Exemplo n.º 1
0
def async_get_arg_funcs(file_name, use_ghidra=True):

    if use_ghidra:
        ret_list = gh.get_arg_funcs(file_name)
    else:
        ret_list = fh.get_arg_funcs(file_name)
    for func in ret_list:
        func['file_name'] = file_name
    return ret_list
Exemplo n.º 2
0
def get_vulnerabilities(file_name, ld_path):
    print("[+] Recovering Function Prototypes")
    if use_ghidra:
        arg_funcs = gh.get_function_information(file_name)
    else:
        arg_funcs = fh.get_arg_funcs(file_name)
    for func in arg_funcs:
        func['file_name'] = file_name

    arg_funcs = fix_functions(arg_funcs)
    print("[+] Analyzing {} functions".format(len(arg_funcs)))

    return get_bugs_from_functions(arg_funcs, ld_path)
def get_vulnerabilities(file_name, ld_path):
    print("[+] Getting argument functions")
    if use_ghidra:
        arg_funcs = fh.get_function_information(file_name)
    else:
        arg_funcs = fh.get_arg_funcs(file_name)
    for func in arg_funcs:
        func['file_name'] = file_name

    arg_funcs = fix_functions(arg_funcs)
    #arg_funcs = [x for x in arg_funcs if 'mtd_write_firmware' in x['name']]
    print("[+] Analyzing {} functions".format(len(arg_funcs)))

    return get_bugs_from_functions(arg_funcs, ld_path)
Exemplo n.º 4
0
def main():

    parser = argparse.ArgumentParser()

    parser.add_argument("FILE")
    parser.add_argument("-L",
                        "--LD_PATH",
                        default="",
                        help="Path to libraries to load")

    args = parser.parse_args()

    print("[+] Getting argument functions")
    arg_funcs = fh.get_arg_funcs(args.FILE)
    #arg_funcs = [x for x in arg_funcs if 'remove_routing_rule' in x['name']]
    print("[+] Analyzing {} functions".format(len(arg_funcs)))

    global file_name
    file_name = args.FILE

    for func in arg_funcs:
        func['file_name'] = file_name

    cores = psutil.cpu_count() - 1
    func_list = list(arg_funcs)
    func_iter = 0
    func_timeout = 120
    #Available mememory divided by cores
    mem_limit = (psutil.virtual_memory()[1] / (1024 * 1024)) / cores
    print("Memory Limit : {} MB | Analysis Timeout : {} seconds".format(
        mem_limit, func_timeout))
    global limited_processes
    while func_iter < len(func_list) or len(
            limited_processes):  #len(func_list):
        while len(limited_processes) < cores and len(
                func_list) > 0 and func_iter < len(func_list):
            proc_queue = Queue()
            m_data = (func_list[func_iter], proc_queue, args.LD_PATH)
            p = Process(target=trace_function, args=m_data)
            p.start()
            my_proc = Limited_Process(p, func_list[func_iter], func_timeout,
                                      mem_limit, proc_queue)
            limited_processes.append(my_proc)
            print("Starting {}".format(func_list[func_iter]['name']))
            func_iter += 1

        #Check for results
        to_remove = []
        for lim_proc in limited_processes:

            result = lim_proc.get()

            #Process returned!
            if result is not None and not isinstance(result, str):
                if "vulnerable" in result.stashes.keys():
                    print("[+] Memory Corruption {}".format(
                        lim_proc.function['name']))
                    path = result.stashes['vulnerable'][0]
                    if path.globals['args']:
                        print_format = "{:<16} : {:<15} | {}"
                        print("[+] Function Arguments")
                        print(
                            print_format.format("Arg Location", "Arg Type",
                                                "Arg Value"))

                    for x, y, z in path.globals['args']:
                        value = unravel(y, z, path)
                        pretty_print(x['ref'], str(y), value)
                    display_corruption_location(path)

                elif "exploitable" in result.stashes.keys() and len(
                        result.stashes['exploitable']) > 0:
                    print("[+] Command Injection {}".format(
                        lim_proc.function['name']))
                    path = result.stashes['exploitable'][0]

                    val_loc = path.globals['val_offset']
                    val_addr = path.globals['val_addr']
                    solved_loc = hex(path.se.eval(val_loc))
                    solved_addr = hex(path.se.eval(val_addr))

                    if path.globals['args']:
                        print_format = "{:<16} : {:<15} | {}"
                        print("[+] Function Arguments")
                        print(
                            print_format.format("Arg Location", "Arg Type",
                                                "Arg Value"))
                    for x, y, z in path.globals['args']:
                        value = unravel(y, z, path)
                        pretty_print(x['ref'], str(y), value)
                    print("[+] Command Injected memory location:")
                    temp = unravel(None, val_addr, path)
                    pretty_print(solved_addr, "char *", temp)

                    display_corruption_location(path, path.globals['cmd'])

                    #temp = unravel(None, val_loc, path)
                    #pretty_print(solved_loc, "char *", temp)

                else:
                    print("{} returned no results".format(
                        lim_proc.function['name']))

                func_list.remove(lim_proc.function)
                to_remove.append(lim_proc)
                lim_proc.die()

            elif lim_proc.mem_overused() or lim_proc.time_is_up():
                print("{} timed out or reached memory limit".format(
                    lim_proc.function['name']))
                func_list.remove(lim_proc.function)
                to_remove.append(lim_proc)
                lim_proc.die()

            elif lim_proc.finished:
                print("{} finished".format(lim_proc.function['name']))
                func_list.remove(lim_proc.function)
                to_remove.append(lim_proc)

        #Remove processes
        for lim_proc in to_remove:
            limited_processes.remove(lim_proc)
        time.sleep(.1)
Exemplo n.º 5
0
def main():

    parser = argparse.ArgumentParser()

    parser.add_argument("FILE")

    args = parser.parse_args()

    print("[+] Getting argument functions")
    arg_funcs = fh.get_arg_funcs(args.FILE)

    global file_name
    file_name = args.FILE

    cores = psutil.cpu_count() - 1
    func_list = list(arg_funcs)
    func_iter = 0
    func_timeout = 120
    #Available mememory divided by cores
    mem_limit = (psutil.virtual_memory()[1] / (1024 * 1024)) / cores
    global limited_processes
    while len(func_list):
        while len(limited_processes) < cores and len(
                func_list) > 0 and func_iter < len(func_list):
            proc_queue = Queue()
            m_data = (func_list[func_iter], proc_queue)
            p = Process(target=trace_function, args=m_data)
            p.start()
            my_proc = Limited_Process(p, func_list[func_iter], func_timeout,
                                      mem_limit, proc_queue)
            limited_processes.append(my_proc)
            print("Starting {}".format(func_list[func_iter]['name']))
            func_iter += 1

        #Check for results
        to_remove = []
        for lim_proc in limited_processes:

            result = lim_proc.get()

            #Process returned!
            if result is not None and type(
                    result) is not "str" and result is not "timeout":
                print("{} : {}".format(lim_proc.function['name'], result))
                if "vulnerable" in result.stashes.keys():
                    path = result.stashes['vulnerable'][0]
                    for x, y, z in path.globals['args']:
                        value = unravel(y, z, path)
                        print("{} : {:<5} | {}".format(x['ref'], str(y),
                                                       value))
                elif "exploitable" in result.stashes.keys() and len(
                        result.stashes['exploitable']) > 0:
                    path = result.stashes['exploitable'][0]
                    for x, y, z in path.globals['args']:
                        value = unravel(y, z, path)
                        print("{} : {:<5} | {}".format(x['ref'], str(y),
                                                       value))

                func_list.remove(lim_proc.function)
                to_remove.append(lim_proc)
                lim_proc.die()

            elif lim_proc.mem_overused() or lim_proc.time_is_up():
                func_list.remove(lim_proc.function)
                to_remove.append(lim_proc)
                lim_proc.die()

            elif lim_proc.finished:
                func_list.remove(lim_proc.function)
                to_remove.append(lim_proc)

        #Remove processes
        for lim_proc in to_remove:
            limited_processes.remove(lim_proc)
        time.sleep(.1)