IoT Firmware Binary Emulation!!!

Once we have extracted the firmware we have left with the binaries so to understand their functionalities and interact with them we require debuggers which will help in analyzing them for in-depth technicalities including buffer overflows etc.

 Required tools:

 Qemu
Qemu - QEMU is a generic and open source machine emulator and virtualizer.

 When used as a machine emulator, QEMU can run OSes and programs made for one machine (e.g. an ARM board) on a different machine (e.g. your own PC). By using dynamic translation, it achieves very good performance.
When used as a visualizer, QEMU achieves near native performance by executing the guest code directly on the host CPU. QEMU supports virtualization when executing under the Xen hyper-visor or using the KVM kernel module in Linux. When using KVM, QEMU can virtualize x86, server and embedded PowerPC, 64-bit POWER, S390, 32-bit and 64-bit ARM, and MIPS guests.
QEMU is a member of Software Freedom Conservancy.

 Step 1 - For emulation we will be using below firmware:
Netgear - WNAP320 Device
http://www.downloads.netgear.com/files/GDC/WNAP320/WNAP320%20Firmware%20Version%202.0.3.zip



Try searching anything suspicious we see and we come across interesting thing here that all the binary's if required to run then we have to use busybox just like we need to append it to the required command:



 Step 2 - We can use Qemu once we know which architecture we will be assessing eg:ARM, MIPS which is one of the widely used.

The architecture its running on is MIPS32

 Step 3 - Once we have identified the machine architecture we need to copy the QEMU binary in the corresponding folder and run with "chroot".

 Chroot: Chroot is an operation that changes the apparent root directory for the current running process and their children. A program that is run in such a modified environment cannot access files and commands outside that environmental directory tree. This modified environment is called a chroot jail.


You can also perform some operations like change password or pwd etc.




 In next series we will learn backdooring a firmware and extraction with FMK(firmware modification kit)

 Thanks and regards,
#Kapil_kulkarni
#Akash_chavan.
References:
http://wiki.qemu.org/Main_Page
https://en.wikibooks.org/wiki/QEMU/Installing_QEMU
Security Tube training Offensive IoT security
https://wiki.archlinux.org/index.php/change_root
https://github.com/attify/firmware-analysis-toolkit
http://blog.attify.com/2016/07/08/firmware-analysis-iot-devices/

Comments

Post a Comment

Popular posts from this blog

Threat Hunting | Malspam Analysis | Malware Traffic Analysis - MalwareTrafficAnalysis.net Basic

Image
+++++++Please note that we have not attempted to copy anyone nor have we published any copyrighted material however We have tried to compile all the best resources freely available to include it in our investigation+++++++++ Before we proceed with the threat hunting we will see a couple of techniques which will help us in making our job easier while working with Wireshark. ------------------------------------------------------------------------------------------------------------------------------------- How to add server/host names to columns for the Wireshark? ------------------------------------------------------------------------------------------------------------------------------------- Open Wireshark with any captured packets file(.pcap). Before starting hunt for critical data always make sure the time format is selected as per the incidence reported. This will help you in track the time status of the infection for the pre and post stages. Here w
Read more

IoT Firmware Analysis!!!

Image
A simple tutorial you can follow if you are new to the IoT world and firmware analysis. There are various videos as well you can refer to, just what to accept from all of them is the logic behind what is needed and what to look for. Step 1 - We begin by downloading the firmware from below link which belongs to a simple D-Link router, this can also be downloaded from vendors official website: https://github.com/praetorian-inc/DVRF/blob/master/Firmware/DVRF_v03.bin  Step 2 - We can use any tool which is capable of  ".bin" extraction.We will be using the "Binwalk" tool with  below command for analyzing the file system type. For a complete list of file systems, please refer to this link:  http://elinux.org/File_Systems . binwalk file.bin Step 3 - What we identify from simple binwalk is the file system and the address from where the file systems start which in our case is "1648424"The next step now would be to extract the file system us
Read more

Exploiting The New Apache Struts2 Remote Code Execution [CVE 2017-5638]

Image
A Glance at Apache Struts 2:- Apache Struts 2 is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model–view–controller (MVC) architecture. The WebWork framework spun off from Apache Struts aiming to offer enhancements and refinements while retaining the same general architecture of the original Struts framework. In December 2005, it was announced that WebWork 2.2 was adopted as Apache Struts 2, which reached its first full release in February 2007. About CVE 2017-5638:- Security Researcher have discovered a new Remote Code Execution Vulnerability in Jakarta Multi-part parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 using Object Graph Navigation Language (OGNL) expressions and it is being actively exploited in the wild. About the Exploit:- This vulnerability can be triggered if the attacker sends a modified HTTP request to up
Read more