
asafw's Introduction

asafw

Preliminary note: we recommend using this as part of asatools, but it can also be used standalone.

asafw is a set of scripts to deal with Cisco ASA firmware. It lets you unpack firmware, which is required when debugging with gdb, and unpack/repack firmware in order to enable certain features such as:

  • Enabling gdb at boot
  • Disabling ASLR to ease debugging
  • Injecting a Linux debug shell to allow CTRL^C in gdb when used with real hardware
  • Rooting a firmware (generally deprecated by enabling gdb at boot and injecting a root shell)
  • etc.

The most useful tools are unpack_repack_bin.sh and unpack_repack_qcow2.sh, which manipulate the asa*.bin and asav*.qcow2 image formats respectively. Both need to be executed as root when actually repacking the rootfs, to keep the right permissions.

Requirements

  • Python3 only
  • apt install binwalk qemu-utils
  • Heavily tested on Linux (but could work on OS X too)

You first need to modify asafw/env.sh to match your environment. It lets you define paths to the tools used by all the scripts, as well as some variables matching your ASA environment. Note that there is a similar asadbg/env.sh, but only one of them is needed for both projects. We recommend that you add it to your ~/.bashrc:

source /path/to/asafw/env.sh

unpack_repack_bin.sh

unpack_repack_bin.sh is used to unpack/repack asa*.bin images which are used for real Cisco ASA hardware (such as ASA 5500 and 5500-X series). The complete usage is:

$ unpack_repack_bin.sh -h
Usage:
./unpack_repack_bin.sh -i <firmware_file> -o <out_dir> [-f -g -G -a -A -m -b -r -u -l <linabin_dir> -d -e -k]
      -h, --help                    This help menu
      -i, --input <firmware_file>   What firmware bin to operate on
      -o, --output  <out_dir>       Where to write new firmware
      -f, --free-space              Remove space from .bin to ensure injections fit
      -g, --enable-gdb              Set gdb to start on boot
      -G, --disable-gdb             Stop gdb from starting on boot
      -a, --enable-aslr             Turn on ASLR
      -A, --disable-aslr            Turn off ASLR
      -m, --inject-gdb              Inject gdbserver to run
      -b, --debug-shell             Inject ssh-triggered debug shell
      -H, --lina-hook               Inject hooks for monitor lina heap (requires -b)
      -r, --root                    root the bin to get a rootshell on boot
      -c, --custom                  custom?
      -n, --n-custom                custom?
      -q, --gns3-fixup              gns?
      -u, --unpack-only             unpack the firmware and nothing else
      -l, --linabins <linabin_dir>  destination folder to save lina binaries
      -d, --delete-extracted        delete files extracted during modification
      -e, --delete-original-bin     delete the original firmware being modified
      -k, --keep-rootfs             keep the extracted rootfs on disk
      -s, --simple-name             use a simple name for the output .bin with just appended '-repacked'
Examples:
 ./unpack_repack_bin.sh -i /home/user/firmware -o /home/user/firmware_repacked --free-space --enable-gdb --inject-gdb
 ./unpack_repack_bin.sh -i /home/user/firmware/asa961-smp-k8.bin -f -g -m
 ./unpack_repack_bin.sh -u -i /home/user/firmware -l /home/user/linabins
 ./unpack_repack_bin.sh -u -i /home/user/firmware/asa924-k8.bin -k

Extract multiple firmware

Let's assume we have these two firmware:

~/fw$ ls
asa924-k8.bin  asa981-smp-k8.bin

If you only want to extract firmware, e.g. to debug them with asadbg, you can use -u to unpack only and -k to only keep the rootfs and delete other files extracted by binwalk that you don't need. Note that the output folder is the same as the input folder as we rely on binwalk for this:

~/fw$ unpack_repack_bin.sh -i . -k -u
[unpack_repack_bin] Directory of firmware detected: .
[unpack_repack_bin] extract_one: asa924-k8.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
75000         0x124F8         SHA256 hash constants, little endian
144510        0x2347E         gzip compressed data, maximum compression, from Unix, last modified: 2015-07-15 04:53:23
1501296       0x16E870        gzip compressed data, has original file name: "rootfs.img", from Unix, last modified: 2015-07-15 05:19:52
27168620      0x19E8F6C       MySQL ISAM index file Version 4
28192154      0x1AE2D9A       Zip archive data, at least v2.0 to extract, name: com/cisco/webvpn/csvrjavaloader64.dll
28773362      0x1B70BF2       Zip archive data, at least v2.0 to extract, name: AliasHandlerWrapper-win64.dll

[unpack_repack_bin] Extracted firmware to /home/user/fw/_asa924-k8.bin.extracted
[unpack_repack_bin] Firmware uses regular rootfs/ dir
[unpack_repack_bin] Extracting /home/user/fw/_asa924-k8.bin.extracted/rootfs/rootfs.img into /home/user/fw/_asa924-k8.bin.extracted/rootfs
[unpack_repack_bin] Keeping rootfs
[unpack_repack_bin] Deleting "/home/user/fw/_asa924-k8.bin.extracted/rootfs.img"
[unpack_repack_bin] Deleting "/home/user/fw/_asa924-k8.bin.extracted/2347E"
[unpack_repack_bin] Deleting "/home/user/fw/_asa924-k8.bin.extracted/1AE2D9A.zip"
[unpack_repack_bin] extract_one: asa981-smp-k8.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
75264         0x12600         SHA256 hash constants, little endian
133120        0x20800         Microsoft executable, portable (PE)
149183        0x246BF         gzip compressed data, maximum compression, from Unix, last modified: 2017-01-30 19:33:09
3678112       0x381FA0        gzip compressed data, has original file name: "rootfs.img", from Unix, last modified: 2017-05-10 22:42:05
14838307      0xE26A23        MySQL MISAM compressed data file Version 4
87985870      0x53E8ECE       MySQL MISAM compressed data file Version 7
96261881      0x5BCD6F9       Zip archive data, at least v2.0 to extract, name: com/cisco/webvpn/csvrjavaloader64.dll
96890193      0x5C66D51       MySQL ISAM compressed data file Version 5

[unpack_repack_bin] Extracted firmware to /home/user/fw/_asa981-smp-k8.bin.extracted
[unpack_repack_bin] Firmware uses regular rootfs/ dir
[unpack_repack_bin] Extracting /home/user/fw/_asa981-smp-k8.bin.extracted/rootfs/rootfs.img into /home/user/fw/_asa981-smp-k8.bin.extracted/rootfs
[unpack_repack_bin] Keeping rootfs
[unpack_repack_bin] Deleting "/home/user/fw/_asa981-smp-k8.bin.extracted/rootfs.img"
[unpack_repack_bin] Deleting "/home/user/fw/_asa981-smp-k8.bin.extracted/5BCD6F9.zip"
[unpack_repack_bin] Deleting "/home/user/fw/_asa981-smp-k8.bin.extracted/246BF"

Note that you may get errors like the ones below. They don't matter in this case because you are not going to repack the firmware:

cpio: lib/udev/devices/kmem: Function mknod failed: Operation not permitted
cpio: lib/udev/devices/net/tun: Function mknod failed: Operation not permitted
cpio: lib/udev/devices/loop01: Function mknod failed: Operation not permitted
cpio: lib/udev/devices/null: Function mknod failed: Operation not permitted
cpio: lib/udev/devices/console: Function mknod failed: Operation not permitted
cpio: lib/udev/devices/loop00: Function mknod failed: Operation not permitted
134992 blocks

Enable gdb at boot / debug shell

Let's assume we have these two firmware:

~/fw$ ls
asa924-k8.bin  asa981-smp-k8.bin

We enable gdb with -g and remove some unused files with -f to be able to repack the firmware (the compressed rootfs needs to be smaller than the original one). We also patch lina to add a debug shell with -b. As we see below, it worked for asa924-k8.bin but it failed for asa981-smp-k8.bin. This is because we haven't added the target to our json database:

~/fw# unpack_repack_bin.sh -i . -f -g -b -o .
[unpack_repack_bin] Directory of firmware detected: .
[unpack_repack_bin] unpack_one: asa924-k8.bin
[bin] Unpacking...
[bin] Writing /home/user/fw/asa924-k8-initrd-original.gz (29013841 bytes)...
[bin] unpack: Writing /home/user/fw/asa924-k8-vmlinuz (1368176 bytes)...
134992 blocks
[unpack_repack_bin] modify_one: asa924-k8.bin
[unpack_repack_bin] ENABLE GDB
[unpack_repack_bin] FREE SPACE IN .BIN
[unpack_repack_bin] Using 32-bit firmware
[unpack_repack_bin] Adding debug shell for 192.168.210.78:4444
[lina] WARN: No index specified. Will guess based on lina path...
[lina] Using index: 132 for asa924-k8.bin
[lina] Input file: /home/user/fw/work/asa/bin/lina
[lina] Size of clean lina: 43386588 bytes
[lina] Patching lina offset: 0x3db00 with len = 445 bytes
[lina] Output file: /home/user/fw/work/asa/bin/lina
[unpack_repack_bin] repack_one: asa924-k8.bin
132192 blocks
[bin] Repacking...
[bin] repack: Writing ./asa924-k8-debugshell-gdbserver.bin (30597120 bytes)...
[unpack_repack_bin] MD5: 6ee6af342a5b1ef31d633fca6dfa0d1a  ./asa924-k8-debugshell-gdbserver.bin
[unpack_repack_bin] CLEANUP
[unpack_repack_bin] unpack_one: asa981-smp-k8.bin
[bin] Unpacking...
[bin] Writing /home/user/fw/asa981-smp-k8-initrd-original.gz (100973358 bytes)...
[bin] Could not find Direct booting from string
[bin] Probably handling a 64-bit firmware...
[bin] unpack: Writing /home/user/fw/asa981-smp-k8-vmlinuz (3544992 bytes)...
458699 blocks
[unpack_repack_bin] modify_one: asa981-smp-k8.bin
[unpack_repack_bin] ENABLE GDB
[unpack_repack_bin] FREE SPACE IN .BIN
[unpack_repack_bin] Using 32-bit firmware
[unpack_repack_bin] Adding debug shell for 192.168.210.78:4444
[lina] WARN: No index specified. Will guess based on lina path...
[lina] [x] Failed to get target index matching bin name
/path/asafw/lina.py -b asa981-smp-k8.bin -f /home/user/fw/work/asa/bin/lina -o /home/user/fw/work/asa/bin/lina -c 192.168.210.78 -p 4444 -d /path/to/asadbg/asadb.json failed

As you can see we get an additional firmware with gdb enabled: asa924-k8-debugshell-gdbserver.bin that can be used with asadbg.

~/fw# ls
asa924-k8.bin                       asa981-smp-k8.bin                   asa981-smp-k8-initrd-original.gz  work
asa924-k8-debugshell-gdbserver.bin  asa981-smp-k8-initrd-original.cpio  asa981-smp-k8-vmlinuz

The latest extracted rootfs is also kept in work for debugging purposes. The remaining files for asa981-smp-* are there because of the failure. You can use the idahunt scripts in asadbg to import the new lina. See in particular the Importing additional symbols section in the README.

Retrieve lina and co files for future analysis

Because firmware files are quite big, and the extracted files are even bigger, it can be useful to extract each firmware, save the lina and lina_monitor files, and then delete the temporary extracted files.

You can do it with the following command line:

$ unpack_repack_bin.sh -u -i /home/user/fw/ --linabins /home/user/linabins/ --delete-extracted
[unpack_repack_bin] Created /home/user/linabins/ directory
[unpack_repack_bin] Directory of firmware detected: /home/user/fw/
[unpack_repack_bin] extract_bin: asa924-25-k8.bin
[unpack_repack_bin] Extracted firmware to /home/user/fw/_asa924-25-k8.bin.extracted
[unpack_repack_bin] Firmware uses regular rootfs/ dir
[unpack_repack_bin] Extracting /home/user/fw/_asa924-25-k8.bin.extracted/rootfs/rootfs.img into /home/user/fw/_asa924-25-k8.bin.extracted/rootfs
[unpack_repack_bin] Deleting extracted files
[unpack_repack_bin] Deleting "/home/user/fw/_asa924-25-k8.bin.extracted"
[unpack_repack_bin] extract_bin: asa924-27-k8.bin
[unpack_repack_bin] Extracted firmware to /home/user/fw/_asa924-27-k8.bin.extracted
[unpack_repack_bin] Firmware uses regular rootfs/ dir
[unpack_repack_bin] Extracting /home/user/fw/_asa924-27-k8.bin.extracted/rootfs/rootfs.img into /home/user/fw/_asa924-27-k8.bin.extracted/rootfs
[unpack_repack_bin] Deleting extracted files
[unpack_repack_bin] Deleting "/home/user/fw/_asa924-27-k8.bin.extracted"
[unpack_repack_bin] extract_bin: asa924-k8.bin
[unpack_repack_bin] Extracted firmware to /home/user/fw/_asa924-k8.bin.extracted
[unpack_repack_bin] Firmware uses regular rootfs/ dir
[unpack_repack_bin] Extracting /home/user/fw/_asa924-k8.bin.extracted/rootfs/rootfs.img into /home/user/fw/_asa924-k8.bin.extracted/rootfs
[unpack_repack_bin] Deleting extracted files
[unpack_repack_bin] Deleting "/home/user/fw/_asa924-k8.bin.extracted"
$ tree /home/user/linabins/
/home/user/linabins/
├── asa924-25-k8.bin
│   ├── lina
│   └── lina_monitor
├── asa924-27-k8.bin
│   ├── lina
│   └── lina_monitor
└── asa924-k8.bin
    ├── lina
    └── lina_monitor

3 directories, 6 files

unpack_repack_qcow2.sh

Extract one firmware

You need to be root even if you just want to unpack firmware:

$ unpack_repack_qcow2.sh -i asav941-200.qcow2 -u
[unpack_repack_qcow2] You need to be root to mount/unmount the qcow2

You can extract one asav*.qcow2 image with the following. Again -u is used to unpack only.

~/fw_qcow2# unpack_repack_qcow2.sh -i asav941-200.qcow2 -u
[unpack_repack_qcow2] Using input qcow2 file: asav941-200.qcow2
[unpack_repack_qcow2] Using template qcow2 file: asav941-200.qcow2
[unpack_repack_qcow2] Using output qcow2 file: /home/user/fw_qcow2/asav941-200-repacked.qcow2
[unpack_repack_qcow2] Command line: -f 
[unpack_repack_qcow2] extract_one: asav941-200.qcow2
[unpack_repack_qcow2] Mounted /dev/nbd01 to /home/user/mnt/qcow2
[unpack_repack_qcow2] Copied asa941-200-smp-k8.bin to /home/user/fw_qcow2/bin/asav941-200.qcow2
[unpack_repack_qcow2] Unmounted /home/user/mnt/qcow2
[unpack_repack_bin] Single firmware detected
[unpack_repack_bin] extract_one: asav941-200.qcow2

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
74656         0x123A0         SHA256 hash constants, little endian
133120        0x20800         Microsoft executable, portable (PE)
149183        0x246BF         gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
3447872       0x349C40        gzip compressed data, has original file name: "rootfs.img", from Unix, last modified: 2015-05-12 00:16:47
68057161      0x40E7849       Zip archive data, at least v2.0 to extract, name: com/cisco/webvpn/csvrjavaloader64.dll
68700208      0x4184830       Zip archive data, at least v2.0 to extract, name: libAliasHandlerWrapper-mac.jnilib

[unpack_repack_bin] Extracted firmware to /home/user/fw_qcow2/bin/_asav941-200.qcow2.extracted
[unpack_repack_bin] Firmware uses regular rootfs/ dir
[unpack_repack_bin] Extracting /home/user/fw_qcow2/bin/_asav941-200.qcow2.extracted/rootfs/rootfs.img into /home/user/fw_qcow2/bin/_asav941-200.qcow2.extracted/rootfs
334503 blocks
[unpack_repack_bin] Keeping rootfs
[unpack_repack_bin] Deleting "/home/user/fw_qcow2/bin/_asav941-200.qcow2.extracted/rootfs.img"
[unpack_repack_bin] Deleting "/home/user/fw_qcow2/bin/_asav941-200.qcow2.extracted/246BF"
[unpack_repack_bin] Deleting "/home/user/fw_qcow2/bin/_asav941-200.qcow2.extracted/40E7849.zip"

We can access the extracted rootfs or use it with asadbg.

~/fw_qcow2# ls
asav941-200.qcow2  _asav941-200.qcow2.extracted  asav971.qcow2  bin
~/fw_qcow2# ls _asav941-200.qcow2.extracted/rootfs/
asa  bin  boot  dev  etc  home  init  lib  lib64  media  mnt  proc  root  run  sbin  sys  tmp  usr  var

Enable gdb at boot / disable ASLR

You can enable gdb at boot with -g and disable ASLR with -A. This allows debugging the firmware with gdb after loading it with GNS3:

~/fw_qcow2# unpack_repack_qcow2.sh -i asav962-7.qcow2 -g -A 
[unpack_repack_qcow2] Using input qcow2 file: asav962-7.qcow2
[unpack_repack_qcow2] Using template qcow2 file: asav962-7.qcow2
[unpack_repack_qcow2] Using output qcow2 file: /home/user/fw_qcow2/asav962-7-repacked.qcow2
[unpack_repack_qcow2] Command line: -f  -g -A
[unpack_repack_qcow2] extract_repack_one: asav962-7.qcow2
[unpack_repack_qcow2] Mounted /dev/nbd01 to /home/user/mnt/qcow2
[unpack_repack_qcow2] Copied asa962-7-smp-k8.bin to /home/user/fw_qcow2/bin/asav962-7.qcow2
[unpack_repack_qcow2] Unmounted /home/user/mnt/qcow2
[unpack_repack_bin] Single firmware detected
[unpack_repack_bin] unpack_one: asav962-7.qcow2
[bin] Unpacking...
[bin] Writing /home/user/fw_qcow2/bin/asav962-7-initrd-original.gz (86019506 bytes)...
[bin] Could not find Direct booting from string
[bin] Probably handling a 64-bit firmware...
[bin] unpack: Writing /home/user/fw_qcow2/bin/asav962-7-vmlinuz (3624768 bytes)...
455629 blocks
[unpack_repack_bin] modify_one: asav962-7.qcow2
[unpack_repack_bin] DISABLE ASLR
[unpack_repack_bin] ENABLE GDB
[unpack_repack_bin] FREE SPACE IN .BIN
[unpack_repack_bin] repack_one: asav962-7.qcow2
442851 blocks
[bin] Repacking...
[bin] repack: Writing /home/user/fw_qcow2/bin/asav962-7-repacked-gdbserver.qcow2 (89874432 bytes)...
[unpack_repack_bin] MD5: b898d5db383a95fa412527f8b1cd52e4  /home/user/fw_qcow2/bin/asav962-7-repacked-gdbserver.qcow2
[unpack_repack_bin] CLEANUP
[unpack_repack_qcow2] Mounted /dev/nbd01 to /home/user/mnt/qcow2
[unpack_repack_qcow2] Moved modified .bin inside of /home/user/fw_qcow2/asav962-7-repacked.qcow2
[unpack_repack_qcow2] Unmounted /home/user/mnt/qcow2

The obtained /home/user/fw_qcow2/asav962-7-repacked.qcow2 has both gdb enabled at boot and ASLR disabled.

Retrieve lina and co files for future analysis

Similarly to the asa*.bin files, but with a different command line and as root:

# for QCOW2FILE in /home/user/fw/*.qcow2; do echo "--- Handling $QCOW2FILE"; unpack_repack_qcow2.sh -u -i "$QCOW2FILE"; done
--- Handling /home/user/fw/asav962-2.qcow2
[unpack_repack_qcow2] Using input qcow2 file: /home/user/fw/asav962-2.qcow2
[unpack_repack_qcow2] Using template qcow2 file: /home/user/fw/asav962-2.qcow2
[unpack_repack_qcow2] Using output qcow2 file: /home/user/fw/asav962-2-repacked.qcow2
[unpack_repack_qcow2] Command line: -f 
[unpack_repack_qcow2] extract_one: /home/user/fw/asav962-2.qcow2
[unpack_repack_qcow2] Mounting /home/user/fw/asav962-2.qcow2 to /dev/nbd0
[unpack_repack_qcow2] Mounted /dev/nbd0p1 to /home/user/mnt/qcow2
[unpack_repack_qcow2] Copied asa962-2-smp-k8.bin to /home/user/fw/bin/asav962-2.qcow2
[unpack_repack_qcow2] Unmounted /home/user/mnt/qcow2
[unpack_repack_qcow2] Disconnecting /dev/nbd0
[unpack_repack_bin] Single firmware detected
[unpack_repack_bin] extract_bin: asav962-2.qcow2
[unpack_repack_bin] Extracted firmware to /home/user/fw/bin/_asav962-2.qcow2.extracted
[unpack_repack_bin] Firmware uses regular rootfs/ dir
[unpack_repack_bin] Extracting /home/user/fw/bin/_asav962-2.qcow2.extracted/rootfs/rootfs.img into /home/user/fw/bin/_asav962-2.qcow2.extracted/rootfs
--- Handling /home/user/fw/asav962-7.qcow2
[unpack_repack_qcow2] Using input qcow2 file: /home/user/fw/asav962-7.qcow2
[unpack_repack_qcow2] Using template qcow2 file: /home/user/fw/asav962-7.qcow2
[unpack_repack_qcow2] Using output qcow2 file: /home/user/fw/asav962-7-repacked.qcow2
[unpack_repack_qcow2] Command line: -f 
[unpack_repack_qcow2] extract_one: /home/user/fw/asav962-7.qcow2
[unpack_repack_qcow2] Mounting /home/user/fw/asav962-7.qcow2 to /dev/nbd0
[unpack_repack_qcow2] Mounted /dev/nbd0p1 to /home/user/mnt/qcow2
[unpack_repack_qcow2] Copied asa962-7-smp-k8.bin to /home/user/fw/bin/asav962-7.qcow2
[unpack_repack_qcow2] Unmounted /home/user/mnt/qcow2
[unpack_repack_qcow2] Disconnecting /dev/nbd0
[unpack_repack_bin] Single firmware detected
[unpack_repack_bin] extract_bin: asav962-7.qcow2
[unpack_repack_bin] Extracted firmware to /home/user/fw/bin/_asav962-7.qcow2.extracted
[unpack_repack_bin] Firmware uses regular rootfs/ dir
[unpack_repack_bin] Extracting /home/user/fw/bin/_asav962-7.qcow2.extracted/rootfs/rootfs.img into /home/user/fw/bin/_asav962-7.qcow2.extracted/rootfs
--- Handling /home/user/fw/asav962.qcow2
[unpack_repack_qcow2] Using input qcow2 file: /home/user/fw/asav962.qcow2
[unpack_repack_qcow2] Using template qcow2 file: /home/user/fw/asav962.qcow2
[unpack_repack_qcow2] Using output qcow2 file: /home/user/fw/asav962-repacked.qcow2
[unpack_repack_qcow2] Command line: -f 
[unpack_repack_qcow2] extract_one: /home/user/fw/asav962.qcow2
[unpack_repack_qcow2] Mounting /home/user/fw/asav962.qcow2 to /dev/nbd0
[unpack_repack_qcow2] Mounted /dev/nbd0p1 to /home/user/mnt/qcow2
[unpack_repack_qcow2] Copied asa962-smp-k8.bin to /home/user/fw/bin/asav962.qcow2
[unpack_repack_qcow2] Unmounted /home/user/mnt/qcow2
[unpack_repack_qcow2] Disconnecting /dev/nbd0
[unpack_repack_bin] Single firmware detected
[unpack_repack_bin] extract_bin: asav962.qcow2
[unpack_repack_bin] Extracted firmware to /home/user/fw/bin/_asav962.qcow2.extracted
[unpack_repack_bin] Firmware uses regular rootfs/ dir
[unpack_repack_bin] Extracting /home/user/fw/bin/_asav962.qcow2.extracted/rootfs/rootfs.img into /home/user/fw/bin/_asav962.qcow2.extracted/rootfs
# cd /home/user/fw/
# linabins.sh /home/user/linabins
_asav962-2.qcow2.extracted/rootfs/asa/bin/lina
_asav962-2.qcow2.extracted/rootfs/asa/bin/lina_monitor
_asav962-7.qcow2.extracted/rootfs/asa/bin/lina
_asav962-7.qcow2.extracted/rootfs/asa/bin/lina_monitor
_asav962.qcow2.extracted/rootfs/asa/bin/lina
_asav962.qcow2.extracted/rootfs/asa/bin/lina_monitor
# tree /home/user/linabins
/home/user/linabins
├── asav962-2.qcow2
│   ├── lina
│   └── lina_monitor
├── asav962-7.qcow2
│   ├── lina
│   └── lina_monitor
└── asav962.qcow2
    ├── lina
    └── lina_monitor

3 directories, 6 files

Firmware helpers

bin.py

bin.py is used to manipulate asa*.bin images. It is mainly used by unpack_repack_bin.sh and unpack_repack_qcow2.sh.

$ bin.py -h
usage: bin.py [-h] [-f FIRMWARE_FILE] [-g GZIP_FILE] [-u] [-r] [-t] [-T]
              [-o OUTPUTFILE]

optional arguments:
  -h, --help            show this help message and exit
  -f FIRMWARE_FILE, --firmware-file FIRMWARE_FILE
  -g GZIP_FILE, --gzip-file GZIP_FILE
  -u, --unpack
  -r, --repack
  -t, --root
  -T, --unroot
  -o OUTPUTFILE, --output-file OUTPUTFILE

It can still be used to quickly extract a Linux kernel and a rootfs from an asa*.bin firmware:

$ bin.py -f asa924-k8.bin -u
[bin] Unpacking...
[bin] Writing asa924-k8-initrd-original.gz (29013841 bytes)...
[bin] unpack: Writing asa924-k8-vmlinuz (1368176 bytes)...
$ file asa924-k8-*
asa924-k8-initrd-original.gz:       gzip compressed data, was "rootfs.img", from Unix, last modified: Wed Jul 15 06:19:52 2015
asa924-k8-vmlinuz:                  x86 boot sector

You can also use it to root a single binary:

$ bin.py -f asa924-k8.bin -t
[bin] root: Writing asa924-k8-rooted.bin (30597120 bytes)...

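We check the differences between the two asa*.bin files. The only change is in the kernel command line, where "quiet loglevel=0 auto" is overwritten with "rdinit=/bin/sh" padded with spaces so that the length stays the same: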

$ xxd asa924-k8.bin > b1.hex
$ xxd asa924-k8-rooted.bin > b2.hex
$ diff b1.hex b2.hex 
1907204,1907206c1907204,1907206
< 1d1a030: 0048 2000 70e0 1400 51b7 ba01 7175 6965  .H .p...Q...quie
< 1d1a040: 7420 6c6f 676c 6576 656c 3d30 2061 7574  t loglevel=0 aut
< 1d1a050: 6f20 6b73 7461 636b 3d31 3238 2072 6562  o kstack=128 reb
---
> 1d1a030: 0048 2000 70e0 1400 51b7 ba01 7264 696e  .H .p...Q...rdin
> 1d1a040: 6974 3d2f 6269 6e2f 7368 2020 2020 2020  it=/bin/sh      
> 1d1a050: 2020 6b73 7461 636b 3d31 3238 2072 6562    kstack=128 reb
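
As a defensive counterpart to the xxd/diff check above, the following added example (not part of asafw; all function names are hypothetical) compares an image against a known-good copy, merges nearby changed bytes into ranges, and flags rdinit=/init= overrides in the surrounding kernel command line. The sample bytes are the three 16-byte rows shown in the diff.

```python
PRINTABLE = range(0x20, 0x7F)
# Kernel parameters that replace the first userspace process.
INIT_KEYS = ("rdinit=", "init=")


def changed_ranges(a, b, merge_gap=16, chunk=4096):
    """Return [(offset, length)] of differing regions in two equal-sized images.

    Differences closer than merge_gap bytes are merged into one region.
    """
    if len(a) != len(b):
        raise ValueError("images differ in size")
    ranges = []
    for base in range(0, len(a), chunk):
        ca, cb = a[base:base + chunk], b[base:base + chunk]
        if ca == cb:  # fast path: skip identical chunks
            continue
        for i in range(len(ca)):
            if ca[i] == cb[i]:
                continue
            off = base + i
            if ranges and off - sum(ranges[-1]) < merge_gap:
                start = ranges[-1][0]
                ranges[-1] = (start, off - start + 1)
            else:
                ranges.append((off, 1))
    return ranges


def printable_run(blob, offset):
    """Expand from offset to the enclosing run of printable ASCII bytes."""
    start = offset
    while start > 0 and blob[start - 1] in PRINTABLE:
        start -= 1
    end = offset
    while end < len(blob) and blob[end] in PRINTABLE:
        end += 1
    return start, blob[start:end].decode("ascii")


def audit(reference, candidate, base=0):
    """Describe each modified region and any init override found around it."""
    findings = []
    for off, length in changed_ranges(reference, candidate):
        _, text = printable_run(candidate, off)
        overrides = [t for t in text.split() if t.startswith(INIT_KEYS)]
        findings.append({"offset": base + off, "length": length,
                         "init_overrides": overrides})
    return findings


# Sample input: the rows at 0x1d1a030 from the diff above (original vs rooted).
ROW_BASE = 0x1D1A030
ORIGINAL = bytes.fromhex(
    "0048200070e0140051b7ba0171756965"
    "74206c6f676c6576656c3d3020617574"
    "6f206b737461636b3d31323820726562")
ROOTED = bytes.fromhex(
    "0048200070e0140051b7ba017264696e"
    "69743d2f62696e2f7368202020202020"
    "20206b737461636b3d31323820726562")

if __name__ == "__main__":
    for f in audit(ORIGINAL, ROOTED, ROW_BASE):
        print(hex(f["offset"]), f["length"], f["init_overrides"])
```

On full images, read both files with open(path, "rb").read() and pass base=0; an image that differs from the reference only by an init override in the command line is a strong sign it was repacked.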

cpio.sh

cpio.sh is used to manipulate CPIO images (rootfs). It is mainly used by unpack_repack_bin.sh and unpack_repack_qcow2.sh. It is a slim wrapper around cpio that combines a few commands for convenience:

$ cpio.sh -h
Unknown option
-c  Create cpio image
-d  Directory to turn into cpio image
-e  Extract cpio image
-o  Output file
Examples:
Create ./cpio.sh -c -d rootfs -o rootfs.img
Extract ./cpio.sh -e -i rootfs.img

If you want to play with it as standalone, you can do the following. After extracting a gzipped rootfs with bin.py, we decompress it:

$ gunzip asa924-k8-initrd-original.gz
$ file asa924-k8-initrd-original 
asa924-k8-initrd-original: ASCII cpio archive (SVR4 with no CRC)

Now we extract the rootfs into the rootfs_924 folder:

$ cpio.sh -e -i asa924-k8-initrd-original -d rootfs_924
$ ls rootfs_924/
asa  bin  boot  config  dev  etc  home  init  lib  lib64  linuxrc  mnt  opt  proc  root  sbin  share  sys  tmp  usr  var
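
The mknod errors shown earlier come from device nodes stored in the cpio archive. This added example (not part of asafw; function names are hypothetical and the sample archive is constructed) parses the SVR4 "newc" format reported by file and summarises what a non-root extraction cannot reproduce, without writing anything to disk.

```python
import stat

MAGIC = b"070701"   # "ASCII cpio archive (SVR4 with no CRC)"
HEADER_LEN = 110    # magic + 13 fields of 8 hex digits
FIELDS = ("ino", "mode", "uid", "gid", "nlink", "mtime", "filesize",
          "devmajor", "devminor", "rdevmajor", "rdevminor", "namesize", "check")


def align4(n):
    return (n + 3) & ~3


def iter_entries(archive):
    """Yield one header dict per archive member, stopping at TRAILER!!!."""
    pos = 0
    while pos + HEADER_LEN <= len(archive):
        if archive[pos:pos + 6] != MAGIC:
            raise ValueError("bad cpio magic at offset %d" % pos)
        raw = archive[pos + 6:pos + HEADER_LEN]
        hdr = {f: int(raw[i * 8:(i + 1) * 8], 16) for i, f in enumerate(FIELDS)}
        name_start = pos + HEADER_LEN
        data_start = align4(name_start + hdr["namesize"])
        if data_start + hdr["filesize"] > len(archive):
            raise ValueError("truncated entry at offset %d" % pos)
        name = archive[name_start:name_start + hdr["namesize"] - 1]
        hdr["name"] = name.decode("utf-8", "replace")
        if hdr["name"] == "TRAILER!!!":
            return
        yield hdr
        pos = align4(data_start + hdr["filesize"])
    raise ValueError("truncated archive: no TRAILER!!! record")


def unprivileged_report(archive, extract_uid=1000):
    """Summarise what extraction as extract_uid (non-root) cannot reproduce."""
    report = {"device_nodes": [], "setid_owner_lost": [], "owner_changed": 0}
    for e in iter_entries(archive):
        mode = e["mode"]
        if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
            # Creating these requires mknod, hence "Operation not permitted".
            kind = "c" if stat.S_ISCHR(mode) else "b"
            report["device_nodes"].append(
                (e["name"], kind, e["rdevmajor"], e["rdevminor"]))
            continue
        if e["uid"] != extract_uid:
            # A non-root user cannot chown, so the file ends up owned by them.
            report["owner_changed"] += 1
            if mode & (stat.S_ISUID | stat.S_ISGID):
                report["setid_owner_lost"].append(
                    (e["name"], oct(stat.S_IMODE(mode))))
    return report


def make_entry(name, mode, data=b"", rdev=(0, 0)):
    """Build one newc record; used only to construct the sample below."""
    name_b = name.encode() + b"\0"
    values = (0, mode, 0, 0, 1, 0, len(data), 0, 0,
              rdev[0], rdev[1], len(name_b), 0)
    rec = MAGIC + b"".join(b"%08X" % v for v in values) + name_b
    rec += b"\0" * (align4(len(rec)) - len(rec))
    rec += data
    return rec + b"\0" * (align4(len(rec)) - len(rec))


# Constructed sample: two device paths taken from the error output above, the
# lina path, and a hypothetical setuid file. Device numbers are constructed.
SAMPLE = b"".join([
    make_entry("lib/udev/devices/null", stat.S_IFCHR | 0o666, rdev=(1, 3)),
    make_entry("lib/udev/devices/loop00", stat.S_IFBLK | 0o660, rdev=(7, 0)),
    make_entry("asa/bin/lina", stat.S_IFREG | 0o755, data=b"\x7fELF"),
    make_entry("bin/example-setuid", stat.S_IFREG | 0o4755, data=b"\x7fELF"),
    make_entry("TRAILER!!!", 0),
])

if __name__ == "__main__":
    print(unprivileged_report(SAMPLE))
```

A rootfs repacked from a non-root extraction would lose these device nodes and root ownership, which is why the repacking scripts must run as root.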

lina.py

lina.py is used to patch the main Cisco ASA executable a.k.a. lina. It is mainly used by unpack_repack_bin.sh and unpack_repack_qcow2.sh.

$ lina.py -h
usage: lina.py [-h] [-c CBHOST] [-p CBPORT] [--log-port CBLOGPORT]
               [-i TARGET_INDEX] [-f LINA_FILE] [-b BIN_NAME]
               [-o LINA_FILE_OUT] [--hook] [-v] [-d TARGET_FILE]

optional arguments:
  -h, --help            show this help message and exit
  -c CBHOST             Attacker or debugger IP addr for reverse shell
  -p CBPORT             Attacker or debugger port for reverse shell
  --log-port CBLOGPORT  Port for sending hook logs
  -i TARGET_INDEX       Index of the target (use -l to list them all)
  -f LINA_FILE          Input lina file
  -b BIN_NAME           Input bin name
  -o LINA_FILE_OUT      Output lina file
  --hook                Insert lina hooks
  -v                    Display more info
  -d TARGET_FILE        JSON db name

We can use it as a standalone tool to patch lina to contain a debug shell. We use the asadb.json from asadbg as it already contains the required addresses. Otherwise you may need to use idahunt to find them first.

$ lina.py -c 192.168.1.1 -p 5555 -f _asa924-k8.bin.extracted/rootfs/asa/bin/lina -b asa924-k8.bin -o lina_patched -d /path/to/asadbg/asadb.json 
[lina] WARN: No index specified. Will guess based on lina path...
[lina] Using index: 0 for asa924-k8.bin
[lina] Input file: _asa924-k8.bin.extracted/rootfs/asa/bin/lina
[lina] Size of clean lina: 43386588 bytes
[lina] Patching lina offset: 0x3db00 with len = 445 bytes
[lina] Output file: lina_patched

We can check that it just patched one function with the reverse debug shell shellcode:

$ xxd _asa924-k8.bin.extracted/rootfs/asa/bin/lina > b1.hex
$ xxd lina_patched > b2.hex
$ diff b1.hex b2.hex 
15793,15820c15793,15820
< 003db00: 5589 e557 5653 81ec 8c05 0000 8b7d 208d  U..WVS.......} .
< 003db10: 45f0 c745 f001 0000 0066 c745 b0c1 1085  E..E.....f.E....
< 003db20: ffc7 45b4 0400 0000 8945 b866 c745 bc00  ..E......E.f.E..
< 003db30: 00c7 45c0 0000 0000 c745 c400 0000 0074  ..E......E.....t
< 003db40: 088b 4520 66c7 0000 008b 7524 85f6 7409  ..E f.....u$..t.
< 003db50: 8b55 24c7 0200 0000 008d 95f4 feff ff31  .U$............1
< 003db60: db89 d789 d8b9 2000 0000 f3ab c785 f4fe  ...... .........
< 003db70: ffff 0100 0000 c785 50ff ffff ffff ffff  ........P.......
< 003db80: 8b45 0889 1424 8985 68ff ffff e8bf 3525  .E...$..h.....5%
< 003db90: 01c7 85a4 faff ff00 0000 0085 c089 85a0  ................
< 003dba0: faff ff0f 849f 0400 008b 4018 8db5 38fe  ..........@...8.
< 003dbb0: ffff 89f7 8904 24e8 24a9 2501 b92f 0000  ......$.$.%../..
< 003dbc0: 0089 85b0 faff ff89 d8f3 abc7 8538 feff  .............8..
< 003dbd0: ff00 0000 008b 95a0 faff ff8b 7d08 8b42  ............}..B
< 003dbe0: 1889 853c feff ff8b 4244 897c 2404 c785  ...<....BD.|$...
< 003dbf0: 4cfe ffff ffff ffff c785 48fe ffff ffff  L.........H.....
< 003dc00: ffff 8985 44fe ffff 8934 24e8 e0f8 ffff  ....D....4$.....
< 003dc10: b909 0000 0089 8590 faff ff8d 8574 ffff  .............t..
< 003dc20: ff89 859c faff ff89 c789 d8f3 abc7 85a4  ................
< 003dc30: faff ffff ffff ff83 bd90 faff ffff 0f84  ................
< 003dc40: 1c04 0000 8d85 b4fa ffff b1a1 8985 98fa  ................
< 003dc50: ffff 89c7 89d8 f3ab 8d95 b4fa ffff 8d9d  ................
< 003dc60: 33fb ffff 8b4d 0ceb 138d b426 0000 0000  3....M.....&....
< 003dc70: 8802 83c2 0139 da74 0a83 c101 0fb6 0184  .....9.t........
< 003dc80: c075 edc6 0200 8d9d b3fb ffff 8b4d 108d  .u...........M..
< 003dc90: 9534 fbff ffeb 0d90 8802 83c2 0139 da74  .4...........9.t
< 003dca0: 0a83 c101 0fb6 0184 c075 edc6 0200 8b55  .........u.....U
< 003dcb0: 148d bd6c 2e00 008b 4508 c785 10fd ffff  ...l....E.......
---
> 003db00: b840 bc2a 09ff d0b8 0200 0000 cd80 85c0  .@.*............
> 003db10: 0f85 a101 0000 baed 0100 00b9 c200 0000  ................
> 003db20: 682f 7368 0068 2f74 6d70 8d1c 24b8 0500  h/sh.h/tmp..$...
> 003db30: 0000 cd80 50eb 3159 8b11 8d49 0489 c3b8  ....P.1Y...I....
> 003db40: 0400 0000 cd80 5bb8 0600 0000 cd80 8d1c  ......[.........
> 003db50: 2431 d252 538d 0c24 b80b 0000 00cd 8031  $1.RS..$.......1
> 003db60: dbb8 0100 0000 cd80 e8ca ffff ff46 0100  .............F..
> 003db70: 007f 454c 4601 0101 0000 0000 0000 0000  ..ELF...........
> 003db80: 0002 0003 0001 0000 0054 8004 0834 0000  .........T...4..
> 003db90: 0000 0000 0000 0000 0034 0020 0001 0000  .........4. ....
> 003dba0: 0000 0000 0001 0000 0000 0000 0000 8004  ................
> 003dbb0: 0800 8004 08f2 0000 00f2 0000 0007 0000  ................
> 003dbc0: 0000 1000 0055 89e5 83ec 106a 006a 016a  .....U.....j.j.j
> 003dbd0: 028d 0c24 bb01 0000 00b8 6600 0000 cd80  ...$......f.....
> 003dbe0: 83c4 0c89 45fc 687f 0000 0168 0200 0438  ....E.h....h...8
> 003dbf0: 8d14 246a 1052 508d 0c24 bb03 0000 00b8  ..$j.RP..$......
> 003dc00: 6600 0000 cd80 83c4 1485 c07d 186a 006a  f..........}.j.j
> 003dc10: 018d 1c24 31c9 b8a2 0000 00cd 8083 c408  ...$1...........
> 003dc20: ebc4 8b45 fc83 ec20 8d0c 24ba 0300 0000  ...E... ..$.....
> 003dc30: 8b5d fcc7 0105 0100 00b8 0400 0000 cd80  .]..............
> 003dc40: ba04 0000 00b8 0300 0000 cd80 c701 0501  ................
> 003dc50: 0001 c741 04c0 a801 0166 c741 0815 b3ba  ...A.....f.A....
> 003dc60: 0a00 0000 b804 0000 00cd 80ba 2000 0000  ............ ...
> 003dc70: b803 0000 00cd 8083 c420 8b5d fcb9 0200  ......... .]....
> 003dc80: 0000 b83f 0000 00cd 8049 7df6 31d2 682d  ...?.....I}.1.h-
> 003dc90: 6900 0089 e768 2f73 6800 682f 6269 6e89  i....h/sh.h/bin.
> 003dca0: e352 5753 8d0c 24b8 0b00 0000 cd80 31db  .RWS..$.......1.
> 003dcb0: b801 0000 00cd 80b8 0100 0000 c3fd ffff  ................

Datamining

info.sh

The info.sh script lists the mitigations of the firmware in the current folder.

$ info.sh -h
Display/save mitigations and additional info for all firmware in the current folder
Usage: info.sh [--save-result --db-name <json_db>]

Once you have extracted all firmware, you can analyse them:

fw$ ls
_asa802-k8.bin.extracted         _asa825-51-k8.bin.extracted      _asa844-5-k8.bin.extracted    _asa911-4-k8.bin.extracted    _asa922-4-k8.bin.extracted        _asa944-smp-k8.bin.extracted
_asa803-k8.bin.extracted         _asa825-52-k8.bin.extracted      _asa844-9-k8.bin.extracted    _asa911-k8.bin.extracted      _asa922-4-smp-k8.bin.extracted    _asa951-smp-k8.bin.extracted
_asa804-16-k8.bin.extracted      _asa825-57-k8.bin.extracted      _asa844-k8.bin.extracted      _asa911-smp-k8.bin.extracted  _asa922-k8.bin.extracted          _asa952-smp-k8.bin.extracted
_asa804-k8.bin.extracted         _asa825-59-k8.bin.extracted      _asa845-k8.bin.extracted      _asa912-k8.bin.extracted      _asa923-k8.bin.extracted          _asa953-smp-k8.bin.extracted
_asa805-23-k8.bin.extracted      _asa825-k8.bin.extracted         _asa845-smp-k8.bin.extracted  _asa912-smp-k8.bin.extracted  _asa923-smp-k8.bin.extracted      _asa961-10-smp-k8.bin.extracted
_asa805-28-k8.bin.extracted      _asa825-smp-k8.bin.extracted     _asa846-5-k8.bin.extracted    _asa913-k8.bin.extracted      _asa924-10-k8.bin.extracted       _asa961-smp-k8.bin.extracted
_asa805-31-k8.bin.extracted      _asa831-k8.bin.extracted         _asa846-k8.bin.extracted      _asa913-smp-k8.bin.extracted  _asa924-13-smp-k8.bin.extracted   _asa962-3-smp-k8.bin.extracted
_asa805-k8.bin.extracted         _asa831-smp-k8.bin.extracted     _asa846-smp-k8.bin.extracted  _asa914-5-k8.bin.extracted    _asa924-14-k8.bin.extracted       _asa962-smp-k8.bin.extracted
_asa811-smp-k8.bin.extracted     _asa832-13-k8.bin.extracted      _asa847-15-k8.bin.extracted   _asa914-k8.bin.extracted      _asa924-18-k8.bin.extracted       _asa971-smp-k8.bin.extracted
_asa812-23-smp-k8.bin.extracted  _asa832-25-k8.bin.extracted      _asa847-26-k8.bin.extracted   _asa914-smp-k8.bin.extracted  _asa924-5-k8.bin.extracted        _asav932-200.qcow2.extracted
_asa812-49-smp-k8.bin.extracted  _asa832-39-k8.bin.extracted      _asa847-28-k8.bin.extracted   _asa915-12-k8.bin.extracted   _asa924-5-smp-k8.bin.extracted    _asav933-10.qcow2.extracted
_asa812-50-smp-k8.bin.extracted  _asa832-40-k8.bin.extracted      _asa847-29-k8.bin.extracted   _asa915-16-k8.bin.extracted   _asa924-8-k8.bin.extracted        _asav933-11.qcow2.extracted
_asa812-55-smp-k8.bin.extracted  _asa832-44-k8.bin.extracted      _asa847-30-k8.bin.extracted   _asa915-19-k8.bin.extracted   _asa924-8-smp-k8.bin.extracted    _asav933-9.qcow2.extracted
_asa812-56-smp-k8.bin.extracted  _asa832-44-smp-k8.bin.extracted  _asa847-31-k8.bin.extracted   _asa915-21-k8.bin.extracted   _asa924-k8.bin.extracted          _asav941-13.qcow2.extracted
_asa812-smp-k8.bin.extracted     _asa832-4-k8.bin.extracted       _asa847-k8.bin.extracted      _asa915-k8.bin.extracted      _asa924-smp-k8.bin.extracted      _asav941-200.qcow2.extracted
_asa821-k8.bin.extracted         _asa832-k8.bin.extracted         _asa847-smp-k8.bin.extracted  _asa915-smp-k8.bin.extracted  _asa931-smp-k8.bin.extracted      _asav941-6.qcow2.extracted
_asa822-k8.bin.extracted         _asa832-smp-k8.bin.extracted     _asa861-smp-k8.bin.extracted  _asa916-10-k8.bin.extracted   _asa932-200-smp-k8.bin.extracted  _asav941.qcow2.extracted
_asa822-smp-k8.bin.extracted     _asa841-11-k8.bin.extracted      _asa901-k8.bin.extracted      _asa916-11-k8.bin.extracted   _asa932-smp-k8.bin.extracted      _asav942-6.qcow2.extracted
_asa823-k8.bin.extracted         _asa841-k8.bin.extracted         _asa902-k8.bin.extracted      _asa916-4-k8.bin.extracted    _asa933-11-smp-k8.bin.extracted   _asav942.qcow2.extracted
_asa823-smp-k8.bin.extracted     _asa841-smp-k8.bin.extracted     _asa902-smp-k8.bin.extracted  _asa916-k8.bin.extracted      _asa933-7-smp-k8.bin.extracted    _asav952-204.qcow2.extracted
_asa824-4-k8.bin.extracted       _asa842-8-k8.bin.extracted       _asa903-k8.bin.extracted      _asa916-smp-k8.bin.extracted  _asa933-9-smp-k8.bin.extracted    _asav961.qcow2.extracted
_asa824-k8.bin.extracted         _asa842-k8.bin.extracted         _asa903-smp-k8.bin.extracted  _asa917-12-k8.bin.extracted   _asa933-smp-k8.bin.extracted      _asav962-2.qcow2.extracted
_asa824-smp-k8.bin.extracted     _asa842-smp-k8.bin.extracted     _asa904-38-k8.bin.extracted   _asa917-13-k8.bin.extracted   _asa941-13-smp-k8.bin.extracted   _asav962-7.qcow2.extracted
_asa825-13-k8.bin.extracted      _asa843-8-k8.bin.extracted       _asa904-39-k8.bin.extracted   _asa917-4-k8.bin.extracted    _asa941-smp-k8.bin.extracted      _asav962.qcow2.extracted
_asa825-22-k8.bin.extracted      _asa843-k8.bin.extracted         _asa904-40-k8.bin.extracted   _asa917-6-k8.bin.extracted    _asa942-11-smp-k8.bin.extracted   _asav971.qcow2.extracted
_asa825-26-k8.bin.extracted      _asa843-smp-k8.bin.extracted     _asa904-42-k8.bin.extracted   _asa917-9-k8.bin.extracted    _asa942-6-smp-k8.bin.extracted
_asa825-33-k8.bin.extracted      _asa844-1-k8.bin.extracted       _asa904-5-k8.bin.extracted    _asa917-k8.bin.extracted      _asa942-smp-k8.bin.extracted
_asa825-41-k8.bin.extracted      _asa844-1-smp-k8.bin.extracted   _asa904-k8.bin.extracted      _asa921-k8.bin.extracted      _asa943-12-smp-k8.bin.extracted
_asa825-46-k8.bin.extracted      _asa844-3-k8.bin.extracted       _asa904-smp-k8.bin.extracted  _asa921-smp-k8.bin.extracted  _asa943-smp-k8.bin.extracted
fw$ info.sh --save-result --db-name /path/to/asafw/asadb.json

A database that already covers a number of firmware versions is provided in the repo as asadb.json.

If you only want to list the mitigations, go to the root folder containing all the extracted firmware and run info.sh without any argument:

$ info.sh

info.py

The following script is used by info.sh to fill a json database.

$ info.py -h
usage: info.py [-h] [-l] [-u UPDATE_INFO] [-i BIN_NAME] [-v VERBOSE]
               [-d DBNAME]

optional arguments:
  -h, --help      show this help message and exit
  -l              List migitations in all firmware versions
  -u UPDATE_INFO  Output from info.sh to update db
  -i BIN_NAME     firmware bin name to update or display
  -v VERBOSE      display more info
  -d DBNAME       json database name to read/list info from

Outside of its use by info.sh, its main interest is using the following command to display the summary of mitigations:

asafw$ info.py -l -d asadbg.json

Note that info.py -l can also be used to get the index (first column) of a specific version in case it is required (e.g. for lina.py).

Mitigation summary

Below is a copy of the output of info.py -l -d asadbg.json, formatted correctly for markdown:

ID Version Arch ASLR NX PIE Can RELRO Sym Strip Linux Glibc Heap allocator Build date Firmware
000 8.0.2 32 N N N N N N N 2.6.17.8 2.3.2 dlmalloc 2.6.x 15-06-2007 asa802-k8.bin
001 8.0.3 32 N N N N N N N 2.6.17.8 2.3.2 dlmalloc 2.6.x 06-11-2007 asa803-k8.bin
002 8.0.4 32 N N N N N N N 2.6.17.8 2.3.2 dlmalloc 2.6.x 07-08-2008 asa804-k8.bin
003 8.0.4.16 32 N N N N N N N 2.6.17.8 2.3.2 dlmalloc 2.6.x 04-12-2008 asa804-16-k8.bin
004 8.0.5 32 N N N N N N N 2.6.17.8 2.3.2 dlmalloc 2.6.x 02-11-2009 asa805-k8.bin
005 8.0.5.23 32 N N N N N N N 2.6.17.8 2.3.2 dlmalloc 2.6.x 20-01-2011 asa805-23-k8.bin
006 8.0.5.28 32 N N N N N N N 2.6.17.8 2.3.2 dlmalloc 2.6.x 26-09-2012 asa805-28-k8.bin
007 8.0.5.31 32 N N N N N N N 2.6.17.8 2.3.2 dlmalloc 2.6.x 13-03-2013 asa805-31-k8.bin
008 8.1.1 32 N N N N N N N 2.6.17.8 2.3.2 dlmalloc 2.8.3 01-03-2008 asa811-smp-k8.bin
009 8.1.2 32 N N N N N N N 2.6.17.8 2.3.2 dlmalloc 2.8.3 09-10-2008 asa812-smp-k8.bin
010 8.1.2.23 32 N N N N N N N 2.6.17.8 2.3.2 dlmalloc 2.8.3 22-04-2009 asa812-23-smp-k8.bin
011 8.1.2.49 32 N N N N N N N 2.6.17.8 2.3.2 dlmalloc 2.8.3 22-02-2011 asa812-49-smp-k8.bin
012 8.1.2.50 32 N N N N N N N 2.6.17.8 2.3.2 dlmalloc 2.8.3 22-09-2011 asa812-50-smp-k8.bin
013 8.1.2.55 32 N N N N N N N 2.6.17.8 2.3.2 dlmalloc 2.8.3 29-02-2012 asa812-55-smp-k8.bin
014 8.1.2.56 32 N N N N N N N 2.6.17.8 2.3.2 dlmalloc 2.8.3 26-09-2012 asa812-56-smp-k8.bin
015 8.2.1 32 N N N N N N N 2.6.17.8 2.3.2 dlmalloc 2.8.3 05-05-2009 asa821-k8.bin
016 8.2.2 32 N N N N N N N 2.6.17.8 2.3.2 dlmalloc 2.8.3 11-01-2010 asa822-k8.bin
017 8.2.2 32 N N N N N N N 2.6.17.8 2.3.2 dlmalloc 2.8.3 11-01-2010 asa822-smp-k8.bin
018 8.2.3 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 06-08-2010 asa823-k8.bin
019 8.2.3 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 06-08-2010 asa823-smp-k8.bin
020 8.2.4 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 14-12-2010 asa824-k8.bin
021 8.2.4 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 14-12-2010 asa824-smp-k8.bin
022 8.2.4.4 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 03-03-2011 asa824-4-k8.bin
023 8.2.5 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 20-05-2011 asa825-k8.bin
024 8.2.5 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 20-05-2011 asa825-smp-k8.bin
025 8.2.5.13 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 05-09-2011 asa825-13-k8.bin
026 8.2.5.22 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 20-01-2012 asa825-22-k8.bin
027 8.2.5.26 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 02-03-2012 asa825-26-k8.bin
028 8.2.5.33 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 21-08-2012 asa825-33-k8.bin
029 8.2.5.41 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 13-03-2013 asa825-41-k8.bin
030 8.2.5.46 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 23-08-2013 asa825-46-k8.bin
031 8.2.5.51 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 20-08-2014 asa825-51-k8.bin
032 8.2.5.52 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 13-10-2014 asa825-52-k8.bin
033 8.2.5.57 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 24-03-2015 asa825-57-k8.bin
034 8.2.5.59 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 12-02-2016 asa825-59-k8.bin
035 8.3.1 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 04-03-2010 asa831-k8.bin
036 8.3.1 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 04-03-2010 asa831-smp-k8.bin
037 8.3.2 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 30-07-2010 asa832-k8.bin
038 8.3.2 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 30-07-2010 asa832-smp-k8.bin
039 8.3.2.13 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 19-01-2011 asa832-13-k8.bin
040 8.3.2.25 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 26-08-2011 asa832-25-k8.bin
041 8.3.2.39 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 30-09-2013 asa832-39-k8.bin
042 8.3.2.4 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 20-09-2010 asa832-4-k8.bin
043 8.3.2.40 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 11-02-2014 asa832-40-k8.bin
044 8.3.2.44 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 24-03-2015 asa832-44-k8.bin
045 8.3.2.44 32 N N N N N N N 2.6.29.6 2.3.2 dlmalloc 2.8.3 24-03-2015 asa832-44-smp-k8.bin
046 8.4.1 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 31-01-2011 asa841-k8.bin
047 8.4.1 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 31-01-2011 asa841-smp-k8.bin
048 8.4.1.11 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 06-05-2011 asa841-11-k8.bin
049 8.4.2 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 15-06-2011 asa842-k8.bin
050 8.4.2 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 15-06-2011 asa842-smp-k8.bin
051 8.4.2.8 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 26-08-2011 asa842-8-k8.bin
052 8.4.3 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 06-01-2012 asa843-k8.bin
053 8.4.3 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 06-01-2012 asa843-smp-k8.bin
054 8.4.3.8 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 01-03-2012 asa843-8-k8.bin
055 8.4.4 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 21-05-2012 asa844-k8.bin
056 8.4.4.1 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 14-06-2012 asa844-1-k8.bin
057 8.4.4.1 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 14-06-2012 asa844-1-smp-k8.bin
058 8.4.4.3 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 11-07-2012 asa844-3-k8.bin
059 8.4.4.5 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 08-08-2012 asa844-5-k8.bin
060 8.4.4.9 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 21-09-2012 asa844-9-k8.bin
061 8.4.5 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 29-10-2012 asa845-k8.bin
062 8.4.5 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 29-10-2012 asa845-smp-k8.bin
063 8.4.6 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 26-04-2013 asa846-k8.bin
064 8.4.6 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 26-04-2013 asa846-smp-k8.bin
065 8.4.6.5 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 03-07-2013 asa846-5-k8.bin
066 8.4.7 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 30-08-2013 asa847-k8.bin
067 8.4.7 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 30-08-2013 asa847-smp-k8.bin
068 8.4.7.15 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 25-03-2014 asa847-15-k8.bin
069 8.4.7.26 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 14-01-2015 asa847-26-k8.bin
070 8.4.7.28 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 24-03-2015 asa847-28-k8.bin
071 8.4.7.29 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 09-09-2015 asa847-29-k8.bin
072 8.4.7.30 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 21-12-2015 asa847-30-k8.bin
073 8.4.7.31 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 03-02-2016 asa847-31-k8.bin
074 8.6.1 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 18-11-2011 asa861-smp-k8.bin
075 8.6.1.2 64 N N N N N N N ? 2.9 dlmalloc 2.8.3 01-06-2012 asa861-2-smp-k8.bin
076 8.7.1.3 64 N N N N N N N ? 2.9 dlmalloc 2.8.3 14-11-2012 asa871-3-smp-k8.bin
077 8.7.1.4 64 N N N N N N N ? 2.9 dlmalloc 2.8.3 06-02-2013 asa871-4-smp-k8.bin
078 9.0.1 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 26-10-2012 asa901-k8.bin
079 9.0.2 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 21-02-2013 asa902-k8.bin
080 9.0.2 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 21-02-2013 asa902-smp-k8.bin
081 9.0.3 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 19-07-2013 asa903-k8.bin
082 9.0.3 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 19-07-2013 asa903-smp-k8.bin
083 9.0.4 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 04-12-2013 asa904-k8.bin
084 9.0.4 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 04-12-2013 asa904-smp-k8.bin
085 9.0.4.38 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 21-12-2015 asa904-38-k8.bin
086 9.0.4.39 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 08-02-2016 asa904-39-k8.bin
087 9.0.4.40 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 18-08-2016 asa904-40-k8.bin
088 9.0.4.42 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 09-09-2016 asa904-42-k8.bin
089 9.0.4.42 64 N N N N N N N ? 2.9 dlmalloc 2.8.3 09-09-2016 asa904-42-smp-k8.bin
090 9.0.4.5 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 19-03-2014 asa904-5-k8.bin
091 9.1.1 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 28-11-2012 asa911-k8.bin
092 9.1.1 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 28-11-2012 asa911-smp-k8.bin
093 9.1.1.4 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 13-03-2013 asa911-4-k8.bin
094 9.1.1.4 64 N N N N N N N ? 2.9 dlmalloc 2.8.3 13-03-2013 asa911-4-smp-k8.bin
095 9.1.2 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 09-05-2013 asa912-k8.bin
096 9.1.2 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 09-05-2013 asa912-smp-k8.bin
097 9.1.3 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 16-09-2013 asa913-k8.bin
098 9.1.3 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 16-09-2013 asa913-smp-k8.bin
099 9.1.4 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 05-12-2013 asa914-k8.bin
100 9.1.4 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 05-12-2013 asa914-smp-k8.bin
101 9.1.4.5 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 21-02-2014 asa914-5-k8.bin
102 9.1.5 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 27-03-2014 asa915-k8.bin
103 9.1.5 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 27-03-2014 asa915-smp-k8.bin
104 9.1.5.12 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 20-08-2014 asa915-12-k8.bin
105 9.1.5.16 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 06-10-2014 asa915-16-k8.bin
106 9.1.5.19 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 23-10-2014 asa915-19-k8.bin
107 9.1.5.21 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 12-12-2014 asa915-21-k8.bin
108 9.1.6 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 27-02-2015 asa916-k8.bin
109 9.1.6 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 27-02-2015 asa916-smp-k8.bin
110 9.1.6.10 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 11-09-2015 asa916-10-k8.bin
111 9.1.6.11 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 15-02-2016 asa916-11-k8.bin
112 9.1.6.4 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 07-05-2015 asa916-4-k8.bin
113 9.1.6.6 64 N N N N N N N ? 2.9 dlmalloc 2.8.3 03-06-2015 asa916-6-smp-k8.bin
114 9.1.6.6 32 N N N N N N N ? 2.9 dlmalloc 2.8.3 03-06-2015 asa916-6-k8.bin
115 9.1.7 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 14-01-2016 asa917-k8.bin
116 9.1.7.12 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 08-12-2016 asa917-12-k8.bin
117 9.1.7.13 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 04-01-2017 asa917-13-k8.bin
118 9.1.7.19 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 11-08-2017 asa917-19-smp-k8.bin
119 9.1.7.20 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 02-11-2017 asa917-20-smp-k8.bin
120 9.1.7.20 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 02-11-2017 asa917-20-k8.bin
121 9.1.7.21 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 19-12-2017 asa917-21-k8.bin
122 9.1.7.21 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 19-12-2017 asa917-21-smp-k8.bin
123 9.1.7.23 64 N N N N N N N ? 2.9 dlmalloc 2.8.3 01-02-2018 asa917-23-smp-k8.bin
124 9.1.7.23 32 N N N N N N N ? 2.9 dlmalloc 2.8.3 01-02-2018 asa917-23-k8.bin
125 9.1.7.25 64 N N N N N N N ? 2.9 dlmalloc 2.8.3 06-03-2018 asa917-25-smp-k8.bin
126 9.1.7.25 32 N N N N N N N ? 2.9 dlmalloc 2.8.3 06-03-2018 asa917-25-k8.bin
127 9.1.7.4 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 19-02-2016 asa917-4-k8.bin
128 9.1.7.6 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 05-04-2016 asa917-6-k8.bin
129 9.1.7.9 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 18-08-2016 asa917-9-k8.bin
130 9.2.1 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 24-04-2014 asa921-k8.bin
131 9.2.1 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 24-04-2014 asa921-smp-k8.bin
132 9.2.2 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 26-06-2014 asa922-k8.bin
133 9.2.2 64 N N N N N N N ? 2.9 dlmalloc 2.8.3 26-06-2014 asa922-smp-k8.bin
134 9.2.2.4 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 29-07-2014 asa922-4-k8.bin
135 9.2.2.4 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 29-07-2014 asa922-4-smp-k8.bin
136 9.2.3 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 15-12-2014 asa923-k8.bin
137 9.2.3 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 15-12-2014 asa923-smp-k8.bin
138 9.2.4 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 14-07-2015 asa924-k8.bin
139 9.2.4 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 14-07-2015 asa924-smp-k8.bin
140 9.2.4.10 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 19-04-2016 asa924-10-k8.bin
141 9.2.4.13 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 22-06-2016 asa924-13-smp-k8.bin
142 9.2.4.14 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 18-08-2016 asa924-14-k8.bin
143 9.2.4.18 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 27-10-2016 asa924-18-k8.bin
144 9.2.4.18 64 N N N N N N N ? 2.9 dlmalloc 2.8.3 27-10-2016 asa924-18-smp-k8.bin
145 9.2.4.24 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 13-09-2017 asa924-24-k8.bin
146 9.2.4.24 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 13-09-2017 asa924-24-smp-k8.bin
147 9.2.4.25 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 14-12-2017 asa924-25-smp-k8.bin
148 9.2.4.25 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 14-12-2017 asa924-25-k8.bin
149 9.2.4.27 32 N N N N N N N ? 2.9 dlmalloc 2.8.3 02-02-2018 asa924-27-k8.bin
150 9.2.4.27 64 N N N N N N N ? 2.9 dlmalloc 2.8.3 02-02-2018 asa924-27-smp-k8.bin
151 9.2.4.28 32 N N N N N N N ? 2.9 dlmalloc 2.8.3 06-03-2018 asa924-28-k8.bin
152 9.2.4.5 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 21-12-2015 asa924-5-k8.bin
153 9.2.4.5 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 21-12-2015 asa924-5-smp-k8.bin
154 9.2.4.8 32 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 24-02-2016 asa924-8-k8.bin
155 9.2.4.8 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 24-02-2016 asa924-8-smp-k8.bin
156 9.3.1 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 23-07-2014 asa931-smp-k8.bin
157 9.3.2 64 N N N N N N N 3.10.19 2.18 ptmalloc 2.x 16-12-2014 asa932-smp-k8.bin
158 9.3.2.200 64 N N N N N N N 3.10.19 2.18 ptmalloc 2.x 18-12-2014 asa932-200-smp-k8.bin
159 9.3.2.200 64 N N N N N N N 3.10.19 2.18 ptmalloc 2.x 18-12-2014 asav932-200.qcow2
160 9.3.3 64 N N N N N N N 3.10.19 2.18 ptmalloc 2.x ? asa933-smp-k8.bin
161 9.3.3.10 64 N Y N N N N N 3.10.19 2.18 ptmalloc 2.x 18-08-2016 asav933-10.qcow2
162 9.3.3.11 64 N Y N N N N N 3.10.19 2.18 ptmalloc 2.x 09-09-2016 asa933-11-smp-k8.bin
163 9.3.3.11 64 N Y N N N N N 3.10.19 2.18 ptmalloc 2.x 09-09-2016 asav933-11.qcow2
164 9.3.3.7 64 N N N N N N N 3.10.19 2.18 ptmalloc 2.x 21-12-2015 asa933-7-smp-k8.bin
165 9.3.3.9 64 N Y N N N N N 3.10.19 2.18 ptmalloc 2.x 26-02-2016 asa933-9-smp-k8.bin
166 9.3.3.9 64 N Y N N N N N 3.10.19 2.18 ptmalloc 2.x 26-02-2016 asav933-9.qcow2
167 9.4.1 64 N N N N N N N 3.10.55 2.18 ptmalloc 2.x 21-03-2015 asa941-smp-k8.bin
168 9.4.1 64 N N N N N N N 3.10.55 2.18 ptmalloc 2.x 21-03-2015 asav941.qcow2
169 9.4.1.13 64 N N N N N N N 3.10.55 2.18 ptmalloc 2.x 03-08-2016 asa941-13-smp-k8.bin
170 9.4.1.13 64 N N N N N N N 3.10.55 2.18 ptmalloc 2.x 03-08-2016 asav941-13.qcow2
171 9.4.1.200 64 N N N N N N N 3.10.55 2.18 ptmalloc 2.x 11-05-2015 asav941-200.qcow2
172 9.4.1.6 64 N N N N N N N 3.10.55 2.18 ptmalloc 2.x 16-10-2015 asav941-6.qcow2
173 9.4.2 64 N N N N N N N 3.10.55 2.18 ptmalloc 2.x 23-09-2015 asa942-smp-k8.bin
174 9.4.2 64 N N N N N N N 3.10.55 2.18 ptmalloc 2.x 23-09-2015 asav942.qcow2
175 9.4.2.11 64 N N N N N N N 3.10.55 2.18 ptmalloc 2.x 22-02-2016 asa942-11-smp-k8.bin
176 9.4.2.6 64 N N N N N N N 3.10.55 2.18 ptmalloc 2.x 27-01-2016 asa942-6-smp-k8.bin
177 9.4.2.6 64 N N N N N N N 3.10.55 2.18 ptmalloc 2.x 27-01-2016 asav942-6.qcow2
178 9.4.3 64 N Y N N N N N 3.10.55 2.18 ptmalloc 2.x 24-04-2016 asa943-smp-k8.bin
179 9.4.3.12 64 N Y N N N N N 3.10.55 2.18 ptmalloc 2.x 20-10-2016 asa943-12-smp-k8.bin
180 9.4.4 64 N Y N N N N N 3.10.55 2.18 ptmalloc 2.x 06-01-2017 asa944-smp-k8.bin
181 9.4.4.10 64 N Y N N N N N ? 2.18 ptmalloc 2.x 16-08-2017 asa944-10-smp-k8.bin
182 9.4.4.12 64 N Y N N N N N ? 2.18 ptmalloc 2.x 14-09-2017 asa944-12-smp-k8.bin
183 9.4.4.13 64 N Y N N N N N 3.10.55 2.18 ptmalloc 2.x 12-10-2017 asa944-13-smp-k8.bin
184 9.4.4.14 64 N Y N N N N N 3.10.55 2.18 ptmalloc 2.x 28-11-2017 asa944-14-smp-k8.bin
185 9.4.4.16 64 N Y N N N N N ? 2.18 ptmalloc 2.x 02-02-2018 asa944-16-smp-k8.bin
186 9.4.4.17 64 N Y N N N N N ? 2.18 ptmalloc 2.x 06-02-2018 asa944-17-smp-k8.bin
187 9.4.4.18 64 N Y N N N N N ? 2.18 ptmalloc 2.x 29-03-2018 asa944-18-smp-k8.bin
188 9.4.4.6 64 N Y N N N N N ? 2.18 ptmalloc 2.x 27-04-2017 asa944-6-smp-k8.bin
189 9.4.4.8 64 N Y N N N N N ? 2.18 ptmalloc 2.x 16-07-2017 asa944-8-smp-k8.bin
190 9.5.1 64 Y N Y N N N N 3.10.62 2.18 ptmalloc 2.x 12-08-2015 asa951-smp-k8.bin
191 9.5.2 64 Y N Y N N Y N 3.10.62 2.18 ptmalloc 2.x 28-11-2015 asa952-smp-k8.bin
192 9.5.2.2 64 Y N Y N N Y N ? 2.18 ptmalloc 2.x 22-12-2015 asa952-2-smp-k8.bin
193 9.5.2.204 64 Y N Y N N Y N 3.10.62 2.18 ptmalloc 2.x 15-02-2016 asav952-204.qcow2
194 9.5.2.6 64 Y Y Y N N Y N ? 2.18 ptmalloc 2.x 04-03-2016 asa952-6-smp-k8.bin
195 9.5.3 64 Y Y Y N N Y N 3.10.62 2.18 ptmalloc 2.x 30-08-2016 asa953-smp-k8.bin
196 9.6.1 64 Y Y Y N N Y N 3.10.62 2.18 ptmalloc 2.x 18-03-2016 asa961-smp-k8.bin
197 9.6.1 64 Y Y Y N N Y N 3.10.62 2.18 ptmalloc 2.x 18-03-2016 asav961.qcow2
198 9.6.1.10 64 Y Y Y N N Y N 3.10.62 2.18 ptmalloc 2.x 09-08-2016 asa961-10-smp-k8.bin
199 9.6.2 64 Y Y Y N N Y N 3.10.62 2.18 ptmalloc 2.x 23-08-2016 asa962-smp-k8.bin
200 9.6.2 64 Y Y Y N N Y N 3.10.62 2.18 ptmalloc 2.x 23-08-2016 asav962.qcow2
201 9.6.2.2 64 Y Y Y N N Y N 3.10.62 2.18 ptmalloc 2.x 07-10-2016 asav962-2.qcow2
202 9.6.2.3 64 Y Y Y N N Y N 3.10.62 2.18 ptmalloc 2.x 26-10-2016 asa962-3-smp-k8.bin
203 9.6.2.7 64 Y Y Y N N Y N 3.10.62 2.18 ptmalloc 2.x 05-12-2016 asav962-7.qcow2
204 9.6.3.17 64 Y Y Y N N N N 3.10.62 2.18 ptmalloc 2.x 16-10-2017 asa963-17-smp-k8.bin
205 9.6.3.20 64 Y Y Y N N N N 3.10.62 2.18 ptmalloc 2.x 17-11-2017 asa963-20-smp-k8.bin
206 9.6.4 64 Y Y Y N N N N 3.10.62 2.18 ptmalloc 2.x 13-12-2017 asa964-smp-k8.bin
207 9.6.4.3 64 Y Y Y N N N N ? 2.18 ptmalloc 2.x 02-02-2018 asa964-3-smp-k8.bin
208 9.6.4.8 64 Y Y Y N N N N ? 2.18 ptmalloc 2.x 11-04-2018 asa964-8-smp-k8.bin
209 9.7.1 64 Y Y Y N N Y N 3.10.62 2.18 ptmalloc 2.x 16-01-2017 asa971-smp-k8.bin
210 9.7.1 64 Y Y Y N N Y N 3.10.62 2.18 ptmalloc 2.x 16-01-2017 asav971.qcow2
211 9.7.1.15 64 Y Y Y N N N N 3.10.62 2.18 ptmalloc 2.x 29-08-2017 asa971-15-smp-k8.bin
212 9.7.1.16 64 Y Y Y N N N N 3.10.62 2.18 ptmalloc 2.x 19-10-2017 asa971-16-smp-k8.bin
213 9.7.1.21 64 Y Y Y N N N N ? 2.18 ptmalloc 2.x 02-02-2018 asa971-21-smp-k8.bin
214 9.7.1.4 64 Y Y Y N N N N ? 2.18 ptmalloc 2.x 31-03-2017 asa971-4-smp-k8.bin
215 9.8.1 64 Y Y Y N N N N ? 2.18 ptmalloc 2.x 10-05-2017 asa981-smp-k8.bin
216 9.8.1.5 64 Y Y Y N N N N 3.10.62 2.18 ptmalloc 2.x 23-06-2017 asav981-5.qcow2
217 9.8.1.7 64 Y Y Y N N N N ? 2.18 ptmalloc 2.x 28-07-2017 asa981-7-smp-k8.bin
218 9.8.2 64 Y Y Y N N N N ? 2.18 ptmalloc 2.x 27-08-2017 asa982-smp-k8.bin
219 9.8.2.14 64 Y Y Y N N N N 3.10.62 2.18 ptmalloc 2.x 06-11-2017 asa982-14-smp-k8.bin
220 9.8.2.15 64 Y Y Y N N N N 3.10.62 2.18 ptmalloc 2.x 10-11-2017 asa982-15-smp-k8.bin
221 9.8.2.17 64 Y Y Y N N N N ? 2.18 ptmalloc 2.x 04-01-2018 asa982-17-smp-k8.bin
222 9.8.2.20 64 Y Y Y N N N N ? 2.18 ptmalloc 2.x 02-02-2018 asa982-20-smp-k8.bin
223 9.8.2.24 64 Y Y Y N N N N ? 2.18 ptmalloc 2.x 01-03-2018 asa982-24-smp-k8.bin
224 9.8.2.26 64 Y Y Y N N N N ? 2.18 ptmalloc 2.x 14-03-2018 asa982-26-smp-k8.bin
225 9.8.2.28 64 Y Y Y N N N N ? 2.18 ptmalloc 2.x 05-04-2018 asa982-28-smp-k8.bin
226 9.8.2.33 64 Y Y Y N N N N ? 2.18 ptmalloc 2.x 04-05-2018 asa982-33-smp-k8.bin
227 9.8.2.8 64 Y Y Y N N N N 3.10.62 2.18 ptmalloc 2.x 05-10-2017 asa982-8-smp-k8.bin
228 9.9.1 64 Y Y Y N N N N 3.10.62 2.18 ptmalloc 2.x 30-11-2017 asa991-smp-k8.bin
229 9.9.1 64 Y Y Y N N N N 3.10.62 2.18 ptmalloc 2.x 30-11-2017 asav991.qcow2
230 9.9.1.2 64 Y Y Y N N N N ? 2.18 ptmalloc 2.x 02-02-2018 asa991-2-smp-k8.bin
231 9.9.1.3 64 Y Y Y N N N N ? 2.18 ptmalloc 2.x 06-02-2018 asa991-3-smp-k8.bin
232 9.9.2 64 Y Y Y N N N N 3.10.62 2.18 ptmalloc 2.x 25-03-2018 asav992.qcow2
233 9.9.2 64 Y Y Y N N N N ? 2.18 ptmalloc 2.x 25-03-2018 asa992-smp-k8.bin
234 9.9.2.1 64 Y Y Y N N N N 3.10.62 2.18 ptmalloc 2.x 05-04-2018 asav992-1.qcow2
235 9.9.2.1 64 Y Y Y N N N N ? 2.18 ptmalloc 2.x 05-04-2018 asa992-1-smp-k8.bin
236 9.9.2.14 64 Y Y Y N N N N 3.10.62 2.18 ptmalloc 2.x 12-07-2018 asav992-14.qcow2
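An added example (not part of asafw): a parser for the summary rows as printed above, used to report which mitigations a given firmware lacks and which build first carried a given mitigation. The header and rows in `SAMPLE` are copied from the table; the function names and the inventory list (including the made-up `asa999-k8.bin`) are assumptions for illustration.

```python
from datetime import datetime

# Column names exactly as in the header row of the summary table.
COLUMNS = ["ID", "Version", "Arch", "ASLR", "NX", "PIE", "Can", "RELRO",
           "Sym", "Strip", "Linux", "Glibc", "Heap allocator", "Build date",
           "Firmware"]
FLAGS = ["ASLR", "NX", "PIE", "Can", "RELRO", "Sym", "Strip"]
MITIGATIONS = ["ASLR", "NX", "PIE", "Can", "RELRO"]

# Header plus seven rows copied verbatim from the table on this page.
SAMPLE = """\
ID Version Arch ASLR NX PIE Can RELRO Sym Strip Linux Glibc Heap allocator Build date Firmware
156 9.3.1 64 N N N N N N N 2.6.29.6 2.9 dlmalloc 2.8.3 23-07-2014 asa931-smp-k8.bin
160 9.3.3 64 N N N N N N N 3.10.19 2.18 ptmalloc 2.x ? asa933-smp-k8.bin
164 9.3.3.7 64 N N N N N N N 3.10.19 2.18 ptmalloc 2.x 21-12-2015 asa933-7-smp-k8.bin
165 9.3.3.9 64 N Y N N N N N 3.10.19 2.18 ptmalloc 2.x 26-02-2016 asa933-9-smp-k8.bin
190 9.5.1 64 Y N Y N N N N 3.10.62 2.18 ptmalloc 2.x 12-08-2015 asa951-smp-k8.bin
194 9.5.2.6 64 Y Y Y N N Y N ? 2.18 ptmalloc 2.x 04-03-2016 asa952-6-smp-k8.bin
236 9.9.2.14 64 Y Y Y N N N N 3.10.62 2.18 ptmalloc 2.x 12-07-2018 asav992-14.qcow2
"""


def parse_row(line):
    """Return one table row as a dict, or None for the header and blank lines."""
    tok = line.split()
    if not tok or not tok[0].isdigit():
        return None
    if len(tok) != 16:
        raise ValueError("unexpected column count: %r" % line)
    # "Heap allocator" is the only two-token column (name + version).
    fields = tok[:12] + [" ".join(tok[12:14])] + tok[14:]
    row = dict(zip(COLUMNS, fields))
    for name in FLAGS:
        if row[name] not in ("Y", "N"):
            raise ValueError("bad %s value in row %s" % (name, row["ID"]))
        row[name] = row[name] == "Y"
    # "?" marks a value missing from the table; keep it as None.
    if row["Linux"] == "?":
        row["Linux"] = None
    if row["Build date"] == "?":
        row["Build date"] = None
    else:
        # Dates in the table are day-month-year.
        row["Build date"] = datetime.strptime(row["Build date"], "%d-%m-%Y").date()
    return row


def parse_table(text):
    """Parse every data row of a pasted summary table."""
    rows = (parse_row(line) for line in text.splitlines())
    return [r for r in rows if r is not None]


def missing(row):
    """Mitigation columns marked N for this firmware."""
    return [m for m in MITIGATIONS if not row[m]]


def first_build_with(rows, mitigation):
    """Earliest-built row that has the mitigation; undated rows are skipped."""
    dated = [r for r in rows if r[mitigation] and r["Build date"] is not None]
    return min(dated, key=lambda r: r["Build date"]) if dated else None


def audit(inventory, rows):
    """Map each firmware file name to its missing mitigations (None if unknown)."""
    by_name = {r["Firmware"]: r for r in rows}
    return {fw: (missing(by_name[fw]) if fw in by_name else None)
            for fw in inventory}


if __name__ == "__main__":
    table = parse_table(SAMPLE)
    # Constructed inventory; asa999-k8.bin is deliberately not in the table.
    inventory = ["asa933-9-smp-k8.bin", "asav992-14.qcow2", "asa999-k8.bin"]
    for fw, gaps in audit(inventory, table).items():
        if gaps is None:
            print(fw, "-> not in table")
        else:
            print(fw, "-> missing:", ", ".join(gaps) or "none")
    for m in MITIGATIONS:
        hit = first_build_with(table, m)
        print(m, "first seen in", hit["Version"] if hit else "no listed build")
```

Sorting by build date rather than by ID matters here: in the sample, 9.5.1 was built before 9.3.3.9 yet lacks NX, so the version number alone does not tell you which mitigations a build has.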

End-of-life ASA versions

To our knowledge there isn't any summary of ASA branches being End-of-life (EOL), though an official list of EOL devices is here. Feel free to contact us if we are missing something. However, it is possible to use the Cisco ASA advisories here to deduce branch EOL status. Last update of this table is July 2017.

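| Cisco ASA Branch | Latest Update | End-of-life? | Notes |
|---|---|---|---|
| 7.2 | <= Feb 2016 | Yes | |
| 8.0 | <= Feb 2016 | Yes | |
| 8.1 | <= Feb 2016 | Yes | |
| 8.2 | <= Feb 2016 | Yes | Exceptional patch for IKE heap overflow |
| 8.3 | <= Feb 2016 | Yes | |
| 8.4 | <= May 2016 | Yes | |
| 8.5 | <= Feb 2016 | Yes | |
| 8.6 | <= Feb 2016 | Yes | |
| 8.7 | <= May 2016 | Yes | |
| 9.0 | <= Feb 2017 | Yes | |
| 9.1 | | No | |
| 9.2 | | No | |
| 9.3 | <= Feb 2017 | Yes | |
| 9.4 | | No | |
| 9.5 | <= Apr 2017 | Yes | |
| 9.6 | | No | |
| 9.7 | | No | |
| 9.8 | | No | |
| 9.9 | | No | |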

Known issues

sudo -E not keeping the PATH

On Ubuntu 18.04 at least, /etc/sudoers defines a secure_path, which sudo uses as PATH even with -E, so a script that is only reachable through your own PATH is not found:

$ unpack_repack_qcow2.sh
[unpack_repack_qcow2] You need to be root to mount/unmount the qcow2
$ sudo -E unpack_repack_qcow2.sh
[sudo] password for user:
sudo: unpack_repack_qcow2.sh: command not found

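So you may need to comment that line out in /etc/sudoers, see here. Note that sudo then uses the invoking user's PATH for every command on that machine, not only for these scripts.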

#Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
$ sudo -E unpack_repack_qcow2.sh 
[sudo] password for user: 
[unpack_repack_qcow2] ERROR: You must specify at least a valid -i file: 
[unpack_repack_qcow2] ERROR: Double check your working directory as  doesn't appear to exist

asafw's People

Contributors

cq674350529, fidgetingbits, joe-graham, saidelike

asafw's Issues

Could not find kernel command line.

When I use unpack_repack_bin.sh, I meet a question.
image
Is it because this version is not supported?
The version is asa804-k8.bin.
Please help me!!!

How to access the serial-shell after enabling it?

Hi, thanks to you guys for providing these great tools.
I want to get a shell (not Cisco CLI) on the device emulated by GNS3. As far as I know, there are three ways provided by asafw tool to do this.

  • using -r option
    I can access a shell. But the shell is too early, many pre-works haven't been done. So it's not what I want.
  • using --debugshell option
    When I try to ssh to the device, it just crashes instead of giving me a reverse-shell. I haven't debugged it heavily. I'll do it when I'm free.
  • using --serialshell option
    The qemu options are -cpu Haswell -smp 4,sockets=4,cores=1,threads=1 -serial telnet:127.0.0.1:15002,server,nowait.
    The outputs of device in vnc are as follows.
    device output

Does it work as expected when using the --serialshell option? How can I access the serial shell?

Any advice would be appreciated! Thanks in advance.

How to configure the gdbserver port when enabling gdb in GNS3 mode?

Hi,
Recently I have read your great posts about Cisco ASA. When I did experiments with GNS3, I came across some problems.

  1. Since a GNS3 instance will be debugged over TCP/IP (telnet), why is it still necessary to enable and change "/dev/ttyS1" to "/dev/ttyS0" in the rcS script when patching the qcow2 image? Why not use -n instead? (-n : gdb ethernet device, eg, 'eth0'). I have tried using the -n option and made some corresponding changes, but it didn't work.

  2. When using asadbg to debug, an asacfg file is needed. In GNS3 mode, we have to specify a gns3_port field (in your case, use 12005 instead). But during patching the qcow2 image, I can't find the corresponding port. Is it the default port used by gdbserver? How can I configure that port when enabling gdb?

Now I get the following at the boot (default console type is vnc), but I don't know which port to use in gdb (target remote < GNS3's ip>:<which port???>).

asa_boot

Any advice would be appreciated! Thanks in advance.

Hardcoded Python location in bin.py and helper.py

The shebang in the bin.py and helper.py programs uses a hardcoded Python location instead of using env. Switching this over would allow asafw to work on platforms that don't put python3 in /usr/bin, like on macOS.

issue running unpack_repack_bin.sh

I get the following error and do not know how to source env.sh. Can you point me in the right direction?

error:
[unpack_repack_bin] This tool relies on env.sh which has not been sourced

Thanks
Darrell

something wrong when I enable gdb

When I follow your steps in Configuring a Cisco ASA test environment, the last step troubles me. Something is wrong with the gdb inside the firmware. The firmware I use is asav-941-200.qcow2. Please look at the picture
capture
Please Help Me !!!!!

Serial debugging failing to start

This issue was found on a physical ASA 5505 running version 9.1(6).

When enabling gdbserver on the serial interface in asafw, the gdb script generated by asadbg hangs at target extended-remote [serial port].
image
Turning on gdb's remote debugging shows that gdbserver continually prints this string, preventing gdb from attaching:
image

It looks like a fix for this would be modifying the inittab file to run /tmp/start_cmd on a different tty. This will still cause gdbserver to attach to the serial interface, but will result in the error message being printed on the other tty as opposed to over the serial interface. Manually making this change on my end results in asadbg hanging (since it's waiting for the "Remote debugging over /dev/ttyS0" string) but eventually connecting over USB:
image

I'm willing to write the code to implement this change, but I'll hold off on implementing and making a pull request since this is a little more involved than my previous two issues.

How to unpack asa*.bin for using in GNS3?

I unpack asa944-16-smp-k8.bin using bin.py and get two files asa944-16-smp-k8-initrd-original.gz and asa944-16-smp-k8-vmlinuz. When I'm trying to run them in GNS3 I have an error
INIT: version 2.88 booting
Starting udev
[ 9.928700] udevd[505]: starting version 182
[ 10.855231] ACPI: PCI Interrupt Link [LNKB] enabled at IRQ 10
[ 10.947480] e1000_uio(e1000_pci.0.2.0): user interrupt driver successfully loaded.
Configuring network interfaces... done.
Populating dev cache
no cdrom devices
[ 13.722192] tipc: Started in network mode
[ 13.722721] tipc: Own node address <1.1.1>, network identity 1234
[ 13.725539] tipc: Enabled bearer <eth:tap0>, discovery domain <1.1.0>, priority 10
info: Running in kvm virtual environment.
/asa/scripts/vm_lib: line 221: /mnt/disk0/system-serial-number: No such file or directory
cp: cannot stat '/mnt/disk0/system-serial-number': No such file or directory
[ 15.584344] IHM: Initializing Interface Helper Module
[ 15.584403] IHM: registering chr device
[ 15.584470] Module registered 251, from (pid 1079)
[ 15.760572] 988.760510 [2606] netmap_init run mknod /dev/netmap c 10 60 # error 0
[ 15.761156] netmap: loaded module

Loading...

Starting image verification
[ 20.781129] traps: lina_monitor[1141] trap invalid opcode ip:40f4da sp:7fffffffe3f8 error:0 in lina_monitor[400000+26000]
/tmp/run_cmd: line 5: 1141 Illegal instruction (core dumped) cgexec -g memory:privileged -g cpuset:restricted/lina /asa/bin/lina_monitor -l
INIT: Switching to runlevel: 6
INIT: Sending processes the TERM signal
Deconfiguring network interfaces... done.
Sending all processes the TERM signal...
Sending all processes the KILL signal...
Deactivating swap...
Unmounting local filesystems...
Rebooting... [ 32.317855] Restarting system.
[ 32.317855] reboot: machine restart

I'm using these args:
Kernel Command Line: no-hlt -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536
Option: -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32

Please help me run ASA in GNS3 using the bin file!

lina : aaa_admin_authenticate

Hello,

What does this message

[lina] Error: can't find aaa_admin_authenticate, you need to add symbol with asafw first

relate to?

Regards

The repacked image cannot pass the checksum verification.

I used the "./unpack_repack_bin.sh -i asa924-k8.bin -f -g" command to repack an ASA image, but this image cannot be used by the ASA.
I used both ASDM and the CLI command to upload the image but got the same error. Do you have any suggestions?
This is the error information:
sumval(0x7688) chksum(0x 0)md5(0x627f79f7 0xef30d361 0xdc06d033 0x47d62959)
md5(0x4f5398c1 0xfeefb16a 0x9380fe65 0x44370bc5)
Checksum verification on new image failed

How to disable aslr for the newest images?

Hi, thanks to you guys for providing these great tools.
Recently, when I used asafw on the newest image (e.g. asav9101.qcow2), trying to disable ASLR was unsuccessful. The root cause is that there is no echo 0 > /proc/sys/kernel/randomize_va_space inside the file asa/scripts/rcS.common.

# tune the VM system
if sf_asa_is_ngfw; then
    echo 0 > /proc/sys/vm/overcommit_memory
else
    MemTotal=`awk '/^MemTotal:/ {print \$2}' /proc/meminfo`
    let MemThreshold=1024*1024
    #disable overcommit only for system with more than 1G memory
    if [ $MemTotal  -le $MemThreshold ]; then
         echo 0 > /proc/sys/vm/overcommit_memory
    else
         echo 2 > /proc/sys/vm/overcommit_memory
    fi
    echo 100 > /proc/sys/vm/overcommit_ratio
 fi
ulimit -s 1024

So I modified disable_aslr() inside the file unpack_repack_bin.sh as follows:

sed -i 's/ulimit -s 1024/echo 0 > \/proc\/sys\/kernel\/randomize_va_space\nulimit -s 1024/' asa/scripts/rcS.common

The command works well and the file is changed as I want. But when I emulate the device with the repacked image inside GNS3, it seems ASLR is still on.

I noticed there are some comments inside disable_aslr(), shown below. Does that mean the manually added command echo 0 > /proc/sys/kernel/randomize_va_space is also overridden?

log "DISABLE ASLR"
# we can't just add the following line
#echo "kernel.randomize_va_space = 0" >> etc/sysctl.conf.procps
# because it looks like rcS.common overrides our value later in the boot process
# so we just make the modification in rcS.common :)

By the way, I searched for randomize_va_space using grep inside the rootfs and got no results except for asa/bin/lina.

Is there any other way to disable aslr? Debugging with aslr is annoying.
Any advice would be appreciated! Thanks in advance.
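One way to make the rcS.common edit from the post above repeatable and checkable on an unpacked rootfs, added here as an example that is not part of asafw or of the original post. The anchor and the inserted line are the ones quoted in the issue; the function names and the sample file are hypothetical, and the script only inspects files on disk.

```shell
#!/bin/sh
# Added example (not asafw code). ANCHOR and ASLR_LINE come from the issue text;
# the function names are hypothetical.
ANCHOR='ulimit -s 1024'
ASLR_LINE='echo 0 > /proc/sys/kernel/randomize_va_space'

# Insert ASLR_LINE directly before the first ANCHOR line of file $1.
# Returns 0 when inserted or already present, 2 when the anchor is absent.
patch_rcs_common() {
    grep -qxF "$ASLR_LINE" "$1" && return 0
    grep -qxF "$ANCHOR" "$1" || return 2
    tmp=$(mktemp) || return 1
    if awk -v anchor="$ANCHOR" -v line="$ASLR_LINE" '
        !done && $0 == anchor { print line; done = 1 }
        { print }' "$1" > "$tmp"
    then cat "$tmp" > "$1"; rc=$?   # cat keeps the original mode and owner
    else rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Print "ok" if ASLR_LINE sits directly before ANCHOR in file $1, else "missing".
check_rcs_common() {
    awk -v anchor="$ANCHOR" -v line="$ASLR_LINE" '
        $0 == anchor && prev == line { found = 1 }
        { prev = $0 }
        END { print (found ? "ok" : "missing") }' "$1"
}

# List file:line:text for every text file under rootfs $1 that mentions the
# sysctl, so a later write that overrides the patch is visible. -I skips binaries.
list_aslr_writers() {
    grep -rnI 'randomize_va_space' "$1" || true
}

# Constructed sample: a three-line stand-in for asa/scripts/rcS.common.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/asa/scripts"; f="$d/asa/scripts/rcS.common"
    printf '%s\n' '# tune the VM system' \
        'echo 100 > /proc/sys/vm/overcommit_ratio' "$ANCHOR" > "$f"
    patch_rcs_common "$f" && patch_rcs_common "$f"   # second call is a no-op
    check_rcs_common "$f"
    list_aslr_writers "$d" | wc -l
    rm -rf "$d"
}
demo
```

A return code of 2 from patch_rcs_common means the anchor line is not in the file, which is the case to catch when a newer image changes rcS.common again.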
