我正在尝试为TD-W8961ND路由器修改固件,因为存在一个漏洞,攻击者可能会利用该漏洞下载路由器的配置文件,该文件公开了路由器密码并使其能够稍后控制路由器的设置。我想到了从这里修复它的想法。它能够使用我不可用的串行端口修改虚拟内存中的固件。

那么,有可能应用他在固件中建议的内容然后更新路由器吗?

使用binwalk,显然该文件是ZynOS。但是,我真的不能像那里解释的那样提取签名,而且我真的不知道以后要做什么。
br />
~$ binwalk ras

DECIMAL     HEX         DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
84992       0x14C00     ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 66824, compressed size: 16870, uncompressed checksum: 0xF480, compressed checksum: 0xF03A, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed checksum is valid, memory map table address: 0x0
85043       0x14C33     LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 66824 bytes
128002      0x1F402     GIF image data, version "89a", 200 x 50
136194      0x21402     GIF image data, version "89a", 560 x 50
326749      0x4FC5D     Copyright string: " (c) 2001 - 2011 TP-LINK TECHNOLOGIES CO., LTD.LOGIES CO., LTD."
349184      0x55400     ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 102400, compressed size: 55931, uncompressed checksum: 0xC892, compressed checksum: 0xC30C, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed checksum is valid, memory map table address: 0x0
349235      0x55433     LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 102400 bytes
405248      0x62F00     ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 102400, compressed size: 59174, uncompressed checksum: 0x8D2B, compressed checksum: 0x66BC, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed checksum is valid, memory map table address: 0x0
405299      0x62F33     LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 102400 bytes
464640      0x71700     ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 102400, compressed size: 52399, uncompressed checksum: 0xA2DE, compressed checksum: 0x917A, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed checksum is valid, memory map table address: 0x0
464691      0x71733     LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 102400 bytes
517120      0x7E400     ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 102400, compressed size: 63920, uncompressed checksum: 0xFEC9, compressed checksum: 0xA7FD, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed checksum is valid, memory map table address: 0x0
517171      0x7E433     LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 102400 bytes
581120      0x8DE00     ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 102400, compressed size: 54909, uncompressed checksum: 0xF811, compressed checksum: 0x3544, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed checksum is valid, memory map table address: 0x0
581171      0x8DE33     LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 102400 bytes
636160      0x9B500     ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 102400, compressed size: 61051, uncompressed checksum: 0x36F3, compressed checksum: 0x6A1, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed checksum is valid, memory map table address: 0x0
636211      0x9B533     LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 102400 bytes
697344      0xAA400     ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 102400, compressed size: 54463, uncompressed checksum: 0x30D8, compressed checksum: 0x9AB9, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed checksum is valid, memory map table address: 0x0
697395      0xAA433     LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 102400 bytes
751872      0xB7900     ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 12440, compressed size: 6879, uncompressed checksum: 0x5C0A, compressed checksum: 0x1945, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed checksum is valid, memory map table address: 0x0
751923      0xB7933     LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 12440 bytes
759040      0xB9500     ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 3914416, compressed size: 884839, uncompressed checksum: 0xA904, compressed checksum: 0x73E3, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed checksum is valid, memory map table address: 0x0
759091      0xB9533     LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3914416 bytes


发现漏洞的那个人建议,图像中似乎没有Lzma压缩数据,而且只是明文中的大数据。 >

评论

也许发布binwalk的输出?

我添加了binwalk输出

#1 楼

重要的是要知道并非所有的ZyNOS图像都是一样创建的,并且对piotrbania起作用的确切步骤(如您的问题所述)可能对您不起作用。操作系统,您可以将整个操作系统视为一个大内核(即,没有用户空间或文件系统,也没有类似的易于处理的东西)。取决于ZyNOS版本,编译器版本,编译器选项,目标体系结构等,即使是相同的源代码也可以编译为不同的字节和指令序列,并且不同的ZyNOS版本/风格可能会“打包”非常不同。 br />
就您而言,我几乎可以保证那些LZMA签名是有效的,并且可能包含一些数据/代码。映像中也可能存在未压缩的原始代码(尝试使用binwalk -A搜索原始可执行代码)。

完成所需的一些常规步骤:


解压缩所有压缩块,并确定其中哪些包含可执行代码
反汇编所有代码(可能从未压缩的任何代码开始,因为它可能用于引导系统并解压缩固件的其他部分)
反汇编过程的一部分将是确定每个代码段的加载地址;没有这个,数据外部参照将毫无意义。在提示中查找对绝对内存地址的引用(例如,跳转到直接地址,函数表,跳转表等)。
现在,您可以开始实际地反转代码,寻找处理ras文件请求的代码。如果幸运的话,您将拥有一个反汇编程序无法理解的符号表,因此您必须编写脚本来解析符号表并重命名所有符号地址。如果不是很幸运,则必须手动识别功能。
一旦确定了需要修补的代码,就可以用类似于piotrbania的方式对其进行修补,尽管显然固件映像的细节可能略有不同。更新所有标头校验和,然后上传到您的设备,并希望它不会变成纸镇。 :)

因此,回答您的问题,是的,这当然是可能的。但是我不知道预构建的解决方案可以使您轻松提取/修补/重新构建固件,因此需要花费一些精力才能完成。显然,通过piotrbania的工作证明,对设备进行某种调试访问(例如UART或JTAG)将大有帮助。

评论


谢谢大家的答案。我想出了另一种使用CLI修复该问题的简便方法,并且我将其发布了egyptianvulture.blogspot.com/2014/06/…...因此,您无需再费劲了:

– Kifcaliph
2014年6月16日14:52

听到您对ZynOS的看法真棒,Craig!

–小工具
15年7月15日在3:57

#2 楼

您可以尝试使用firmware-mod-kit来查看是否还有进一步的改进,尽管firmware-mod-kit专为Linux而设计,因此可能无济于事。有时我发现它可以完成binwalk不能做的事情(反之亦然)

此外,您可能想从最新的源构建binwalk,然后再试一次。

#3 楼

这有点旧,但是我无法执行与OP相同的任务-也就是说,找不到能够正确解压缩ZyNOS固件更新映像的工具。所以我自己滚了。请抓取并在您的图片上尝试:

https://github.com/dev-zzo/router-tools/blob/master/zynos.py

该工具目前不支持重新打包图像,但我正在处理它。