Firmware Slap - Discovering Vulnerabilities Inwards Firmware Through Concolic Analysis Too Percentage Clustering
Firmware slap combines concolic analysis amongst part clustering for vulnerability uncovering together with part similarity inwards firmware. Firmware slap is built every bit a serial of libraries together with exports most information every bit either pickles or JSON for integration amongst other tools.
Slides from the verbalize tin live institute here
Setup
Firmware slap should live run inwards a virtual environment. It has been tested on Python3.6
python setup.py install# Ubuntu sudo apt install rabbitmq-server # OSX brew install rabbitmq # Radare2 git clone https://github.com/radare/radare2.git sudo ./radare2/sys/install.sh # Ghidra wget https://ghidra-sre.org/ghidra_9.0.4_PUBLIC_20190516.zip unzip ghidra_9.0.4_PUBLIC_20190516.zip -d ghidra echo "export PATH=\$PATH:$PWD/ghidra/ghidra_9.0.4/support" >> /.bashrcElasticsearch_and_kibana.sh scriptQuickstart
Ensure rabbitmq-server is running.
# In a Separate terminal celery -A firmware_slap.celery_tasks worker --loglevel=info # Basic buffer overflow Discover_And_Dump.py examples/iwconfig # Command injection tar -xvf examples/Almond_libs.tar.gz Vuln_Discover_Celery.py examples/upload.cgi -L Almond_Root/lib/Usage
# Get the firmware used for examples wget https://firmware.securifi.com/AL3_64MB/AL3-R024-64MB binwalk -Mre AL3-R024-64MB# In a divide terminal celery -A firmware_slap.celery_tasks worker --loglevel=info$ Vuln_Discover_Celery.py Almond_Root/etc_ro/lighttpd/www/cgi-bin/upload_bootloader.cgi -L Almond_Root/lib/ [+] Getting declaration functions [+] Analyzing 1 functions 0%| | 0/1 [00:01The returned vulnerability object
The inwards a higher house ascendance volition render an object inwards the
result variable. This is a lexicon volition all sorts of awesome information virtually the vulnerability. There are iii major keys inwards the object: The part arguments, The memory, together with the injected location.In [3]: result.keys() Out[3]: dict_keys(['args', 'file_name', 'type', 'mem', 'Injected_Location'])args
The args telephone commutation volition especial information virtually the recovered declaration together with what the declaration values must live to recreate the vulnerability. In the below example, i declaration is recovered, together with to trigger the command injection that declaration must live a char* that contains "`reboot`" to trigger a reboot.
In [1]: result['args'] Out[1]: [{'base': 'a1', 'type': 'int', 'value': "0x0 -> b'`reboot`\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x00'"}]Memory
The retentiveness cistron of the object keeps runway of the required retentiveness values ready to trigger the vulnerability. It also offers stack addresses together with .text addresses amongst the offending commands for setting the required retentiveness constraints. The kickoff retentiveness trial required is at
mtd_write_firmware+0x0 together with the minute is at mtd_write_firmware+0x38. Assembly is provided to assistance prettify hereafter display work.In [2]: result['mem'] Out[2]: [{'BBL_ADDR': '0x401138', 'BBL_DESC': {'DESCRIPTION': 'mtd_write_firmware+0x0 inwards upload_bootloader.cgi (0x401138)', 'DISASSEMBLY': ['0x401138:\tlui\t$gp, 0x42', '0x40113c:\taddiu\t$sp, $sp, -0x228', '0x401140:\taddiu\t$gp, $gp, -0x5e90', '0x401144:\tlw\t$t9, -0x7f84($gp)', '0x401148:\tsw\t$a2, 0x10($sp)', '0x40114c:\tlui\t$a2, 0x40', '0x401150:\tmove\t$a3, $a1', '0x401154:\tsw\t$ra, 0x224($sp)', '0x401158:\tsw\t$gp, 0x18($sp)', '0x40115c:\tsw\t$a0, 0x14($sp)', '0x401160:\taddiu\t$a1, $zero, 0x200', '0x401164:\taddiu\t$a0, $sp, 0x20', '0x401168:\tjalr\t$t9', '0x40116c:\taddiu\t$a2, $a2, 0x196c']}, 'DATA': "b'`reboot`\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01 \\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\ x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'", 'DATA_ADDRS': ['0x0']}, {'BBL_ADDR': '0x401170', 'BBL_DESC': {'DESCRIPTION': 'mtd_write_firmware+0x38 inwards upload_bootloader.cgi (0x401170)', 'DISASSEMBLY': ['0x401170:\tlw\t$gp, 0x18($sp)', '0x401174:\tnop\t', '0x401178:\tlw\t$t9, -0x7f68($gp)', '0x40117c:\tnop\t', '0x401180:\tjalr\t$t9', '0x401184:\taddiu\t$a0, $sp, 0x20']}, 'DATA': "b'/bin/mtd_write -o 0 -l 0 write `reboot`'", 'DATA_ADDRS': ['0x7ffefe07']}]Command Injection Specific
Since ascendance injections are the easiest to demo, I've created a convenience lexicon telephone commutation to demonstrate the place of the ascendance injection easily.
In [4]: result['Injected_Location'] Out[4]: {'base': '0x7ffefde8', 'type': 'char *', 'value': '/bin/mtd_write -o 0 -l 0 write `reboot`'}Sample Vulnerability Cluster Script
The vulnerability cluster script volition endeavour to regain vulnerabilities using the method inwards the Sample Vulnerability Discovery script together with and therefore construct k-means clusters of a ready of given functions across an extracted firmware to notice like functions to vulnerable ones.
$ Vuln_Cluster_Celery.py -h usage: Vuln_Cluster_Celery.py [-h] [-L LD_PATH] [-F FUNCTION] [-V VULN_PICKLE] Directory positional arguments: Directory optional arguments: -h, --help present this assistance message together with snuff it -L LD_PATH, --LD_PATH LD_PATH Path to libraries to charge -F FUNCTION, --Function FUNCTION -V VULN_PICKLE, --Vuln_Pickle VULN_PICKLE $ python Vuln_Cluster_Celery.py -F mtd_write_firmware -L Almond_Root/lib/ Almond_Root/etc_ro/lighttpd/www/cgi-bin/ [+] Reading Files 100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████& #9608;██████████████████████████████████████████████████████████████████████████████████████████████████| 1/1 [00:00<00:00, 2.80it/s] Getting functions from executables Starting primary ... Snip ... 