Contents
Introduction
Environment setup
Firmware unpacking
Reproducing the vulnerability, debugging with IDA
Resources
Introduction
- QEMU, like VMware, is virtual-machine software, but QEMU emulates a much wider range of platforms: it can virtualize many embedded boards and CPU architectures.
- My work requires looking into smart-hardware security, so for now I am using QEMU to emulate devices and build up experience.
- This is a simple analysis of a few router vulnerabilities on the MIPS architecture.
- Of course, QEMU lacks the device's own memory (for example configuration held in NVRAM) and its peripherals; if the vulnerable code depends on those resources, the vulnerability may not be reproducible.
- The focus is mainly on usage rather than principles, because I have not worked with this long enough to explain the principles with confidence.
Environment setup
- Choose a Debian system
- Install binwalk
  - git clone https://github.com/devttys0/binwalk.git
  - Install the dependent libraries following the instructions in INSTALL.md
  - Install binfmt-support (registers an interpreter for binary formats the host cannot execute natively, so foreign ELF files are run through qemu-user-static transparently)
  - Install qemu-user-static (runs individual programs from the firmware in user mode: apt-get install qemu-user-static)
  - Install qemu and qemu-system (apt-get install qemu qemu-system; the system-mode example below uses qemu-system)
- Configure the network and create a bridge
  - apt-get install bridge-utils uml-utilities
  - Edit /etc/network/interfaces
  - Edit /etc/qemu-ifup
My environment was set up following the guidance in [resource 1].
Firmware unpacking
- Choose the firmware to analyze from the download page on the vendor's website
- Unpacking command
  - binwalk -Me <firmware path>
Unpacking firmware is usually straightforward: if the existing tools can extract it, it can be analyzed. If they cannot, my skill is not enough to extract the file system by hand.
Reproducing the vulnerability, debugging with IDA
The two examples below reproduce [references 2 and 3]; without real hardware, I could only pick public vulnerabilities to learn from.
User mode
This example is based on [reference 2] and runs a single program under QEMU user mode, which is easier to debug.
- Example: my_cgi.cgi
- Run the script (see Code 1)
- qemu-mipsel-static options: -E sets an environment variable for the emulated process (the CGI reads its request from these); -g makes QEMU wait for a gdb connection on the given port before the program starts, which is how IDA attaches
Code 1: the run script

#!/bin/bash

INPUT="$1"
LEN=$(echo -n "$INPUT" | wc -c)
PORT="1234"

if [ "$LEN" == "0" ] || [ "$INPUT" == "-h" ] || [ "$UID" != "0" ]
then
    echo -e "\nUsage: sudo $0 <post-data>\n"
    exit 1
fi

# copy the user-mode emulator into the firmware root so it is still reachable after chroot
cp $(which qemu-mipsel-static) ./qemu

# feed the POST body on stdin, set the CGI environment, and wait for gdb on $PORT
echo "$INPUT" | chroot . ./qemu -E REQUEST_METHOD="POST" -E CONTENT_LENGTH=$LEN -E CONTENT_TYPE="application/x-www-form-urlencoded" -E REMOTE_ADDR="1.1.1.100" -g $PORT ./usr/bin/my_cgi.cgi 2>/dev/null
Run the script:
Figure 1 Running a script to wait for debugging
Result:
Figure 2 Running results
This example is fairly easy to run: copy the script into the root of the unpacked firmware file system and run it from there (it uses chroot ., so the working directory must be the firmware root).
System mode
This example is based on [reference 3]. The file system unpacked from the firmware is placed into a disk image, then QEMU system mode boots a Linux kernel for the Malta platform with that image attached as a disk the kernel can see.
- Requires the complete file system unpacked from the firmware
- Run the qemu-system command to boot the kernel and its file system, then make the firmware file system available inside the guest somehow (for example over FTP, or as a disk image attached as a second disk)
- Before switching into the firmware root with chroot, make sure the architecture (including endianness) that QEMU emulates matches the firmware's
At first I picked a big-endian firmware and mounted its extracted file system in the Linux system running under qemu-system, but every chroot into it failed with an exec format error on /bin/sh. I assumed the file itself was broken and went back and forth for a long time. Later the team lead found a little-endian firmware, the same method worked, and only then did I realise the problem was byte order: the Malta kernel I had booted is little-endian while the firmware was big-endian. Not enough experience.
As described in [reference 3], the unpacked file system is made into an IMG-format disk image, a kernel is downloaded from https://downloads.openwrt.org/snapshots/trunk/malta/generic/, and QEMU is started with the qemu-system command.
Start command:
qemu-system-mipsel -kernel openwrt-malta-le-vmlinux-initramfs.elf -M malta -net nic,vlan=0,macaddr=12:22:22:22:22:22 -net tap -nographic -drive file=./share.img
The -kernel parameter specifies the kernel file
The -M parameter (capital M; lowercase -m sets the guest memory size) specifies the platform QEMU should emulate
The -net parameters specify the NIC with its MAC address and the tap backend, which connects to the bridge configured earlier (the vlan=0 option is only accepted by QEMU versions before 3.0; on newer versions drop it)
The -drive parameter specifies our hard disk image file
-nographic tells QEMU to use the current console instead of opening a separate window
Post-boot interface:
Figure 3 Post-run command-line interface
At this point we can mount our router file system with mount -t ext4 /dev/sda /overlay/.
Figure 4 Mount Router mirroring
Then switch the root directory to the router file system with chroot /overlay/squashfs-root /bin/sh.
Figure 5 Switching the root directory
Run IGDMPTD
Figure 6 Running IGDMPTD
Verify the vulnerability from another console
Figure 7 Validation Vulnerability
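To avoid the byte-order mistake described above and to script the image-building step that [reference 3] only describes, here is an added helper script; it is my own example, not code from the original post or from the referenced write-ups. It reads the ELF header of the firmware's /bin/sh to pick the matching QEMU target, builds the ext4 image, and prints the boot command. It assumes (hypothetically) that the OpenWrt Malta kernels are named openwrt-malta-le-vmlinux-initramfs.elf and openwrt-malta-be-vmlinux-initramfs.elf, that the bridge helper is /etc/qemu-ifup and the tap interface is tap0, and it goes beyond the page's MIPS case by also recognising ARM binaries.

```bash
#!/bin/bash
# Added example (not from the original post or its references): detect the
# firmware's endianness from the ELF header of its /bin/sh, pick the matching
# QEMU target and Malta kernel, build the ext4 image that qemu-system attaches
# as a second disk, and print the boot command.
# Assumed (hypothetical) names: OpenWrt Malta kernels
# openwrt-malta-le-/-be-vmlinux-initramfs.elf, bridge helper /etc/qemu-ifup,
# tap interface tap0.

# Print the QEMU user-mode target that matches an ELF file:
# mipsel/mips for little-/big-endian MIPS, arm/armeb for ARM.
elf_target() {
    local hdr data machine
    hdr=$(od -An -tx1 -N20 -v "$1" | tr -d ' \n')   # e_ident + e_type + e_machine as hex
    case "$hdr" in
        7f454c46*) ;;
        *) printf 'not-an-elf\n'; return 1 ;;
    esac
    data=$(printf '%s\n' "$hdr" | cut -c11-12)      # EI_DATA: 01 = LSB, 02 = MSB
    if [ "$data" = 01 ]; then                       # e_machine is stored in file byte order
        machine=$(printf '%s\n' "$hdr" | cut -c39-40)$(printf '%s\n' "$hdr" | cut -c37-38)
    else
        machine=$(printf '%s\n' "$hdr" | cut -c37-40)
    fi
    case "$machine:$data" in
        0008:01) printf 'mipsel\n' ;;
        0008:02) printf 'mips\n' ;;
        0028:01) printf 'arm\n' ;;
        0028:02) printf 'armeb\n' ;;
        *) printf 'unsupported:e_machine=0x%s,EI_DATA=%s\n' "$machine" "$data"; return 1 ;;
    esac
}

# Map the user-mode target to the Malta kernel the system-mode example needs.
malta_kernel() {   # $1 = target from elf_target
    case "$1" in
        mipsel) printf 'openwrt-malta-le-vmlinux-initramfs.elf\n' ;;
        mips)   printf 'openwrt-malta-be-vmlinux-initramfs.elf\n' ;;
        *) printf 'no Malta kernel for target %s\n' "$1" >&2; return 1 ;;
    esac
}

# Compose the qemu-system command. The "-net nic,vlan=0" form from the post is
# rejected by QEMU 3.0 and later, so vlan= is left out here.
qemu_cmd() {   # $1 = target, $2 = kernel, $3 = disk image
    local sys
    case "$1" in
        mipsel) sys=qemu-system-mipsel ;;
        mips)   sys=qemu-system-mips ;;
        *) return 1 ;;
    esac
    printf '%s -M malta -kernel %s -nographic -drive file=%s,format=raw -net nic,macaddr=12:22:22:22:22:22 -net tap,ifname=tap0,script=/etc/qemu-ifup\n' "$sys" "$2" "$3"
}

# Write the unpacked root into a fresh ext4 image (needs root and a loop device).
build_image() {   # $1 = unpacked root dir, $2 = image path, $3 = size in MB
    local mnt
    dd if=/dev/zero of="$2" bs=1M count="$3" 2>/dev/null
    mkfs.ext4 -q -F "$2"
    mnt=$(mktemp -d)
    mount -o loop "$2" "$mnt"
    cp -a "$1" "$mnt/"
    umount "$mnt"
    rmdir "$mnt"
}

main() {   # $1 = unpacked root dir (e.g. ./squashfs-root), $2 = image path
    local target kernel
    target=$(elf_target "$1/bin/sh") || { printf 'cannot emulate %s/bin/sh: %s\n' "$1" "$target" >&2; exit 1; }
    kernel=$(malta_kernel "$target") || exit 1
    [ -e "$2" ] || build_image "$1" "$2" 256
    printf 'firmware target: %s\n' "$target"
    printf 'boot:  %s\n' "$(qemu_cmd "$target" "$kernel" "$2")"
    printf 'guest: mount -t ext4 /dev/sda /overlay && chroot /overlay/%s /bin/sh\n' "$(basename "$1")"
}

[ $# -eq 0 ] || main "$@"
```

Usage: sudo ./prep.sh ./squashfs-root ./share.img. A big-endian firmware now yields qemu-system-mips with the be kernel instead of the exec format error, and the ELF check works equally as a pre-flight test for the user-mode script (qemu-mips-static versus qemu-mipsel-static).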
Replicating router vulnerabilities through QEMU