Not getting results from running the example (exiting prematurely?)

[Alien-AV]

After running the example from usage, I'm not getting the described results. It seems like it's exiting prematurely after a 98% mark. Or the results are placed somewhere I can't guess. I'm not dropped into a python REPL.

Any ideas why it happens?
I didn't create a python virtualenv, because this VM is only used for slap anyway. Is it critical?

alienav@av-firmware-slap:~/Firmware_Slap$ Vuln_Discover_Celery.py _AL3-R024-64MB.extracted/_40.extracted/_7262CC.extracted/cpio-root/etc_ro/lighttpd/www/cgi-bin/upload_bootloader.cgi -L _AL3-R024-64MB.extracted/_40.extracted/_7262CC.extracted/cpio-root/lib/
[+] Getting argument functions
analyzeHeadless /tmp/tmpvgrhxoa3 project_upload_bootloader.cgi
        -max-cpu 1
        -import /home/alienav/Firmware_Slap/_AL3-R024-64MB.extracted/_40.extracted/_7262CC.extracted/cpio-root/etc_ro/lighttpd/www/cgi-bin/upload_bootloader.cgi
        -scriptPath /usr/local/lib/python3.6/dist-packages/Firmware_Slap-1.0-py3.6.egg/firmware_slap/ghidra_scripts
        -preScript /usr/local/lib/python3.6/dist-packages/Firmware_Slap-1.0-py3.6.egg/firmware_slap/ghidra_scripts/SetDecompilerOptions.py
        -postScript /usr/local/lib/python3.6/dist-packages/Firmware_Slap-1.0-py3.6.egg/firmware_slap/ghidra_scripts/DumpFunctions.py "/tmp/tmpvgrhxoa3/upload_bootloader.cgi"
/tmp/tmpvgrhxoa3/upload_bootloader.cgi
[+] Analyzing 44 functions
[~] Finding all the vulnerabilities:  11%|██████████████████▊                                                                                                                                                  | 5/44 [00:09<01:04,  1.66s/it]
Found Command Injection in write_flash_kernel_version in /home/alienav/Firmware_Slap/_AL3-R024-64MB.extracted/_40.extracted/_7262CC.extracted/cpio-root/etc_ro/lighttpd/www/cgi-bin/upload_bootloader.cgi
[~] Finding all the vulnerabilities:  16%|██████████████████████████▎                                                                                                                                          | 7/44 [02:18<23:52, 38.72s/it]
Found Command Injection in mtd_write_firmware in /home/alienav/Firmware_Slap/_AL3-R024-64MB.extracted/_40.extracted/_7262CC.extracted/cpio-root/etc_ro/lighttpd/www/cgi-bin/upload_bootloader.cgi
[~] Finding all the vulnerabilities:  18%|██████████████████████████████                                                                                                                                       | 8/44 [02:28<18:04, 30.12s/it]
Found Command Injection in mtd_write_bootloader in /home/alienav/Firmware_Slap/_AL3-R024-64MB.extracted/_40.extracted/_7262CC.extracted/cpio-root/etc_ro/lighttpd/www/cgi-bin/upload_bootloader.cgi
[~] Finding all the vulnerabilities:  98%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████▎   | 43/44 [08:16<00:01,  1.52s/it]
alienav@av-firmware-slap:~/Firmware_Slap$

[ChrisTheCoolHut]

It looks like it ran correctly. Did Vulnerable_Pickle get created? I should move the result dumping to it's own library and use that like that Discover and Dump does.

It printed out:

Found Command Injection in write_flash_kernel_version in /home/alienav/Firmware_Slap/_AL3-R024-64MB.extracted/_40.extracted/_7262CC.extracted/cpio-root/etc_ro/lighttpd/www/cgi-bin/upload_bootloader.cgi

Which means it thinks that write_flash_kernel_version is a command injection (hint: It is). It should then dump that information to the vulnerable pickle at the end.

If you're looking to recreate all the CVEs from the demos you'll need to up the timeouts and memory limits set in Vuln_Discover_Celery and run it against all of the cgi-binaries:

Vuln_Discover_Celery.py _AL3-R024-64MB.extracted/_40.extracted/_7262CC.extracted/cpio-root/etc_ro/lighttpd/www/cgi-bin/ -L _AL3-R024-64MB.extracted/_40.extracted/_7262CC.extracted/cpio-root/lib/

Check out #10 for a way to view those results in a pretty format. I'm trying to get #2 pushed soon so we can just use the elastic/kibana view

[Alien-AV]

The Vulnerable_Pickle indeed was created, managed to print the values from it.

Copy-pasting the way to print the pickle for future reference:

import pickle
from firmware_slap.ghidra_handler import print_function
pickle_name = "Your_results.pickle"
with open(pickle_name, 'rb') as f:
    results = pickle.load(f)
for result in results:
    print_function(result)

I feel that the README should be edited to better represent what a user would see when running those commands.
Also, I don't understand what the different scripts in the bin directory do (without reading them). Can you add a short description in the readme?

Thanks :)

[ChrisTheCoolHut]

@Alien-AV I just updated the README and added some of the elastic search/kibana stuff. Check it out, it might be a better way to visualize some of the returned vulnerability results. 05ea051