def async_get_arg_funcs(file_name, use_ghidra=True):
if use_ghidra:
ret_list = gh.get_arg_funcs(file_name)
else:
ret_list = fh.get_arg_funcs(file_name)
for func in ret_list:
func['file_name'] = file_name
return ret_list
def get_vulnerabilities(file_name, ld_path):
print("[+] Recovering Function Prototypes")
if use_ghidra:
arg_funcs = gh.get_function_information(file_name)
else:
arg_funcs = fh.get_arg_funcs(file_name)
for func in arg_funcs:
func['file_name'] = file_name
arg_funcs = fix_functions(arg_funcs)
print("[+] Analyzing {} functions".format(len(arg_funcs)))
return get_bugs_from_functions(arg_funcs, ld_path)
def get_vulnerabilities(file_name, ld_path):
print("[+] Getting argument functions")
if use_ghidra:
arg_funcs = fh.get_function_information(file_name)
else:
arg_funcs = fh.get_arg_funcs(file_name)
for func in arg_funcs:
func['file_name'] = file_name
arg_funcs = fix_functions(arg_funcs)
#arg_funcs = [x for x in arg_funcs if 'mtd_write_firmware' in x['name']]
print("[+] Analyzing {} functions".format(len(arg_funcs)))
return get_bugs_from_functions(arg_funcs, ld_path)
def main():
parser = argparse.ArgumentParser()
parser.add_argument("FILE")
parser.add_argument("-L",
"--LD_PATH",
default="",
help="Path to libraries to load")
args = parser.parse_args()
print("[+] Getting argument functions")
arg_funcs = fh.get_arg_funcs(args.FILE)
#arg_funcs = [x for x in arg_funcs if 'remove_routing_rule' in x['name']]
print("[+] Analyzing {} functions".format(len(arg_funcs)))
global file_name
file_name = args.FILE
for func in arg_funcs:
func['file_name'] = file_name
cores = psutil.cpu_count() - 1
func_list = list(arg_funcs)
func_iter = 0
func_timeout = 120
#Available mememory divided by cores
mem_limit = (psutil.virtual_memory()[1] / (1024 * 1024)) / cores
print("Memory Limit : {} MB | Analysis Timeout : {} seconds".format(
mem_limit, func_timeout))
global limited_processes
while func_iter < len(func_list) or len(
limited_processes): #len(func_list):
while len(limited_processes) < cores and len(
func_list) > 0 and func_iter < len(func_list):
proc_queue = Queue()
m_data = (func_list[func_iter], proc_queue, args.LD_PATH)
p = Process(target=trace_function, args=m_data)
p.start()
my_proc = Limited_Process(p, func_list[func_iter], func_timeout,
mem_limit, proc_queue)
limited_processes.append(my_proc)
print("Starting {}".format(func_list[func_iter]['name']))
func_iter += 1
#Check for results
to_remove = []
for lim_proc in limited_processes:
result = lim_proc.get()
#Process returned!
if result is not None and not isinstance(result, str):
if "vulnerable" in result.stashes.keys():
print("[+] Memory Corruption {}".format(
lim_proc.function['name']))
path = result.stashes['vulnerable'][0]
if path.globals['args']:
print_format = "{:<16} : {:<15} | {}"
print("[+] Function Arguments")
print(
print_format.format("Arg Location", "Arg Type",
"Arg Value"))
for x, y, z in path.globals['args']:
value = unravel(y, z, path)
pretty_print(x['ref'], str(y), value)
display_corruption_location(path)
elif "exploitable" in result.stashes.keys() and len(
result.stashes['exploitable']) > 0:
print("[+] Command Injection {}".format(
lim_proc.function['name']))
path = result.stashes['exploitable'][0]
val_loc = path.globals['val_offset']
val_addr = path.globals['val_addr']
solved_loc = hex(path.se.eval(val_loc))
solved_addr = hex(path.se.eval(val_addr))
if path.globals['args']:
print_format = "{:<16} : {:<15} | {}"
print("[+] Function Arguments")
print(
print_format.format("Arg Location", "Arg Type",
"Arg Value"))
for x, y, z in path.globals['args']:
value = unravel(y, z, path)
pretty_print(x['ref'], str(y), value)
print("[+] Command Injected memory location:")
temp = unravel(None, val_addr, path)
pretty_print(solved_addr, "char *", temp)
display_corruption_location(path, path.globals['cmd'])
#temp = unravel(None, val_loc, path)
#pretty_print(solved_loc, "char *", temp)
else:
print("{} returned no results".format(
lim_proc.function['name']))
func_list.remove(lim_proc.function)
to_remove.append(lim_proc)
lim_proc.die()
elif lim_proc.mem_overused() or lim_proc.time_is_up():
print("{} timed out or reached memory limit".format(
lim_proc.function['name']))
func_list.remove(lim_proc.function)
to_remove.append(lim_proc)
lim_proc.die()
elif lim_proc.finished:
print("{} finished".format(lim_proc.function['name']))
func_list.remove(lim_proc.function)
to_remove.append(lim_proc)
#Remove processes
for lim_proc in to_remove:
limited_processes.remove(lim_proc)
time.sleep(.1)
def main():
parser = argparse.ArgumentParser()
parser.add_argument("FILE")
args = parser.parse_args()
print("[+] Getting argument functions")
arg_funcs = fh.get_arg_funcs(args.FILE)
global file_name
file_name = args.FILE
cores = psutil.cpu_count() - 1
func_list = list(arg_funcs)
func_iter = 0
func_timeout = 120
#Available mememory divided by cores
mem_limit = (psutil.virtual_memory()[1] / (1024 * 1024)) / cores
global limited_processes
while len(func_list):
while len(limited_processes) < cores and len(
func_list) > 0 and func_iter < len(func_list):
proc_queue = Queue()
m_data = (func_list[func_iter], proc_queue)
p = Process(target=trace_function, args=m_data)
p.start()
my_proc = Limited_Process(p, func_list[func_iter], func_timeout,
mem_limit, proc_queue)
limited_processes.append(my_proc)
print("Starting {}".format(func_list[func_iter]['name']))
func_iter += 1
#Check for results
to_remove = []
for lim_proc in limited_processes:
result = lim_proc.get()
#Process returned!
if result is not None and type(
result) is not "str" and result is not "timeout":
print("{} : {}".format(lim_proc.function['name'], result))
if "vulnerable" in result.stashes.keys():
path = result.stashes['vulnerable'][0]
for x, y, z in path.globals['args']:
value = unravel(y, z, path)
print("{} : {:<5} | {}".format(x['ref'], str(y),
value))
elif "exploitable" in result.stashes.keys() and len(
result.stashes['exploitable']) > 0:
path = result.stashes['exploitable'][0]
for x, y, z in path.globals['args']:
value = unravel(y, z, path)
print("{} : {:<5} | {}".format(x['ref'], str(y),
value))
func_list.remove(lim_proc.function)
to_remove.append(lim_proc)
lim_proc.die()
elif lim_proc.mem_overused() or lim_proc.time_is_up():
func_list.remove(lim_proc.function)
to_remove.append(lim_proc)
lim_proc.die()
elif lim_proc.finished:
func_list.remove(lim_proc.function)
to_remove.append(lim_proc)
#Remove processes
for lim_proc in to_remove:
limited_processes.remove(lim_proc)
time.sleep(.1)
