IOT-Fuzz-初探

2022-01-13

IoT Fuzz 初探（路由器）

由于大创的原因，学了一下Fuzz。Fuzz在二进制文件代码量很大（实战里几乎全都很大）的时候很有用。大创选的是路由器，路由器固件的代码量完全不用Fuzz，当时不懂，为了带上智能化这个keyword就写上去了。

环境搭建

Binwalk(解包)

1
2
3

git clone https://github.com/devttys0/binwalk
cd binwalk
sudo python3 setup.py install

AFL++

Download the lastest devel version with:

1 2	$ git clone https://github.com/AFLplusplus/AFLplusplus $ cd AFLplusplus

AFL++ has many build options. The easiest is to build and install everything:

1 2	$ make distrib $ sudo make install

Note that “make distrib” also builds llvm_mode, qemu_mode, unicorn_mode and more. If you just want plain afl then do “make all”, however compiling and using at least llvm_mode is highly recommended for much better results - hence in this case

1	$ make source-only

Radamsa( 测试用例生成器 )

# please please please fuzz your programs. here is one way to get data for it:
sudo apt-get install gcc make git wget
git clone https://gitlab.com/akihe/radamsa.git && cd radamsa && make && sudo make install
echo "HAL 9000" | radamsa

qemu(调试)

sudo apt install ninja-build #依赖
sudo apt-get install libpixman-1-dev
wget https://download.qemu.org/qemu-6.1.0-rc2.tar.xz
tar xvJf qemu-6.1.0-rc2.tar.xz
cd qemu-6.1.0-rc2
./configure
sudo make

Binwalk 识别&解压

sample: RT-AC68U

固件下载链接置于文末

$ binwalk RT-AC68U_3.0.0.4_380_7743-g2cf84e9-fbwifi.trx 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             TRX firmware header, little endian, image size: 40816640 bytes, CRC32: 0xB41A00C2, flags: 0x0, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0x19AE28, rootfs offset: 0x0
28            0x1C            LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 4026720 bytes
1682984       0x19AE28        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 39130341 bytes, 2511 inodes, blocksize: 131072 bytes, created: 2017-08-07 03:28:39

binwalk识别出了文件系统，可以直接用binwalk -Me解压