吾爱破解 - LCG - LSG |安卓破解|病毒分析|www.52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

查看: 4001|回复: 6
收起左侧

[漏洞分析] DWR-932_fw_revB_2_02_eu_en_20150709 固件漏洞分析调试

  [复制链接]
dreamingctf 发表于 2021-12-2 19:39
固件介绍
某路由器有漏洞的固件,搜索名字,在官网上能够下载到对应版本

分析过程中使用的工具总结
binwalk、fcrackzip、unyaffs、hashcat、John the Ripper、firmwalker

第一步:破解密码
[Asm] 纯文本查看 复制代码
fcrackzip 破解工具的使用
得到 zip 解压密码:beUT9Z


第二步:用unyaffs 解压固件
[Asm] 纯文本查看 复制代码
mkdir test1
cp  2K-mdm-image-mdm9625.yaffs2 test1
└─# unyaffs 2K-mdm-image-mdm9625.yaffs2
                                                                                                                                      
┌──(root💀kali)-[/home/…/Desktop/IoT/DWR/test1]
└─# ls
2K-mdm-image-mdm9625.yaffs2  boot        cache   config2  disk  home  linuxrc  mnt   sbin    sys  usr  WEBSERVER
bin                          build.prop  config  dev      etc   lib   media    proc  sdcard  tmp  var  www


第三步:信息挖掘
[Asm] 纯文本查看 复制代码
└─# find . -name "*.conf"
└─# find . -name "shadow"
└─# find . -name "passwd"
└─# find . -name "*config*"
└─# find . -name "*history*"
└─# find . -name "*ssh*config*"
└─# find . -name "*ssh*host*"


第四步:寻找关键配置信息
[Asm] 纯文本查看 复制代码
cat ./etc/inadyn-mt.conf
cat ./etc/shadow
cat ./etc/passwd

从中发现某些用户名账号和口令,以及root 账户的用户名和密码HASH

第五步:使用 John 工具来破解 HASH
[Asm] 纯文本查看 复制代码
这里使用的 John 爆破的密码
┌──(root💀kali)-[/home/…/Desktop/IoT/DWR/test1]
└─# echo "root:aRDiHrJ0OkehM:16270:0:99999:7:::" > hash.txt
                                                                                                                                      
┌──(root💀kali)-[/home/…/Desktop/IoT/DWR/test1]
└─# ls
2K-mdm-image-mdm9625.yaffs2  boot        cache   config2  disk  hash.txt  lib      media  proc  sdcard  tmp  var        www
bin                          build.prop  config  dev      etc   home      linuxrc  mnt    sbin  sys     usr  WEBSERVER
                                                                                                                                      
┌──(root💀kali)-[/home/…/Desktop/IoT/DWR/test1]
└─# cat hash.txt    
root:aRDiHrJ0OkehM:16270:0:99999:7:::
                                                                                                                                      
┌──(root💀kali)-[/home/…/Desktop/IoT/DWR/test1]
└─# john hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 AVX])
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 327 candidates buffered for the current salt, minimum 512 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
1234             (root)
1g 0:00:00:00 DONE 2/3 (2021-12-01 21:57) 100.0g/s 1857Kp/s 1857Kc/s 1857KC/s 123456..betabeta
Use the "--show" option to display all of the cracked passwords reliably
Session completed


第六步:使用 firmwalker
[Asm] 纯文本查看 复制代码
firmwalker
A simple bash script for searching the extracted or mounted firmware file system.
It will search through the extracted or mounted firmware file system for things of interest such as:
* etc/shadow and etc/passwd
* list out the etc/ssl directory
* search for SSL related files such as .pem, .crt, etc.
* search for configuration files
* look for script files
* search for other .bin files
* look for keywords such as admin, password, remote, etc.
* search for common web servers used on IoT devices
* search for common binaries such as ssh, tftp, dropbear, etc.
* search for URLs, email addresses and IP addresses
* Experimental support for making calls to the Shodan API using the Shodan CLI

***Firmware Directory***
../test1
***Search for password files***
##################################### passwd
1/bin/passwd
1/etc/passwd
1/var/lib/opkg/alternatives/passwd

...


第七步:查看启动项
[Asm] 纯文本查看 复制代码
cd etc/init.d
ls -l


第八步:分析 start_appmgr 脚本
[Asm] 纯文本查看 复制代码
cat start_appmgr

#Sandro { for telnetd debug...
start-stop-daemon -S -b -a /bin/logmaster
#if [ -e /config2/telnetd ]; then
    start-stop-daemon -S -b -a /sbin/telnetd
#fi
#Sandro }

# Get the vendor_id, [Generic|Pure]
VENDOR_ID=$(grep vendor_id /etc/versions 2>/dev/null | awk -F"=" '{print $2}')


case "$1" in
    start)
        if [ "$VENDOR_ID" = "Pure" ]; then
            echo -n "Starting btnd: "
            start-stop-daemon -S -b -a /bin/btnd
            echo "done"
        else
            echo -n "Starting appmgr: "
            start-stop-daemon -S -b -a /bin/appmgr
            echo "done"
        fi
        ;;
    stop)
        if [ "$VENDOR_ID" = "Pure" ]; then
            echo -n "Stopping btnd: "
            start-stop-daemon -K -n btnd
            echo "done"
        else
            echo -n "Stopping appmgr: "
            start-stop-daemon -K -n appmgr
            echo "done"
        fi
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    *)
        echo "Usage appmgr { start | stop | restart}" >&2
        exit 1
        ;;
esac

其功能是开启 telnetd、btnd、appmgr 等服务

第九步:分析 appmgr 二进制文件
[Asm] 纯文本查看 复制代码
file appmgr                                                          1 ⨯
appmgr: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, stripped


图片.png


相关学习链接:
学习链接1
学习链接2
https://github.com/PacktPublishing/IoT-Penetration-Testing-Cookbook

appmgr_IDA

appmgr_IDA

appmgr.zip

244.17 KB, 下载次数: 8, 下载积分: 吾爱币 -1 CB

免费评分

参与人数 4吾爱币 +11 热心值 +4 收起 理由
arryboom + 2 + 1 欢迎分析讨论交流,吾爱破解论坛有你更精彩!
chinawolf2000 + 1 + 1 热心回复!
zhczf + 1 + 1 我很赞同!
Hmily + 7 + 1 欢迎分析讨论交流,吾爱破解论坛有你更精彩!

查看全部评分

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。

h81632468 发表于 2022-4-27 00:05
谢谢大佬无私贡献
h81632468 发表于 2022-5-3 00:54
spawn_fly 发表于 2022-5-7 08:52
huixiang 发表于 2022-12-30 07:49
感谢大佬,厉害厉害👍🏻
BG3SPD 发表于 2022-12-30 09:16
谢谢分享
ijack2001 发表于 2022-12-30 09:18
感謝大佬,厲害厲害
您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则 警告:本版块禁止灌水或回复与主题无关内容,违者重罚!

快速回复 收藏帖子 返回列表 搜索

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2024-3-29 00:47

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表