🎮Dynamic Analysis with Emulation
FirmAE
The FirmAE3 tool extends the capability of FIRMADYNE4 to allow for the emulation of more firmware by using various arbitrations for services and the QEMU hypervisor. The focus of the arbitrations is to allow the running of web services, as that is a common attack vector. The beauty of this approach is that you do not have to buy the hardware to test the firmware. This powerful approach allows for scaled testing in parallel. The authors of FirmAE had a success rate of 79.36 percent on 1,124 devices and found 12 new 0-days, 5 which is not bad at all.
Setting Up FirmAE
Install Packages
sudo apt install build-essential git telnetInstall FirmAE
git clone https://github.com/pr0v3rbs/FirmAE.git
cd FirmAE
./download.sh
./install.sh
./init.shEmulating Firmware
First, using the run.sh script, check any firmware . This step will extract the image, get the architecture, infer the network config, and associate an ID in the database for the analysis (this may take a while, so be patient):
sudo -E ./run.sh -c <netgear> <firmware.zip>Run the Emulator with Debugging Enabled
sudo -E ./run.sh -d <netgear> <firmware.zip>
# Access the shell
2Reset the Database and Environment
psql -d postgres -U firmdyne -h 127.0.0.1 -q -c 'DROP DATABASE "firmware"'
sudo -u postgres createdb -O firmdyne firmware
sudo -u postgres psql -d firmware < ./database/schema
sudo rm -rf ./images/*.tar.gz
sudorm -rf scratch/At this point, the firmware should be running on the preceding IP as a tap device. You should also be able to connect to this virtual interface from the machine on which you are running QEMU. From within the VM, open a web browser and try to connect to the inferred IP, as shown next. You may need to wait a minute for the web service to fully start after the emulator launches the firmware.
REFERENCES
Last updated
Was this helpful?