Firmware Slap - Discovering Vulnerabilities in Firmware through Concolic Analysis and Function Clustering


Firmware Slap combines concolic analysis with function clustering for vulnerability discovery and function similarity in firmware. Firmware Slap is built as a series of libraries and exports most information as either pickles or JSON for integration with other tools.

Slides from the talk can be found here

Setup
Firmware Slap should be run in a virtual environment. It has been tested on Python 3.6.

    python setup.py install

You will need rabbitmq and (radare2 or Ghidra):

    # Ubuntu
    sudo apt install rabbitmq-server
    # OSX
    brew install rabbitmq

    # Radare2
    git clone https://github.com/radare/radare2.git
    sudo ./radare2/sys/install.sh

    # Ghidra
    wget https://ghidra-sre.org/ghidra_9.0.4_PUBLIC_20190516.zip
    unzip ghidra_9.0.4_PUBLIC_20190516.zip -d ghidra
    echo "export PATH=\$PATH:$PWD/ghidra/ghidra_9.0.4/support" >> ~/.bashrc
If you want to use the Elasticsearch features, run the Elasticsearch_and_kibana.sh script.

Quickstart
Ensure rabbitmq-server is running.

    # In a separate terminal
    celery -A firmware_slap.celery_tasks worker --loglevel=info

    # Basic buffer overflow
    Discover_And_Dump.py examples/iwconfig

    # Command injection
    tar -xvf examples/Almond_libs.tar.gz
    Vuln_Discover_Celery.py examples/upload.cgi -L Almond_Root/lib/

Usage
    # Get the firmware used for the examples
    wget https://firmware.securifi.com/AL3_64MB/AL3-R024-64MB
    binwalk -Mre AL3-R024-64MB

Start a celery worker from the project root directory:

    # In a separate terminal
    celery -A firmware_slap.celery_tasks worker --loglevel=info

In a different terminal window, run a vulnerability discovery job:

    $ Vuln_Discover_Celery.py Almond_Root/etc_ro/lighttpd/www/cgi-bin/upload_bootloader.cgi -L Almond_Root/lib/
    [+] Getting argument functions
    [+] Analyzing 1 functions
      0%|                                                                   | 0/1 [00:01

The returned vulnerability object
The command above will return an object in the result variable. This is a dictionary with all sorts of useful information about the vulnerability. Of its five keys, three carry the bulk of the information: the function arguments, the memory, and the injected location.

    In [3]: result.keys()
    Out[3]: dict_keys(['args', 'file_name', 'type', 'mem', 'Injected_Location'])

args
The args key details the recovered arguments and what their values must be to recreate the vulnerability. In the example below, one argument is recovered, and to trigger the command injection that argument must be a char* that contains "`reboot`". The value is printed as the pointer followed by the bytes it must point at ("0x0 -> b'...'"); the type shown ('int') is the type as recovered, not the type the code actually treats the argument as.

    In [1]: result['args']
    Out[1]:
    [{'base': 'a1',
      'type': 'int',
      'value': "0x0 -> b'`reboot`\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x00'"}]

Memory
The memory component of the object keeps track of the memory values that must be set to trigger the vulnerability. It also records stack addresses and .text addresses together with the offending instructions, so the required memory constraints can be placed. The first memory event required is at mtd_write_firmware+0x0 and the second is at mtd_write_firmware+0x38. The disassembly is included to make future display work easier.

    In [2]: result['mem']
    Out[2]:
    [{'BBL_ADDR': '0x401138',
      'BBL_DESC': {'DESCRIPTION': 'mtd_write_firmware+0x0 in upload_bootloader.cgi (0x401138)',
       'DISASSEMBLY': ['0x401138:\tlui\t$gp, 0x42',
        '0x40113c:\taddiu\t$sp, $sp, -0x228',
        '0x401140:\taddiu\t$gp, $gp, -0x5e90',
        '0x401144:\tlw\t$t9, -0x7f84($gp)',
        '0x401148:\tsw\t$a2, 0x10($sp)',
        '0x40114c:\tlui\t$a2, 0x40',
        '0x401150:\tmove\t$a3, $a1',
        '0x401154:\tsw\t$ra, 0x224($sp)',
        '0x401158:\tsw\t$gp, 0x18($sp)',
        '0x40115c:\tsw\t$a0, 0x14($sp)',
        '0x401160:\taddiu\t$a1, $zero, 0x200',
        '0x401164:\taddiu\t$a0, $sp, 0x20',
        '0x401168:\tjalr\t$t9',
        '0x40116c:\taddiu\t$a2, $a2, 0x196c']},
      'DATA': "b'`reboot`\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'",
      'DATA_ADDRS': ['0x0']},
     {'BBL_ADDR': '0x401170',
      'BBL_DESC': {'DESCRIPTION': 'mtd_write_firmware+0x38 in upload_bootloader.cgi (0x401170)',
       'DISASSEMBLY': ['0x401170:\tlw\t$gp, 0x18($sp)',
        '0x401174:\tnop\t',
        '0x401178:\tlw\t$t9, -0x7f68($gp)',
        '0x40117c:\tnop\t',
        '0x401180:\tjalr\t$t9',
        '0x401184:\taddiu\t$a0, $sp, 0x20']},
      'DATA': "b'/bin/mtd_write -o 0 -l 0 write `reboot`'",
      'DATA_ADDRS': ['0x7ffefe07']}]

Command Injection Specific
Since command injections are the easiest to demonstrate, I've added a convenience dictionary key that shows the location of the command injection directly.

    In [4]: result['Injected_Location']
    Out[4]: {'base': '0x7ffefde8', 'type': 'char *', 'value': '/bin/mtd_write -o 0 -l 0 write `reboot`'}
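The three sections above describe the result object piece by piece. The following is an added example, not code from the Firmware Slap project: it consumes a result dictionary of the shape shown above ('args', 'file_name', 'type', 'mem', 'Injected_Location') and turns it into a compact report of what must hold to trigger the finding: argument values, the memory writes each basic block needs, and the injected command with the shell metacharacters that got through. SAMPLE_RESULT is constructed from the upload_bootloader.cgi values printed above with the padding runs shortened; the 'type' string is an assumption, since the page never prints that key.

```python
"""Summarise a Firmware Slap vulnerability object (added example)."""
import json
import pickle
import re

# Constructed sample, abbreviated from the upload_bootloader.cgi run above.
SAMPLE_RESULT = {
    "file_name": "upload_bootloader.cgi",
    "type": "Command Injection",  # assumed label; not shown on the page
    "args": [
        {"base": "a1", "type": "int",
         "value": "0x0 -> b'`reboot`\\x01\\x01\\x01\\x01\\x00'"},
    ],
    "mem": [
        {"BBL_ADDR": "0x401138",
         "BBL_DESC": {
             "DESCRIPTION": "mtd_write_firmware+0x0 in upload_bootloader.cgi (0x401138)",
             "DISASSEMBLY": ["0x401138:\tlui\t$gp, 0x42", "0x401168:\tjalr\t$t9"]},
         "DATA": "b'`reboot`\\x01\\x01\\x01\\x01\\x00'",
         "DATA_ADDRS": ["0x0"]},
        {"BBL_ADDR": "0x401170",
         "BBL_DESC": {
             "DESCRIPTION": "mtd_write_firmware+0x38 in upload_bootloader.cgi (0x401170)",
             "DISASSEMBLY": ["0x401170:\tlw\t$gp, 0x18($sp)", "0x401180:\tjalr\t$t9"]},
         "DATA": "b'/bin/mtd_write -o 0 -l 0 write `reboot`'",
         "DATA_ADDRS": ["0x7ffefe07"]},
    ],
    "Injected_Location": {"base": "0x7ffefde8", "type": "char *",
                          "value": "/bin/mtd_write -o 0 -l 0 write `reboot`"},
}

SHELL_METACHARS = set("`$;|&<>(){}\n")


def load_result(path):
    """Load a dumped result. Prefer JSON; only unpickle files you produced
    yourself, because pickle.load executes code embedded in the file."""
    if path.endswith(".json"):
        with open(path) as fh:
            return json.load(fh)
    with open(path, "rb") as fh:
        return pickle.load(fh)


def decode_data(repr_str):
    """Turn the "b'...'" text stored in DATA and args back into real bytes."""
    match = re.fullmatch(r"b'(.*)'", repr_str, re.S)
    if match is None:
        raise ValueError("not a bytes repr: %r" % repr_str)
    return match.group(1).encode("latin-1").decode("unicode_escape").encode("latin-1")


def parse_arg(arg):
    """A value of the form "0x0 -> b'...'" is a pointer followed by the bytes
    it must point at; a bare hex value is a scalar (points_to stays None)."""
    head, arrow, payload = arg["value"].partition(" -> ")
    parsed = {"register": arg["base"], "type": arg["type"],
              "value": int(head, 16), "points_to": None}
    if arrow:
        parsed["points_to"] = decode_data(payload)
    return parsed


def memory_writes(result):
    """One record per constrained memory region: address, size, bytes, and
    the function+offset of the basic block that consumes it."""
    writes = []
    for entry in result["mem"]:
        data = decode_data(entry["DATA"])
        block = entry["BBL_DESC"]["DESCRIPTION"].split(" in ")[0]
        for addr in entry["DATA_ADDRS"]:
            writes.append({"addr": int(addr, 16), "size": len(data), "data": data,
                           "block": block, "bbl_addr": int(entry["BBL_ADDR"], 16)})
    return writes


def injected_command(result):
    """The string that reaches the sink and the shell metacharacters in it,
    i.e. the characters the input filter evidently let through."""
    cmd = result["Injected_Location"]["value"]
    return cmd, sorted(SHELL_METACHARS & set(cmd))


def summarize(result):
    """JSON-serialisable report for the whole vulnerability object."""
    cmd, metachars = injected_command(result)
    args = [parse_arg(a) for a in result["args"]]
    return {
        "binary": result["file_name"],
        "type": result["type"],
        "args": [{**a, "points_to": a["points_to"].hex() if a["points_to"] else None}
                 for a in args],
        "memory": [{**w, "data": w["data"].hex()} for w in memory_writes(result)],
        "injected_command": cmd,
        "metacharacters": metachars,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RESULT), indent=2))
```

The metacharacter list is the useful triage output: a backtick surviving into a `/bin/mtd_write ... write` argument tells you exactly which character class the CGI failed to reject, which is what you need for both the fix and the proof-of-concept request.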

Sample Vulnerability Cluster Script
The vulnerability cluster script will attempt to find vulnerabilities using the method in the Sample Vulnerability Discovery script, and then build k-means clusters of a set of given functions across an extracted firmware to find functions similar to the vulnerable ones.

    $ Vuln_Cluster_Celery.py -h
    usage: Vuln_Cluster_Celery.py [-h] [-L LD_PATH] [-F FUNCTION] [-V VULN_PICKLE]
                                  Directory

    positional arguments:
      Directory

    optional arguments:
      -h, --help            show this help message and exit
      -L LD_PATH, --LD_PATH LD_PATH
                            Path to libraries to load
      -F FUNCTION, --Function FUNCTION
      -V VULN_PICKLE, --Vuln_Pickle VULN_PICKLE

The command below takes -F as a known vulnerable function, -V as a dumped pickle from a previous run so that new vulnerabilities do not have to be rediscovered, and -L as the library path. A sample usage:

    $ python Vuln_Cluster_Celery.py -F mtd_write_firmware -L Almond_Root/lib/ Almond_Root/etc_ro/lighttpd/www/cgi-bin/
    [+] Reading Files
    100%|████████████████████████████████████████████████████████████████████| 1/1 [00:00<00:00,  2.80it/s]
    Getting functions from executables
    Starting main
    ... Snip ...
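To make the clustering step concrete, here is an added example that is not code from the Firmware Slap project: a small pure-Python k-means over per-function feature vectors that reports which functions land in the same cluster as a known vulnerable one (the role -F plays above). The five features (basic blocks, call sites, calls to command-executing functions such as system/popen, string references, stack frame size) and the function table are constructed to resemble the upload_bootloader.cgi case; the project's own feature extraction may use different features.

```python
"""Find functions that cluster with a known vulnerable one (added example)."""

# Constructed feature table, not real measurements:
# (basic blocks, call sites, command-executing calls, string refs, stack frame)
FUNCTION_FEATURES = {
    "mtd_write_firmware": (6, 5, 1, 3, 0x228),   # known vulnerable (see above)
    "mtd_write_rootfs":   (6, 5, 1, 3, 0x220),
    "mtd_write_uboot":    (7, 6, 1, 4, 0x230),
    "parse_boundary":     (14, 2, 0, 1, 0x40),
    "read_multipart":     (15, 3, 0, 2, 0x48),
    "hex_to_int":         (3, 0, 0, 0, 0x10),
    "cgi_usage":          (2, 1, 0, 1, 0x18),
}


def normalize(features):
    """Min-max scale each column to [0, 1] so the stack frame size does not
    dominate the distance; a constant column becomes all zeros."""
    names = list(features)
    columns = list(zip(*(features[n] for n in names)))
    lo = [min(c) for c in columns]
    span = [(max(c) - min(c)) or 1 for c in columns]
    return {n: tuple((v - l) / s for v, l, s in zip(features[n], lo, span))
            for n in names}


def sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def kmeans(points, k, seed):
    """k-means with deterministic farthest-first initialisation: the first
    centroid is the seed function, each further one is the point farthest
    from its nearest existing centroid. Returns {name: cluster index}."""
    centroids = [points[seed]]
    while len(centroids) < k:
        far = max(points, key=lambda n: min(sq_dist(points[n], c) for c in centroids))
        centroids.append(points[far])
    labels = {}
    for _ in range(100):
        new = {n: min(range(k), key=lambda i: sq_dist(p, centroids[i]))
               for n, p in points.items()}
        if new == labels:          # assignments stable: converged
            break
        labels = new
        for i in range(k):
            members = [points[n] for n, l in labels.items() if l == i]
            if members:            # an empty cluster keeps its old centroid
                centroids[i] = tuple(sum(col) / len(members) for col in zip(*members))
    return labels


def similar_functions(features, vulnerable, k=3):
    """Sorted names sharing a cluster with the vulnerable function."""
    labels = kmeans(normalize(features), k, vulnerable)
    target = labels[vulnerable]
    return sorted(n for n, l in labels.items() if l == target and n != vulnerable)


if __name__ == "__main__":
    for name in similar_functions(FUNCTION_FEATURES, "mtd_write_firmware"):
        print("review for the same bug:", name)
```

On this data the two other mtd_write_* helpers share a cluster with mtd_write_firmware while the multipart parsing and utility functions fall into their own clusters, which is the triage list the clustering is meant to produce: candidates that are worth pushing through the same concolic analysis, not confirmed findings.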