IoT security environment setup
Lab environment
Ubuntu 22.04. I had been using the newest Ubuntu, and every time I set up an environment I ran into a pile of dependency problems, so I set up a fresh Ubuntu 22.04 instead, which has better compatibility, though it brought some problems of its own. Setting up environments is a painful business.
Reference article: click here
binwalk
Note
Many articles say you have to install the sasquatch tool first before binwalk will work properly, but I did not install it; my guess is that current binwalk ships with it. If binwalk does not work in the end, you can try installing it.
Install the Rust compiler
sudo apt install curl
# rustup's installer is piped straight into sh; download it to a file and read it first if that matters on your box
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
. $HOME/.cargo/env
Install and build binwalk
git clone https://github.com/ReFirmLabs/binwalk
sudo ./binwalk/dependencies/ubuntu.sh
sudo apt install build-essential libfontconfig1-dev liblzma-dev
cd binwalk
cargo build --release
Fixing the 7z problem
binwalk shells out to 7-Zip during extraction and looks for the `7zz` command that newer 7-Zip releases provide, but the 7-Zip packaged on Ubuntu 22.04 installs the command as `7z`.
There are two ways around this; the symlink approach is to point a `7zz` name at the existing `7z`:
which 7z
sudo ln -s /usr/bin/7z /usr/local/bin/7zz   # use the path that `which 7z` printed
The binwalk binary now lives in binwalk/target/release; add that directory to PATH in ~/.bashrc so the setting persists across shells:
echo 'export PATH=$PATH:/home/tao/Desktop/binwalk/target/release' >> ~/.bashrc
source ~/.bashrc
binwalk is now ready to use.
Setting up qemu
Pitfalls
At the very beginning I installed it directly, the same way as on a newer Ubuntu.
But when reproducing a challenge, the qemu version was too old to use pwndbg's vmmap command, which caused me a lot of trouble (my newer installation could, so I suspected a version problem, and after investigating it was indeed because the qemu version was too old).
sudo apt-get install qemu-user qemu-user-static
sudo apt-get install qemu-system uml-utilities bridge-utils
To avoid problems, I simply used the qemu version from another virtual machine.
Only when I got to the later sections did I notice that this qemu build only includes the MIPS little-endian targets and not big-endian MIPS; I'll build those when I run into them, and anyone who needs them can build them themselves.
Here is the build procedure:
sudo apt update
sudo apt install -y \
  git build-essential pkg-config libglib2.0-dev libfdt-dev libpixman-1-dev zlib1g-dev \
  ninja-build python3 python3-pip python3-venv python3-distlib
sudo apt install -y uml-utilities bridge-utils

# dynamically linked user-mode and system-mode emulators
git clone https://gitlab.com/qemu-project/qemu.git
cd qemu
git checkout v9.2.1
mkdir build && cd build
../configure \
  --target-list=mipsel-linux-user,mips64el-linux-user,arm-linux-user,aarch64-linux-user,\
mipsel-softmmu,mips64el-softmmu,arm-softmmu,aarch64-softmmu \
  --enable-virtfs \
  --prefix=/usr/local/qemu-9.2 \
  --disable-docs
make -j$(nproc)
sudo make install

ls /usr/local/qemu-9.2/bin/
# qemu-mipsel qemu-mips64el qemu-aarch64 qemu-arm qemu-system-mipsel qemu-system-mips64el qemu-system-arm qemu-system-aarch64

for q in /usr/local/qemu-9.2/bin/qemu-*; do "$q" --version; done

echo 'export PATH=/usr/local/qemu-9.2/bin:$PATH' >> ~/.zshrc
source ~/.zshrc

# statically linked user-mode emulators (the qemu-*-static binaries used for chroot-style emulation)
cd qemu
rm -rf build            # start from a clean build directory so the previous configure does not leak in
mkdir build && cd build
../configure \
  --target-list=arm-linux-user,aarch64-linux-user,mipsel-linux-user,mips64el-linux-user \
  --prefix=/usr/local/qemu-9.2-glibc-static \
  --disable-docs \
  --static
make -j$(nproc)
sudo make install

ls /usr/local/qemu-9.2-glibc-static/bin
cd /usr/local/qemu-9.2-glibc-static/bin
sudo mv qemu-arm qemu-arm-static
sudo mv qemu-aarch64 qemu-aarch64-static
sudo mv qemu-mipsel qemu-mipsel-static
sudo mv qemu-mips64el qemu-mips64el-static

echo 'export PATH=/usr/local/qemu-9.2-glibc-static/bin:$PATH' >> ~/.zshrc
source ~/.zshrc
gdb-multiarch
There is no version issue with this one for now; just install it directly.
sudo apt install gdb-multiarch
Multi-architecture cross-compilation environment
Everything here is installed with apt, matching the host system's versions; the upside is convenience. If you need a particular version, download the source and build it yourself.
Install the 32-bit build environment (the host is x64)
sudo dpkg --add-architecture i386
sudo apt update
sudo apt install libncurses5-dev lib32z1
sudo apt install libc6:i386 libstdc++6:i386
ARM environment
Install the compiler
sudo apt install gcc-arm-linux-gnueabihf
sudo apt install g++-arm-linux-gnueabihf
Test the installation
arm-linux-gnueabihf-gcc -v
arm-linux-gnueabihf-g++ -v
Compile an ARM program
/* test.c: the hello-world used for every architecture below */
#include <stdio.h>

int main(void)
{
    printf("hello world\n");
    return 0;
}
~/Desktop/IOT/ARM » vim test.c
~/Desktop/IOT/ARM » arm-linux-gnueabihf-gcc test.c -o arm_file
~/Desktop/IOT/ARM » file arm_file
arm_file: ELF 32-bit LSB pie executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-armhf.so.3, BuildID[sha1]=bee977a06004c50b16f1a751363824ab748e27c4, for GNU/Linux 3.2.0, not stripped
The build succeeds, but the binary cannot run yet: the target's runtime libraries are not installed, and the host needs qemu-user to execute it.
Install the runtime libraries
sudo apt install libc6-armhf-cross libstdc++6-armhf-cross
Run the program
~/Desktop/IOT/ARM » qemu-arm -L /usr/arm-linux-gnueabihf ./arm_file
hello world
~/Desktop/IOT/ARM » qemu-arm-static -L /usr/arm-linux-gnueabihf ./arm_file
hello world
AArch64 environment
Install the compiler
sudo apt install gcc-aarch64-linux-gnu g++-aarch64-linux-gnu
Test the installation
aarch64-linux-gnu-gcc -v
aarch64-linux-gnu-g++ -v
Compile an AArch64 program
~/Desktop/IOT/ARM » aarch64-linux-gnu-gcc test.c -o aarch64_file
~/Desktop/IOT/ARM » file aarch64_file
aarch64_file: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=b046e8fc9e68cd9b9dcbe651f4d8d37f24dbbed8, for GNU/Linux 3.7.0, not stripped
Install the runtime libraries
sudo apt install libc6-arm64-cross libstdc++6-arm64-cross
Run the program
~/Desktop/IOT/ARM » qemu-aarch64 -L /usr/aarch64-linux-gnu/ aarch64_file
hello world
~/Desktop/IOT/ARM » qemu-aarch64-static -L /usr/aarch64-linux-gnu/ aarch64_file
hello world
MIPS environment
Install the compilers (big-endian and little-endian, 32-bit and 64-bit)
sudo apt install gcc-mips-linux-gnu
sudo apt install g++-mips-linux-gnu

sudo apt install gcc-mips64-linux-gnuabi64
sudo apt install g++-mips64-linux-gnuabi64

sudo apt install gcc-mipsel-linux-gnu g++-mipsel-linux-gnu

sudo apt install gcc-mips64el-linux-gnuabi64 g++-mips64el-linux-gnuabi64
Compile the program
~/Desktop/IOT/ARM » mipsel-linux-gnu-gcc test.c -o mipsel_file
~/Desktop/IOT/ARM » file mipsel_file
mipsel_file: ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, interpreter /lib/ld.so.1, BuildID[sha1]=03b2d1e661b7628f897ca70494a23484b69f9194, for GNU/Linux 3.2.0, not stripped
~/Desktop/IOT/ARM » mips64el-linux-gnuabi64-gcc test.c -o mips64el_file
~/Desktop/IOT/ARM » file mips64el_file
mips64el_file: ELF 64-bit LSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), dynamically linked, interpreter /lib64/ld.so.1, BuildID[sha1]=bccfc31ee9480409156969b241fd4c792e76a5a9, for GNU/Linux 3.2.0, not stripped
Install the runtime libraries
The two packages below are the big-endian sysroots (/usr/mips-linux-gnu and /usr/mips64-linux-gnuabi64). The little-endian sysroots used by the run commands that follow, /usr/mipsel-linux-gnu and /usr/mips64el-linux-gnuabi64, come from libc6-mipsel-cross and libc6-mips64el-cross, which the mipsel/mips64el cross compilers installed above pull in as dependencies.
mips
sudo apt install libc6-mips-cross libc6-dev-mips-cross libstdc++6-mips-cross linux-libc-dev-mips-cross
mips64
sudo apt install libc6-mips64-cross libc6-dev-mips64-cross libstdc++6-mips64-cross linux-libc-dev-mips64-cross
Run the program
~/Desktop/IOT/ARM » qemu-mipsel -L /usr/mipsel-linux-gnu mipsel_file
hello world
~/Desktop/IOT/ARM » qemu-mipsel-static -L /usr/mipsel-linux-gnu mipsel_file
hello world
~/Desktop/IOT/ARM » qemu-mips64el-static -L /usr/mips64el-linux-gnuabi64 mips64el_file
hello world
~/Desktop/IOT/ARM » qemu-mips64el -L /usr/mips64el-linux-gnuabi64 mips64el_file
hello world
GDB remote debugging
First check which version of gdb you have (`gdb --version`), then download the matching source release and build gdb and gdbserver for the different architectures.
Mine is 12.1, so I chose to build the 12.1 source.
The official site is too slow, so download from the Aliyun mirror instead:
wget https://mirrors.aliyun.com/gnu/gdb/gdb-12.1.tar.gz
tar xf gdb-12.1.tar.gz
cd gdb-12.1
GDB
For the local side, gdb-multiarch is enough, so gdb itself is not built here.
gdbserver
# Each build configures the top of the gdb-12.1 tree with the cross compiler as --host,
# and LDFLAGS=-static gives a gdbserver you can drop into the emulated rootfs as-is.
# The top-level configure builds gdb too; add --disable-gdb if you only want gdbserver.
mkdir build && cd build
CC="mipsel-linux-gnu-gcc" CXX="mipsel-linux-gnu-g++" \
../configure \
  --target="mipsel-linux-gnu" \
  --host="mipsel-linux-gnu" \
  --prefix="/home/tao/Desktop/gdb_iot/mipsel" \
  LDFLAGS="-static" \
  --disable-werror
make -j$(nproc)
make install

cd ~/Desktop/gdb-12.1
rm -rf build && mkdir build && cd build
CC="mips64el-linux-gnuabi64-gcc" CXX="mips64el-linux-gnuabi64-g++" \
../configure \
  --host=mips64el-linux-gnuabi64 \
  --target=mips64el-linux-gnuabi64 \
  --prefix=/home/tao/Desktop/gdb_iot/mips64el \
  LDFLAGS="-static" \
  --disable-werror
make -j$(nproc)
make install

cd ~/Desktop/gdb-12.1
rm -rf build && mkdir build && cd build
CC="arm-linux-gnueabihf-gcc" CXX="arm-linux-gnueabihf-g++" \
../configure \
  --host=arm-linux-gnueabihf \
  --target=arm-linux-gnueabihf \
  --prefix=/home/tao/Desktop/gdb_iot/arm \
  LDFLAGS="-static" \
  --disable-werror
make -j$(nproc)
make install

cd ~/Desktop/gdb-12.1
rm -rf build && mkdir build && cd build
CC="aarch64-linux-gnu-gcc" CXX="aarch64-linux-gnu-g++" \
../configure \
  --host=aarch64-linux-gnu \
  --target=aarch64-linux-gnu \
  --prefix=/home/tao/Desktop/gdb_iot/aarch \
  LDFLAGS="-static" \
  --disable-werror \
  --disable-sim \
  --disable-inprocess-agent
make -j$(nproc)
make install
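Added example (my own code, not from the original post): the run commands in the ARM, AArch64 and MIPS sections above and the remote-debugging setup here both start with the same question, which qemu-user binary and which `-L` sysroot a given ELF needs. This POSIX sh helper answers it from the ELF header (EI_CLASS, EI_DATA, e_machine) rather than by reading `file` output by eye, and then prints the matching pair of commands for a remote session: qemu-user's built-in gdbstub (`-g PORT`) on one side and `gdb-multiarch` with `set sysroot` and `target remote` on the other (the gdb side is identical when the stub is a cross-built gdbserver instead). The function names `elf_qemu_cmd`, `gdb_session_cmds` and `write_stub_header` are mine, the port is an arbitrary choice, and the sysroot paths are the Ubuntu cross-libc directories used on this page; `write_stub_header` writes a constructed 20-byte header for offline testing, not a runnable binary.

```shell
#!/bin/sh
# Added example, not from the original post: pick qemu-user, sysroot and the
# gdb-multiarch attach command from the ELF header. Sysroots are the Ubuntu
# cross-libc directories used on this page (assumption: glibc-linked binary;
# real firmware binaries usually need the extracted rootfs as -L instead).

# Print "qemu-<arch> -L <sysroot>" for the ELF at $1; return 1 if not ELF or unmapped.
elf_qemu_cmd() {
    # First 20 bytes as decimal: $1-$16 e_ident, $17-$18 e_type, $19-$20 e_machine.
    set -- $(od -An -tu1 -N20 -v "$1")
    [ "$#" -ge 20 ] && [ "$1" = 127 ] && [ "$2" = 69 ] && [ "$3" = 76 ] && [ "$4" = 70 ] || return 1
    class=$5   # EI_CLASS: 1 = ELF32, 2 = ELF64
    data=$6    # EI_DATA:  1 = little-endian, 2 = big-endian (also the byte order of e_machine)
    if [ "$data" = 1 ]; then
        machine=$(( ${19} | (${20} << 8) ))
    else
        machine=$(( (${19} << 8) | ${20} ))
    fi
    # e_machine: 8 = EM_MIPS, 40 = EM_ARM, 183 = EM_AARCH64
    case "$machine/$class/$data" in
        8/1/1)   echo "qemu-mipsel -L /usr/mipsel-linux-gnu" ;;
        8/2/1)   echo "qemu-mips64el -L /usr/mips64el-linux-gnuabi64" ;;
        8/1/2)   echo "qemu-mips -L /usr/mips-linux-gnu" ;;            # big-endian: libc6-mips-cross
        8/2/2)   echo "qemu-mips64 -L /usr/mips64-linux-gnuabi64" ;;   # big-endian: libc6-mips64-cross
        40/1/1)  echo "qemu-arm -L /usr/arm-linux-gnueabihf" ;;        # assumes hard-float EABI (ld-linux-armhf.so.3)
        183/2/1) echo "qemu-aarch64 -L /usr/aarch64-linux-gnu" ;;
        *)       return 1 ;;
    esac
}

# Print the two halves of a remote-debug session on TCP port $2 for the ELF at $1:
# line 1 runs the target under qemu-user with its gdbstub listening (-g),
# line 2 attaches gdb-multiarch with the same sysroot so shared-library symbols resolve.
gdb_session_cmds() {
    qemu=$(elf_qemu_cmd "$1") || return 1
    sysroot=${qemu##* }
    echo "${qemu%% *} -g $2 -L $sysroot $1"
    echo "gdb-multiarch -q $1 -ex 'set sysroot $sysroot' -ex 'target remote localhost:$2'"
}

# Test helper: write a CONSTRUCTED 20-byte ELF header (magic, class, data, version,
# nine padding bytes, e_type=ET_EXEC, e_machine) to $1. Enough for elf_qemu_cmd,
# not a runnable ELF. $2 = EI_CLASS, $3 = EI_DATA, $4 = e_machine in decimal.
write_stub_header() {
    if [ "$3" = 1 ]; then
        b1=$(( $4 & 255 )); b2=$(( $4 >> 8 )); type='\002\000'
    else
        b1=$(( $4 >> 8 )); b2=$(( $4 & 255 )); type='\000\002'
    fi
    {
        printf '\177ELF'
        printf "\\$(printf '%03o' "$2")\\$(printf '%03o' "$3")\\001"
        printf '\000\000\000\000\000\000\000\000\000'
        printf "$type"
        printf "\\$(printf '%03o' "$b1")\\$(printf '%03o' "$b2")"
    } > "$1"
}

# Usage: sh elf_qemu.sh <elf> [port]   (default port 1234)
if [ $# -ge 1 ]; then
    gdb_session_cmds "$1" "${2:-1234}" || echo "not a mapped ELF: $1" >&2
fi
```

Run `sh elf_qemu.sh ./mipsel_file 1234` and you get the `qemu-mipsel -g 1234 -L /usr/mipsel-linux-gnu ./mipsel_file` line to start in one terminal and the `gdb-multiarch` line for the other; the qemu process blocks until gdb connects. Two caveats a practitioner will hit: binaries pulled out of a firmware image are normally linked against uClibc or musl, so `-L` must point at the extracted root filesystem (for example `-L squashfs-root`) rather than the Ubuntu sysroot, and 32-bit ARM binaries built for the soft-float EABI (interpreter `/lib/ld-linux.so.3`) need the `arm-linux-gnueabi` toolchain's sysroot instead of the `gnueabihf` one printed here.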
One-click firmware emulation tools
I have tried Firmware Analysis Plus and FirmAE; personally I find FirmAE easier to use, but pick whichever you prefer.
Reference article: FirmAE 模拟固件 - CSDN博客
Installation
git clone --recursive https://github.com/pr0v3rbs/FirmAE
cd FirmAE
./download.sh   # may need a proxy to reach the downloads
./install.sh