binarly-io / fwhunt-scan

Tools for analyzing UEFI firmware and checking UEFI modules with FwHunt rules
GNU General Public License v3.0

ValueError: bytes_le is not a 16-char string #49

Closed m-1-k-3 closed 2 years ago

m-1-k-3 commented 2 years ago

Currently testing fwhunt-scan on Kali Linux:

sudo python3 ./fwhunt_scan_analyzer.py scan /home/m1k3/firmware_stuff/Firmware_images/UEFI-Bios/bc0064.cap -r FwHunt/rules/Vulnerabilities/HP/BRLY-2021-007.yml -r FwHunt/rules/Vulnerabilities/HP/BRLY-2021-005.yml -r FwHunt/rules/Vulnerabilities/HP/BRLY-2022-010.yml -r FwHunt/rules/Vulnerabilities/HP/BRLY-2021-034.yml -r FwHunt/rules/Vulnerabilities/HP/BRLY-2021-040.yml -r <snip>

Was running into the following exception:

  File "/home/m1k3/git-repos/fwhunt-scan/fwhunt_scan/uefi_smm.py", line 269, in get_child_sw_smi_handler_bb
    handler_guid = str(uuid.UUID(bytes_le=guid_b)).upper()
  File "/usr/lib/python3.10/uuid.py", line 181, in __init__
    raise ValueError('bytes_le is not a 16-char string')
ValueError: bytes_le is not a 16-char string

Quick and dirty fix:

~/git-repos/fwhunt-scan/fwhunt_scan/uefi_smm.py - Line 269:
                try:
                    handler_guid = str(uuid.UUID(bytes_le=guid_b)).upper()
                except ValueError:
                    # guid_b is not exactly 16 bytes, so uuid.UUID() rejects it
                    pass

yeggor commented 2 years ago

Thank you. You pass the capsule file to the input of the analyzer. Not surprisingly, it fails with an exception. The scanner can be used in two ways:

As far as I understand, you are trying to scan this file:

This is a capsule in AMIPFAT format, which we need to unpack first. AMI_PFAT_Extract should work just fine.

After using AMI_PFAT_Extract you will find this file bc0064.cap_extracted/bc0064.cap -- 1_00 -- AMI_PFAT_1_DATA_ALL.bin. This is the unpacked firmware file, which will be perfectly parsed by UEFITool or uefi_firmware (used by fwhunt_scan).

To scan this file with fwhunt_scan, you can use the command: python3 fwhunt_scan_analyzer.py scan-firmware ~/Downloads/bc0064.cap_extracted/bc0064.cap\ --\ 1_00\ --\ AMI_PFAT_1_DATA_ALL.bin --rules_dir ~/github/FwHunt/rules/Vulnerabilities/AMI

yeggor commented 2 years ago

@m-1-k-3 I've added a check for the bytes_le argument before converting it to a uuid. Let me know if you have any other problems using fwhunt_scan.

m-1-k-3 commented 2 years ago

@yeggor now I got the same results. Thank you for your support.
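
The length check mentioned in the thread, sketched as an added example (this is not fwhunt-scan's actual code): a GUID read that validates the slice before calling uuid.UUID(bytes_le=...), so truncated data is reported instead of raising. The names read_guid, collect_guids and the SAMPLE buffer are hypothetical and constructed for illustration.

```python
import uuid
from typing import Dict, Iterable, List, Optional, Tuple

GUID_SIZE = 16  # an EFI GUID always occupies 16 bytes


def read_guid(data: bytes, offset: int) -> Optional[str]:
    """Return the GUID at `offset` as an upper-case string, or None when
    fewer than 16 bytes are available there."""
    if offset < 0:
        return None  # a negative index would silently slice from the end
    # Slicing never raises: close to the end of a buffer it returns a short
    # (or empty) bytes object, and that is what uuid.UUID() rejects with
    # "bytes_le is not a 16-char string".
    raw = data[offset:offset + GUID_SIZE]
    if len(raw) != GUID_SIZE:
        return None
    # bytes_le: the first three fields are little-endian, as EFI stores them
    return str(uuid.UUID(bytes_le=raw)).upper()


def collect_guids(
    data: bytes, offsets: Iterable[int]
) -> Tuple[Dict[int, str], List[int]]:
    """Resolve candidate offsets, keeping the truncated ones for reporting
    rather than hiding them behind a bare except."""
    found: Dict[int, str] = {}
    skipped: List[int] = []
    for off in offsets:
        guid = read_guid(data, off)
        if guid is None:
            skipped.append(off)
        else:
            found[off] = guid
    return found, skipped


# Constructed sample: 4 padding bytes, one full GUID, then 7 stray bytes
SAMPLE_GUID = "01234567-89AB-CDEF-0123-456789ABCDEF"
SAMPLE = b"\x00" * 4 + uuid.UUID(SAMPLE_GUID).bytes_le + b"\xff" * 7

if __name__ == "__main__":
    found, skipped = collect_guids(SAMPLE, [4, 20, 27, 100])
    print("GUIDs:", found)
    print("offsets with truncated data:", skipped)
```

A non-empty skipped list is a hint that the input was not parsed as expected, for example a packed capsule passed in place of an unpacked firmware image.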