vxhunter

by PAGalaxyLab

PAGalaxyLab /vxhunter

ToolSet for VxWorks Based Embedded Device Analyses

150 Stars 28 Forks Last release: Not found BSD 2-Clause "Simplified" License 131 Commits 0 Releases

Available items

No Items, yet!

The developer of this repository has not created any items for sale yet. Need a bug fixed? Help with integration? A different license? Create a request here:

VxHunter

A ToolSet for VxWorks Based Embedded Device Analyses.

Readme in other languages: English, 简体中文

Firmware Analyze Tool

The firmware analyze tool is plugins written in Python, mainly used for analyze firmware loading address, fix function name with symbol table and etc.

supported reverse tool: * IDA Pro 7.x * Ghidra 9.x * Radare2

Tested firmware: * Schneider 140NOE77101 - Ethernet network TCP/IP module * Siemens SCALANCE-X208/SCALANCE-X216/SCALANCE-X308 - Siemens SCALANCE X Switch * Hirschmann PowerMICE - Industrial ETHERNET Switch

IDA Demo

Ghidra Demo

How to use VxHunter firmware tools in Ghidra

vxhunterfirmwareinit.py

vxhunter_analysis.py

After execute

vxhunter_firmware_init.py
, we can use
vxhunter_analysis.py
script to analyze VxWorks firmware. This script will search hard coded accounts, compiled in services and some other info.

Radare2 Demo

How to use VxHunter firmware tools in Radare2

VxSerial Debugger - Beta

The serial debugger tool is written in Python and based on VxWorks command line, usually we can get that command line from VxWorks device using serial port.

The serial debugger tool using memory read/write command to inject debugger shellcode into targat system, the shellcode is dynamic generation by keystone-engine.

It's similar to inline hook, if target hit the breakpoint, it will jump to debugger shellcode and waiting for other debug command.

The serial debugger tool support functions: * Memory read/write function. * Conditional breakpoint, Python based conditional function, return True to break, False to keep running. * Task status viewer(stacks, register). * VxWorks struct viewer(netpool, clBlk, etc).

Example

This is an example script to debug CVE-2018-19528 vulnerability on TP-Link TL-WR886N-V7 deivce with Firmware V1.1.0.

Serial Debugger Example Script

Demo Video

Demo Video

TODO

Firmware Analyze Tool

  • ~~Add Support for VxWorks memory dump file~~
  • Add dynamic loaded symbols analyze for VxWorks memory dump file
  • Add Function xref by analyze symFindByName call parameters

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.