5 changed files
with
208 additions
and
0 deletions.
@@ -0,0 +1,74 @@ | ||
# VxHunter | ||
一个用于VxWorks嵌入式设备分析的工具集。 | ||
|
||
*说明文档的其他语言: [English](README.md), [简体中文](README.zh-cn.md)* | ||
|
||
|
||
## Firmware Analyze Tool | ||
固件分析工具是基于python编写的VxWorks分析工具,主要的用途是分析固件的加载地址,从识别出的符号表中修复函数名及符号信息等。 | ||
|
||
支持的逆向工具: | ||
* IDA Pro 7.x | ||
* Ghidra 9.x | ||
* Radare2 | ||
|
||
测试过的固件: | ||
* Schneider 140NOE77101 - Ethernet network TCP/IP module | ||
* Siemens SCALANCE-X208/SCALANCE-X216/SCALANCE-X308 - Siemens SCALANCE X Switch | ||
* Hirschmann PowerMICE - Industrial ETHERNET Switch | ||
|
||
|
||
### IDA Demo | ||
![](docs/images/VxHunter_IDA_480.gif) | ||
|
||
|
||
### Ghidra Demo | ||
[如何在Ghidra中使用VxHunter](docs/How_to_use_vxhunter_firmware_tools_in_ghidra.zh-cn.md) | ||
|
||
|
||
#### vxhunter_firmware_init.py | ||
![](docs/images/VxHunter_ghidra_firmware_init_720.gif) | ||
|
||
|
||
#### vxhunter_analysis.py | ||
在执行了`vxhunter_firmware_init.py`后,我们可以使用`vxhunter_analysis.py`脚本对VxWorks固件进行进一步的分析。 | ||
这个脚本会分析硬编码的账号,已编译的VxWorks服务以及一些其他的信息。 | ||
![](docs/images/VxHunter_ghidra_analysis_720.gif) | ||
|
||
|
||
### Radare2 Demo | ||
|
||
[如何在Radare2中使用VxHunter](docs/How_to_use_vxhunter_firmware_tools_in_radare2.zh-cn.md) | ||
|
||
![](docs/images/VxHunter_Radare2_720.gif) | ||
|
||
## VxSerial Debugger - Beta | ||
串口调试工具是基于VxWorks命令行及python编写的一个VxWorks调试工具,通常我们能够在VxWorks设备的串口获取到交互式命令行。 | ||
|
||
串口调试工具使用VxWorks交互式命令行中的内存读/写指令来将调试shellcode注入到目标系统中,这个调试shellcode将由keystone-engine来动态生成。 | ||
|
||
串口调试工具的原理和inline hook比较像,如果目标设备命中了断点,它将会跳转执行调试shellcode并且等待其他调试命令的执行。 | ||
|
||
串口调试工具所支持的功能: | ||
* 内存读/写。 | ||
* 条件断点, 基于Python的callback函数,该函数返回True则断下,返回False时程序会继续执行。 | ||
* 查看Task状态。(栈, 寄存器). | ||
* VxWorks数据结构查看(netpool, clBlk, 等). | ||
|
||
|
||
### Example | ||
这个示例脚本是在TP-Link TL-WR886N-V7,固件版本V1.1.0的设备上调试CVE-2018-19528漏洞的例子。 | ||
|
||
|
||
[串口调试示例脚本](serial_debugger_example.py) | ||
|
||
示例视频 | ||
|
||
[![示例视频](https://img.youtube.com/vi/ulO8MsoDLLk/0.jpg)](https://www.youtube.com/watch?v=ulO8MsoDLLk) | ||
|
||
|
||
## TODO | ||
### Firmware Analyze Tool | ||
* ~~支持对VxWorks内存dump文件分析~~ | ||
* 支持分析VxWorks内存dump文件中动态加载的符号 | ||
* 支持分析symFindByName符号查询函数的引用来补全函数引用。 |
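Review bot: the VxSerial Debugger section of the new README (lines 84-97) names keystone-engine as a runtime dependency for generating the debug shellcode and points readers at serial_debugger_example.py, but the file has no installation or requirements section listing the dependencies or the supported Python versions; add a short 安装 section before the Example section so a reader can set the tool up before following it. Minor: the demo sections for IDA and Ghidra give a one-line description of what each script does, while the Radare2 Demo section (lines 74-80) only carries a link and a GIF; a matching one-line description would keep the three sections consistent.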
docs/How_to_use_vxhunter_firmware_tools_in_ghidra.zh-cn.md (29 changes: 29 additions & 0 deletions)
@@ -0,0 +1,29 @@ | ||
# 如何在Ghidra中使用VxHunter | ||
|
||
VxHunter Ghidra脚本能自动分析VxWorks镜像的加载地址及符号信息。 | ||
|
||
|
||
## 步骤一: 在Ghidra中加载VxWorks镜像 | ||
示例固件下载地址 [这里](https://github.com/dark-lbp/vxhunter/tree/master/example_firmware), in this document we chose [image_vx5_ppc_big_endian.bin](https://github.com/dark-lbp/vxhunter/blob/master/example_firmware/image_vx5_ppc_big_endian.bin). | ||
|
||
使用正确的处理器类型及默认加载地址0来加载VxWorks镜像。 | ||
|
||
![](images/Load_vxworks_image_to_ghidra_01.png) | ||
|
||
因为此时我们并不知道正确的加载地址,因此先不要对镜像进行自动分析。 | ||
|
||
![](images/not_analyze_now.png) | ||
|
||
|
||
## 步骤二: 运行VxHunter firmware init脚本 | ||
|
||
在脚本管理器中运行VxHunter vxhunter_firmware_init.py脚本, 这个脚本会将镜像rebase到正确的加载地址并根据符号修复函数名。 | ||
|
||
![](images/VxHunter_ghidra_firmware_init_720.gif) | ||
|
||
|
||
## 步骤三: 使用vxhunter_analysis脚本分析硬编码账号及已编入的VxWorks服务 | ||
|
||
至此就可以自由的对这个VxWorks固件进行分析了。 | ||
|
||
![](images/VxHunter_ghidra_analysis_720.gif) |
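Review bot: the heading of 步骤三 (line 169) promises using the vxhunter_analysis script to find hard-coded accounts and compiled-in VxWorks services, but the body (line 172) only says the firmware can now be analyzed freely and never tells the reader to run vxhunter_analysis.py from the Script Manager or what to expect from it; add that step, mirroring the wording used for vxhunter_firmware_init.py in 步骤二, so heading and body agree. Also, line 141 leaves an untranslated English fragment ("in this document we chose ...") in the middle of an otherwise Chinese sentence; translate it to match the rest of the document.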
docs/How_to_use_vxhunter_firmware_tools_in_radare2.zh-cn.md (100 changes: 100 additions & 0 deletions)
@@ -0,0 +1,100 @@ | ||
# 如何在Radare2中使用VxHunter | ||
|
||
VxHunter radare2脚本能自动分析VxWorks镜像的加载地址及符号信息。 | ||
|
||
|
||
## 步骤一: 在radare2中打开VxWorks镜像 | ||
示例固件下载地址 [这里](https://github.com/dark-lbp/vxhunter/tree/master/example_firmware), in this document we chose [image_vx5_ppc_big_endian.bin](https://github.com/dark-lbp/vxhunter/blob/master/example_firmware/image_vx5_ppc_big_endian.bin). | ||
|
||
在radare2使用正确的处理器类型来加载VxWorks镜像。 | ||
|
||
``` | ||
r2 -a ppc -b 32 image_vx5_ppc_big_endian.bin | ||
``` | ||
|
||
## 步骤二: 使用R2pipe运行VxHunter r2 python脚本 | ||
|
||
目前已经编写了python2及python3两个版本的脚本。 | ||
|
||
``` | ||
# for python2 | ||
#!pipe python2 ./vxhunter_r2_py2.py | ||
# for python3 | ||
#!pipe python3 ./vxhunter_r2_py3.py | ||
``` | ||
|
||
VxHunter r2能够利用关键字自动识别VxWorks版本号。如果VxHunter无法识别VxWorks版本,就需要用户在r2中输入对应版本。 | ||
|
||
``` | ||
[0x00000000]> #!pipe python3 ./vxhunter_r2_py3.py # for python2 | ||
Running with python version: 3.7.4 (default, Sep 7 2019, 18:27:02) | ||
[Clang 10.0.1 (clang-1001.0.46.4)] | ||
Auto detected VxWorks version: None | ||
Please input the VxWorks main version type 'c' to exit | ||
Available (5/6/c): 5 | ||
vx_version:5 | ||
``` | ||
|
||
你也可以将VxWorks版本作为第一个脚本参数来传参: | ||
|
||
``` | ||
[[0x00000000]> #!pipe python3 ./vxhunter_r2_py3.py 5 | ||
Running with python version: 3.7.4 (default, Sep 7 2019, 18:27:02) | ||
[Clang 10.0.1 (clang-1001.0.46.4)] | ||
vx_version:5 | ||
firmware_path: /path/image_vx5_ppc_big_endian.bin | ||
[INFO ][vxhunter_r2_py3.find_symbol_table] symbol table start offset: 0x301e60 | ||
[INFO ][vxhunter_r2_py3.find_symbol_table] symbol table end offset: 0x3293b0 | ||
``` | ||
|
||
VxHunter会分析VxWorks镜像的加载地址及符号,如果分析成功你会受到如下所示的输出。 | ||
|
||
``` | ||
###### Start analyze firmware ###### | ||
[INFO ][vxhunter_r2_py3.quick_test] load address is not:0x80002000 | ||
[INFO ][vxhunter_r2_py3._check_load_address] load address is :0x10000 | ||
Found VxWorks image load address: 0x00010000 | ||
Found VxWorks symbol table from 0x00301E60 to 0x003293B0 | ||
###### Rebase current firmware ###### | ||
All core files, io, anal and flags info purged. | ||
Rebase with r2 command: o /Users/zhuwz/temp/VxHunter_r2/image_vx5_ppc_big_endian.bin 0x10000 r-x | ||
###### Start analyzing functions###### | ||
symbol_table_start_address: 0x00311E60 | ||
symbol_table_end_address: 0x003393B0 | ||
af: Cannot find function at 0x0002986c | ||
af: Cannot find function at 0x0002983c | ||
af: Cannot find function at 0x002275b0 | ||
... | ||
###### Finish here is the flags ###### | ||
0 . classes | ||
9086 . functions | ||
0 . relocs | ||
0 . sections | ||
0 . segments | ||
2155 * symbols | ||
``` | ||
|
||
## 步骤三: Have Fun | ||
|
||
至此就可以自由的对这个VxWorks固件进行分析了。 | ||
|
||
### 查找函数 | ||
``` | ||
[0x00000000]> f functions | ||
[0x00000000]> f |grep usrI | ||
0x0002b8e4 180 usrIpLibInit | ||
0x0002cd94 88 usrInit | ||
0x0002d1d8 80 usrIosCoreInit | ||
0x0002d228 100 usrIosExtraInit | ||
``` | ||
|
||
### 查看函数 | ||
![](images/VxHunter_Rarare2_view_functions.png) |
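Review bot: the trailing comment on line 222 reads "# for python2" while the command it annotates invokes python3 ./vxhunter_r2_py3.py; drop or correct the comment, since the block on lines 210-215 already documents both interpreter variants. Smaller items in the same hunk: line 236 opens with a doubled bracket "[[0x00000000]>"; line 246 has "受到" where "收到" is meant; line 193 carries the same untranslated English fragment as the Ghidra document; and the captured output on line 257 exposes a developer's local home directory (/Users/zhuwz/...) in the "Rebase with r2 command" line, which should be replaced with a neutral placeholder such as the /path/image_vx5_ppc_big_endian.bin form already used on line 240.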
@@ -0,0 +1,3 @@ | ||
## Setting up for Development | ||
|
||
克隆项目, 在Ghidra脚本管理器中将项目目录添加为脚本目录。 |
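Review bot: the heading on line 299 ("Setting up for Development") is in English while the body on line 302 is Chinese, in what is otherwise a zh-cn document; translate the heading for consistency with the other new files. The instruction also covers only adding the project directory as a Ghidra script directory, although the README in this commit lists IDA Pro and Radare2 as supported as well; either retitle the section as Ghidra-specific or add the equivalent setup steps for the other tools.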