cisco asa设备逆向调试分析辅助工具

# asafw Preliminary note: we recommend you to use this as part of [asatools](https://github.com/nccgroup/asatools) but it can also be used standalone. **asafw** is a set of scripts to deal with Cisco ASA firmware. It allows someone to unpack firmware required when debugging with gdb, as well as unpacking/repacking them in order to enable certain features such as: * Enabling gdb at boot * Disabling ASLR to ease debugging * Injecting a Linux debug shell to allow CTRL^C in gdb when used with real hardware * Rooting a firmware (generally deprecated by enabling gdb at boot and injecting a root shell) * etc. The more useful tools are `unpack_repack_bin.sh` and `unpack_repack_qcow2.sh`. They allow respectively to manipulate `asa*.bin` and `asav*.qcow2` image formats. They both need to be executed as root when actually repacking rootfs to keep the right permissions. ## Requirements * Python3 only * apt install binwalk * Heavily tested on Linux (but could work on OS X to) You initially need to modify `asafw/env.sh` to match your environment. It will allow you to define paths to the tools used by all the scripts as well as some variables matching your ASA environment. Note there is a simmilar `asadbg/env.sh` but only one is required to be used for both projects. We recommend that you add it to your `~/.bashrc`: ``` source /path/to/asafw/env.sh ``` # unpack_repack_bin.sh `unpack_repack_bin.sh` is used to unpack/repack `asa*.bin` images which are used for real Cisco ASA hardware (such as ASA 5500 and 5500-X series). The complete usage is: ``` $ unpack_repack_bin.sh -h Usage: ./unpack_repack_bin.sh -i <firmware_file> -o <out_dir> [-f -g -G -a -A -m -b -r -u -l <linabin_dir> -d -e -k] -h, --help This help menu -i, --input <firmware_file> What firmware bin to operate on -o, --output <out_dir> Where to write new firmware -f, --free-space Remove space from .bin to ensure injections fit -g, --enable-gdb Set gdb to start on boot -G, --disable-gdb Stop gdb from starting on boot -a, --enable-aslr Turn on ASLR -A, --disable-aslr Turn off ASLR -m, --inject-gdb Inject gdbserver to run -b, --debug-shell Inject ssh-triggered debug shell -H, --lina-hook Inject hooks for monitor lina heap (requires -b) -r, --root root the bin to get a rootshell on boot -c, --custom custom? -n, --n-custom custom? -q, --gns3-fixup gns? -u, --unpack-only unpack the firmware and nothing else -l, --linabins <linabin_dir> destination folder to save lina binaries -d, --delete-extracted delete files extracted during modification -e, --delete-original-bin delete the original firmware being modified -k, --keep-rootfs keep the extracted rootfs on disk -s, --simple-name use a simple name for the output .bin with just appended '-repacked' Examples: ./unpack_repack_bin.sh -i /home/user/firmware -o /home/user/firmware_repacked --free-space --enable-gdb --inject-gdb ./unpack_repack_bin.sh -i /home/user/firmware/asa961-smp-k8.bin -f -g -m ./unpack_repack_bin.sh -u -i /home/user/firmware -l /home/user/linabins ./unpack_repack_bin.sh -u -i /home/user/firmware/asa924-k8.bin -k ``` ## Extract multiple firmare Let's assume we have these two firmware: ``` ~/fw$ ls asa924-k8.bin asa981-smp-k8.bin ``` If you only want to extract firmware, e.g. to debug them with [asadbg](https://github.com/nccgroup/asadbg), you can use `-u` to unpack only and `-k` to only keep the rootfs and delete other files extracted by binwalk that you don't need. Note that the output folder is the same as the input folder as we rely on binwalk for this: ``` ~/fw$ unpack_repack_bin.sh -i . -k -u [unpack_repack_bin] Directory of firmware detected: . [unpack_repack_bin] extract_one: asa924-k8.bin DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 75000 0x124F8 SHA256 hash constants, little endian 144510 0x2347E gzip compressed data, maximum compression, from Unix, last modified: 2015-07-15 04:53:23 1501296 0x16E870 gzip compressed data, has original file name: "rootfs.img", from Unix, last modified: 2015-07-15 05:19:52 27168620 0x19E8F6C MySQL ISAM index file Version 4 28192154 0x1AE2D9A Zip archive data, at least v2.0 to extract, name: com/cisco/webvpn/csvrjavaloader64.dll 28773362 0x1B70BF2 Zip archive data, at least v2.0 to extract, name: AliasHandlerWrapper-win64.dll [unpack_repack_bin] Extracted firmware to /home/user/fw/_asa924-k8.bin.extracted [unpack_repack_bin] Firmware uses regular rootfs/ dir [unpack_repack_bin] Extracting /home/user/fw/_asa924-k8.bin.extracted/rootfs/rootfs.img into /home/user/fw/_asa924-k8.bin.extracted/rootfs [unpack_repack_bin] Keeping rootfs [unpack_repack_bin] Deleting "/home/user/fw/_asa924-k8.bin.extracted/rootfs.img" [unpack_repack_bin] Deleting "/home/user/fw/_asa924-k8.bin.extracted/2347E" [unpack_repack_bin] Deleting "/home/user/fw/_asa924-k8.bin.extracted/1AE2D9A.zip" [unpack_repack_bin] extract_one: asa981-smp-k8.bin DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 75264 0x12600 SHA256 hash constants, little endian 133120 0x20800 Microsoft executable, portable (PE) 149183 0x246BF gzip compressed data, maximum compression, from Unix, last modified: 2017-01-30 19:33:09 3678112 0x381FA0 gzip compressed data, has original file name: "rootfs.img", from Unix, last modified: 2017-05-10 22:42:05 14838307 0xE26A23 MySQL MISAM compressed data file Version 4 87985870 0x53E8ECE MySQL MISAM compressed data file Version 7 96261881 0x5BCD6F9 Zip archive data, at least v2.0 to extract, name: com/cisco/webvpn/csvrjavaloader64.dll 96890193 0x5C66D51 MySQL ISAM compressed data file Version 5 [unpack_repack_bin] Extracted firmware to /home/user/fw/_asa981-smp-k8.bin.extracted [unpack_repack_bin] Firmware uses regular rootfs/ dir [unpack_repack_bin] Extracting /home/user/fw/_asa981-smp-k8.bin.extracted/rootfs/rootfs.img into /home/user/fw/_asa981-smp-k8.bin.extracted/rootfs [unpack_repack_bin] Keeping rootfs [unpack_repack_bin] Deleting "/home/user/fw/_asa981-smp-k8.bin.extracted/rootfs.img" [unpack_repack_bin] Deleting "/home/user/fw/_asa981-smp-k8.bin.extracted/5BCD6F9.zip" [unpack_repack_bin] Deleting "/home/user/fw/_asa981-smp-k8.bin.extracted/246BF" ``` Note that errors like below you may get don't matter in this case because you are not going to repack the firmware: ``` cpio: lib/udev/devices/kmem: Function mknod failed: Operation not permitted cpio: lib/udev/devices/net/tun: Function mknod failed: Operation not permitted cpio: lib/udev/devices/loop01: Function mknod failed: Operation not permitted cpio: lib/udev/devices/null: Function mknod failed: Operation not permitted cpio: lib/udev/devices/console: Function mknod failed: Operation not permitted cpio: lib/udev/devices/loop00: Function mknod failed: Operation not permitted 134992 blocks ``` ## Enable gdb at boot / debug shell Let's assume we have these two firmware: ``` ~/fw$ ls asa924-k8.bin asa981-smp-k8.bin ``` We enable gdb with `-g` and remove some unused files with `-f` to be able to repack the firmware (the compressed rootfs needs to be smaller than the original one). We also patch `lina` to add a debug shell with `-b`. As we see below, it worked for `asa924-k8.bin` but it failed for