These notes follow 《物联网安全漏洞挖掘实战》 (Practical IoT Vulnerability Discovery) by 崔洪权. This part corresponds to section 3.7.2 of the book, "Decrypting encrypted firmware" (p. 87).
➜ binwalk DIR822C1_FW315WWb02.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
binwalk finds no signatures at all in the 3.15 image: the listing is empty. Check the entropy with binwalk -E.
High entropy means a byte sequence is probably encrypted or compressed; low entropy means the opposite. Here the entropy stays almost flat at about 1 (binwalk normalises entropy to the 0..1 range) across the whole file. Flat high entropy by itself does not separate ciphertext from compressed data, but combined with the empty signature scan it points to encryption: a merely compressed image would still carry recognisable headers (the LZMA and SquashFS headers that appear later in this write-up). So the image has to be decrypted before anything else can be done with it.
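The entropy check above can be reproduced without binwalk. The following Python is an added example (not code from the book or from the original post): it computes per-block Shannon entropy on binwalk's 0..1 scale and combines it with a crude signature scan, because flat high entropy alone cannot tell ciphertext from compressed data; what distinguishes the encrypted 3.15 image is that no header survives anywhere. The magic values are the SquashFS v4 magics and the LZMA header (properties 0x5D, 8 MiB dictionary) that binwalk reports on this page; the sample inputs are constructed, with a seeded PRNG standing in for ciphertext.

```python
import math
import random
from collections import Counter

# Signatures binwalk reports in the D-Link images on this page: SquashFS v4
# magics and an LZMA header with properties 0x5D and an 8 MiB dictionary
# (0x00800000, stored little-endian).
KNOWN_MAGICS = {
    "SquashFS (little endian)": b"hsqs",
    "SquashFS (big endian)": b"sqsh",
    "LZMA (props 0x5D, 8 MiB dict)": b"\x5d\x00\x00\x80\x00",
}


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte block in bits per byte (0.0 .. 8.0)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def block_entropy(data: bytes, block_size: int = 4096) -> list[float]:
    """Per-block entropy normalised to 0..1, the scale binwalk -E plots."""
    return [shannon_entropy(data[i:i + block_size]) / 8.0
            for i in range(0, len(data), block_size)]


def find_signatures(data: bytes) -> dict[str, list[int]]:
    """Offsets of every known magic in the image (a crude version of binwalk's scan)."""
    hits: dict[str, list[int]] = {}
    for name, magic in KNOWN_MAGICS.items():
        offsets, pos = [], data.find(magic)
        while pos != -1:
            offsets.append(pos)
            pos = data.find(magic, pos + 1)
        if offsets:
            hits[name] = offsets
    return hits


def triage(data: bytes, block_size: int = 4096, high: float = 0.95) -> str:
    """Classify an image the way an analyst reads binwalk and binwalk -E together.

    High entropy alone does not separate encryption from compression; the
    deciding clue is whether recognisable headers survive anywhere.
    """
    ent = block_entropy(data, block_size)
    sigs = find_signatures(data)
    flat_high = bool(ent) and min(ent) >= high
    if flat_high and not sigs:
        return "likely encrypted (flat high entropy, no signatures)"
    if sigs:
        return "compressed/packed with recognisable headers: " + ", ".join(sigs)
    return "low-entropy or plain data"


def constructed_samples() -> dict[str, bytes]:
    """Constructed inputs, not real firmware: seeded PRNG output stands in for ciphertext."""
    rng = random.Random(0x5EA3)
    noise = rng.randbytes(64 * 1024)
    return {
        # whole file looks random, no headers anywhere: the encrypted 3.15 image
        "encrypted": noise,
        # low-entropy header followed by a SquashFS magic: a packed but readable image
        "packed": b"\x00" * 4096 + b"hsqs" + noise[:8192],
        "plain": b"A" * 4096,
    }


if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(f"{name:10s} -> {triage(blob)}")
```

Against a real image, read the file into `data` and call `triage(data)`; a per-block plot of `block_entropy(data)` reproduces the shape of the binwalk -E graph, and `find_signatures` shows whether the high-entropy regions are bounded by recognisable headers.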
D-Link's firmware release notes state: "The firmware v3.12 must be upgraded from the transitional version of firmware v303WWb04_middle (only if you currently have firmware lower than version 3.10)." The book noted earlier that such a "middle" (transitional) version can be used to crack the encrypted firmware: the transitional build has to be able to decrypt the newer image on the device, so the decryption routine and its key must be present inside it. The next task is therefore to download v303WWb04_middle and prepare to decrypt.
Release notes: https://legacyfiles.us.dlink.com/DIR-822/Firmware/DIR-822_REVC_RELEASE_NOTES_v3.12B04.pdf. D-Link runs a public file (FTP) server for firmware downloads, and the v303WWb04_middle image can be fetched from there.
After downloading, extract it with binwalk -Me; the familiar SquashFS file-system tree appears:
➜ binwalk -Me DIR822C1_FW303WWb04_i4sa_middle.bin
Scan Time: 2026-01-12 11:39:04
Target File: /home/ra1ny/fw/DIR822C1_FW303WWb04_i4sa_middle.bin
MD5 Checksum: c3b9a3f115c02e739690616aba2f2d99
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 DLOB firmware header, boot partition: "dev=/dev/mtdblock/1"
10380 0x288C LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 4246396 bytes
1376372 0x150074 PackImg section delimiter tag, little endian size: 3166720 bytes; big endian size: 5386240 bytes
WARNING: Extractor.execute failed to run external extractor 'sasquatch -p 1 -le -d 'squashfs-root-0' '%e'': [Errno 2] No such file or directory: 'sasquatch', 'sasquatch -p 1 -le -d 'squashfs-root-0' '%e'' might not be installed correctly
WARNING: Extractor.execute failed to run external extractor 'sasquatch -p 1 -be -d 'squashfs-root-0' '%e'': [Errno 2] No such file or directory: 'sasquatch', 'sasquatch -p 1 -be -d 'squashfs-root-0' '%e'' might not be installed correctly
WARNING: Symlink points outside of the extraction directory: /home/ra1ny/fw/_DIR822C1_FW303WWb04_i4sa_middle.bin.extracted/squashfs-root/tmp -> /var/tmp; changing link target to /dev/null for security purposes.
...
WARNING: Symlink points outside of the extraction directory: /home/ra1ny/fw/_DIR822C1_FW303WWb04_i4sa_middle.bin.extracted/squashfs-root/etc/TZ -> /var/TZ; changing link target to /dev/null for security purposes.
1376404 0x150094 Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 5384655 bytes, 2352 inodes, blocksize: 131072 bytes, created: 2018-04-28 02:11:42
Scan Time: 2026-01-12 11:39:05
Target File: /home/ra1ny/fw/_DIR822C1_FW303WWb04_i4sa_middle.bin.extracted/288C
MD5 Checksum: d6818196660647a5451186a6cef8b24f
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
3051552 0x2E9020 Linux kernel version 2.6.30
3394224 0x33CAB0 CRC32 polynomial table, little endian
3407184 0x33FD50 SHA256 hash constants, big endian
3534944 0x35F060 Neighborly text, "NeighborSolicitst_%s"
3534964 0x35F074 Neighborly text, "NeighborAdvertisements=%pI6 dst=%pI6 "
3538367 0x35FDBF HTML document header
3538530 0x35FE62 HTML document footer
3842064 0x3AA010 AES S-Box
After extraction there is a directory ending in .extracted that contains squashfs-root, the familiar Linux root file-system tree. The sasquatch warnings above are harmless here: binwalk fell back to another SquashFS extractor and squashfs-root was still produced (the symlink warnings refer to it).
Because v303WWb04_middle is the build that upgrades to 3.15B02, its root file system must contain whatever decrypts the newer image. So grep through squashfs-root for strings such as update, firmware, upgrade and download. Among the results, /etc/templates/hnap/StartFirmwareDownload.php is the one worth analysing:
$fw_path = "/var/firmware.seama";
// fw encimg
setattr("/runtime/tmpdevdata/image_sign" ,"get","cat /etc/config/image_sign");
$image_sign = query("/runtime/tmpdevdata/image_sign");
fwrite("a", $ShellPath, "encimg -d -i ".$fw_path." -s ".$image_sign." > /dev/console \n");
del("/runtime/tmpdevdata");
Below is an explanation of the code.
setattr("/runtime/tmpdevdata/image_sign" ,"get","cat /etc/config/image_sign"); This line sets an attribute on a node. It declares that when the path /runtime/tmpdevdata/image_sign is read (a "get" operation), the system actually runs cat /etc/config/image_sign.
$image_sign = query("/runtime/tmpdevdata/image_sign"); In the XMLDBC (XML Database Control) framework used by D-Link and similar router firmware, query is not defined in an ordinary script file; it is a built-in low-level function.
On these devices all configuration (Wi-Fi name, password, signatures and so on) lives in an in-memory XML tree, and query retrieves the value stored at a given path in that tree.
Roughly, it works as follows:
- Input: a string path such as "/runtime/tmpdevdata/image_sign".
- Lookup: a request is sent to the xmldb daemon through the libxmldbc.so library.
- Result: once the node is found, its text content is returned as a string.
query and setattr are used as a pair, which reflects a special XMLDBC mechanism:
setattr normally sets a node attribute. In this example it sets the special attribute get, whose value is a shell command, cat /etc/config/image_sign. query: when query is then called on that path, xmldb sees that a get attribute is bound to it, executes the command first, captures its output, and returns that output as the result of query.
In plain terms:
query is like a database SELECT, except that it queries a live XML tree, and the nodes of that tree can even be bound to real Linux commands.
fwrite("a", $ShellPath, "encimg -d -i ".$fw_path." -s ".$image_sign." > /dev/console \n"); This appends (mode "a") the line encimg -d -i /var/firmware.seama -s <image_sign> > /dev/console to the shell script at $ShellPath. fwrite does not run anything itself; when the device executes that script, encimg decrypts (-d) the uploaded image (-i) using the image_sign string as the key (-s). To reproduce this by hand, the first step is to read image_sign:
➜ squashfs-root cat ./etc/config/image_sign
wrgac43s_dlink.2015_dir822c1
So $image_sign is wrgac43s_dlink.2015_dir822c1. Note that this "key" is a fixed, model-specific string stored in plaintext in the root file system, so the encryption only keeps the image from being read by someone who has not yet extracted any decryptable build for the model. The next step is to find encimg:
➜ squashfs-root find ./ -name "encimg"
./usr/sbin/encimg
Inspect the binary:
➜ squashfs-root readelf -h ./usr/sbin/encimg
ELF Header:
Magic: 7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, big endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: MIPS R3000
Version: 0x1
Entry point address: 0x4009b0
Start of program headers: 52 (bytes into file)
Start of section headers: 7524 (bytes into file)
Flags: 0x1007, noreorder, pic, cpic, o32, mips1
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 8
Size of section headers: 40 (bytes)
Number of section headers: 30
Section header string table index: 27
encimg is a 32-bit big-endian MIPS executable (Class ELF32, Data big endian, Machine MIPS). It can be run with QEMU in user mode: copy qemu-mips-static into the extracted root, copy the firmware to be decrypted next to it, and run encimg inside a chroot of that root so that it resolves the firmware's own loader and shared libraries rather than the host's.
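Picking the right qemu-user binary depends on exactly the three readelf fields above (class, data encoding, machine), and big-endian MIPS versus little-endian mipsel is the classic mix-up: with the wrong one qemu-user refuses to load the ELF. This added Python example (not the book's or the post's code) decodes those fields from the first 20 bytes of an ELF file and maps them to the qemu-user-static binary names; the naming scheme is an assumption about the Debian/Ubuntu qemu-user-static packaging. ENCIMG_HEADER is constructed from the e_ident bytes readelf printed for encimg plus e_type=2 (EXEC) and e_machine=8 (EM_MIPS) in big-endian order; it is not read from the real binary.

```python
import struct

# e_machine values from the ELF specification (EM_* constants in elf.h).
EM_386, EM_MIPS, EM_PPC, EM_ARM, EM_X86_64, EM_AARCH64 = 3, 8, 20, 40, 62, 183

# qemu-user binary for each (e_machine, is_64bit, is_big_endian) triple.
# Assumption: the Debian/Ubuntu qemu-user-static naming scheme qemu-<arch>-static.
QEMU_USER = {
    (EM_MIPS, False, True): "qemu-mips-static",
    (EM_MIPS, False, False): "qemu-mipsel-static",
    (EM_MIPS, True, True): "qemu-mips64-static",
    (EM_MIPS, True, False): "qemu-mips64el-static",
    (EM_ARM, False, False): "qemu-arm-static",
    (EM_ARM, False, True): "qemu-armeb-static",
    (EM_AARCH64, True, False): "qemu-aarch64-static",
    (EM_PPC, False, True): "qemu-ppc-static",
    (EM_386, False, False): "qemu-i386-static",
    (EM_X86_64, True, False): "qemu-x86_64-static",
}

E_TYPE_NAMES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def parse_elf_header(hdr: bytes) -> dict:
    """Decode the fields readelf -h prints from the first 20 bytes of an ELF file."""
    if len(hdr) < 20 or hdr[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = hdr[4], hdr[5]      # EI_CLASS: 1=ELF32, 2=ELF64; EI_DATA: 1=LSB, 2=MSB
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or data encoding")
    endian = ">" if ei_data == 2 else "<"
    # e_type and e_machine are the two half-words right after the 16-byte e_ident.
    e_type, e_machine = struct.unpack(endian + "HH", hdr[16:20])
    return {
        "class": "ELF64" if ei_class == 2 else "ELF32",
        "big_endian": ei_data == 2,
        "type": E_TYPE_NAMES.get(e_type, hex(e_type)),
        "machine": e_machine,
    }


def qemu_for(hdr: bytes) -> str:
    """Name of the qemu-user binary that can run an ELF with this header."""
    info = parse_elf_header(hdr)
    key = (info["machine"], info["class"] == "ELF64", info["big_endian"])
    if key not in QEMU_USER:
        raise ValueError(f"no qemu-user mapping for e_machine={info['machine']}")
    return QEMU_USER[key]


def qemu_for_file(path: str) -> str:
    """Same lookup for an on-disk binary, e.g. qemu_for_file('usr/sbin/encimg')."""
    with open(path, "rb") as f:
        return qemu_for(f.read(20))


# Constructed header (not read from the real encimg): the 16 e_ident bytes are
# those readelf printed for encimg; e_type=0x0002 (EXEC) and e_machine=0x0008
# (MIPS) follow in big-endian order, matching "Data: 2's complement, big endian".
ENCIMG_HEADER = bytes.fromhex("7f454c46 01020100 00000000 00000000 0002 0008")

if __name__ == "__main__":
    print(parse_elf_header(ENCIMG_HEADER), "->", qemu_for(ENCIMG_HEADER))
```

For the page's binary, `qemu_for_file("./usr/sbin/encimg")` from inside squashfs-root gives the qemu-mips-static name used in the chroot command below; the same header bytes with EI_DATA=1 would instead select qemu-mipsel-static, which is the case that silently trips people up on little-endian MIPS targets.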
cp ~/fw/DIR822C1_FW315WWb02.bin .
cp $(which qemu-mips-static) ./
Now decrypt under QEMU. chroot needs root, and the copy of the firmware matters: encimg -d rewrites its input file in place, so the original encrypted image in ~/fw stays untouched. Since this runs a vendor binary as root inside a chroot built from an untrusted image, do it in a disposable VM.
➜ squashfs-root sudo chroot . ./qemu-mips-static ./usr/sbin/encimg -d -i DIR822C1_FW315WWb02.bin -s wrgac43s_dlink.2015_dir822c1
[sudo] password for ra1ny:
The file length of DIR822C1_FW315WWb02.bin is 6869168
Running binwalk on the file again now shows the firmware structure that was missing before:
➜ squashfs-root binwalk DIR822C1_FW315WWb02.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 DLOB firmware header, boot partition: "dev=/dev/mtdblock/1"
10380 0x288C LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 4255296 bytes
1376372 0x150074 PackImg section delimiter tag, little endian size: 13652736 bytes; big endian size: 5492736 bytes
1376404 0x150094 Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 5491298 bytes, 2349 inodes, blocksize: 131072 bytes, created: 2019-10-24 08:59:14
The decrypted image has the same layout as the middle build: DLOB header, LZMA-compressed kernel, PackImg delimiter and a SquashFS file system. Check the entropy again with binwalk -E:
[Figure: binwalk -E entropy plot of the decrypted DIR822C1_FW315WWb02.bin]
Then extract the decrypted image with binwalk -Me:
➜ squashfs-root binwalk -Me DIR822C1_FW315WWb02.bin
Scan Time: 2026-01-12 15:42:04
Target File: /home/ra1ny/fw/_DIR822C1_FW303WWb04_i4sa_middle.bin.extracted/squashfs-root/DIR822C1_FW315WWb02.bin
MD5 Checksum: 39afe984ecc4ad58ca28f1df30232bb9
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 DLOB firmware header, boot partition: "dev=/dev/mtdblock/1"
10380 0x288C LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 4255296 bytes
1376372 0x150074 PackImg section delimiter tag, little endian size: 13652736 bytes; big endian size: 5492736 bytes
WARNING: Extractor.execute failed to run external extractor 'sasquatch -p 1 -le -d 'squashfs-root-0' '%e'': [Errno 2] No such file or directory: 'sasquatch', 'sasquatch -p 1 -le -d 'squashfs-root-0' '%e'' might not be installed correctly
WARNING: Extractor.execute failed to run external extractor 'sasquatch -p 1 -be -d 'squashfs-root-0' '%e'': [Errno 2] No such file or directory: 'sasquatch', 'sasquatch -p 1 -be -d 'squashfs-root-0' '%e'' might not be installed correctly
WARNING: Symlink points outside of the extraction directory: /home/ra1ny/fw/_DIR822C1_FW303WWb04_i4sa_middle.bin.extracted/squashfs-root/_DIR822C1_FW315WWb02.bin.extracted/squashfs-root/tmp -> /var/tmp; changing link target to /dev/null for security purposes.
...
WARNING: Symlink points outside of the extraction directory: /home/ra1ny/fw/_DIR822C1_FW303WWb04_i4sa_middle.bin.extracted/squashfs-root/_DIR822C1_FW315WWb02.bin.extracted/squashfs-root/etc/TZ -> /var/TZ; changing link target to /dev/null for security purposes.
1376404 0x150094 Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 5491298 bytes, 2349 inodes, blocksize: 131072 bytes, created: 2019-10-24 08:59:14
Scan Time: 2026-01-12 15:42:05
Target File: /home/ra1ny/fw/_DIR822C1_FW303WWb04_i4sa_middle.bin.extracted/squashfs-root/_DIR822C1_FW315WWb02.bin.extracted/288C
MD5 Checksum: 8375a1b5ef3893266f93d200ecdf1618
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
1786074 0x1B40DA bix header, header size: 64 bytes, header CRC: 0x8021241E, created: 1970-01-22 08:17:27, image size: 74774 bytes, Data Address: 0x8021E, Entry Point: 0x180000, data CRC: 0xA0120295, OS: QNX, image name: ""
3051552 0x2E9020 Linux kernel version 2.6.30
3394544 0x33CBF0 CRC32 polynomial table, little endian
3407536 0x33FEB0 SHA256 hash constants, big endian
3536980 0x35F854 Neighborly text, "NeighborSolicitst_%s"
3537000 0x35F868 Neighborly text, "NeighborAdvertisements=%pI6 dst=%pI6 "
3540403 0x3605B3 HTML document header
3540566 0x360656 HTML document footer
3843376 0x3AA530 AES S-Box
The "bix header ... OS: QNX" line inside the decompressed kernel is a false positive from a loose signature: that blob is the Linux 2.6.30 kernel identified just below it, not a QNX image. Now look at the decrypted firmware's file system:
➜ squashfs-root cd _DIR822C1_FW315WWb02.bin.extracted
➜ _DIR822C1_FW315WWb02.bin.extracted ls
150094.squashfs 288C 288C.7z squashfs-root squashfs-root-0
➜ _DIR822C1_FW315WWb02.bin.extracted cd squashfs-root
➜ squashfs-root ls
bin dev etc home htdocs lib mnt proc sbin sys tmp usr var www