Add an example to emulate *.cgi binary
cq674350529 opened this issue · 6 comments
Awesome work, thanks!

As for partial emulation (user-mode emulation), it is often necessary to deal with CGI binaries. So maybe adding an example of CGI partial emulation would be more helpful.

```
sudo chroot . ./qemu-mips-static -E REQUEST_METHOD="POST" -E REQUEST_URI=<request_uri> -E REMOTE_ADDR=<ip_addr> -E HTTP_COOKIE=<custom_cookie> -g <port> <path to cgi binary>
```

`DIR850-REVB.bin` can also be used for this purpose.
In addition, a few more suggestions are as follows.

- add an encrypted firmware example

  Some versions of the firmware `DIR850L_REVB.bin` are encrypted. So maybe we can add an example in [Stage 3] Analyzing firmware. Moreover, the common methods to decrypt encrypted firmware can be given. Here is a link: https://www.zerodayinitiative.com/blog/2020/2/6/mindshare-dealing-with-encrypted-router-firmware. As to the `DIR850L_REVB.bin` again, I have already decrypted it.

- add qiling firmware emulation

  The common ways to emulate firmware include: `qemu user mode`, `qemu system mode` and some third-party tools such as `Firmadyne`, `ARM-X`, `firmware-analysis-toolkit`. Also, the Qiling framework can be used to emulate binaries in firmware.

- network fuzzers

  For protocol fuzzing, some generation-based fuzzers are used, such as boofuzz and kitty. Personally I use them more often than other network fuzzers.
By the way, there is a format issue as shown, maybe a missing newline.

Thanks again.
Thanks for the suggestions and edits. The CGI example is important and now included. Also made updates to the network fuzzers and the newline. If you have examples on how you use these fuzzers, I think it would be a great addition.

I'll have a look at the firmware encryption example and see how we incorporate an example or point to an authoritative source. There are several ways firmware can be encrypted and decrypted.

Need to add a qiling example using IoTGoat such as the following

```
$ ./qltool run -f examples/rootfs/mips32el_linux/bin/mips32el_hello --rootfs examples/rootfs/mips32el_linux
```
As for the CGI binary emulation, changing the method `POST` to `GET` is more proper. For the `POST` method, other options should be added, such as `CONTENT_LENGTH` and data, which were removed by me when pasting them into comments. Sorry for that mistake.

```
sudo chroot . ./qemu-mips-static -E REQUEST_METHOD="GET" -E REQUEST_URI=<request_uri> -E REMOTE_ADDR=<ip_addr> -E HTTP_COOKIE=<custom_cookie> -g <port> <path to cgi binary>
```
> If you have examples on how you use these fuzzers, I think it would be a great addition.

If necessary, I can add examples related to protocol fuzzers. So where should I put these examples? Open another issue? By the way, maybe it's possible to do protocol fuzzing against `IoTGoat`. I'll try to set up an environment and add the example as soon as possible.
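The GET/POST invocation discussed in this comment, as an added example that is not part of the thread or the owasp-fstm project: a POSIX shell wrapper that sets the CGI variables for both methods and, for POST, also supplies `CONTENT_LENGTH` and the body on stdin. `RUNNER`, `run_cgi`, `make_demo_cgi`, and the sample client address and cookie are assumptions; with `RUNNER` left empty the wrapper runs a constructed echo CGI natively, so it can be checked before `chroot` and `qemu-mips-static` are involved.

```shell
# Added example (not from owasp-fstm): wrapper around the qemu-user CGI invocation
# from this thread. The original command covers GET; a POST additionally needs
# CONTENT_LENGTH and the request body on stdin, which this wrapper provides.
# RUNNER is an assumed variable: set it to the emulator prefix for a foreign-arch
# binary (run as root from inside the extracted rootfs, since chroot is needed), e.g.
#   RUNNER="chroot . ./qemu-mips-static -g 1234"
# qemu-user passes the host environment to the guest, so plain env vars suffice.
# Left empty, the CGI runs natively and a shell script can stand in for the binary.

# run_cgi METHOD REQUEST_URI CGI_PATH [BODY]
run_cgi() {
    method=$1; uri=$2; cgi=$3; body=${4:-}
    # QUERY_STRING is whatever follows the first '?' in the URI, if anything
    case "$uri" in *\?*) qs=${uri#*\?} ;; *) qs= ;; esac
    : "${REMOTE_ADDR:=192.0.2.10}"    # constructed sample client address
    : "${HTTP_COOKIE:=uid=demo}"       # constructed sample cookie
    if [ "$method" = POST ]; then
        # CONTENT_LENGTH must equal the byte count of the body the CGI reads from stdin
        len=$(printf %s "$body" | wc -c | tr -d ' ')
        # $RUNNER is deliberately unquoted so its words become separate arguments
        printf %s "$body" | env REQUEST_METHOD=POST REQUEST_URI="$uri" QUERY_STRING="$qs" \
            REMOTE_ADDR="$REMOTE_ADDR" HTTP_COOKIE="$HTTP_COOKIE" \
            CONTENT_TYPE=application/x-www-form-urlencoded CONTENT_LENGTH="$len" \
            $RUNNER "$cgi"
    else
        env REQUEST_METHOD="$method" REQUEST_URI="$uri" QUERY_STRING="$qs" \
            REMOTE_ADDR="$REMOTE_ADDR" HTTP_COOKIE="$HTTP_COOKIE" \
            $RUNNER "$cgi" </dev/null
    fi
}

# make_demo_cgi PATH: write a constructed stand-in CGI that echoes what it received,
# useful to verify the wrapper before pointing it at a real firmware binary.
make_demo_cgi() {
    cat > "$1" <<'EOF'
#!/bin/sh
printf 'Content-Type: text/plain\r\n\r\n'
printf 'method=%s uri=%s qs=%s len=%s body=' "$REQUEST_METHOD" "$REQUEST_URI" "$QUERY_STRING" "$CONTENT_LENGTH"
cat   # echoes the POST body, if any
EOF
    chmod +x "$1"
}
```

Once the wrapper behaves with the echo CGI, set `RUNNER` and point it at the firmware's own `*.cgi` under the extracted rootfs.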
> Need to add a qiling example using IoTGoat

I tried qiling to run the `/usr/bin/shellback`. Currently there is something wrong with it. I'll try to figure it out and add the commands if I can solve it.
Do you have example output from emulated CGI GET and POST requests with responses?

Regarding protocol fuzzing, it would be awesome if you can contribute. Feel free to submit a pull request with edits. All pages in GitBook are synced to this repo in the `gitbook` branch (not from master) - https://github.com/scriptingxss/owasp-fstm/blob/gitbook/README.md

Shellback listens on port 5515 but any other binary for Arm should work. Haven't gotten around to trying with qiling.
> Do you have example output from emulated CGI GET and POST requests with responses?

Yes, I'll use a sample firmware and give the concrete `GET`/`POST` requests and responses.

As for protocol fuzzing, I'll submit a pull request when the examples are ready.

Regarding the `qiling` framework, it's powerful but not very mature yet. I have opened an issue in the `qiling` repository. Yes, any other binary including `shellback` for arm should work. The `shellback` binary is used for partial emulation, I just want to keep it consistent.
Done via #6.

Also, other features mentioned here will be done in other pull requests.