Open Alien-AV opened 5 years ago
It looks like it ran correctly. Did Vulnerable_Pickle get created? I should move the result dumping to its own library and use that, like Discover and Dump does.
It printed out:
Found Command Injection in write_flash_kernel_version in /home/alienav/Firmware_Slap/_AL3-R024-64MB.extracted/_40.extracted/_7262CC.extracted/cpio-root/etc_ro/lighttpd/www/cgi-bin/upload_bootloader.cgi
Which means it thinks that write_flash_kernel_version is a command injection (hint: it is). It should then dump that information to the vulnerable pickle at the end.
If you're looking to recreate all the CVEs from the demos you'll need to up the timeouts and memory limits set in Vuln_Discover_Celery and run it against all of the cgi-binaries:

```shell
Vuln_Discover_Celery.py _AL3-R024-64MB.extracted/_40.extracted/_7262CC.extracted/cpio-root/etc_ro/lighttpd/www/cgi-bin/ -L _AL3-R024-64MB.extracted/_40.extracted/_7262CC.extracted/cpio-root/lib/
```
Check out #10 for a way to view those results in a pretty format. I'm trying to get #2 pushed soon so we can just use the elastic/kibana view
The Vulnerable_Pickle was indeed created; I managed to print the values from it.
Copy-pasting the way to print the pickle for future reference:
```python
import pickle
from firmware_slap.ghidra_handler import print_function

pickle_name = "Your_results.pickle"
with open(pickle_name, 'rb') as f:
    results = pickle.load(f)

# One finding per entry in the list.
for result in results:
    print_function(result)
```
I feel that the README should be edited to better represent what a user would see when running those commands. Also, I don't understand what the different scripts in the bin directory do (without reading them). Can you add a short description in the readme?
Thanks :)
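An added example, not code from this thread or from Firmware_Slap: the snippet above hands the whole results file to pickle.load(), which imports and calls whatever globals the file names, so a results pickle you did not produce yourself is effectively untrusted code. The loader below admits only an explicit allow-list of globals and refuses everything else before it is imported. The record layout (type / func_name / file_name keys), the sample results and the hostile pickle are all constructed for the example; the real pickle's layout is whatever firmware_slap writes, so adjust the keys in summarize and, if a dump turns out to contain firmware_slap class instances, add those names to ALLOWED_GLOBALS deliberately rather than falling back to pickle.load().

```python
"""Added example: inspect a results pickle without trusting it."""
import io
import pickle

# Globals a plain results dump may legitimately reference. Plain dict, list,
# str and int never reach find_class (they have dedicated opcodes), so only
# class/function references need listing. Extend this on purpose if the dump
# contains firmware_slap objects.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses any global outside ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        # Raised before the named callable is imported, let alone called.
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name}: not in ALLOWED_GLOBALS")


def load_results(data: bytes):
    """Deserialize a results pickle (as bytes) through the restricted loader."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_results_file(path: str):
    """Same as load_results, reading from a file on disk."""
    with open(path, "rb") as f:
        return load_results(f.read())


def is_loadable(data: bytes) -> bool:
    """True if the pickle references only allowed globals."""
    try:
        load_results(data)
    except pickle.UnpicklingError:
        return False
    return True


def summarize(results) -> list:
    """One line per record in the 'Found <type> in <func> in <path>' shape
    the tool prints. The record keys are an assumption for this example."""
    lines = []
    for record in results:
        lines.append("Found {} in {} in {}".format(
            record.get("type", "?"),
            record.get("func_name", "?"),
            record.get("file_name", "?")))
    return lines


# Constructed sample data, not real Firmware_Slap output.
SAMPLE_RESULTS = [
    {"type": "Command Injection",
     "func_name": "write_flash_kernel_version",
     "file_name": "cgi-bin/upload_bootloader.cgi"},
]
BENIGN_PICKLE = pickle.dumps(SAMPLE_RESULTS)

# Hand-written protocol-0 pickle equivalent to os.system('echo pwned'):
# GLOBAL os.system, MARK, STRING, TUPLE, REDUCE, STOP. pickle.loads() would
# run the command; the restricted loader rejects it inside find_class.
HOSTILE_PICKLE = b"cos\nsystem\n(S'echo pwned'\ntR."


if __name__ == "__main__":
    for line in summarize(load_results(BENIGN_PICKLE)):
        print(line)
    print("hostile pickle loadable:", is_loadable(HOSTILE_PICKLE))
```

Run it against a real dump with load_results_file("Your_results.pickle"); if it raises naming a firmware_slap class, that tells you exactly which name the file depends on, and you can decide whether to allow it.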
@Alien-AV I just updated the README and added some of the Elasticsearch/Kibana stuff. Check it out, it might be a better way to visualize some of the returned vulnerability results. 05ea0514d7f870e350393afabee9cd4c4e518c7f
After running the example from usage, I'm not getting the described results. It seems like it's exiting prematurely after a 98% mark. Or the results are placed somewhere I can't guess. I'm not dropped into a python REPL.
Any ideas why it happens? I didn't create a python virtualenv, because this VM is only used for slap anyway. Is it critical?