From 39eade4429f58717a729c760637146306ef58dd5 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Sun, 27 Mar 2022 10:04:54 +0200 Subject: [PATCH 01/42] known exploited vulns --- .../F20_vul_aggregator-post.sh | 1 + installer/IF20_cve_search.sh | 21 ++++++++++++++++++ modules/F20_vul_aggregator.sh | 22 +++++++++++++++---- modules/P60_firmware_bin_extractor.sh | 6 +++-- 4 files changed, 44 insertions(+), 6 deletions(-) diff --git a/config/report_templates/F20_vul_aggregator-post.sh b/config/report_templates/F20_vul_aggregator-post.sh index 09211d6b1..58d788d5e 100644 --- a/config/report_templates/F20_vul_aggregator-post.sh +++ b/config/report_templates/F20_vul_aggregator-post.sh @@ -5,3 +5,4 @@ print_output "$(indent "${ORANGE}R$NC - remote exploits")" print_output "$(indent "${ORANGE}L$NC - local exploits")" print_output "$(indent "${ORANGE}D$NC - DoS exploits")" print_output "$(indent "${ORANGE}G$NC - PoC code found on Github (unknown exploit vector)")" +print_output "$(indent "${ORANGE}X$NC - Vulnerability is knwon as exploited (See https://www.cisa.gov/known-exploited-vulnerabilities-catalog)")" diff --git a/installer/IF20_cve_search.sh b/installer/IF20_cve_search.sh index 4cb33f95f..425969f2e 100644 --- a/installer/IF20_cve_search.sh +++ b/installer/IF20_cve_search.sh @@ -19,6 +19,7 @@ IF20_cve_search() { module_title "${FUNCNAME[0]}" + if [[ "$LIST_DEP" -eq 1 ]] || [[ $IN_DOCKER -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]] || [[ $CVE_SEARCH -eq 1 ]] || [[ $FULL -eq 1 ]]; then print_git_info "trickest cve database" "trickest/cve" "Trickest CVE to github exploit database" 
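Review bot: The new legend line in F20_vul_aggregator-post.sh misspells "known" as "knwon" in a user-facing string, and the parenthetical starts with a capital after a comma-less clause. Suggested line: `print_output "$(indent "${ORANGE}X$NC - Vulnerability is known as exploited (see https://www.cisa.gov/known-exploited-vulnerabilities-catalog)")"`. The same typo appears in the comment added to cve_extractor in modules/F20_vul_aggregator.sh.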
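Review bot: The `if [[ "$LIST_DEP" -eq 1 ]] || [[ $IN_DOCKER -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]] || [[ $CVE_SEARCH -eq 1 ]] || [[ $FULL -eq 1 ]]; then` inserted before `print_git_info` has no `fi` added anywhere in this commit (the file's other hunk only appends a block after an existing `fi`, and the 21 insertions in the diffstat are all accounted for), so unless an existing `fi` already closes it the installer module will no longer parse; a `bash -n installer/IF20_cve_search.sh` is worth running. The guard also tests `$DOCKER_SETUP -eq 1` while the new KEV block in the second hunk of this file tests `$DOCKER_SETUP -eq 0` for what the comment calls the same "docker or full" case, so one of the two looks inverted. IF20_cve_search continues outside the hunk.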
@@ -142,4 +143,24 @@ IF20_cve_search() { ;; esac fi + + # only in docker or full installations: + if [[ "$LIST_DEP" -eq 1 ]] || [[ $IN_DOCKER -eq 1 ]] || [[ $DOCKER_SETUP -eq 0 ]] || [[ $FULL -eq 1 ]]; then + + # see https://www.cisa.gov/known-exploited-vulnerabilities-catalog + print_file_info "CISA.gov list of known_exploited_vulnerabilities.csv" "https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv" "external/known_exploited_vulnerabilities.csv" + + if [[ "$LIST_DEP" -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]] ; then + ANSWER=("n") + else + echo -e "\\n""$MAGENTA""$BOLD""These rules (if not already on the system) will be downloaded!""$NC" + ANSWER=("y") + fi + + case ${ANSWER:0:1} in + y|Y ) + download_file "CISA.gov list of known_exploited_vulnerabilities.csv" "https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv" "external/known_exploited_vulnerabilities.csv" + ;; + esac + fi } diff --git a/modules/F20_vul_aggregator.sh b/modules/F20_vul_aggregator.sh index c92b30321..cf07ef093 100755 --- a/modules/F20_vul_aggregator.sh +++ b/modules/F20_vul_aggregator.sh @@ -46,6 +46,7 @@ F20_vul_aggregator() { CVE_MINIMAL_LOG="$LOG_PATH_MODULE"/CVE_minimal.txt EXPLOIT_OVERVIEW_LOG="$LOG_PATH_MODULE"/exploits-overview.txt + KNOWN_EXP_CSV="$EXT_DIR"/known_exploited_vulnerabilities.csv if [[ -f $PATH_CVE_SEARCH ]]; then print_output "[*] Aggregate vulnerability details" 
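Review bot: The outer guard here uses `[[ $DOCKER_SETUP -eq 0 ]]` whereas the guard added at the top of the same function uses `[[ $DOCKER_SETUP -eq 1 ]]`; both are commented as the docker/full case, so the two should agree and the difference looks unintentional. The prompt text `"These rules (if not already on the system) will be downloaded!"` describes a CSV catalog, not rules; `"The CISA known exploited vulnerabilities catalog (if not already on the system) will be downloaded!"` matches what is fetched. Note that the catalog is only fetched at install time here; whether it is ever refreshed afterwards depends on the update path in emba.sh, which this series touches in a later patch.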
@@ -360,10 +361,19 @@ cve_extractor() { for CVE_OUTPUT in "${CVEs_OUTPUT[@]}"; do ((CVE_COUNTER+=1)) ((CVE_COUNTER_VERSION+=1)) + KNOWN_EXPLOITED=0 #extract the CVSS and CVE value (remove all spaces and tabs) CVSS_VALUE=$(echo "$CVE_OUTPUT" | cut -d: -f3 | sed -e 's/\t//g' | sed -e 's/\ \+//g') CVE_VALUE=$(echo "$CVE_OUTPUT" | cut -d: -f2 | sed -e 's/\t//g' | sed -e 's/\ \+//g') + # check if the CVE is known as a knwon exploited vulnerability: + if [[ -f "$KNOWN_EXP_CSV" ]]; then + if grep -q "${CVE_VALUE}," "$KNOWN_EXP_CSV"; then + print_output "[+] $ORANGEWARNING:$GREEN Vulnerability $ORANGE$CVE_VALUE$GREEN is a known exploited vulnerability." + KNOWN_EXPLOITED=1 + fi + fi + # default value EXPLOIT="No exploit available" @@ -545,6 +555,10 @@ cve_extractor() { fi fi + if [[ $KNOWN_EXPLOITED -eq 1 ]]; then + EXPLOIT="$EXPLOIT"" (X)" + fi + if [[ $EDB -eq 1 ]]; then EXPLOIT="$EXPLOIT"")" fi 
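Review bot: `"[+] $ORANGEWARNING:$GREEN ..."` in the new print_output expands a variable named `ORANGEWARNING`, not `$ORANGE` followed by `WARNING`, so the colour is lost (and the shell errors under `set -u`); it needs `${ORANGE}WARNING:`. The lookup `grep -q "${CVE_VALUE}," "$KNOWN_EXP_CSV"` also matches every line of the CSV when `CVE_VALUE` is empty (the pattern degenerates to `,`), and as an unanchored regex it can hit the ID inside other columns; since the cveID column is the first field of the CISA CSV, `if [[ -n "$CVE_VALUE" ]] && grep -q -- "^${CVE_VALUE}," "$KNOWN_EXP_CSV"; then` is both safer and more precise. The comment above it reads "knwon exploited" and should be "known exploited". cve_extractor starts and ends outside this hunk.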
@@ -554,21 +568,21 @@ cve_extractor() { #VERSION=$(echo "$CVE_OUTPUT" | cut -d: -f2- | sed -e 's/\t//g' | sed -e 's/\ \+//g' | sed -e 's/:CVE-[0-9].*//') # we do not deal with output formatting the usual way -> we use printf if (( $(echo "$CVSS_VALUE > 6.9" | bc -l) )); then - if [[ "$EXPLOIT" == *MSF* || "$EXPLOIT" == *EDB\ ID* || "$EXPLOIT" == *linux-exploit-suggester* || "$EXPLOIT" == *Routersploit* || "$EXPLOIT" == *Github* ]]; then + if [[ "$EXPLOIT" == *MSF* || "$EXPLOIT" == *EDB\ ID* || "$EXPLOIT" == *linux-exploit-suggester* || "$EXPLOIT" == *Routersploit* || "$EXPLOIT" == *Github* || "$KNOWN_EXPLOITED" -eq 1 ]]; then printf "${MAGENTA}\t%-20.20s\t:\t%-15.15s\t:\t%-15.15s\t:\t%-8.8s:\t%s${NC}\n" "$BINARY" "$VERSION" "$CVE_VALUE" "$CVSS_VALUE" "$EXPLOIT" >> "$LOG_PATH_MODULE"/cve_sum/"$AGG_LOG_FILE" else printf "${RED}\t%-20.20s\t:\t%-15.15s\t:\t%-15.15s\t:\t%-8.8s:\t%s${NC}\n" "$BINARY" "$VERSION" "$CVE_VALUE" "$CVSS_VALUE" "$EXPLOIT" >> "$LOG_PATH_MODULE"/cve_sum/"$AGG_LOG_FILE" fi ((HIGH_CVE_COUNTER+=1)) elif (( $(echo "$CVSS_VALUE > 3.9" | bc -l) )); then - if [[ "$EXPLOIT" == *MSF* || "$EXPLOIT" == *EDB\ ID* || "$EXPLOIT" == *linux-exploit-suggester* || "$EXPLOIT" == *Routersploit* || "$EXPLOIT" == *Github* ]]; then + if [[ "$EXPLOIT" == *MSF* || "$EXPLOIT" == *EDB\ ID* || "$EXPLOIT" == *linux-exploit-suggester* || "$EXPLOIT" == *Routersploit* || "$EXPLOIT" == *Github* || "$KNOWN_EXPLOITED" -eq 1 ]]; then printf "${MAGENTA}\t%-20.20s\t:\t%-15.15s\t:\t%-15.15s\t:\t%-8.8s:\t%s${NC}\n" "$BINARY" "$VERSION" "$CVE_VALUE" "$CVSS_VALUE" "$EXPLOIT" >> "$LOG_PATH_MODULE"/cve_sum/"$AGG_LOG_FILE" else printf "${ORANGE}\t%-20.20s\t:\t%-15.15s\t:\t%-15.15s\t:\t%-8.8s:\t%s${NC}\n" "$BINARY" "$VERSION" "$CVE_VALUE" "$CVSS_VALUE" "$EXPLOIT" >> "$LOG_PATH_MODULE"/cve_sum/"$AGG_LOG_FILE" fi ((MEDIUM_CVE_COUNTER+=1)) else - if [[ "$EXPLOIT" == *MSF* || "$EXPLOIT" == *EDB\ ID* || "$EXPLOIT" == *linux-exploit-suggester* || "$EXPLOIT" == *Routersploit* || "$EXPLOIT" == 
*Github* ]]; then + if [[ "$EXPLOIT" == *MSF* || "$EXPLOIT" == *EDB\ ID* || "$EXPLOIT" == *linux-exploit-suggester* || "$EXPLOIT" == *Routersploit* || "$EXPLOIT" == *Github* || "$KNOWN_EXPLOITED" -eq 1 ]]; then printf "${MAGENTA}\t%-20.20s\t:\t%-15.15s\t:\t%-15.15s\t:\t%-8.8s:\t%s${NC}\n" "$BINARY" "$VERSION" "$CVE_VALUE" "$CVSS_VALUE" "$EXPLOIT" >> "$LOG_PATH_MODULE"/cve_sum/"$AGG_LOG_FILE" else printf "${GREEN}\t%-20.20s\t:\t%-15.15s\t:\t%-15.15s\t:\t%-8.8s:\t%s${NC}\n" "$BINARY" "$VERSION" "$CVE_VALUE" "$CVSS_VALUE" "$EXPLOIT" >> "$LOG_PATH_MODULE"/cve_sum/"$AGG_LOG_FILE" @@ -617,7 +631,7 @@ cve_extractor() { if ! [[ -f "$LOG_PATH_MODULE"/overview.csv ]]; then echo "BINARY;VERSION;Number of CVEs;Number of EXPLOITS" >> "$LOG_PATH_MODULE"/overview.csv fi - if [[ "$EXPLOIT_COUNTER_VERSION" -gt 0 ]]; then + if [[ "$EXPLOIT_COUNTER_VERSION" -gt 0 || "$KNOWN_EXPLOITED" -eq 1 ]]; then printf "[${MAGENTA}+${NC}]${MAGENTA} Found version details: \t%-20.20s\t:\t%-15.15s\t:\tCVEs: %-8.8s\t:\tExploits: %-8.8s${NC}\n" "$BINARY" "$VERSION" "$CVEs" "$EXPLOITS" >> "$LOG_PATH_MODULE"/overview.txt echo "$BINARY;$VERSION;$CVEs;$EXPLOITS" >> "$LOG_PATH_MODULE"/overview.csv else diff --git a/modules/P60_firmware_bin_extractor.sh b/modules/P60_firmware_bin_extractor.sh index 25b50b95c..813f855d9 100755 --- a/modules/P60_firmware_bin_extractor.sh +++ b/modules/P60_firmware_bin_extractor.sh @@ -314,7 +314,8 @@ extract_binwalk_helper() { if [[ "$BINWALK_VER_CHECK" == 1 ]]; then binwalk --run-as=root --preserve-symlinks -e -M -C "$OUTPUT_DIR_binwalk" "$FIRMWARE_PATH" >> "$TMP_DIR"/binwalker.txt else - binwalk -e -M -C "$OUTPUT_DIR_binwalk" "$FIRMWARE_PATH" >> "$TMP_DIR"/binwalker.txt + #binwalk -e -M -C "$OUTPUT_DIR_binwalk" "$FIRMWARE_PATH" >> "$TMP_DIR"/binwalker.txt + binwalk --run-as=root --preserve-symlinks -e -M -C "$OUTPUT_DIR_binwalk" "$FIRMWARE_PATH" >> "$TMP_DIR"/binwalker.txt fi } 
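Review bot: The highlight condition `[[ "$EXPLOIT" == *MSF* || ... || "$KNOWN_EXPLOITED" -eq 1 ]]` is now copied verbatim into all three CVSS branches, and this change had to edit all three; computing it once before the `if (( $(echo "$CVSS_VALUE > 6.9" | bc -l) ))` chain into a flag such as `HIGHLIGHT=1` and testing `[[ "$HIGHLIGHT" -eq 1 ]]` in each branch would keep the three printf arms in sync the next time a marker is added. The enclosing cve_extractor body continues outside the hunk.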
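Review bot: `"$KNOWN_EXPLOITED" -eq 1` in the overview condition reads a flag that the loop in the earlier hunk resets to 0 at the top of every CVE iteration, so if this summary runs after the loop it reflects only the last CVE of the version, not whether any CVE of it is in the KEV list. A per-version counter alongside `CVE_COUNTER_VERSION` would be robust: increment `((KNOWN_EXPLOITED_VERSION+=1))` next to `KNOWN_EXPLOITED=1`, reset it wherever `CVE_COUNTER_VERSION` is reset, and test `if [[ "$EXPLOIT_COUNTER_VERSION" -gt 0 || "${KNOWN_EXPLOITED_VERSION:-0}" -gt 0 ]]; then`. The surrounding code is outside the hunk, so where the per-version reset lives should be confirmed in the file.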
@@ -337,7 +338,8 @@ binwalk_deep_extract_helper() { if [[ "$BINWALK_VER_CHECK" == 1 ]]; then binwalk --run-as=root --preserve-symlinks -e -M -C "$FIRMWARE_PATH_CP" "$FILE_TMP" | tee -a "$LOG_FILE" || true else - binwalk -e -M -C "$FIRMWARE_PATH_CP" "$FILE_TMP" | tee -a "$LOG_FILE" || true + #binwalk -e -M -C "$FIRMWARE_PATH_CP" "$FILE_TMP" | tee -a "$LOG_FILE" || true + binwalk --run-as=root --preserve-symlinks -e -M -C "$FIRMWARE_PATH_CP" "$FILE_TMP" | tee -a "$LOG_FILE" || true fi } From db107cecb11e24e903804fe11dbd9cf2407075a2 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Sun, 27 Mar 2022 10:06:37 +0200 Subject: [PATCH 02/42] rollbakc --- modules/P60_firmware_bin_extractor.sh | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/modules/P60_firmware_bin_extractor.sh b/modules/P60_firmware_bin_extractor.sh index 813f855d9..25b50b95c 100755 --- a/modules/P60_firmware_bin_extractor.sh +++ b/modules/P60_firmware_bin_extractor.sh @@ -314,8 +314,7 @@ extract_binwalk_helper() { if [[ "$BINWALK_VER_CHECK" == 1 ]]; then binwalk --run-as=root --preserve-symlinks -e -M -C "$OUTPUT_DIR_binwalk" "$FIRMWARE_PATH" >> "$TMP_DIR"/binwalker.txt else - #binwalk -e -M -C "$OUTPUT_DIR_binwalk" "$FIRMWARE_PATH" >> "$TMP_DIR"/binwalker.txt - binwalk --run-as=root --preserve-symlinks -e -M -C "$OUTPUT_DIR_binwalk" "$FIRMWARE_PATH" >> "$TMP_DIR"/binwalker.txt + binwalk -e -M -C "$OUTPUT_DIR_binwalk" "$FIRMWARE_PATH" >> "$TMP_DIR"/binwalker.txt fi } @@ -338,8 +337,7 @@ binwalk_deep_extract_helper() { if [[ "$BINWALK_VER_CHECK" == 1 ]]; then binwalk --run-as=root --preserve-symlinks -e -M -C "$FIRMWARE_PATH_CP" "$FILE_TMP" | tee -a "$LOG_FILE" || true else - #binwalk -e -M -C "$FIRMWARE_PATH_CP" "$FILE_TMP" | tee -a "$LOG_FILE" || true - binwalk --run-as=root --preserve-symlinks -e -M -C "$FIRMWARE_PATH_CP" "$FILE_TMP" | tee -a "$LOG_FILE" || true + binwalk -e -M -C "$FIRMWARE_PATH_CP" "$FILE_TMP" | tee -a "$LOG_FILE" || true fi } 
From 1ff94f2227f61543a1fa308b12bff36fd4c87414 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Wed, 30 Mar 2022 09:13:55 +0200 Subject: [PATCH 03/42] full system emulation installer --- emba.sh | 22 +++++ helpers/helpers_emba_print.sh | 2 +- installer.sh | 4 +- installer/IL10_system_emulator.sh | 2 + installer/IL20_firmae_system_emulator.sh | 112 ----------------------- 5 files changed, 28 insertions(+), 114 deletions(-) delete mode 100644 installer/IL20_firmae_system_emulator.sh diff --git a/emba.sh b/emba.sh index e564b8e90..8c6f59fcb 100755 --- a/emba.sh +++ b/emba.sh @@ -409,8 +409,30 @@ main() if [[ "$UPDATE" -eq 1 ]]; then print_output "[*] EMBA update starting ..." "no_log" + git pull + EMBA="$INVOCATION_PATH" FIRMWARE="$FIRMWARE_PATH" LOG="$LOG_DIR" docker pull embeddedanalyzer/emba + + if command -v cve_searchsploit > /dev/null ; then + print_output "[*] EMBA update - cve_searchsploit update" "no_log" + cve_searchsploit -u + fi + + print_output "[*] EMBA update - cve-search update" "no_log" + /etc/init.d/redis-server start + "$EXT_DIR"/cve-search/sbin/db_updater.py -v + + print_output "[*] EMBA update - trickest PoC update" "no_log" + if [[ -d "$EXT_DIR"/trickest-cve ]]; then + BASE_PATH=$(pwd) + cd "$EXT_DIR"/trickest-cve || exit + git pull + cd "$BASE_PATH" || exit + else + git clone https://github.com/trickest/cve.git "$EXT_DIR"/trickest-cve + fi + print_output "[*] Please restart your EMBA scan to apply the updates ..." "no_log" exit 0 fi diff --git a/helpers/helpers_emba_print.sh b/helpers/helpers_emba_print.sh index 6d5871073..d562cf2c1 100755 --- a/helpers/helpers_emba_print.sh +++ b/helpers/helpers_emba_print.sh 
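Review bot: The update path now refreshes cve-search, cve_searchsploit and the trickest PoC clone, but not the CISA known-exploited-vulnerabilities CSV that the first patch of this series added under `$EXT_DIR`, so that catalog (which changes frequently) stays at its install-time state; re-downloading `"$EXT_DIR"/known_exploited_vulnerabilities.csv` from the URL used in installer/IF20_cve_search.sh belongs in this block. None of `git pull`, `docker pull`, `cve_searchsploit -u` or `db_updater.py -v` has its exit status checked, so "Please restart your EMBA scan to apply the updates" is printed even when an update failed. The `BASE_PATH=$(pwd)` / `cd` / `cd "$BASE_PATH"` dance can be replaced by `git -C "$EXT_DIR"/trickest-cve pull`, which avoids the second `|| exit`. main starts and ends outside the hunk.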
@@ -99,7 +99,7 @@ print_output() if [[ "$TYPE_CHECK" == "[-]" || "$TYPE_CHECK" == "[*]" || "$TYPE_CHECK" == "[!]" || "$TYPE_CHECK" == "[+]" ]] ; then local COLOR_OUTPUT_STRING="" COLOR_OUTPUT_STRING="$(color_output "$OUTPUT")" - echo -e "$COLOR_OUTPUT_STRING" + echo -e "$COLOR_OUTPUT_STRING" || true if [[ "$LOG_SETTING" == "main" ]] ; then echo -e "$(format_log "$COLOR_OUTPUT_STRING")" | tee -a "$MAIN_LOG" >/dev/null elif [[ "$LOG_SETTING" != "no_log" ]] ; then diff --git a/installer.sh b/installer.sh index e1639f881..95efe4214 100755 --- a/installer.sh +++ b/installer.sh @@ -181,7 +181,9 @@ if [[ "$CVE_SEARCH" -ne 1 ]] || [[ "$DOCKER_SETUP" -ne 1 ]] || [[ "$IN_DOCKER" - IL10_system_emulator # for the future - # IL20_firmae_system_emulator + IL20_system_emulator + IL21_firmae_system_emulator + IL22_firmadyne_system_emulator IL15_emulated_checks_init diff --git a/installer/IL10_system_emulator.sh b/installer/IL10_system_emulator.sh index 524c14ebf..3ac51cb1e 100644 --- a/installer/IL10_system_emulator.sh +++ b/installer/IL10_system_emulator.sh @@ -49,6 +49,8 @@ IL10_system_emulator() { print_file_info "fixImage.sh" "Firmadyne fixImage script" "https://raw.githubusercontent.com/firmadyne/firmadyne/master/scripts/fixImage.sh" "external/firmadyne/scripts/" print_file_info "preInit.sh" "Firmadyne preInit script" "https://raw.githubusercontent.com/firmadyne/firmadyne/master/scripts/preInit.sh" "external/firmadyne/scripts/" + echo -e "\\n""$MAGENTA""$BOLD""This is a deprecated module which will be removed in the future without any further note!""$NC" + if [[ "$LIST_DEP" -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]] ; then ANSWER=("n") else diff --git a/installer/IL20_firmae_system_emulator.sh b/installer/IL20_firmae_system_emulator.sh deleted file mode 100644 index b9ec4ba9d..000000000 --- a/installer/IL20_firmae_system_emulator.sh +++ /dev/null 
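Review bot: The `|| true` appended to `echo -e "$COLOR_OUTPUT_STRING"` carries no comment saying which failure it is meant to tolerate, so a later cleanup is likely to drop it; `echo` only returns non-zero on a write error (typically a closed stdout when the consumer has gone away), and the log writes below still run. Suggested comment on the line above: `# a write error on stdout (e.g. consumer gone) must not abort print_output; the log file is still written below`. print_output continues outside the hunk.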
@@ -1,112 +0,0 @@ -#!/bin/bash - -# EMBA - EMBEDDED LINUX ANALYZER -# -# Copyright 2020-2022 Siemens AG -# Copyright 2020-2022 Siemens Energy AG -# -# EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are -# welcome to redistribute it under the terms of the GNU General Public License. -# See LICENSE file for usage of this software. -# -# EMBA is licensed under GPLv3 -# -# Author(s): Michael Messner, Pascal Eckmann - -# Description: Installs firmae / full system emulation - -IL20_firmae_system_emulator() { - module_title "${FUNCNAME[0]}" - - if [[ "$LIST_DEP" -eq 1 ]] || [[ $IN_DOCKER -eq 1 ]] || [[ $DOCKER_SETUP -eq 0 ]] || [[ $FULL -eq 1 ]]; then - INSTALL_APP_LIST=() - cd "$HOME_PATH" || exit 1 - - print_tool_info "busybox-static" 1 - print_tool_info "bash-static" 1 - print_tool_info "fakeroot" 1 - print_tool_info "git" 1 - print_tool_info "dmsetup" 1 - print_tool_info "kpartx" 1 - print_tool_info "uml-utilities" 1 - print_tool_info "util-linux" 1 - print_tool_info "vlan" 1 - print_tool_info "qemu-system-arm" 1 - print_tool_info "qemu-system-mips" 1 - print_tool_info "qemu-system-x86" 1 - print_tool_info "qemu-utils" 1 - - print_file_info "vmlinux.mipsel.2" "FirmAE - Linux kernel 2.6 - MIPSel" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipsel.2" "external/firmae/binaries/vmlinux.mipsel.2" - print_file_info "vmlinux.mipseb.2" "FirmAE - Linux kernel 2.6 - MIPSeb" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipseb.2" "external/firmae/binaries/vmlinux.mipseb.2" - print_file_info "vmlinux.mipsel.4" "FirmAE - Linux kernel 4.1 - MIPSel" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.mipsel.4" "external/firmae/binaries/vmlinux.mipsel.4" - print_file_info "vmlinux.mipseb.4" "FirmAE - Linux kernel 4.1 - MIPSeb" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.mipseb.4" "external/firmae/binaries/vmlinux.mipseb.4" - - 
print_file_info "zImage.armel" "FirmAE - Linux kernel 4.1 - ARMel" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/zImage.armel" "external/firmae/binaries/zImage.armel" - print_file_info "vmlinux.armel" "FirmAE - Linux kernel 4.1 - ARMel" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.armel" "external/firmae/binaries/vmlinux.armel" - - print_file_info "busybox.armel" "FirmAE - busybox - ARMel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.armel" "external/firmae/binaries/console.armel" - print_file_info "busybox.mipseb" "FirmAE - busybox - MIPSeb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.mipseb" "external/firmae/binaries/console.mipseb" - print_file_info "busybox.mipsel" "FirmAE - busybox - MIPSel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.mipsel" "external/firmae/binaries/console.mipsel" - - print_file_info "console.armel" "FirmAE - Console - ARMel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/console.armel" "external/firmae/binaries/console.armel" - print_file_info "console.mipseb" "FirmAE - Console - MIPSeb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/console.mipseb" "external/firmae/binaries/console.mipseb" - print_file_info "console.mipsel" "FirmAE - Console - MIPSel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/console.mipsel" "external/firmae/binaries/console.mipsel" - - print_file_info "libnvram.so.armel" "FirmAE - libnvram - ARMel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram.so.armel" "external/firmae/binaries/libnvram.so.armel" - print_file_info "libnvram.so.mipseb" "FirmAE - libnvram - MIPSeb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram.so.mipseb" "external/firmae/binaries/libnvram.so.mipseb" - print_file_info "libnvram.so.mipsel" "FirmAE - libnvram - MIPSel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram.so.mipsel" 
"external/firmae/binaries/libnvram.so.mipsel" - print_file_info "libnvram_ioctl.so.armel" "FirmAE - libnvram_ioctl - ARMel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram_ioctl.so.armel" "external/firmae/binaries/libnvram_ioctl.so.armel" - print_file_info "libnvram_ioctl.so.mipseb" "FirmAE - libnvram_ioctl - MIPSeb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram_ioctl.so.mipseb" "external/firmae/binaries/libnvram_ioctl.so.mipseb" - print_file_info "libnvram_ioctl.so.mipsel" "FirmAE - libnvram_ioctl - MIPSel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram_ioctl.so.mipsel" "external/firmae/binaries/libnvram_ioctl.so.mipsel" - - print_file_info "fixImage.sh" "FirmAE fixImage script" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/fixImage.sh" "external/firmae/scripts/" - print_file_info "preInit.sh" "FirmAE preInit script" "https://github.com/pr0v3rbs/FirmAE/blob/master/scripts/preInit.sh" "external/firmae/scripts/" - print_file_info "network.sh" "FirmAE preInit script" "https://github.com/pr0v3rbs/FirmAE/blob/master/scripts/network.sh" "external/firmae/scripts/" - - if [[ "$LIST_DEP" -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]] ; then - ANSWER=("n") - else - echo -e "\\n""$MAGENTA""$BOLD""The firmae dependencies (if not already on the system) will be downloaded and installed!""$NC" - ANSWER=("y") - fi - - case ${ANSWER:0:1} in - y|Y ) - - mkdir -p external/firmae/binaries - mkdir -p external/firmae/scripts - - apt-get install "${INSTALL_APP_LIST[@]}" -y - - download_file "vmlinux.mipsel.2" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipsel.2" "external/firmae/binaries/vmlinux.mipsel.2" - download_file "vmlinux.mipseb.2" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipseb.2" "external/firmae/binaries/vmlinux.mipseb.2" - download_file "vmlinux.mipsel.4" 
"https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.mipsel.4" "external/firmae/binaries/vmlinux.mipsel.4" - download_file "vmlinux.mipseb.4" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.mipseb.4" "external/firmae/binaries/vmlinux.mipseb.4" - - download_file "zImage.armel" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/zImage.armel" "external/firmae/binaries/zImage.armel" - download_file "vmlinux.armel" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.armel" "external/firmae/binaries/vmlinux.armel" - - download_file "busybox.armel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.armel" "external/firmae/binaries/console.armel" - download_file "busybox.mipseb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.mipseb" "external/firmae/binaries/console.mipseb" - download_file "busybox.mipsel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.mipsel" "external/firmae/binaries/console.mipsel" - - download_file "console.armel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/console.armel" "external/firmae/binaries/console.armel" - download_file "console.mipseb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/console.mipseb" "external/firmae/binaries/console.mipseb" - download_file "console.mipsel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/console.mipsel" "external/firmae/binaries/console.mipsel" - - download_file "libnvram.so.armel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram.so.armel" "external/firmae/binaries/libnvram.so.armel" - download_file "libnvram.so.mipseb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram.so.mipseb" "external/firmae/binaries/libnvram.so.mipseb" - download_file "libnvram.so.mipsel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram.so.mipsel" 
"external/firmae/binaries/libnvram.so.mipsel" - download_file "libnvram_ioctl.so.armel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram_ioctl.so.armel" "external/firmae/binaries/libnvram_ioctl.so.armel" - download_file "libnvram_ioctl.so.mipseb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram_ioctl.so.mipseb" "external/firmae/binaries/libnvram_ioctl.so.mipseb" - download_file "libnvram_ioctl.so.mipsel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram_ioctl.so.mipsel" "external/firmae/binaries/libnvram_ioctl.so.mipsel" - - download_file "fixImage.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/fixImage.sh" "external/firmae/scripts/fixImage.sh" - download_file "preInit.sh" "https://github.com/pr0v3rbs/FirmAE/blob/master/scripts/preInit.sh" "external/firmae/scripts/preInit.sh" - download_file "network.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/network.sh" "external/firmae/scripts/network.sh" - - ;; - esac - fi -} - From c3fa91097a10755a17d36078ab2aec519f268e1e Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Wed, 30 Mar 2022 09:15:26 +0200 Subject: [PATCH 04/42] full system emulation installer --- installer.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/installer.sh b/installer.sh index 95efe4214..23ead2c4c 100755 --- a/installer.sh +++ b/installer.sh @@ -179,10 +179,15 @@ if [[ "$CVE_SEARCH" -ne 1 ]] || [[ "$DOCKER_SETUP" -ne 1 ]] || [[ "$IN_DOCKER" - I120_cwe_checker + # deprecated: IL10_system_emulator + # for the future - IL20_system_emulator + #IL20_system_emulator + + # deprecated: IL21_firmae_system_emulator + # deprecated: IL22_firmadyne_system_emulator IL15_emulated_checks_init From 6deea0574e4a3407dd9ce9512e7dba9da03d1c3c Mon Sep 17 00:00:00 2001 
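Review bot: Reading the hunk against its 6-insertion/1-deletion diffstat, only `IL20_system_emulator` is actually commented out; `IL10_system_emulator`, `IL21_firmae_system_emulator` and `IL22_firmadyne_system_emulator` remain live calls with a `# deprecated:` comment above them, which a reader will take as "disabled". If they are meant to keep running, `# deprecated, still executed until IL20_system_emulator is ready:` says so; if not, the calls should be prefixed with `#` like the IL20 line. This is inferred from the collapsed hunk layout and is worth confirming in the file.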
From: m-1-k-3 Date: Wed, 30 Mar 2022 09:18:22 +0200 Subject: [PATCH 05/42] full system emulation installer --- installer/IL20_system_emulator.sh | 117 ++++++++++++++++++++ installer/IL21_firmae_system_emulator.sh | 51 +++++++++ installer/IL22_firmadyne_system_emulator.sh | 57 ++++++++++ 3 files changed, 225 insertions(+) create mode 100644 installer/IL20_system_emulator.sh create mode 100644 installer/IL21_firmae_system_emulator.sh create mode 100644 installer/IL22_firmadyne_system_emulator.sh diff --git a/installer/IL20_system_emulator.sh b/installer/IL20_system_emulator.sh new file mode 100644 index 000000000..34054a8a6 --- /dev/null +++ b/installer/IL20_system_emulator.sh 
@@ -0,0 +1,117 @@ +#!/bin/bash + +# EMBA - EMBEDDED LINUX ANALYZER +# +# Copyright 2020-2022 Siemens AG +# Copyright 2020-2022 Siemens Energy AG +# +# EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# welcome to redistribute it under the terms of the GNU General Public License. +# See LICENSE file for usage of this software. +# +# EMBA is licensed under GPLv3 +# +# Author(s): Michael Messner, Pascal Eckmann + +# Description: Installs full system emulation dependencies +# Module is based on FirmAE and firmadyne + +IL20_system_emulator() { + module_title "${FUNCNAME[0]}" + + if [[ "$LIST_DEP" -eq 1 ]] || [[ $IN_DOCKER -eq 1 ]] || [[ $DOCKER_SETUP -eq 0 ]] || [[ $FULL -eq 1 ]]; then + INSTALL_APP_LIST=() + cd "$HOME_PATH" || exit 1 + + print_tool_info "busybox-static" 1 + print_tool_info "bash-static" 1 + print_tool_info "fakeroot" 1 + print_tool_info "git" 1 + print_tool_info "dmsetup" 1 + print_tool_info "kpartx" 1 + print_tool_info "uml-utilities" 1 + print_tool_info "util-linux" 1 + print_tool_info "vlan" 1 + print_tool_info "qemu-system-arm" 1 + print_tool_info "qemu-system-mips" 1 + print_tool_info "qemu-system-x86" 1 + print_tool_info "qemu-utils" 1 + + print_file_info "vmlinux.mipsel.2" "FirmAE - Linux kernel 2.6 - MIPSel" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipsel.2" "external/firmae/binaries/vmlinux.mipsel.2" + print_file_info "vmlinux.mipseb.2" "FirmAE - Linux kernel 2.6 - MIPSeb" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipseb.2" "external/firmae/binaries/vmlinux.mipseb.2" + print_file_info "vmlinux.mipsel.4" "FirmAE - Linux kernel 4.1 - MIPSel" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.mipsel.4" "external/firmae/binaries/vmlinux.mipsel.4" + print_file_info "vmlinux.mipseb.4" "FirmAE - Linux kernel 4.1 - MIPSeb" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.mipseb.4" 
"external/firmae/binaries/vmlinux.mipseb.4" + + print_file_info "zImage.armel" "FirmAE - Linux kernel 4.1 - ARMel" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/zImage.armel" "external/firmae/binaries/zImage.armel" + print_file_info "vmlinux.armel" "FirmAE - Linux kernel 4.1 - ARMel" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.armel" "external/firmae/binaries/vmlinux.armel" + + print_file_info "busybox.armel" "FirmAE - busybox - ARMel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.armel" "external/firmae/binaries/console.armel" + print_file_info "busybox.mipseb" "FirmAE - busybox - MIPSeb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.mipseb" "external/firmae/binaries/console.mipseb" + print_file_info "busybox.mipsel" "FirmAE - busybox - MIPSel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.mipsel" "external/firmae/binaries/console.mipsel" + + print_file_info "console.armel" "FirmAE - Console - ARMel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/console.armel" "external/firmae/binaries/console.armel" + print_file_info "console.mipseb" "FirmAE - Console - MIPSeb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/console.mipseb" "external/firmae/binaries/console.mipseb" + print_file_info "console.mipsel" "FirmAE - Console - MIPSel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/console.mipsel" "external/firmae/binaries/console.mipsel" + + print_file_info "libnvram.so.armel" "FirmAE - libnvram - ARMel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram.so.armel" "external/firmae/binaries/libnvram.so.armel" + print_file_info "libnvram.so.mipseb" "FirmAE - libnvram - MIPSeb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram.so.mipseb" "external/firmae/binaries/libnvram.so.mipseb" + print_file_info "libnvram.so.mipsel" "FirmAE - libnvram - MIPSel" 
"https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram.so.mipsel" "external/firmae/binaries/libnvram.so.mipsel" + print_file_info "libnvram_ioctl.so.armel" "FirmAE - libnvram_ioctl - ARMel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram_ioctl.so.armel" "external/firmae/binaries/libnvram_ioctl.so.armel" + print_file_info "libnvram_ioctl.so.mipseb" "FirmAE - libnvram_ioctl - MIPSeb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram_ioctl.so.mipseb" "external/firmae/binaries/libnvram_ioctl.so.mipseb" + print_file_info "libnvram_ioctl.so.mipsel" "FirmAE - libnvram_ioctl - MIPSel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram_ioctl.so.mipsel" "external/firmae/binaries/libnvram_ioctl.so.mipsel" + + print_file_info "fixImage.sh" "FirmAE fixImage script" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/fixImage.sh" "external/firmae/scripts/" + print_file_info "preInit.sh" "FirmAE preInit script" "https://github.com/pr0v3rbs/FirmAE/blob/master/scripts/preInit.sh" "external/firmae/scripts/" + print_file_info "network.sh" "FirmAE preInit script" "https://github.com/pr0v3rbs/FirmAE/blob/master/scripts/network.sh" "external/firmae/scripts/" + print_file_info "inferNetwork.sh" "FirmAE inferNetwork script" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/inferNetwork.sh" "external/firmae/scripts/" + print_file_info "run_service.sh" "FirmAE run_service script" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/run_service.sh" "external/firmae/scripts/" + + if [[ "$LIST_DEP" -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]] ; then + ANSWER=("n") + else + echo -e "\\n""$MAGENTA""$BOLD""The system emulation dependencies (if not already on the system) will be downloaded and installed!""$NC" + ANSWER=("y") + fi + + case ${ANSWER:0:1} in + y|Y ) + + mkdir -p external/firmae/binaries + mkdir -p external/firmae/scripts + + apt-get install "${INSTALL_APP_LIST[@]}" -y + + 
download_file "vmlinux.mipsel.2" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipsel.2" "external/firmae/binaries/vmlinux.mipsel.2" + download_file "vmlinux.mipseb.2" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipseb.2" "external/firmae/binaries/vmlinux.mipseb.2" + download_file "vmlinux.mipsel.4" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.mipsel.4" "external/firmae/binaries/vmlinux.mipsel.4" + download_file "vmlinux.mipseb.4" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.mipseb.4" "external/firmae/binaries/vmlinux.mipseb.4" + + download_file "zImage.armel" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/zImage.armel" "external/firmae/binaries/zImage.armel" + download_file "vmlinux.armel" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.armel" "external/firmae/binaries/vmlinux.armel" + + download_file "busybox.armel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.armel" "external/firmae/binaries/console.armel" + download_file "busybox.mipseb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.mipseb" "external/firmae/binaries/console.mipseb" + download_file "busybox.mipsel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.mipsel" "external/firmae/binaries/console.mipsel" + + download_file "console.armel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/console.armel" "external/firmae/binaries/console.armel" + download_file "console.mipseb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/console.mipseb" "external/firmae/binaries/console.mipseb" + download_file "console.mipsel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/console.mipsel" "external/firmae/binaries/console.mipsel" + + download_file "libnvram.so.armel" 
"https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram.so.armel" "external/firmae/binaries/libnvram.so.armel" + download_file "libnvram.so.mipseb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram.so.mipseb" "external/firmae/binaries/libnvram.so.mipseb" + download_file "libnvram.so.mipsel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram.so.mipsel" "external/firmae/binaries/libnvram.so.mipsel" + download_file "libnvram_ioctl.so.armel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram_ioctl.so.armel" "external/firmae/binaries/libnvram_ioctl.so.armel" + download_file "libnvram_ioctl.so.mipseb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram_ioctl.so.mipseb" "external/firmae/binaries/libnvram_ioctl.so.mipseb" + download_file "libnvram_ioctl.so.mipsel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram_ioctl.so.mipsel" "external/firmae/binaries/libnvram_ioctl.so.mipsel" + + download_file "fixImage.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/fixImage.sh" "external/firmae/scripts/fixImage.sh" + download_file "preInit.sh" "https://github.com/pr0v3rbs/FirmAE/blob/master/scripts/preInit.sh" "external/firmae/scripts/preInit.sh" + download_file "network.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/network.sh" "external/firmae/scripts/network.sh" + download_file "inferNetwork.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/inferNetwork.sh" "external/firmae/scripts/inferNetwork.sh" + download_file "run_service.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/run_service.sh" "external/firmae/scripts/run_service.sh" + + ;; + esac + fi +} + diff --git a/installer/IL21_firmae_system_emulator.sh b/installer/IL21_firmae_system_emulator.sh new file mode 100644 index 000000000..de4c7aac3 --- /dev/null +++ b/installer/IL21_firmae_system_emulator.sh 
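Review bot: The three busybox downloads are written to `external/firmae/binaries/console.armel` / `console.mipseb` / `console.mipsel`, the same destinations the console downloads use a few lines later, so one of each pair overwrites the other and the emulator never gets a busybox binary (the same mistake existed in the deleted IL20_firmae file). `preInit.sh` is fetched from a `github.com/.../blob/master/...` URL, which serves an HTML page rather than the script, while the neighbouring scripts use `raw.githubusercontent.com`; `print_file_info "network.sh"` has the same blob URL and the copy-pasted description "FirmAE preInit script". Kernels and binaries are pulled from release assets without any recorded checksum; if download_file can verify a digest, pinning one per asset (`<EXPECTED_SHA256_PLACEHOLDER>`) would catch a tampered or replaced asset, otherwise at least the release tag is the only pin. The rewritten lines are below; the raw URL for preInit.sh follows the pattern of the other scripts and should be confirmed.
```shell
    # … unchanged: tool list and kernel print_file_info lines …
    print_file_info "busybox.armel" "FirmAE - busybox - ARMel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.armel" "external/firmae/binaries/busybox.armel"
    print_file_info "busybox.mipseb" "FirmAE - busybox - MIPSeb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.mipseb" "external/firmae/binaries/busybox.mipseb"
    print_file_info "busybox.mipsel" "FirmAE - busybox - MIPSel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.mipsel" "external/firmae/binaries/busybox.mipsel"
    # … unchanged: console and libnvram print_file_info lines …
    print_file_info "preInit.sh" "FirmAE preInit script" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/preInit.sh" "external/firmae/scripts/"
    print_file_info "network.sh" "FirmAE network script" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/network.sh" "external/firmae/scripts/"
    # … unchanged: remaining print_file_info lines, ANSWER prompt, mkdir, apt-get …
      download_file "busybox.armel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.armel" "external/firmae/binaries/busybox.armel"
      download_file "busybox.mipseb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.mipseb" "external/firmae/binaries/busybox.mipseb"
      download_file "busybox.mipsel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.mipsel" "external/firmae/binaries/busybox.mipsel"
      # … unchanged: console and libnvram download_file lines …
      download_file "preInit.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/preInit.sh" "external/firmae/scripts/preInit.sh"
      # … unchanged: remaining download_file lines, esac, fi …
```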
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# EMBA - EMBEDDED LINUX ANALYZER
+#
+# Copyright 2020-2022 Siemens AG
+# Copyright 2020-2022 Siemens Energy AG
+#
+# EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+# EMBA is licensed under GPLv3
+#
+# Author(s): Michael Messner, Pascal Eckmann
+
+# Description: Installs FirmAE / full system emulation
+
+IL21_firmae_system_emulator() {
+ module_title "${FUNCNAME[0]}"
+
+ if [[ "$LIST_DEP" -eq 1 ]] || [[ $IN_DOCKER -eq 1 ]] || [[ $DOCKER_SETUP -eq 0 ]] || [[ $FULL -eq 1 ]]; then
+ cd "$HOME_PATH" || exit 1
+
+ print_git_info "FirmAE system mode emulator" "pr0v3rbs/FirmAE" "FirmAE is a fully-automated framework that performs emulation and vulnerability analysis."
+ echo -e "\\n""$MAGENTA""$BOLD""This is a temporary module which will be removed in the future without any further note!""$NC"
+
+
+ if [[ "$LIST_DEP" -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]] ; then
+ ANSWER=("n")
+ else
+ echo -e "\\n""$MAGENTA""$BOLD""The FirmAE system emulation dependencies (if not already on the system) will be downloaded and installed!""$NC"
+ ANSWER=("y")
+ fi
+
+ case ${ANSWER:0:1} in
+ y|Y )
+
+ git clone --recursive https://github.com/pr0v3rbs/FirmAE.git external/FirmAE_orig
+ cd external/FirmAE_orig || exit 1
+
+ ./download.sh
+ ./install.sh
+ ./init.sh
+
+ cd "$HOME_PATH" || exit 1
+
+ ;;
+ esac
+ fi
+}
+
diff --git a/installer/IL22_firmadyne_system_emulator.sh b/installer/IL22_firmadyne_system_emulator.sh
new file mode 100644
index 000000000..4e555e6b9
--- /dev/null
+++ b/installer/IL22_firmadyne_system_emulator.sh
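Review bot: `git clone --recursive https://github.com/pr0v3rbs/FirmAE.git external/FirmAE_orig` followed by `./download.sh`, `./install.sh` and `./init.sh` runs whatever the upstream default branch holds at install time, with no tag, commit or checksum pinned, so the installed toolchain depends on a third party's mutable HEAD; the firmadyne clone in IL22 on the next hunk and the `git pull` that patch 06 adds to both installers have the same property. Pin the checkout, e.g. `git clone --recursive --branch <TAG_PLACEHOLDER> https://github.com/pr0v3rbs/FirmAE.git external/FirmAE_orig` (or a `git checkout <COMMIT_PLACEHOLDER>` after the clone), and record the pinned revision in a comment so updates are a deliberate change. The three script invocations also ignore their exit status, so unless the installer runs under `set -e` a failed `./install.sh` is not noticed before `./init.sh` runs; `./download.sh && ./install.sh && ./init.sh || exit 1` makes the failure visible.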
@@ -0,0 +1,57 @@ +#!/bin/bash + +# EMBA - EMBEDDED LINUX ANALYZER +# +# Copyright 2020-2022 Siemens AG +# Copyright 2020-2022 Siemens Energy AG +# +# EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# welcome to redistribute it under the terms of the GNU General Public License. +# See LICENSE file for usage of this software. +# +# EMBA is licensed under GPLv3 +# +# Author(s): Michael Messner, Pascal Eckmann + +# Description: Installs firmadyne / full system emulation + +IL20_firmadyne_system_emulator() { + module_title "${FUNCNAME[0]}" + + if [[ "$LIST_DEP" -eq 1 ]] || [[ $IN_DOCKER -eq 1 ]] || [[ $DOCKER_SETUP -eq 0 ]] || [[ $FULL -eq 1 ]]; then + cd "$HOME_PATH" || exit 1 + + print_git_info "Firmadyne system mode emulator" "firmadyne/firmadyne" "FIRMADYNE is an automated and scalable system for performing emulation and dynamic analysis of Linux-based embedded firmware" + echo -e "\\n""$MAGENTA""$BOLD""This is a temporary module which will be removed in the future without any further note!""$NC" + + + if [[ "$LIST_DEP" -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]] ; then + ANSWER=("n") + else + echo -e "\\n""$MAGENTA""$BOLD""The firmadyne system emulation dependencies (if not already on the system) will be downloaded and installed!""$NC" + ANSWER=("y") + fi + + case ${ANSWER:0:1} in + y|Y ) + + apt-get install busybox-static fakeroot git dmsetup kpartx netcat-openbsd nmap python-psycopg2 python3-psycopg2 snmp uml-utilities util-linux vlan + git clone --recursive https://github.com/firmadyne/firmadyne.git external/firmadyne_orig + cd external/firmadyne_orig || exit 1 + apt-get install postgresql + sudo -u postgres createuser -P firmadyne + sudo -u postgres createdb -O firmadyne firmware + # shellcheck disable=SC2024 + sudo -u postgres psql -d firmware < ./firmadyne/database/schema + + ./download.sh + + apt-get install qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils + + cd "$HOME_PATH" || exit 1 + + ;; + esac + fi +} + 
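Review bot: The three `apt-get install ...` calls in the `y|Y )` arm carry no `-y`, unlike `apt-get install "${INSTALL_APP_LIST[@]}" -y` used by IL20_system_emulator later on this page, so in a non-interactive run (the `ANSWER=("y")` path is taken without a prompt) they block on apt's confirmation; this is still the case after the patch 06 rewrite of the same block. Add `-y` to each call, e.g. `apt-get install -y busybox-static fakeroot git dmsetup kpartx netcat-openbsd nmap python-psycopg2 python3-psycopg2 snmp uml-utilities util-linux vlan`. `sudo -u postgres createuser -P firmadyne` also prompts interactively for a password, which patch 06 sidesteps by commenting the postgres steps out rather than by making them non-interactive.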
From fa86de808a9d84772c32acf321b00db6f19d954d Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Thu, 31 Mar 2022 21:48:23 +0200 Subject: [PATCH 06/42] installer cleanup --- installer/IL21_firmae_system_emulator.sh | 11 ++++++--- installer/IL22_firmadyne_system_emulator.sh | 25 ++++++++++++++------- modules/P60_firmware_bin_extractor.sh | 6 +++-- 3 files changed, 29 insertions(+), 13 deletions(-) diff --git a/installer/IL21_firmae_system_emulator.sh b/installer/IL21_firmae_system_emulator.sh index de4c7aac3..12f4d4790 100644 --- a/installer/IL21_firmae_system_emulator.sh +++ b/installer/IL21_firmae_system_emulator.sh @@ -14,6 +14,7 @@ # Author(s): Michael Messner, Pascal Eckmann # Description: Installs FirmAE / full system emulation +# This is a temporary module which will be removed in the future without any further note! IL21_firmae_system_emulator() { module_title "${FUNCNAME[0]}" @@ -24,7 +25,6 @@ IL21_firmae_system_emulator() { print_git_info "FirmAE system mode emulator" "pr0v3rbs/FirmAE" "FirmAE is a fully-automated framework that performs emulation and vulnerability analysis." echo -e "\\n""$MAGENTA""$BOLD""This is a temporary module which will be removed in the future without any further note!""$NC" - if [[ "$LIST_DEP" -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]] ; then ANSWER=("n") else @@ -35,8 +35,13 @@ IL21_firmae_system_emulator() { case ${ANSWER:0:1} in y|Y ) - git clone --recursive https://github.com/pr0v3rbs/FirmAE.git external/FirmAE_orig - cd external/FirmAE_orig || exit 1 + if ! [[ -d external/FirmAE_orig ]]; then + git clone --recursive https://github.com/pr0v3rbs/FirmAE.git external/FirmAE_orig + cd external/FirmAE_orig || exit 1 + else + cd external/FirmAE_orig || exit 1 + git pull + fi ./download.sh ./install.sh diff --git a/installer/IL22_firmadyne_system_emulator.sh b/installer/IL22_firmadyne_system_emulator.sh index 4e555e6b9..1b9287ef7 100644 --- a/installer/IL22_firmadyne_system_emulator.sh +++ b/installer/IL22_firmadyne_system_emulator.sh 
@@ -14,8 +14,9 @@ # Author(s): Michael Messner, Pascal Eckmann # Description: Installs firmadyne / full system emulation +# This is a temporary module which will be removed in the future without any further note! -IL20_firmadyne_system_emulator() { +IL22_firmadyne_system_emulator() { module_title "${FUNCNAME[0]}" if [[ "$LIST_DEP" -eq 1 ]] || [[ $IN_DOCKER -eq 1 ]] || [[ $DOCKER_SETUP -eq 0 ]] || [[ $FULL -eq 1 ]]; then @@ -35,14 +36,22 @@ IL20_firmadyne_system_emulator() { case ${ANSWER:0:1} in y|Y ) - apt-get install busybox-static fakeroot git dmsetup kpartx netcat-openbsd nmap python-psycopg2 python3-psycopg2 snmp uml-utilities util-linux vlan - git clone --recursive https://github.com/firmadyne/firmadyne.git external/firmadyne_orig - cd external/firmadyne_orig || exit 1 - apt-get install postgresql - sudo -u postgres createuser -P firmadyne - sudo -u postgres createdb -O firmadyne firmware + apt-get install busybox-static fakeroot git dmsetup kpartx netcat-openbsd nmap python3-psycopg2 snmp uml-utilities util-linux vlan + + if ! [[ -d external/firmadyne_orig ]]; then + git clone --recursive https://github.com/firmadyne/firmadyne.git external/firmadyne_orig + cd external/firmadyne_orig || exit 1 + else + cd external/firmadyne_orig || exit 1 + git pull + fi + + # this is already done via IL21 installer + #apt-get install postgresql + #sudo -u postgres createuser -P firmadyne + #sudo -u postgres createdb -O firmadyne firmware # shellcheck disable=SC2024 - sudo -u postgres psql -d firmware < ./firmadyne/database/schema + #sudo -u postgres psql -d firmware < ./firmadyne/database/schema ./download.sh diff --git a/modules/P60_firmware_bin_extractor.sh b/modules/P60_firmware_bin_extractor.sh index 25b50b95c..813f855d9 100755 --- a/modules/P60_firmware_bin_extractor.sh +++ b/modules/P60_firmware_bin_extractor.sh 
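Review bot: In the second hunk the `# shellcheck disable=SC2024` directive now sits above a commented-out `#sudo -u postgres psql ...` line, so it suppresses nothing and will confuse the next reader; either drop it or move the whole postgres block (directive included) into one contiguous comment. The new comment `# this is already done via IL21 installer` points at the FirmAE module, which on this page only runs FirmAE's own `./install.sh`; if that script is what creates the database, say so explicitly, e.g. `# database setup is performed by FirmAE's install.sh (see IL21_firmae_system_emulator)`.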
@@ -314,7 +314,8 @@ extract_binwalk_helper() { if [[ "$BINWALK_VER_CHECK" == 1 ]]; then binwalk --run-as=root --preserve-symlinks -e -M -C "$OUTPUT_DIR_binwalk" "$FIRMWARE_PATH" >> "$TMP_DIR"/binwalker.txt else - binwalk -e -M -C "$OUTPUT_DIR_binwalk" "$FIRMWARE_PATH" >> "$TMP_DIR"/binwalker.txt + #binwalk -e -M -C "$OUTPUT_DIR_binwalk" "$FIRMWARE_PATH" >> "$TMP_DIR"/binwalker.txt + binwalk --run-as=root --preserve-symlinks -e -M -C "$OUTPUT_DIR_binwalk" "$FIRMWARE_PATH" >> "$TMP_DIR"/binwalker.txt fi } @@ -337,7 +338,8 @@ binwalk_deep_extract_helper() { if [[ "$BINWALK_VER_CHECK" == 1 ]]; then binwalk --run-as=root --preserve-symlinks -e -M -C "$FIRMWARE_PATH_CP" "$FILE_TMP" | tee -a "$LOG_FILE" || true else - binwalk -e -M -C "$FIRMWARE_PATH_CP" "$FILE_TMP" | tee -a "$LOG_FILE" || true + #binwalk -e -M -C "$FIRMWARE_PATH_CP" "$FILE_TMP" | tee -a "$LOG_FILE" || true + binwalk --run-as=root --preserve-symlinks -e -M -C "$FIRMWARE_PATH_CP" "$FILE_TMP" | tee -a "$LOG_FILE" || true fi } From a86cecd53bf6e9ee5a12db32f45b6fbd7eb5e89a Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Fri, 1 Apr 2022 09:15:28 +0200 Subject: [PATCH 07/42] installer --- installer.sh | 4 ++-- installer/IL20_system_emulator.sh | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/installer.sh b/installer.sh index 23ead2c4c..98d7579b1 100755 --- a/installer.sh +++ b/installer.sh @@ -183,12 +183,12 @@ if [[ "$CVE_SEARCH" -ne 1 ]] || [[ "$DOCKER_SETUP" -ne 1 ]] || [[ "$IN_DOCKER" - IL10_system_emulator # for the future - #IL20_system_emulator + IL20_system_emulator # deprecated: IL21_firmae_system_emulator # deprecated: - IL22_firmadyne_system_emulator + #IL22_firmadyne_system_emulator IL15_emulated_checks_init diff --git a/installer/IL20_system_emulator.sh b/installer/IL20_system_emulator.sh index 34054a8a6..4bbf47721 100644 --- a/installer/IL20_system_emulator.sh +++ b/installer/IL20_system_emulator.sh 
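Review bot: The new `else` branch runs `binwalk --run-as=root --preserve-symlinks -e -M -C "$OUTPUT_DIR_binwalk" "$FIRMWARE_PATH" >> "$TMP_DIR"/binwalker.txt`, identical to the version-checked branch above it, so `BINWALK_VER_CHECK` no longer selects anything here, and `--preserve-symlinks` turns off binwalk's sanitising of extracted symlinks that point outside the extraction directory, for firmware that is untrusted input; patches 08 and 11 reshape this into an `IN_DOCKER` test (hunks on L29/L30 and L41) but keep the flag on the host path, where none of the read-only container confinement added in patch 11 applies to later modules that follow those links. If the flag is only needed for the newer binwalk inside the container, the host branch should keep the previous `binwalk -e -M -C "$OUTPUT_DIR_binwalk" "$FIRMWARE_PATH" >> "$TMP_DIR"/binwalker.txt`; otherwise add a comment stating why symlink sanitising is disabled and which consumer rewrites the links before they are dereferenced. The same applies to binwalk_deep_extract_helper in the second hunk.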
@@ -63,7 +63,7 @@ IL20_system_emulator() { print_file_info "fixImage.sh" "FirmAE fixImage script" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/fixImage.sh" "external/firmae/scripts/" print_file_info "preInit.sh" "FirmAE preInit script" "https://github.com/pr0v3rbs/FirmAE/blob/master/scripts/preInit.sh" "external/firmae/scripts/" print_file_info "network.sh" "FirmAE preInit script" "https://github.com/pr0v3rbs/FirmAE/blob/master/scripts/network.sh" "external/firmae/scripts/" - print_file_info "inferNetwork.sh" "FirmAE inferNetwork script" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/inferNetwork.sh" "external/firmae/scripts/" + print_file_info "makeNetwork.sh" "FirmAE makeNetwork script" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/makeNetwork.sh" "external/firmae/scripts/" print_file_info "run_service.sh" "FirmAE run_service script" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/run_service.sh" "external/firmae/scripts/" if [[ "$LIST_DEP" -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]] ; then From 5751b30102d9ef5da78a5ea4c2c86c33b3ff9bba Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Fri, 1 Apr 2022 15:15:58 +0200 Subject: [PATCH 08/42] installer --- installer/IF20_cve_search.sh | 3 ++- installer/IL20_system_emulator.sh | 10 +++++----- modules/P60_firmware_bin_extractor.sh | 8 ++++++-- 3 files changed, 13 insertions(+), 8 deletions(-) diff --git a/installer/IF20_cve_search.sh b/installer/IF20_cve_search.sh index 425969f2e..9db8fcb70 100644 --- a/installer/IF20_cve_search.sh +++ b/installer/IF20_cve_search.sh 
@@ -146,9 +146,10 @@ IF20_cve_search() { # only in docker or full installations: if [[ "$LIST_DEP" -eq 1 ]] || [[ $IN_DOCKER -eq 1 ]] || [[ $DOCKER_SETUP -eq 0 ]] || [[ $FULL -eq 1 ]]; then + cd "$HOME_PATH" || exit 1 # see https://www.cisa.gov/known-exploited-vulnerabilities-catalog - print_file_info "CISA.gov list of known_exploited_vulnerabilities.csv" "https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv" "external/known_exploited_vulnerabilities.csv" + print_file_info "known_exploited_vulnerabilities.csv" "CISA.gov list of known_exploited_vulnerabilities.csv" "https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv" "external/known_exploited_vulnerabilities.csv" if [[ "$LIST_DEP" -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]] ; then ANSWER=("n") diff --git a/installer/IL20_system_emulator.sh b/installer/IL20_system_emulator.sh index 4bbf47721..5597e82a0 100644 --- a/installer/IL20_system_emulator.sh +++ b/installer/IL20_system_emulator.sh 
@@ -37,8 +37,8 @@ IL20_system_emulator() { print_tool_info "qemu-system-x86" 1 print_tool_info "qemu-utils" 1 - print_file_info "vmlinux.mipsel.2" "FirmAE - Linux kernel 2.6 - MIPSel" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipsel.2" "external/firmae/binaries/vmlinux.mipsel.2" - print_file_info "vmlinux.mipseb.2" "FirmAE - Linux kernel 2.6 - MIPSeb" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipseb.2" "external/firmae/binaries/vmlinux.mipseb.2" + #print_file_info "vmlinux.mipsel.2" "FirmAE - Linux kernel 2.6 - MIPSel" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipsel.2" "external/firmae/binaries/vmlinux.mipsel.2" + #print_file_info "vmlinux.mipseb.2" "FirmAE - Linux kernel 2.6 - MIPSeb" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipseb.2" "external/firmae/binaries/vmlinux.mipseb.2" print_file_info "vmlinux.mipsel.4" "FirmAE - Linux kernel 4.1 - MIPSel" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.mipsel.4" "external/firmae/binaries/vmlinux.mipsel.4" print_file_info "vmlinux.mipseb.4" "FirmAE - Linux kernel 4.1 - MIPSeb" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.mipseb.4" "external/firmae/binaries/vmlinux.mipseb.4" 
@@ -62,7 +62,7 @@ IL20_system_emulator() { print_file_info "fixImage.sh" "FirmAE fixImage script" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/fixImage.sh" "external/firmae/scripts/" print_file_info "preInit.sh" "FirmAE preInit script" "https://github.com/pr0v3rbs/FirmAE/blob/master/scripts/preInit.sh" "external/firmae/scripts/" - print_file_info "network.sh" "FirmAE preInit script" "https://github.com/pr0v3rbs/FirmAE/blob/master/scripts/network.sh" "external/firmae/scripts/" + print_file_info "network.sh" "FirmAE network script" "https://github.com/pr0v3rbs/FirmAE/blob/master/scripts/network.sh" "external/firmae/scripts/" print_file_info "makeNetwork.sh" "FirmAE makeNetwork script" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/makeNetwork.sh" "external/firmae/scripts/" print_file_info "run_service.sh" "FirmAE run_service script" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/run_service.sh" "external/firmae/scripts/" 
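Review bot: The rewritten `print_file_info "network.sh" ...` line still points at `https://github.com/pr0v3rbs/FirmAE/blob/master/scripts/network.sh`, the GitHub HTML page, while the matching `download_file "network.sh"` call in this file (earlier hunk on this page) and the neighbouring `makeNetwork.sh`/`run_service.sh` entries use `raw.githubusercontent.com`; a download from the `/blob/` URL yields an HTML document rather than the script, and the `preInit.sh` entries (both the print line here and its `download_file` call) have the same URL form. Change the line to `print_file_info "network.sh" "FirmAE network script" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/network.sh" "external/firmae/scripts/"` and fix the preInit.sh pair the same way. IL20_system_emulator's body continues outside the hunk.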
@@ -81,8 +81,8 @@ IL20_system_emulator() { apt-get install "${INSTALL_APP_LIST[@]}" -y - download_file "vmlinux.mipsel.2" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipsel.2" "external/firmae/binaries/vmlinux.mipsel.2" - download_file "vmlinux.mipseb.2" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipseb.2" "external/firmae/binaries/vmlinux.mipseb.2" + #download_file "vmlinux.mipsel.2" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipsel.2" "external/firmae/binaries/vmlinux.mipsel.2" + #download_file "vmlinux.mipseb.2" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipseb.2" "external/firmae/binaries/vmlinux.mipseb.2" download_file "vmlinux.mipsel.4" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.mipsel.4" "external/firmae/binaries/vmlinux.mipsel.4" download_file "vmlinux.mipseb.4" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.mipseb.4" "external/firmae/binaries/vmlinux.mipseb.4" diff --git a/modules/P60_firmware_bin_extractor.sh b/modules/P60_firmware_bin_extractor.sh index 813f855d9..33a38fe30 100755 --- a/modules/P60_firmware_bin_extractor.sh +++ b/modules/P60_firmware_bin_extractor.sh @@ -314,7 +314,9 @@ extract_binwalk_helper() { if [[ "$BINWALK_VER_CHECK" == 1 ]]; then binwalk --run-as=root --preserve-symlinks -e -M -C "$OUTPUT_DIR_binwalk" "$FIRMWARE_PATH" >> "$TMP_DIR"/binwalker.txt else - #binwalk -e -M -C "$OUTPUT_DIR_binwalk" "$FIRMWARE_PATH" >> "$TMP_DIR"/binwalker.txt + if [[ "$IN_DOCKER" -eq 1 ]]; then + binwalk -e -M -C "$OUTPUT_DIR_binwalk" "$FIRMWARE_PATH" >> "$TMP_DIR"/binwalker.txt + fi binwalk --run-as=root --preserve-symlinks -e -M -C "$OUTPUT_DIR_binwalk" "$FIRMWARE_PATH" >> "$TMP_DIR"/binwalker.txt fi } 
@@ -338,7 +340,9 @@ binwalk_deep_extract_helper() { if [[ "$BINWALK_VER_CHECK" == 1 ]]; then binwalk --run-as=root --preserve-symlinks -e -M -C "$FIRMWARE_PATH_CP" "$FILE_TMP" | tee -a "$LOG_FILE" || true else - #binwalk -e -M -C "$FIRMWARE_PATH_CP" "$FILE_TMP" | tee -a "$LOG_FILE" || true + if [[ "$IN_DOCKER" -eq 1 ]]; then + binwalk -e -M -C "$FIRMWARE_PATH_CP" "$FILE_TMP" | tee -a "$LOG_FILE" || true + fi binwalk --run-as=root --preserve-symlinks -e -M -C "$FIRMWARE_PATH_CP" "$FILE_TMP" | tee -a "$LOG_FILE" || true fi } From 37c9a86c5554e09ffb014de00ef2b9fbcd531c23 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Thu, 7 Apr 2022 13:29:07 +0200 Subject: [PATCH 09/42] known exploits --- .../report_templates/F20_vul_aggregator-post.sh | 2 +- emba.sh | 8 ++++++++ helpers/helpers_emba_prepare.sh | 16 +++++++++++++++- modules/F20_vul_aggregator.sh | 8 +++++--- 4 files changed, 29 insertions(+), 5 deletions(-) diff --git a/config/report_templates/F20_vul_aggregator-post.sh b/config/report_templates/F20_vul_aggregator-post.sh index 58d788d5e..dac2ce4f8 100644 --- a/config/report_templates/F20_vul_aggregator-post.sh +++ b/config/report_templates/F20_vul_aggregator-post.sh @@ -5,4 +5,4 @@ print_output "$(indent "${ORANGE}R$NC - remote exploits")" print_output "$(indent "${ORANGE}L$NC - local exploits")" print_output "$(indent "${ORANGE}D$NC - DoS exploits")" print_output "$(indent "${ORANGE}G$NC - PoC code found on Github (unknown exploit vector)")" -print_output "$(indent "${ORANGE}X$NC - Vulnerability is knwon as exploited (See https://www.cisa.gov/known-exploited-vulnerabilities-catalog)")" +print_output "$(indent "${ORANGE}X$NC - Vulnerability is known as exploited")" diff --git a/emba.sh b/emba.sh index 8c6f59fcb..d32b5fa00 100755 --- a/emba.sh +++ b/emba.sh 
@@ -610,6 +610,14 @@ main()
 generate_trickest_db &
 fi
+
+ # we update the known_exploited_vulnerabilities.csv file on the host - if the file is here
+ # typically this is on installations in full mode
+ export KNOWN_EXP_CSV="$TMP_DIR"/known_exploited_vulnerabilities.csv
+ if [[ -f "$EXT_DIR/known_exploited_vulnerabilities.csv" && "$IN_DOCKER" -eq 0 ]]; then
+ # we update the known_exploited_vulnerabilities.csv file on every scan and store the database in the tmp directory
+ update_known_exploitable &
+ fi
 
 if [[ $IN_DOCKER -eq 0 ]] ; then
 check_cve_search_job "$EMBA_PID" &
 fi
diff --git a/helpers/helpers_emba_prepare.sh b/helpers/helpers_emba_prepare.sh
index d96958d6a..1afe379dc 100755
--- a/helpers/helpers_emba_prepare.sh
+++ b/helpers/helpers_emba_prepare.sh
@@ -393,7 +393,7 @@ generate_msf_db() {
 }
 
 generate_trickest_db() {
- # only running on host in full installation (with trickest database installed)
+ # only running on host with trickest database installed
 # search all markdown files in the trickest directory and create a temporary file with the module path (including CVE) and github URL to exploit:
 
 if [[ -d "$EXT_DIR"/trickest-cve ]]; then
@@ -411,3 +411,17 @@ generate_trickest_db() {
 fi
 }
 
+update_known_exploitable() {
+ # only running on host with known_exploited_vulnerabilities.csv installed
+
+ if [[ -f "$EXT_DIR"/known_exploited_vulnerabilities.csv ]]; then
+ print_output "[*] Update the known_exploited_vulnerabilities file" "no_log"
+ wget https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv -O "$EXT_DIR"/known_exploited_vulnerabilities.csv || true
+ cp "$EXT_DIR"/known_exploited_vulnerabilities.csv "$KNOWN_EXP_CSV"
+ if [[ -f "$KNOWN_EXP_CSV" ]]; then
+ print_output "[*] Known exploit database now has $ORANGE$(wc -l "$KNOWN_EXP_CSV" | awk '{print $1}')$NC exploit entries." "no_log"
+ fi
+ else
+ print_output "[*] No update of the known_exploited_vulnerabilities.csv file performed." "no_log"
+ fi
+}
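Review bot: `wget https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv -O "$EXT_DIR"/known_exploited_vulnerabilities.csv || true` in update_known_exploitable writes straight over the only local copy of the catalogue, and wget opens and truncates the `-O` target before the transfer, so a failed or interrupted download (which `|| true` hides) leaves an empty or partial CSV that the following `cp` publishes to `$KNOWN_EXP_CSV`; F20's `grep -q` on that file then silently reports no known-exploited CVEs for the whole scan. Download to a temp file and only move it into place when wget succeeded and the file is non-empty, and publish the working copy with a rename too, because emba.sh starts this function with `&` while the F20 module tests `-f "$KNOWN_EXP_CSV"` and could otherwise read a half-written copy (I cannot see an ordering guarantee between the two from here). The `wc -l` in the status line also counts the CSV header row, so the reported number is one too high.
```shell
update_known_exploitable() {
  # only running on host with known_exploited_vulnerabilities.csv installed
  local KEV_URL="https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"
  local KEV_TMP

  if [[ -f "$EXT_DIR"/known_exploited_vulnerabilities.csv ]]; then
    print_output "[*] Update the known_exploited_vulnerabilities file" "no_log"
    KEV_TMP="$(mktemp)" || return
    # fetch into a temp file so a failed or empty download never replaces the last good copy
    if wget -q "$KEV_URL" -O "$KEV_TMP" && [[ -s "$KEV_TMP" ]]; then
      mv "$KEV_TMP" "$EXT_DIR"/known_exploited_vulnerabilities.csv
    else
      print_output "[-] Update of known_exploited_vulnerabilities.csv failed - keeping the existing copy" "no_log"
      rm -f "$KEV_TMP"
    fi
    # rename into place so a concurrently running consumer never sees a partial file
    cp "$EXT_DIR"/known_exploited_vulnerabilities.csv "$KNOWN_EXP_CSV".tmp && mv "$KNOWN_EXP_CSV".tmp "$KNOWN_EXP_CSV"
    # … unchanged: entry count output …
  else
    # … unchanged: no-update message …
  fi
}
```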
diff --git a/modules/F20_vul_aggregator.sh b/modules/F20_vul_aggregator.sh index cf07ef093..b797ccc0b 100755 --- a/modules/F20_vul_aggregator.sh +++ b/modules/F20_vul_aggregator.sh @@ -2,8 +2,8 @@ # EMBA - EMBEDDED LINUX ANALYZER # -# Copyright 2020 Siemens Energy AG -# Copyright 2020 Siemens AG +# Copyright 2020-2022 Siemens Energy AG +# Copyright 2020-2022 Siemens AG # # EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -46,7 +46,9 @@ F20_vul_aggregator() { CVE_MINIMAL_LOG="$LOG_PATH_MODULE"/CVE_minimal.txt EXPLOIT_OVERVIEW_LOG="$LOG_PATH_MODULE"/exploits-overview.txt - KNOWN_EXP_CSV="$EXT_DIR"/known_exploited_vulnerabilities.csv + if ! [[ -f "$KNOWN_EXP_CSV" ]]; then + KNOWN_EXP_CSV="$EXT_DIR"/known_exploited_vulnerabilities.csv + fi if [[ -f $PATH_CVE_SEARCH ]]; then print_output "[*] Aggregate vulnerability details" From f8f46d521aa5ec606dd2d0f823ff30c8f4354232 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Thu, 14 Apr 2022 13:35:43 +0200 Subject: [PATCH 10/42] wording, updater, container extractor --- helpers/helpers_emba_extractors.sh | 42 ++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100755 helpers/helpers_emba_extractors.sh diff --git a/helpers/helpers_emba_extractors.sh b/helpers/helpers_emba_extractors.sh new file mode 100755 index 000000000..90ee49cc4 --- /dev/null +++ b/helpers/helpers_emba_extractors.sh 
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# EMBA - EMBEDDED LINUX ANALYZER
+#
+# Copyright 2020-2022 Siemens Energy AG
+# Copyright 2020-2022 Siemens AG
+#
+# EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+# EMBA is licensed under GPLv3
+#
+# Author(s): Michael Messner, Pascal Eckmann
+
+# Description: Multiple useful helpers used in the extraction process
+
+docker_container_extractor() {
+ local CONT_ID="${1:-}"
+ LOG_FILE="$LOG_DIR"/p00_docker_extractor.txt
+ if ! [[ -d "$LOG_DIR"/firmware/ ]]; then
+ mkdir "$LOG_DIR"/firmware/
+ fi
+ if docker container ls -a | grep -q "$CONT_ID"; then
+ print_output "[*] Found docker container for extraction:"
+ docker container ls -a | grep "$CONT_ID" | tee -a "$LOG_FILE"
+ print_output ""
+ else
+ print_output "[-] Warning: Docker container with ID $ORANGE$CONT_ID$NC not found"
+ exit 1
+ fi
+
+ docker export -o "$LOG_DIR"/firmware/firmware_docker_extracted.tar "$CONT_ID"
+
+ if [[ -f "$LOG_DIR"/firmware/firmware_docker_extracted.tar ]]; then
+ print_output "[+] Exported docker container to $ORANGE$LOG_DIR/firmware/firmware_docker_extracted.tar$NC"
+ else
+ print_output "[-] Warning: Docker export for container ID $ORANGE$CONT_ID$NC failed"
+ exit 1
+ fi
+}
+
From bacb4e560cf77033c2686a1498b35b838add4889 Mon Sep 17 00:00:00 2001
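Review bot: `if docker container ls -a | grep -q "$CONT_ID"; then` decides that the container exists by an unanchored regex match over the whole listing, so the user-supplied `-C` value also matches image names, status text or any other ID containing it, and an empty `$1` (the `${1:-}` default) matches every line; the later `docker export ... "$CONT_ID"` then fails for a different reason than the message suggests. Ask the daemon directly with `docker container inspect "$CONT_ID" > /dev/null 2>&1`, refuse an empty ID up front, and use `grep -F -- "$CONT_ID"` for the listing that goes to the log so the value is treated as a literal. `mkdir "$LOG_DIR"/firmware/` without `-p` is fine only because of the `-d` test before it, and `LOG_FILE` is assigned as a global from inside the helper; a short comment saying that print_output relies on it would help.
```shell
docker_container_extractor() {
  local CONT_ID="${1:-}"
  LOG_FILE="$LOG_DIR"/p00_docker_extractor.txt
  if [[ -z "$CONT_ID" ]]; then
    print_output "[-] Warning: no docker container ID given"
    exit 1
  fi
  # … unchanged: creation of "$LOG_DIR"/firmware/ …
  # resolve the ID through the docker API instead of a substring/regex match on the listing
  if docker container inspect "$CONT_ID" > /dev/null 2>&1; then
    print_output "[*] Found docker container for extraction:"
    docker container ls -a | grep -F -- "$CONT_ID" | tee -a "$LOG_FILE"
    print_output ""
  else
  # … unchanged: not-found message, export and result check …
```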
From: m-1-k-3 Date: Sat, 16 Apr 2022 11:26:14 +0200 Subject: [PATCH 11/42] read only rootfs --- docker-compose.yml | 7 ++- emba.sh | 54 ++++++++++------------ helpers/helpers_emba_helpers.sh | 28 +++++++++++ helpers/helpers_emba_print.sh | 1 + installer.sh | 4 +- installer/I01_default_apps.sh | 1 + installer/IF20_cve_search.sh | 3 +- modules/F20_vul_aggregator.sh | 2 +- modules/F50_base_aggregator.sh | 32 +++++++------ modules/P60_firmware_bin_extractor.sh | 8 ++-- modules/S115_usermode_emulator.sh | 18 ++++---- modules/S30_version_vulnerability_check.sh | 3 -- scan-profiles/default-scan.emba | 10 ++-- scan-profiles/full-scan.emba | 16 +++---- 14 files changed, 112 insertions(+), 75 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 42d72fb27..c07bd70a6 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -2,8 +2,13 @@ version: "3" services: emba: image: embeddedanalyzer/emba:latest + read_only: true + tmpfs: + - /tmp + - /root + - /var/run + - /var/lock build: . - privileged: true volumes: - ${FIRMWARE}/:/firmware:ro - ${LOG}/:/log diff --git a/emba.sh b/emba.sh index d32b5fa00..65e873123 100755 --- a/emba.sh +++ b/emba.sh @@ -211,6 +211,7 @@ main() export ARCH_CHECK=1 export RTOS=0 # Testing RTOS based OS export CWE_CHECKER=0 + export CONTAINER_EXTRACT=0 export DEEP_EXTRACTOR=0 export FACT_EXTRACTOR=0 export FIRMWARE=0 @@ -282,7 +283,7 @@ main() export EMBA_COMMAND EMBA_COMMAND="$(dirname "$0")""/emba.sh ""$*" - while getopts a:bA:cdDe:Ef:Fghik:l:m:MN:op:QrsStUxX:Y:WzZ: OPT ; do + while getopts a:bA:cC:dDe:Ef:Fghik:l:m:MN:op:QrsStUxX:Y:WzZ: OPT ; do case $OPT in a) export ARCH="$OPTARG" @@ -295,6 +296,12 @@ main() banner_printer exit 0 ;; + C) + # container extract only works outside the docker container + # lets extract it outside and afterwards start the EMBA docker + export CONTAINER_ID="$OPTARG" + export CONTAINER_EXTRACT=1 + ;; c) export CWE_CHECKER=1 ;; 
@@ -408,32 +415,7 @@ main() fi if [[ "$UPDATE" -eq 1 ]]; then - print_output "[*] EMBA update starting ..." "no_log" - - git pull - - EMBA="$INVOCATION_PATH" FIRMWARE="$FIRMWARE_PATH" LOG="$LOG_DIR" docker pull embeddedanalyzer/emba - - if command -v cve_searchsploit > /dev/null ; then - print_output "[*] EMBA update - cve_searchsploit update" "no_log" - cve_searchsploit -u - fi - - print_output "[*] EMBA update - cve-search update" "no_log" - /etc/init.d/redis-server start - "$EXT_DIR"/cve-search/sbin/db_updater.py -v - - print_output "[*] EMBA update - trickest PoC update" "no_log" - if [[ -d "$EXT_DIR"/trickest-cve ]]; then - BASE_PATH=$(pwd) - cd "$EXT_DIR"/trickest-cve || exit - git pull - cd "$BASE_PATH" || exit - else - git clone https://github.com/trickest/cve.git "$EXT_DIR"/trickest-cve - fi - - print_output "[*] Please restart your EMBA scan to apply the updates ..." "no_log" + emba_updater exit 0 fi @@ -505,7 +487,7 @@ main() # Print additional information about the firmware (-Y, -X, -Z, -N) print_firmware_info "$FW_VENDOR" "$FW_VERSION" "$FW_DEVICE" "$FW_NOTES" - if [[ "$KERNEL" -ne 1 ]]; then + if [[ "$KERNEL" -ne 1 && "$CONTAINER_EXTRACT" -ne 1 ]]; then check_init_size fi @@ -533,6 +515,13 @@ main() # need to set it as fallback: export OUTPUT_DIR="$FIRMWARE_PATH" fi + elif [[ "$CONTAINER_EXTRACT" -eq 1 ]]; then + PRE_CHECK=1 + print_output "[*] Firmware analysis of docker image starting." "no_log" + print_output " EMBA starts with the extracting the docker image $ORANGE$CONTAINER_ID$NC." "no_log" + export FIRMWARE_PATH="$LOG_DIR"/firmware/firmware_docker_extracted.tar + export OUTPUT_DIR="$FIRMWARE_PATH" + export FIRMWARE=1 elif [[ -f "$FIRMWARE_PATH" ]]; then PRE_CHECK=1 print_output "[*] Firmware binary detected." "no_log" 
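Review bot: The new `elif [[ "$CONTAINER_EXTRACT" -eq 1 ]]` branch in the third hunk points `FIRMWARE_PATH` at `"$LOG_DIR"/firmware/firmware_docker_extracted.tar` before anything has created that file; the `docker_container_extractor "$CONTAINER_ID"` call is added much later in main (next hunk on the following line), so any `-f "$FIRMWARE_PATH"` test between the two points sees a missing file. I cannot see such a test inside the hunk, so this may be benign, but the dependency deserves a comment, e.g. `# the tar does not exist yet - docker_container_extractor creates it right before the docker section`. `export OUTPUT_DIR="$FIRMWARE_PATH"` also sets the output directory to a tar file path, which mirrors the kernel fallback above it but reads as odd without a note. main's body starts and ends outside these hunks.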
@@ -626,6 +615,13 @@ main()
 matrix_mode &
 fi
 
+ # if $CONTAINER_EXTRACT is set we extract the docker container with id $CONTAINER_ID outside of the
+ # EMBA container into log directory
+ # we do this only outside of the EMBA container - otherwise we will not reach the docker environment
+ if [[ "$CONTAINER_EXTRACT" -eq 1 && "$IN_DOCKER" -eq 0 ]] ; then
+ docker_container_extractor "$CONTAINER_ID"
+ fi
+
 #######################################################################################
 # Docker
 #######################################################################################
@@ -643,7 +639,7 @@ main()
 OPTIND=1
 ARGUMENTS=()
 
- while getopts a:A:cdDe:Ef:Fghik:l:m:MN:op:QrsStUX:Y:WxzZ: OPT ; do
+ while getopts a:A:cC:dDe:Ef:Fghik:l:m:MN:op:QrsStUX:Y:WxzZ: OPT ; do
 case $OPT in
 D|f|i|l)
 ;;
diff --git a/helpers/helpers_emba_helpers.sh b/helpers/helpers_emba_helpers.sh
index 88b20ec1b..4899b0d0c 100755
--- a/helpers/helpers_emba_helpers.sh
+++ b/helpers/helpers_emba_helpers.sh
@@ -118,3 +118,31 @@ cleaner() {
 exit 1
 }
 
+emba_updater() {
+ print_output "[*] EMBA update starting ..." "no_log"
+
+ git pull
+
+ EMBA="$INVOCATION_PATH" FIRMWARE="$FIRMWARE_PATH" LOG="$LOG_DIR" docker pull embeddedanalyzer/emba
+
+ if command -v cve_searchsploit > /dev/null ; then
+ print_output "[*] EMBA update - cve_searchsploit update" "no_log"
+ cve_searchsploit -u
+ fi
+
+ print_output "[*] EMBA update - cve-search update" "no_log"
+ /etc/init.d/redis-server start
+ "$EXT_DIR"/cve-search/sbin/db_updater.py -v
+
+ print_output "[*] EMBA update - trickest PoC update" "no_log"
+ if [[ -d "$EXT_DIR"/trickest-cve ]]; then
+ BASE_PATH=$(pwd)
+ cd "$EXT_DIR"/trickest-cve || exit
+ git pull
+ cd "$BASE_PATH" || exit
+ else
+ git clone https://github.com/trickest/cve.git "$EXT_DIR"/trickest-cve
+ fi
+
+ print_output "[*] Please restart your EMBA scan to apply the updates ..." "no_log"
+}
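Review bot: emba_updater is moved out of main verbatim, so `BASE_PATH=$(pwd)` stays a global assignment inside a helper and `cd "$EXT_DIR"/trickest-cve || exit` exits with whatever status the failed `cd` left, which the caller in main cannot distinguish from the explicit `exit 0` that follows `emba_updater`. Since the code now lives in a function, `local BASE_PATH` and `|| exit 1` are the obvious tidy-ups, and a header comment `# Pulls the EMBA checkout, the docker image, cve-search, cve_searchsploit and the trickest PoC database; exits the process on a failed cd` would tell the next maintainer that this helper does not return on every path.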
diff --git a/helpers/helpers_emba_print.sh b/helpers/helpers_emba_print.sh index d562cf2c1..f816987c4 100755 --- a/helpers/helpers_emba_print.sh +++ b/helpers/helpers_emba_print.sh @@ -452,6 +452,7 @@ print_help() echo -e "$CYAN""-U""$NC"" Check and apply available updates and exit" echo -e "\\nSpecial tests" echo -e "$CYAN""-k [./config]""$NC"" Kernel config path" + echo -e "$CYAN""-C [container id]""$NC"" Extract and analyze a local docker container via container id" echo -e "$CYAN""-x""$NC"" Enable deep extraction - try to extract every file two times with binwalk (WARNING: Uses a lot of disk space)" echo -e "$CYAN""-t""$NC"" Activate multi threading (destroys regular console output)" echo -e "$CYAN""-o""$NC"" Activate online checks (e.g. upload and test with VirusTotal)" diff --git a/installer.sh b/installer.sh index 98d7579b1..f48362eb1 100755 --- a/installer.sh +++ b/installer.sh @@ -183,10 +183,10 @@ if [[ "$CVE_SEARCH" -ne 1 ]] || [[ "$DOCKER_SETUP" -ne 1 ]] || [[ "$IN_DOCKER" - IL10_system_emulator # for the future - IL20_system_emulator + #IL20_system_emulator # deprecated: - IL21_firmae_system_emulator + #IL21_firmae_system_emulator # deprecated: #IL22_firmadyne_system_emulator diff --git a/installer/I01_default_apps.sh b/installer/I01_default_apps.sh index 7b5e58d42..57ef4e754 100644 --- a/installer/I01_default_apps.sh +++ b/installer/I01_default_apps.sh @@ -34,6 +34,7 @@ I01_default_apps(){ print_tool_info "u-boot-tools" 1 print_tool_info "python3-bandit" 1 print_tool_info "iputils-ping" 1 + print_tool_info "strace" 1 if [[ "$LIST_DEP" -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]] ; then ANSWER=("n") diff --git a/installer/IF20_cve_search.sh b/installer/IF20_cve_search.sh index 9db8fcb70..6c2c07e0b 100644 --- a/installer/IF20_cve_search.sh +++ b/installer/IF20_cve_search.sh 
@@ -144,8 +144,7 @@ IF20_cve_search() { esac fi - # only in docker or full installations: - if [[ "$LIST_DEP" -eq 1 ]] || [[ $IN_DOCKER -eq 1 ]] || [[ $DOCKER_SETUP -eq 0 ]] || [[ $FULL -eq 1 ]]; then + if [[ "$LIST_DEP" -eq 1 ]] || [[ $IN_DOCKER -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]] || [[ $FULL -eq 1 ]]; then cd "$HOME_PATH" || exit 1 # see https://www.cisa.gov/known-exploited-vulnerabilities-catalog diff --git a/modules/F20_vul_aggregator.sh b/modules/F20_vul_aggregator.sh index b797ccc0b..0b4390b0a 100755 --- a/modules/F20_vul_aggregator.sh +++ b/modules/F20_vul_aggregator.sh @@ -371,7 +371,7 @@ cve_extractor() { # check if the CVE is known as a knwon exploited vulnerability: if [[ -f "$KNOWN_EXP_CSV" ]]; then if grep -q "${CVE_VALUE}," "$KNOWN_EXP_CSV"; then - print_output "[+] $ORANGEWARNING:$GREEN Vulnerability $ORANGE$CVE_VALUE$GREEN is a known exploited vulnerability." + print_output "[+] ${ORANGE}WARNING:$GREEN Vulnerability $ORANGE$CVE_VALUE$GREEN is a known exploited vulnerability." KNOWN_EXPLOITED=1 fi fi diff --git a/modules/F50_base_aggregator.sh b/modules/F50_base_aggregator.sh index 4265b3a2e..3c11afa4c 100755 --- a/modules/F50_base_aggregator.sh +++ b/modules/F50_base_aggregator.sh @@ -42,7 +42,7 @@ F50_base_aggregator() { S85_LOG="s85_ssh_check.txt" S95_LOG="s95_interesting_binaries_check.txt" S107_LOG="s107_deep_password_search.txt" - S108_LOG="s108_linux_common_file_checker.txt" + S108_LOG="s108_stacs_password_search.txt" S110_LOG="s110_yara_check.txt" S120_LOG="s120_cwe_checker.txt" L10_LOG="l10_system_emulator.txt" 
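Review bot: In the F20_vul_aggregator hunk, `grep -q "${CVE_VALUE}," "$KNOWN_EXP_CSV"` on the context line above the corrected message is unanchored, so a CVE ID is accepted wherever it appears on a row, including the free-text columns of the CISA catalogue, not only in the ID column; `grep -q "^${CVE_VALUE}," "$KNOWN_EXP_CSV"` ties the hit to the first field, which is where the catalogue keys its rows. The colour fix `${ORANGE}WARNING:` is right; the comment above it still reads `knwon exploited`. cve_extractor's body starts and ends outside the hunk.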
@@ -214,7 +214,7 @@ output_details() { output_config_issues() { local DATA=0 - if [[ "${PW_COUNTER-0}" -gt 0 || "${S85_SSH_VUL_CNT-0}" -gt 0 || "${FILE_COUNTER-0}" -gt 0 || "${INT_COUNT-0}" -gt 0 || "${POST_COUNT-0}" -gt 0 || "${MOD_DATA_COUNTER-0}" -gt 0 || "${S40_WEAK_PERM_COUNTER-0}" -gt 0 || "${S55_HISTORY_COUNTER-0}" -gt 0 || "${S50_AUTH_ISSUES-0}" -gt 0 || "${PASS_FILES_FOUND-0}" -gt 0 || "${CERT_CNT-0}" -gt 0 ]]; then + if [[ "${PW_COUNTER-0}" -gt 0 || "${S85_SSH_VUL_CNT-0}" -gt 0 || "${STACS_HASHES-0}" -gt 0 || "${INT_COUNT-0}" -gt 0 || "${POST_COUNT-0}" -gt 0 || "${MOD_DATA_COUNTER-0}" -gt 0 || "${S40_WEAK_PERM_COUNTER-0}" -gt 0 || "${S55_HISTORY_COUNTER-0}" -gt 0 || "${S50_AUTH_ISSUES-0}" -gt 0 || "${PASS_FILES_FOUND-0}" -gt 0 || "${CERT_CNT-0}" -gt 0 ]]; then print_output "[+] Found the following configuration issues:" if [[ "${S40_WEAK_PERM_COUNTER-0}" -gt 0 ]]; then print_output "$(indent "$(green "Found $ORANGE$S40_WEAK_PERM_COUNTER$GREEN areas with weak permissions.")")" @@ -240,10 +240,17 @@ output_config_issues() { echo "ssh_issues;\"$S85_SSH_VUL_CNT\"" >> "$CSV_LOG_FILE" DATA=1 fi - if [[ "${PW_COUNTER-0}" -gt 0 ]]; then - print_output "$(indent "$(green "Found $ORANGE$PW_COUNTER$GREEN password hashes.")")" - write_link "s107" - echo "password_hashes;\"$PW_COUNTER\"" >> "$CSV_LOG_FILE" + if [[ "${PW_COUNTER-0}" -gt 0 || "${STACS_HASHES-0}" -gt 0 ]]; then + if [[ "${PW_COUNTER-0}" -gt 0 ]]; then + print_output "$(indent "$(green "Found $ORANGE$PW_COUNTER$GREEN password related details.")")" + write_link "s107" + echo "password_hashes;\"$PW_COUNTER\"" >> "$CSV_LOG_FILE" + fi + if [[ "${STACS_HASHES-0}" -gt 0 ]]; then + print_output "$(indent "$(green "Found $ORANGE$STACS_HASHES$GREEN password related details via STACS.")")" + write_link "s108" + echo "password_hashes_stacs;\"$STACS_HASHES\"" >> "$CSV_LOG_FILE" + fi DATA=1 fi if [[ "${CERT_CNT-0}" -gt 0 ]]; then 
@@ -260,11 +267,11 @@ output_config_issues() { echo "kernel_modules_lic;\"$KMOD_BAD\"" >> "$CSV_LOG_FILE" DATA=1 fi - if [[ "${FILE_COUNTER-0}" -gt 0 ]]; then - print_output "$(indent "$(green "Found $ORANGE$FILE_COUNTER$GREEN not common Linux files with $ORANGE$FILE_COUNTER_ALL$GREEN files at all.")")" - write_link "s11" - DATA=1 - fi + #if [[ "${FILE_COUNTER-0}" -gt 0 ]]; then + # print_output "$(indent "$(green "Found $ORANGE$FILE_COUNTER$GREEN not common Linux files with $ORANGE$FILE_COUNTER_ALL$GREEN files at all.")")" + # write_link "s11" + # DATA=1 + #fi if [[ "${INT_COUNT-0}" -gt 0 || "${POST_COUNT-0}" -gt 0 ]]; then print_output "$(indent "$(green "Found $ORANGE${INT_COUNT}$GREEN interesting files and $ORANGE${POST_COUNT-0}$GREEN files that could be useful for post-exploitation.")")" write_link "s95" @@ -641,8 +648,7 @@ get_data() { PW_COUNTER=$(grep -a "\[\*\]\ Statistics:" "$LOG_DIR"/"$S107_LOG" | cut -d: -f2 || true) fi if [[ -f "$LOG_DIR"/"$S108_LOG" ]]; then - FILE_COUNTER=$(grep -a "\[\*\]\ Statistics:" "$LOG_DIR"/"$S108_LOG" | cut -d: -f2 || true) - FILE_COUNTER_ALL=$(grep -a "\[\*\]\ Statistics:" "$LOG_DIR"/"$S108_LOG" | cut -d: -f3 || true) + STACS_HASHES=$(grep -a "\[\*\]\ Statistics:" "$LOG_DIR"/"$S108_LOG" | cut -d: -f2 || true) fi if [[ -f "$LOG_DIR"/"$S110_LOG" ]]; then YARA_CNT=$(grep -a "\[\*\]\ Statistics:" "$LOG_DIR"/"$S110_LOG" | cut -d: -f2 || true) diff --git a/modules/P60_firmware_bin_extractor.sh b/modules/P60_firmware_bin_extractor.sh index 33a38fe30..d74bfe2d8 100755 --- a/modules/P60_firmware_bin_extractor.sh +++ b/modules/P60_firmware_bin_extractor.sh 
@@ -280,7 +280,7 @@ binwalking() { print_output "[*] Entropy testing with binwalk ... " # we have to change the working directory for binwalk, because /emba is read-only in the Docker container and binwalk fails to save the entropy picture there if [[ $IN_DOCKER -eq 1 ]] ; then - cd / || return + cd "$LOG_DIR" || return print_output "$(binwalk -E -F -J "$FIRMWARE_PATH_BAK")" mv "$(basename "$FIRMWARE_PATH".png)" "$LOG_DIR"/firmware_entropy.png 2> /dev/null || true cd /emba || return @@ -316,8 +316,9 @@ extract_binwalk_helper() { else if [[ "$IN_DOCKER" -eq 1 ]]; then binwalk -e -M -C "$OUTPUT_DIR_binwalk" "$FIRMWARE_PATH" >> "$TMP_DIR"/binwalker.txt + else + binwalk --run-as=root --preserve-symlinks -e -M -C "$OUTPUT_DIR_binwalk" "$FIRMWARE_PATH" >> "$TMP_DIR"/binwalker.txt fi - binwalk --run-as=root --preserve-symlinks -e -M -C "$OUTPUT_DIR_binwalk" "$FIRMWARE_PATH" >> "$TMP_DIR"/binwalker.txt fi } @@ -342,8 +343,9 @@ binwalk_deep_extract_helper() { else if [[ "$IN_DOCKER" -eq 1 ]]; then binwalk -e -M -C "$FIRMWARE_PATH_CP" "$FILE_TMP" | tee -a "$LOG_FILE" || true + else + binwalk --run-as=root --preserve-symlinks -e -M -C "$FIRMWARE_PATH_CP" "$FILE_TMP" | tee -a "$LOG_FILE" || true fi - binwalk --run-as=root --preserve-symlinks -e -M -C "$FIRMWARE_PATH_CP" "$FILE_TMP" | tee -a "$LOG_FILE" || true fi } diff --git a/modules/S115_usermode_emulator.sh b/modules/S115_usermode_emulator.sh index 07aafcf34..838de7b00 100755 --- a/modules/S115_usermode_emulator.sh +++ b/modules/S115_usermode_emulator.sh 
@@ -362,17 +362,19 @@ prepare_emulator() { print_output "" print_output "[*] Currently mounted areas:" - print_output "$(indent "$(mount | grep "$R_PATH" 2> /dev/null )")""\\n" + print_output "$(indent "$(mount | grep "$R_PATH" 2> /dev/null || true)")""\\n" + # temp code - currently core dumps are disabled via docker-compose file # we disable core dumps in our docker environment. If running on the host without docker # the user is responsible for useful settings - if [[ $IN_DOCKER -eq 1 ]] ; then - print_output "" - print_output "[*] We disable core dumps to prevent wasting our disk space." - ulimit -c 0 - sysctl -w kernel.core_pattern=/dev/null - ulimit -a - fi + #if [[ $IN_DOCKER -eq 1 ]] ; then + # print_output "" + # print_output "[*] We disable core dumps to prevent wasting our disk space." + # ulimit -c 0 + # # this does not work inside of docker without "privileged: true": + # sysctl -w kernel.core_pattern=/dev/null + # ulimit -a + #fi print_output "[*] Final fixes of the root filesytem in a chroot environment" cp ./helpers/fixImage_user_mode_emulation.sh "$R_PATH"/ diff --git a/modules/S30_version_vulnerability_check.sh b/modules/S30_version_vulnerability_check.sh index 198fe13af..ebe0fbe53 100755 --- a/modules/S30_version_vulnerability_check.sh +++ b/modules/S30_version_vulnerability_check.sh @@ -36,9 +36,6 @@ S30_version_vulnerability_check() { VUL_FEED_CVSS_DB="$EXT_DIR""/allitemscvss.csv" - print_output "[*] Vulnerability database found!" - print_output "" - for LINE in "${BINARIES[@]}"; do if (file "$LINE" | grep -q "ELF"); then diff --git a/scan-profiles/default-scan.emba b/scan-profiles/default-scan.emba index 8a19880a5..76e2b1f20 100644 --- a/scan-profiles/default-scan.emba +++ b/scan-profiles/default-scan.emba 
@@ -1,17 +1,17 @@ -# emba - EMBEDDED LINUX ANALYZER +# EMBA - EMBEDDED LINUX ANALYZER # # Copyright 2020-2021 Siemens Energy AG # Copyright 2020-2021 Siemens AG # -# emba comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. # See LICENSE file for usage of this software. # -# emba is licensed under GPLv3 +# EMBA is licensed under GPLv3 # # Author(s): Michael Messner, Pascal Eckmann # -# Description: This is a default emba profile. You can Use it as a template for your own profiles +# Description: This is a default EMBA profile. You can Use it as a template for your own profiles # or start emba with "-p default-scan.emba" to use it export FORMAT_LOG=1 @@ -31,6 +31,6 @@ if [[ $IN_DOCKER -ne 1 ]] ; then else print_output "$(indent "$(orange "Enables automated qemu emulation tests")")" "no_log" fi - print_output "$(indent "$(orange "Runs emba in docker container")")" "no_log" + print_output "$(indent "$(orange "Runs EMBA in docker container")")" "no_log" export USE_DOCKER=1 fi diff --git a/scan-profiles/full-scan.emba b/scan-profiles/full-scan.emba index c8c9a86ff..cecb28de1 100644 --- a/scan-profiles/full-scan.emba +++ b/scan-profiles/full-scan.emba 
@@ -1,18 +1,18 @@ -# emba - EMBEDDED LINUX ANALYZER +# EMBA - EMBEDDED LINUX ANALYZER # -# Copyright 2020-2021 Siemens Energy AG -# Copyright 2020-2021 Siemens AG +# Copyright 2020-2022 Siemens Energy AG +# Copyright 2020-2022 Siemens AG # -# emba comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. # See LICENSE file for usage of this software. # -# emba is licensed under GPLv3 +# EMBA is licensed under GPLv3 # # Author(s): Michael Messner, Pascal Eckmann # -# Description: This is a default emba profile. You can Use it as a template for your own profiles -# or start emba with "-p full-scan.emba" to use it +# Description: This is a default EMBA profile. You can Use it as a template for your own profiles +# or start EMBA with "-p full-scan.emba" to use it export FORMAT_LOG=1 export THREADED=1 @@ -28,7 +28,7 @@ if [[ $IN_DOCKER -ne 1 ]] ; then print_output "$(indent "$(orange "Activates web report creation in log path")")" "no_log" print_output "$(indent "$(orange "Enable cwe-checker")")" "no_log" print_output "$(indent "$(orange "Enables automated qemu emulation tests (WARNING this module could harm your host!)")")" "no_log" - print_output "$(indent "$(orange "Runs emba in docker container")")" "no_log" + print_output "$(indent "$(orange "Runs EMBA in docker container")")" "no_log" export USE_DOCKER=1 fi From b6648ad35a8c5933b6123e0810e3f87ac3b46ef9 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Wed, 20 Apr 2022 22:34:40 +0200 Subject: [PATCH 12/42] android ota extractor --- modules/P02_firmware_bin_file_check.sh | 47 ++++++++++++++++++++ modules/P25_android_ota.sh | 59 ++++++++++++++++++++++++++ 2 files changed, 106 insertions(+) create mode 100755 modules/P25_android_ota.sh 
diff --git a/modules/P02_firmware_bin_file_check.sh b/modules/P02_firmware_bin_file_check.sh index 12be574b4..d89c9ec25 100755 --- a/modules/P02_firmware_bin_file_check.sh +++ b/modules/P02_firmware_bin_file_check.sh @@ -36,6 +36,7 @@ P02_firmware_bin_file_check() { export QNAP_ENC_DETECTED=0 export BSD_UFS=0 export FACT_INIT=0 + export ANDROID_OTA=0 if [[ -f "$FIRMWARE_PATH" ]]; then SHA512_CHECKSUM=$(sha512sum "$FIRMWARE_PATH" | awk '{print $1}') @@ -93,6 +94,7 @@ fw_bin_detector() { export ENGENIUS_ENC_DETECTED=0 export GPG_COMPRESS=0 export BSD_UFS=0 + export ANDROID_OTA=0 FILE_BIN_OUT=$(file "$CHECK_FILE") DLINK_ENC_CHECK=$(hexdump -C "$CHECK_FILE" | head -1 || true) 
@@ -165,4 +167,49 @@ fw_bin_detector() { export GPG_COMPRESS=1 fi fi + if [[ "$DLINK_ENC_CHECK" == *"CrAU"* ]]; then + print_output "[*] Identified Android OTA payload.bin update file - using Android extraction module" + export ANDROID_OTA=1 + fi + if [[ "$DLINK_ENC_CHECK" =~ 00000000\ \ 00\ 00\ 00\ 00\ 00\ 00\ 0.\ ..\ \ 00\ 00\ 0.\ ..\ 31\ 32\ 33\ 00 ]]; then + print_output "[*] Identified Engenius encrpyted firmware - using Engenius extraction module" + export ENGENIUS_ENC_DETECTED=1 + fi + if [[ "$DLINK_ENC_CHECK" =~ 00000000\ \ 00\ 00\ 00\ 00\ 00\ 00\ 01\ 01\ \ 00\ 00\ 0.\ ..\ 33\ 2e\ 3[89]\ 2e ]]; then + print_output "[*] Identified Engenius encrpyted firmware - using Engenius extraction module" + export ENGENIUS_ENC_DETECTED=1 + fi + if [[ "$DLINK_ENC_CHECK" == *"encrpted_img"* ]]; then + print_output "[*] Identified D-Link encrpted_img encrpyted firmware - using D-Link extraction module" + export DLINK_ENC_DETECTED=2 + fi + if [[ "$AVM_CHECK" -gt 0 ]] || [[ "$FW_VENDOR" == *"AVM"* ]]; then + print_output "[*] Identified AVM firmware - using AVM extraction module" + export AVM_DETECTED=1 + fi + if [[ "$FILE_BIN_OUT" == *"u-boot legacy uImage"* ]]; then + print_output "[*] Identified u-boot firmware - using u-boot module" + export UBOOT_IMAGE=1 + fi + if [[ "$FILE_BIN_OUT" == *"Unix Fast File system [v2]"* ]]; then + print_output "[*] Identified UFS filesytem - using UFS filesytem extraction module" + export BSD_UFS=1 + fi + if [[ "$FILE_BIN_OUT" == *"Linux rev 1.0 ext2 filesystem data"* ]]; then + print_output "[*] Identified Linux ext2 filesytem - using EXT filesytem extraction module" + export EXT_IMAGE=1 + fi + if [[ "$FILE_BIN_OUT" == *"Linux rev 1.0 ext3 filesystem data"* ]]; then + print_output "[*] Identified Linux ext3 filesytem - using EXT filesytem extraction module" + export EXT_IMAGE=1 + fi + if [[ "$FILE_BIN_OUT" == *"Linux rev 1.0 ext4 filesystem data"* ]]; then + print_output "[*] Identified Linux ext4 filesytem - using EXT filesytem extraction 
module" + export EXT_IMAGE=1 + fi + if [[ "$QNAP_ENC_CHECK" == *"QNAP encrypted firmware footer , model"* ]]; then + print_output "[*] Identified QNAP encrpyted firmware - using QNAP extraction module" + export QNAP_ENC_DETECTED=1 + fi + # probably we need to take a deeper look to identify the gpg compressed firmware files better. } diff --git a/modules/P25_android_ota.sh b/modules/P25_android_ota.sh new file mode 100755 index 000000000..92b3e05f3 --- /dev/null +++ b/modules/P25_android_ota.sh 
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+# EMBA - EMBEDDED LINUX ANALYZER
+#
+# Copyright 2020-2022 Siemens Energy AG
+# Copyright 2020-2022 Siemens AG
+#
+# EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+# EMBA is licensed under GPLv3
+#
+# Author(s): Michael Messner, Pascal Eckmann
+
+# Description: Extracts Android OTA update files - see https://github.com/e-m-b-a/emba/issues/233
+# Pre-checker threading mode - if set to 1, these modules will run in threaded mode
+export PRE_THREAD_ENA=0
+
+P25_android_ota() {
+ module_log_init "${FUNCNAME[0]}"
+ NEG_LOG=0
+ if [[ "$ANDROID_OTA" -eq 1 ]]; then
+ module_title "Android OTA payload.bin extractor"
+ pre_module_reporter "${FUNCNAME[0]}"
+
+ EXTRACTION_DIR="$LOG_DIR"/firmware/android_ota/
+
+ android_ota_extractor "$FIRMWARE_PATH" "$EXTRACTION_DIR"
+
+ if [[ "$FILES_OTA" -gt 0 ]]; then
+ export FIRMWARE_PATH="$LOG_DIR"/firmware/
+ fi
+ NEG_LOG=1
+ fi
+ module_end_log "${FUNCNAME[0]}" "$NEG_LOG"
+}
+
+android_ota_extractor() {
+ local OTA_INIT_PATH_="$1"
+ local EXTRACTION_DIR_="$2"
+ local DIRS_OTA=0
+ FILES_OTA=0
+ sub_module_title "Android OTA extractor"
+
+ hexdump -C "$OTA_INIT_PATH_" | head | tee -a "$LOG_FILE" || true
+
+ if [[ -d "$EXT_DIR"/payload_dumper ]]; then
+ print_output ""
+ print_output "[*] Extracting Android OTA payload.bin file ..."
+ print_output ""
+ python3 "$EXT_DIR"/payload_dumper/payload_dumper.py --out "$EXTRACTION_DIR_" "$OTA_INIT_PATH_" | tee -a "$LOG_FILE"
+ FILES_OTA=$(find "$EXTRACTION_DIR_" -type f | wc -l)
+ DIRS_OTA=$(find "$EXTRACTION_DIR_" -type d | wc -l)
+ print_output "[*] Extracted $ORANGE$FILES_OTA$NC files and $ORANGE$DIRS_OTA$NC directories from the firmware image."
+ else
+ print_output "[-] Android OTA payload.bin extractor not found - check your installation"
+ fi
+}
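Review bot: The extractor's result is never checked: `python3 "$EXT_DIR"/payload_dumper/payload_dumper.py ... | tee -a "$LOG_FILE"` yields tee's status, so a parser failure on a malformed payload.bin is silent and the module still counts whatever partial output exists and switches `FIRMWARE_PATH` to it. Test the first pipeline element directly after the pipeline, `if [[ "${PIPESTATUS[0]}" -ne 0 ]]; then print_output "[-] payload_dumper failed - extraction incomplete"; fi`; if the scripts run with `pipefail` (not visible here), append `|| print_output "[-] payload_dumper failed"` to the pipeline line instead, in the way the `hexdump` line above already guards itself with `|| true`. `FILES_OTA` is intentionally not `local` because `P25_android_ota` reads it after the call, which deserves a comment such as `# FILES_OTA: global on purpose - consumed by P25_android_ota`. `NEG_LOG=1` is also set when the extractor is not installed, so that case is reported like a successful run; whether that matters depends on module_end_log, which is outside this file.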
From fa967209a1853adb665af7e7395fc321578db5a8 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Wed, 20 Apr 2022 22:36:23 +0200 Subject: [PATCH 13/42] argl --- modules/P02_firmware_bin_file_check.sh | 41 -------------------------- 1 file changed, 41 deletions(-) diff --git a/modules/P02_firmware_bin_file_check.sh b/modules/P02_firmware_bin_file_check.sh index d89c9ec25..696bcd793 100755 --- a/modules/P02_firmware_bin_file_check.sh +++ b/modules/P02_firmware_bin_file_check.sh 
@@ -171,45 +171,4 @@ fw_bin_detector() { print_output "[*] Identified Android OTA payload.bin update file - using Android extraction module" export ANDROID_OTA=1 fi - if [[ "$DLINK_ENC_CHECK" =~ 00000000\ \ 00\ 00\ 00\ 00\ 00\ 00\ 0.\ ..\ \ 00\ 00\ 0.\ ..\ 31\ 32\ 33\ 00 ]]; then - print_output "[*] Identified Engenius encrpyted firmware - using Engenius extraction module" - export ENGENIUS_ENC_DETECTED=1 - fi - if [[ "$DLINK_ENC_CHECK" =~ 00000000\ \ 00\ 00\ 00\ 00\ 00\ 00\ 01\ 01\ \ 00\ 00\ 0.\ ..\ 33\ 2e\ 3[89]\ 2e ]]; then - print_output "[*] Identified Engenius encrpyted firmware - using Engenius extraction module" - export ENGENIUS_ENC_DETECTED=1 - fi - if [[ "$DLINK_ENC_CHECK" == *"encrpted_img"* ]]; then - print_output "[*] Identified D-Link encrpted_img encrpyted firmware - using D-Link extraction module" - export DLINK_ENC_DETECTED=2 - fi - if [[ "$AVM_CHECK" -gt 0 ]] || [[ "$FW_VENDOR" == *"AVM"* ]]; then - print_output "[*] Identified AVM firmware - using AVM extraction module" - export AVM_DETECTED=1 - fi - if [[ "$FILE_BIN_OUT" == *"u-boot legacy uImage"* ]]; then - print_output "[*] Identified u-boot firmware - using u-boot module" - export UBOOT_IMAGE=1 - fi - if [[ "$FILE_BIN_OUT" == *"Unix Fast File system [v2]"* ]]; then - print_output "[*] Identified UFS filesytem - using UFS filesytem extraction module" - export BSD_UFS=1 - fi - if [[ "$FILE_BIN_OUT" == *"Linux rev 1.0 ext2 filesystem data"* ]]; then - print_output "[*] Identified Linux ext2 filesytem - using EXT filesytem extraction module" - export EXT_IMAGE=1 - fi - if [[ "$FILE_BIN_OUT" == *"Linux rev 1.0 ext3 filesystem data"* ]]; then - print_output "[*] Identified Linux ext3 filesytem - using EXT filesytem extraction module" - export EXT_IMAGE=1 - fi - if [[ "$FILE_BIN_OUT" == *"Linux rev 1.0 ext4 filesystem data"* ]]; then - print_output "[*] Identified Linux ext4 filesytem - using EXT filesytem extraction module" - export EXT_IMAGE=1 - fi - if [[ "$QNAP_ENC_CHECK" == *"QNAP encrypted 
firmware footer , model"* ]]; then - print_output "[*] Identified QNAP encrpyted firmware - using QNAP extraction module" - export QNAP_ENC_DETECTED=1 - fi - # probably we need to take a deeper look to identify the gpg compressed firmware files better. } From a669006e54dba1e45e8957a81645d3a494e3bd90 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Thu, 21 Apr 2022 15:08:42 +0200 Subject: [PATCH 14/42] android extractor cleanup --- docker-compose.yml | 3 +- helpers/helpers_emba_dependency_check.sh | 8 ++-- helpers/helpers_emba_prepare.sh | 8 +++- installer.sh | 8 ++-- installer/I01_default_apps.sh | 1 - installer/IL20_system_emulator.sh | 11 +++-- installer/IL21_firmae_system_emulator.sh | 4 +- installer/IL22_firmadyne_system_emulator.sh | 4 +- installer/IP00_extractors.sh | 53 +++++++++++++++++++++ modules/F20_vul_aggregator.sh | 12 +++++ modules/F50_base_aggregator.sh | 9 +++- modules/P14_ext2_mounter.sh | 2 +- 12 files changed, 101 insertions(+), 22 deletions(-) create mode 100644 installer/IP00_extractors.sh diff --git a/docker-compose.yml b/docker-compose.yml index c07bd70a6..c0a3f5af9 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -2,7 +2,8 @@ version: "3" services: emba: image: embeddedanalyzer/emba:latest - read_only: true + read_only: false + privileged: true tmpfs: - /tmp - /root diff --git a/helpers/helpers_emba_dependency_check.sh b/helpers/helpers_emba_dependency_check.sh index b54278fcc..fa2ebd218 100755 --- a/helpers/helpers_emba_dependency_check.sh +++ b/helpers/helpers_emba_dependency_check.sh 
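Review bot: `privileged: true` together with `read_only: false` hands the analysis container every capability, all host devices and a writable root filesystem, and this is the container that runs binwalk, the third-party payload_dumper and `mount` on attacker-supplied firmware images, so an extractor bug now reaches the host instead of staying inside the sandbox. If the driver is the loop mount in P14 and the sysctl that the S115 comment says needs privileged mode, a narrower grant such as `cap_add: [SYS_ADMIN]` plus an explicit `devices:` entry for the loop devices keeps the rest of the isolation, and the paths the modules write can stay tmpfs or volume entries while `read_only: true` is kept. Whatever is kept, record the reason next to the line, e.g. `# privileged: needed for loop-mounting extracted filesystem images (P14) - see issue tracker before widening`.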
@@ -323,10 +323,10 @@ dependency_check() # firmadyne / FirmAE if [[ $FULL_EMULATION -eq 1 ]]; then # check only some of the needed files - check_dep_file "console.mipsel" "$EXT_DIR""/firmadyne/binaries/console.mipsel" - check_dep_file "vmlinux.mipseb" "$EXT_DIR""/firmadyne/binaries/vmlinux.mipseb" - check_dep_file "fixImage.sh" "$EXT_DIR""/firmadyne/scripts/fixImage_firmadyne.sh" - check_dep_file "preInit.sh" "$EXT_DIR""/firmadyne/scripts/preInit_firmadyne.sh" + check_dep_file "console.mipsel" "$EXT_DIR""/firmae/binaries/console.mipsel" + check_dep_file "vmlinux.mipseb" "$EXT_DIR""/firmae/binaries/vmlinux.mipseb.4" + check_dep_file "fixImage.sh" "$EXT_DIR""/firmae/scripts/fixImage.sh" + check_dep_file "preInit.sh" "$EXT_DIR""/firmae/scripts/preInit.sh" check_dep_tool "Qemu system emulator ARM" "qemu-system-arm" check_dep_tool "Qemu system emulator MIPS" "qemu-system-mips" check_dep_tool "Qemu system emulator MIPSel" "qemu-system-mipsel" diff --git a/helpers/helpers_emba_prepare.sh b/helpers/helpers_emba_prepare.sh index 1afe379dc..4867e01ea 100755 --- a/helpers/helpers_emba_prepare.sh +++ b/helpers/helpers_emba_prepare.sh @@ -329,7 +329,9 @@ detect_root_dir_helper() { if [[ -d "$R_PATH" ]]; then ROOT_PATH+=( "$R_PATH" ) if ! echo "$MECHANISM" | grep -q "file names"; then - MECHANISM="$MECHANISM / file names" + MECHANISM="$MECHANISM / dir names" + elif ! echo "$MECHANISM" | grep -q "binary interpreter"; then + MECHANISM="dir names" fi fi done @@ -339,6 +341,8 @@ detect_root_dir_helper() { ROOT_PATH+=( "$R_PATH" ) if ! echo "$MECHANISM" | grep -q "file names"; then MECHANISM="$MECHANISM / file names" + elif ! echo "$MECHANISM" | grep -q "binary interpreter"; then + MECHANISM="file names" fi fi done @@ -348,6 +352,8 @@ detect_root_dir_helper() { ROOT_PATH+=( "$R_PATH" ) if ! echo "$MECHANISM" | grep -q "file names"; then MECHANISM="$MECHANISM / file names" + elif ! echo "$MECHANISM" | grep -q "binary interpreter"; then + MECHANISM="file names" fi fi done 
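Review bot: The guard in the first helpers_emba_prepare.sh hunk tests the wrong string: `if ! echo "$MECHANISM" | grep -q "file names"` decides whether to append ` / dir names`, so inside the enclosing loop every further matching directory appends ` / dir names` again, and a MECHANISM that already contains `file names` never receives the directory evidence. The new `elif` branches in all three hunks then overwrite MECHANISM (`MECHANISM="dir names"` / `MECHANISM="file names"`) whenever it lacks `binary interpreter`, discarding whatever was accumulated before; if the intent is only to avoid a leading ` / ` on an empty MECHANISM, `[[ -z "$MECHANISM" ]]` expresses that without the data loss. For the first hunk, `if ! echo "$MECHANISM" | grep -q "dir names"; then MECHANISM="${MECHANISM:+$MECHANISM / }dir names"; fi` covers both cases, and the same shape applies to the two `file names` hunks. detect_root_dir_helper starts and ends outside these hunks.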
diff --git a/installer.sh b/installer.sh index f48362eb1..4ab98dce6 100755 --- a/installer.sh +++ b/installer.sh @@ -157,6 +157,8 @@ if [[ "$CVE_SEARCH" -ne 1 ]] || [[ "$DOCKER_SETUP" -ne 1 ]] || [[ "$IN_DOCKER" - I05_emba_docker_image_dl + IP00_extractors + IP12_avm_freetz_ng_extract IP18_qnap_decryptor @@ -180,13 +182,13 @@ if [[ "$CVE_SEARCH" -ne 1 ]] || [[ "$DOCKER_SETUP" -ne 1 ]] || [[ "$IN_DOCKER" - I120_cwe_checker # deprecated: - IL10_system_emulator + #IL10_system_emulator # for the future - #IL20_system_emulator + IL20_system_emulator # deprecated: - #IL21_firmae_system_emulator + IL21_firmae_system_emulator # deprecated: #IL22_firmadyne_system_emulator diff --git a/installer/I01_default_apps.sh b/installer/I01_default_apps.sh index 57ef4e754..7b5e58d42 100644 --- a/installer/I01_default_apps.sh +++ b/installer/I01_default_apps.sh @@ -34,7 +34,6 @@ I01_default_apps(){ print_tool_info "u-boot-tools" 1 print_tool_info "python3-bandit" 1 print_tool_info "iputils-ping" 1 - print_tool_info "strace" 1 if [[ "$LIST_DEP" -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]] ; then ANSWER=("n") diff --git a/installer/IL20_system_emulator.sh b/installer/IL20_system_emulator.sh index 5597e82a0..a329f382c 100644 --- a/installer/IL20_system_emulator.sh +++ b/installer/IL20_system_emulator.sh @@ -2,8 +2,8 @@ # EMBA - EMBEDDED LINUX ANALYZER # -# Copyright 2020-2022 Siemens AG # Copyright 2020-2022 Siemens Energy AG +# Copyright 2020-2022 Siemens AG # # EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. 
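Review bot: The comments in the second installer.sh hunk no longer describe the calls under them: `# for the future` now sits above the re-enabled `IL20_system_emulator` and `# deprecated:` above the re-enabled `IL21_firmae_system_emulator`, so a reader is told the opposite of the current state. Update or drop them; the intended status of IL20 versus IL21 is not visible here, so the author should state it, e.g. `# system emulation installers (IL20 current, IL21 kept for compatibility):`. The new `IP00_extractors` call in the first hunk is fine.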
@@ -37,8 +37,9 @@ IL20_system_emulator() { print_tool_info "qemu-system-x86" 1 print_tool_info "qemu-utils" 1 - #print_file_info "vmlinux.mipsel.2" "FirmAE - Linux kernel 2.6 - MIPSel" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipsel.2" "external/firmae/binaries/vmlinux.mipsel.2" - #print_file_info "vmlinux.mipseb.2" "FirmAE - Linux kernel 2.6 - MIPSeb" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipseb.2" "external/firmae/binaries/vmlinux.mipseb.2" + # future use: + print_file_info "vmlinux.mipsel.2" "FirmAE - Linux kernel 2.6 - MIPSel" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipsel.2" "external/firmae/binaries/vmlinux.mipsel.2" + print_file_info "vmlinux.mipseb.2" "FirmAE - Linux kernel 2.6 - MIPSeb" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipseb.2" "external/firmae/binaries/vmlinux.mipseb.2" print_file_info "vmlinux.mipsel.4" "FirmAE - Linux kernel 4.1 - MIPSel" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.mipsel.4" "external/firmae/binaries/vmlinux.mipsel.4" print_file_info "vmlinux.mipseb.4" "FirmAE - Linux kernel 4.1 - MIPSeb" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.mipseb.4" "external/firmae/binaries/vmlinux.mipseb.4" 
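Review bot: The added `# future use:` comment contradicts the lines it introduces: the two `print_file_info` calls for the 2.6 kernels are now active, and the matching `download_file` calls in the next hunk are enabled as well, so these files are present dependencies of the installer, not future ones. Replace it with what the files are, e.g. `# FirmAE prebuilt kernels (2.6 and 4.1) for MIPSel/MIPSeb`, or drop it. IL20_system_emulator continues outside the hunk.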
@@ -81,8 +82,8 @@ IL20_system_emulator() { apt-get install "${INSTALL_APP_LIST[@]}" -y - #download_file "vmlinux.mipsel.2" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipsel.2" "external/firmae/binaries/vmlinux.mipsel.2" - #download_file "vmlinux.mipseb.2" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipseb.2" "external/firmae/binaries/vmlinux.mipseb.2" + download_file "vmlinux.mipsel.2" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipsel.2" "external/firmae/binaries/vmlinux.mipsel.2" + download_file "vmlinux.mipseb.2" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipseb.2" "external/firmae/binaries/vmlinux.mipseb.2" download_file "vmlinux.mipsel.4" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.mipsel.4" "external/firmae/binaries/vmlinux.mipsel.4" download_file "vmlinux.mipseb.4" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.mipseb.4" "external/firmae/binaries/vmlinux.mipseb.4" diff --git a/installer/IL21_firmae_system_emulator.sh b/installer/IL21_firmae_system_emulator.sh index 12f4d4790..e28b357e8 100644 --- a/installer/IL21_firmae_system_emulator.sh +++ b/installer/IL21_firmae_system_emulator.sh @@ -2,8 +2,8 @@ # EMBA - EMBEDDED LINUX ANALYZER # -# Copyright 2020-2022 Siemens AG # Copyright 2020-2022 Siemens Energy AG +# Copyright 2020-2022 Siemens AG # # EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -13,7 +13,7 @@ # # Author(s): Michael Messner, Pascal Eckmann -# Description: Installs FirmAE / full system emulation +# Description: Installs FirmAE full system emulation # This is a temporary module which will be removed in the future without any further note! IL21_firmae_system_emulator() { 
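Review bot: The re-enabled `download_file` calls fetch prebuilt kernel images from a third-party release page, presumably to be booted under qemu for full-system emulation, and nothing in the hunk verifies what was downloaded. Unless download_file itself checks a digest (not visible here), a pinned SHA-256 per file, recorded next to the URL and compared after the download, is the minimum for executable artefacts; the two 4.1 kernels on the context lines need the same. A comment such as `# FirmAE kernels, release v1.0 - expected checksums: <PINNED_SHA256_LIST>` would make the expectation explicit even before the check is implemented.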
diff --git a/installer/IL22_firmadyne_system_emulator.sh b/installer/IL22_firmadyne_system_emulator.sh index 1b9287ef7..4ba32b136 100644 --- a/installer/IL22_firmadyne_system_emulator.sh +++ b/installer/IL22_firmadyne_system_emulator.sh @@ -2,8 +2,8 @@ # EMBA - EMBEDDED LINUX ANALYZER # -# Copyright 2020-2022 Siemens AG # Copyright 2020-2022 Siemens Energy AG +# Copyright 2020-2022 Siemens AG # # EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -13,7 +13,7 @@ # # Author(s): Michael Messner, Pascal Eckmann -# Description: Installs firmadyne / full system emulation +# Description: Installs firmadyne full system emulation # This is a temporary module which will be removed in the future without any further note! IL22_firmadyne_system_emulator() { diff --git a/installer/IP00_extractors.sh b/installer/IP00_extractors.sh new file mode 100644 index 000000000..66c052bdc --- /dev/null +++ b/installer/IP00_extractors.sh 
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# EMBA - EMBEDDED LINUX ANALYZER
+#
+# Copyright 2020-2022 Siemens Energy AG
+# Copyright 2020-2022 Siemens AG
+#
+# EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+# EMBA is licensed under GPLv3
+#
+# Author(s): Michael Messner, Pascal Eckmann
+
+# Description: Installs basic extractor tools
+
+IP00_extractors(){
+ module_title "${FUNCNAME[0]}"
+
+ if [[ "$LIST_DEP" -eq 1 ]] || [[ $IN_DOCKER -eq 1 ]] || [[ $DOCKER_SETUP -eq 0 ]] || [[ $FULL -eq 1 ]] ; then
+
+ print_tool_info "python3-pip" 1
+ print_pip_info "protobuf"
+ print_pip_info "bsdiff4"
+ print_git_info "payload_dumper" "vm03/payload_dumper" "Android OTA payload.bin extractor"
+
+ if [[ "$LIST_DEP" -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]] ; then
+ ANSWER=("n")
+ else
+ echo -e "\\n""$MAGENTA""$BOLD""These applications will be installed/updated!""$NC"
+ ANSWER=("y")
+ fi
+
+ case ${ANSWER:0:1} in
+ y|Y )
+ echo
+
+ apt-get install "${INSTALL_APP_LIST[@]}" -y
+ pip3 install protobuf
+ pip3 install bsdiff4
+
+ if ! [[ -d external/payload_dumper ]]; then
+ git clone https://github.com/vm03/payload_dumper.git external/payload_dumper
+ else
+ cd external/payload_dumper || exit 1
+ git pull
+ cd "$HOME_PATH" || exit 1
+ fi
+ ;;
+ esac
+ fi
+}
diff --git a/modules/F20_vul_aggregator.sh b/modules/F20_vul_aggregator.sh
index 0b4390b0a..21d1982ee 100755
--- a/modules/F20_vul_aggregator.sh
+++ b/modules/F20_vul_aggregator.sh
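Review bot: The entry condition uses `[[ $DOCKER_SETUP -eq 0 ]]`, the same form that the IF20 hunk at the top of this page corrects to `-eq 1`; if that correction is right, the condition here is inverted as well, IP00 is skipped for `DOCKER_SETUP=1`, and P25 would then report the extractor as not found inside the container. The install is also unpinned: `pip3 install protobuf` / `pip3 install bsdiff4` take whatever PyPI serves on the day, and `git clone https://github.com/vm03/payload_dumper.git` followed by `git pull` on re-runs tracks upstream HEAD, so the code that later parses untrusted payload.bin files changes without review; pin the pip versions and check out a recorded revision after the clone, `git -C external/payload_dumper checkout <PINNED_COMMIT>`. The relative `cd external/payload_dumper` assumes the working directory is `$HOME_PATH`, which the IF20 hunk makes explicit with `cd "$HOME_PATH" || exit 1` before its download; the same line belongs at the start of this branch.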
@@ -272,9 +272,20 @@ generate_special_log() { fi done + mapfile -t KNOWN_EXPLOITED_VULNS < <(grep -E "known exploited" "$LOG_PATH_MODULE"/exploit/known_exploited_vulns.log || true) + if [[ -v KNOWN_EXPLOITED_VULNS[@] ]]; then + print_output "" + print_output "[*] Vulnerability summary on known exploited vulnerabilities stored in $LOG_PATH_MODULE/exploit/known_exploited_vulns.log.\\n" + for KNOWN_EXPLOITED_VULN in "${KNOWN_EXPLOITED_VULNS[@]}"; do + print_output "$KNOWN_EXPLOITED_VULN" + done + print_output "" + fi + echo "$EXPLOIT_HIGH" > "$TMP_DIR"/EXPLOIT_HIGH_COUNTER.tmp echo "$EXPLOIT_MEDIUM" > "$TMP_DIR"/EXPLOIT_MEDIUM_COUNTER.tmp echo "$EXPLOIT_LOW" > "$TMP_DIR"/EXPLOIT_LOW_COUNTER.tmp + echo "${#KNOWN_EXPLOITED_VULNS[@]}" > "$TMP_DIR"/KNOWN_EXPLOITED_COUNTER.tmp fi } @@ -372,6 +383,7 @@ cve_extractor() { if [[ -f "$KNOWN_EXP_CSV" ]]; then if grep -q "${CVE_VALUE}," "$KNOWN_EXP_CSV"; then print_output "[+] ${ORANGE}WARNING:$GREEN Vulnerability $ORANGE$CVE_VALUE$GREEN is a known exploited vulnerability." + echo -e "[+] ${ORANGE}WARNING:$GREEN Vulnerability $ORANGE$CVE_VALUE$GREEN is a known exploited vulnerability." >> "$LOG_PATH_MODULE"/exploit/known_exploited_vulns.log KNOWN_EXPLOITED=1 fi fi diff --git a/modules/F50_base_aggregator.sh b/modules/F50_base_aggregator.sh index 3c11afa4c..f2d5735a7 100755 --- a/modules/F50_base_aggregator.sh +++ b/modules/F50_base_aggregator.sh 
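Review bot: The value written to `KNOWN_EXPLOITED_COUNTER.tmp` is the number of matching lines in `known_exploited_vulns.log`, and the second hunk appends one line per hit in cve_extractor, so a CVE found in several components is listed and counted several times; if the summary is meant to count distinct vulnerabilities, deduplicate on read: `mapfile -t KNOWN_EXPLOITED_VULNS < <(grep -E "known exploited" "$LOG_PATH_MODULE"/exploit/known_exploited_vulns.log 2>/dev/null | sort -u || true)`. The appended line is produced with `echo -e` and carries the colour escapes, which makes the log awkward to grep for plain CVE ids later; writing the bare `$CVE_VALUE` (or a CSV row) and re-colouring in the summary loop keeps the file machine-readable. Both hunks assume `$LOG_PATH_MODULE/exploit/` exists when the first hit is appended; its creation is not visible here. generate_special_log and cve_extractor both start outside the hunks.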
@@ -539,12 +539,13 @@ output_cve_exploits() { print_output "$(indent "$(green "$MAGENTA$BOLD$EXPLOIT_COUNTER$NC$GREEN possible exploits available.")")" write_link "f20#minimalreportofexploitsandcves" fi - if [[ "$REMOTE_EXPLOIT_CNT" -gt 0 || "$LOCAL_EXPLOIT_CNT" -gt 0 || "$DOS_EXPLOIT_CNT" -gt 0 || "$GITHUB_EXPLOIT_CNT" -gt 0 ]]; then - print_output "$(indent "$(green "Remote exploits: $MAGENTA$BOLD$REMOTE_EXPLOIT_CNT$NC$GREEN / Local exploits: $MAGENTA$BOLD$LOCAL_EXPLOIT_CNT$NC$GREEN / DoS exploits: $MAGENTA$BOLD$DOS_EXPLOIT_CNT$NC$GREEN / Github PoCs: $MAGENTA$BOLD$GITHUB_EXPLOIT_CNT$NC$GREEN")")" + if [[ "$REMOTE_EXPLOIT_CNT" -gt 0 || "$LOCAL_EXPLOIT_CNT" -gt 0 || "$DOS_EXPLOIT_CNT" -gt 0 || "$GITHUB_EXPLOIT_CNT" -gt 0 || "$KNOWN_EXPLOITED_COUNTER" -gt 0 ]]; then + print_output "$(indent "$(green "Remote exploits: $MAGENTA$BOLD$REMOTE_EXPLOIT_CNT$NC$GREEN / Local exploits: $MAGENTA$BOLD$LOCAL_EXPLOIT_CNT$NC$GREEN / DoS exploits: $MAGENTA$BOLD$DOS_EXPLOIT_CNT$NC$GREEN / Github PoCs: $MAGENTA$BOLD$GITHUB_EXPLOIT_CNT$NC$GREEN / Known exploited exploits: $MAGENTA$BOLD$KNOWN_EXPLOITED_COUNTER$NC")")" write_csv_log "remote_exploits" "$REMOTE_EXPLOIT_CNT" write_csv_log "local_exploits" "$LOCAL_EXPLOIT_CNT" write_csv_log "dos_exploits" "$DOS_EXPLOIT_CNT" write_csv_log "github_exploits" "$GITHUB_EXPLOIT_CNT" + write_csv_log "known_exploited" "$KNOWN_EXPLOITED_COUNTER" fi # we report only software components with exploits to csv: grep "Found version details" "$LOG_DIR/f20_vul_aggregator/overview.txt" 2>/dev/null | sed -r "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2})?)?[mGK]//g" | tr -d "\[\+\]" | grep -v "CVEs: 0" | sed -e 's/Found version details:/version_details:/' |sed -e 's/[[:blank:]]//g' | sed -e 's/:/;/g' >> "$CSV_LOG_FILE" || true @@ -568,6 +569,7 @@ get_data() { MSF_MODULE_CNT=0 INT_COUNT=0 POST_COUNT=0 + KNOWN_EXPLOITED_COUNTER=0 if [[ -f "$LOG_DIR"/"$P02_LOG" ]]; then ENTROPY=$(grep -a "Entropy" "$LOG_DIR"/"$P02_LOG" | cut -d= -f2 | sed 's/^\ //' || true) 
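Review bot: The new summary label `Known exploited exploits` does not say what is counted; the CSV key added on the next line is `known_exploited` and the value comes from F20's known-exploited-vulnerability log, so `Known exploited vulnerabilities: $MAGENTA$BOLD$KNOWN_EXPLOITED_COUNTER$NC$GREEN` names the data and keeps the trailing `$GREEN` that the other fields in the same string carry. output_cve_exploits starts outside the hunk.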
@@ -688,6 +690,9 @@ get_data() { done < "$TMP_DIR"/LOW_CVE_COUNTER.tmp (( CVE_COUNTER="$CVE_COUNTER"+"$LOW_CVE_COUNTER" )) fi + if [[ -f "$TMP_DIR"/KNOWN_EXPLOITED_COUNTER.tmp ]]; then + KNOWN_EXPLOITED_COUNTER=$(cat "$TMP_DIR"/KNOWN_EXPLOITED_COUNTER.tmp) + fi if [[ -f "$F20_EXPLOITS_LOG" ]]; then EXPLOIT_COUNTER="$(grep -c -E "Exploit\ .*" "$F20_EXPLOITS_LOG" || true)" MSF_MODULE_CNT="$(grep -c -E "Exploit\ .*MSF" "$F20_EXPLOITS_LOG" || true)" diff --git a/modules/P14_ext2_mounter.sh b/modules/P14_ext2_mounter.sh index eef05e84d..8681eb3bb 100755 --- a/modules/P14_ext2_mounter.sh +++ b/modules/P14_ext2_mounter.sh @@ -48,7 +48,7 @@ ext2_extractor() { mkdir -p "$TMP_EXT_MOUNT" print_output "[*] Trying to mount $ORANGE$EXT_PATH_$NC to $ORANGE$TMP_EXT_MOUNT$NC directory" - mount "$EXT_PATH_" "$TMP_EXT_MOUNT" + mount -o ro "$EXT_PATH_" "$TMP_EXT_MOUNT" if mount | grep -q ext_mount; then print_output "[*] Copying $ORANGE$TMP_EXT_MOUNT$NC to firmware tmp directory ($EXTRACTION_DIR_)" mkdir -p "$EXTRACTION_DIR_" From c804a6af1373bdc1b4d0a91ec139aa4936272c5f Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Thu, 21 Apr 2022 16:06:51 +0200 Subject: [PATCH 15/42] cleanmup, extract --- modules/F50_base_aggregator.sh | 5 ----- modules/P60_firmware_bin_extractor.sh | 12 ++---------- 2 files changed, 2 insertions(+), 15 deletions(-) diff --git a/modules/F50_base_aggregator.sh b/modules/F50_base_aggregator.sh index f2d5735a7..a78cffb75 100755 --- a/modules/F50_base_aggregator.sh +++ b/modules/F50_base_aggregator.sh 
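Review bot: `KNOWN_EXPLOITED_COUNTER=$(cat "$TMP_DIR"/KNOWN_EXPLOITED_COUNTER.tmp)` takes the file content unchecked, and the value is later used in numeric `-gt` tests in output_cve_exploits, so an empty or partially written file turns that test into a bash error instead of a zero. A guard after the read, `[[ "$KNOWN_EXPLOITED_COUNTER" =~ ^[0-9]+$ ]] || KNOWN_EXPLOITED_COUNTER=0`, keeps the aggregator running. get_data starts and ends outside the hunk.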
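Review bot: `mount -o ro` is the right direction for an attacker-controlled filesystem image, but read-only alone still honours setuid bits, device nodes and executables inside the image; since the mount exists only to copy files out, `mount -o ro,nosuid,nodev,noexec "$EXT_PATH_" "$TMP_EXT_MOUNT"` removes those. The success test on the context line, `mount | grep -q ext_mount`, matches any mount whose path contains that string rather than this one; `mountpoint -q "$TMP_EXT_MOUNT"` tests the directory itself. ext2_extractor continues outside the hunk.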
@@ -267,11 +267,6 @@ output_config_issues() {
 echo "kernel_modules_lic;\"$KMOD_BAD\"" >> "$CSV_LOG_FILE"
 DATA=1
 fi
- #if [[ "${FILE_COUNTER-0}" -gt 0 ]]; then
- # print_output "$(indent "$(green "Found $ORANGE$FILE_COUNTER$GREEN not common Linux files with $ORANGE$FILE_COUNTER_ALL$GREEN files at all.")")"
- # write_link "s11"
- # DATA=1
- #fi
 if [[ "${INT_COUNT-0}" -gt 0 || "${POST_COUNT-0}" -gt 0 ]]; then
 print_output "$(indent "$(green "Found $ORANGE${INT_COUNT}$GREEN interesting files and $ORANGE${POST_COUNT-0}$GREEN files that could be useful for post-exploitation.")")"
 write_link "s95"
diff --git a/modules/P60_firmware_bin_extractor.sh b/modules/P60_firmware_bin_extractor.sh
index d74bfe2d8..d54f03470 100755
--- a/modules/P60_firmware_bin_extractor.sh
+++ b/modules/P60_firmware_bin_extractor.sh
@@ -314,11 +314,7 @@ extract_binwalk_helper() {
 if [[ "$BINWALK_VER_CHECK" == 1 ]]; then
 binwalk --run-as=root --preserve-symlinks -e -M -C "$OUTPUT_DIR_binwalk" "$FIRMWARE_PATH" >> "$TMP_DIR"/binwalker.txt
 else
- if [[ "$IN_DOCKER" -eq 1 ]]; then
- binwalk -e -M -C "$OUTPUT_DIR_binwalk" "$FIRMWARE_PATH" >> "$TMP_DIR"/binwalker.txt
- else
- binwalk --run-as=root --preserve-symlinks -e -M -C "$OUTPUT_DIR_binwalk" "$FIRMWARE_PATH" >> "$TMP_DIR"/binwalker.txt
- fi
+ binwalk -e -M -C "$OUTPUT_DIR_binwalk" "$FIRMWARE_PATH" >> "$TMP_DIR"/binwalker.txt
 fi
 }
@@ -341,11 +337,7 @@ binwalk_deep_extract_helper() {
 if [[ "$BINWALK_VER_CHECK" == 1 ]]; then
 binwalk --run-as=root --preserve-symlinks -e -M -C "$FIRMWARE_PATH_CP" "$FILE_TMP" | tee -a "$LOG_FILE" || true
 else
- if [[ "$IN_DOCKER" -eq 1 ]]; then
- binwalk -e -M -C "$FIRMWARE_PATH_CP" "$FILE_TMP" | tee -a "$LOG_FILE" || true
- else
- binwalk --run-as=root --preserve-symlinks -e -M -C "$FIRMWARE_PATH_CP" "$FILE_TMP" | tee -a "$LOG_FILE" || true
- fi
+ binwalk -e -M -C "$FIRMWARE_PATH_CP" "$FILE_TMP" | tee -a "$LOG_FILE" || true
 fi
 }
From 8f4fc112066c23b46ac1a6004f929ce834094b23 Mon Sep 17 00:00:00 2001
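Review bot: With the `IN_DOCKER` branch removed, the remaining if/else in extract_binwalk_helper has two arms that differ only in the `--run-as=root --preserve-symlinks` flags, and the `@@ -341` hunk in binwalk_deep_extract_helper now has the same shape. Building the option list once removes the duplicated command line: `local BW_OPTS=()`, `if [[ "$BINWALK_VER_CHECK" == 1 ]]; then BW_OPTS=(--run-as=root --preserve-symlinks); fi`, then `binwalk "${BW_OPTS[@]}" -e -M -C "$OUTPUT_DIR_binwalk" "$FIRMWARE_PATH" >> "$TMP_DIR"/binwalker.txt`. A one-line comment on why the flags depend on `BINWALK_VER_CHECK` (presumably the installed binwalk version) would also help, because `--preserve-symlinks` turns off binwalk's sanitisation of symlinks that point outside the extraction directory and a later reader should not copy it into the fallback arm by accident. extract_binwalk_helper starts outside the hunk.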
From: m-1-k-3
Date: Fri, 22 Apr 2022 08:57:31 +0200
Subject: [PATCH 16/42] installer
---
 .gitignore | 1 +
 emba.sh | 18 +++++++++++++++---
 installer.sh | 8 ++++----
 installer/I120_cwe_checker.sh | 11 +++++++----
 installer/IL21_firmae_system_emulator.sh | 7 +++++++
 5 files changed, 34 insertions(+), 11 deletions(-)
diff --git a/.gitignore b/.gitignore
index 79b78b290..07d3971d8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,7 @@
 log*/
 dir-combined.yara
 external/
+modules_local/
 tools/
 !external/.keep
 config/vt_api_key.txt
diff --git a/emba.sh b/emba.sh
index 65e873123..124949398 100755
--- a/emba.sh
+++ b/emba.sh
@@ -37,8 +37,12 @@ import_helper()
 import_module()
 {
 local MODULES=()
+ local MODULES_LOCAL=()
+ local MODULES_EMBA=()
 local MODULE_COUNT=0
- mapfile -t MODULES < <(find "$MOD_DIR" -name "*.sh" | sort -V 2> /dev/null)
+ mapfile -t MODULES_EMBA < <(find "$MOD_DIR" -name "*.sh" | sort -V 2> /dev/null)
+ mapfile -t MODULES_LOCAL < <(find "${MOD_DIR}_local" -name "*.sh" | sort -V 2> /dev/null)
+ MODULES=( "${MODULES_EMBA[@]}" "${MODULES_LOCAL[@]}" )
 for MODULE_FILE in "${MODULES[@]}" ; do
 if ( file "$MODULE_FILE" | grep -q "shell script" ) && ! [[ "$MODULE_FILE" =~ \ |\' ]] ; then
 # https://github.com/koalaman/shellcheck/wiki/SC1090
@@ -107,7 +111,11 @@ run_modules()
 if [[ ${#SELECT_MODULES[@]} -eq 0 ]] || [[ $SELECT_PRE_MODULES_COUNT -eq 0 ]]; then
 local MODULES=()
- mapfile -t MODULES < <(find "$MOD_DIR" -name "${MODULE_GROUP^^}""*_*.sh" | sort -V 2> /dev/null)
+ local MODULES_LOCAL=()
+ local MODULES_EMBA=()
+ mapfile -t MODULES_EMBA < <(find "$MOD_DIR" -name "${MODULE_GROUP^^}""*_*.sh" | sort -V 2> /dev/null)
+ mapfile -t MODULES_LOCAL < <(find "${MOD_DIR}_local" -name "${MODULE_GROUP^^}""*.sh" | sort -V 2> /dev/null)
+ MODULES=( "${MODULES_EMBA[@]}" "${MODULES_LOCAL[@]}" )
 if [[ $THREADING_SET -eq 1 && "${MODULE_GROUP^^}" != "P" ]] ; then
 sort_modules
 fi
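Review bot: `find "${MOD_DIR}_local"` prints a `No such file or directory` error on every start when the optional modules_local directory is absent, because the `2> /dev/null` on these lines applies to `sort`, not to `find`; the two run_modules hunks (`@@ -107` here and `@@ -158` below) have the same problem. Guard on the directory instead: `if [[ -d "${MOD_DIR}_local" ]]; then mapfile -t MODULES_LOCAL < <(find "${MOD_DIR}_local" -name "*.sh" | sort -V 2> /dev/null); fi`. In run_modules the local pattern is `"${MODULE_GROUP^^}""*.sh"` while the built-in one is `"${MODULE_GROUP^^}""*_*.sh"`; if the looser match is intended, a comment should say so. A comment at the new lines noting that every shell file under modules_local is sourced and run with EMBA's own privileges (the directory is git-ignored, so its content is never part of review) would help whoever deploys it. import_module starts outside the hunk.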
@@ -158,7 +166,11 @@ run_modules()
 fi
 elif [[ "$SELECT_NUM" =~ ^["${MODULE_GROUP,,}","${MODULE_GROUP^^}"]{1} ]]; then
 local MODULES=()
- mapfile -t MODULES < <(find "$MOD_DIR" -name "${MODULE_GROUP^^}""*_*.sh" | sort -V 2> /dev/null)
+ local MODULES_LOCAL=()
+ local MODULES_EMBA=()
+ mapfile -t MODULES_EMBA < <(find "$MOD_DIR" -name "${MODULE_GROUP^^}""*_*.sh" | sort -V 2> /dev/null)
+ mapfile -t MODULES_LOCAL < <(find "${MOD_DIR}_local" -name "${MODULE_GROUP^^}""*.sh" | sort -V 2> /dev/null)
+ MODULES=( "${MODULES_EMBA[@]}" "${MODULES_LOCAL[@]}" )
 if [[ $THREADING_SET -eq 1 ]] ; then
 sort_modules
 fi
diff --git a/installer.sh b/installer.sh
index 4ab98dce6..07fe81b95 100755
--- a/installer.sh
+++ b/installer.sh
@@ -181,15 +181,15 @@ if [[ "$CVE_SEARCH" -ne 1 ]] || [[ "$DOCKER_SETUP" -ne 1 ]] || [[ "$IN_DOCKER" -
 I120_cwe_checker
 
- # deprecated:
+ # deprecated - will be removed in the future:
 #IL10_system_emulator
 
- # for the future
+ # will be the only one in the future
 IL20_system_emulator
- # deprecated:
+ # deprecated - just for testing:
 IL21_firmae_system_emulator
 
- # deprecated:
+ # deprecated - not fully working:
 #IL22_firmadyne_system_emulator
 
 IL15_emulated_checks_init
diff --git a/installer/I120_cwe_checker.sh b/installer/I120_cwe_checker.sh
index a7b4fea01..9094582a4 100644
--- a/installer/I120_cwe_checker.sh
+++ b/installer/I120_cwe_checker.sh
@@ -24,7 +24,7 @@ I120_cwe_checker() {
 print_git_info "cwe-checker" "fkie-cad/cwe_checker" "cwe_checker is a suite of checks to detect common bug classes such as use of dangerous functions and simple integer overflows."
 echo -e "$ORANGE""cwe-checker will be downloaded.""$NC"
 print_file_info "OpenJDK" "OpenJDK for cwe-checker" "https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.12%2B7/OpenJDK11U-jdk_x64_linux_hotspot_11.0.12_7.tar.gz" "external/jdk.tar.gz"
- print_file_info "GHIDRA" "Ghidra for cwe-checker" "https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_10.0.2_build/ghidra_10.0.2_PUBLIC_20210804.zip" "external/ghidra.zip"
+ print_file_info "GHIDRA" "Ghidra for cwe-checker" "https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_10.1.2_build/ghidra_10.1.2_PUBLIC_20220125.zip" "external/ghidra.zip"
 
 if [[ "$LIST_DEP" -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]] ; then
 ANSWER=("n")
@@ -59,17 +59,20 @@ I120_cwe_checker() {
 # Ghidra
 if [[ -d ./external/ghidra ]] ; then rm -R ./external/ghidra ; fi
- curl -L https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_10.0.2_build/ghidra_10.0.2_PUBLIC_20210804.zip -Sf -o external/ghidra.zip
+ #curl -L https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_10.1.2_build/ghidra_10.1.2_PUBLIC_20210804.zip -Sf -o external/ghidra.zip
+ curl -L https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_10.1.2_build/ghidra_10.1.2_PUBLIC_20220125.zip -Sf -o external/ghidra.zip
 mkdir external/ghidra 2>/dev/null
 unzip -qo external/ghidra.zip -d external/ghidra
- sed -i s@JAVA_HOME_OVERRIDE=@JAVA_HOME_OVERRIDE=external/jdk@g external/ghidra/ghidra_10.0.2_PUBLIC/support/launch.properties
+ sed -i s@JAVA_HOME_OVERRIDE=@JAVA_HOME_OVERRIDE=external/jdk@g external/ghidra/ghidra_10.1.2_PUBLIC/support/launch.properties
 rm external/ghidra.zip
 
 if [[ -d ./external/cwe_checker ]] ; then rm -R ./external/cwe_checker ; fi
 mkdir external/cwe_checker 2>/dev/null
 git clone https://github.com/fkie-cad/cwe_checker.git external/cwe_checker
 cd external/cwe_checker || exit 1
- make all GHIDRA_PATH=external/ghidra/ghidra_10.0.2_PUBLIC
+ apt-get autoclean
+ apt-get autoremove
+ make all GHIDRA_PATH=external/ghidra/ghidra_10.1.2_PUBLIC
 
 cd "$HOME_PATH" || exit 1
 mv "$HOME""/.cargo/bin" "external/cwe_checker/bin"
diff --git a/installer/IL21_firmae_system_emulator.sh b/installer/IL21_firmae_system_emulator.sh
index e28b357e8..925f56010 100644
--- a/installer/IL21_firmae_system_emulator.sh
+++ b/installer/IL21_firmae_system_emulator.sh
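Review bot: The Ghidra archive is fetched with `curl -L ... -o external/ghidra.zip` and unpacked immediately without any integrity check, so the cwe-checker build inherits whatever the download endpoint serves at install time; pin the digest of the 10.1.2 release and verify it before the `unzip` line: `echo "<SHA256_OF_GHIDRA_ZIP_PLACEHOLDER>  external/ghidra.zip" | sha256sum -c - || exit 1`. The commented-out `#curl` line kept above the live one carries a file name with the wrong date (`20210804` against the `20220125` build it claims to be) and only invites confusion; drop it rather than keep it as history. I120_cwe_checker continues outside the hunk.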
@@ -22,7 +22,12 @@ IL21_firmae_system_emulator() {
 if [[ "$LIST_DEP" -eq 1 ]] || [[ $IN_DOCKER -eq 1 ]] || [[ $DOCKER_SETUP -eq 0 ]] || [[ $FULL -eq 1 ]]; then
 cd "$HOME_PATH" || exit 1
 
+ print_tool_info "xdg-utils" 1
+ print_tool_info "fonts-liberation" 1
+ print_tool_info "openjdk-11-jdk" 1
+
 print_git_info "FirmAE system mode emulator" "pr0v3rbs/FirmAE" "FirmAE is a fully-automated framework that performs emulation and vulnerability analysis."
+
 echo -e "\\n""$MAGENTA""$BOLD""This is a temporary module which will be removed in the future without any further note!""$NC"
 
 if [[ "$LIST_DEP" -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]] ; then
@@ -35,6 +40,8 @@ IL21_firmae_system_emulator() {
 case ${ANSWER:0:1} in
 y|Y )
 
+ apt-get install "${INSTALL_APP_LIST[@]}" -y
+
 if ! [[ -d external/FirmAE_orig ]]; then
 git clone --recursive https://github.com/pr0v3rbs/FirmAE.git external/FirmAE_orig
 cd external/FirmAE_orig || exit 1
From e89129df26edd24942c212300f5cc5f39998436e Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Fri, 22 Apr 2022 09:05:20 +0200
Subject: [PATCH 17/42] payload dumper dependency checker
---
 helpers/helpers_emba_dependency_check.sh | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/helpers/helpers_emba_dependency_check.sh b/helpers/helpers_emba_dependency_check.sh
index fa2ebd218..a08665f6b 100755
--- a/helpers/helpers_emba_dependency_check.sh
+++ b/helpers/helpers_emba_dependency_check.sh
@@ -304,6 +304,9 @@ dependency_check()
 # EnGenius decryptor - https://gist.github.com/ryancdotorg/914f3ad05bfe0c359b79716f067eaa99
 check_dep_file "EnGenius decryptor" "$EXT_DIR""/engenius-decrypt.py"
 
+ # Android payload.bin extractor
+ check_dep_file "Android payload.bin extractor" "$EXT_DIR""/payload_dumper/payload_dumper.py"
+
 # CVE-search
 # TODO change to portcheck and write one for external hosts
 check_dep_file "cve-search script" "$EXT_DIR""/cve-search/bin/search.py"
From a1f710064b78f37a7f265507a90930043ec63487 Mon Sep 17 00:00:00 2001
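Review bot: `apt-get install "${INSTALL_APP_LIST[@]}" -y` installs whatever `INSTALL_APP_LIST` holds when the `y|Y )` arm is reached, and neither of the two hunks shows the array being reset at the top of IL21_firmae_system_emulator, unlike the deleted IL10 module further down this series which starts with `INSTALL_APP_LIST=()`. If the array is not cleared outside the hunk, the packages collected by the previous installer modules are passed to apt-get again here, and the three new `print_tool_info` entries are not the only thing being installed. Add `INSTALL_APP_LIST=()` before the `print_tool_info` calls in the `@@ -22` hunk so the install line reflects exactly what this module declares. IL21_firmae_system_emulator continues outside the hunk.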
From: m-1-k-3
Date: Fri, 22 Apr 2022 09:23:43 +0200
Subject: [PATCH 18/42] checker updates
---
 check_project.sh | 25 +++++++++++--------
 config/msf_cve-db.txt | 8 +-----
 .../F20_vul_aggregator-post.sh | 1 +
 3 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/check_project.sh b/check_project.sh
index 0f452b04e..579847aa7 100755
--- a/check_project.sh
+++ b/check_project.sh
@@ -39,6 +39,7 @@ NC='\033[0m' # no color
 INSTALLER_DIR="./installer"
 HELP_DIR="./helpers"
 MOD_DIR="./modules"
+MOD_DIR_LOCAL="./modules_local"
 CONF_DIR="./config"
 REP_DIR="$CONF_DIR/report_templates"
 
@@ -46,8 +47,8 @@ SOURCES=()
 MODULES_TO_CHECK_ARR=()
 
 import_config_scripts() {
- HELPERS=$(find "$CONF_DIR" -iname "*.sh" 2>/dev/null)
- for LINE in $HELPERS; do
+ mapfile -t HELPERS < <(find "$CONF_DIR" -iname "*.sh" 2>/dev/null)
+ for LINE in "${HELPERS[@]}"; do
 if (file "$LINE" | grep -q "shell script"); then
 echo "$LINE"
 SOURCES+=("$LINE")
@@ -56,8 +57,8 @@ import_config_scripts() {
 }
 
 import_helper() {
- HELPERS=$(find "$HELP_DIR" -iname "*.sh" 2>/dev/null)
- for LINE in $HELPERS; do
+ mapfile -t HELPERS < <(find "$HELP_DIR" -iname "*.sh" 2>/dev/null)
+ for LINE in "${HELPERS[@]}"; do
 if (file "$LINE" | grep -q "shell script"); then
 echo "$LINE"
 SOURCES+=("$LINE")
@@ -66,8 +67,8 @@ import_helper() {
 }
 
 import_reporting_templates() {
- REP_TEMP=$(find "$REP_DIR" -iname "*.sh" 2>/dev/null)
- for LINE in $REP_TEMP; do
+ mapfile -t REP_TEMP < <(find "$REP_DIR" -iname "*.sh" 2>/dev/null)
+ for LINE in "${REP_TEMP[@]}"; do
 if (file "$LINE" | grep -q "shell script"); then
 echo "$LINE"
 SOURCES+=("$LINE")
@@ -76,8 +77,11 @@ import_reporting_templates() {
 }
 
 import_module() {
- MODULES=$(find "$MOD_DIR" -iname "*.sh" 2>/dev/null)
- for LINE in $MODULES; do
+ MODULES=()
+ mapfile -t MODULES_ < <(find "$MOD_DIR" -iname "*.sh" 2>/dev/null)
+ mapfile -t MODULES_LOCAL < <(find "$MOD_DIR_LOCAL" -iname "*.sh" 2>/dev/null)
+ MODULES=( "${MODULES_[@]}" "${MODULES_LOCAL[@]}")
+ for LINE in "${MODULES[@]}"; do
 if (file "$LINE" | grep -q "shell script"); then
 echo "$LINE"
 SOURCES+=("$LINE")
@@ -86,8 +90,9 @@ import_module() {
 }
 
 import_installer() {
- MODULES=$(find "$INSTALLER_DIR" -iname "*.sh" 2>/dev/null)
- for LINE in $MODULES; do
+ MODULES=()
+ mapfile -t MODULES < <(find "$INSTALLER_DIR" -iname "*.sh" 2>/dev/null)
+ for LINE in "${MODULES[@]}"; do
 if (file "$LINE" | grep -q "shell script"); then
 echo "$LINE"
 SOURCES+=("$LINE")
diff --git a/config/msf_cve-db.txt b/config/msf_cve-db.txt
index 6eb306d60..35c1f0a56 100644
--- a/config/msf_cve-db.txt
+++ b/config/msf_cve-db.txt
@@ -233,8 +231,6 @@
 /usr/share/metasploit-framework/modules/auxiliary/gather/exchange_proxylogon_collector.rb:CVE-2021-26855
 /usr/share/metasploit-framework/modules/auxiliary/gather/firefox_pdfjs_file_theft.rb:CVE-2015-4495
 /usr/share/metasploit-framework/modules/auxiliary/gather/flash_rosetta_jsonp_url_disclosure.rb:CVE-2014-4671
-/usr/share/metasploit-framework/modules/auxiliary/gather/grandstream_ucm62xx_sql_account_guess.rb:CVE-2020-5723
-/usr/share/metasploit-framework/modules/auxiliary/gather/grandstream_ucm62xx_sql_account_guess.rb:CVE-2020-5724
 /usr/share/metasploit-framework/modules/auxiliary/gather/huawei_wifi_info.rb:CVE-2013-6031
 /usr/share/metasploit-framework/modules/auxiliary/gather/ibm_sametime_enumerate_users.rb:CVE-2013-3975
 /usr/share/metasploit-framework/modules/auxiliary/gather/ibm_sametime_room_brute.rb:CVE-2013-3977
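Review bot: The removed entries in this hunk and in the `@@ -277`, `@@ -376`, `@@ -712` and `@@ -1237` hunks below drop existing module-to-CVE mappings (petitpotam, nagios_xi, ignition_laravel among them) rather than correct them, which silently shrinks the Metasploit coverage EMBA can report for a firmware, and nothing in the commit message explains the removal. If this file is regenerated from a local Metasploit installation, the generating install presumably lacked those modules, and the list should be rebuilt from a current framework before it is committed. Stating the framework version the list was produced from in the commit message would make such regressions visible in future diffs.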
@@ -277,7 +275,6 @@
 /usr/share/metasploit-framework/modules/auxiliary/scanner/chargen/chargen_probe.rb:CVE-1999-0103
 /usr/share/metasploit-framework/modules/auxiliary/scanner/couchdb/couchdb_enum.rb:CVE-2017-12635
 /usr/share/metasploit-framework/modules/auxiliary/scanner/db2/db2_auth.rb:CVE-1999-0502
-/usr/share/metasploit-framework/modules/auxiliary/scanner/dcerpc/petitpotam.rb:CVE-2021-36942
 /usr/share/metasploit-framework/modules/auxiliary/scanner/dlsw/dlsw_leak_capture.rb:CVE-2014-7992
 /usr/share/metasploit-framework/modules/auxiliary/scanner/dns/dns_amp.rb:CVE-2006-0987
 /usr/share/metasploit-framework/modules/auxiliary/scanner/dns/dns_amp.rb:CVE-2006-0988
@@ -376,7 +373,6 @@
 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/nagios_xi_scanner.rb:CVE-2020-35578
 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/nagios_xi_scanner.rb:CVE-2020-5791
 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/nagios_xi_scanner.rb:CVE-2020-5792
-/usr/share/metasploit-framework/modules/auxiliary/scanner/http/nagios_xi_scanner.rb:CVE-2021-37343
 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/netdecision_traversal.rb:CVE-2012-1465
 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/nginx_source_disclosure.rb:CVE-2010-2263
 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/novell_file_reporter_fsfui_fileaccess.rb:CVE-2012-4958
@@ -680,7 +676,7 @@
 /usr/share/metasploit-framework/modules/exploits/linux/http/goautodial_3_rce_command_injection.rb:CVE-2015-2843
 /usr/share/metasploit-framework/modules/exploits/linux/http/goautodial_3_rce_command_injection.rb:CVE-2015-2845
 /usr/share/metasploit-framework/modules/exploits/linux/http/gpsd_format_string.rb:CVE-2004-1388
-/usr/share/metasploit-framework/modules/exploits/linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec.rb:CVE-2019-10655
+/usr/share/metasploit-framework/modules/exploits/linux/http/grandstream_gxv3175_settimezone_unauth_cmd_exec.rb:CVE-2019-10655
 /usr/share/metasploit-framework/modules/exploits/linux/http/grandstream_ucm62xx_sendemail_rce.rb:CVE-2020-5722
 /usr/share/metasploit-framework/modules/exploits/linux/http/gravcms_exec.rb:CVE-2021-21425
 /usr/share/metasploit-framework/modules/exploits/linux/http/groundwork_monarch_cmd_exec.rb:CVE-2013-3502
@@ -712,7 +708,6 @@
 /usr/share/metasploit-framework/modules/exploits/linux/http/mobileiron_mdm_hessian_rce.rb:CVE-2020-15505
 /usr/share/metasploit-framework/modules/exploits/linux/http/multi_ncc_ping_exec.rb:CVE-2015-1187
 /usr/share/metasploit-framework/modules/exploits/linux/http/mutiny_frontend_upload.rb:CVE-2013-0136
-/usr/share/metasploit-framework/modules/exploits/linux/http/nagios_xi_autodiscovery_webshell.rb:CVE-2021-37343
 /usr/share/metasploit-framework/modules/exploits/linux/http/nagios_xi_chained_rce_2_electric_boogaloo.rb:CVE-2018-8733
 /usr/share/metasploit-framework/modules/exploits/linux/http/nagios_xi_chained_rce_2_electric_boogaloo.rb:CVE-2018-8734
 /usr/share/metasploit-framework/modules/exploits/linux/http/nagios_xi_chained_rce_2_electric_boogaloo.rb:CVE-2018-8735
@@ -1237,7 +1232,6 @@
 /usr/share/metasploit-framework/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname_loop.rb:CVE-2010-0304
 /usr/share/metasploit-framework/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname.rb:CVE-2010-0304
 /usr/share/metasploit-framework/modules/exploits/multi/ntp/ntp_overflow.rb:CVE-2001-0414
-/usr/share/metasploit-framework/modules/exploits/multi/php/ignition_laravel_debug_rce.rb:CVE-2021-3129
 /usr/share/metasploit-framework/modules/exploits/multi/php/php_unserialize_zval_cookie.rb:CVE-2007-1286
 /usr/share/metasploit-framework/modules/exploits/multi/php/wp_duplicator_code_inject.rb:CVE-2018-17207
 /usr/share/metasploit-framework/modules/exploits/multi/postgres/postgres_copy_from_program_cmd_exec.rb:CVE-2019-9193
diff --git a/config/report_templates/F20_vul_aggregator-post.sh b/config/report_templates/F20_vul_aggregator-post.sh
index dac2ce4f8..10673674a 100644
--- a/config/report_templates/F20_vul_aggregator-post.sh
+++ b/config/report_templates/F20_vul_aggregator-post.sh
@@ -6,3 +6,4 @@ print_output "$(indent "${ORANGE}L$NC - local exploits")"
 print_output "$(indent "${ORANGE}D$NC - DoS exploits")"
 print_output "$(indent "${ORANGE}G$NC - PoC code found on Github (unknown exploit vector)")"
 print_output "$(indent "${ORANGE}X$NC - Vulnerability is known as exploited")"
+write_link "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
From a0c1d0aeb557f54eec5d353736a615320a55d8e5 Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Fri, 22 Apr 2022 12:27:39 +0200
Subject: [PATCH 19/42] docker hardening
---
 docker-compose.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index c0a3f5af9..dfeb2ce86 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,8 +2,8 @@ version: "3"
 services:
 emba:
 image: embeddedanalyzer/emba:latest
- read_only: false
- privileged: true
+ read_only: true
+ privileged: false
 tmpfs:
 - /tmp
 - /root
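Review bot: Dropping `privileged: true` is the right direction, but extraction steps elsewhere in this series still need capabilities an unprivileged container does not have by default, for example the `mount -o ro` in P14_ext2_mounter (`@@ -48` above), which requires CAP_SYS_ADMIN and access to loop devices; unless a `cap_add` section exists outside this hunk, those steps now fail silently inside the container. Make the reduction explicit rather than implicit: `cap_drop: [ALL]` together with a minimal `cap_add` list for what the mount helpers actually need, and `security_opt: ["no-new-privileges:true"]`. A comment next to `privileged: false` naming the modules that were verified to work without it would tell the next person what this setting was tested against.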
From 54d582beb79eb60c2dee8bec79a70a0580bb3dfa Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Fri, 22 Apr 2022 12:31:20 +0200
Subject: [PATCH 20/42] cleanup
---
 installer/I120_cwe_checker.sh | 2 --
 1 file changed, 2 deletions(-)
diff --git a/installer/I120_cwe_checker.sh b/installer/I120_cwe_checker.sh
index 9094582a4..d83b19929 100644
--- a/installer/I120_cwe_checker.sh
+++ b/installer/I120_cwe_checker.sh
@@ -70,8 +70,6 @@ I120_cwe_checker() {
 mkdir external/cwe_checker 2>/dev/null
 git clone https://github.com/fkie-cad/cwe_checker.git external/cwe_checker
 cd external/cwe_checker || exit 1
- apt-get autoclean
- apt-get autoremove
 make all GHIDRA_PATH=external/ghidra/ghidra_10.1.2_PUBLIC
 
 cd "$HOME_PATH" || exit 1
From 5839b45aa193fe7a8bdddc13fb43d97f1debc13f Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Fri, 22 Apr 2022 12:35:36 +0200
Subject: [PATCH 21/42] cleanup
---
 installer/IL20_system_emulator.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/installer/IL20_system_emulator.sh b/installer/IL20_system_emulator.sh
index a329f382c..68de917db 100644
--- a/installer/IL20_system_emulator.sh
+++ b/installer/IL20_system_emulator.sh
@@ -106,7 +106,7 @@ IL20_system_emulator() {
 download_file "libnvram_ioctl.so.mipsel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram_ioctl.so.mipsel" "external/firmae/binaries/libnvram_ioctl.so.mipsel"
 download_file "fixImage.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/fixImage.sh" "external/firmae/scripts/fixImage.sh"
- download_file "preInit.sh" "https://github.com/pr0v3rbs/FirmAE/blob/master/scripts/preInit.sh" "external/firmae/scripts/preInit.sh"
+ download_file "preInit.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/preInit.sh" "external/firmae/scripts/preInit.sh"
 download_file "network.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/network.sh" "external/firmae/scripts/network.sh"
 download_file "inferNetwork.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/inferNetwork.sh" "external/firmae/scripts/inferNetwork.sh"
 download_file "run_service.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/run_service.sh" "external/firmae/scripts/run_service.sh"
From acc374d610e6b344deef0124bb972f1b14edc6db Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Fri, 22 Apr 2022 15:41:41 +0200
Subject: [PATCH 22/42] removed L10
---
 docker-compose.yml | 6 +-
 emba.sh | 2 +-
 installer.sh | 4 -
 installer/IL10_system_emulator.sh | 136 ------
 modules/L10_system_emulator.sh | 615 --------------------------
 modules/P60_firmware_bin_extractor.sh | 3 +-
 6 files changed, 7 insertions(+), 759 deletions(-)
 delete mode 100644 installer/IL10_system_emulator.sh
 delete mode 100755 modules/L10_system_emulator.sh
diff --git a/docker-compose.yml b/docker-compose.yml
index dfeb2ce86..34e4e6624 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
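Review bot: The corrected URL still fetches `preInit.sh` (like the neighbouring `fixImage.sh`, `network.sh`, `inferNetwork.sh` and `run_service.sh`) from the mutable `master` branch, so the scripts the emulator later uses can change between two installs and cannot be reproduced or audited after the fact. Pin the download to a tag or commit, e.g. `https://raw.githubusercontent.com/pr0v3rbs/FirmAE/<PINNED_COMMIT_PLACEHOLDER>/scripts/preInit.sh`, the way the `v1.0` release is already used for the `libnvram_ioctl.so.mipsel` binary above. IL20_system_emulator starts outside the hunk.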
@@ -4,11 +4,13 @@ services:
 image: embeddedanalyzer/emba:latest
 read_only: true
 privileged: false
+ # /root is needed for binwalk
+ # /tmp is needed for FACT extractor
+ # /run is needed for postgresql and others
 tmpfs:
 - /tmp
 - /root
- - /var/run
- - /var/lock
+ - /run
 build: .
 volumes:
 - ${FIRMWARE}/:/firmware:ro
diff --git a/emba.sh b/emba.sh
index 124949398..31b720c90 100755
--- a/emba.sh
+++ b/emba.sh
@@ -530,7 +530,7 @@ main()
 elif [[ "$CONTAINER_EXTRACT" -eq 1 ]]; then
 PRE_CHECK=1
 print_output "[*] Firmware analysis of docker image starting." "no_log"
- print_output " EMBA starts with the extracting the docker image $ORANGE$CONTAINER_ID$NC." "no_log"
+ print_output " EMBA starts with extracting the docker image $ORANGE$CONTAINER_ID$NC." "no_log"
 export FIRMWARE_PATH="$LOG_DIR"/firmware/firmware_docker_extracted.tar
 export OUTPUT_DIR="$FIRMWARE_PATH"
 export FIRMWARE=1
diff --git a/installer.sh b/installer.sh
index 07fe81b95..bc4da6020 100755
--- a/installer.sh
+++ b/installer.sh
@@ -181,10 +181,6 @@ if [[ "$CVE_SEARCH" -ne 1 ]] || [[ "$DOCKER_SETUP" -ne 1 ]] || [[ "$IN_DOCKER" -
 I120_cwe_checker
 
- # deprecated - will be removed in the future:
- #IL10_system_emulator
-
- # will be the only one in the future
 IL20_system_emulator
 # deprecated - just for testing:
 IL21_firmae_system_emulator
diff --git a/installer/IL10_system_emulator.sh b/installer/IL10_system_emulator.sh
deleted file mode 100644
index 3ac51cb1e..000000000
--- a/installer/IL10_system_emulator.sh
+++ /dev/null
@@ -1,136 +0,0 @@ -#!/bin/bash - -# EMBA - EMBEDDED LINUX ANALYZER -# -# Copyright 2020-2022 Siemens AG -# Copyright 2020-2022 Siemens Energy AG -# -# EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are -# welcome to redistribute it under the terms of the GNU General Public License. -# See LICENSE file for usage of this software. -# -# EMBA is licensed under GPLv3 -# -# Author(s): Michael Messner, Pascal Eckmann -# Contributor(s): Stefan Haboeck, Nikolas Papaioannou - -# Description: Installs firmadyne / full system emulation - -IL10_system_emulator() { - module_title "${FUNCNAME[0]}" - - if [[ "$LIST_DEP" -eq 1 ]] || [[ $IN_DOCKER -eq 1 ]] || [[ $DOCKER_SETUP -eq 0 ]] || [[ $FULL -eq 1 ]]; then - INSTALL_APP_LIST=() - cd "$HOME_PATH" || exit 1 - - print_tool_info "busybox-static" 1 - print_tool_info "bash-static" 1 - print_tool_info "fakeroot" 1 - print_tool_info "git" 1 - print_tool_info "dmsetup" 1 - print_tool_info "kpartx" 1 - print_tool_info "uml-utilities" 1 - print_tool_info "util-linux" 1 - print_tool_info "vlan" 1 - print_tool_info "qemu-system-arm" 1 - print_tool_info "qemu-system-mips" 1 - print_tool_info "qemu-system-x86" 1 - print_tool_info "qemu-utils" 1 - - print_file_info "vmlinux.mipsel" "Firmadyne - Linux kernel 2.6 - MIPSel" "https://github.com/firmadyne/kernel-v2.6/releases/download/v1.1/vmlinux.mipsel" "external/firmadyne/binaries/vmlinux.mipsel" - print_file_info "vmlinux.mipseb" "Firmadyne - Linux kernel 2.6 - MIPSeb" "https://github.com/firmadyne/kernel-v2.6/releases/download/v1.1/vmlinux.mipseb" "external/firmadyne/binaries/vmlinux.mipseb" - print_file_info "zImage.armel" "Firmadyne - Linux kernel 4.1 - ARMel" "https://github.com/firmadyne/kernel-v4.1/releases/download/v1.1/zImage.armel" "external/firmadyne/binaries/zImage.armel" - print_file_info "console.armel" "Firmadyne - Console - ARMel" "https://github.com/firmadyne/console/releases/download/v1.0/console.armel" "external/firmadyne/binaries/console.armel" - 
print_file_info "console.mipseb" "Firmadyne - Console - MIPSeb" "https://github.com/firmadyne/console/releases/download/v1.0/console.mipseb" "external/firmadyne/binaries/console.mipseb" - print_file_info "console.mipsel" "Firmadyne - Console - MIPSel" "https://github.com/firmadyne/console/releases/download/v1.0/console.mipsel" "external/firmadyne/binaries/console.mipsel" - print_file_info "libnvram.so.armel" "Firmadyne - libnvram - ARMel" "https://github.com/firmadyne/libnvram/releases/download/v1.0c/libnvram.so.armel" "external/firmadyne/binaries/libnvram.so.armel" - print_file_info "libnvram.so.mipseb" "Firmadyne - libnvram - MIPSeb" "https://github.com/firmadyne/libnvram/releases/download/v1.0c/libnvram.so.mipseb" "external/firmadyne/binaries/libnvram.so.mipseb" - print_file_info "libnvram.so.mipsel" "Firmadyne - libnvram - MIPSel" "https://github.com/firmadyne/libnvram/releases/download/v1.0c/libnvram.so.mipsel" "external/firmadyne/binaries/libnvram.so.mipsel" - print_file_info "fixImage.sh" "Firmadyne fixImage script" "https://raw.githubusercontent.com/firmadyne/firmadyne/master/scripts/fixImage.sh" "external/firmadyne/scripts/" - print_file_info "preInit.sh" "Firmadyne preInit script" "https://raw.githubusercontent.com/firmadyne/firmadyne/master/scripts/preInit.sh" "external/firmadyne/scripts/" - - echo -e "\\n""$MAGENTA""$BOLD""This is a deprecated module which will be removed in the future without any further note!""$NC" - - if [[ "$LIST_DEP" -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]] ; then - ANSWER=("n") - else - echo -e "\\n""$MAGENTA""$BOLD""The firmadyne dependencies (if not already on the system) will be downloaded and installed!""$NC" - ANSWER=("y") - fi - - case ${ANSWER:0:1} in - y|Y ) - - mkdir -p external/firmadyne/binaries - mkdir -p external/firmadyne/binaries_FirmAE - mkdir -p external/firmadyne/scripts - - apt-get install "${INSTALL_APP_LIST[@]}" -y - - # Firmadyne stuff: - if ! 
[[ -f "external/firmadyne/binaries/vmlinux.mipsel" ]]; then - download_file "vmlinux.mipsel" "https://github.com/firmadyne/kernel-v2.6/releases/download/v1.1/vmlinux.mipsel" "external/firmadyne/binaries/vmlinux.mipsel" - else - echo -e "$GREEN""vmlinux.mipsel already installed""$NC" - fi - - if ! [[ -f "external/firmadyne/binaries/vmlinux.mipseb" ]]; then - download_file "vmlinux.mipseb" "https://github.com/firmadyne/kernel-v2.6/releases/download/v1.1/vmlinux.mipseb" "external/firmadyne/binaries/vmlinux.mipseb" - else - echo -e "$GREEN""vmlinux.mipseb already installed""$NC" - fi - - if ! [[ -f "external/firmadyne/binaries/zImage.armel" ]]; then - download_file "zImage.armel" "https://github.com/firmadyne/kernel-v4.1/releases/download/v1.1/zImage.armel" "external/firmadyne/binaries/zImage.armel" - else - echo -e "$GREEN""zImage.armel already installed""$NC" - fi - - if ! [[ -f "external/firmadyne/binaries/console.armel" ]]; then - download_file "console.armel" "https://github.com/firmadyne/console/releases/download/v1.0/console.armel" "external/firmadyne/binaries/console.armel" - else - echo -e "$GREEN""console.armel already installed""$NC" - fi - if ! [[ -f "external/firmadyne/binaries/console.mipseb" ]]; then - download_file "console.mipseb" "https://github.com/firmadyne/console/releases/download/v1.0/console.mipseb" "external/firmadyne/binaries/console.mipseb" - else - echo -e "$GREEN""console.mipseb already installed""$NC" - fi - if ! [[ -f "external/firmadyne/binaries/console.mipsel" ]]; then - download_file "console.mipsel" "https://github.com/firmadyne/console/releases/download/v1.0/console.mipsel" "external/firmadyne/binaries/console.mipsel" - else - echo -e "$GREEN""console.mipsel already installed""$NC" - fi - - if ! 
[[ -f "external/firmadyne/binaries/libnvram.so.armel" ]]; then - download_file "libnvram.so.armel" "https://github.com/firmadyne/libnvram/releases/download/v1.0c/libnvram.so.armel" "external/firmadyne/binaries/libnvram.so.armel" - else - echo -e "$GREEN""libnvram.so.armel already installed""$NC" - fi - if ! [[ -f "external/firmadyne/binaries/libnvram.so.mipseb" ]]; then - download_file "libnvram.so.mipseb" "https://github.com/firmadyne/libnvram/releases/download/v1.0c/libnvram.so.mipseb" "external/firmadyne/binaries/libnvram.so.mipseb" - else - echo -e "$GREEN""libnvram.so.mipseb already installed""$NC" - fi - if ! [[ -f "external/firmadyne/binaries/libnvram.so.mipsel" ]]; then - download_file "libnvram.so.mipsel" "https://github.com/firmadyne/libnvram/releases/download/v1.0c/libnvram.so.mipsel" "external/firmadyne/binaries/libnvram.so.mipsel" - else - echo -e "$GREEN""libnvram.so.mipsel already installed""$NC" - fi - - if ! [[ -f "external/firmadyne/scripts/fixImage_firmadyne.sh" ]]; then - download_file "fixImage.sh" "https://raw.githubusercontent.com/firmadyne/firmadyne/master/scripts/fixImage.sh" "external/firmadyne/scripts/fixImage_firmadyne.sh" - else - echo -e "$GREEN""firmadyne fixImage.sh already installed""$NC" - fi - if ! [[ -f "external/firmadyne/scripts/preInit_firmadyne.sh" ]]; then - download_file "preInit.sh" "https://raw.githubusercontent.com/firmadyne/firmadyne/master/scripts/preInit.sh" "external/firmadyne/scripts/preInit_firmadyne.sh" - else - echo -e "$GREEN""firmadyne preInit.sh already installed""$NC" - fi - - ;; - esac - fi -} - diff --git a/modules/L10_system_emulator.sh b/modules/L10_system_emulator.sh deleted file mode 100755 index 1ad165f9d..000000000 --- a/modules/L10_system_emulator.sh +++ /dev/null 
@@ -1,615 +0,0 @@ -#!/bin/bash - -# EMBA - EMBEDDED LINUX ANALYZER -# -# Copyright 2020-2022 Siemens Energy AG -# Copyright 2020-2022 Siemens AG -# -# EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are -# welcome to redistribute it under the terms of the GNU General Public License. -# See LICENSE file for usage of this software. -# -# EMBA is licensed under GPLv3 -# -# Author(s): Michael Messner, Pascal Eckmann - -# Description: Builds and emulates Linux firmware - this module is based on the great work of firmadyne -# Check out the original firmadyne project at https://github.com/firmadyne -# Currently this is an experimental module and needs to be activated separately via the -Q switch. -# Warning: This module changes your network configuration and it could happen that your system looses -# network connectivity. - -# Threading priority - if set to 1, these modules will be executed first -export THREAD_PRIO=0 - -L10_system_emulator() { - module_log_init "${FUNCNAME[0]}" - module_title "System emulation of Linux based embedded devices with firmadyne." 
- - SYS_ONLINE=0 - BOOTED=0 - MODULE_END=0 - IPS=() - - if [[ "$FULL_EMULATION" -eq 1 && "$RTOS" -eq 0 ]]; then - pre_module_reporter "${FUNCNAME[0]}" - - export FIRMADYNE_DIR="$EXT_DIR""/firmadyne" - - print_output "[*] This module creates a full copy of the firmware filesystem in the log directory $LOG_DIR.\\n" - - if [[ "$ARCH" == "MIPS" || "$ARCH" == "ARM" ]]; then - - export BINARY_DIR="$FIRMADYNE_DIR/binaries" - - for R_PATH in "${ROOT_PATH[@]}" ; do - KPANIC=0 - - print_output "[*] Detected root path: $ORANGE$R_PATH$NC" - - if [[ -n "$D_END" ]]; then - D_END="$(echo "$D_END" | tr '[:upper:]' '[:lower:]')" - ARCH_END="$(echo "$ARCH" | tr '[:upper:]' '[:lower:]')$(echo "$D_END" | tr '[:upper:]' '[:lower:]')" - CONSOLE=$(get_console "$ARCH_END") - LIBNVRAM=$(get_nvram "$ARCH_END") - - pre_cleanup - - create_emulation_filesystem "$R_PATH" "$ARCH_END" - if [[ "$FS_CREATED" -eq 1 ]]; then - identify_networking "$IMAGE_NAME" "$ARCH_END" - get_networking_details - - if [[ "$KPANIC" -eq 0 && "${#IPS[@]}" -gt 0 ]]; then - setup_network - run_emulated_system - check_online_stat - EXECUTE=1 - if [[ "$SYS_ONLINE" -eq 1 ]]; then - print_output "[+] System emulation was successful." - print_output "[+] System should be available via IP $IP." - EXECUTE=0 - fi - reset_network "$EXECUTE" - if [[ "$SYS_ONLINE" -eq 1 ]]; then - create_emulation_archive - fi - # if the emulation was successful, we stop here - no emulation of other detected rootfs - break - else - print_output "[!] No further emulation steps are performed" - fi - else - print_output "[!] No further emulation steps are performed" - fi - else - print_output "[!] No supported architecture detected" - fi - done - MODULE_END=1 - else - print_output "[!] No supported architecture found.\\n" - print_output "[!] 
Curently supported: ARM, MIPS.\\n" - MODULE_END=0 - fi - - fi - - write_log "" - write_log "[*] Statistics:$SYS_ONLINE:${#IPS[@]}:$BOOTED" - module_end_log "${FUNCNAME[0]}" "$MODULE_END" - -} - -pre_cleanup() { - # this cleanup function is to ensure that we have no mounts from previous tests mounted - print_output "[*] Checking for not unmounted proc, sys and run in log directory" - mapfile -t CHECK_MOUNTS < <(mount | grep "$LOG_DIR" | grep "proc\|sys\|run" || true) - for MOUNT in "${CHECK_MOUNTS[@]}"; do - print_output "[*] Unmounting $MOUNT" - MOUNT=$(echo "$MOUNT" | cut -d\ -f3) - umount -l "$MOUNT" || true - done -} - -create_emulation_filesystem() { - # based on the original firmadyne script: - # https://github.com/firmadyne/firmadyne/blob/master/scripts/makeImage.sh - - sub_module_title "Create Qemu filesystem" - ROOT_PATH="${1:-}" - ARCH_END="${2:-}" - export IMAGE_NAME - FS_CREATED=1 - IMAGE_NAME="$(basename "$ROOT_PATH")_$ARCH_END-$RANDOM" - MNT_POINT="$LOG_PATH_MODULE/emulation_tmp_fs" - if [[ -d "$MNT_POINT" ]]; then - MNT_POINT="$MNT_POINT"-"$RANDOM" - fi - mkdir "$MNT_POINT" || true - - print_output "[*] Create filesystem for emulation - $ROOT_PATH.\\n" - IMAGE_SIZE="$(du -b --max-depth=0 "$ROOT_PATH" | awk '{print $1}')" - IMAGE_SIZE=$((IMAGE_SIZE + 150 * 1024 * 1024)) - - print_output "[*] Size of filesystem for emulation - $IMAGE_SIZE.\\n" - print_output "[*] Name of filesystem for emulation - $IMAGE_NAME.\\n" - qemu-img create -f raw "$LOG_PATH_MODULE/$IMAGE_NAME" "$IMAGE_SIZE" - chmod a+rw "$LOG_PATH_MODULE/$IMAGE_NAME" - - print_output "[*] Creating Partition Table" - echo -e "o\nn\np\n1\n\n\nw" | /sbin/fdisk "$LOG_PATH_MODULE/$IMAGE_NAME" - - print_output "[*] Mounting QEMU Image" - DEVICE=$(get_device "$(kpartx -a -s -v "$LOG_PATH_MODULE/$IMAGE_NAME" || true)") - sleep 1 - print_output "[*] Device mapper created at ${DEVICE}" - - print_output "[*] Creating Filesystem" - sync - mkfs.ext2 "${DEVICE}" || true - - print_output "[*] Mounting QEMU 
Image Partition 1 to $MNT_POINT" - mount "${DEVICE}" "$MNT_POINT" || true - if mount | grep -q "$MNT_POINT"; then - print_output "[*] Copy root filesystem to QEMU image" - #rm -rf "${MNT_POINT:?}/"* - cp -prf "$ROOT_PATH"/* "$MNT_POINT"/ || true - - print_output "[*] Creating FIRMADYNE Directories" - mkdir -p "$MNT_POINT/firmadyne/libnvram/" || true - mkdir -p "$MNT_POINT/firmadyne/libnvram.override/" || true - - print_output "[*] Patching Filesystem (chroot)" - cp "$(which busybox)" "$MNT_POINT" || true - - cp "$FIRMADYNE_DIR/scripts/fixImage_firmadyne.sh" "$MNT_POINT"/fixImage.sh || true - chroot "$MNT_POINT" /busybox ash /fixImage.sh || true - - rm "$MNT_POINT/fixImage.sh" || true - rm "$MNT_POINT/busybox" || true - - print_output "[*] Setting up FIRMADYNE" - cp "${CONSOLE}" "$MNT_POINT/firmadyne/console" || true - chmod a+x "$MNT_POINT/firmadyne/console" - mknod -m 666 "$MNT_POINT/firmadyne/ttyS1" c 4 65 - - cp "${LIBNVRAM}" "$MNT_POINT/firmadyne/libnvram.so" || true - chmod a+x "$MNT_POINT/firmadyne/libnvram.so" - - cp "$FIRMADYNE_DIR/scripts/preInit_firmadyne.sh" "$MNT_POINT/firmadyne/preInit.sh" || true - chmod a+x "$MNT_POINT/firmadyne/preInit.sh" - - print_output "[*] Unmounting QEMU Image" - sync - umount "${DEVICE}" || true - - else - print_output "[!] 
Filesystem mount failed" - FS_CREATED=0 - fi - print_output "[*] Deleting device mapper" - kpartx -v -d "$LOG_PATH_MODULE/$IMAGE_NAME" - losetup -d "${DEVICE}" &>/dev/null || true - # just in case we check the output and remove our device: - if losetup | grep -q "$(basename "$IMAGE_NAME")"; then - losetup -d "$(losetup | grep "$(basename "$IMAGE_NAME")" | awk '{print $1}' || true)" - fi - dmsetup remove "$(basename "$DEVICE")" &>/dev/null || true - rm -rf "${MNT_POINT:?}/"* || true -} - -identify_networking() { - # based on the original firmadyne script: - # https://github.com/firmadyne/firmadyne/blob/master/scripts/inferNetwork.sh - - sub_module_title "Network identification" - IMAGE_NAME="${1:-}" - IMAGE=$(abs_path "$LOG_PATH_MODULE/$IMAGE_NAME") - - ARCH_END="${2:-}" - - print_output "[*] Test basic emulation and identify network settings.\\n" - print_output "[*] Running firmware $IMAGE_NAME: terminating after 60 secs..." - - QEMU_PARAMS="" - if [[ "$ARCH_END" == "mipsel" ]]; then - KERNEL_="vmlinux" - QEMU="qemu-system-mipsel" - MACHINE="malta" - DRIVE="if=ide,format=raw,file=$IMAGE" - ROOT_DEV="/dev/sda1" - NETWORK="-netdev socket,id=s0,listen=:2000 -device e1000,netdev=s0 -netdev socket,id=s1,listen=:2001 -device e1000,netdev=s1 -netdev socket,id=s2,listen=:2002 -device e1000,netdev=s2 -netdev socket,id=s3,listen=:2003 -device e1000,netdev=s3" - elif [[ "$ARCH_END" == "mipseb" ]]; then - KERNEL_="vmlinux" - QEMU="qemu-system-mips" - MACHINE="malta" - #DRIVE="if=ide,format=raw,file=\"$IMAGE\"" - DRIVE="if=ide,format=raw,file=$IMAGE" - ROOT_DEV="/dev/sda1" - NETWORK="-netdev socket,id=s0,listen=:2000 -device e1000,netdev=s0 -netdev socket,id=s1,listen=:2001 -device e1000,netdev=s1 -netdev socket,id=s2,listen=:2002 -device e1000,netdev=s2 -netdev socket,id=s3,listen=:2003 -device e1000,netdev=s3" - elif [[ "$ARCH_END" == "armel" ]]; then - QEMU="qemu-system-arm" - KERNEL_="zImage" - MACHINE="virt" - DRIVE="if=none,file=$IMAGE,format=raw,id=rootfs -device 
virtio-blk-device,drive=rootfs" - ROOT_DEV="/dev/vda1" - NETWORK="-device virtio-net-device,netdev=net1 -netdev socket,listen=:2000,id=net1 -device virtio-net-device,netdev=net2 -netdev socket,listen=:2001,id=net2 -device virtio-net-device,netdev=net3 -netdev socket,listen=:2002,id=net3 -device virtio-net-device,netdev=net4 -netdev socket,listen=:2003,id=net4" - QEMU_PARAMS="-audiodev driver=none,id=none" - fi - - run_network_id & - - tail -F "$LOG_PATH_MODULE/qemu.initial.serial.log" 2>/dev/null& - sleep 60 - pkill -f "qemu-system-.*$IMAGE_NAME.*" || true - pkill -f "tail.*$LOG_PATH_MODULE/qemu.initial.serial.log.*" || true - - if [[ -f "$LOG_PATH_MODULE"/qemu.initial.serial.log ]]; then - cat "$LOG_PATH_MODULE"/qemu.initial.serial.log >> "$LOG_FILE" - else - print_output "[-] No $LOG_PATH_MODULE/qemu.initial.serial.log log file generated." - fi - - print_output "[*] Firmware $IMAGE_NAME finished for identification of the network configuration" -} - -run_network_id() { - # based on the original firmadyne scripts: - # https://github.com/firmadyne/firmadyne/blob/master/scripts/run.mipsel.sh - # https://github.com/firmadyne/firmadyne/blob/master/scripts/run.mipseb.sh - # https://github.com/firmadyne/firmadyne/blob/master/scripts/run.armel.sh - - print_output "[*] Qemu network identification run for $ARCH_END - $IMAGE_NAME" - - KERNEL="$FIRMADYNE_DIR/binaries/$KERNEL_.$ARCH_END" - - # shellcheck disable=SC2086 - $QEMU -m 256 -M $MACHINE -kernel $KERNEL -drive $DRIVE \ - -append "firmadyne.syscall=1 root=$ROOT_DEV console=ttyS0 nandsim.parts=64,64,64,64,64,64,64,64,64,64 rdinit=/firmadyne/preInit.sh rw debug ignore_loglevel print-fatal-signals=1 user_debug=31" \ - -serial file:$LOG_PATH_MODULE/qemu.initial.serial.log -serial unix:/tmp/qemu.$IMAGE_NAME.S1,server,nowait -monitor unix:/tmp/qemu.$IMAGE_NAME,server,nowait -display none \ - $NETWORK $QEMU_PARAMS || true -} - -get_networking_details() { - # based on the original firmadyne script: - # 
https://github.com/firmadyne/firmadyne/blob/master/scripts/makeNetwork.py - - sub_module_title "Network identification - $IMAGE_NAME" - - if [[ -f "$LOG_PATH_MODULE"/qemu.initial.serial.log ]]; then - INT=() - VLAN=() - - mapfile -t MAC_CHANGES < <(grep -a "ioctl_SIOCSIFHWADDR" "$LOG_PATH_MODULE"/qemu.initial.serial.log | cut -d: -f2- | sort -u || true) - mapfile -t INTERFACE_CANDIDATES < <(grep -a "__inet_insert_ifa" "$LOG_PATH_MODULE"/qemu.initial.serial.log | cut -d: -f2- | sort -u || true) - mapfile -t BRIDGE_INTERFACES < <(grep -a "br_add_if\|br_dev_ioctl" "$LOG_PATH_MODULE"/qemu.initial.serial.log | cut -d: -f2- | sort -u || true) - mapfile -t VLAN_INFOS < <(grep -a "register_vlan_dev" "$LOG_PATH_MODULE"/qemu.initial.serial.log | cut -d: -f2- | sort -u || true) - mapfile -t PANICS < <(grep -a "Kernel panic - " "$LOG_PATH_MODULE"/qemu.initial.serial.log || true) - - if [[ "${#MAC_CHANGES[@]}" -gt 0 || "${#INTERFACE_CANDIDATES[@]}" -gt 0 || "${#BRIDGE_INTERFACES[@]}" -gt 0 || "${#VLAN_INFOS[@]}" -gt 0 ]]; then - BOOTED=1 - fi - - for MAC_CHANGE in "${MAC_CHANGES[@]}"; do - print_output "[*] MAC change detected: $MAC_CHANGE" - print_output "[!] 
No further action implemented" - done - - for INTERFACE_CAND in "${INTERFACE_CANDIDATES[@]}"; do - print_output "[*] Possible interface candidate detected: $ORANGE$INTERFACE_CAND$NC" - # INTERFACE_CAND -> __inet_insert_ifa[PID: 139 (ifconfig)]: device:br0 ifa:0xc0a80001 - mapfile -t IP_ADDRESS < <(echo "$INTERFACE_CAND" | grep device | cut -d: -f2- | sed "s/^.*\]:\ //" | awk '{print $2}' | cut -d: -f2 | sed 's/0x//' | sed 's/../0x&\n/g') - # IP_ADDRESS -> c0a80001 - # as I don't get it to change the hex ip to dec with printf, we do it the poor way: - IP_="" - for IPs in "${IP_ADDRESS[@]}"; do - if [[ "$IPs" == "0x"* ]]; then - #shellcheck disable=SC2004 - IP_="$IP_.$(($IPs))" - fi - done - - #shellcheck disable=SC2001 - IP_="$(echo "$IP_" | sed 's/^\.//')" - - if [[ "$D_END" == "eb" ]]; then - IP_ADDRESS_="$IP_" - elif [[ "$D_END" == "el" ]]; then - IP_ADDRESS_=$(echo "$IP_" | tr '.' '\n' | tac | tr '\n' '.' | sed 's/\.$//') - fi - - if ! [[ "$IP_ADDRESS_" == "127."* ]] && ! [[ "$IP_ADDRESS_" == "0.0.0.0" ]]; then - IPS+=( "$IP_ADDRESS_" ) - NETWORK_DEVICE="$(echo "$INTERFACE_CAND" | grep device | cut -d: -f2- | sed "s/^.*\]:\ //" | awk '{print $1}' | cut -d: -f2)" - if [[ -n "$NETWORK_DEVICE" ]]; then - INT+=( "$NETWORK_DEVICE" ) - fi - fi - done - - for BRIDGE_INT in "${BRIDGE_INTERFACES[@]}"; do - print_output "[*] Possible bridge interface candidate detected: $ORANGE$BRIDGE_INT$NC" - # br_add_if[PID: 138 (brctl)]: br:br0 dev:eth1.1 - BRIDGE_INT_="$(echo "$BRIDGE_INT" | sed "s/^.*\]:\ //" | awk '{print $1}' | cut -d: -f2)" - NET_DEV="$(echo "$BRIDGE_INT" | sed "s/^.*\]:\ //" | awk '{print $2}' | cut -d: -f2 | cut -d. 
-f1)" - - # check if the dev part is something like eth1.2: - # br_add_if[PID: 170 (brctl)]: br:br0 dev:eth0 - #if [[ "$(echo "$BRIDGE_INT" | sed "s/^.*\]:\ //" | awk '{print $2}' | cut -d: -f2 | grep -q -E "[0-9]\.[0-9]")" ]]; then - if echo "$BRIDGE_INT" | sed "s/^.*\]:\ //" | awk '{print $2}' | cut -d: -f2 | grep -q -E "[0-9]\.[0-9]"; then - VLAN_ID="$(echo "$BRIDGE_INT" | sed "s/^.*\]:\ //" | grep -o "dev:.*" | cut -d. -f2)" - fi - if [[ -n "$BRIDGE_INT_" ]]; then - INT+=( "$BRIDGE_INT_" ) - fi - if [[ -n "$NET_DEV" ]]; then - INT+=( "$NET_DEV" ) - fi - done - - for VLAN_INFO in "${VLAN_INFOS[@]}"; do - print_output "[*] Possible VLAN details detected: $ORANGE$VLAN_INFO$NC" - # register_vlan_dev[PID: 128 (vconfig)]: dev:eth1.1 vlan_id:1 - NET_DEV="$(echo "$VLAN_INFO" | sed "s/^.*\]:\ //" | awk '{print $1}' | cut -d: -f2 | cut -d. -f1)" - VLAN_ID="$(echo "$VLAN_INFO" | grep -o "vlan_id:[0-9]" | cut -d: -f2)" - VLAN+=( "$VLAN_ID" ) - INT+=( "$NET_DEV" ) - done - - # make them unique: - eval "IPS=($(for i in "${IPS[@]}" ; do echo "\"$i\"" ; done | sort -u))" - eval "INT=($(for i in "${INT[@]}" ; do echo "\"$i\"" ; done | sort -u))" - eval "VLAN=($(for i in "${VLAN[@]}" ; do echo "\"$i\"" ; done | sort -u))" - - print_output "" - for IP in "${IPS[@]}"; do - print_output "[+] Found possible IP address: $ORANGE$IP$NC" - done - for INT_ in "${INT[@]}"; do - if [[ "$INT_" == *"br"* ]]; then - print_output "[+] Possible bridge interface detected: $ORANGE$INT_$NC" - else - print_output "[+] Possible network interface detected: $ORANGE$INT_$NC" - fi - done - for VLAN_ in "${VLAN[@]}"; do - print_output "[+] Possible VLAN ID detected: $ORANGE$VLAN_$NC" - done - - for PANIC in "${PANICS[@]}"; do - print_output "[!] WARNING: Kernel Panic detected: $ORANGE$PANIC$NC" - KPANIC=1 - done - - else - print_output "[-] No $LOG_PATH_MODULE/qemu.initial.serial.log log file generated." 
- fi - print_output "" -} - -setup_network() { - sub_module_title "Setup networking - $IMAGE_NAME" - - # used for generating startup scripts for offline analysis - ARCHIVE_PATH="$LOG_PATH_MODULE"/archive-"$IMAGE_NAME" - if [[ -d "$ARCHIVE_PATH" ]]; then - ARCHIVE_PATH="$ARCHIVE_PATH-$RANDOM" - fi - - if ! [[ -d "$ARCHIVE_PATH" ]]; then - mkdir "$ARCHIVE_PATH" - fi - - TAP_ID=2 #temp - - # bridge, no vlan, ip address - TAPDEV_0=tap$TAP_ID"_0" - HOSTNETDEV_0=$TAPDEV_0 - print_output "[*] Creating TAP device $ORANGE$TAPDEV_0$NC..." - write_script_exec "tunctl -t $TAPDEV_0" "$ARCHIVE_PATH"/run.sh 1 - - if [[ "${#VLAN[@]}" -gt 0 ]]; then - for VLANID in "${VLAN[@]}"; do - print_output "[*] Init VLAN $VLAN_ID ..." - HOSTNETDEV_0x=$TAPDEV_0.$VLANID - print_output "[*] Bringing up HOSTNETDEV $ORANGE$HOSTNETDEV_0x$NC" - write_script_exec "ip link add link $TAPDEV_0 name $HOSTNETDEV_0x type vlan id $VLANID" "$ARCHIVE_PATH"/run.sh 1 - write_script_exec "ip link set $TAPDEV_0 up" "$ARCHIVE_PATH"/run.sh 1 - done - fi - - for IP in "${IPS[@]}"; do - HOSTIP="$(echo "$IP" | sed 's/\./&\n/g' | sed -E 's/^[0-9]+$/2/' | tr -d '\n')" - print_output "[*] Using HOSTIP: $ORANGE$HOSTIP$NC" - print_output "[*] Possible IP address for emulated device: $ORANGE$IP$NC" - print_output "[*] Bringing up TAP device $ORANGE$TAPDEV_0$NC" - - write_script_exec "ip link set ${HOSTNETDEV_0} up" "$ARCHIVE_PATH"/run.sh 1 - write_script_exec "ip addr add $HOSTIP/24 dev ${HOSTNETDEV_0}" "$ARCHIVE_PATH"/run.sh 1 - - print_output "Adding route to $IP..." - write_script_exec "ip route add $IP via $IP dev ${HOSTNETDEV_0}" "$ARCHIVE_PATH"/run.sh 1 - done -} - -run_emulated_system() { - sub_module_title "Final system emulation." 
- - IMAGE="$LOG_PATH_MODULE/$IMAGE_NAME" - # SYS_ONLINE is used to check the network reachability - SYS_ONLINE=0 - - KERNEL_="vmlinux" - if [[ "$ARCH_END" == "mipsel" ]]; then - QEMU_BIN="qemu-system-$ARCH_END" - QEMU_MACHINE="malta" - elif [[ "$ARCH_END" == "mipseb" ]]; then - QEMU_BIN="qemu-system-mips" - QEMU_MACHINE="malta" - elif [[ "$ARCH_END" == "armel" ]]; then - KERNEL_="zImage" - QEMU_BIN="qemu-system-arm" - QEMU_MACHINE="virt" - else - QEMU_BIN="NA" - fi - KERNEL="$FIRMADYNE_DIR/binaries/$KERNEL_.$ARCH_END" - - if [[ "$ARCH" == "ARM" ]]; then - QEMU_DISK="-drive if=none,file=$IMAGE,format=raw,id=rootfs -device virtio-blk-device,drive=rootfs" - QEMU_PARAMS="-audiodev driver=none,id=none" - QEMU_ROOTFS="/dev/vda1" - NET_ID=0 - # newer kernels use virtio only - QEMU_NETWORK="-device virtio-net-device,netdev=net$NET_ID -netdev tap,id=net$NET_ID,ifname=${TAPDEV_0},script=no" - for NET_ID in 1 2 3; do - QEMU_NETWORK="$QEMU_NETWORK -device virtio-net-device,netdev=net$NET_ID -netdev socket,id=net$NET_ID,listen=:200$NET_ID" - done - - elif [[ "$ARCH" == "MIPS" ]]; then - QEMU_DISK="-drive if=ide,format=raw,file=$IMAGE" - QEMU_PARAMS="" - QEMU_ROOTFS="/dev/sda1" - NET_ID=0 - #QEMU_NETWORK="-netdev socket,id=net$NET_ID,listen=:200$NET_ID -device e1000,netdev=net$NET_ID" - QEMU_NETWORK="-netdev tap,id=net$NET_ID,ifname=${TAPDEV_0},script=no -device e1000,netdev=net$NET_ID" - for NET_ID in 1 2 3; do - QEMU_NETWORK="$QEMU_NETWORK -netdev socket,id=net$NET_ID,listen=:200$NET_ID -device e1000,netdev=net$NET_ID" - done - fi - - if [[ "$QEMU_BIN" != "NA" ]]; then - print_output "[*] Starting firmware emulation $QEMU_BIN / $ARCH / $IMAGE_NAME ... 
use Ctrl-a + x to exit" - sleep 1s - run_qemu_final_emulation & - else - print_output "[-] No firmware emulation $ARCH / $IMAGE_NAME possible" - fi -} - -run_qemu_final_emulation() { - # run this in the background to be able to test the system in parallel - # kill it afterwards with something like - # pkill -f "qemu-system-.*$IMAGE_NAME.*" - - echo "echo \"[*] Starting firmware emulation $QEMU_BIN / $ARCH / $IMAGE_NAME ... use Ctrl-a + x to exit\"" >> "$ARCHIVE_PATH"/run.sh - write_script_exec "$QEMU_BIN -m 256 -M $QEMU_MACHINE -kernel $KERNEL $QEMU_DISK -append \"root=$QEMU_ROOTFS console=ttyS0 nandsim.parts=64,64,64,64,64,64,64,64,64,64 rdinit=/firmadyne/preInit.sh rw debug ignore_loglevel print-fatal-signals=1 user_debug=31 firmadyne.syscall=0\" -nographic $QEMU_NETWORK $QEMU_PARAMS | tee \"$LOG_PATH_MODULE\"/qemu.final.serial.log || true" "$ARCHIVE_PATH"/run.sh 1 -} - -check_online_stat() { - # check for a maximum of 60 seconds - PING_CNT=0 - while [[ "$PING_CNT" -lt 12 ]]; do - for IP in "${IPS[@]}"; do - if ping -c 1 "$IP" &> /dev/null; then - print_output "[+] Host with $IP is reachable via ICMP." - print_output "[*] Wait 60 seconds until the boot process is completely finished" - sleep 60 - SYS_ONLINE=1 - break 2 - else - print_output "[*] Host with $IP is not reachable." - SYS_ONLINE=0 - fi - done - sleep 5 - (( PING_CNT+=1 )) - done - - print_output "" - cat "$LOG_PATH_MODULE"/qemu.final.serial.log >> "$LOG_FILE" || true -} - -create_emulation_archive() { - sub_module_title "Create scripts and archive to re-run the emulated system" - - cp "$KERNEL" "$ARCHIVE_PATH" || true - cp "$IMAGE" "$ARCHIVE_PATH" || true - if [[ -f "$ARCHIVE_PATH"/run.sh ]];then - chmod +x "$ARCHIVE_PATH"/run.sh - else - print_output "[-] No run script created ..." 
- fi - tar -czvf "$LOG_PATH_MODULE"/archive-"$IMAGE_NAME".tar.gz "$ARCHIVE_PATH" - if [[ -f "$LOG_PATH_MODULE"/archive-"$IMAGE_NAME".tar.gz ]]; then - print_output "[*] Qemu emulation archive created in $LOG_PATH_MODULE/archive-$IMAGE_NAME.tar.gz" "" "$LOG_PATH_MODULE/archive-$IMAGE_NAME.tar.gz" - print_output "" - fi -} - -reset_network() { - EXECUTE_="${1:0}" - - if [[ "$EXECUTE" -ne 0 ]]; then - sub_module_title "Reset network environment" - print_output "[*] Stopping Qemu emulation ..." - pkill -9 -f "qemu-system-.*$IMAGE_NAME.*" || true - else - sub_module_title "Create network environment startup script" - fi - - if [[ "$EXECUTE" -eq 1 ]]; then - print_output "[*] Deleting route..." - fi - write_script_exec "ip route flush dev \"${HOSTNETDEV_0}\"" "$ARCHIVE_PATH"/run.sh "$EXECUTE_" - - if [[ "$EXECUTE" -eq 1 ]]; then - print_output "[*] Bringing down TAP device..." - fi - write_script_exec "ip link set $TAPDEV_0 down" "$ARCHIVE_PATH"/run.sh "$EXECUTE_" - - if [[ "$EXECUTE" -eq 1 ]]; then - print_output "Removing VLAN..." - fi - write_script_exec "ip link delete ${HOSTNETDEV_0}" "$ARCHIVE_PATH"/run.sh "$EXECUTE_" - - if [[ "$EXECUTE" -eq 1 ]]; then - print_output "Deleting TAP device ${TAPDEV_0}..." - fi - write_script_exec "tunctl -d ${TAPDEV_0}" "$ARCHIVE_PATH"/run.sh "$EXECUTE_" -} - -write_script_exec() { - COMMAND="${1:-}" - SCRIPT_WRITE="${2:-}" - # EXECUTE: 0 -> just write script - # EXECUTE: 1 -> execute and write script - # EXECUTE: 2 -> just execute - EXECUTE="${3:0}" - - if [[ "$EXECUTE" -ne 0 ]];then - eval "$COMMAND" || true & - fi - - if [[ "$EXECUTE" -ne 2 ]];then - if ! 
[[ -f "$SCRIPT_WRITE" ]]; then - echo "#!/bin/bash" > "$SCRIPT_WRITE" - fi - - # for the final script we need to adjust the paths: - if echo "$COMMAND" | grep -q qemu-system-; then - #shellcheck disable=SC2001 - COMMAND=$(echo "$COMMAND" | sed "s#${KERNEL:-}#\.\/${KERNEL_:-}.${ARCH_END:-}#g") - #shellcheck disable=SC2001 - COMMAND=$(echo "$COMMAND" | sed "s#${IMAGE:-}#\.\/${IMAGE_NAME:-}#g") - #shellcheck disable=SC2001 - COMMAND=$(echo "$COMMAND" | sed "s#\"${LOG_PATH_MODULE:-}\"#\.#g") - fi - - echo "$COMMAND" >> "$SCRIPT_WRITE" - fi -} - -get_nvram () { - echo "${BINARY_DIR}/libnvram.so.${1}" -} - -get_console () { - echo "${BINARY_DIR}/console.${1}" -} - -get_device () { - # Parses output from kpartx - echo "/dev/mapper/$(echo "$1" | cut -d ' ' -f 3)" -} diff --git a/modules/P60_firmware_bin_extractor.sh b/modules/P60_firmware_bin_extractor.sh index d54f03470..a80746bfc 100755 --- a/modules/P60_firmware_bin_extractor.sh +++ b/modules/P60_firmware_bin_extractor.sh @@ -278,7 +278,8 @@ binwalking() { # we use the original FIRMWARE_PATH for entropy testing, just if it is a file if [[ -f $FIRMWARE_PATH_BAK ]] ; then print_output "[*] Entropy testing with binwalk ... " - # we have to change the working directory for binwalk, because /emba is read-only in the Docker container and binwalk fails to save the entropy picture there + # we have to change the working directory for binwalk, because everything except the log directory is read-only in + # Docker container and binwalk fails to save the entropy picture there if [[ $IN_DOCKER -eq 1 ]] ; then cd "$LOG_DIR" || return print_output "$(binwalk -E -F -J "$FIRMWARE_PATH_BAK")" From a31d917d18a7ac1295e69ffdec9aa18320452cc9 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Fri, 22 Apr 2022 19:26:42 +0200 Subject: [PATCH 23/42] clenaup --- emba.sh | 6 +++--- installer/IL20_system_emulator.sh | 3 +++ 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/emba.sh b/emba.sh index 31b720c90..8e04ad068 100755 --- a/emba.sh 
+++ b/emba.sh
@@ -41,7 +41,7 @@ import_module()
 local MODULES_EMBA=()
 local MODULE_COUNT=0
 mapfile -t MODULES_EMBA < <(find "$MOD_DIR" -name "*.sh" | sort -V 2> /dev/null)
- mapfile -t MODULES_LOCAL < <(find "${MOD_DIR}_local" -name "*.sh" | sort -V 2> /dev/null)
+ mapfile -t MODULES_LOCAL < <(find "${MOD_DIR}_local" -name "*.sh" 2>/dev/null | sort -V 2> /dev/null)
 MODULES=( "${MODULES_EMBA[@]}" "${MODULES_LOCAL[@]}" )
 for MODULE_FILE in "${MODULES[@]}" ; do
 if ( file "$MODULE_FILE" | grep -q "shell script" ) && ! [[ "$MODULE_FILE" =~ \ |\' ]] ; then
@@ -114,7 +114,7 @@ run_modules()
 local MODULES_LOCAL=()
 local MODULES_EMBA=()
 mapfile -t MODULES_EMBA < <(find "$MOD_DIR" -name "${MODULE_GROUP^^}""*_*.sh" | sort -V 2> /dev/null)
- mapfile -t MODULES_LOCAL < <(find "${MOD_DIR}_local" -name "${MODULE_GROUP^^}""*.sh" | sort -V 2> /dev/null)
+ mapfile -t MODULES_LOCAL < <(find "${MOD_DIR}_local" -name "${MODULE_GROUP^^}""*.sh" 2>/dev/null | sort -V 2> /dev/null)
 MODULES=( "${MODULES_EMBA[@]}" "${MODULES_LOCAL[@]}" )
 if [[ $THREADING_SET -eq 1 && "${MODULE_GROUP^^}" != "P" ]] ; then
 sort_modules
@@ -169,7 +169,7 @@ run_modules()
 local MODULES_LOCAL=()
 local MODULES_EMBA=()
 mapfile -t MODULES_EMBA < <(find "$MOD_DIR" -name "${MODULE_GROUP^^}""*_*.sh" | sort -V 2> /dev/null)
- mapfile -t MODULES_LOCAL < <(find "${MOD_DIR}_local" -name "${MODULE_GROUP^^}""*.sh" | sort -V 2> /dev/null)
+ mapfile -t MODULES_LOCAL < <(find "${MOD_DIR}_local" -name "${MODULE_GROUP^^}""*.sh" 2>/dev/null | sort -V 2> /dev/null)
 MODULES=( "${MODULES_EMBA[@]}" "${MODULES_LOCAL[@]}" )
 if [[ $THREADING_SET -eq 1 ]] ; then
 sort_modules
diff --git a/installer/IL20_system_emulator.sh b/installer/IL20_system_emulator.sh
index 68de917db..f40e07711 100644
--- a/installer/IL20_system_emulator.sh
+++ b/installer/IL20_system_emulator.sh
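Review bot: The added `2>/dev/null` on `find "${MOD_DIR}_local"` silences every find error, not only the missing-directory case it appears to target, so a permission problem on an existing local module directory now goes unnoticed; the @@ -114 and @@ -169 hunks repeat the same pattern. An existence test states the intent and keeps genuine errors on stderr: `[[ -d "${MOD_DIR}_local" ]] && mapfile -t MODULES_LOCAL < <(find "${MOD_DIR}_local" -name "*.sh" | sort -V)`. The three hunks carry an identical discovery line that differs only in the name pattern; a small helper taking the pattern as its argument would keep them from drifting apart. The bodies of import_module and run_modules continue outside the hunks.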
@@ -111,6 +111,9 @@ IL20_system_emulator() {
 download_file "inferNetwork.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/inferNetwork.sh" "external/firmae/scripts/inferNetwork.sh"
 download_file "run_service.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/run_service.sh" "external/firmae/scripts/run_service.sh"
 
+ # patch network.sh:
+ sed 's/for FILE in `${BUSYBOX} find \/ -name "preinitMT" -o -name "preinit" -o -name "rcS"`/for FILE in `${BUSYBOX} find \/ -name "preinitMT" -o -name "preinit" -o -name "rcS" -o -name "rc.sysinit"`/' external/firmae/scripts/network.sh
+
 ;;
 esac
 fi
From 9639af572e21d4a3119419a25e26fd250e305f24 Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Sat, 23 Apr 2022 16:13:05 +0200
Subject: [PATCH 24/42] local check
---
 config/report_templates/F20_vul_aggregator-post.sh | 1 +
 emba.sh | 12 +++++++++---
 helpers/helpers_emba_dependency_check.sh | 2 +-
 installer/IL20_system_emulator.sh | 1 +
 modules/F20_vul_aggregator.sh | 2 +-
 5 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/config/report_templates/F20_vul_aggregator-post.sh b/config/report_templates/F20_vul_aggregator-post.sh
index 10673674a..7d2b1cd46 100644
--- a/config/report_templates/F20_vul_aggregator-post.sh
+++ b/config/report_templates/F20_vul_aggregator-post.sh
@@ -5,5 +5,6 @@ print_output "$(indent "${ORANGE}R$NC - remote exploits")"
 print_output "$(indent "${ORANGE}L$NC - local exploits")"
 print_output "$(indent "${ORANGE}D$NC - DoS exploits")"
 print_output "$(indent "${ORANGE}G$NC - PoC code found on Github (unknown exploit vector)")"
+write_link "https://github.com/trickest/cve"
 print_output "$(indent "${ORANGE}X$NC - Vulnerability is known as exploited")"
 write_link "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
diff --git a/emba.sh b/emba.sh
index 8e04ad068..88d30c94d 100755
--- a/emba.sh
+++ b/emba.sh
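Review bot: The added `sed` call has no `-i`, so the substituted text is written to stdout and `external/firmae/scripts/network.sh` is left unmodified, although the comment above it says the file is being patched. `sed -i '…' external/firmae/scripts/network.sh` with the same expression applies it in place. Because the expression matches one literal line of an upstream script fetched from its master branch, it will silently stop matching once upstream changes; a check after it such as `grep -q 'rc.sysinit' external/firmae/scripts/network.sh || echo "[-] network.sh patch did not apply"` would make that visible at install time. The case arm and IL20_system_emulator's body continue outside the hunk.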
@@ -41,7 +41,9 @@ import_module()
 local MODULES_EMBA=()
 local MODULE_COUNT=0
 mapfile -t MODULES_EMBA < <(find "$MOD_DIR" -name "*.sh" | sort -V 2> /dev/null)
- mapfile -t MODULES_LOCAL < <(find "${MOD_DIR}_local" -name "*.sh" 2>/dev/null | sort -V 2> /dev/null)
+ if [[ -d "${MOD_DIR}_local" ]]; then
+ mapfile -t MODULES_LOCAL < <(find "${MOD_DIR}_local" -name "*.sh" 2>/dev/null | sort -V 2> /dev/null)
+ fi
 MODULES=( "${MODULES_EMBA[@]}" "${MODULES_LOCAL[@]}" )
 for MODULE_FILE in "${MODULES[@]}" ; do
 if ( file "$MODULE_FILE" | grep -q "shell script" ) && ! [[ "$MODULE_FILE" =~ \ |\' ]] ; then
@@ -114,7 +116,9 @@ run_modules()
 local MODULES_LOCAL=()
 local MODULES_EMBA=()
 mapfile -t MODULES_EMBA < <(find "$MOD_DIR" -name "${MODULE_GROUP^^}""*_*.sh" | sort -V 2> /dev/null)
- mapfile -t MODULES_LOCAL < <(find "${MOD_DIR}_local" -name "${MODULE_GROUP^^}""*.sh" 2>/dev/null | sort -V 2> /dev/null)
+ if [[ -d "${MOD_DIR}_local" ]]; then
+ mapfile -t MODULES_LOCAL < <(find "${MOD_DIR}_local" -name "${MODULE_GROUP^^}""*.sh" 2>/dev/null | sort -V 2> /dev/null)
+ fi
 MODULES=( "${MODULES_EMBA[@]}" "${MODULES_LOCAL[@]}" )
 if [[ $THREADING_SET -eq 1 && "${MODULE_GROUP^^}" != "P" ]] ; then
 sort_modules
@@ -169,7 +173,9 @@ run_modules()
 local MODULES_LOCAL=()
 local MODULES_EMBA=()
 mapfile -t MODULES_EMBA < <(find "$MOD_DIR" -name "${MODULE_GROUP^^}""*_*.sh" | sort -V 2> /dev/null)
- mapfile -t MODULES_LOCAL < <(find "${MOD_DIR}_local" -name "${MODULE_GROUP^^}""*.sh" 2>/dev/null | sort -V 2> /dev/null)
+ if [[ -d "${MOD_DIR}_local" ]]; then
+ mapfile -t MODULES_LOCAL < <(find "${MOD_DIR}_local" -name "${MODULE_GROUP^^}""*.sh" 2>/dev/null | sort -V 2> /dev/null)
+ fi
 MODULES=( "${MODULES_EMBA[@]}" "${MODULES_LOCAL[@]}" )
 if [[ $THREADING_SET -eq 1 ]] ; then
 sort_modules
diff --git a/helpers/helpers_emba_dependency_check.sh b/helpers/helpers_emba_dependency_check.sh
index a08665f6b..97f793518 100755
--- a/helpers/helpers_emba_dependency_check.sh
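Review bot: In the import_module hunk MODULES_LOCAL is now assigned only inside the new `-d` branch, and unlike the two run_modules hunks no `local MODULES_LOCAL=()` is visible beside `local MODULES_EMBA=()`; unless it is declared above the hunk, the later `"${MODULES_LOCAL[@]}"` reads an unset array when the directory is absent, which aborts under `set -u` on bash older than 4.4. Adding `local MODULES_LOCAL=()` next to its sibling removes that dependency on the directory existing. With the existence test in place, the `2>/dev/null` on find now hides only genuine errors such as permission denied and could be dropped. import_module's body continues outside the hunk.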
+++ b/helpers/helpers_emba_dependency_check.sh
@@ -305,7 +305,7 @@ dependency_check()
 check_dep_file "EnGenius decryptor" "$EXT_DIR""/engenius-decrypt.py"
 
 # Android payload.bin extractor
- check_dep_file "Android payload.bin extractor" "$EXT_DIR""/payload_dumper/payload_dumper.py"
+ #check_dep_file "Android payload.bin extractor" "$EXT_DIR""/payload_dumper/payload_dumper.py"
 
 # CVE-search
 # TODO change to portcheck and write one for external hosts
diff --git a/installer/IL20_system_emulator.sh b/installer/IL20_system_emulator.sh
index f40e07711..76c07b935 100644
--- a/installer/IL20_system_emulator.sh
+++ b/installer/IL20_system_emulator.sh
@@ -112,6 +112,7 @@ IL20_system_emulator() {
 download_file "run_service.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/run_service.sh" "external/firmae/scripts/run_service.sh"
 
 # patch network.sh:
+ # shellcheck disable=SC2016
 sed 's/for FILE in `${BUSYBOX} find \/ -name "preinitMT" -o -name "preinit" -o -name "rcS"`/for FILE in `${BUSYBOX} find \/ -name "preinitMT" -o -name "preinit" -o -name "rcS" -o -name "rc.sysinit"`/' external/firmae/scripts/network.sh
 
 ;;
diff --git a/modules/F20_vul_aggregator.sh b/modules/F20_vul_aggregator.sh
index 21d1982ee..5a8f2a727 100755
--- a/modules/F20_vul_aggregator.sh
+++ b/modules/F20_vul_aggregator.sh
@@ -272,7 +272,7 @@ generate_special_log() {
 fi
 done
 
- mapfile -t KNOWN_EXPLOITED_VULNS < <(grep -E "known exploited" "$LOG_PATH_MODULE"/exploit/known_exploited_vulns.log || true)
+ mapfile -t KNOWN_EXPLOITED_VULNS < <(grep -E "known exploited" "$LOG_PATH_MODULE"/exploit/known_exploited_vulns.log || true 2>/dev/null)
 if [[ -v KNOWN_EXPLOITED_VULNS[@] ]]; then
 print_output ""
 print_output "[*] Vulnerability summary on known exploited vulnerabilities stored in $LOG_PATH_MODULE/exploit/known_exploited_vulns.log.\\n"
From 2821d17e80718cd96f319da2f5c7782a7e3f9b3b Mon Sep 17 00:00:00 2001
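Review bot: The payload_dumper dependency check is commented out without a reason, so a later reader cannot tell whether the tool was removed, relocated, or the check is only parked while a module still calls it — in which case the failure merely moves from the dependency check to analysis time. A one-line comment above it, e.g. `# payload_dumper check disabled: <reason or tracking reference>`, or deleting the line together with whatever stopped using it, would make the intent clear. dependency_check's body continues outside the hunk.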
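Review bot: In `… || true 2>/dev/null` the redirection is attached to `true`, not to `grep`, so grep's missing-file message still reaches stderr when the log is absent; the intended form is `grep -E "known exploited" "$LOG_PATH_MODULE"/exploit/known_exploited_vulns.log 2>/dev/null || true`. The same line is carried unchanged into the @@ -272,14 +272,16 hunk of the following commit, where the new `-f` guard makes the redirection unnecessary but the misplaced form survives. generate_special_log's body continues outside the hunk.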
From: m-1-k-3
Date: Sat, 23 Apr 2022 16:49:48 +0200
Subject: [PATCH 25/42] little fixes
---
 docker-compose.yml | 2 ++
 installer/IF20_cve_search.sh | 6 ++++--
 modules/F20_vul_aggregator.sh | 18 ++++++++++--------
 3 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 34e4e6624..98abfcf41 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,10 +7,12 @@ services:
 # /root is needed for binwalk
 # /tmp is needed for FACT extractor
 # /run is needed for postgresql and others
+ # /external/FirmAE_orig/scratch is needed for FirmAE - this is temp and will be removed in the future
 tmpfs:
 - /tmp
 - /root
 - /run
+ - /external/FirmAE_orig/scratch
 build: .
 volumes:
 - ${FIRMWARE}/:/firmware:ro
diff --git a/installer/IF20_cve_search.sh b/installer/IF20_cve_search.sh
index 6c2c07e0b..368d6c347 100644
--- a/installer/IF20_cve_search.sh
+++ b/installer/IF20_cve_search.sh
@@ -150,7 +150,7 @@ IF20_cve_search() {
 # see https://www.cisa.gov/known-exploited-vulnerabilities-catalog
 print_file_info "known_exploited_vulnerabilities.csv" "CISA.gov list of known_exploited_vulnerabilities.csv" "https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv" "external/known_exploited_vulnerabilities.csv"
 
- if [[ "$LIST_DEP" -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]] ; then
+ if [[ "$LIST_DEP" -eq 1 ]] ; then
 ANSWER=("n")
 else
 echo -e "\\n""$MAGENTA""$BOLD""These rules (if not already on the system) will be downloaded!""$NC"
@@ -159,7 +159,9 @@ IF20_cve_search() {
 
 case ${ANSWER:0:1} in
 y|Y )
- download_file "CISA.gov list of known_exploited_vulnerabilities.csv" "https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv" "external/known_exploited_vulnerabilities.csv"
+
+ download_file "known_exploited_vulnerabilities.csv" "https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv" "external/known_exploited_vulnerabilities.csv"
+
 ;;
 esac
 fi
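Review bot: Dropping `DOCKER_SETUP` from the condition makes the CISA catalog CSV download run during Docker setup as well, but nothing in this arm records when the copy was fetched, and the catalog changes continuously — a stale copy silently under-reports the `X` marker in the F20 report. Writing the retrieval date next to the file, e.g. `date -u +%F > external/known_exploited_vulnerabilities.csv.date`, would let the report state the catalog version it used, and if download_file does not already do so, checking that the fetched file begins with the expected CSV header before it replaces an existing copy guards against an error page being stored as the catalog. The prompt text `These rules (if not already on the system) will be downloaded!` was copied from the rules section and no longer describes a CSV catalog. The enclosing if and IF20_cve_search's body continue outside the hunk.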
diff --git a/modules/F20_vul_aggregator.sh b/modules/F20_vul_aggregator.sh
index 5a8f2a727..b85576736 100755
--- a/modules/F20_vul_aggregator.sh
+++ b/modules/F20_vul_aggregator.sh
@@ -272,14 +272,16 @@ generate_special_log() {
 fi
 done
 
- mapfile -t KNOWN_EXPLOITED_VULNS < <(grep -E "known exploited" "$LOG_PATH_MODULE"/exploit/known_exploited_vulns.log || true 2>/dev/null)
- if [[ -v KNOWN_EXPLOITED_VULNS[@] ]]; then
- print_output ""
- print_output "[*] Vulnerability summary on known exploited vulnerabilities stored in $LOG_PATH_MODULE/exploit/known_exploited_vulns.log.\\n"
- for KNOWN_EXPLOITED_VULN in "${KNOWN_EXPLOITED_VULNS[@]}"; do
- print_output "$KNOWN_EXPLOITED_VULN"
- done
- print_output ""
+ if [[ -f "$LOG_PATH_MODULE"/exploit/known_exploited_vulns.log ]]; then
+ mapfile -t KNOWN_EXPLOITED_VULNS < <(grep -E "known exploited" "$LOG_PATH_MODULE"/exploit/known_exploited_vulns.log || true 2>/dev/null)
+ if [[ -v KNOWN_EXPLOITED_VULNS[@] ]]; then
+ print_output ""
+ print_output "[*] Vulnerability summary on known exploited vulnerabilities stored in $LOG_PATH_MODULE/exploit/known_exploited_vulns.log.\\n"
+ for KNOWN_EXPLOITED_VULN in "${KNOWN_EXPLOITED_VULNS[@]}"; do
+ print_output "$KNOWN_EXPLOITED_VULN"
+ done
+ print_output ""
+ fi
 fi
 
 echo "$EXPLOIT_HIGH" > "$TMP_DIR"/EXPLOIT_HIGH_COUNTER.tmp
From 70a0cd883c9555583cdb47066107ec05e9478af0 Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Sun, 24 Apr 2022 17:09:08 +0200
Subject: [PATCH 26/42] multiple fixes
---
 docker-compose.yml | 3 ++-
 emba.sh | 1 +
 modules/P02_firmware_bin_file_check.sh | 15 +++++++++------
 modules/P11_dlink_SHRS_enc_extract.sh | 12 ++++++++----
 modules/P12_avm_freetz_ng_extract.sh | 5 ++++-
 modules/P17_gpg_decompress.sh | 2 +-
 modules/S25_kernel_check.sh | 3 +++
 7 files changed, 28 insertions(+), 13 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 98abfcf41..e96835eb3 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,7 +3,8 @@ services: emba: image: embeddedanalyzer/emba:latest read_only: true - privileged: false + # all pre-checker mount modules need privileged mode + privileged: true # /root is needed for binwalk # /tmp is needed for FACT extractor # /run is needed for postgresql and others diff --git a/emba.sh b/emba.sh index 88d30c94d..12605bee5 100755 --- a/emba.sh +++ b/emba.sh @@ -601,6 +601,7 @@ main() mkdir "$LOG_DIR" || true fi S25_kernel_check + exit 0 fi fi diff --git a/modules/P02_firmware_bin_file_check.sh b/modules/P02_firmware_bin_file_check.sh index 696bcd793..f303802a3 100755 --- a/modules/P02_firmware_bin_file_check.sh +++ b/modules/P02_firmware_bin_file_check.sh @@ -101,10 +101,17 @@ fw_bin_detector() { AVM_CHECK=$(strings "$CHECK_FILE" | grep -c "AVM GmbH .*. All rights reserved.\|(C) Copyright .* AVM" || true) QNAP_ENC_CHECK=$(binwalk -y "qnap encrypted" "$CHECK_FILE") + if [[ "$AVM_CHECK" -gt 0 ]] || [[ "$FW_VENDOR" == *"AVM"* ]]; then + print_output "[*] Identified AVM firmware - using AVM extraction module" + export AVM_DETECTED=1 + fi # if we have a zip, tgz, tar archive we are going to use the FACT extractor if [[ "$FILE_BIN_OUT" == *"gzip compressed data"* || "$FILE_BIN_OUT" == *"Zip archive data"* || "$FILE_BIN_OUT" == *"POSIX tar archive"* ]]; then - print_output "[*] Identified gzip/zip/tar archive file - using FACT extraction module" - export FACT_INIT=1 + # as the AVM images are also zip files we need to bypass it here: + if [[ "$AVM_DETECTED" -ne 1 ]]; then + print_output "[*] Identified gzip/zip/tar archive file - using FACT extraction module" + export FACT_INIT=1 + fi fi if [[ "$FILE_BIN_OUT" == *"VMware4 disk image"* ]]; then print_output "[*] Identified VMWware VMDK archive file - using VMDK extraction module" 
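Review bot: `privileged: true` gives the analysis container every capability, all host device nodes and disables the default seccomp and AppArmor profiles, which is a large step for a tool that parses and mounts attacker-controlled firmware images (a UFS mount via `modprobe`/`mount` is visible in P19 later in this series). The comment names the mount modules as the reason, so a narrower grant likely suffices: `cap_add:` with `- SYS_ADMIN` plus a `devices:` list for the loop devices, keeping `read_only: true` as is, and `privileged: true` documented as a fallback rather than the default. I cannot confirm from this file which capabilities the extractors actually need, so this would have to be tested against the pre-checker modules; in-kernel filesystem parsers still see untrusted input either way, which is worth a comment recommending a VM for hostile samples.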
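Review bot: The new `[[ "$AVM_DETECTED" -ne 1 ]]` test reads a variable that is only assigned when the AVM check above matches; for every non-AVM image it is unset, which bash's arithmetic comparison tolerates but which aborts the module if `set -u` is active anywhere in EMBA (not visible from this hunk). Initialising it on the common path removes the dependency on that detail, e.g. `export AVM_DETECTED=0` just before the `if [[ "$AVM_CHECK" -gt 0 ]] ...` line, or `if [[ "${AVM_DETECTED:-0}" -ne 1 ]]; then`. `fw_bin_detector` starts and ends outside this hunk.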
@@ -130,10 +137,6 @@ fw_bin_detector() { print_output "[*] Identified D-Link encrpted_img encrpyted firmware - using D-Link extraction module" export DLINK_ENC_DETECTED=2 fi - if [[ "$AVM_CHECK" -gt 0 ]] || [[ "$FW_VENDOR" == *"AVM"* ]]; then - print_output "[*] Identified AVM firmware - using AVM extraction module" - export AVM_DETECTED=1 - fi if [[ "$FILE_BIN_OUT" == *"u-boot legacy uImage"* ]]; then print_output "[*] Identified u-boot firmware - using u-boot module" export UBOOT_IMAGE=1 diff --git a/modules/P11_dlink_SHRS_enc_extract.sh b/modules/P11_dlink_SHRS_enc_extract.sh index 451da16bb..9f103eaf9 100755 --- a/modules/P11_dlink_SHRS_enc_extract.sh +++ b/modules/P11_dlink_SHRS_enc_extract.sh @@ -48,7 +48,7 @@ dlink_SHRS_enc_extractor() { print_output "" - dd if="$DLINK_ENC_PATH_" skip=1756 iflag=skip_bytes|openssl aes-128-cbc -d -p -nopad -nosalt -K "c05fbf1936c99429ce2a0781f08d6ad8" -iv "67c6697351ff4aec29cdbaabf2fbe346" --nosalt -in /dev/stdin -out "$EXTRACTION_FILE_" 2>&1 | tee -a "$LOG_FILE" + dd if="$DLINK_ENC_PATH_" skip=1756 iflag=skip_bytes|openssl aes-128-cbc -d -p -nopad -nosalt -K "c05fbf1936c99429ce2a0781f08d6ad8" -iv "67c6697351ff4aec29cdbaabf2fbe346" --nosalt -in /dev/stdin -out "$EXTRACTION_FILE_" 2>&1 || true | tee -a "$LOG_FILE" print_output "" if [[ -f "$EXTRACTION_FILE_" ]]; then @@ -75,12 +75,16 @@ dlink_enc_img_extractor(){ IMAGE_SIZE=$(stat -c%s "$TMP_IMAGE_FILE") (( ROOF=IMAGE_SIZE/131072 )) for ((ITERATION=0; ITERATION&1 | tee -a "$LOG_FILE" done -# Now it should be a .ubi file thats somewhat readable and extractable via ubireader + # Now it should be a .ubi file thats somewhat readable and extractable via ubireader print_output "" if [[ -f "$EXTRACTION_FILE_" ]]; then print_output "[+] Decrypted D-Link firmware file to $ORANGE$EXTRACTION_FILE_$NC" @@ -90,4 +94,4 @@ dlink_enc_img_extractor(){ else print_output "[-] Decryption of D-Link firmware file failed" fi -} \ No newline at end of file +} 
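Review bot: The rewritten `dd ... | openssl ... 2>&1 || true | tee -a "$LOG_FILE"` line no longer logs anything, because `|` binds tighter than `||`: it parses as `(dd | openssl) || (true | tee ...)`, so on success openssl's output (including the `-p` key/IV dump) goes to the terminal instead of `$LOG_FILE`, and on failure tee receives the empty output of `true`. To keep both the log and the `set -e` guard, group the pipeline: `{ dd if="$DLINK_ENC_PATH_" skip=1756 iflag=skip_bytes | openssl ... -out "$EXTRACTION_FILE_" 2>&1 || true; } | tee -a "$LOG_FILE"`. `dlink_SHRS_enc_extractor` starts and ends outside this hunk.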
diff --git a/modules/P12_avm_freetz_ng_extract.sh b/modules/P12_avm_freetz_ng_extract.sh index 4481089a2..a90d18333 100755 --- a/modules/P12_avm_freetz_ng_extract.sh +++ b/modules/P12_avm_freetz_ng_extract.sh @@ -42,7 +42,10 @@ avm_extractor() { local FRITZ_VERSION sub_module_title "AVM freetz-ng firmware extractor" - "$EXT_DIR"/freetz-ng/fwmod -u -d "$EXTRACTION_DIR_" "$AVM_FW_PATH_" || true | tee -a "$LOG_FILE" + # read only filesystem bypass: + cp "$EXT_DIR"/freetz-ng/.config "$TMP_DIR"/.config + "$EXT_DIR"/freetz-ng/fwmod -u -i "$TMP_DIR"/.config -d "$EXTRACTION_DIR_" "$AVM_FW_PATH_" || true | tee -a "$LOG_FILE" + FRITZ_FILES=$(find "$EXTRACTION_DIR_" -type f | wc -l) FRITZ_DIRS=$(find "$EXTRACTION_DIR_" -type d | wc -l) diff --git a/modules/P17_gpg_decompress.sh b/modules/P17_gpg_decompress.sh index 3f8ed82a4..def429d50 100755 --- a/modules/P17_gpg_decompress.sh +++ b/modules/P17_gpg_decompress.sh @@ -42,7 +42,7 @@ gpg_decompress_extractor() { sub_module_title "GPG compressed firmware extractor" gpg --list-packets "$GPG_FILE_PATH_" 2>/dev/null | tee -a "$LOG_FILE" - gpg --decrypt "$GPG_FILE_PATH_" > "$EXTRACTION_FILE_" + gpg --decrypt "$GPG_FILE_PATH_" > "$EXTRACTION_FILE_" || true print_output "" if [[ -f "$EXTRACTION_FILE_" ]]; then diff --git a/modules/S25_kernel_check.sh b/modules/S25_kernel_check.sh index 271411381..070285f1a 100755 --- a/modules/S25_kernel_check.sh +++ b/modules/S25_kernel_check.sh @@ -26,6 +26,7 @@ S25_kernel_check() KERNEL_VERSION=() KERNEL_DESC=() + KERNEL_MODULES=() FOUND=0 KMOD_BAD=0 @@ -73,6 +74,8 @@ S25_kernel_check() print_output "[*] Check kernel configuration ""$(print_path "$KERNEL_CONFIG" )"" via checksec.sh" print_output "$("$EXT_DIR""/checksec" --kernel="$KERNEL_CONFIG")" FOUND=1 + export LOG_PATH_MODULE + LOG_PATH_MODULE="$LOG_DIR""/""$(echo "$MODULE_MAIN_NAME" | tr '[:upper:]' '[:lower:]')" elif [[ $KERNEL -eq 1 ]] && [[ $FIRMWARE -eq 1 ]] ; then From c0649571b6a5093c905c245a48c4767fab1b0173 Mon Sep 17 00:00:00 2001 
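Review bot: The new `fwmod ... || true | tee -a "$LOG_FILE"` line has the same precedence problem as the old one: `||` binds looser than `|`, so fwmod's output is never piped into tee and only an empty `true | tee` runs on failure. Grouping fixes it: `{ "$EXT_DIR"/freetz-ng/fwmod -u -i "$TMP_DIR"/.config -d "$EXTRACTION_DIR_" "$AVM_FW_PATH_" || true; } | tee -a "$LOG_FILE"`. The `cp` of `.config` into `$TMP_DIR` should probably also get a `|| true` or an explicit check, since the comment says this is a read-only filesystem workaround and a failed copy would leave fwmod with no config. `avm_extractor` starts and ends outside this hunk.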
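Review bot: With `gpg --decrypt "$GPG_FILE_PATH_" > "$EXTRACTION_FILE_" || true` the shell creates `$EXTRACTION_FILE_` before gpg runs, so the `if [[ -f "$EXTRACTION_FILE_" ]]` check on the next lines is now always true and a failed decryption is reported as a success with an empty output file. Test for content instead and drop the empty artifact: `if [[ -s "$EXTRACTION_FILE_" ]]; then` with an `else` that does `rm -f "$EXTRACTION_FILE_"`; capturing gpg's exit status directly would be even clearer. `gpg_decompress_extractor` starts and ends outside this hunk.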
From: m-1-k-3 Date: Sun, 24 Apr 2022 17:28:01 +0200 Subject: [PATCH 27/42] docker hardening --- docker-compose.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docker-compose.yml b/docker-compose.yml index e96835eb3..7f9b951ff 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -5,6 +5,8 @@ services: read_only: true # all pre-checker mount modules need privileged mode privileged: true + # future: + # privileged: false # /root is needed for binwalk # /tmp is needed for FACT extractor # /run is needed for postgresql and others @@ -13,6 +15,7 @@ services: - /tmp - /root - /run + - /var/run - /external/FirmAE_orig/scratch build: . volumes: From 10fb5a2f90464af445bc00eb218df24656ac382f Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Sun, 24 Apr 2022 17:37:22 +0200 Subject: [PATCH 28/42] installer IL22 --- emba.sh | 1 - installer.sh | 6 +++--- installer/IL22_firmadyne_system_emulator.sh | 3 +++ 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/emba.sh b/emba.sh index 12605bee5..297aede70 100755 --- a/emba.sh +++ b/emba.sh @@ -619,7 +619,6 @@ main() fi # we update the known_exploited_vulnerabilities.csv file on the host - if the file is here - # typically this is on installations in full mode export KNOWN_EXP_CSV="$TMP_DIR"/known_exploited_vulnerabilities.csv if [[ -f "$EXT_DIR/known_exploited_vulnerabilities.csv" && "$IN_DOCKER" -eq 0 ]]; then # we update the known_exploited_vulnerabilities.csv file on every scan and store the database in the tmp directory diff --git a/installer.sh b/installer.sh index bc4da6020..07f2a3d50 100755 --- a/installer.sh +++ b/installer.sh @@ -183,10 +183,10 @@ if [[ "$CVE_SEARCH" -ne 1 ]] || [[ "$DOCKER_SETUP" -ne 1 ]] || [[ "$IN_DOCKER" - IL20_system_emulator - # deprecated - just for testing: + # deprecated - for testing only: IL21_firmae_system_emulator - # deprecated - not fully working: - #IL22_firmadyne_system_emulator + # deprecated - for testing only: + IL22_firmadyne_system_emulator IL15_emulated_checks_init 
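Review bot: The added `/var/run` tmpfs duplicates the existing `/run` entry on images where `/var/run` is a symlink to `/run` (the common layout on Debian/Ubuntu bases); I cannot tell from this file which base image is used, so please verify which path the postgresql and other daemons actually open and keep a single entry with a comment stating why. The commit is titled "docker hardening" but the only hardening-related change is the commented-out `# privileged: false`; if that is the plan, a `# TODO` naming the capabilities that still have to be granted instead would make the intent actionable.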
diff --git a/installer/IL22_firmadyne_system_emulator.sh b/installer/IL22_firmadyne_system_emulator.sh index 4ba32b136..bb44fbaff 100644 --- a/installer/IL22_firmadyne_system_emulator.sh +++ b/installer/IL22_firmadyne_system_emulator.sh @@ -53,6 +53,9 @@ IL22_firmadyne_system_emulator() { # shellcheck disable=SC2024 #sudo -u postgres psql -d firmware < ./firmadyne/database/schema + if [[ "$IN_DOCKER" -eq 1 ]] && [[ -f /external/firmadyne_orig/firmadyne.config ]]; then + sed -i 's/^FIRMWARE_DIR.*/FIRMWARE_DIR=\/external\/firmadyne_orig\//g' /external/firmadyne_orig/firmadyne.config + fi ./download.sh apt-get install qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils From ebc533b340e3896834b562c8141a505847846bae Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Mon, 25 Apr 2022 14:05:07 +0200 Subject: [PATCH 29/42] installer, docker, fixes --- docker-compose.yml | 1 + installer.sh | 6 +- installer/IL20_system_emulator.sh | 122 ------------------------------ modules/P18_qnap_decryptor.sh | 4 +- modules/P19_bsd_ufs_mounter.sh | 2 +- 5 files changed, 7 insertions(+), 128 deletions(-) delete mode 100644 installer/IL20_system_emulator.sh diff --git a/docker-compose.yml b/docker-compose.yml index 7f9b951ff..6c4e92d83 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -17,6 +17,7 @@ services: - /run - /var/run - /external/FirmAE_orig/scratch + - /external/firmadyne_orig/scratch build: . volumes: - ${FIRMWARE}/:/firmware:ro diff --git a/installer.sh b/installer.sh index 07f2a3d50..1b0667bb7 100755 --- a/installer.sh +++ b/installer.sh @@ -181,11 +181,11 @@ if [[ "$CVE_SEARCH" -ne 1 ]] || [[ "$DOCKER_SETUP" -ne 1 ]] || [[ "$IN_DOCKER" - I120_cwe_checker - IL20_system_emulator + IL10_system_emulator - # deprecated - for testing only: + # for testing only: IL21_firmae_system_emulator - # deprecated - for testing only: + # for testing only: IL22_firmadyne_system_emulator IL15_emulated_checks_init 
diff --git a/installer/IL20_system_emulator.sh b/installer/IL20_system_emulator.sh deleted file mode 100644 index 76c07b935..000000000 --- a/installer/IL20_system_emulator.sh +++ /dev/null 
@@ -1,122 +0,0 @@ -#!/bin/bash - -# EMBA - EMBEDDED LINUX ANALYZER -# -# Copyright 2020-2022 Siemens Energy AG -# Copyright 2020-2022 Siemens AG -# -# EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are -# welcome to redistribute it under the terms of the GNU General Public License. -# See LICENSE file for usage of this software. -# -# EMBA is licensed under GPLv3 -# -# Author(s): Michael Messner, Pascal Eckmann - -# Description: Installs full system emulation dependencies -# Module is based on FirmAE and firmadyne - -IL20_system_emulator() { - module_title "${FUNCNAME[0]}" - - if [[ "$LIST_DEP" -eq 1 ]] || [[ $IN_DOCKER -eq 1 ]] || [[ $DOCKER_SETUP -eq 0 ]] || [[ $FULL -eq 1 ]]; then - INSTALL_APP_LIST=() - cd "$HOME_PATH" || exit 1 - - print_tool_info "busybox-static" 1 - print_tool_info "bash-static" 1 - print_tool_info "fakeroot" 1 - print_tool_info "git" 1 - print_tool_info "dmsetup" 1 - print_tool_info "kpartx" 1 - print_tool_info "uml-utilities" 1 - print_tool_info "util-linux" 1 - print_tool_info "vlan" 1 - print_tool_info "qemu-system-arm" 1 - print_tool_info "qemu-system-mips" 1 - print_tool_info "qemu-system-x86" 1 - print_tool_info "qemu-utils" 1 - - # future use: - print_file_info "vmlinux.mipsel.2" "FirmAE - Linux kernel 2.6 - MIPSel" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipsel.2" "external/firmae/binaries/vmlinux.mipsel.2" - print_file_info "vmlinux.mipseb.2" "FirmAE - Linux kernel 2.6 - MIPSeb" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipseb.2" "external/firmae/binaries/vmlinux.mipseb.2" - print_file_info "vmlinux.mipsel.4" "FirmAE - Linux kernel 4.1 - MIPSel" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.mipsel.4" "external/firmae/binaries/vmlinux.mipsel.4" - print_file_info "vmlinux.mipseb.4" "FirmAE - Linux kernel 4.1 - MIPSeb" 
"https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.mipseb.4" "external/firmae/binaries/vmlinux.mipseb.4" - - print_file_info "zImage.armel" "FirmAE - Linux kernel 4.1 - ARMel" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/zImage.armel" "external/firmae/binaries/zImage.armel" - print_file_info "vmlinux.armel" "FirmAE - Linux kernel 4.1 - ARMel" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.armel" "external/firmae/binaries/vmlinux.armel" - - print_file_info "busybox.armel" "FirmAE - busybox - ARMel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.armel" "external/firmae/binaries/console.armel" - print_file_info "busybox.mipseb" "FirmAE - busybox - MIPSeb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.mipseb" "external/firmae/binaries/console.mipseb" - print_file_info "busybox.mipsel" "FirmAE - busybox - MIPSel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.mipsel" "external/firmae/binaries/console.mipsel" - - print_file_info "console.armel" "FirmAE - Console - ARMel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/console.armel" "external/firmae/binaries/console.armel" - print_file_info "console.mipseb" "FirmAE - Console - MIPSeb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/console.mipseb" "external/firmae/binaries/console.mipseb" - print_file_info "console.mipsel" "FirmAE - Console - MIPSel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/console.mipsel" "external/firmae/binaries/console.mipsel" - - print_file_info "libnvram.so.armel" "FirmAE - libnvram - ARMel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram.so.armel" "external/firmae/binaries/libnvram.so.armel" - print_file_info "libnvram.so.mipseb" "FirmAE - libnvram - MIPSeb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram.so.mipseb" "external/firmae/binaries/libnvram.so.mipseb" - 
print_file_info "libnvram.so.mipsel" "FirmAE - libnvram - MIPSel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram.so.mipsel" "external/firmae/binaries/libnvram.so.mipsel" - print_file_info "libnvram_ioctl.so.armel" "FirmAE - libnvram_ioctl - ARMel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram_ioctl.so.armel" "external/firmae/binaries/libnvram_ioctl.so.armel" - print_file_info "libnvram_ioctl.so.mipseb" "FirmAE - libnvram_ioctl - MIPSeb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram_ioctl.so.mipseb" "external/firmae/binaries/libnvram_ioctl.so.mipseb" - print_file_info "libnvram_ioctl.so.mipsel" "FirmAE - libnvram_ioctl - MIPSel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram_ioctl.so.mipsel" "external/firmae/binaries/libnvram_ioctl.so.mipsel" - - print_file_info "fixImage.sh" "FirmAE fixImage script" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/fixImage.sh" "external/firmae/scripts/" - print_file_info "preInit.sh" "FirmAE preInit script" "https://github.com/pr0v3rbs/FirmAE/blob/master/scripts/preInit.sh" "external/firmae/scripts/" - print_file_info "network.sh" "FirmAE network script" "https://github.com/pr0v3rbs/FirmAE/blob/master/scripts/network.sh" "external/firmae/scripts/" - print_file_info "makeNetwork.sh" "FirmAE makeNetwork script" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/makeNetwork.sh" "external/firmae/scripts/" - print_file_info "run_service.sh" "FirmAE run_service script" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/run_service.sh" "external/firmae/scripts/" - - if [[ "$LIST_DEP" -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]] ; then - ANSWER=("n") - else - echo -e "\\n""$MAGENTA""$BOLD""The system emulation dependencies (if not already on the system) will be downloaded and installed!""$NC" - ANSWER=("y") - fi - - case ${ANSWER:0:1} in - y|Y ) - - mkdir -p external/firmae/binaries - mkdir -p 
external/firmae/scripts - - apt-get install "${INSTALL_APP_LIST[@]}" -y - - download_file "vmlinux.mipsel.2" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipsel.2" "external/firmae/binaries/vmlinux.mipsel.2" - download_file "vmlinux.mipseb.2" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipseb.2" "external/firmae/binaries/vmlinux.mipseb.2" - download_file "vmlinux.mipsel.4" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.mipsel.4" "external/firmae/binaries/vmlinux.mipsel.4" - download_file "vmlinux.mipseb.4" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.mipseb.4" "external/firmae/binaries/vmlinux.mipseb.4" - - download_file "zImage.armel" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/zImage.armel" "external/firmae/binaries/zImage.armel" - download_file "vmlinux.armel" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.armel" "external/firmae/binaries/vmlinux.armel" - - download_file "busybox.armel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.armel" "external/firmae/binaries/console.armel" - download_file "busybox.mipseb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.mipseb" "external/firmae/binaries/console.mipseb" - download_file "busybox.mipsel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.mipsel" "external/firmae/binaries/console.mipsel" - - download_file "console.armel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/console.armel" "external/firmae/binaries/console.armel" - download_file "console.mipseb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/console.mipseb" "external/firmae/binaries/console.mipseb" - download_file "console.mipsel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/console.mipsel" "external/firmae/binaries/console.mipsel" - - download_file "libnvram.so.armel" 
"https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram.so.armel" "external/firmae/binaries/libnvram.so.armel" - download_file "libnvram.so.mipseb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram.so.mipseb" "external/firmae/binaries/libnvram.so.mipseb" - download_file "libnvram.so.mipsel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram.so.mipsel" "external/firmae/binaries/libnvram.so.mipsel" - download_file "libnvram_ioctl.so.armel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram_ioctl.so.armel" "external/firmae/binaries/libnvram_ioctl.so.armel" - download_file "libnvram_ioctl.so.mipseb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram_ioctl.so.mipseb" "external/firmae/binaries/libnvram_ioctl.so.mipseb" - download_file "libnvram_ioctl.so.mipsel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram_ioctl.so.mipsel" "external/firmae/binaries/libnvram_ioctl.so.mipsel" - - download_file "fixImage.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/fixImage.sh" "external/firmae/scripts/fixImage.sh" - download_file "preInit.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/preInit.sh" "external/firmae/scripts/preInit.sh" - download_file "network.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/network.sh" "external/firmae/scripts/network.sh" - download_file "inferNetwork.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/inferNetwork.sh" "external/firmae/scripts/inferNetwork.sh" - download_file "run_service.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/run_service.sh" "external/firmae/scripts/run_service.sh" - - # patch network.sh: - # shellcheck disable=SC2016 - sed 's/for FILE in `${BUSYBOX} find \/ -name "preinitMT" -o -name "preinit" -o -name "rcS"`/for FILE in `${BUSYBOX} find \/ -name "preinitMT" -o -name "preinit" -o -name "rcS" -o -name "rc.sysinit"`/' 
external/firmae/scripts/network.sh - - ;; - esac - fi -} - diff --git a/modules/P18_qnap_decryptor.sh b/modules/P18_qnap_decryptor.sh index 75d23e6f8..a98fc6271 100755 --- a/modules/P18_qnap_decryptor.sh +++ b/modules/P18_qnap_decryptor.sh @@ -333,7 +333,7 @@ qnap_extractor() { if [[ -v USR_LOCAL[@] ]]; then print_output "" for f in "${USR_LOCAL[@]}"; do - print_output "[*] Extracting $ORANGE$f$NC -> sysroot/usr/local..." + print_output "[*] Extracting $ORANGE$f$NC -> ${ORANGE}sysroot/usr/local$NC ..." mkdir -p "$SYSROOT/usr/local" || true tar xvzf "$f" -C "$SYSROOT/usr/local" done @@ -358,7 +358,7 @@ qnap_extractor() { for name in apache_php5 mysql5 mariadb5; do if [ -e "$QNAP_EXTRACTION_ROOT_DST/qpkg/$name.tgz" ]; then - print_output "[*] Extracting ${ORANGE}qpkg/$name.tgz$NC -> sysroot/usr/local..." + print_output "[*] Extracting ${ORANGE}qpkg/$name.tgz$NC -> ${ORANGE}sysroot/usr/local$NC ..." tar xvzf "$QNAP_EXTRACTION_ROOT_DST/qpkg/$name.tgz" -C "$SYSROOT/usr/local" fi done diff --git a/modules/P19_bsd_ufs_mounter.sh b/modules/P19_bsd_ufs_mounter.sh index 68cec5419..d48c115c2 100755 --- a/modules/P19_bsd_ufs_mounter.sh +++ b/modules/P19_bsd_ufs_mounter.sh @@ -51,7 +51,7 @@ ufs_extractor() { modprobe ufs mount -r -t ufs -o ufstype=ufs2 "$UFS_PATH_" "$TMP_UFS_MOUNT" if mount | grep -q ufs_mount; then - print_output "[*] Copying $ORANGE$TMP_UFS_MOUNT$NC to firmware tmp directory ($EXTRACTION_DIR_)" + print_output "[*] Copying $ORANGE$TMP_UFS_MOUNT$NC to firmware tmp directory ($ORANGE$EXTRACTION_DIR_$NC)" mkdir -p "$EXTRACTION_DIR_" 2>/dev/null || true cp -pri "$TMP_UFS_MOUNT"/* "$EXTRACTION_DIR_" 2>/dev/null || true print_output "" From f32968d0304fd530a56b97d2582941a8cd4a7035 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Mon, 25 Apr 2022 14:10:06 +0200 Subject: [PATCH 30/42] installer, docker, fixes --- installer/IL10_system_emulator.sh | 124 ++++++++++++++++++++++++++++++ 1 file changed, 124 insertions(+) create mode 100644 installer/IL10_system_emulator.sh 
diff --git a/installer/IL10_system_emulator.sh b/installer/IL10_system_emulator.sh new file mode 100644 index 000000000..93b54b151 --- /dev/null +++ b/installer/IL10_system_emulator.sh 
@@ -0,0 +1,124 @@ +#!/bin/bash + +# EMBA - EMBEDDED LINUX ANALYZER +# +# Copyright 2020-2022 Siemens Energy AG +# Copyright 2020-2022 Siemens AG +# +# EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# welcome to redistribute it under the terms of the GNU General Public License. +# See LICENSE file for usage of this software. +# +# EMBA is licensed under GPLv3 +# +# Author(s): Michael Messner, Pascal Eckmann + +# Description: Installs full system emulation dependencies +# Module is based on FirmAE and firmadyne + +IL10_system_emulator() { + module_title "${FUNCNAME[0]}" + + if [[ "$LIST_DEP" -eq 1 ]] || [[ $IN_DOCKER -eq 1 ]] || [[ $DOCKER_SETUP -eq 0 ]] || [[ $FULL -eq 1 ]]; then + INSTALL_APP_LIST=() + cd "$HOME_PATH" || exit 1 + + print_tool_info "busybox-static" 1 + print_tool_info "bash-static" 1 + print_tool_info "fakeroot" 1 + print_tool_info "git" 1 + print_tool_info "dmsetup" 1 + print_tool_info "kpartx" 1 + print_tool_info "uml-utilities" 1 + print_tool_info "util-linux" 1 + print_tool_info "vlan" 1 + print_tool_info "qemu-system-arm" 1 + print_tool_info "qemu-system-mips" 1 + print_tool_info "qemu-system-x86" 1 + print_tool_info "qemu-utils" 1 + + # future use: + print_file_info "vmlinux.mipsel.2" "FirmAE - Linux kernel 2.6 - MIPSel" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipsel.2" "external/firmae/binaries/vmlinux.mipsel.2" + print_file_info "vmlinux.mipseb.2" "FirmAE - Linux kernel 2.6 - MIPSeb" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipseb.2" "external/firmae/binaries/vmlinux.mipseb.2" + print_file_info "vmlinux.mipsel.4" "FirmAE - Linux kernel 4.1 - MIPSel" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.mipsel.4" "external/firmae/binaries/vmlinux.mipsel.4" + print_file_info "vmlinux.mipseb.4" "FirmAE - Linux kernel 4.1 - MIPSeb" 
"https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.mipseb.4" "external/firmae/binaries/vmlinux.mipseb.4" + + print_file_info "zImage.armel" "FirmAE - Linux kernel 4.1 - ARMel" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/zImage.armel" "external/firmae/binaries/zImage.armel" + print_file_info "vmlinux.armel" "FirmAE - Linux kernel 4.1 - ARMel" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.armel" "external/firmae/binaries/vmlinux.armel" + + print_file_info "busybox.armel" "FirmAE - busybox - ARMel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.armel" "external/firmae/binaries/console.armel" + print_file_info "busybox.mipseb" "FirmAE - busybox - MIPSeb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.mipseb" "external/firmae/binaries/console.mipseb" + print_file_info "busybox.mipsel" "FirmAE - busybox - MIPSel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.mipsel" "external/firmae/binaries/console.mipsel" + + print_file_info "console.armel" "FirmAE - Console - ARMel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/console.armel" "external/firmae/binaries/console.armel" + print_file_info "console.mipseb" "FirmAE - Console - MIPSeb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/console.mipseb" "external/firmae/binaries/console.mipseb" + print_file_info "console.mipsel" "FirmAE - Console - MIPSel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/console.mipsel" "external/firmae/binaries/console.mipsel" + + print_file_info "libnvram.so.armel" "FirmAE - libnvram - ARMel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram.so.armel" "external/firmae/binaries/libnvram.so.armel" + print_file_info "libnvram.so.mipseb" "FirmAE - libnvram - MIPSeb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram.so.mipseb" "external/firmae/binaries/libnvram.so.mipseb" + 
print_file_info "libnvram.so.mipsel" "FirmAE - libnvram - MIPSel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram.so.mipsel" "external/firmae/binaries/libnvram.so.mipsel" + print_file_info "libnvram_ioctl.so.armel" "FirmAE - libnvram_ioctl - ARMel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram_ioctl.so.armel" "external/firmae/binaries/libnvram_ioctl.so.armel" + print_file_info "libnvram_ioctl.so.mipseb" "FirmAE - libnvram_ioctl - MIPSeb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram_ioctl.so.mipseb" "external/firmae/binaries/libnvram_ioctl.so.mipseb" + print_file_info "libnvram_ioctl.so.mipsel" "FirmAE - libnvram_ioctl - MIPSel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram_ioctl.so.mipsel" "external/firmae/binaries/libnvram_ioctl.so.mipsel" + + print_file_info "fixImage.sh" "FirmAE fixImage script" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/fixImage.sh" "external/firmae/scripts/" + print_file_info "preInit.sh" "FirmAE preInit script" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/preInit.sh" "external/firmae/scripts/" + print_file_info "network.sh" "FirmAE network script" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/network.sh" "external/firmae/scripts/" + print_file_info "makeNetwork.sh" "FirmAE makeNetwork script" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/makeNetwork.sh" "external/firmae/scripts/" + print_file_info "run_service.sh" "FirmAE run_service script" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/run_service.sh" "external/firmae/scripts/" + print_file_info "inferFile.sh" "FirmAE inferFile script" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/inferFile.sh" "external/firmae/scripts/" + + if [[ "$LIST_DEP" -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]] ; then + ANSWER=("n") + else + echo -e "\\n""$MAGENTA""$BOLD""The system emulation dependencies (if not 
already on the system) will be downloaded and installed!""$NC" + ANSWER=("y") + fi + + case ${ANSWER:0:1} in + y|Y ) + + mkdir -p external/firmae/binaries + mkdir -p external/firmae/scripts + + apt-get install "${INSTALL_APP_LIST[@]}" -y + + download_file "vmlinux.mipsel.2" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipsel.2" "external/firmae/binaries/vmlinux.mipsel.2" + download_file "vmlinux.mipseb.2" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipseb.2" "external/firmae/binaries/vmlinux.mipseb.2" + download_file "vmlinux.mipsel.4" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.mipsel.4" "external/firmae/binaries/vmlinux.mipsel.4" + download_file "vmlinux.mipseb.4" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.mipseb.4" "external/firmae/binaries/vmlinux.mipseb.4" + + download_file "zImage.armel" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/zImage.armel" "external/firmae/binaries/zImage.armel" + download_file "vmlinux.armel" "https://github.com/pr0v3rbs/FirmAE_kernel-v4.1/releases/download/v1.0/vmlinux.armel" "external/firmae/binaries/vmlinux.armel" + + download_file "busybox.armel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.armel" "external/firmae/binaries/busybox.armel" + download_file "busybox.mipseb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.mipseb" "external/firmae/binaries/busybox.mipseb" + download_file "busybox.mipsel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/busybox.mipsel" "external/firmae/binaries/busybox.mipsel" + + download_file "console.armel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/console.armel" "external/firmae/binaries/console.armel" + download_file "console.mipseb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/console.mipseb" "external/firmae/binaries/console.mipseb" + download_file 
"console.mipsel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/console.mipsel" "external/firmae/binaries/console.mipsel" + + download_file "libnvram.so.armel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram.so.armel" "external/firmae/binaries/libnvram.so.armel" + download_file "libnvram.so.mipseb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram.so.mipseb" "external/firmae/binaries/libnvram.so.mipseb" + download_file "libnvram.so.mipsel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram.so.mipsel" "external/firmae/binaries/libnvram.so.mipsel" + download_file "libnvram_ioctl.so.armel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram_ioctl.so.armel" "external/firmae/binaries/libnvram_ioctl.so.armel" + download_file "libnvram_ioctl.so.mipseb" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram_ioctl.so.mipseb" "external/firmae/binaries/libnvram_ioctl.so.mipseb" + download_file "libnvram_ioctl.so.mipsel" "https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/libnvram_ioctl.so.mipsel" "external/firmae/binaries/libnvram_ioctl.so.mipsel" + + download_file "fixImage.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/fixImage.sh" "external/firmae/scripts/fixImage.sh" + download_file "preInit.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/preInit.sh" "external/firmae/scripts/preInit.sh" + download_file "network.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/network.sh" "external/firmae/scripts/network.sh" + download_file "inferNetwork.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/inferNetwork.sh" "external/firmae/scripts/inferNetwork.sh" + download_file "run_service.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/run_service.sh" "external/firmae/scripts/run_service.sh" + download_file "inferFile.sh" 
"https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/inferFile.sh" "external/firmae/scripts/inferFile.sh" + + # patch network.sh: + # shellcheck disable=SC2016 + sed 's/for FILE in `${BUSYBOX} find \/ -name "preinitMT" -o -name "preinit" -o -name "rcS"`/for FILE in `${BUSYBOX} find \/ -name "preinitMT" -o -name "preinit" -o -name "rcS" -o -name "rc.sysinit"`/' external/firmae/scripts/network.sh + + ;; + esac + fi +} + From ef8a9f4237ca3374260a184bc8a23d607fbad602 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Mon, 25 Apr 2022 16:23:10 +0200 Subject: [PATCH 31/42] removed L15 --- helpers/helpers_emba_prepare.sh | 2 +- modules/L15_emulated_checks_init.sh | 212 ---------------------------- 2 files changed, 1 insertion(+), 213 deletions(-) delete mode 100755 modules/L15_emulated_checks_init.sh diff --git a/helpers/helpers_emba_prepare.sh b/helpers/helpers_emba_prepare.sh index 4867e01ea..340341361 100755 --- a/helpers/helpers_emba_prepare.sh +++ b/helpers/helpers_emba_prepare.sh @@ -328,7 +328,7 @@ detect_root_dir_helper() { for R_PATH in "${ROOTx_PATH[@]}"; do if [[ -d "$R_PATH" ]]; then ROOT_PATH+=( "$R_PATH" ) - if ! echo "$MECHANISM" | grep -q "file names"; then + if ! echo "$MECHANISM" | grep -q "dir names"; then MECHANISM="$MECHANISM / dir names" elif ! echo "$MECHANISM" | grep -q "binary interpreter"; then MECHANISM="dir names" diff --git a/modules/L15_emulated_checks_init.sh b/modules/L15_emulated_checks_init.sh deleted file mode 100755 index 90ae735bf..000000000 --- a/modules/L15_emulated_checks_init.sh +++ /dev/null 
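Review bot: The `sed 's/for FILE in ... -o -name "rcS"`/... -o -name "rc.sysinit"`/' external/firmae/scripts/network.sh` at the end of `IL10_system_emulator` has no `-i`, so it prints the patched script to stdout and leaves `network.sh` unchanged; the `rc.sysinit` addition never takes effect (the deleted IL20 copy had the same issue). Use `sed -i '...' external/firmae/scripts/network.sh`. Separately, the kernels and libnvram binaries are pinned to the `v1.0` release tag while every script is fetched from `master`, so the installed scripts are mutable and non-reproducible; pinning them to a commit (and, if `download_file` supports it, checking a hash) would close that supply-chain gap. The `print_file_info` lines for the three busybox binaries still list `external/firmae/binaries/console.*` as the destination while `download_file` writes `busybox.*`, so the dependency listing is out of sync with what is installed.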
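Review bot: After the fix, the `elif ! echo "$MECHANISM" | grep -q "binary interpreter"` branch is only reached when `MECHANISM` already contains "dir names", and it then overwrites the whole value with `"dir names"`, discarding whatever else had been appended. If the intent is to seed an empty `MECHANISM`, that is better expressed as an explicit first test, `if [[ -z "$MECHANISM" ]]; then MECHANISM="dir names"; elif ! echo "$MECHANISM" | grep -q "dir names"; then MECHANISM="$MECHANISM / dir names"; fi`; if the overwrite is intentional a comment saying why would help. `detect_root_dir_helper` starts and ends outside this hunk, so I cannot see how `MECHANISM` is initialised.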
@@ -1,212 +0,0 @@ -#!/bin/bash - -# EMBA - EMBEDDED LINUX ANALYZER -# -# Copyright 2020-2022 Siemens Energy AG -# Copyright 2020-2022 Siemens AG -# -# EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are -# welcome to redistribute it under the terms of the GNU General Public License. -# See LICENSE file for usage of this software. -# -# EMBA is licensed under GPLv3 -# -# Author(s): Michael Messner, Pascal Eckmann - -# Description: Tests the emulated live system which is build and started in L10 -# Currently this is an experimental module and needs to be activated separately via the -Q switch. -# It is also recommended to only use this technique in a dockerized or virtualized environment. - -# Threading priority - if set to 1, these modules will be executed first -export THREAD_PRIO=0 - -L15_emulated_checks_init() { - module_log_init "${FUNCNAME[0]}" - module_title "Live tests of emulated device." - - SNMP_UP=0 - NIKTO_UP=0 - NMAP_PORTS_SERVICES=() - MODULE_END=0 - - if [[ "$SYS_ONLINE" -eq 1 ]]; then - pre_module_reporter "${FUNCNAME[0]}" - - if [[ $IN_DOCKER -eq 0 ]] ; then - print_output "[!] This module should not be used in developer mode and could harm your host environment." 
- fi - - check_live_nmap_basic - check_live_snmp - # running into issues with nikto on different systems -> disabling for now: - # check_live_nikto - check_live_routersploit - MODULE_END=1 - pkill -f "qemu-system-.*$IMAGE_NAME.*" || true - reset_network 2 - fi - - write_log "" - write_log "[*] Statistics:${#NMAP_PORTS_SERVICES[@]}:$SNMP_UP:$NIKTO_UP" - module_end_log "${FUNCNAME[0]}" "$MODULE_END" - -} - -check_live_nmap_basic() { - sub_module_title "Nmap portscans for emulated system with IP $IP" - - nmap -sSV "$IP" -oA "$LOG_PATH_MODULE"/nmap-basic-"$IP" | tee -a "$LOG_FILE" - if [[ -f "$LOG_PATH_MODULE"/nmap-basic-"$IP".nmap ]]; then - mapfile -t NMAP_PORTS_SERVICES < <(grep "open" "$LOG_PATH_MODULE"/nmap-basic-"$IP".nmap | awk '{print $4,$5,$6}' | sort -u) - mapfile -t NMAP_PORTS < <(grep "open" "$LOG_PATH_MODULE"/nmap-basic-"$IP".nmap | awk '{print $1}' | cut -d '/' -f1 | sort -u) - fi - - TYPE="Nmap" - - if [[ -v NMAP_PORTS_SERVICES[@] ]]; then - write_csv_log "---" "---" "version_detected" "csv_rule" "license" "static/emulation/nmap" - print_output "" - for SERVICE in "${NMAP_PORTS_SERVICES[@]}"; do - while read -r VERSION_LINE; do - if echo "$VERSION_LINE" | grep -v -q "^[^#*/;]"; then - continue - fi - if echo "$VERSION_LINE" | grep -q "no_static"; then - continue - fi - - STRICT="$(echo "$VERSION_LINE" | cut -d\; -f2)" - - if [[ $STRICT == *"strict"* ]]; then - continue - elif [[ $STRICT == "zgrep" ]]; then - continue - fi - - LIC="$(echo "$VERSION_LINE" | cut -d\; -f3)" - # BIN_NAME="$(echo "$VERSION_LINE" | cut -d\; -f1)" - CSV_REGEX="$(echo "$VERSION_LINE" | cut -d\; -f5)" - VERSION_IDENTIFIER="$(echo "$VERSION_LINE" | cut -d\; -f4 | sed s/^\"// | sed s/\"$//)" - - VERSION_FINDER=$(echo "$SERVICE" | grep -o -a -E "$VERSION_IDENTIFIER" | head -1 2>/dev/null || true) - if [[ -n $VERSION_FINDER ]]; then - print_output "[+] Version information found ${RED}""$VERSION_FINDER""${NC}${GREEN} in Nmap port scanning logs." 
- # use get_csv_rule from s09: - get_csv_rule "$VERSION_FINDER" "$CSV_REGEX" - write_csv_log "---" "---" "$VERSION_FINDER" "$CSV_RULE" "$LIC" "$TYPE" - continue - fi - done < "$CONFIG_DIR"/bin_version_strings.cfg - done - fi - - print_output "" - print_output "[*] Nmap portscans for emulated system with IP $IP finished" -} - -check_live_snmp() { - sub_module_title "SNMP enumeration for emulated system with IP $IP" - - if command snmp-check > /dev/null; then - print_output "[*] SNMP scan with community name public" - snmp-check -w "$IP"| tee "$LOG_PATH_MODULE"/snmp-check-public-"$IP".txt - if [[ -f "$LOG_PATH_MODULE"/snmp-check-public-"$IP".txt ]]; then - cat "$LOG_PATH_MODULE"/snmp-check-public-"$IP".txt >> "$LOG_FILE" - fi - print_output "" - print_output "[*] SNMP scan with community name private" - snmp-check -c private -w "$IP"| tee "$LOG_PATH_MODULE"/snmp-check-private-"$IP".txt - if [[ -f "$LOG_PATH_MODULE"/snmp-check-private-"$IP".txt ]]; then - cat "$LOG_PATH_MODULE"/snmp-check-private-"$IP".txt >> "$LOG_FILE" - fi - else - print_output "[*] SNMP scan with community name public" - snmpwalk -v2c -c public "$IP" .iso | tee "$LOG_PATH_MODULE"/snmpwalk-public-"$IP".txt - if [[ -f "$LOG_PATH_MODULE"/snmp-check-public-"$IP".txt ]]; then - cat "$LOG_PATH_MODULE"/snmpwalk-public-"$IP".txt >> "$LOG_FILE" - fi - print_output "" - print_output "[*] SNMP scan with community name private" - snmpwalk -v2c -c private "$IP" .iso | tee "$LOG_PATH_MODULE"/snmapwalk-private-"$IP".txt - if [[ -f "$LOG_PATH_MODULE"/snmp-check-private-"$IP".txt ]]; then - cat "$LOG_PATH_MODULE"/snmpwalk-private-"$IP".txt >> "$LOG_FILE" - fi - fi - SNMP_UP=$(wc -l "$LOG_PATH_MODULE"/snmp* | tail -1 | awk '{print $1}') - - if [[ "$SNMP_UP" -gt 20 ]]; then - SNMP_UP=1 - else - SNMP_UP=0 - fi - - print_output "" - print_output "[*] SNMP tests for emulated system with IP $IP finished" -} - -check_live_nikto() { - sub_module_title "Nikto web checks for emulated system with IP $IP" - - NIKTO_UP=0 - 
NIKTO_DONE=0 - - if [[ "${#NMAP_PORTS[@]}" -gt 0 ]]; then - for PORT in "${NMAP_PORTS[@]}"; do - #PORT=$(echo "$SERVICE" | cut -d/ -f1 | tr -d "[:blank:]") - NIKTO_OPTS="-timeout 3 -nointeractive -maxtime 8m" - if [[ "$SERVICE" == *"ssl|http"* ]];then - #shellcheck disable=SC2086 - nikto $NIKTO_OPTS -ssl -port "$PORT" -host "$IP" | tee -a "$LOG_PATH_MODULE"/nikto-scan-"$IP".txt - NIKTO_DONE=1 - elif [[ "$SERVICE" == *"http"* ]];then - #shellcheck disable=SC2086 - nikto $NIKTO_OPTS -port "$PORT" -host "$IP" | tee -a "$LOG_PATH_MODULE"/nikto-scan-"$IP".txt - NIKTO_DONE=1 - fi - if [[ "$NIKTO_DONE" -eq 1 ]]; then - break - fi - done - if [[ -f "$LOG_PATH_MODULE"/nikto-scan-"$IP".txt ]]; then - cat "$LOG_PATH_MODULE"/nikto-scan-"$IP".txt >> "$LOG_FILE" - print_output "" - mapfile -t VERSIONS < <(grep "Server" "$LOG_PATH_MODULE"/nikto-scan-"$IP".txt | cut -d: -f2 | sort -u | grep -v "null" | sed 's/^\ //') - for VERSION in "${VERSIONS[@]}"; do - if [[ "$VERSION" != *"Server banner has changed from"* ]]; then - print_output "[+] Version information found ${RED}""$VERSION""${NC}${GREEN} in Nikto web server scanning logs." - fi - done - - mapfile -t VERSIONS < <(grep "Retrieved x-powered-by header" "$LOG_PATH_MODULE"/nikto-scan-"$IP".txt | cut -d: -f2 | sort -u | sed 's/^\ //') - for VERSION in "${VERSIONS[@]}"; do - print_output "[+] Version information found ${RED}""$VERSION""${NC}${GREEN} in Nikto web server scanning logs." 
- done
-
- print_output ""
- if [[ $(grep -c "+ [1-9] host(s) tested" "$LOG_PATH_MODULE"/nikto-scan-"$IP".txt || true) -gt 0 ]]; then
- NIKTO_UP=1
- fi
- fi
- fi
-
- print_output "[*] Nikto web checks for emulated system with IP $IP finished"
-}
-
-check_live_routersploit() {
- sub_module_title "Routersploit tests for emulated system with IP $IP"
-
- if [[ -f /tmp/routersploit.log ]]; then
- rm /tmp/routersploit.log
- fi
-
- timeout --preserve-status --signal SIGINT 300 "$EXT_DIR"/routersploit/rsf.py "$IP" 2>&1 | tee -a "$LOG_PATH_MODULE"/routersploit-"$IP".txt
-
- if [[ -f /tmp/routersploit.log ]]; then
- mv /tmp/routersploit.log "$LOG_PATH_MODULE"/routersploit-detail-"$IP".txt
- fi
-
- cat "$LOG_PATH_MODULE"/routersploit-"$IP".txt >> "$LOG_FILE"
- print_output ""
- print_output "[*] Routersploit tests for emulated system with IP $IP finished"
-}
-
From 82e191c0f14614997165776798f1d34af0981387 Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Tue, 26 Apr 2022 16:46:24 +0200
Subject: [PATCH 32/42] modules_local, docker
---
 docker-compose.yml | 2 ++
 emba.sh | 13 +++++++------
 2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 6c4e92d83..f8f8afc24 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -19,12 +19,14 @@ services:
 - /external/FirmAE_orig/scratch
 - /external/firmadyne_orig/scratch
 build: .
+ # dev is needed for the system emulator (L10)
 volumes:
 - ${FIRMWARE}/:/firmware:ro
 - ${LOG}/:/log
 - ${EMBA}/:/emba:ro
 - /etc/timezone:/etc/timezone:ro
 - /etc/localtime:/etc/localtime:ro
+ - /dev:/dev
 environment:
 - USER
 devices:
diff --git a/emba.sh b/emba.sh
index 297aede70..bd34e705e 100755
--- a/emba.sh
+++ b/emba.sh
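Review bot: `- /dev:/dev` bind-mounts the complete host device tree into the container, so every host disk, loop and device-mapper node becomes reachable from inside, which is a far larger grant than the explicit `devices:` list this service already carries (its entries lie outside the hunk); an emulated firmware image or a faulty extraction step writing through one of those nodes would damage the host, and the only justification recorded is the one-line `# dev is needed for the system emulator (L10)`. If L10 needs specific nodes, add them under `devices:` instead of the blanket mount; if the whole tree is genuinely required, extend the comment to say so and name the consequence, e.g. `# /dev is mounted wholesale for the system emulator (L10); this exposes all host block devices to the container — run only on a dedicated analysis host`.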
@@ -41,8 +41,8 @@ import_module()
 local MODULES_EMBA=()
 local MODULE_COUNT=0
 mapfile -t MODULES_EMBA < <(find "$MOD_DIR" -name "*.sh" | sort -V 2> /dev/null)
- if [[ -d "${MOD_DIR}_local" ]]; then
- mapfile -t MODULES_LOCAL < <(find "${MOD_DIR}_local" -name "*.sh" 2>/dev/null | sort -V 2> /dev/null)
+ if [[ -d "${MOD_DIR_LOCAL}" ]]; then
+ mapfile -t MODULES_LOCAL < <(find "${MOD_DIR_LOCAL}" -name "*.sh" 2>/dev/null | sort -V 2> /dev/null)
 fi
 MODULES=( "${MODULES_EMBA[@]}" "${MODULES_LOCAL[@]}" )
 for MODULE_FILE in "${MODULES[@]}" ; do
@@ -116,8 +116,8 @@ run_modules()
 local MODULES_LOCAL=()
 local MODULES_EMBA=()
 mapfile -t MODULES_EMBA < <(find "$MOD_DIR" -name "${MODULE_GROUP^^}""*_*.sh" | sort -V 2> /dev/null)
- if [[ -d "${MOD_DIR}_local" ]]; then
- mapfile -t MODULES_LOCAL < <(find "${MOD_DIR}_local" -name "${MODULE_GROUP^^}""*.sh" 2>/dev/null | sort -V 2> /dev/null)
+ if [[ -d "${MOD_DIR_LOCAL}" ]]; then
+ mapfile -t MODULES_LOCAL < <(find "${MOD_DIR_LOCAL}" -name "${MODULE_GROUP^^}""*.sh" 2>/dev/null | sort -V 2> /dev/null)
 fi
 MODULES=( "${MODULES_EMBA[@]}" "${MODULES_LOCAL[@]}" )
 if [[ $THREADING_SET -eq 1 && "${MODULE_GROUP^^}" != "P" ]] ; then
@@ -173,8 +173,8 @@ run_modules()
 local MODULES_LOCAL=()
 local MODULES_EMBA=()
 mapfile -t MODULES_EMBA < <(find "$MOD_DIR" -name "${MODULE_GROUP^^}""*_*.sh" | sort -V 2> /dev/null)
- if [[ -d "${MOD_DIR}_local" ]]; then
- mapfile -t MODULES_LOCAL < <(find "${MOD_DIR}_local" -name "${MODULE_GROUP^^}""*.sh" 2>/dev/null | sort -V 2> /dev/null)
+ if [[ -d "${MOD_DIR_LOCAL}" ]]; then
+ mapfile -t MODULES_LOCAL < <(find "${MOD_DIR_LOCAL}" -name "${MODULE_GROUP^^}""*.sh" 2>/dev/null | sort -V 2> /dev/null)
 fi
 MODULES=( "${MODULES_EMBA[@]}" "${MODULES_LOCAL[@]}" )
 if [[ $THREADING_SET -eq 1 ]] ; then
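Review bot: In the `import_module` hunk (`@@ -41`) `MODULES_LOCAL` is only assigned when `${MOD_DIR_LOCAL}` exists and no `local MODULES_LOCAL=()` is visible next to `local MODULES_EMBA=()`, whereas both `run_modules` hunks (`@@ -116`, `@@ -173`) declare it; unless it is declared just above the hunk, `MODULES=( "${MODULES_EMBA[@]}" "${MODULES_LOCAL[@]}" )` then expands an unset array (an error under `set -u` on bash before 4.4) or, worse, a global left over from an earlier call. Add `local MODULES_LOCAL=()` beside `local MODULES_EMBA=()` so all three call sites agree. The same four-line lookup is now pasted three times; a helper that prints the sorted list for a given name pattern, e.g. `find_local_modules "${MODULE_GROUP^^}*.sh"`, would keep the `modules_local` convention in one place. import_module and run_modules both continue outside these hunks.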
@@ -276,6 +276,7 @@ main()
 export EXT_DIR="$INVOCATION_PATH""/external"
 export HELP_DIR="$INVOCATION_PATH""/helpers"
 export MOD_DIR="$INVOCATION_PATH""/modules"
+ export MOD_DIR_LOCAL="$INVOCATION_PATH""/modules_local"
 export BASE_LINUX_FILES="$CONFIG_DIR""/linux_common_files.txt"
 export PATH_CVE_SEARCH="$EXT_DIR""/cve-search/bin/search.py"
 export MSF_PATH="/usr/share/metasploit-framework/modules/"
From 8df8a06bdfe2a001383d2e8f7dd71f80620d4357 Mon Sep 17 00:00:00 2001
From: m1k3
Date: Thu, 28 Apr 2022 15:48:47 +0200
Subject: [PATCH 33/42] installer updates
---
 installer/IL10_system_emulator.sh | 3 ++-
 installer/IL15_emulated_checks_init.sh | 1 +
 installer/IL21_firmae_system_emulator.sh | 2 ++
 installer/IL22_firmadyne_system_emulator.sh | 21 +++++++++++++++++---
 installer/IP60_fact_extractor.sh | 22 +++++++++++++++++++++
 5 files changed, 45 insertions(+), 4 deletions(-)
diff --git a/installer/IL10_system_emulator.sh b/installer/IL10_system_emulator.sh
index 93b54b151..6bc327272 100644
--- a/installer/IL10_system_emulator.sh
+++ b/installer/IL10_system_emulator.sh
@@ -36,6 +36,7 @@ IL10_system_emulator() {
 print_tool_info "qemu-system-mips" 1
 print_tool_info "qemu-system-x86" 1
 print_tool_info "qemu-utils" 1
+ print_tool_info "hping3" 1
 # future use:
 print_file_info "vmlinux.mipsel.2" "FirmAE - Linux kernel 2.6 - MIPSel" "https://github.com/pr0v3rbs/FirmAE_kernel-v2.6/releases/download/v1.0/vmlinux.mipsel.2" "external/firmae/binaries/vmlinux.mipsel.2"
@@ -115,7 +116,7 @@ IL10_system_emulator() {
 # patch network.sh:
 # shellcheck disable=SC2016
- sed 's/for FILE in `${BUSYBOX} find \/ -name "preinitMT" -o -name "preinit" -o -name "rcS"`/for FILE in `${BUSYBOX} find \/ -name "preinitMT" -o -name "preinit" -o -name "rcS" -o -name "rc.sysinit"`/' external/firmae/scripts/network.sh
+ sed -i 's/for FILE in `${BUSYBOX} find \/ -name "preinitMT" -o -name "preinit" -o -name "rcS"`/for FILE in `${BUSYBOX} find \/ -name "preinitMT" -o -name "preinit" -o -name "rcS" -o -name "rc.sysinit"`/' external/firmae/scripts/network.sh
 ;;
 esac
diff --git a/installer/IL15_emulated_checks_init.sh b/installer/IL15_emulated_checks_init.sh
index c83cbaca3..42e884373 100644
--- a/installer/IL15_emulated_checks_init.sh
+++ b/installer/IL15_emulated_checks_init.sh
@@ -59,6 +59,7 @@ IL15_emulated_checks_init() {
 fi
 python3 -m pip install -r requirements.txt
+ sed -i 's/routersploit\.log/\/tmp\/routersploit\.log/' ./rsf.py
 cd "$HOME_PATH" || exit 1
diff --git a/installer/IL21_firmae_system_emulator.sh b/installer/IL21_firmae_system_emulator.sh
index 925f56010..03f9436e2 100644
--- a/installer/IL21_firmae_system_emulator.sh
+++ b/installer/IL21_firmae_system_emulator.sh
@@ -54,6 +54,8 @@ IL21_firmae_system_emulator() {
 ./install.sh
 ./init.sh
+ /etc/init.d/postgresql stop
+
 cd "$HOME_PATH" || exit 1
 ;;
diff --git a/installer/IL22_firmadyne_system_emulator.sh b/installer/IL22_firmadyne_system_emulator.sh
index bb44fbaff..3b09a3d43 100644
--- a/installer/IL22_firmadyne_system_emulator.sh
+++ b/installer/IL22_firmadyne_system_emulator.sh
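Review bot: `sed -i` now really rewrites `external/firmae/scripts/network.sh`, but that file is fetched by `download_file` from the upstream `master` branch (see the `download_file "network.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/network.sh"` call earlier in this function) and `sed` exits 0 whether or not the pattern matched, so an upstream edit silently drops the `rc.sysinit` lookup from the emulation without any installer error. Pin the download to a tagged release or commit and check that the patch applied, e.g. `grep -q 'rc.sysinit' external/firmae/scripts/network.sh || echo "[-] network.sh patch did not apply" >&2`. IL10_system_emulator continues outside the hunk.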
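Review bot: Rewriting `rsf.py` so routersploit logs to `/tmp/routersploit.log` hard-codes a predictable name in a shared, world-writable directory, and the consumer of that file (the L15 module deleted in PATCH 31 did `rm` and `mv` on exactly that path) presumably runs with root privileges, so a pre-existing file or symlink at that path would be followed; a location under the module's log directory, or one created with `mktemp`, avoids that class of problem. The substitution is also applied blindly to an upstream file, so a `grep -q '/tmp/routersploit.log' ./rsf.py || echo "[-] rsf.py log path patch did not apply" >&2` after it would surface an upstream rename. A one-line comment such as `# make routersploit log to a fixed path so the emulation checks can collect it` would record why upstream is patched. IL15_emulated_checks_init continues outside the hunk.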
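Review bot: `/etc/init.d/postgresql stop` is added with no status handling and no comment, so a reader cannot tell why a system-wide service is stopped right after `./init.sh`, and if the installer runs under `set -e` (not visible here) a missing or already-stopped service aborts the module. Suggest `/etc/init.d/postgresql stop || true  # the FirmAE setup starts PostgreSQL; do not leave it running on the host (TODO confirm reason)`. IL21_firmae_system_emulator continues outside the hunk.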
@@ -22,6 +22,23 @@ IL22_firmadyne_system_emulator() {
 if [[ "$LIST_DEP" -eq 1 ]] || [[ $IN_DOCKER -eq 1 ]] || [[ $DOCKER_SETUP -eq 0 ]] || [[ $FULL -eq 1 ]]; then
 cd "$HOME_PATH" || exit 1
+ print_tool_info "busybox-static" 1
+ print_tool_info "fakeroot" 1
+ print_tool_info "git" 1
+ print_tool_info "dmsetup" 1
+ print_tool_info "kpartx" 1
+ print_tool_info "netcat-openbsd" 1
+ print_tool_info "nmap" 1
+ print_tool_info "python3-psycopg2" 1
+ print_tool_info "snmp" 1
+ print_tool_info "uml-utilities" 1
+ print_tool_info "util-linux" 1
+ print_tool_info "vlan" 1
+ print_tool_info "qemu-system-arm" 1
+ print_tool_info "qemu-system-mips" 1
+ print_tool_info "qemu-system-x86" 1
+ print_tool_info "qemu-utils" 1
+
 print_git_info "Firmadyne system mode emulator" "firmadyne/firmadyne" "FIRMADYNE is an automated and scalable system for performing emulation and dynamic analysis of Linux-based embedded firmware"
 echo -e "\\n""$MAGENTA""$BOLD""This is a temporary module which will be removed in the future without any further note!""$NC"
@@ -36,7 +53,7 @@ IL22_firmadyne_system_emulator() {
 case ${ANSWER:0:1} in
 y|Y )
- apt-get install busybox-static fakeroot git dmsetup kpartx netcat-openbsd nmap python3-psycopg2 snmp uml-utilities util-linux vlan
+ apt-get install "${INSTALL_APP_LIST[@]}" -y
 if ! [[ -d external/firmadyne_orig ]]; then
 git clone --recursive https://github.com/firmadyne/firmadyne.git external/firmadyne_orig
@@ -58,8 +75,6 @@ IL22_firmadyne_system_emulator() {
 fi
 ./download.sh
- apt-get install qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils
-
 cd "$HOME_PATH" || exit 1
 ;;
diff --git a/installer/IP60_fact_extractor.sh b/installer/IP60_fact_extractor.sh
index 44d2f6044..4dfb57672 100644
--- a/installer/IP60_fact_extractor.sh
+++ b/installer/IP60_fact_extractor.sh
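Review bot: `apt-get install "${INSTALL_APP_LIST[@]}" -y` depends on `print_tool_info` having appended each package listed in the first hunk to `INSTALL_APP_LIST`, but that array is neither declared nor reset anywhere in these hunks; if it is a global shared between installer modules, this call also installs whatever earlier modules queued, and if it is empty `apt-get` succeeds while installing nothing. Initialise it at the start of the function (`INSTALL_APP_LIST=()` before the `print_tool_info` calls, or `local -a INSTALL_APP_LIST=()` if the helper does not rely on it being global) so the list is exactly the sixteen packages above, which also keeps the qemu packages the removed second `apt-get install` used to pull in. IL22_firmadyne_system_emulator continues outside the hunks.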
@@ -33,6 +33,28 @@ IP60_fact_extractor() {
 case ${ANSWER:0:1} in
 y|Y )
 if ! [[ -d ./external/fact_extractor ]]; then
+
+ # This is a temporary solution as long as the installation via pip does not work
+ cd "$HOME_PATH" || exit 1
+ apt-get install curl
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > rustup
+ chmod +x rustup
+ ./rustup -y
+
+ git clone https://github.com/fkie-cad/entropython.git
+ cd entropython || exit 1
+
+ /root/.cargo/bin/cargo build --release
+ mv target/release/libentropython.so entropython.so
+ cp entropython.so /usr/local/lib/python3.10/dist-packages/
+ cd "$HOME_PATH" || exit 1
+
+ git clone https://github.com/fkie-cad/common_helper_unpacking_classifier.git
+ cd common_helper_unpacking_classifier/ || exit 1
+ sed -i "s/'entropython/#'entropython/" setup.py
+ pip install .
+ cd "$HOME_PATH" || exit 1
+
 # this is a temporary solution until the official fact repo supports a current kali linux
 git clone https://github.com/m-1-k-3/fact_extractor.git external/fact_extractor
 cd ./external/fact_extractor/fact_extractor/ || exit 1
From c98bf61a5f44d2007fa66f60345218554e848c36 Mon Sep 17 00:00:00 2001
From: m1k3
Date: Thu, 28 Apr 2022 15:53:06 +0200
Subject: [PATCH 34/42] installer updates
---
 installer/IP60_fact_extractor.sh | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/installer/IP60_fact_extractor.sh b/installer/IP60_fact_extractor.sh
index 4dfb57672..dd7f83909 100644
--- a/installer/IP60_fact_extractor.sh
+++ b/installer/IP60_fact_extractor.sh
@@ -15,6 +15,7 @@
 # Contributor(s): Stefan Haboeck, Nikolas Papaioannou
 # Description: Installs FACT-extractor for EMBA
+# FACT will be completely removed in the future
 IP60_fact_extractor() {
 module_title "${FUNCNAME[0]}"
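Review bot: The new block in IP60_fact_extractor saves `https://sh.rustup.rs` to a file and executes it with `./rustup -y`, then clones `entropython` and `common_helper_unpacking_classifier` from their default branches and installs the results system-wide; none of the three is pinned to a tag or commit or checked against a digest, so the installer's trust boundary is now three moving upstreams behind nothing but TLS. At minimum pin the clones (`git clone --branch <TAG_OR_COMMIT_PLACEHOLDER> https://github.com/fkie-cad/entropython.git`) and verify the rustup script before `chmod +x`, e.g. `echo "<SHA256_PLACEHOLDER>  rustup" | sha256sum -c - || exit 1`. Two smaller defects: `apt-get install curl` lacks `-y` (the IL22 change in this same commit uses `-y`) and can block an unattended install, and `cp entropython.so /usr/local/lib/python3.10/dist-packages/` together with `/root/.cargo/bin/cargo` hard-code an interpreter version and a home directory — `python3 -c 'import sysconfig; print(sysconfig.get_path("platlib"))'` and `"$HOME"/.cargo/bin/cargo` would survive a Python bump or a non-root `HOME`. IP60_fact_extractor continues outside the hunk.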
@@ -36,6 +37,8 @@ IP60_fact_extractor() {
 # This is a temporary solution as long as the installation via pip does not work
 cd "$HOME_PATH" || exit 1
+ cd external || exit 1
+
 apt-get install curl
 curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > rustup
 chmod +x rustup
@@ -47,20 +50,23 @@ IP60_fact_extractor() {
 /root/.cargo/bin/cargo build --release
 mv target/release/libentropython.so entropython.so
 cp entropython.so /usr/local/lib/python3.10/dist-packages/
- cd "$HOME_PATH" || exit 1
+ cd .. || exit 1
 git clone https://github.com/fkie-cad/common_helper_unpacking_classifier.git
 cd common_helper_unpacking_classifier/ || exit 1
 sed -i "s/'entropython/#'entropython/" setup.py
 pip install .
- cd "$HOME_PATH" || exit 1
+ cd .. || exit 1
- # this is a temporary solution until the official fact repo supports a current kali linux
+ # this is a temporary solution until the official FACT repo supports a current kali linux
 git clone https://github.com/m-1-k-3/fact_extractor.git external/fact_extractor
 cd ./external/fact_extractor/fact_extractor/ || exit 1
 ./install/pre_install.sh
 python3 ./install.py
+ cd "$HOME_PATH" || exit 1
+ # cleanup
+ rm ./external/rustup
 fi
 if python3 ./external/fact_extractor/fact_extractor/fact_extract.py -h | grep -q "FACT extractor - Standalone extraction utility"; then
From a507fd7e65f81137f9ee61501959be2ab5a88e71 Mon Sep 17 00:00:00 2001
From: m1k3
Date: Thu, 28 Apr 2022 15:59:21 +0200
Subject: [PATCH 35/42] :)
---
 config/msf_cve-db.txt | 29 +++++++++++++++++++++++++++--
 installer/IF20_cve_search.sh | 1 -
 2 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/config/msf_cve-db.txt b/config/msf_cve-db.txt
index 35c1f0a56..138a93960 100644
--- a/config/msf_cve-db.txt
+++ b/config/msf_cve-db.txt
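Review bot: After the new `cd external || exit 1` in the `@@ -36` hunk, both replaced `cd .. || exit 1` lines in the `@@ -47` hunk return to `$HOME_PATH/external`, not `$HOME_PATH`, so the unchanged `git clone https://github.com/m-1-k-3/fact_extractor.git external/fact_extractor` now lands in `$HOME_PATH/external/external/fact_extractor`; the relative `cd ./external/fact_extractor/fact_extractor/` still succeeds from there, but after the added `cd "$HOME_PATH"` the context-line check `python3 ./external/fact_extractor/fact_extractor/fact_extract.py -h` looks in the old location and fails (unless a `cd` between the two hunks, not visible here, changes the directory). Either clone with an absolute target, `git clone https://github.com/m-1-k-3/fact_extractor.git "$HOME_PATH"/external/fact_extractor`, or restore `cd "$HOME_PATH" || exit 1` before the clone as the removed line did. IP60_fact_extractor continues outside these hunks.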
@@ -77,6 +77,7 @@ /usr/share/metasploit-framework/modules/auxiliary/admin/http/wp_easycart_privilege_escalation.rb:CVE-2015-2673 /usr/share/metasploit-framework/modules/auxiliary/admin/http/wp_gdpr_compliance_privesc.rb:CVE-2018-19207 /usr/share/metasploit-framework/modules/auxiliary/admin/http/wp_google_maps_sqli.rb:CVE-2019-10692 +/usr/share/metasploit-framework/modules/auxiliary/admin/http/wp_masterstudy_privesc.rb:CVE-2022-0441 /usr/share/metasploit-framework/modules/auxiliary/admin/http/wp_symposium_sql_injection.rb:CVE-2015-6522 /usr/share/metasploit-framework/modules/auxiliary/admin/kerberos/ms14_068_kerberos_checksum.rb:CVE-2014-6324 /usr/share/metasploit-framework/modules/auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass.rb:CVE-2020-3952 @@ -189,6 +190,7 @@ /usr/share/metasploit-framework/modules/auxiliary/dos/windows/ftp/winftp230_nlst.rb:CVE-2008-5666 /usr/share/metasploit-framework/modules/auxiliary/dos/windows/ftp/xmeasy560_nlst.rb:CVE-2008-5626 /usr/share/metasploit-framework/modules/auxiliary/dos/windows/ftp/xmeasy570_nlst.rb:CVE-2008-5626 +/usr/share/metasploit-framework/modules/auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166.rb:CVE-2021-31166 /usr/share/metasploit-framework/modules/auxiliary/dos/windows/http/ms10_065_ii6_asp_dos.rb:CVE-2010-1899 /usr/share/metasploit-framework/modules/auxiliary/dos/windows/http/pi3web_isapi.rb:CVE-2008-6938 /usr/share/metasploit-framework/modules/auxiliary/dos/windows/llmnr/ms11_030_dnsapi.rb:CVE-2011-0657 
@@ -233,6 +235,8 @@ /usr/share/metasploit-framework/modules/auxiliary/gather/exchange_proxylogon_collector.rb:CVE-2021-26855 /usr/share/metasploit-framework/modules/auxiliary/gather/firefox_pdfjs_file_theft.rb:CVE-2015-4495 /usr/share/metasploit-framework/modules/auxiliary/gather/flash_rosetta_jsonp_url_disclosure.rb:CVE-2014-4671 +/usr/share/metasploit-framework/modules/auxiliary/gather/grandstream_ucm62xx_sql_account_guess.rb:CVE-2020-5723 +/usr/share/metasploit-framework/modules/auxiliary/gather/grandstream_ucm62xx_sql_account_guess.rb:CVE-2020-5724 /usr/share/metasploit-framework/modules/auxiliary/gather/huawei_wifi_info.rb:CVE-2013-6031 /usr/share/metasploit-framework/modules/auxiliary/gather/ibm_sametime_enumerate_users.rb:CVE-2013-3975 /usr/share/metasploit-framework/modules/auxiliary/gather/ibm_sametime_room_brute.rb:CVE-2013-3977 @@ -275,6 +279,7 @@ /usr/share/metasploit-framework/modules/auxiliary/scanner/chargen/chargen_probe.rb:CVE-1999-0103 /usr/share/metasploit-framework/modules/auxiliary/scanner/couchdb/couchdb_enum.rb:CVE-2017-12635 /usr/share/metasploit-framework/modules/auxiliary/scanner/db2/db2_auth.rb:CVE-1999-0502 +/usr/share/metasploit-framework/modules/auxiliary/scanner/dcerpc/petitpotam.rb:CVE-2021-36942 /usr/share/metasploit-framework/modules/auxiliary/scanner/dlsw/dlsw_leak_capture.rb:CVE-2014-7992 /usr/share/metasploit-framework/modules/auxiliary/scanner/dns/dns_amp.rb:CVE-2006-0987 /usr/share/metasploit-framework/modules/auxiliary/scanner/dns/dns_amp.rb:CVE-2006-0988 
@@ -328,6 +333,7 @@ /usr/share/metasploit-framework/modules/auxiliary/scanner/http/exchange_web_server_pushsubscription.rb:CVE-2019-0724 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/fortimail_login_bypass_detection.rb:CVE-2020-9294 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/gavazzi_em_login_loot.rb:CVE-2017-5146 +/usr/share/metasploit-framework/modules/auxiliary/scanner/http/gitlab_graphql_user_enum.rb:CVE-2021-4191 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/glassfish_login.rb:CVE-2011-0807 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/glassfish_traversal.rb:CVE-2017-1000028 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/goahead_traversal.rb:CVE-2014-9707 @@ -373,6 +379,7 @@ /usr/share/metasploit-framework/modules/auxiliary/scanner/http/nagios_xi_scanner.rb:CVE-2020-35578 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/nagios_xi_scanner.rb:CVE-2020-5791 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/nagios_xi_scanner.rb:CVE-2020-5792 +/usr/share/metasploit-framework/modules/auxiliary/scanner/http/nagios_xi_scanner.rb:CVE-2021-37343 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/netdecision_traversal.rb:CVE-2012-1465 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/nginx_source_disclosure.rb:CVE-2010-2263 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/novell_file_reporter_fsfui_fileaccess.rb:CVE-2012-4958 
@@ -428,7 +435,9 @@ /usr/share/metasploit-framework/modules/auxiliary/scanner/http/wp_email_sub_news_sqli.rb:CVE-2019-20361 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/wp_learnpress_sqli.rb:CVE-2020-6010 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/wp_loginizer_log_sqli.rb:CVE-2020-27615 +/usr/share/metasploit-framework/modules/auxiliary/scanner/http/wp_modern_events_calendar_sqli.rb:CVE-2021-24946 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/wp_registrationmagic_sqli.rb:CVE-2021-24862 +/usr/share/metasploit-framework/modules/auxiliary/scanner/http/wp_secure_copy_content_protection_sqli.rb:CVE-2021-24931 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/wp_wps_hide_login_revealer.rb:CVE-2021-24917 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/yaws_traversal.rb:CVE-2011-4350 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/zenworks_assetmanagement_fileaccess.rb:CVE-2012-4933 
@@ -676,10 +685,11 @@ /usr/share/metasploit-framework/modules/exploits/linux/http/goautodial_3_rce_command_injection.rb:CVE-2015-2843 /usr/share/metasploit-framework/modules/exploits/linux/http/goautodial_3_rce_command_injection.rb:CVE-2015-2845 /usr/share/metasploit-framework/modules/exploits/linux/http/gpsd_format_string.rb:CVE-2004-1388 -/usr/share/metasploit-framework/modules/exploits/linux/http/grandstream_gxv3175_settimezone_unauth_cmd_exec.rb:CVE-2019-10655 +/usr/share/metasploit-framework/modules/exploits/linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec.rb:CVE-2019-10655 /usr/share/metasploit-framework/modules/exploits/linux/http/grandstream_ucm62xx_sendemail_rce.rb:CVE-2020-5722 /usr/share/metasploit-framework/modules/exploits/linux/http/gravcms_exec.rb:CVE-2021-21425 /usr/share/metasploit-framework/modules/exploits/linux/http/groundwork_monarch_cmd_exec.rb:CVE-2013-3502 +/usr/share/metasploit-framework/modules/exploits/linux/http/hikvision_cve_2021_36260_blind.rb:CVE-2021-36260 /usr/share/metasploit-framework/modules/exploits/linux/http/ibm_drm_rce.rb:CVE-2020-4427 /usr/share/metasploit-framework/modules/exploits/linux/http/ibm_drm_rce.rb:CVE-2020-4428 /usr/share/metasploit-framework/modules/exploits/linux/http/ibm_drm_rce.rb:CVE-2020-4429 
@@ -708,6 +718,7 @@ /usr/share/metasploit-framework/modules/exploits/linux/http/mobileiron_mdm_hessian_rce.rb:CVE-2020-15505 /usr/share/metasploit-framework/modules/exploits/linux/http/multi_ncc_ping_exec.rb:CVE-2015-1187 /usr/share/metasploit-framework/modules/exploits/linux/http/mutiny_frontend_upload.rb:CVE-2013-0136 +/usr/share/metasploit-framework/modules/exploits/linux/http/nagios_xi_autodiscovery_webshell.rb:CVE-2021-37343 /usr/share/metasploit-framework/modules/exploits/linux/http/nagios_xi_chained_rce_2_electric_boogaloo.rb:CVE-2018-8733 /usr/share/metasploit-framework/modules/exploits/linux/http/nagios_xi_chained_rce_2_electric_boogaloo.rb:CVE-2018-8734 /usr/share/metasploit-framework/modules/exploits/linux/http/nagios_xi_chained_rce_2_electric_boogaloo.rb:CVE-2018-8735 @@ -822,6 +833,8 @@ /usr/share/metasploit-framework/modules/exploits/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe.rb:CVE-2021-3490 /usr/share/metasploit-framework/modules/exploits/linux/local/cve_2021_3493_overlayfs.rb:CVE-2021-3493 /usr/share/metasploit-framework/modules/exploits/linux/local/cve_2021_38648_omigod.rb:CVE-2021-38648 +/usr/share/metasploit-framework/modules/exploits/linux/local/cve_2021_4034_pwnkit_lpe_pkexec.rb:CVE-2021-4034 +/usr/share/metasploit-framework/modules/exploits/linux/local/cve_2022_0847_dirtypipe.rb:CVE-2022-0847 /usr/share/metasploit-framework/modules/exploits/linux/local/docker_runc_escape.rb:CVE-2019-5736 /usr/share/metasploit-framework/modules/exploits/linux/local/exim4_deliver_message_priv_esc.rb:CVE-2019-10149 /usr/share/metasploit-framework/modules/exploits/linux/local/glibc_ld_audit_dso_load_priv_esc.rb:CVE-2010-3847 
@@ -938,6 +951,7 @@ /usr/share/metasploit-framework/modules/exploits/multi/browser/chrome_object_create.rb:CVE-2018-17463 /usr/share/metasploit-framework/modules/exploits/multi/browser/chrome_simplifiedlowering_overflow.rb:CVE-2020-16040 /usr/share/metasploit-framework/modules/exploits/multi/browser/firefox_escape_retval.rb:CVE-2009-2477 +/usr/share/metasploit-framework/modules/exploits/multi/browser/firefox_jit_use_after_free.rb:CVE-2020-26950 /usr/share/metasploit-framework/modules/exploits/multi/browser/firefox_pdfjs_privilege_escalation.rb:CVE-2015-0802 /usr/share/metasploit-framework/modules/exploits/multi/browser/firefox_pdfjs_privilege_escalation.rb:CVE-2015-0816 /usr/share/metasploit-framework/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb:CVE-2012-3993 @@ -984,6 +998,8 @@ /usr/share/metasploit-framework/modules/exploits/multi/ftp/wuftpd_site_exec_format.rb:CVE-2000-0573 /usr/share/metasploit-framework/modules/exploits/multi/http/activecollab_chat.rb:CVE-2012-6554 /usr/share/metasploit-framework/modules/exploits/multi/http/apache_activemq_upload_jsp.rb:CVE-2016-3088 +/usr/share/metasploit-framework/modules/exploits/multi/http/apache_apisix_api_default_token_rce.rb:CVE-2020-13945 +/usr/share/metasploit-framework/modules/exploits/multi/http/apache_apisix_api_default_token_rce.rb:CVE-2022-24112 /usr/share/metasploit-framework/modules/exploits/multi/http/apache_jetspeed_file_upload.rb:CVE-2016-0709 /usr/share/metasploit-framework/modules/exploits/multi/http/apache_jetspeed_file_upload.rb:CVE-2016-0710 /usr/share/metasploit-framework/modules/exploits/multi/http/apache_mod_cgi_bash_env_exec.rb:CVE-2014-6271 
@@ -1135,6 +1151,7 @@ /usr/share/metasploit-framework/modules/exploits/multi/http/sonicwall_gms_upload.rb:CVE-2013-1359 /usr/share/metasploit-framework/modules/exploits/multi/http/sonicwall_scrutinizer_methoddetail_sqli.rb:CVE-2014-4977 /usr/share/metasploit-framework/modules/exploits/multi/http/splunk_mappy_exec.rb:CVE-2011-4642 +/usr/share/metasploit-framework/modules/exploits/multi/http/spring_cloud_function_spel_injection.rb:CVE-2022-22963 /usr/share/metasploit-framework/modules/exploits/multi/http/struts2_code_exec_showcase.rb:CVE-2017-9791 /usr/share/metasploit-framework/modules/exploits/multi/http/struts2_content_type_ognl.rb:CVE-2017-5638 /usr/share/metasploit-framework/modules/exploits/multi/http/struts2_multi_eval_ognl.rb:CVE-2019-0230 @@ -1232,6 +1249,7 @@ /usr/share/metasploit-framework/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname_loop.rb:CVE-2010-0304 /usr/share/metasploit-framework/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname.rb:CVE-2010-0304 /usr/share/metasploit-framework/modules/exploits/multi/ntp/ntp_overflow.rb:CVE-2001-0414 +/usr/share/metasploit-framework/modules/exploits/multi/php/ignition_laravel_debug_rce.rb:CVE-2021-3129 /usr/share/metasploit-framework/modules/exploits/multi/php/php_unserialize_zval_cookie.rb:CVE-2007-1286 /usr/share/metasploit-framework/modules/exploits/multi/php/wp_duplicator_code_inject.rb:CVE-2018-17207 /usr/share/metasploit-framework/modules/exploits/multi/postgres/postgres_copy_from_program_cmd_exec.rb:CVE-2019-9193 
@@ -1252,6 +1270,7 @@ /usr/share/metasploit-framework/modules/exploits/osx/arkeia/type77.rb:CVE-2005-0491 /usr/share/metasploit-framework/modules/exploits/osx/browser/adobe_flash_delete_range_tl_op.rb:CVE-2016-4117 /usr/share/metasploit-framework/modules/exploits/osx/browser/osx_gatekeeper_bypass.rb:CVE-2021-30657 +/usr/share/metasploit-framework/modules/exploits/osx/browser/osx_gatekeeper_bypass.rb:CVE-2022-22616 /usr/share/metasploit-framework/modules/exploits/osx/browser/safari_file_policy.rb:CVE-2011-3230 /usr/share/metasploit-framework/modules/exploits/osx/browser/safari_in_operator_side_effect.rb:CVE-2020-9801 /usr/share/metasploit-framework/modules/exploits/osx/browser/safari_in_operator_side_effect.rb:CVE-2020-9850 @@ -1314,6 +1333,7 @@ /usr/share/metasploit-framework/modules/exploits/unix/http/laravel_token_unserialize_exec.rb:CVE-2018-15133 /usr/share/metasploit-framework/modules/exploits/unix/http/lifesize_room.rb:CVE-2011-2763 /usr/share/metasploit-framework/modules/exploits/unix/http/pfsense_clickjacking.rb:CVE-2017-1000479 +/usr/share/metasploit-framework/modules/exploits/unix/http/pfsense_diag_routes_webshell.rb:CVE-2021-41282 /usr/share/metasploit-framework/modules/exploits/unix/http/pfsense_graph_injection_exec.rb:CVE-2016-10709 /usr/share/metasploit-framework/modules/exploits/unix/http/pihole_blocklist_exec.rb:CVE-2020-11108 /usr/share/metasploit-framework/modules/exploits/unix/http/pihole_dhcp_mac_exec.rb:CVE-2020-8816 
@@ -1920,6 +1940,7 @@ /usr/share/metasploit-framework/modules/exploits/windows/http/ektron_xslt_exec.rb:CVE-2012-5357 /usr/share/metasploit-framework/modules/exploits/windows/http/ektron_xslt_exec_ws.rb:CVE-2015-0923 /usr/share/metasploit-framework/modules/exploits/windows/http/ericom_access_now_bof.rb:CVE-2014-3913 +/usr/share/metasploit-framework/modules/exploits/windows/http/exchange_chainedserializationbinder_denylist_typo_rce.rb:CVE-2021-42321 /usr/share/metasploit-framework/modules/exploits/windows/http/exchange_ecp_dlp_policy.rb:CVE-2020-16875 /usr/share/metasploit-framework/modules/exploits/windows/http/exchange_ecp_dlp_policy.rb:CVE-2020-17132 /usr/share/metasploit-framework/modules/exploits/windows/http/exchange_ecp_viewstate.rb:CVE-2020-0688 
@@ -2102,9 +2123,12 @@
 /usr/share/metasploit-framework/modules/exploits/windows/local/cve_2020_1313_system_orchestrator.rb:CVE-2020-1313
 /usr/share/metasploit-framework/modules/exploits/windows/local/cve_2020_1337_printerdemon.rb:CVE-2020-1337
 /usr/share/metasploit-framework/modules/exploits/windows/local/cve_2020_17136.rb:CVE-2020-17136
-/usr/share/metasploit-framework/modules/exploits/windows/local/cve_2021_1732_win32k.rb:CVE-2021-1732
 /usr/share/metasploit-framework/modules/exploits/windows/local/cve_2021_21551_dbutil_memmove.rb:CVE-2021-21551
 /usr/share/metasploit-framework/modules/exploits/windows/local/cve_2021_40449.rb:CVE-2021-40449
+/usr/share/metasploit-framework/modules/exploits/windows/local/cve_2022_21882_win32k.rb:CVE-2021-1732
+/usr/share/metasploit-framework/modules/exploits/windows/local/cve_2022_21882_win32k.rb:CVE-2022-21882
+/usr/share/metasploit-framework/modules/exploits/windows/local/cve_2022_21999_spoolfool_privesc.rb:CVE-2022-21999
+/usr/share/metasploit-framework/modules/exploits/windows/local/cve_2022_26904_superprofile.rb:CVE-2022-26904
 /usr/share/metasploit-framework/modules/exploits/windows/local/docker_credential_wincred.rb:CVE-2019-15752
 /usr/share/metasploit-framework/modules/exploits/windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc.rb:CVE-2019-3999
 /usr/share/metasploit-framework/modules/exploits/windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc.rb:CVE-2020-5752
@@ -2180,6 +2204,7 @@
 /usr/share/metasploit-framework/modules/exploits/windows/misc/cloudme_sync.rb:CVE-2018-6892
 /usr/share/metasploit-framework/modules/exploits/windows/misc/commvault_cmd_exec.rb:CVE-2017-18044
 /usr/share/metasploit-framework/modules/exploits/windows/misc/crosschex_device_bof.rb:CVE-2019-12518
+/usr/share/metasploit-framework/modules/exploits/windows/misc/cve_2022_28381_allmediaserver_bof.rb:CVE-2022-28381
 /usr/share/metasploit-framework/modules/exploits/windows/misc/disk_savvy_adm.rb:CVE-2018-6481
 /usr/share/metasploit-framework/modules/exploits/windows/misc/doubletake.rb:CVE-2008-1661
 /usr/share/metasploit-framework/modules/exploits/windows/misc/eiqnetworks_esa.rb:CVE-2006-3838
diff --git a/installer/IF20_cve_search.sh b/installer/IF20_cve_search.sh
index 368d6c347..ad4e33cef 100644
--- a/installer/IF20_cve_search.sh
+++ b/installer/IF20_cve_search.sh
@@ -19,7 +19,6 @@ IF20_cve_search() {
 module_title "${FUNCNAME[0]}"
-
 if [[ "$LIST_DEP" -eq 1 ]] || [[ $IN_DOCKER -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]] || [[ $CVE_SEARCH -eq 1 ]] || [[ $FULL -eq 1 ]]; then
 print_git_info "trickest cve database" "trickest/cve" "Trickest CVE to github exploit database"
From 30308a694b3086309e2f52e611ec8630208edf17 Mon Sep 17 00:00:00 2001
From: m1k3
Date: Thu, 28 Apr 2022 16:07:41 +0200
Subject: [PATCH 36/42] wording
---
 docker-compose.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index f8f8afc24..aba13889b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,11 +5,9 @@ services:
 read_only: true
 # all pre-checker mount modules need privileged mode
 privileged: true
- # future:
- # privileged: false
 # /root is needed for binwalk
 # /tmp is needed for FACT extractor
- # /run is needed for postgresql and others
+ # /run is needed for postgresql (currently only working with rw) and others
 # /external/FirmAE_orig/scratch is needed for FirmAE - this is temp and will be removed in the future
 tmpfs:
 - /tmp
From 9fee6ddaa6f813a2a30e97133567455069b95df5 Mon Sep 17 00:00:00 2001
From: m1k3
Date: Fri, 29 Apr 2022 09:20:37 +0200
Subject: [PATCH 37/42] removed FACT for initial decompress (P05)
---
 helpers/helpers_emba_dependency_check.sh | 7 +-
 installer/IL10_system_emulator.sh | 4 +-
 installer/IL22_firmadyne_system_emulator.sh | 2 +-
 installer/IP00_extractors.sh | 1 +
 installer/IP60_fact_extractor.sh | 17 +++--
 modules/P02_firmware_bin_file_check.sh | 12 ++--
 modules/P05_fact_init.sh | 72 ---------------------
 modules/P05_patools_init.sh | 70 ++++++++++++++++++++
 8 files changed, 96 insertions(+), 89 deletions(-)
 delete mode 100755 modules/P05_fact_init.sh
 create mode 100755 modules/P05_patools_init.sh
diff --git a/helpers/helpers_emba_dependency_check.sh b/helpers/helpers_emba_dependency_check.sh
index 97f793518..97ff31d9a 100755
--- a/helpers/helpers_emba_dependency_check.sh
+++ b/helpers/helpers_emba_dependency_check.sh
@@ -305,7 +305,7 @@ dependency_check()
 check_dep_file "EnGenius decryptor" "$EXT_DIR""/engenius-decrypt.py"
 # Android payload.bin extractor
- #check_dep_file "Android payload.bin extractor" "$EXT_DIR""/payload_dumper/payload_dumper.py"
+ check_dep_file "Android payload.bin extractor" "$EXT_DIR""/payload_dumper/payload_dumper.py"
 # CVE-search
 # TODO change to portcheck and write one for external hosts
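Review bot: Removing the `# future:` / `# privileged: false` lines deletes the only hint in this file that `privileged: true` is a known gap, while `read_only: true` a few lines above still reads as a hardening measure; a privileged container can mount devices and reach most of the host kernel surface regardless of the read-only root, so the two settings should not be taken as defense in depth. I would replace the deleted lines with a tracking note rather than drop them, e.g. `# privileged is needed by the pre-checker mount modules and largely negates read_only - TODO: replace with explicit cap_add/devices`. The new `(currently only working with rw)` remark on /run would fit the same note so the follow-up has a concrete exit condition.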
@@ -335,7 +335,7 @@ dependency_check()
 check_dep_tool "Qemu system emulator MIPSel" "qemu-system-mipsel"
 # routersploit for full system emulation
- #check_dep_file "Routersploit installation" "$EXT_DIR""/routersploit/rsf.py"
+ check_dep_file "Routersploit installation" "$EXT_DIR""/routersploit/rsf.py"
 fi
 # CVE searchsploit
@@ -408,6 +408,9 @@ dependency_check()
 # yara
 check_dep_tool "yara"
+ # patool extractor - https://wummel.github.io/patool/
+ check_dep_tool "patool"
+
 # stacs - https://github.com/stacscan/stacs
 check_dep_tool "STACS hash detection" "stacs"
diff --git a/installer/IL10_system_emulator.sh b/installer/IL10_system_emulator.sh
index 6bc327272..e17d113a6 100644
--- a/installer/IL10_system_emulator.sh
+++ b/installer/IL10_system_emulator.sh
@@ -114,9 +114,9 @@ IL10_system_emulator() {
 download_file "run_service.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/run_service.sh" "external/firmae/scripts/run_service.sh"
 download_file "inferFile.sh" "https://raw.githubusercontent.com/pr0v3rbs/FirmAE/master/scripts/inferFile.sh" "external/firmae/scripts/inferFile.sh"
- # patch network.sh:
+ # patch inferFile.sh:
 # shellcheck disable=SC2016
- sed -i 's/for FILE in `${BUSYBOX} find \/ -name "preinitMT" -o -name "preinit" -o -name "rcS"`/for FILE in `${BUSYBOX} find \/ -name "preinitMT" -o -name "preinit" -o -name "rcS" -o -name "rc.sysinit"`/' external/firmae/scripts/network.sh
+ sed -i 's/for FILE in `${BUSYBOX} find \/ -name "preinitMT" -o -name "preinit" -o -name "rcS"`/for FILE in `${BUSYBOX} find \/ -name "preinitMT" -o -name "preinit" -o -name "rcS" -o -name "rc.sysinit"`/' external/firmae/scripts/inferFile.sh
 ;;
 esac
diff --git a/installer/IL22_firmadyne_system_emulator.sh b/installer/IL22_firmadyne_system_emulator.sh
index 3b09a3d43..d3067ba6a 100644
--- a/installer/IL22_firmadyne_system_emulator.sh
+++ b/installer/IL22_firmadyne_system_emulator.sh
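Review bot: The corrected `sed -i` now targets `external/firmae/scripts/inferFile.sh`, but the two `download_file` context lines above fetch that script from the `master` branch of the FirmAE repository with no pinned commit and no checksum, so any upstream edit to the `find` line turns the substitution into a silent no-op and the `rc.sysinit` support disappears without an error. I would pin the raw URLs to a commit and verify the patch actually applied, e.g. `grep -q 'rc.sysinit' external/firmae/scripts/inferFile.sh || echo "[-] inferFile.sh patch did not apply"`. Pinning also closes the supply-chain gap of running whatever master serves on install day inside the emulation environment; what consumes these scripts is outside this hunk, so treat that as inferred.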
@@ -71,7 +71,7 @@ IL22_firmadyne_system_emulator() {
 #sudo -u postgres psql -d firmware < ./firmadyne/database/schema
 if [[ "$IN_DOCKER" -eq 1 ]] && [[ -f /external/firmadyne_orig/firmadyne.config ]]; then
- sed -i 's/^FIRMWARE_DIR.*/FIRMWARE_DIR=\/external\/firmadyne_orig\//g' /external/firmadyne_orig/firmadyne.config
+ sed -i 's/^#FIRMWARE_DIR.*/FIRMWARE_DIR=\/external\/firmadyne_orig\//g' /external/firmadyne_orig/firmadyne.config
 fi
 ./download.sh
diff --git a/installer/IP00_extractors.sh b/installer/IP00_extractors.sh
index 66c052bdc..6515535d0 100644
--- a/installer/IP00_extractors.sh
+++ b/installer/IP00_extractors.sh
@@ -21,6 +21,7 @@ IP00_extractors(){
 if [[ "$LIST_DEP" -eq 1 ]] || [[ $IN_DOCKER -eq 1 ]] || [[ $DOCKER_SETUP -eq 0 ]] || [[ $FULL -eq 1 ]] ; then
 print_tool_info "python3-pip" 1
+ print_tool_info "patool" 1
 print_pip_info "protobuf"
 print_pip_info "bsdiff4"
 print_git_info "payload_dumper" "vm03/payload_dumper" "Android OTA payload.bin extractor"
diff --git a/installer/IP60_fact_extractor.sh b/installer/IP60_fact_extractor.sh
index dd7f83909..adb7fe227 100644
--- a/installer/IP60_fact_extractor.sh
+++ b/installer/IP60_fact_extractor.sh
@@ -35,15 +35,22 @@ IP60_fact_extractor() {
 y|Y )
 if ! [[ -d ./external/fact_extractor ]]; then
- # This is a temporary solution as long as the installation via pip does not work
+ # Note: This is a temporary solution until the official FACT repo supports a current kali linux
+ # Note: This is a temporary solution as long as the installation via pip does not work
 cd "$HOME_PATH" || exit 1
 cd external || exit 1
 apt-get install curl
+ # get the FACT base repository:
+ git clone https://github.com/m-1-k-3/fact_extractor.git external/fact_extractor
+ cd ./external/fact_extractor/ || exit 1
+
+ # for entropython we need rust:
 curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > rustup
 chmod +x rustup
 ./rustup -y
+ # entropython is currently not available via pip:
 git clone https://github.com/fkie-cad/entropython.git
 cd entropython || exit 1
@@ -52,21 +59,19 @@ IP60_fact_extractor() {
 cp entropython.so /usr/local/lib/python3.10/dist-packages/
 cd .. || exit 1
+ # now it is possible to build conmmon_helper_unpacking_classifier (without entropython - which is already installed):
 git clone https://github.com/fkie-cad/common_helper_unpacking_classifier.git
 cd common_helper_unpacking_classifier/ || exit 1
 sed -i "s/'entropython/#'entropython/" setup.py
 pip install .
- cd .. || exit 1
- # this is a temporary solution until the official FACT repo supports a current kali linux
- git clone https://github.com/m-1-k-3/fact_extractor.git external/fact_extractor
+ cd "$HOME_PATH" || exit 1
 cd ./external/fact_extractor/fact_extractor/ || exit 1
 ./install/pre_install.sh
 python3 ./install.py
+ rm rustup
 cd "$HOME_PATH" || exit 1
- # cleanup
- rm ./external/rustup
 fi
 if python3 ./external/fact_extractor/fact_extractor/fact_extract.py -h | grep -q "FACT extractor - Standalone extraction utility"; then
diff --git a/modules/P02_firmware_bin_file_check.sh b/modules/P02_firmware_bin_file_check.sh
index f303802a3..5fcd046d4 100755
--- a/modules/P02_firmware_bin_file_check.sh
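Review bot: The block now clones `https://github.com/m-1-k-3/fact_extractor.git` (a personal fork) and `fkie-cad/entropython` without pinning a commit, and the surrounding context still does `curl ... https://sh.rustup.rs > rustup` followed by `./rustup -y`, so the toolchain that ends up on the host is whatever those three endpoints serve on the day the installer runs, executed with the same privileges as the `apt-get install` on the line above. At minimum pin the clones (`git -C external/fact_extractor checkout <sha>`) and check the downloaded rustup script against a recorded `sha256sum` before running it, or install rustc/cargo from the distribution packages instead. The hunks also hard-code `/usr/local/lib/python3.10/dist-packages/` for the entropython copy, which will silently miss on any other Python minor version; `python3 -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])'` would give the right target. The enclosing case arm continues outside the hunk.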
+++ b/modules/P02_firmware_bin_file_check.sh
@@ -35,7 +35,7 @@ P02_firmware_bin_file_check() {
 export GPG_COMPRESS=0
 export QNAP_ENC_DETECTED=0
 export BSD_UFS=0
- export FACT_INIT=0
+ export PATOOLS_INIT=0
 export ANDROID_OTA=0
 if [[ -f "$FIRMWARE_PATH" ]]; then
@@ -83,7 +83,7 @@ fw_bin_detector() {
 local DLINK_ENC_CHECK
 local AVM_CHECK
- export FACT_INIT=0
+ export PATOOLS_INIT=0
 export VMDK_DETECTED=0
 export DLINK_ENC_DETECTED=0
 export QNAP_ENC_DETECTED=0
@@ -105,12 +105,12 @@ fw_bin_detector() {
 print_output "[*] Identified AVM firmware - using AVM extraction module"
 export AVM_DETECTED=1
 fi
- # if we have a zip, tgz, tar archive we are going to use the FACT extractor
- if [[ "$FILE_BIN_OUT" == *"gzip compressed data"* || "$FILE_BIN_OUT" == *"Zip archive data"* || "$FILE_BIN_OUT" == *"POSIX tar archive"* ]]; then
+ # if we have a zip, tgz, tar archive we are going to use the patools extractor
+ if [[ "$FILE_BIN_OUT" == *"gzip compressed data"* || "$FILE_BIN_OUT" == *"Zip archive data"* || "$FILE_BIN_OUT" == *"POSIX tar archive"* || "$FILE_BIN_OUT" == *"ISO 9660 CD-ROM filesystem data"* ]]; then
 # as the AVM images are also zip files we need to bypass it here:
 if [[ "$AVM_DETECTED" -ne 1 ]]; then
- print_output "[*] Identified gzip/zip/tar archive file - using FACT extraction module"
- export FACT_INIT=1
+ print_output "[*] Identified gzip/zip/tar/iso archive file - using patools extraction module"
+ export PATOOLS_INIT=1
 fi
 fi
 if [[ "$FILE_BIN_OUT" == *"VMware4 disk image"* ]]; then
diff --git a/modules/P05_fact_init.sh b/modules/P05_fact_init.sh
deleted file mode 100755
index 6a5674635..000000000
--- a/modules/P05_fact_init.sh
+++ /dev/null
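Review bot: The rewritten comment above the condition still says `# if we have a zip, tgz, tar archive we are going to use the patools extractor` although the condition now also matches `ISO 9660 CD-ROM filesystem data` and the user-facing message already lists iso; update it to `# if we have a zip, tgz, tar or iso archive we are going to use the patools extractor`. It would also help a future maintainer to note next to the condition that these are substring matches on the `file` output held in FILE_BIN_OUT, so adding a format means adding the exact phrase `file` prints for it. The rest of fw_bin_detector, including where FILE_BIN_OUT is set, is outside this hunk.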
@@ -1,72 +0,0 @@
-#!/bin/bash
-
-# EMBA - EMBEDDED LINUX ANALYZER
-#
-# Copyright 2020-2022 Siemens Energy AG
-# Copyright 2020-2022 Siemens AG
-#
-# EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
-# welcome to redistribute it under the terms of the GNU General Public License.
-# See LICENSE file for usage of this software.
-#
-# EMBA is licensed under GPLv3
-#
-# Author(s): Michael Messner, Pascal Eckmann
-# Description: Extracts zip, tar, tgz archives with FACT extractor
-# Pre-checker threading mode - if set to 1, these modules will run in threaded mode
-export PRE_THREAD_ENA=0
-P05_fact_init() {
- module_log_init "${FUNCNAME[0]}"
- NEG_LOG=0
- if [[ "$FACT_INIT" -eq 1 ]]; then
- module_title "FACT initial extractor of different archives"
- pre_module_reporter "${FUNCNAME[0]}"
- EXTRACTION_DIR="$LOG_DIR"/firmware/fact_extraction/
- fact_extractor "$FIRMWARE_PATH" "$EXTRACTION_DIR"
- if [[ "$FILES_FACT" -gt 0 ]]; then
- export FIRMWARE_PATH="$LOG_DIR"/firmware/
- fi
- NEG_LOG=1
- fi
- module_end_log "${FUNCNAME[0]}" "$NEG_LOG"
-}
-fact_extractor() {
- sub_module_title "FACT filesystem extractor"
- local FIRMWARE_PATH_="$1"
- local EXTRACTION_DIR_="$2"
- FILES_FACT=0
- local DIRS_FACT=0
- if [[ -d /tmp/extractor ]]; then
- # This directory is currently hard coded in FACT-extractor
- rm -rf /tmp/extractor
- fi
- "$EXT_DIR"/fact_extractor/fact_extractor/fact_extract.py -d "$FIRMWARE_PATH_" >> "$TMP_DIR"/FACTer.txt
- if [[ -d /tmp/extractor/files ]]; then
- cat /tmp/extractor/reports/meta.json >> "$TMP_DIR"/FACTer.txt
- cp -r /tmp/extractor/files "$EXTRACTION_DIR_"
- rm -rf /tmp/extractor
- print_output ""
- print_output "[*] Using the following firmware directory ($ORANGE$EXTRACTION_DIR_$NC) as base directory:"
- #shellcheck disable=SC2012
- ls -lh "$EXTRACTION_DIR_" | tee -a "$LOG_FILE"
- print_output ""
- FILES_FACT=$(find "$EXTRACTION_DIR_" -type f | wc -l)
- DIRS_FACT=$(find "$EXTRACTION_DIR_" -type d | wc -l)
- print_output "[*] Extracted $ORANGE$FILES_FACT$NC files and $ORANGE$DIRS_FACT$NC directories from the firmware image."
- print_output ""
- fi
-}
diff --git a/modules/P05_patools_init.sh b/modules/P05_patools_init.sh
new file mode 100755
index 000000000..e7bf752de
--- /dev/null
+++ b/modules/P05_patools_init.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+# EMBA - EMBEDDED LINUX ANALYZER
+#
+# Copyright 2020-2022 Siemens Energy AG
+# Copyright 2020-2022 Siemens AG
+#
+# EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+# EMBA is licensed under GPLv3
+#
+# Author(s): Michael Messner, Pascal Eckmann
+
+# Description: Extracts zip, tar, tgz archives with patools
+# Pre-checker threading mode - if set to 1, these modules will run in threaded mode
+export PRE_THREAD_ENA=0
+
+P05_patools_init() {
+ module_log_init "${FUNCNAME[0]}"
+ NEG_LOG=0
+
+ if [[ "$PATOOLS_INIT" -eq 1 ]]; then
+ module_title "Initial extractor of different archive types via patools"
+ pre_module_reporter "${FUNCNAME[0]}"
+
+ EXTRACTION_DIR="$LOG_DIR"/firmware/patool_extraction/
+
+ patools_extractor "$FIRMWARE_PATH" "$EXTRACTION_DIR"
+
+ if [[ "$FILES_PATOOLS" -gt 0 ]]; then
+ export FIRMWARE_PATH="$LOG_DIR"/firmware/
+ fi
+
+ NEG_LOG=1
+ fi
+ module_end_log "${FUNCNAME[0]}" "$NEG_LOG"
+}
+
+patools_extractor() {
+ sub_module_title "Patools filesystem extractor"
+
+ local FIRMWARE_PATH_="$1"
+ local EXTRACTION_DIR_="$2"
+ FILES_PATOOLS=0
+ local DIRS_PATOOLS=0
+ local FIRMWARE_NAME_="$(basename "$FIRMWARE_PATH_")"
+
+ patool -v test "$FIRMWARE_PATH_" | tee -a "$LOG_PATH_MODULE"/paextract_test_"$FIRMWARE_NAME_".log
+
+ if grep -q "patool: ... tested ok." "$LOG_PATH_MODULE"/paextract_test_"$FIRMWARE_NAME_".log ; then
+
+ print_output ""
+ print_output "[*] Valid compressed file detected - extraction process via patool started"
+
+ patool -v extract "$FIRMWARE_PATH_" --outdir "$EXTRACTION_DIR_" | tee -a "$LOG_PATH_MODULE"/paextract_extract_"$FIRMWARE_NAME_".log
+
+ print_output ""
+ print_output "[*] Using the following firmware directory ($ORANGE$EXTRACTION_DIR_$NC) as base directory:"
+ #shellcheck disable=SC2012
+ ls -lh "$EXTRACTION_DIR_" | tee -a "$LOG_FILE"
+ print_output ""
+
+ FILES_PATOOLS=$(find "$EXTRACTION_DIR_" -type f | wc -l)
+ DIRS_PATOOLS=$(find "$EXTRACTION_DIR_" -type d | wc -l)
+ print_output "[*] Extracted $ORANGE$FILES_PATOOLS$NC files and $ORANGE$DIRS_PATOOLS$NC directories from the firmware image."
+ print_output ""
+ fi
+}
From 92ae46cf9d84941e9e02cad1699d0637996d1de0 Mon Sep 17 00:00:00 2001
From: m1k3
Date: Fri, 29 Apr 2022 09:22:30 +0200
Subject: [PATCH 38/42] shellcheck
---
 modules/P05_patools_init.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/P05_patools_init.sh b/modules/P05_patools_init.sh
index e7bf752de..1c7212e43 100755
--- a/modules/P05_patools_init.sh
+++ b/modules/P05_patools_init.sh
@@ -45,7 +45,8 @@ patools_extractor() {
 local EXTRACTION_DIR_="$2"
 FILES_PATOOLS=0
 local DIRS_PATOOLS=0
- local FIRMWARE_NAME_="$(basename "$FIRMWARE_PATH_")"
+ local FIRMWARE_NAME_
+ FIRMWARE_NAME_="$(basename "$FIRMWARE_PATH_")"
 patool -v test "$FIRMWARE_PATH_" | tee -a "$LOG_PATH_MODULE"/paextract_test_"$FIRMWARE_NAME_".log
From 7faff651d9484b3d1cbfc9406e22f8682747a933 Mon Sep 17 00:00:00 2001
From: m1k3
Date: Fri, 29 Apr 2022 11:43:25 +0200
Subject: [PATCH 39/42] little fixes
---
 helpers/helpers_emba_helpers.sh | 9 +++++++++
 helpers/helpers_emba_print.sh | 4 ++++
 installer/IP60_fact_extractor.sh | 9 +++++----
 3 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/helpers/helpers_emba_helpers.sh b/helpers/helpers_emba_helpers.sh
index 4899b0d0c..bb1b6ac0e 100755
--- a/helpers/helpers_emba_helpers.sh
+++ b/helpers/helpers_emba_helpers.sh
@@ -144,5 +144,14 @@ emba_updater() {
 git clone https://github.com/trickest/cve.git "$EXT_DIR"/trickest-cve
 fi
+ print_output "[*] Please note that this was only a data update and no installed packages were updated." "no_log"
 print_output "[*] Please restart your EMBA scan to apply the updates ..." "no_log"
 }
+
+# this checks if a function is available
+function_exists() {
+
+ FCT_TO_CHECK="${1:-}"
+ declare -f -F "$FCT_TO_CHECK" > /dev/null
+ return $?
+}
diff --git a/helpers/helpers_emba_print.sh b/helpers/helpers_emba_print.sh
index f816987c4..0a73baedd 100755
--- a/helpers/helpers_emba_print.sh
+++ b/helpers/helpers_emba_print.sh
@@ -536,6 +536,10 @@ module_start_log() {
 MODULE_MAIN_NAME="${1:-}"
 print_output "[*] $(date) - $MODULE_MAIN_NAME starting" "main"
 export LOG_PATH_MODULE
+ if [[ "$(echo ${LOG_DIR: -1})" == "/" ]]; then
+ #strip final slash from log dir
+ LOG_DIR="${LOG_DIR:: -1}"
+ fi
 LOG_PATH_MODULE="$LOG_DIR""/""$(echo "$MODULE_MAIN_NAME" | tr '[:upper:]' '[:lower:]')"
 if ! [[ -d "$LOG_PATH_MODULE" ]] ; then mkdir "$LOG_PATH_MODULE" || true; fi
 }
diff --git a/installer/IP60_fact_extractor.sh b/installer/IP60_fact_extractor.sh
index adb7fe227..4ae73d6b4 100644
--- a/installer/IP60_fact_extractor.sh
+++ b/installer/IP60_fact_extractor.sh
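Review bot: `FCT_TO_CHECK="${1:-}"` in the new function_exists is assigned without `local`, so every call leaks or overwrites a global of that name in the sourcing shell, and the trailing `return $?` only repeats the status `declare` already left behind. A smaller form keeps the same contract: `local FCT_TO_CHECK="${1:-}"` followed by `declare -F "$FCT_TO_CHECK" > /dev/null` as the last statement (the `-f` is redundant once `-F` is given). The header comment could also state the return convention, e.g. `# returns 0 if a shell function named $1 is defined in the current shell, non-zero otherwise`.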
@@ -37,13 +37,13 @@ IP60_fact_extractor() {
 # Note: This is a temporary solution until the official FACT repo supports a current kali linux
 # Note: This is a temporary solution as long as the installation via pip does not work
+ apt-get install curl
+
 cd "$HOME_PATH" || exit 1
- cd external || exit 1
- apt-get install curl
 # get the FACT base repository:
 git clone https://github.com/m-1-k-3/fact_extractor.git external/fact_extractor
- cd ./external/fact_extractor/ || exit 1
+ cd external/fact_extractor/ || exit 1
 # for entropython we need rust:
 curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > rustup
@@ -66,9 +66,10 @@ IP60_fact_extractor() {
 pip install .
 cd "$HOME_PATH" || exit 1
- cd ./external/fact_extractor/fact_extractor/ || exit 1
+ cd external/fact_extractor/fact_extractor/ || exit 1
 ./install/pre_install.sh
 python3 ./install.py
+ cd .. || exit 1
 rm rustup
 cd "$HOME_PATH" || exit 1
From 4caba41f73475bb606f3dcbb1ec85aabe459999e Mon Sep 17 00:00:00 2001
From: m1k3
Date: Fri, 29 Apr 2022 11:57:17 +0200
Subject: [PATCH 40/42] shellcheck
---
 helpers/helpers_emba_print.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helpers/helpers_emba_print.sh b/helpers/helpers_emba_print.sh
index 0a73baedd..e3013c64b 100755
--- a/helpers/helpers_emba_print.sh
+++ b/helpers/helpers_emba_print.sh
@@ -536,7 +536,7 @@ module_start_log() {
 MODULE_MAIN_NAME="${1:-}"
 print_output "[*] $(date) - $MODULE_MAIN_NAME starting" "main"
 export LOG_PATH_MODULE
- if [[ "$(echo ${LOG_DIR: -1})" == "/" ]]; then
+ if [[ "${LOG_DIR: -1}" == "/" ]]; then
 #strip final slash from log dir
 LOG_DIR="${LOG_DIR:: -1}"
 fi
From d2ac283b5a35cd88297f0816f874229c3c46a7e2 Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Fri, 29 Apr 2022 18:11:44 +0200
Subject: [PATCH 41/42] IL22 update
---
 installer/IL22_firmadyne_system_emulator.sh | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
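Review bot: The relocated `apt-get install curl` carries no `-y`, so whenever this installer runs without an interactive terminal (a container build, or output piped to a log) apt-get stops at its confirmation prompt or aborts, and because the line also has no `|| exit 1` the script then proceeds to `curl ... https://sh.rustup.rs` with curl possibly absent. Use `apt-get install -y curl || exit 1`, matching the `|| exit 1` pattern the surrounding `cd` lines already follow. Whether the IN_DOCKER/DOCKER_SETUP path reaches this function non-interactively is not visible here, so treat the first point as inferred; the enclosing case arm continues outside the hunk.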
diff --git a/installer/IL22_firmadyne_system_emulator.sh b/installer/IL22_firmadyne_system_emulator.sh
index d3067ba6a..3feb10c2b 100644
--- a/installer/IL22_firmadyne_system_emulator.sh
+++ b/installer/IL22_firmadyne_system_emulator.sh
@@ -70,9 +70,8 @@ IL22_firmadyne_system_emulator() {
 # shellcheck disable=SC2024
 #sudo -u postgres psql -d firmware < ./firmadyne/database/schema
- if [[ "$IN_DOCKER" -eq 1 ]] && [[ -f /external/firmadyne_orig/firmadyne.config ]]; then
- sed -i 's/^#FIRMWARE_DIR.*/FIRMWARE_DIR=\/external\/firmadyne_orig\//g' /external/firmadyne_orig/firmadyne.config
- fi
+ sed -i "s/^#FIRMWARE_DIR.*/FIRMWARE_DIR=$(pwd)/g" firmadyne.config
+
 ./download.sh
 cd "$HOME_PATH" || exit 1
From 79edbfaf206c65b4b4a3d6a86ff24eec9f5eec7c Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Fri, 29 Apr 2022 20:25:24 +0200
Subject: [PATCH 42/42] firmadyne installer update, full system emulator startup preparations
---
 emba.sh | 12 ++++++++++--
 installer/IL22_firmadyne_system_emulator.sh | 3 +++
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/emba.sh b/emba.sh
index bd34e705e..8172cda0f 100755
--- a/emba.sh
+++ b/emba.sh
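Review bot: `sed -i "s/^#FIRMWARE_DIR.*/FIRMWARE_DIR=$(pwd)/g" firmadyne.config` interpolates an absolute path into a `/`-delimited s command, so the first `/` of `$(pwd)` ends the replacement and the rest is parsed as flags; GNU sed rejects this with `unknown option to s`, leaves the file untouched, and the installer continues into `./download.sh` with FIRMWARE_DIR never set (the removed line escaped its slashes as `\/external\/firmadyne_orig\/`, which is why it worked). Use a delimiter that cannot appear in the path and fail loudly: `sed -i "s|^#FIRMWARE_DIR.*|FIRMWARE_DIR=$(pwd)|" firmadyne.config || exit 1`; `|`, `&` or `\` in the path would still need escaping, so a `printf '%s\n' "FIRMWARE_DIR=$(pwd)"`-based rewrite of that line is the robust option. The same unfixed line is carried as context into the next commit's hunk, so the fix belongs here.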
@@ -690,8 +690,16 @@ main()
 if [[ "$STRICT_MODE" -eq 1 ]]; then
 set +e
 fi
- EMBA="$INVOCATION_PATH" FIRMWARE="$FIRMWARE_PATH" LOG="$LOG_DIR" docker-compose run --rm emba -c './emba.sh -l /log -f /firmware -i "$@"' _ "${ARGUMENTS[@]}"
- D_RETURN=$?
+ if [[ "$FULL_EMULATION" -eq 1 && -f ./docker-compose-insecure.yml ]]; then
+ # in full system emulation we currently need rw filesystem for FirmAE and firmadyne
+ # we will remove this in final system emulation mode
+ print_output "[!] Warning: Starting docker environment with insecure settings (Full system emulation)!" "no_log"
+ EMBA="$INVOCATION_PATH" FIRMWARE="$FIRMWARE_PATH" LOG="$LOG_DIR" docker-compose -f ./docker-compose-insecure.yml run --rm emba -c './emba.sh -l /log -f /firmware -i "$@"' _ "${ARGUMENTS[@]}"
+ D_RETURN=$?
+ else
+ EMBA="$INVOCATION_PATH" FIRMWARE="$FIRMWARE_PATH" LOG="$LOG_DIR" docker-compose run --rm emba -c './emba.sh -l /log -f /firmware -i "$@"' _ "${ARGUMENTS[@]}"
+ D_RETURN=$?
+ fi
 if [[ "$STRICT_MODE" -eq 1 ]]; then
 set -e
 fi
diff --git a/installer/IL22_firmadyne_system_emulator.sh b/installer/IL22_firmadyne_system_emulator.sh
index 3feb10c2b..2f6c0fe86 100644
--- a/installer/IL22_firmadyne_system_emulator.sh
+++ b/installer/IL22_firmadyne_system_emulator.sh
@@ -70,6 +70,9 @@ IL22_firmadyne_system_emulator() {
 # shellcheck disable=SC2024
 #sudo -u postgres psql -d firmware < ./firmadyne/database/schema
+ # as we are currently using the old binwalk version, we need to downgrade the extractor:
+ wget https://raw.githubusercontent.com/firmadyne/extractor/6e05a6a8e5d553da70e27c2a653a40f992378557/extractor.py -O ./extractor/extractor.py
+
 sed -i "s/^#FIRMWARE_DIR.*/FIRMWARE_DIR=$(pwd)/g" firmadyne.config
 ./download.sh
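Review bot: When FULL_EMULATION is set but `./docker-compose-insecure.yml` is missing, or emba is started from a directory other than the one holding the compose files, the new condition silently takes the `else` branch and starts the hardened container with no warning, so the full-emulation run fails later on the read-only filesystem the comment says FirmAE needs; failing early is clearer, and the two `docker-compose run` lines differ only in `-f`, so building the extra arguments once removes the duplicated invocation. The warning should also name what the insecure file relaxes so the user can weigh it, but that file is not part of this patch, so I leave the wording to you. If emba runs under `set -u` with an old bash, the empty-array expansion below needs the `${ARR[@]+"${ARR[@]}"}` form; that is not visible here. main continues outside the hunk.
```shell
  # full system emulation currently needs a writable filesystem for FirmAE/firmadyne
  DOCKER_COMPOSE_ARGS=()
  if [[ "$FULL_EMULATION" -eq 1 ]]; then
    if ! [[ -f ./docker-compose-insecure.yml ]]; then
      print_output "[-] Full system emulation requested but ./docker-compose-insecure.yml was not found" "no_log"
      exit 1
    fi
    print_output "[!] Warning: Starting docker environment with insecure settings (Full system emulation)!" "no_log"
    DOCKER_COMPOSE_ARGS+=(-f ./docker-compose-insecure.yml)
  fi
  EMBA="$INVOCATION_PATH" FIRMWARE="$FIRMWARE_PATH" LOG="$LOG_DIR" docker-compose "${DOCKER_COMPOSE_ARGS[@]}" run --rm emba -c './emba.sh -l /log -f /firmware -i "$@"' _ "${ARGUMENTS[@]}"
  D_RETURN=$?
  # … unchanged: STRICT_MODE re-enable …
```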
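Review bot: `wget https://raw.githubusercontent.com/firmadyne/extractor/6e05a6a8.../extractor.py -O ./extractor/extractor.py` truncates the destination before the transfer starts, so a failed download (offline build, GitHub outage) leaves an empty extractor.py in place and the installer carries on to the sed and `./download.sh` lines as if the downgrade had succeeded; append `|| exit 1`, or use the installer's own `download_file` helper as IL10 does (its failure handling is not visible here). Pinning to a commit is the right call, but nothing verifies the content; recording the digest and checking it with `sha256sum -c` would make the downgrade reproducible and tamper-evident. The enclosing function continues outside the hunk.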