[+] Getting argument functions
[+] Analyzing 14 functions
[~] Finding all the vulnerabilities: 93%|████████████████████████████████▌ | 13/14 [09:26<00:43, 43.55s/it]
It doesn't find the injection vulnerability. There is an error I can see in the celery log:
[2020-09-23 18:39:57,990: INFO/MainProcess] Received task: firmware_slap.celery_tasks.async_trace_func[530d180a-3aab-4b42-a179-26f31b0b2c47]
[2020-09-23 18:40:05,244: ERROR/ForkPoolWorker-3] Task firmware_slap.celery_tasks.async_trace_func[05e27192-2f3c-4199-acd7-0d30210d8614] raised unexpected: TypeError('Must provide size to load')
Traceback (most recent call last):
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/celery/app/trace.py", line 412, in trace_task
R = retval = fun(*args, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/celery/app/trace.py", line 704, in __protected_call__
return self.run(*args, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/firmware_slap/celery_tasks.py", line 27, in async_trace_func
proj, simgr = do_trace(start_addr,
File "/home/bitnomad/Tools/Firmware_Slap/firmware_slap/function_analyzer.py", line 274, in do_trace
simgr.explore(step_func=check_mem_corrupt)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/sim_manager.py", line 239, in explore
self.run(stash=stash, n=n, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/sim_manager.py", line 261, in run
self.step(stash=stash, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/misc/hookset.py", line 75, in __call__
result = current_hook(self.func.__self__, *args, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/exploration_techniques/explorer.py", line 96, in step
return simgr.step(stash=stash, extra_stop_points=base_extra_stop_points | self._extra_stop_points, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/misc/hookset.py", line 80, in __call__
return self.func(*args, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/sim_manager.py", line 346, in step
successors = self.step_state(state, successor_func=successor_func, **run_args)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/sim_manager.py", line 383, in step_state
successors = self.successors(state, successor_func=successor_func, **run_args)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/sim_manager.py", line 422, in successors
return self._project.factory.successors(state, **run_args)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/factory.py", line 60, in successors
return self.default_engine.process(*args, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/engines/vex/light/slicing.py", line 19, in process
return super().process(*args, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/engines/engine.py", line 149, in process
self.process_successors(self.successors, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/engines/failure.py", line 21, in process_successors
return super().process_successors(successors, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/engines/syscall.py", line 18, in process_successors
return super().process_successors(successors, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/engines/hook.py", line 61, in process_successors
return self.process_procedure(state, successors, procedure, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/engines/procedure.py", line 37, in process_procedure
inst = procedure.execute(state, successors, ret_to=ret_to)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/sim_procedure.py", line 226, in execute
r = getattr(inst, inst.run_func)(*sim_args, **inst.kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/firmware_slap/command_injection.py", line 111, in run
self.check_exploitable(cmd)
File "/home/bitnomad/Tools/Firmware_Slap/firmware_slap/command_injection.py", line 11, in check_exploitable
value = self.state.memory.load(cmd)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/storage/memory_mixins/unwrapper_mixin.py", line 14, in load
return super().load(_raw_ast(addr),
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/storage/memory_mixins/name_resolution_mixin.py", line 57, in load
return super().load(addr, size=size, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/storage/memory_mixins/bvv_conversion_mixin.py", line 28, in load
return super().load(addr, size=size, fallback=fallback_bv, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/storage/memory_mixins/clouseau_mixin.py", line 53, in load
return super().load(addr,
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/storage/memory_mixins/actions_mixin.py", line 13, in load
r = super().load(addr, size=size, condition=condition, fallback=fallback, action=action, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/storage/memory_mixins/underconstrained_mixin.py", line 17, in load
return super().load(addr, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/storage/memory_mixins/size_resolution_mixin.py", line 69, in load
return super().load(addr, size=size, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/storage/memory_mixins/size_resolution_mixin.py", line 20, in load
raise TypeError("Must provide size to load")
TypeError: Must provide size to load
It seems like angr is requiring a size to load. I didn't find a file where I could set a value.
Hi,
when running the example with the provided cgi example:
I get this output:
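An added example, not part of the original report or of Firmware_Slap: a small traceback parser that picks the deepest frame outside `site-packages`, which is the project call that reaches angr's `load` without a size. The function names are hypothetical; the frames are copied from the celery log on this page.

```python
import re

# Frames copied from the celery traceback on this page (only the last few).
TRACEBACK = '''\
File "/home/bitnomad/Tools/Firmware_Slap/firmware_slap/command_injection.py", line 111, in run
self.check_exploitable(cmd)
File "/home/bitnomad/Tools/Firmware_Slap/firmware_slap/command_injection.py", line 11, in check_exploitable
value = self.state.memory.load(cmd)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/storage/memory_mixins/unwrapper_mixin.py", line 14, in load
return super().load(_raw_ast(addr),
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/storage/memory_mixins/size_resolution_mixin.py", line 20, in load
raise TypeError("Must provide size to load")
TypeError: Must provide size to load
'''

FRAME_RE = re.compile(
    r'^\s*File "(?P<path>[^"]+)", line (?P<line>\d+), in (?P<func>\S+)\s*$'
)


def parse_frames(text):
    """Return the traceback frames in call order as dicts."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw)
        if m:
            frames.append({"path": m["path"], "line": int(m["line"]),
                           "func": m["func"], "code": ""})
        elif frames and not frames[-1]["code"] and raw.strip():
            # First non-empty line after a File line is its source line.
            frames[-1]["code"] = raw.strip()
    return frames


def is_library(path):
    """Treat anything installed under site-packages/dist-packages as library code."""
    return "/site-packages/" in path or "/dist-packages/" in path


def last_project_frame(text):
    """Deepest frame in the project's own code, or None if there is none."""
    project = [f for f in parse_frames(text) if not is_library(f["path"])]
    return project[-1] if project else None


if __name__ == "__main__":
    frame = last_project_frame(TRACEBACK)
    print(f'{frame["path"]}:{frame["line"]} in {frame["func"]}: {frame["code"]}')
```

Run on the log above, it reports `command_injection.py`, line 11, in `check_exploitable`, the `self.state.memory.load(cmd)` call that passes no size.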