After unpacking the Xiaomi AX3600 and AX1800 router firmware, the Lua scripts turned out to be encrypted.
Some searching showed that unluac can decompile them.
Set up binwalk, ubi_reader and unluac
binwalk setup:
git clone https://github.com/ReFirmLabs/binwalk.git
cd binwalk
sudo python3 setup.py install
ubi_reader setup:
git clone https://github.com/jrspruitt/ubi_reader
cd ubi_reader
sudo python3 setup.py install
sudo apt-get install python-lzo
sudo apt-get install liblzo2-dev
unluac setup:
git clone https://github.com/NyaMisty/unluac_miwifi.git
cd unluac_miwifi
mkdir build
javac -d build -sourcepath src src/unluac/*.java
jar -cfm build/unluac.jar src/META-INF/MANIFEST.MF -C build .
The artifact that matters is unluac.jar.
Decompiling
Unpack the AX3600 firmware:
binwalk -Me miwifi_r3600_firmware_02d97_1.1.15.bin
cd _miwifi_r3600_firmware_02d97_1.1.15.bin.extracted/
ubireader_extract_images 2AC.ubi
cd ubifs-root/2AC.ubi
sudo unsquashfs ./img-928520125_vol-ubi_rootfs.ubifs
Unpack the AX1800 firmware:
binwalk -Me miwifi_rm1800_firmware_df7e3_1.0.385.bin
cd _miwifi_rm1800_firmware_df7e3_1.0.385.bin.extracted/
ubireader_extract_images 2B0.ubi
cd ubifs-root/2B0.ubi/
sudo unsquashfs ./img-1921350739_vol-rootfs_data.ubifs
Change into squashfs-root/usr/lib/lua/luci/controller/api
and look at the scripts:
They are encrypted, so use
unluac.jar
to decompile them. As a test, pick the following file, which contains the vulnerable function:
squashfs-root/usr/lib/lua/luci/controller/api/misystem.lua
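Before handing anything to unluac it helps to know which of the .lua files under the controller tree are plain source, which are standard Lua bytecode, and which are something else entirely. The script below is an added example, not part of the original post and not Xiaomi's or unluac's code: it walks an extracted rootfs and classifies every .lua file by content. The only format knowledge it relies on is the standard Lua bytecode signature (ESC followed by "Lua", then a version byte); the sample files it creates in a temporary directory are constructed, and the ones it reports as "opaque" are the kind you would pass to the unluac_miwifi fork.

```python
"""Classify every .lua file under an extracted rootfs as plain source,
standard Lua bytecode, or an opaque (possibly vendor-encrypted) blob.
Added example; the files created in main() are constructed samples."""
import string
import tempfile
from pathlib import Path

# Standard Lua 5.x bytecode starts with ESC "Lua"; byte 4 encodes the version (0x51 = Lua 5.1).
LUA_BYTECODE_MAGIC = b"\x1bLua"
_PRINTABLE = frozenset(string.printable.encode())


def classify_lua_blob(data: bytes) -> str:
    """Return 'empty', 'bytecode(luaX.Y)', 'source' or 'opaque' for one file's contents."""
    if not data:
        return "empty"
    if data.startswith(LUA_BYTECODE_MAGIC):
        if len(data) <= 4:
            return "bytecode(truncated)"
        version = data[4]
        return f"bytecode(lua{version >> 4}.{version & 0x0F})"
    # Heuristic: Lua source is overwhelmingly ASCII. The 97% threshold leaves room for
    # UTF-8 in comments and strings while rejecting ciphertext and other binary data.
    sample = data[:4096]
    printable = sum(1 for b in sample if b in _PRINTABLE)
    return "source" if printable / len(sample) >= 0.97 else "opaque"


def triage_tree(root: Path) -> dict[str, str]:
    """Map each .lua path (relative to root) to its classification."""
    return {
        str(path.relative_to(root)): classify_lua_blob(path.read_bytes())
        for path in sorted(root.rglob("*.lua"))
    }


def summarize(results: dict[str, str]) -> dict[str, int]:
    """Count how many files fell into each class."""
    counts: dict[str, int] = {}
    for kind in results.values():
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def main() -> None:
    # Constructed sample tree standing in for squashfs-root/usr/lib/lua/luci/controller/api
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        api = root / "usr" / "lib" / "lua" / "luci" / "controller" / "api"
        api.mkdir(parents=True)
        (api / "plain.lua").write_bytes(b'module("luci.controller.api.plain", package.seeall)\n')
        (api / "compiled.lua").write_bytes(LUA_BYTECODE_MAGIC + bytes([0x51, 0x00, 0x01, 0x04]) + b"\x00" * 32)
        (api / "opaque.lua").write_bytes(bytes(range(256)) * 2)
        results = triage_tree(root)
        for name, kind in results.items():
            print(f"{kind:<18} {name}")
        print(summarize(results))


if __name__ == "__main__":
    main()
```

Run it against the real tree with `triage_tree(Path("squashfs-root"))`; a directory where every controller script comes back "opaque" is exactly the situation the post describes, and a version byte other than 0x51 in any "bytecode" result tells you which unluac build you need.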
Remember to copy this file from both the AX3600 and AX1800 trees into the directory containing unluac.jar,
so the two can be compared.
touch ax3600.lua
java -jar ./unluac.jar ./misystem.lua > ax3600.lua
After decompiling, look at the vulnerable function:
setConfigIotDev = L14
function L14()
  local L0, L1, L2, L3, L4, L5, L6, L7, L8, L9, L10, L11, L12, L13, L14, L15, L16, L17, L18, L19, L20
  L0 = require
  L1 = "xiaoqiang.common.XQFunction"
  L0 = L0(L1)
  L1 = require
  L2 = "xiaoqiang.util.XQWifiUtil"
  L1 = L1(L2)
  L2 = require
  L3 = "luci.util"
  L2 = L2(L3)
  L3 = {}
  L3.code = 0
  L4 = {}
  L5 = {}
  L6 = require
  L7 = "luci.model.uci"
  L6 = L6(L7)
  L6 = L6.cursor
  L6 = L6()
  L8 = L6
  L7 = L6.get
  L9 = "miscan"
  L10 = "config"
  L7 = L7(L8, L9, L10, L11)
  L7 = L7 or L7
  L8 = nil
  L9 = {}
  L10 = L1.getWifiBasicInfo
  L10 = L10(L11)
  L10 = L10.on
  L10 = L10 == 1
  wifi24GOn = L10
  if L7 == "1" then
    L10 = wifi24GOn
    if L10 then
      L10 = "scan 1"
      scancmd = L10
      L10 = L2.execl
      L10 = L10(L11)
      if L10 then
        for L14, L15 in L11, L12, L13 do
          L16 = L0.isStrNil
          L17 = L15
          L16 = L16(L17)
          if not L16 then
            L17 = L15
            L16 = L15.match
            L18 = "ssid:(%S+) bssid:(%S+) model:(%S+) routerSSID:(%S+) routerBSSID:(%S+)"
            L16, L17, L18, L19, L20 = L16(L17, L18)
            router_bssid = L20
            router_ssid = L19
            model = L18
            bssid = L17
            ssid = L16
            L16 = ssid
            if L16 ~= nil then
              L16 = table
              L16 = L16.insert
              L17 = L4
              L18 = {}
              L19 = tostring
              L20 = model
              L19 = L19(L20)
              L18.model = L19
              L19 = tostring
              L20 = ssid
              L19 = L19(L20)
              L18.ssid = L19
              L19 = tostring
              L20 = bssid
              L19 = L19(L20)
              L18.bssid = L19
              L19 = tostring
              L20 = router_ssid
              L19 = L19(L20)
              L18.router_ssid = L19
              L19 = tostring
              L20 = router_bssid
              L19 = L19(L20)
              L18.router_bssid = L19
              L16(L17, L18)
            end
          end
        end
      end
    end
  end
  L5.list = L4
  L3.data = L5
  L10 = _UPVALUE0_
  L10 = L10.write_json
  L10(L11)
end
That is not very readable, so compare it with the same function in the AX1800 to see what changed.
Left: AX1800, right: AX3600.
Judging from the changed code, the AX3600 has fixed the injectable function.
Even so, the decompiled output as a whole is still not very easy to read.
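Comparing two whole decompilations side by side is the part that stays hard to read. As an added example (not part of the original post, and not unluac's or Xiaomi's code), the script below splits two unluac outputs into per-function bodies, keyed on the `name = Lnn` alias line and `function Lnn()` header that unluac emits as seen above, and reports which functions were added, removed or changed, with a unified diff for any changed one. OLD and NEW are constructed toy inputs written in that output style, not the firmware's code; the function names and the difference between them are invented for the demonstration.

```python
"""Compare two unluac decompilations function by function.
Added example; OLD and NEW are constructed toy inputs in unluac's output
style (alias line, then `function Lnn()`), not real firmware code."""
import difflib
import re

FUNC_RE = re.compile(r"^\s*(?:local\s+)?function\s+([\w.:]+)\s*\(")
ALIAS_RE = re.compile(r"^\s*(\w+)\s*=\s*(L\d+)\s*$")  # e.g. `setConfigIotDev = L14`
STRING_OR_COMMENT_RE = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|--.*$')
BLOCK_TOKEN_RE = re.compile(r"\b(function|do|then|repeat|end|until)\b")


def block_delta(line: str) -> int:
    """Net change in Lua block nesting caused by one line; string and comment contents are ignored."""
    code = STRING_OR_COMMENT_RE.sub("", line)
    is_elseif = code.lstrip().startswith("elseif")
    delta = 0
    for tok in BLOCK_TOKEN_RE.findall(code):
        if tok in ("end", "until"):
            delta -= 1
        elif tok == "then":
            # `elseif ... then` continues the enclosing if; only `if ... then` opens a block
            delta += 0 if is_elseif else 1
        else:
            delta += 1
    return delta


def split_functions(src: str) -> dict[str, list[str]]:
    """Return {readable_name: body_lines} for every top-level function in a decompilation."""
    aliases: dict[str, str] = {}
    functions: dict[str, list[str]] = {}
    current = None
    body: list[str] = []
    depth = 0
    for line in src.splitlines():
        if current is None:
            alias = ALIAS_RE.match(line)
            if alias:
                aliases[alias.group(2)] = alias.group(1)  # remember L14 -> setConfigIotDev
                continue
            start = FUNC_RE.match(line)
            if not start:
                continue
            current, body, depth = start.group(1), [], 0
        body.append(line)
        depth += block_delta(line)
        if depth <= 0:  # matching `end` reached: the function is complete
            functions[aliases.get(current, current)] = body
            current = None
    return functions


def diff_functions(old_src: str, new_src: str) -> dict[str, str]:
    """Classify each function as 'same', 'changed', 'added' or 'removed'."""
    old_f, new_f = split_functions(old_src), split_functions(new_src)
    report: dict[str, str] = {}
    for name in sorted(set(old_f) | set(new_f)):
        if name not in old_f:
            report[name] = "added"
        elif name not in new_f:
            report[name] = "removed"
        else:
            report[name] = "same" if old_f[name] == new_f[name] else "changed"
    return report


def function_diff(old_src: str, new_src: str, name: str, old_label: str = "old", new_label: str = "new") -> str:
    """Unified diff of one function's body between the two decompilations."""
    old_body = split_functions(old_src).get(name, [])
    new_body = split_functions(new_src).get(name, [])
    return "\n".join(difflib.unified_diff(old_body, new_body, f"{old_label}/{name}", f"{new_label}/{name}", lineterm=""))


# Constructed toy decompilations (not firmware code): one changed, one removed, one added, one unchanged function.
OLD = """getInfo = L3
function L3()
  local L0, L1
  L0 = require
  L1 = "luci.util"
  L0 = L0(L1)
  if L0 ~= nil then
    L1 = L0.exec
  end
  return L1
end
legacyHelper = L4
function L4() return "old only" end
sharedHelper = L6
function L6() return 1 end
"""
NEW = OLD.replace('L1 = "luci.util"', 'L1 = "luci.sys"').replace(
    'legacyHelper = L4\nfunction L4() return "old only" end',
    'addedHelper = L5\nfunction L5() return "new only" end')

if __name__ == "__main__":
    for name, status in diff_functions(OLD, NEW).items():
        print(f"{status:<8} {name}")
    print(function_diff(OLD, NEW, "getInfo", "ax1800", "ax3600"))
```

Feed it the two ax1800.lua and ax3600.lua files written by unluac and read only the functions it flags as "changed"; the alias lines turn the L-numbered names into the API names, so a changed setConfigIotDev is found by name instead of by scrolling.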