ChrisTheCoolHut / Firmware_Slap

Discovering vulnerabilities in firmware through concolic analysis and function clustering.
GNU General Public License v3.0

Not getting results from running the example (exiting prematurely?) #16

Open Alien-AV opened 5 years ago

Alien-AV commented 5 years ago

After running the example from usage, I'm not getting the described results. It seems like it's exiting prematurely after a 98% mark. Or the results are placed somewhere I can't guess. I'm not dropped into a python REPL.

Any ideas why it happens? I didn't create a python virtualenv, because this VM is only used for slap anyway. Is it critical?

alienav@av-firmware-slap:~/Firmware_Slap$ Vuln_Discover_Celery.py _AL3-R024-64MB.extracted/_40.extracted/_7262CC.extracted/cpio-root/etc_ro/lighttpd/www/cgi-bin/upload_bootloader.cgi -L _AL3-R024-64MB.extracted/_40.extracted/_7262CC.extracted/cpio-root/lib/
[+] Getting argument functions
analyzeHeadless /tmp/tmpvgrhxoa3 project_upload_bootloader.cgi
        -max-cpu 1
        -import /home/alienav/Firmware_Slap/_AL3-R024-64MB.extracted/_40.extracted/_7262CC.extracted/cpio-root/etc_ro/lighttpd/www/cgi-bin/upload_bootloader.cgi
        -scriptPath /usr/local/lib/python3.6/dist-packages/Firmware_Slap-1.0-py3.6.egg/firmware_slap/ghidra_scripts
        -preScript /usr/local/lib/python3.6/dist-packages/Firmware_Slap-1.0-py3.6.egg/firmware_slap/ghidra_scripts/SetDecompilerOptions.py
        -postScript /usr/local/lib/python3.6/dist-packages/Firmware_Slap-1.0-py3.6.egg/firmware_slap/ghidra_scripts/DumpFunctions.py "/tmp/tmpvgrhxoa3/upload_bootloader.cgi"
/tmp/tmpvgrhxoa3/upload_bootloader.cgi
[+] Analyzing 44 functions
[~] Finding all the vulnerabilities:  11%|██████████████████▊                                                                                                                                                  | 5/44 [00:09<01:04,  1.66s/it]
Found Command Injection in write_flash_kernel_version in /home/alienav/Firmware_Slap/_AL3-R024-64MB.extracted/_40.extracted/_7262CC.extracted/cpio-root/etc_ro/lighttpd/www/cgi-bin/upload_bootloader.cgi
[~] Finding all the vulnerabilities:  16%|██████████████████████████▎                                                                                                                                          | 7/44 [02:18<23:52, 38.72s/it]
Found Command Injection in mtd_write_firmware in /home/alienav/Firmware_Slap/_AL3-R024-64MB.extracted/_40.extracted/_7262CC.extracted/cpio-root/etc_ro/lighttpd/www/cgi-bin/upload_bootloader.cgi
[~] Finding all the vulnerabilities:  18%|██████████████████████████████                                                                                                                                       | 8/44 [02:28<18:04, 30.12s/it]
Found Command Injection in mtd_write_bootloader in /home/alienav/Firmware_Slap/_AL3-R024-64MB.extracted/_40.extracted/_7262CC.extracted/cpio-root/etc_ro/lighttpd/www/cgi-bin/upload_bootloader.cgi
[~] Finding all the vulnerabilities:  98%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████▎   | 43/44 [08:16<00:01,  1.52s/it]
alienav@av-firmware-slap:~/Firmware_Slap$
ChrisTheCoolHut commented 5 years ago

It looks like it ran correctly. Did Vulnerable_Pickle get created? I should move the result dumping to its own library and use that, like Discover and Dump does.

It printed out:

Found Command Injection in write_flash_kernel_version in /home/alienav/Firmware_Slap/_AL3-R024-64MB.extracted/_40.extracted/_7262CC.extracted/cpio-root/etc_ro/lighttpd/www/cgi-bin/upload_bootloader.cgi

Which means it thinks that write_flash_kernel_version is a command injection (hint: It is). It should then dump that information to the vulnerable pickle at the end.

If you're looking to recreate all the CVEs from the demos, you'll need to up the timeouts and memory limits set in Vuln_Discover_Celery and run it against all of the cgi binaries:

Vuln_Discover_Celery.py _AL3-R024-64MB.extracted/_40.extracted/_7262CC.extracted/cpio-root/etc_ro/lighttpd/www/cgi-bin/ -L _AL3-R024-64MB.extracted/_40.extracted/_7262CC.extracted/cpio-root/lib/

Check out #10 for a way to view those results in a pretty format. I'm trying to get #2 pushed soon so we can just use the elastic/kibana view

Alien-AV commented 5 years ago

The Vulnerable_Pickle was indeed created; I managed to print the values from it.

Copy-pasting the way to print the pickle for future reference:

import pickle
from firmware_slap.ghidra_handler import print_function

# Path to the results pickle written by Vuln_Discover_Celery.py
pickle_name = "Your_results.pickle"

# The pickle holds a list of result entries, one per finding
with open(pickle_name, 'rb') as f:
    results = pickle.load(f)

# Pretty-print each finding with the project's own helper
for result in results:
    print_function(result)

I feel that the README should be edited to better represent what a user would see when running those commands. Also, I don't understand what the different scripts in the bin directory do (without reading them). Can you add a short description in the readme?

Thanks :)
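A plain pickle.load() will execute whatever the pickle tells it to, so it is worth knowing that the results file you are loading is the one Firmware_Slap wrote. The script below is an added example, not part of Firmware_Slap and not the code posted above: it loads a results pickle through an unpickler that only reconstructs classes from the project's own modules (an assumption about where its result classes live), refuses anything else, and prints a schema-agnostic summary. The sample findings and their field names (vuln_type, func_name, file_name) are constructed for the demo and are not the project's actual schema.

```python
"""Load and summarise a Firmware_Slap results pickle without running
arbitrary code from it.

Added example, not Firmware_Slap's own code. Assumptions: the project's
result classes live under the firmware_slap package, and each result is a
dict or a plain object; the field names used by the sample data are made up.
"""
import io
import pickle
from collections import Counter

# Only classes from these modules may be reconstructed. Plain containers
# (dict, list, str, bytes, int) never go through find_class, so they load
# regardless. Assumption: project result classes live under firmware_slap.
ALLOWED_MODULE_PREFIXES = ("firmware_slap",)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse any global lookup outside the allowlist (e.g. os.system)."""

    def find_class(self, module, name):
        if module.split(".")[0] in ALLOWED_MODULE_PREFIXES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def load_results(data: bytes):
    """Unpickle a results blob with the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_results_file(path):
    """Same as load_results, reading the pickle from disk."""
    with open(path, "rb") as f:
        return load_results(f.read())


def is_rejected(data: bytes) -> bool:
    """True if the restricted unpickler refuses this blob."""
    try:
        load_results(data)
    except pickle.UnpicklingError:
        return True
    return False


def fields(result):
    """Dict keys, or public attributes, whatever the result object is."""
    if isinstance(result, dict):
        return dict(result)
    return {k: v for k, v in getattr(result, "__dict__", {}).items()
            if not k.startswith("_")}


def summarise(results):
    """Return one row per finding plus a count of findings per vuln_type."""
    rows = [fields(r) for r in results]
    counts = Counter(str(row.get("vuln_type", "unknown")) for row in rows)
    return rows, counts


# Constructed sample standing in for a real Vulnerable_Pickle; the field
# names are assumptions, not Firmware_Slap's actual schema.
SAMPLE_RESULTS = [
    {"vuln_type": "Command Injection", "func_name": "write_flash_kernel_version",
     "file_name": "cgi-bin/upload_bootloader.cgi"},
    {"vuln_type": "Command Injection", "func_name": "mtd_write_firmware",
     "file_name": "cgi-bin/upload_bootloader.cgi"},
]
SAMPLE_PICKLE = pickle.dumps(SAMPLE_RESULTS)

# Hand-built protocol-0 pickle: GLOBAL os.system, then REDUCE with ("id",).
# pickle.load() would run `id`; the restricted unpickler stops at the GLOBAL.
TAMPERED_PICKLE = b"cos\nsystem\n(S'id'\ntR."


def demo():
    rows, counts = summarise(load_results(SAMPLE_PICKLE))
    for row in rows:
        print(f"{row['vuln_type']:18} {row['func_name']:30} {row['file_name']}")
    print(dict(counts))
    print("tampered pickle rejected:", is_rejected(TAMPERED_PICKLE))


if __name__ == "__main__":
    demo()
```

To run it on a real results file, call load_results_file("Vulnerable_Pickle") and pass the result to summarise(); if the project's result objects come from a module outside firmware_slap, the unpickler will name it in the error and you can extend ALLOWED_MODULE_PREFIXES deliberately rather than by default.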

ChrisTheCoolHut commented 5 years ago

@Alien-AV I just updated the README and added some of the elastic search/kibana stuff. Check it out, it might be a better way to visualize some of the returned vulnerability results. 05ea0514d7f870e350393afabee9cd4c4e518c7f