

vxhunter: an analysis tool for VxWorks devices

Posted by truschel at 2020-03-01

1. What is vxhunter


vxhunter is the tool we used in our talk at Black Hat Asia 2019. It is mainly used for firmware analysis of embedded devices running the VxWorks operating system, and for building a debugger on top of the device's serial command line. The project is hosted at https://github.com/dark-lbp/vxhunter.

2. Main functions of vxhunter


(1) Firmware analysis tools

vxhunter's firmware analysis tool is a plug-in script for IDA Pro and Ghidra. Its main job is to automatically determine the memory load address of a loaded VxWorks firmware image, rebase the image to that address, locate the embedded symbol table and restore the function names it records. The following shows how vxhunter is used in Ghidra, the recently released open-source reverse engineering tool. First, load the VxWorks image into Ghidra with the correct processor type.

After the image loads, Ghidra asks whether it should analyze the file. Select No at this point, because we do not yet know the correct load address of the VxWorks firmware.

Then use Ghidra's Script Manager to run the vxhunter script, as shown below. vxhunter automatically analyzes the file, rebases it to the correct load address and starts restoring function names from the symbol table.

After the script finishes, the result looks like the figure below. Static analysis can start at this point, for example searching for hard-coded accounts.
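To make the rebasing step concrete, here is an added example (not code from the vxhunter project) of the core idea behind the firmware tool: find the embedded symbol table by scanning for runs of plausible symbol entries, derive the load address from the distance between a symbol's name pointer and the file offset of its name string, then resolve every entry to a name and address that a Ghidra or IDA script could apply as labels. The 16-byte big-endian entry layout is an assumed simplification modelled on the VxWorks 5 SYMBOL struct, the symbol type bits follow VxWorks symLib conventions, and the firmware image, symbol names, addresses and load address are all constructed for the example.

```python
"""Recover the load address and symbol table of a VxWorks-style image (added example)."""
import struct
from collections import namedtuple

# Symbol type bits, following VxWorks symLib conventions
SYM_GLOBAL, SYM_ABS, SYM_TEXT, SYM_DATA, SYM_BSS = 0x1, 0x2, 0x4, 0x6, 0x8
KNOWN_TYPES = {t | g for t in (SYM_ABS, SYM_TEXT, SYM_DATA, SYM_BSS) for g in (0, SYM_GLOBAL)}
KIND = {SYM_ABS: "abs", SYM_TEXT: "function", SYM_DATA: "data", SYM_BSS: "bss"}

# Assumed, simplified big-endian entry modelled on the VxWorks 5 SYMBOL struct:
# hash-chain next pointer, name pointer, value, group, type, one pad byte.
ENTRY_FMT = ">IIIHBB"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 16 bytes
SymEntry = namedtuple("SymEntry", "offset next name_ptr value group type")


def parse_entry(image, off):
    """Return a SymEntry if the bytes at off look like a symbol entry, else None."""
    nxt, name_ptr, value, group, typ, pad = struct.unpack_from(ENTRY_FMT, image, off)
    if typ not in KNOWN_TYPES or pad != 0 or name_ptr == 0 or value == 0:
        return None
    return SymEntry(off, nxt, name_ptr, value, group, typ)


def find_symbol_table(image, min_run=4):
    """Return the longest run of consecutive plausible entries whose name pointers
    ascend and share the same top byte (i.e. point into one string table)."""
    best, off = None, 0
    while off + ENTRY_SIZE <= len(image):
        run, pos = [], off
        while pos + ENTRY_SIZE <= len(image):
            e = parse_entry(image, pos)
            if e is None or (run and (e.name_ptr >> 24 != run[0].name_ptr >> 24
                                      or e.name_ptr <= run[-1].name_ptr)):
                break
            run.append(e)
            pos += ENTRY_SIZE
        if len(run) >= min_run and (best is None or len(run) > len(best)):
            best = run
        off = pos if run else off + 4  # skip past a run, else step 4-byte aligned
    return best


def _cstring(image, off):
    if not 0 <= off < len(image):
        return None
    end = image.find(b"\x00", off)
    return image[off:end] if end >= 0 else None


def _printable(s):
    return s is not None and len(s) > 0 and all(0x20 <= b < 0x7F for b in s)


def find_load_address(image, entries):
    """Names sit back to back in the string table, so the gap between consecutive
    name pointers equals len(name)+1. Find the file offset where a run of
    NUL-terminated printable strings has exactly those lengths; the difference
    between the first name pointer and that offset is the load address."""
    gaps = [b.name_ptr - a.name_ptr for a, b in zip(entries, entries[1:])]
    for off in range(len(image)):
        if off and image[off - 1] != 0:  # a string starts right after a NUL
            continue
        pos, ok = off, True
        for gap in gaps:
            s = _cstring(image, pos)
            if not _printable(s) or len(s) + 1 != gap:
                ok = False
                break
            pos += gap
        if ok and _printable(_cstring(image, pos)):
            return entries[0].name_ptr - off
    return None


def recover_symbols(image, load_addr, entries):
    """Map each symbol's address to (name, kind); a Ghidra or IDA script would
    turn these into labels and function names once the image is rebased."""
    symbols = {}
    for e in entries:
        name = _cstring(image, e.name_ptr - load_addr)
        if _printable(name):
            symbols[e.value] = (name.decode("ascii"), KIND.get(e.type & ~SYM_GLOBAL, "unknown"))
    return symbols


def analyze(image):
    """Full pipeline: locate symbol table, derive load address, resolve symbols."""
    entries = find_symbol_table(image)
    if not entries:
        return None, {}
    load_addr = find_load_address(image, entries)
    if load_addr is None:
        return None, {}
    return load_addr, recover_symbols(image, load_addr, entries)


# Constructed sample: five symbols behind 256 bytes of placeholder code, loaded at
# 0x00100000. Names, values and the load address are made up for this example.
LOAD_ADDR = 0x00100000
SAMPLE_SYMBOLS = [
    ("usrRoot",          0x00100020, SYM_GLOBAL | SYM_TEXT),
    ("loginUserAdd",     0x00100060, SYM_GLOBAL | SYM_TEXT),
    ("loginDefaultName", 0x001000A0, SYM_GLOBAL | SYM_DATA),
    ("telnetdInit",      0x001000C0, SYM_GLOBAL | SYM_TEXT),
    ("sysMemTop",        0x001000E0, SYM_GLOBAL | SYM_TEXT),
]


def build_sample_image(load_addr=LOAD_ADDR, symbols=SAMPLE_SYMBOLS):
    """Build the constructed image: code padding, string table, symbol table, junk."""
    code = b"\x00" * 0x100
    strtab, name_ptrs = b"", []
    for name, _, _ in symbols:
        name_ptrs.append(load_addr + len(code) + len(strtab))
        strtab += name.encode("ascii") + b"\x00"
    pad = b"\x00" * (-(len(code) + len(strtab)) % 4)
    symtab = b"".join(struct.pack(ENTRY_FMT, 0, name_ptrs[i], value, 0, typ, 0)
                      for i, (_, value, typ) in enumerate(symbols))
    return code + strtab + pad + symtab + b"\xFF" * 0x40


if __name__ == "__main__":
    addr, syms = analyze(build_sample_image())
    print("load address: 0x%08x" % addr)
    for value, (name, kind) in sorted(syms.items()):
        print("0x%08x  %-8s %s" % (value, kind, name))
```

Run stand-alone, the script recovers the load address 0x00100000 and prints the five constructed symbols. On a real image the scanner would additionally need the right endianness and the entry layout of the device's VxWorks version, which is exactly what vxhunter's version-specific heuristics handle.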

(2) Serial debugger

VxWorks differs from Linux: you cannot simply upload a statically compiled GDB or similar tool to debug it. In general, to debug a VxWorks system, debugging facilities such as WDB must be compiled into the VxWorks firmware. However, most VxWorks devices on the market ship without these debugging facilities, which leaves us unable to analyze the real cause and impact of device vulnerabilities. vxhunter's serial debugger is designed to solve this problem. Written in Python, it uses the memory read and write commands of the device's serial command line to write an assembly-based debugging stub into device memory, and then exposes Python debugging functions for setting breakpoints, inspecting VxWorks task information and related operations.

For details, please refer to our Black Hat slides, which cover the principle of the serial debugger and an analysis of the CVE-2018-19528 vulnerability.

This YouTube video, https://www.youtube.com/watch?v=ulo8msodlk, demonstrates debugging CVE-2018-19528 with vxhunter.

3. Summary


Embedded systems based on VxWorks are widely used in industrial control and IoT, and VxWorks itself is deployed across aerospace, industrial control, network communication and medical fields. Yet there is a shortage of security research and tooling for VxWorks. By open-sourcing vxhunter we hope to attract more security researchers to the security of VxWorks systems.

Related links


* Ghidra project address -

* Related topics -


* vxhunter project address - https://github.com/dark-lbp/vxhunter

* Debug demo - https://www.youtube.com/watch?v=ulo8msodlk