Obtaining the firmware
Download the firmware upgrade package from the vendor's website.
Upgrade package:
https://service.fastcom.com.cn/d3/201712/FR100P-AC V1.0升级软件20171124.zip
Unzipping it yields fr100pacv1.bin.
Firmware extraction
Run binwalk over the firmware:
(p27) ➜ binwalk fr100pacv1.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
20 0x14 IMG0 (VxWorks) header, size: 909568
43956 0xABB4 U-Boot version string, "U-Boot 1.1.3 (Jun 2 2017 - 18:37:14)"
57492 0xE094 IMG0 (VxWorks) header, size: 852096
57620 0xE114 LZMA compressed data, properties: 0x6E, dictionary size: 8388608 bytes, uncompressed size: 1267504 bytes
675920 0xA5050 Unix path: /web/language/cn/error.js
677152 0xA5520 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1758 bytes
678325 0xA59B5 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3237 bytes
678785 0xA5B81 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 200 bytes
678981 0xA5C45 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 80 bytes
679039 0xA5C7F LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 21984 bytes
682408 0xA69A8 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 147 bytes
682529 0xA6A21 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 493 bytes
682948 0xA6BC4 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2826 bytes
684431 0xA718F LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 32861 bytes
691537 0xA8D51 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4383 bytes
693333 0xA9455 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2747 bytes
694524 0xA98FC LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 7316 bytes
696832 0xAA200 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1981 bytes
697735 0xAA587 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 15912 bytes
701953 0xAB601 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2955 bytes
702968 0xAB9F8 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 6623 bytes
704981 0xAC1D5 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3565 bytes
706289 0xAC6F1 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2831 bytes
707554 0xACBE2 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4280 bytes
708886 0xAD116 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 10925 bytes
711326 0xADA9E LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 286 bytes
711548 0xADB7C LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3912 bytes
712971 0xAE10B LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 5943 bytes
714894 0xAE88E LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 5955 bytes
716799 0xAEFFF LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 6416 bytes
718873 0xAF819 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1638 bytes
719622 0xAFB06 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 7549 bytes
721691 0xB031B LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 857 bytes
722183 0xB0507 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 22381 bytes
Trying binwalk -Me to extract it just produces a pile of useless files.
So, unlike most other routers, binwalk does not hand us a complete filesystem to work from. Looking at the first entries of the binwalk output:
(p27) ➜ binwalk fr100pacv1.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
20 0x14 IMG0 (VxWorks) header, size: 909568
43956 0xABB4 U-Boot version string, "U-Boot 1.1.3 (Jun 2 2017 - 18:37:14)"
57492 0xE094 IMG0 (VxWorks) header, size: 852096
57620 0xE114 LZMA compressed data, properties: 0x6E, dictionary size: 8388608 bytes, uncompressed size: 1267504 bytes
675920 0xA5050 Unix path: /web/language/cn/error.js
677152 0xA5520 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1758 bytes
The firmware consists mainly of a firmware header (the IMG0 header), a bootloader (U-Boot) and a series of LZMA-compressed blobs (LZMA is a compression algorithm). Parsing it as a U-Boot image, however, does not yield an entry point (binwalk's IMG0 signature reports only a size), so the blobs have to be carved out and analyzed by hand.
Charting the length of each segment, the LZMA blob starting at offset 57620 is clearly the largest: it runs 619532 bytes up to the next LZMA signature at 677152, about 68% of the whole image, so it is very likely the main program.
Carve it out with dd (the count is the distance to the next LZMA hit at 677152):
dd if=fr100pacv1.bin of=57620.lzma bs=1 skip=57620 count=619532
(p27) ➜ ls -l 57620.lzma
-rw-r--r-- 1 root root 619532 3月 28 05:30 57620.lzma
(p27) ➜ lzma -d 57620.lzma
lzma: 57620.lzma: Compressed data is corrupt
lzma refuses to decompress it. Open 57620.lzma in 010 Editor, scroll to the bottom and look at the grayscale byte view on the right.
The grayscale pattern breaks down there; scroll up to find the point where it changes.
The likely cause is that the carve runs all the way to the next LZMA signature, so it includes bytes past the real end of the stream (the plaintext Unix path binwalk found at 675920 cannot be inside compressed data, which is a hint that the stream ends before it). Delete everything after the break and decompress again:
(p27) ➜ lzma -d 57620.lzma
(p27) ➜ ls -l 57620
-rw-r--r-- 1 root root 1267504 3月 28 05:36 57620
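The carve-and-decompress steps above can be done without the manual "delete everything after the break" edit in 010 Editor. The script below is an added example for this article, not code from the original post: it parses a binwalk listing (a constructed excerpt of the output above), picks the LZMA blob with the largest span up to the next LZMA hit, and decompresses it with a streaming decoder that stops at the real end of stream and reports how many carved bytes actually belonged to it. The total image size is assumed to be the 20-byte prefix plus the 909568 bytes the first IMG0 header announces; the sample image built for the offline run is constructed, not the real firmware.

```python
"""Carve the largest LZMA blob out of a monolithic firmware image.

Added example for this article, not code from the original post. It
automates the dd + "delete the trailing data in 010 Editor" steps: the
carve length taken from binwalk runs up to the next LZMA signature, so
it drags in bytes that are not part of the stream and the lzma CLI
rejects the file. A streaming decoder stops at the real end of stream
and reports how many compressed bytes actually belonged to it.
"""
import lzma
import re
import struct

# Constructed excerpt in the shape of the binwalk output above (the real
# run lists many more LZMA rows; these are enough to pick the big one).
BINWALK_OUTPUT = """\
20       0x14     IMG0 (VxWorks) header, size: 909568
43956    0xABB4   U-Boot version string, "U-Boot 1.1.3 (Jun 2 2017 - 18:37:14)"
57492    0xE094   IMG0 (VxWorks) header, size: 852096
57620    0xE114   LZMA compressed data, properties: 0x6E, dictionary size: 8388608 bytes, uncompressed size: 1267504 bytes
675920   0xA5050  Unix path: /web/language/cn/error.js
677152   0xA5520  LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1758 bytes
"""
# Assumed image size: the 20-byte prefix plus the 909568 bytes the first
# IMG0 header announces (the article never shows `ls -l` on the .bin).
IMAGE_SIZE = 20 + 909568

LZMA_MAGIC = "LZMA compressed data"
_ROW = re.compile(r"^(\d+)\s+0x[0-9A-Fa-f]+\s+(.*)$")


def parse_binwalk(text):
    """Return [(decimal_offset, description)] for every signature row."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2)))
    return rows


def lzma_spans(rows, image_size):
    """For each LZMA hit: (offset, carve_length, share_of_image), where
    carve_length runs to the next LZMA hit, exactly like the dd count."""
    offsets = [off for off, desc in rows if desc.startswith(LZMA_MAGIC)]
    spans = []
    for i, off in enumerate(offsets):
        end = offsets[i + 1] if i + 1 < len(offsets) else image_size
        spans.append((off, end - off, (end - off) / image_size))
    return spans


def parse_lzma_header(blob):
    """Decode the 13-byte .lzma ('alone') header: properties byte packed
    as (pb * 5 + lp) * 9 + lc, dictionary size, uncompressed size
    (all ones means unknown, i.e. the stream ends with an end marker)."""
    props, dict_size, usize = struct.unpack("<BIQ", blob[:13])
    pb, rem = divmod(props, 45)
    lp, lc = divmod(rem, 9)
    return {"lc": lc, "lp": lp, "pb": pb, "dict_size": dict_size,
            "uncompressed_size": None if usize == 0xFFFFFFFFFFFFFFFF else usize}


def carve_lzma(image, offset, length):
    """Decompress the stream at `offset`, tolerating trailing bytes.
    Returns (decompressed_bytes, compressed_bytes_actually_used)."""
    chunk = image[offset:offset + length]
    hdr = parse_lzma_header(chunk)
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    data = dec.decompress(chunk)
    if not dec.eof:
        raise ValueError("stream does not end inside the carved range; carve more")
    if hdr["uncompressed_size"] not in (None, len(data)):
        raise ValueError("got %d bytes, header promised %d" % (len(data), hdr["uncompressed_size"]))
    return data, len(chunk) - len(dec.unused_data)


def build_sample_image():
    """Constructed stand-in for fr100pacv1.bin: junk header, one big LZMA
    stream, filler holding a plaintext path (like the 'Unix path' hit at
    675920), then a small second stream. Returns (image, rows, big_len)."""
    main = lzma.compress(bytes(range(256)) * 64 + b"main program\0", format=lzma.FORMAT_ALONE)
    small = lzma.compress(b"second stream", format=lzma.FORMAT_ALONE)
    header = b"\x00" * 128
    filler = b"\xff" * 256 + b"/web/language/cn/error.js\0" + b"\xff" * 230
    image = header + main + filler + small
    rows = [(0, "IMG0 (VxWorks) header, size: %d" % len(image)),
            (len(header), LZMA_MAGIC + " (constructed)"),
            (len(header) + len(main) + 256, "Unix path: /web/language/cn/error.js"),
            (len(header) + len(main) + len(filler), LZMA_MAGIC + " (constructed)")]
    return image, rows, len(main)


if __name__ == "__main__":
    off, length, share = max(lzma_spans(parse_binwalk(BINWALK_OUTPUT), IMAGE_SIZE), key=lambda s: s[1])
    print("largest LZMA blob at %d: carve %d bytes (%.0f%% of the image)" % (off, length, share * 100))
    image, rows, _ = build_sample_image()
    off, length, _ = max(lzma_spans(rows, len(image)), key=lambda s: s[1])
    data, used = carve_lzma(image, off, length)
    print("carved %d bytes, stream really ends after %d; %d trailing" % (length, used, length - used))
    # Only the first `used` bytes are the stream; that is the file `lzma -d` accepts:
    # open("57620.lzma", "wb").write(image[off:off + used])
```

The header check matters on a real image: binwalk printed "uncompressed size: 1267504" for this blob, and the decompressed file the article gets is exactly 1267504 bytes, so a size mismatch after decoding would mean the wrong offset was carved, not merely trailing garbage.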
No output, so the decompression succeeded. Loading the result into IDA gets nowhere, so first work out whether the program is x86 or ARM.
Analyze it with binwalk:
(p27) ➜ FR100P-AC V1.0 binwalk 57620
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
176636 0x2B1FC Copyright string: "Copyright(C) 2001-2011 by TP-LINK TECHNOLOGIES CO., LTD."
522740 0x7F9F4 PEM certificate
523412 0x7FC94 PEM RSA private key
559336 0x888E8 Copyright string: "Copyright FAST_TECHNOLOGIES"
790532 0xC1004 HTML document header
790597 0xC1045 HTML document footer
947428 0xE74E4 PEM certificate
947484 0xE751C PEM certificate request
947668 0xE75D4 PEM RSA private key
947864 0xE7698 PEM EC private key
947928 0xE76D8 PEM DSA private key
1049388 0x10032C XML document, version: "1.0"
1049576 0x1003E8 Base64 standard index table
1183672 0x120FB8 SHA256 hash constants, little endian
1242908 0x12F71C XML document, version: "1.0"
This does not pin down the OS, but the SHA256 constants hit at least confirms little-endian. Try the architectures one by one, starting with ARM:
Pressing C in IDA to turn the bytes into code shows it is still wrong:
x86 isn't right either:
Try MIPS next:
MIPS looks right, so switch to Ghidra for the analysis, selecting MIPS 32-bit little-endian:
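Instead of loading the blob into IDA as ARM, then x86, then MIPS, the word order and architecture can be scored first by counting how often each architecture's function prologue and epilogue idioms appear when the bytes are read in that architecture's byte order. The script below is an added example for this article, not the author's code; binwalk's own opcode scan (binwalk -A) does the same kind of thing, and this version shows the mechanism. The idiom lists and the sample buffers are my own constructions.

```python
"""Guess the CPU architecture and endianness of a raw, headerless blob.

Added example for this article, not the author's code. Each candidate
architecture is scored by how many 32-bit words match its function
prologue/epilogue idioms when read in that byte order; x86 has no fixed
word size, so it is scored on byte strings instead.
"""
import struct

# (mask, value) pairs over a 32-bit instruction word.
MIPS_IDIOMS = [
    (0xFFFFFFFF, 0x03E00008),  # jr $ra
    (0xFFFF0000, 0x27BD0000),  # addiu $sp, $sp, imm  (frame setup/teardown)
    (0xFFFF0000, 0xAFBF0000),  # sw $ra, off($sp)
    (0xFFFF0000, 0x8FBF0000),  # lw $ra, off($sp)
]
ARM_IDIOMS = [
    (0xFFFFFFFF, 0xE12FFF1E),  # bx lr
    (0xFFFF4000, 0xE92D4000),  # push {..., lr}  (stmdb sp!, {...})
    (0xFFFF8000, 0xE8BD8000),  # pop {..., pc}   (ldmia sp!, {...})
]
X86_IDIOMS = [b"\x55\x89\xe5", b"\x55\x8b\xec"]  # push ebp; mov ebp, esp (both encodings)

WORD_CANDIDATES = {
    "mips-le": ("<I", MIPS_IDIOMS),
    "mips-be": (">I", MIPS_IDIOMS),
    "arm-le": ("<I", ARM_IDIOMS),
    "arm-be": (">I", ARM_IDIOMS),
}


def count_word_idioms(blob, fmt, idioms):
    """Idiom hits among 4-byte words; tries all four alignments and keeps
    the best, since a raw blob may start with an odd-sized header."""
    best = 0
    for align in range(4):
        view = blob[align:]
        hits = 0
        for (w,) in struct.iter_unpack(fmt, view[: len(view) & ~3]):
            if any(w & mask == value for mask, value in idioms):
                hits += 1
        best = max(best, hits)
    return best


def arch_scores(blob):
    """Idiom hit count per candidate architecture."""
    scores = {name: count_word_idioms(blob, fmt, idioms)
              for name, (fmt, idioms) in WORD_CANDIDATES.items()}
    scores["x86"] = sum(blob.count(sig) for sig in X86_IDIOMS)
    return scores


def guess_arch(blob, min_hits=8):
    """Best-scoring candidate, or None when nothing scores convincingly
    (typical for a blob that is still compressed or encrypted)."""
    name, hits = max(arch_scores(blob).items(), key=lambda kv: kv[1])
    return name if hits >= min_hits else None


def _constructed_code(fmt, words, repeat=20):
    """Constructed sample 'code': the given words packed in that byte order."""
    return b"".join(struct.pack(fmt, w) for w in words) * repeat


# Constructed samples: a MIPS leaf-function skeleton, an ARM one, an x86 one.
SAMPLE_MIPS_LE = _constructed_code("<I", [0x27BDFFE0, 0xAFBF001C, 0x0C000000,
                                          0x8FBF001C, 0x03E00008, 0x27BD0020])
SAMPLE_ARM_LE = _constructed_code("<I", [0xE92D4010, 0xE1A00000, 0xE8BD8010, 0xE12FFF1E])
SAMPLE_X86 = b"\x55\x89\xe5\x83\xec\x10\xc9\xc3" * 20

if __name__ == "__main__":
    for label, blob in (("mips sample", SAMPLE_MIPS_LE), ("arm sample", SAMPLE_ARM_LE),
                        ("x86 sample", SAMPLE_X86), ("zeros", bytes(64))):
        print(label, guess_arch(blob), arch_scores(blob))
```

On a real image, run it over the decompressed blob (open("57620", "rb").read()); a convincing result is a candidate that scores far above the others, while uniformly low scores mean the data is still compressed, encrypted, or not code at all.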
First look at the assembly at the very start of the file:
Set the base address to 0xb0000000 and analyze again:
The decompiler window now works as well:
But some function addresses start with 0x80 rather than 0xb0:
So try a base address of 0x80000000 instead (on MIPS32, 0x80000000 is the start of kseg0, the cached segment where RAM is mapped and code normally runs, while 0xb0000000 lies in kseg1, the uncached segment typically used for flash and peripherals):
Decompilation now runs normally:
String references also resolve correctly, and with that the firmware extraction is complete.
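The base-address guesswork above (0xb0000000, then 0x80000000 once 0x80-prefixed addresses showed up) can be narrowed down before opening Ghidra. The script below is an added example for this article, not the author's code: it tallies the immediates of lui instructions, which carry the upper 16 bits of every address the MIPS code builds with lui/addiu pairs, derives candidate bases from them, and ranks candidates by how many aligned words would point into the image, and at string starts in particular. The sample image is constructed; the resolving of string references in Ghidra, as the article does, remains the real confirmation.

```python
"""Estimate the load base of a raw MIPS32 little-endian image.

Added example for this article, not the author's code. Two signals:
  1. the immediates of `lui` instructions, i.e. the upper halves of
     addresses the code materialises with lui/addiu pairs;
  2. for each candidate base, how many aligned 32-bit words would be
     pointers into the image, and how many of those hit a string start.
"""
import struct
from collections import Counter


def _words(image):
    return (w for (w,) in struct.iter_unpack("<I", image[: len(image) & ~3]))


def lui_histogram(image, top=5):
    """Most common `lui` immediates (opcode 0x0F, rs field zero, rt != $zero)."""
    counts = Counter()
    for w in _words(image):
        if (w >> 26) == 0x0F and (w >> 21) & 0x1F == 0 and (w >> 16) & 0x1F:
            counts[w & 0xFFFF] += 1
    return counts.most_common(top)


def candidates_from_lui(image, top=3):
    """Bases implied by the top lui immediates: hi << 16 and (hi - 1) << 16,
    because a negative addiu low half makes lui carry hi + 1."""
    cands = set()
    for hi, _ in lui_histogram(image, top):
        cands.add(hi << 16)
        cands.add(((hi - 1) & 0xFFFF) << 16)
    return cands


def _is_string_start(image, off, min_len=4):
    """True if `off` begins a NUL-terminated run of printable ASCII."""
    if off and image[off - 1] != 0:
        return False
    end = image.find(b"\0", off)
    return end != -1 and end - off >= min_len and all(32 <= b < 127 for b in image[off:end])


def pointer_score(image, base):
    """(words inside [base, base + len), of those the ones hitting a string start)."""
    lo, hi = base, base + len(image)
    inside = strings = 0
    for w in _words(image):
        if lo <= w < hi:
            inside += 1
            if _is_string_start(image, w - base):
                strings += 1
    return inside, strings


def rank_bases(image, candidates):
    """Candidates ordered by string-pointer hits, then by in-image pointers."""
    def key(base):
        inside, strings = pointer_score(image, base)
        return (strings, inside)
    return sorted(candidates, key=key, reverse=True)


def build_sample_image():
    """Constructed stand-in for the decompressed blob, laid out as if loaded
    at 0x80000000: lui-heavy code, a string table at 0x100, pointers to
    those strings at 0x200, zero padding to 128 KiB."""
    base = 0x80000000
    code = b"".join(struct.pack("<I", 0x3C040000 | hi) for hi in [0x8001] * 30 + [0x8000] * 10)
    code += struct.pack("<I", 0x03E00008) * 4  # jr $ra
    strings = b"hello\0world\0firmware\0"
    ptrs = b"".join(struct.pack("<I", base + 0x100 + o) for o in (0, 6, 12))
    image = code.ljust(0x100, b"\0") + strings
    image = image.ljust(0x200, b"\0") + ptrs
    return image.ljust(0x20000, b"\0")


if __name__ == "__main__":
    img = build_sample_image()
    print("top lui immediates:", [(hex(h), n) for h, n in lui_histogram(img)])
    cands = candidates_from_lui(img) | {0xA0000000, 0xB0000000}
    for base in rank_bases(img, cands):
        print(hex(base), pointer_score(img, base))
```

On the real blob the histogram is the quick check: a pile of 0x8000-0x80xx immediates and few 0xb0xx ones says the code expects to run from kseg0, which is what the article found by trial in Ghidra.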
Originally published on the WeChat official account 山石网科安全技术研究院 (Hillstone Networks Security Research Institute): 迅捷PoE*AC路由一体机FR100P-AC固件提取研究 (a study of firmware extraction from the FAST FR100P-AC PoE/AC router-controller)