dissect.target 3.17.dev13__py3-none-any.whl → 3.17.dev17__py3-none-any.whl

dissect/target/container.py

@@ -258,3 +258,4 @@ register("vdi", "VdiContainer")
 register("hdd", "HddContainer")
 register("hds", "HdsContainer")
 register("split", "SplitContainer")
+register("fortifw", "FortiFirmwareContainer")

dissect/target/containers/fortifw.py

@@ -0,0 +1,190 @@
+from __future__ import annotations
+
+import gzip
+import io
+import logging
+import zlib
+from itertools import cycle, islice
+from pathlib import Path
+from typing import BinaryIO
+
+from dissect.util.stream import AlignedStream, RangeStream, RelativeStream
+
+from dissect.target.container import Container
+from dissect.target.tools.utils import catch_sigpipe
+
+log = logging.getLogger(__name__)
+
+
+def find_xor_key(fh: BinaryIO) -> bytes:
+    """Find the XOR key for the firmware file by using known plaintext of zeros.
+
+    File-like object ``fh`` must be seeked to the correct offset where it should decode to all zeroes (0x00).
+
+    Arguments:
+        fh: File-like object to read from.
+
+    Returns:
+        bytes: XOR key, note that the XOR key is not validated and may be incorrect.
+    """
+    key = bytearray()
+
+    pos = fh.tell()
+    buf = fh.read(32)
+    fh.seek(pos)
+
+    if pos % 512 == 0:
+        xor_char = 0xFF
+    else:
+        fh.seek(pos - 1)
+        xor_char = ord(fh.read(1))
+
+    for i, k_char in enumerate(buf):
+        idx = (i + pos) & 0x1F
+        key.append((xor_char ^ k_char ^ idx) & 0xFF)
+        xor_char = k_char
+
+    # align xor key
+    koffset = 32 - (pos & 0x1F)
+    key = islice(cycle(key), koffset, koffset + 32)
+    return bytes(key)
+
+
+class FortiFirmwareFile(AlignedStream):
+    """Fortinet firmware file, handles transparant decompression and deobfuscation of the firmware file."""
+
+    def __init__(self, fh: BinaryIO):
+        self.fh = fh
+        self.trailer_offset = None
+        self.trailer_data = None
+        self.xor_key = None
+        self.is_gzipped = False
+
+        size = None
+
+        # Check if the file is gzipped
+        self.fh.seek(0)
+        header = self.fh.read(4)
+        if header.startswith(b"\x1f\x8b"):
+            self.is_gzipped = True
+
+            # Find the extra metadata behind the gzip compressed data
+            # as a bonus we can also calculate the size of the firmware here
+            dec = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
+            self.fh.seek(0)
+            size = 0
+            while True:
+                data = self.fh.read(io.DEFAULT_BUFFER_SIZE)
+                if not data:
+                    break
+                d = dec.decompress(dec.unconsumed_tail + data)
+                size += len(d)
+
+            # Ignore the trailer data of the gzip file if we have any
+            if dec.unused_data:
+                self.trailer_offset = self.fh.seek(-len(dec.unused_data), io.SEEK_END)
+                self.trailer_data = self.fh.read()
+                log.info("Found trailer offset: %d, data: %r", self.trailer_offset, self.trailer_data)
+                self.fh = RangeStream(self.fh, 0, self.trailer_offset)
+
+            self.fh.seek(0)
+            self.fh = gzip.GzipFile(fileobj=self.fh)
+
+        # Find the xor key based on known offsets where the firmware should decode to zero bytes
+        for zero_offset in (0x30, 0x40, 0x400):
+            self.fh.seek(zero_offset)
+            xor_key = find_xor_key(self.fh)
+            if xor_key.isalnum():
+                self.xor_key = xor_key
+                log.info("Found key %r @ offset %s", self.xor_key, zero_offset)
+                break
+        else:
+            log.info("No xor key found")
+
+        # Determine the size of the firmware file if we didn't calculate it yet
+        if size is None:
+            size = self.fh.seek(0, io.SEEK_END)
+
+        log.info("firmware size: %s", size)
+        log.info("xor key: %r", self.xor_key)
+        log.info("gzipped: %s", self.is_gzipped)
+        self.fh.seek(0)
+
+        # Align the stream to 512 bytes which simplifies the XOR deobfuscation code
+        super().__init__(size=size, align=512)
+
+    def _read(self, offset: int, length: int) -> bytes:
+        self.fh.seek(offset)
+        buf = self.fh.read(length)
+
+        if not self.xor_key:
+            return buf
+
+        buf = bytearray(buf)
+        xor_char = 0xFF
+        for i, cur_char in enumerate(buf):
+            if (i + offset) % 512 == 0:
+                xor_char = 0xFF
+            idx = (i + offset) & 0x1F
+            buf[i] = ((self.xor_key[idx] ^ cur_char ^ xor_char) - idx) & 0xFF
+            xor_char = cur_char
+
+        return bytes(buf)
+
+
+class FortiFirmwareContainer(Container):
+    __type__ = "fortifw"
+
+    def __init__(self, fh: BinaryIO | Path, *args, **kwargs):
+        if not hasattr(fh, "read"):
+            fh = fh.open("rb")
+
+        # Open the firmware file
+        self.ff = FortiFirmwareFile(fh)
+
+        # seek to MBR
+        self.fw = RelativeStream(self.ff, 0x200)
+        super().__init__(self.fw, self.ff.size, *args, **kwargs)
+
+    @staticmethod
+    def detect_fh(fh: BinaryIO, original: list | BinaryIO) -> bool:
+        return False
+
+    @staticmethod
+    def detect_path(path: Path, original: list | BinaryIO) -> bool:
+        # all Fortinet firmware files end with `-FORTINET.out`
+        return str(path).lower().endswith("-fortinet.out")
+
+    def read(self, length: int) -> bytes:
+        return self.fw.read(length)
+
+    def seek(self, offset: int, whence: int = io.SEEK_SET) -> int:
+        return self.fw.seek(offset, whence)
+
+    def tell(self) -> int:
+        return self.fw.tell()
+
+    def close(self) -> None:
+        pass
+
+
+@catch_sigpipe
+def main(argv: list[str] | None = None) -> None:
+    import argparse
+    import shutil
+    import sys
+
+    parser = argparse.ArgumentParser(description="Decompress and deobfuscate Fortinet firmware file to stdout.")
+    parser.add_argument("file", type=argparse.FileType("rb"), help="Fortinet firmware file")
+    parser.add_argument("--verbose", "-v", action="store_true", help="verbose output")
+    args = parser.parse_args(argv)
+
+    if args.verbose:
+        logging.basicConfig(level=logging.INFO)
+
+    ff = FortiFirmwareFile(args.file)
+    shutil.copyfileobj(ff, sys.stdout.buffer)
+
+
+if __name__ == "__main__":
+    main()

dissect/target/loader.py

@@ -77,7 +77,7 @@ class Loader:
         raise NotImplementedError()
 
     @staticmethod
-    def find_all(path: Path) -> Iterator[Path]:
+    def find_all(path: Path, **kwargs) -> Iterator[Path]:
         """Finds all targets to load from ``path``.
 
         This can be used to open multiple targets from a target path that doesn't necessarily map to files on a disk.

dissect/target/loaders/mqtt.py

@@ -6,17 +6,15 @@ import time
 import urllib
 from dataclasses import dataclass
 from functools import lru_cache
-from io import BytesIO
 from pathlib import Path
 from struct import pack, unpack_from
-from typing import Any, Callable, Optional, Union
+from typing import Any, Callable, Iterator, Optional, Union
 
 import paho.mqtt.client as mqtt
 from dissect.util.stream import AlignedStream
 
 from dissect.target.containers.raw import RawContainer
 from dissect.target.exceptions import LoaderError
-from dissect.target.filesystem import VirtualFilesystem
 from dissect.target.loader import Loader
 from dissect.target.plugin import arg
 from dissect.target.target import Target
@@ -74,7 +72,7 @@ class MQTTConnection:
         self.info = lru_cache(128)(self.info)
         self.read = lru_cache(128)(self.read)
 
-    def topo(self, peers: int):
+    def topo(self, peers: int) -> list[str]:
         self.broker.topology(self.host)
 
         while len(self.broker.peers(self.host)) < peers:
@@ -148,7 +146,7 @@ class Broker:
     def disk(self, host: str) -> DiskMessage:
         return self.diskinfo[host]
 
-    def peers(self, host: str) -> int:
+    def peers(self, host: str) -> list[str]:
         return self.topo[host]
 
     def _on_disk(self, hostname: str, payload: bytes) -> None:
@@ -252,9 +250,6 @@ class Broker:
 class MQTTLoader(Loader):
     """Load remote targets through a broker."""
 
-    PATH = "/remote/data/hosts.txt"
-    FOLDER = "/remote/hosts"
-
     connection = None
     broker = None
     peers = []
@@ -262,10 +257,15 @@ class MQTTLoader(Loader):
     def __init__(self, path: Union[Path, str], **kwargs):
         super().__init__(path)
         cls = MQTTLoader
+        self.broker = cls.broker
+        self.connection = MQTTConnection(self.broker, path)
 
-        if str(path).startswith("/remote/hosts/host"):
-            self.path = path.read_text()  # update path to reflect the resolved host
+    @staticmethod
+    def detect(path: Path) -> bool:
+        return False
 
+    def find_all(path: Path, **kwargs) -> Iterator[str]:
+        cls = MQTTLoader
         num_peers = 1
         if cls.broker is None:
             if (uri := kwargs.get("parsed_path")) is None:
@@ -275,26 +275,10 @@ class MQTTLoader(Loader):
             cls.broker.connect()
             num_peers = int(options.get("peers", 1))
 
-        self.broker = cls.broker
-        self.connection = MQTTConnection(self.broker, self.path)
-        self.peers = self.connection.topo(num_peers)
+        cls.connection = MQTTConnection(cls.broker, path)
+        cls.peers = cls.connection.topo(num_peers)
+        yield from cls.peers
 
     def map(self, target: Target) -> None:
-        if len(self.peers) == 1 and self.peers[0] == str(self.path):
-            target.path = Path(str(self.path))
-            for disk in self.connection.info():
-                target.disks.add(RawContainer(disk))
-        else:
-            target.props["mqtt"] = True
-
-            vfs = VirtualFilesystem()
-            vfs.map_file_fh(self.PATH, BytesIO("\n".join(self.peers).encode("utf-8")))
-            for index, peer in enumerate(self.peers):
-                vfs.map_file_fh(f"{self.FOLDER}/host{index}-{peer}", BytesIO(peer.encode("utf-8")))
-
-            target.fs.mount("/data", vfs)
-            target.filesystems.add(vfs)
-
-    @staticmethod
-    def detect(path: Path) -> bool:
-        return str(path).startswith("/remote/hosts/host")
+        for disk in self.connection.info():
+            target.disks.add(RawContainer(disk))

dissect/target/plugins/os/unix/linux/sockets.py

@@ -17,9 +17,9 @@ NetSocketRecord = TargetRecordDescriptor(
         ("uint32", "rx_queue"),
         ("uint32", "tx_queue"),
         ("string", "local_ip"),
-        ("string", "local_port"),
+        ("uint16", "local_port"),
         ("string", "remote_ip"),
-        ("string", "remote_port"),
+        ("uint16", "remote_port"),
         ("string", "state"),
         ("string", "owner"),
         ("uint32", "inode"),

dissect/target/target.py

@@ -280,7 +280,7 @@ class Target:
                     continue
 
                 getlogger(entry).debug("Attempting to use loader: %s", loader_cls)
-                for sub_entry in loader_cls.find_all(entry):
+                for sub_entry in loader_cls.find_all(entry, parsed_path=parsed_path):
                     try:
                         ldr = loader_cls(sub_entry, parsed_path=parsed_path)
                     except Exception as e:

{dissect.target-3.17.dev13.dist-info → dissect.target-3.17.dev17.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.17.dev13
+Version: 3.17.dev17
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.17.dev13.dist-info → dissect.target-3.17.dev17.dist-info}/RECORD

@@ -1,15 +1,16 @@
 dissect/target/__init__.py,sha256=Oc7ounTgq2hE4nR6YcNabetc7SQA40ldSa35VEdZcQU,63
-dissect/target/container.py,sha256=9ixufT1_0WhraqttBWwQjG80caToJqvCX8VjFk8d5F0,9307
+dissect/target/container.py,sha256=0YcwcGmfJjhPXUB6DEcjWEoSuAtTDxMDpoTviMrLsxM,9353
 dissect/target/exceptions.py,sha256=VVW_Rq_vQinapz-2mbJ3UkxBEZpb2pE_7JlhMukdtrY,2877
 dissect/target/filesystem.py,sha256=VD1BA6hLqH_FPWFZ-wliEuCxnFrUK61S9VbGK7CtA5w,55597
-dissect/target/loader.py,sha256=HVNHcNhLixbxHl8glbEEC4njkp85hzj0Qdn4of1EnDY,7288
+dissect/target/loader.py,sha256=_mrMOzKdpb7nlZJpLENOLuU4Ty92PzJem9GFDuo0PK4,7298
 dissect/target/plugin.py,sha256=HAN8maaDt-Rlqt8Rr1IW7gXQpzNQZjCVz-i4aSPphSw,48677
 dissect/target/report.py,sha256=06uiP4MbNI8cWMVrC1SasNS-Yg6ptjVjckwj8Yhe0Js,7958
-dissect/target/target.py,sha256=xNJdecZSt2oHcZwf775kOSTFRA-c_hKoScXaDuK-8FI,32155
+dissect/target/target.py,sha256=jq0Ii8073GOfwfqRj7UMuJT5jTVvQ_FD9Vrl9TMGpVc,32180
 dissect/target/volume.py,sha256=aQZAJiny8jjwkc9UtwIRwy7nINXjCxwpO-_UDfh6-BA,15801
 dissect/target/containers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/containers/asdf.py,sha256=DJp0QEFwUjy2MFwKYcYqIR_BS1fQT1Yi9Kcmqt0aChM,1366
 dissect/target/containers/ewf.py,sha256=FTEPZpogDzymrbAeSnLuHNNStifLzNVhUvtbEMOyo0E,1342
+dissect/target/containers/fortifw.py,sha256=2Ga89c0qPguHAPigcte8wptgF2aM9qfPTZHddkfQ8J4,5874
 dissect/target/containers/hdd.py,sha256=Y1qYpk3GePCpq2HZIyqyoGch7nzN8aeI3zWG3UGhf5o,1069
 dissect/target/containers/hds.py,sha256=xijSUSRM392Ckc9QsOsvjx7PMyeoR4qOlWGG0w4nqUU,1145
 dissect/target/containers/qcow2.py,sha256=FtXLZA-Xkegbv--dStusQntUiDqM1idSFWMtJRiL7eM,1128
@@ -84,7 +85,7 @@ dissect/target/loaders/itunes.py,sha256=69aMTQiiGYpmD_EYSmf9mO1re8C3jAZIEStmwlMx
 dissect/target/loaders/kape.py,sha256=t5TfrGLqPeIpUUpXzIl6aHsqXMEGDqJ5YwDCs07DiBA,1237
 dissect/target/loaders/local.py,sha256=Ul-LCd_fY7SyWOVR6nH-NqbkuNpxoZVmffwrkvQElU8,16453
 dissect/target/loaders/log.py,sha256=cCkDIRS4aPlX3U-n_jUKaI2FPSV3BDpfqKceaU7rBbo,1507
-dissect/target/loaders/mqtt.py,sha256=J5RG35EwsshJtpFGkwMA6IOm638Xkl5df3SolO_BvCE,10225
+dissect/target/loaders/mqtt.py,sha256=b0VrQ75_tmc4POkcfnUwKJoj1qmcjm1OKsVBQ9MjgqI,9552
 dissect/target/loaders/multiraw.py,sha256=4a3ZST0NwjnfPDxHkcEfAcX2ddUlT_C-rcrMHNg1wp4,1046
 dissect/target/loaders/ova.py,sha256=6h4O-7i87J394C6KgLsPkdXRAKNwtPubzLNS3vBGs7U,744
 dissect/target/loaders/ovf.py,sha256=ELMq6J2y6cPKbp7pjWAqMMnFYefWxXNqzIiAQdvGGXQ,1061
@@ -151,7 +152,6 @@ dissect/target/plugins/apps/webserver/webserver.py,sha256=a7a2lLrhsa9c1AXnwiLP-t
 dissect/target/plugins/child/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/child/esxi.py,sha256=GfgQzxntcHcyxAE2QjMJ-TrFhklweSXLbYh0uuv-klg,693
 dissect/target/plugins/child/hyperv.py,sha256=R2qVeu4p_9V53jO-65znN0LwX9v3FVA-9jbbtOQcEz8,2236
-dissect/target/plugins/child/mqtt.py,sha256=8nLCm71FhQarqPMQ8JL-I-jjxSB9ct2pZGbq4FJO7ao,1189
 dissect/target/plugins/child/virtuozzo.py,sha256=Mx4ZxEl21g7IYkzraw4FBZup5EfrkFDv4WuTE3hxguw,1206
 dissect/target/plugins/child/vmware_workstation.py,sha256=8wkA_tSufvBUyp4XQHzRzFETf5ROlyyO_MVS3TExyfw,1570
 dissect/target/plugins/child/wsl.py,sha256=IssQgYET1T-XR5ZX2lGlNFJ_u_3QECpMF_7kXu09HTE,2469
@@ -216,7 +216,7 @@ dissect/target/plugins/os/unix/linux/netstat.py,sha256=MAC4ZdeNqcKpxT2ZMh1-7rjt4
 dissect/target/plugins/os/unix/linux/proc.py,sha256=jm35fAasnNbObN2tpflwQuCfVYLDkTP2EDrzYG42ZSk,23354
 dissect/target/plugins/os/unix/linux/processes.py,sha256=sTQqZYPW-_gs7Z3f0wwsV6clUX4NK44GGyMiZToBIrg,1936
 dissect/target/plugins/os/unix/linux/services.py,sha256=-d2y073mOXUM3XCzRgDVCRFR9eTLoVuN8FsZVewHzRg,4075
-dissect/target/plugins/os/unix/linux/sockets.py,sha256=l7Zq4J_xioyl8V7-Q9GLStOyYLNrcpKoWWWSzJaSIZQ,9765
+dissect/target/plugins/os/unix/linux/sockets.py,sha256=11de73KiF2D2s1eyPBA4EWDpNsEzOunbj3YqSlMYZ2Y,9765
 dissect/target/plugins/os/unix/linux/android/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/os/unix/linux/android/_os.py,sha256=trmESlpHdwVu7wV18RevEhh_TsVyfKPFCd5Usb5-fSU,2056
 dissect/target/plugins/os/unix/linux/debian/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -336,10 +336,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=j1K1iKmspl0C_OJFc7-Q1BMWN2OCC5EVANIgVlJ_fIE,1673
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.17.dev13.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.17.dev13.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.17.dev13.dist-info/METADATA,sha256=r2xQoOApd3QGiaNTpuo27XM3t1YkKLaNSLkywaWejJ8,11300
-dissect.target-3.17.dev13.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-dissect.target-3.17.dev13.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
-dissect.target-3.17.dev13.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.17.dev13.dist-info/RECORD,,
+dissect.target-3.17.dev17.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.17.dev17.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.17.dev17.dist-info/METADATA,sha256=BAALMIovnkuqmnNGuxrQv3CM7ptX_oBXUyLi_LRWAPs,11300
+dissect.target-3.17.dev17.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+dissect.target-3.17.dev17.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
+dissect.target-3.17.dev17.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.17.dev17.dist-info/RECORD,,

dissect/target/plugins/child/mqtt.py

@@ -1,35 +0,0 @@
-from __future__ import annotations
-
-from typing import TYPE_CHECKING, Iterator
-
-from flow.record.fieldtypes import posix_path
-
-from dissect.target.exceptions import UnsupportedPluginError
-from dissect.target.helpers.record import ChildTargetRecord
-from dissect.target.plugin import ChildTargetPlugin
-
-if TYPE_CHECKING:
-    from dissect.target.target import Target
-
-
-class MQTT(ChildTargetPlugin):
-    """Child target plugin that yields from remote broker."""
-
-    __type__ = "mqtt"
-
-    PATH = "/remote/data/hosts.txt"
-    FOLDER = "/remote/hosts"
-
-    def __init__(self, target: Target):
-        super().__init__(target)
-
-    def check_compatible(self) -> None:
-        if not self.target.props.get("mqtt") or not self.target.fs.path(self.PATH).exists():
-            raise UnsupportedPluginError("No remote children.txt file found.")
-
-    def list_children(self) -> Iterator[ChildTargetRecord]:
-        hosts = self.target.fs.path(self.PATH).read_text(encoding="utf-8").split("\n")
-        for index, host in enumerate(hosts):
-            yield ChildTargetRecord(
-                type=self.__type__, path=posix_path(f"{self.FOLDER}/host{index}-{host}"), _target=self.target
-            )