FIRMADYNE is an automated and scalable system for performing emulation and dynamic analysis of Linux-based embedded firmware. It includes the following components:
There are also three basic automated analyses using the FIRMADYNE system.
In their 2016 Network and Distributed System Security Symposium (NDSS) paper, titled Towards Automated Dynamic Analysis for Linux-based Embedded Firmware, the team evaluated the FIRMADYNE system over a dataset of 23,035 firmware images, of which they were able to extract 9,486. Using 60 exploits from the Metasploit Framework and 14 previously-unknown vulnerabilities that were discovered, they showed that 846 out of 1,971 (43%) firmware images were vulnerable to at least one exploit, affecting 89+ different products. For more details, refer to the paper linked above.
Note: This project is a research tool and is currently not production ready. In particular, some components are quite immature and rough. It is suggested that you run the system within a virtual machine. No support is offered, but pull requests are greatly appreciated, whether for documentation, tests, or code!
The following has been tested on an Ubuntu 14.04 machine. Other Debian-based systems should also be compatible. First, clone this repository recursively and install its dependencies.
sudo apt-get install busybox fakeroot git kpartx netcat-openbsd nmap python-psycopg2 python3-psycopg2 snmp uml-utilities util-linux vlan
git clone --recursive https://github.com/firmadyne/firmadyne.git
The extractor depends on the binwalk tool, so we need to install that and its dependencies.
git clone https://github.com/devttys0/binwalk.git
sudo ./binwalk/deps.sh
sudo python ./binwalk/setup.py install
For Python 2.x, also install the following:
sudo apt-get install python-lzma
sudo -H pip install git+https://github.com/ahupp/python-magic
Instead of upstream jefferson, it is recommended to install the jefferson fork, which supports extraction of additional file and compression types. Optionally, instead of upstream sasquatch, the sasquatch fork can be used to prevent false positives by making errors fatal.
Next, install, set up, and configure the database.
sudo apt-get install postgresql
sudo -u postgres createuser -P firmadyne (enter the password firmadyne when prompted)
sudo -u postgres createdb -O firmadyne firmware
sudo -u postgres psql -d firmware < ./firmadyne/database/schema
To download pre-built binaries for all components, run the following script:
cd ./firmadyne; ./download.sh
To use QEMU provided by your distribution:
sudo apt-get install qemu-system-arm qemu-system-mips qemu-utils
Edit firmadyne.config to point to the root of this repository.
Use the extractor to recover only the filesystem, no kernel (-nk), no parallel operation (-np), populating the image table in the SQL server at 127.0.0.1 (-sql) with the Netgear brand (-b), and storing the tarball in images:
./sources/extractor/extractor.py -b Netgear -sql 127.0.0.1 -np -nk "WNAP320 Firmware Version 2.0.3.zip" images
Identify the architecture of firmware image 1 and store the result in the image table of the database.
Load the contents of the filesystem for firmware image 1 into the database:
./scripts/tar2db.py -i 1 -f ./images/1.tar.gz
Create the QEMU disk image for firmware image 1:
sudo ./scripts/makeImage.sh 1
Infer the network configuration for firmware image 1. Kernel messages from this initial boot are logged for later inspection.
Emulate firmware image 1 with the inferred network configuration. This will modify the configuration of the host system by creating a TAP device and adding a route.
Once it is running, the emulated system is reachable over the network and ready for analysis, for example:
./analyses/webAccess.py 1 192.168.0.100 log.txt
mkdir exploits; ./analyses/runExploits.py -t 192.168.0.100 -o exploits/exploit -e x (requires the Metasploit Framework)
sudo nmap -O -sV 192.168.0.100
Edit the run.sh script to provide console access, or use the second console provided by the framework:
nc -U /tmp/qemu.1.S1
Mount the filesystem of firmware image 1. Ensure that the emulated firmware is not running, and remember to unmount before performing any other operations.
sudo ./scripts/mount.sh 1
Unmount the filesystem of firmware image 1:
sudo ./scripts/umount.sh 1
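A guard around the mount and unmount steps above, as an added example that is not part of FIRMADYNE: it refuses to mount an image whose console socket (the /tmp/qemu.N.S1 path used above) is still held open by a process, keeps a record of what is mounted, and always unmounts after an analysis command, so a disk image is never modified while QEMU is using it. The FIRMADYNE_DIR, MOUNT_CMD, UMOUNT_CMD and SOCKET_DIR variables and the firmadyne.mounted state file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not FIRMADYNE code. Wraps scripts/mount.sh and scripts/umount.sh.
# Assumptions: FIRMADYNE_DIR is the repository root (default: current directory);
# a running emulation of image N holds the console socket $SOCKET_DIR/qemu.N.S1.
FIRMADYNE_DIR="${FIRMADYNE_DIR:-.}"
MOUNT_CMD="${MOUNT_CMD:-sudo $FIRMADYNE_DIR/scripts/mount.sh}"
UMOUNT_CMD="${UMOUNT_CMD:-sudo $FIRMADYNE_DIR/scripts/umount.sh}"
SOCKET_DIR="${SOCKET_DIR:-/tmp}"
STATE_FILE="${STATE_FILE:-$SOCKET_DIR/firmadyne.mounted}"

# Succeeds (0) when image $1 looks like it is being emulated: its console socket
# exists and a process has it open. A stale socket left by a crashed run is ignored.
image_running() {
    sock="$SOCKET_DIR/qemu.$1.S1"
    [ -S "$sock" ] || return 1
    # fuser comes from psmisc; without it, be conservative and treat the image as up.
    command -v fuser >/dev/null 2>&1 || return 0
    fuser "$sock" >/dev/null 2>&1
}

# Mount image $1 only when no emulation owns it, then record it in the state file.
safe_mount() {
    id="$1"
    case "$id" in ''|*[!0-9]*) echo "usage: safe_mount <image id>" >&2; return 2 ;; esac
    if image_running "$id"; then
        echo "image $id is being emulated; stop it before mounting" >&2
        return 1
    fi
    $MOUNT_CMD "$id" || return 1
    echo "$id" >> "$STATE_FILE"
}

# Unmount image $1 and drop it from the state file.
safe_umount() {
    id="$1"
    $UMOUNT_CMD "$id" || return 1
    if [ -f "$STATE_FILE" ]; then
        grep -vx "$id" "$STATE_FILE" > "$STATE_FILE.tmp" || true
        mv "$STATE_FILE.tmp" "$STATE_FILE"
    fi
}

# Run an analysis command ($2...) with image $1 mounted; unmount even if it fails.
with_mounted() {
    id="$1"; shift
    safe_mount "$id" || return 1
    "$@"; rc=$?
    safe_umount "$id"
    return $rc
}
```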