_arpspoofing.php (REDIR)
adv_url_addr.php (REDIR)
adv_mcast.php (REDIR)
st_device.php (REDIR)
comm/__js_defineMytree.php
home_sys.php (REDIR)
sys_setting.php (REDIR)
onlanchange.php
locale/en/adv_arpspoofing.php
help.php (REDIR)
adv_8021q.php (REDIR)
html/Version.html (REDIR)
tool_config.php (REDIR)
bsc_capwap.php (REDIR)
sys/restart.htm (REDIR)
adv_8021q_vlan_list.php
locale/en/adv_acl.php
st_stats_wl.php
locale/en/st_wds_info.php
locale/en/wr_login.php
model/__logo.php
index.html
locale/en/sys_fw_invalid.php
locale/en/adv_resource.php
model/__show_info.php
sys_fw_update.php
st_wds_info.php
adv_trafficmanage_dy.php
dwl2100_display_new.php
dap2690_display_new.php
locale/en/session_full.php
locale/en/adv_wtp.php
comm/__js_comm.php
logout.php
adv_mssid.php
model/__sch_list.php
locale/en/charset
locale/en/home_sys.php
session_full.php
model/__html_head.php
locale/en/__upgrading_fw_msg.php
dap3340_display_new.php
model/__g_var.php
tool_sntp.php
locale/en/adv_wtp_trafficmanage.php
adv_perf.php
locale/en/st_logs.php
adv_dhcpl.php
adv_fair.php
comm/__js_select.php
locale/en/adv_8021q.php
locale/en/adv_mcast.php
__no_changed.php
adv_qos.php
locale/en/template.php
model/__auth_check.php
st_logs.php
locale/en/tool_config.php
locale/en/adv_trafficmanage_dy.php
auth/__authenticate_s.php
```
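To make a run like the one above easier to read, here is an added sh/awk summariser (not part of firmadyne or webAccess.py): it pairs each Accessing: line with the status line after it, counts the categories, and lists the pages that were served with no redirect, timeout or error, which is the set to review for missing authentication checks. The sample input is a constructed excerpt of the output above; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of firmadyne: summarises webAccess.py output.
# Each "Accessing:" line is paired with the "->" line that follows it; a
# page with no such line was served directly, which is what log.txt lists
# without "(REDIR)". Those are the pages to review for missing auth checks.

# Constructed excerpt of the DAP-2360 run above, used as sample input.
SAMPLE='Accessing: http://192.168.0.50/index.php...
-> Redirect
Accessing: http://192.168.0.50/dap2360_display_new.php...
Skipping: pic/help.gif...
Accessing: http://192.168.0.50/locale/en/login.php...
-> Socket Timeout: timed out
Accessing: http://192.168.0.50/auth/__authenticate_p.php...
-> HTTPError: 401
Accessing: http://192.168.0.50/tool_admin.php...
-> HTTPError: 500
Accessing: http://192.168.0.50/syslog.rg...
-> HTTPError: 404
Accessing: http://192.168.0.50/model/__show_info.php...'

# Shared awk program: MODE=counts prints "<category> <n>" per category,
# MODE=served prints the URLs that came back without a status line.
WEBACCESS_AWK='
function flush() {
    if (url != "") {
        key = (status == "") ? "served" : status
        count[key]++
        if (status == "" && MODE == "served") print url
    }
    url = ""; status = ""
}
/^Accessing: / { flush(); url = $2; sub(/\.\.\.$/, "", url); next }
/^-> / {
    if ($2 == "Redirect") status = "redirect"
    else if ($2 == "Socket") status = "timeout"
    else if ($2 == "HTTPError:") status = "http_" $3
    else status = "other"
    next
}
/^Skipping: / { flush(); count["skipped"]++; next }
END {
    flush()
    if (MODE == "counts") for (k in count) printf "%s %d\n", k, count[k]
}'

# Category counts, sorted, read from stdin.
webaccess_counts() {
    awk -v MODE=counts "$WEBACCESS_AWK" | sort
}

# URLs served without redirect, timeout or error, read from stdin.
webaccess_served() {
    awk -v MODE=served "$WEBACCESS_AWK"
}

# usage: ./analyses/webAccess.py 2 192.168.0.50 log.txt | tee out.txt
#        webaccess_counts < out.txt; webaccess_served < out.txt
#        printf '%s\n' "$SAMPLE" | webaccess_counts   # runs on the sample
```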
Try the others too
- metasploit
```
mkdir exploits2
# not needed again if you already did this while following the official WNAP320 Firmware Version 2.0.3 demo
# chmod 755 ./analyses/runExploits.py
sudo ./analyses/runExploits.py -t 192.168.0.50 -o exploits2/exploit -e x
```

Seeing that lovely 0x41414141,
it looks like a pile of 'A's got stuffed in.
Let's see what is in the exploits2 folder

Well, there seem to be no exploits QQ
## D-Link DIR-846
https://www.cvedetails.com/cve/CVE-2018-16408/
https://github.com/PAGalaxyLab/VulInfo/blob/master/D-Link/DIR-846/RCE_0/D-Link%20DIR-846%20RCE.md
http://support.dlink.com.cn/ProductInfo.aspx?m=DIR-846
This one already has a CVE, so let's test whether an exploit can be generated for it.
1. See step 1 of Usage (WNAP320 Firmware Version 2.0.3).
2. Download [D-Link DIR-846](http://support.dlink.com.cn/download.ashx?file=6577)
3. Recover only the filesystem
```
./sources/extractor/extractor.py -b Dlink -sql 127.0.0.1 -np -nk "DIR846A1_FW100A35.bin" images
```
4. Identify the architecture of firmware 3 and store the result in the image table of the database.
```
./scripts/getArch.sh ./images/3.tar.gz
```
5. Load the contents of the filesystem for firmware 3 into the database, populating the object and object_to_image tables.
```
./scripts/tar2db.py -i 3 -f ./images/3.tar.gz
```
6. Create the QEMU disk image for firmware 3.
```
sudo ./scripts/makeImage.sh 3
```
7. Infer the network configuration for firmware 3.
```
./scripts/inferNetwork.sh 3
```

The IP is 192.168.0.1
8. Mount this firmware's filesystem and rename /etc/securetty
```
sudo ./scripts/mount.sh 3
```
Again there is no /etc/securetty, so nothing to rename; just umount
```
sudo umount ./scratch/3/image
```
9. Emulate firmware 3 with the inferred network configuration.
```
./scratch/3/run.sh
```
10. Test the connection
Connection failed.
Sad QQ
And I could not find out what the account/password is; without logging in there is nothing I can do.
## D-Link DSl-2750B
This one also has a CVE, and Metasploit has an attack script for it
https://www.exploit-db.com/exploits/44760?fbclid=IwAR3vAENkSOovHpkDv60fgC2KhDORxK3oeUmEegtPIxHcsSjAV7XDpa-trXA
1. See step 1 of Usage (WNAP320 Firmware Version 2.0.3).
2. Download [DSl-2750B](http://files.dlink.com.au/products/DSL-2750B/REV_T/Firmware/Firmware_AU_3.00_(18-10-2012)/DSl-2750B.T1_Firmware_AU_3.00_20121018.zip)
3. For some reason it broke at step 4

I was completely baffled: no IP.
So I wiped the database first, planning to start over
```
cd ~
sudo -u postgres dropdb firmware
sudo -u postgres createdb -O firmadyne firmware
sudo -u postgres psql -d firmware < ./firmadyne/database/schema
```
I also renamed the contents of firmadyne/images and firmadyne/scratch
4. Recover only the filesystem
```
./sources/extractor/extractor.py -b Dlink -sql 127.0.0.1 -np -nk "firmwares/DSl-2750B.T1_Firmware_AU_3.00_20121018.zip" images
```
The id starts over at 1
5. Identify the architecture of firmware 1 and store the result in the image table of the database.
```
./scripts/getArch.sh ./images/1.tar.gz
```
6. Load the contents of the filesystem for firmware 1 into the database, populating the object and object_to_image tables.
```
./scripts/tar2db.py -i 1 -f ./images/1.tar.gz
```
7. Create the QEMU disk image for firmware 1.
```
sudo ./scripts/makeImage.sh 1
```
8. Infer the network configuration for firmware 1.
```
./scripts/inferNetwork.sh 1
```
But still no IP.
Following https://hackmd.io/@LJP/H1d_IyUxH
I was later able to configure an IP,
but found no sign of any service, so I did not know how to restart services either.
## D-Link DIR-645
1. See step 1 of Usage (WNAP320 Firmware Version 2.0.3).
2. Download [D-Link DIR-645](http://www.dlinktw.com.tw/techsupport/download.ashx?file=1642)
3. Recover only the filesystem
```
./sources/extractor/extractor.py -b Dlink -sql 127.0.0.1 -np -nk "DIR846A1_FW100A35.bin" images
```
4. Identify the architecture of firmware 3 and store the result in the image table of the database.
```
./scripts/getArch.sh ./images/3.tar.gz
```
5. Load the contents of the filesystem for firmware 3 into the database, populating the object and object_to_image tables.
```
./scripts/tar2db.py -i 3 -f ./images/3.tar.gz
```
6. Create the QEMU disk image for firmware 3.
```
sudo ./scripts/makeImage.sh 3
```
7. Infer the network configuration for firmware 3.
```
sudo ./scripts/inferNetwork.sh 3
```

192.168.0.1, 192.168.7.1
8. Emulate firmware 3 with the inferred network configuration.
```
./scratch/3/run.sh
```
It seems to have blown up again.