#!/bin/bash
function print_usage()
{
  # Print the command-line synopsis and the list of mutually exclusive
  # modes to stdout.
  # Arguments: none (${0} is the script path as it was invoked)
  # Outputs:   seven usage lines on stdout
  local script=${0}
  printf '%s\n' \
    "Usage: ${script} [mode]... [brand] [firmware|firmware_directory]" \
    "mode: use one option at once" \
    " -r, --run : run mode - run emulation (no quit)" \
    " -c, --check : check mode - check network reachable and web access (quit)" \
    " -a, --analyze : analyze mode - analyze vulnerability (quit)" \
    " -d, --debug : debug mode - debugging emulation (no quit)" \
    " -b, --boot : boot debug mode - kernel boot debugging using QEMU (no quit)"
}
# Exactly three positional arguments are required: mode, brand, firmware.
if [[ $# -ne 3 ]]; then
  print_usage
  exit 1
fi
set -eu
# The configuration is sourced -- i.e. executed as shell code -- from the
# current or the parent directory, so this script trusts whatever
# firmae.config exists where it is launched from, and it runs as root
# (checked further down).
if [[ -e ./firmae.config ]]; then
  . ./firmae.config
elif [[ -e ../firmae.config ]]; then
  . ../firmae.config
else
  echo "Error: Could not find 'firmae.config'!"
  exit 1
fi
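function get_option()
{
  # Translate a mode flag (short or long form) into its canonical mode name.
  # Arguments: $1 - the command-line option to translate (may be missing)
  # Outputs:   one of check|analyze|run|debug|boot on stdout, or "none" when
  #            the flag is not recognised
  # Returns:   0 always; the caller decides what to do with "none"
  # The original compared an unquoted ${1}; an empty or whitespace-containing
  # argument then produced "[: unary operator expected" noise on stderr and
  # ${1} itself is an error under set -u when absent. `case` avoids both.
  local opt=${1-}
  case "${opt}" in
    -c|--check)   echo "check" ;;
    -a|--analyze) echo "analyze" ;;
    -r|--run)     echo "run" ;;
    -d|--debug)   echo "debug" ;;
    -b|--boot)    echo "boot" ;;
    *)            echo "none" ;;
  esac
}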
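function get_brand()
{
  # Resolve the brand to use for a firmware image.
  # Arguments: $1 - path to the firmware image
  #            $2 - brand given on the command line, or "auto"
  # Globals:   PSQL_IP (read; expected to come from firmae.config)
  # Outputs:   the brand on stdout -- the caller's value verbatim, or, for
  #            "auto", whatever ./scripts/util.py get_brand prints
  # Returns:   0 (the helper's exit status is not propagated, as before)
  local infile=${1}
  local brand=${2}
  if [ "${brand}" = "auto" ]; then
    # Expansions are quoted so a path with whitespace reaches util.py as a
    # single argument. NOTE(review): util.py's output is now passed through
    # unchanged; the original word-split it, which only matters if the
    # helper ever prints more than one token.
    printf '%s\n' "$(./scripts/util.py get_brand "${infile}" "${PSQL_IP}")"
  else
    # printf rather than echo so a brand such as "-n" is not eaten as an
    # echo option.
    printf '%s\n' "${brand}"
  fi
}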
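OPTION=$(get_option "${1}")
if [ "${OPTION}" = "none" ]; then
  print_usage
  exit 1
fi
# Root is required because the emulation below creates and chowns the
# scratch directory and drives the emulation helpers. Check the effective
# uid directly: grepping `id` output for the string "root" also matched
# unrelated user or group names that merely contain it.
if [ "$(id -u)" -ne 0 ]; then
  echo -e "[\033[31m-\033[0m] This script must run with 'root' privilege"
  exit 1
fi
# Globals shared with run_emulation: BRAND may be "auto", WORK_DIR and IID
# are filled in per firmware.
BRAND=${2}
WORK_DIR=""
IID=-1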
function run_emulation()
{
#######################################
# Extract, image, network-infer and then emulate one firmware file, the last
# step depending on the global OPTION (check|analyze|run|debug|boot).
# Globals:   OPTION, BRAND, PSQL_IP, FIRMAE_DOCKER, TIMEOUT, FIRMAE_NET, USER (read)
#            BRAND, IID, WORK_DIR, RESULT and every other variable set below
#            (written -- nothing here is declared local)
# Arguments: $1 - path to the firmware image
# Outputs:   progress lines on stdout; per-run artefacts under ${WORK_DIR}
# Returns:   0 in practice; failures are recorded in ${WORK_DIR}/result and
#            the function returns early
# NOTE(review): get_scratch, check_arch, check_network, get_qemu and
# get_boot_kernel are not defined in this file; presumably they come from the
# sourced firmae.config -- verify before touching their call sites.
#######################################
echo "[*] ${1} emulation start!!!"
INFILE=${1}
BRAND=`get_brand ${INFILE} ${BRAND}`
# Image name without directory or extension; later handed to makeImage.sh
# and recorded in ${WORK_DIR}/name.
FILENAME=`basename ${INFILE%.*}`
PING_RESULT=false
WEB_RESULT=false
IP=''
# A brand still equal to "auto" after get_brand means the lookup did not
# resolve it (presumably util.py printed nothing usable).
if [ "${BRAND}" = "auto" ]; then
echo -e "[\033[31m-\033[0m] Invalid brand ${INFILE}"
return
fi
# Inside the docker container the database is on the host; bail out early
# instead of failing half-way through extraction.
if [ -n "${FIRMAE_DOCKER-}" ]; then
if ( ! ./scripts/util.py check_connection _ $PSQL_IP ); then
echo -e "[\033[31m-\033[0m] docker container failed to connect to the hosts' postgresql!"
return
fi
fi
# Omit the argument '-b' when $BRAND is empty.
# brand_arg is deliberately expanded unquoted below so it splits into "-b"
# and the brand; a brand containing whitespace would break that.
[ -n "$BRAND" ] && brand_arg="-b $BRAND" || brand_arg=""
# ================================
# extract filesystem from firmware
# ================================
t_start="$(date -u +%s.%N)"
# If the brand is not specified in the argument, it will be inferred
# automatically from the path of the image file.
# NOTE(review): "2>&1 >/dev/null" sends the extractor's stderr to this
# script's stdout and discards only its stdout; to silence both the order
# would be ">/dev/null 2>&1". Also, with set -e in effect a non-zero exit
# from timeout/extractor.py aborts the whole script here, so the IID check
# below only catches an extractor that exited 0 without registering the image.
timeout --preserve-status --signal SIGINT 300 \
./sources/extractor/extractor.py $brand_arg -sql $PSQL_IP -np \
-nk $INFILE images 2>&1 >/dev/null
# The image id assigned by the database identifies this run everywhere below.
IID=`./scripts/util.py get_iid $INFILE $PSQL_IP`
if [ ! "${IID}" ]; then
echo -e "[\033[31m-\033[0m] extractor.py failed!"
return
fi
# ================================
# extract kernel from firmware
# ================================
# If the brand is not specified in the argument, it will be inferred
# automatically from the path of the image file.
# Same redirection-order caveat as the first extractor pass above.
timeout --preserve-status --signal SIGINT 300 \
./sources/extractor/extractor.py $brand_arg -sql $PSQL_IP -np \
-nf $INFILE images 2>&1 >/dev/null
WORK_DIR=`get_scratch ${IID}`
mkdir -p ${WORK_DIR}
# NOTE(review): a+rwx makes the scratch directory world-writable, and every
# later decision in this function (result, web, ping, ip) is read back from
# files inside it -- so any local user could influence those reads.
chmod a+rwx "${WORK_DIR}"
# NOTE(review): whether USER names the invoking user or "root" depends on
# how root was obtained (sudo usually sets USER=root); confirm the intended
# owner.
chown -R "${USER}" "${WORK_DIR}"
chgrp -R "${USER}" "${WORK_DIR}"
echo $FILENAME > ${WORK_DIR}/name
echo $BRAND > ${WORK_DIR}/brand
sync
# check mode: reuse a previous successful result instead of re-emulating; a
# stale non-"true" result file is removed so it cannot mask this run.
if [ ${OPTION} = "check" ] && [ -e ${WORK_DIR}/result ]; then
if (egrep -sqi "true" ${WORK_DIR}/result); then
# RESULT is assigned here but not read anywhere in this function.
RESULT=`cat ${WORK_DIR}/result`
return
fi
rm ${WORK_DIR}/result
fi
# The extractor is expected to have produced ./images/<IID>.tar.gz.
if [ ! -e ./images/$IID.tar.gz ]; then
echo -e "[\033[31m-\033[0m] Extracting root filesystem failed!"
echo "extraction fail" > ${WORK_DIR}/result
return
fi
echo "[*] extract done!!!"
t_end="$(date -u +%s.%N)"
time_extract="$(bc <<<"$t_end-$t_start")"
echo $time_extract > ${WORK_DIR}/time_extract
# ================================
# check architecture
# ================================
t_start="$(date -u +%s.%N)"
ARCH=`./scripts/getArch.py ./images/$IID.tar.gz $PSQL_IP`
echo "${ARCH}" > "${WORK_DIR}/architecture"
# A kernel produced by the second extractor pass is analysed when present.
if [ -e ./images/${IID}.kernel ]; then
./scripts/inferKernel.py ${IID}
fi
if [ ! "${ARCH}" ]; then
echo -e "[\033[31m-\033[0m] Get architecture failed!"
echo "get architecture fail" > ${WORK_DIR}/result
return
fi
# NOTE(review): this passes the literal strings "==" and "0" as extra
# arguments to check_arch; whether that is what check_arch (defined outside
# this file) expects, or an arithmetic comparison was intended, needs
# checking against its definition.
if ( check_arch ${ARCH} == 0 ); then
echo -e "[\033[31m-\033[0m] Unknown architecture! - ${ARCH}"
echo "not valid architecture : ${ARCH}" > ${WORK_DIR}/result
return
fi
echo "[*] get architecture done!!!"
t_end="$(date -u +%s.%N)"
time_arch="$(bc <<<"$t_end-$t_start")"
echo $time_arch > ${WORK_DIR}/time_arch
# A "true" web marker left by a previous run skips image build and network
# inference entirely; only a missing or non-"true" marker triggers them.
if (! egrep -sqi "true" ${WORK_DIR}/web); then
# ================================
# make qemu image
# ================================
t_start="$(date -u +%s.%N)"
# NOTE(review): "2>&1 > file" sends stderr to the terminal and only stdout to
# the log (same ordering caveat as for extractor.py); same for makeImage.sh.
./scripts/tar2db.py -i $IID -f ./images/$IID.tar.gz -h $PSQL_IP \
2>&1 > ${WORK_DIR}/tar2db.log
t_end="$(date -u +%s.%N)"
time_tar="$(bc <<<"$t_end-$t_start")"
echo $time_tar > ${WORK_DIR}/time_tar
t_start="$(date -u +%s.%N)"
./scripts/makeImage.sh $IID $ARCH $FILENAME \
2>&1 > ${WORK_DIR}/makeImage.log
t_end="$(date -u +%s.%N)"
time_image="$(bc <<<"$t_end-$t_start")"
echo $time_image > ${WORK_DIR}/time_image
# ================================
# infer network interface
# ================================
t_start="$(date -u +%s.%N)"
echo "[*] infer network start!!!"
# TIMEOUT is set in "firmae.config". This TIMEOUT is used for initial
# log collection.
TIMEOUT=$TIMEOUT FIRMAE_NET=${FIRMAE_NET} \
./scripts/makeNetwork.py -i $IID -q -o -a ${ARCH} \
&> ${WORK_DIR}/makeNetwork.log
# Per-mode launcher links inside the scratch directory, used by the
# analyze/debug/boot branches below.
# NOTE(review): "| true" pipes ln's stdout into true; the pipeline's status
# is true's, so a failed ln is masked -- "|| true" is the usual spelling if
# masking is intended.
ln -s ./run.sh ${WORK_DIR}/run_debug.sh | true
ln -s ./run.sh ${WORK_DIR}/run_analyze.sh | true
ln -s ./run.sh ${WORK_DIR}/run_boot.sh | true
t_end="$(date -u +%s.%N)"
time_network="$(bc <<<"$t_end-$t_start")"
echo $time_network > ${WORK_DIR}/time_network
else
echo "[*] ${INFILE} already succeed emulation!!!"
fi
# The ping/web/ip marker files (presumably written by makeNetwork.py) decide
# what the mode-specific branches below are allowed to do.
if (egrep -sqi "true" ${WORK_DIR}/ping); then
PING_RESULT=true
IP=`cat ${WORK_DIR}/ip`
fi
if (egrep -sqi "true" ${WORK_DIR}/web); then
WEB_RESULT=true
fi
echo -e "\n[IID] ${IID}\n[\033[33mMODE\033[0m] ${OPTION}"
if ($PING_RESULT); then
echo -e "[\033[32m+\033[0m] Network reachable on ${IP}!"
fi
# check mode ends here: its outcome is the result file written below.
if ($WEB_RESULT); then
echo -e "[\033[32m+\033[0m] Web service on ${IP}"
echo true > ${WORK_DIR}/result
else
echo false > ${WORK_DIR}/result
fi
if [ ${OPTION} = "analyze" ]; then
# ================================
# analyze firmware (check vulnerability)
# ================================
t_start="$(date -u +%s.%N)"
if ($WEB_RESULT); then
echo "[*] Waiting web service..."
# Emulator in the background; check_network blocks until it answers, then
# the analysis suite runs against it and QEMU is stopped.
${WORK_DIR}/run_analyze.sh &
IP=`cat ${WORK_DIR}/ip`
check_network ${IP} false
echo -e "[\033[32m+\033[0m] start pentest!"
cd analyses
./analyses_all.sh $IID $BRAND $IP $PSQL_IP
cd -
sync
# NOTE(review): the grep pattern also matches the grep process itself and
# any other process whose ps line contains the QEMU binary name; pgrep/pkill
# -f on the exact command line would be narrower. Same at the debug branch.
kill $(ps aux | grep `get_qemu ${ARCH}` | awk '{print $2}') 2> /dev/null
sleep 2
else
echo -e "[\033[31m-\033[0m] Web unreachable"
fi
t_end="$(date -u +%s.%N)"
time_analyze="$(bc <<<"$t_end-$t_start")"
echo $time_analyze > ${WORK_DIR}/time_analyze
elif [ ${OPTION} = "debug" ]; then
# ================================
# run debug mode.
# ================================
if ($PING_RESULT); then
echo -e "[\033[32m+\033[0m] Run debug!"
IP=`cat ${WORK_DIR}/ip`
# NOTE(review): hard-coded ./scratch/$IID here versus ${WORK_DIR} everywhere
# else; this assumes get_scratch returns exactly that path.
./scratch/$IID/run_debug.sh &
check_network ${IP} true
sleep 10
./debug.py ${IID}
sync
kill $(ps aux | grep `get_qemu ${ARCH}` | awk '{print $2}') 2> /dev/null | true
sleep 2
else
echo -e "[\033[31m-\033[0m] Network unreachable"
fi
elif [ ${OPTION} = "run" ]; then
# ================================
# just run mode
# ================================
# Emulator in the foreground (no quit); the reachability check runs
# alongside it. IP may still be '' here if the ping marker was not "true".
check_network ${IP} false &
${WORK_DIR}/run.sh
elif [ ${OPTION} = "boot" ]; then
# ================================
# boot debug mode
# ================================
# Per the message below, QEMU is expected to accept a gdb connection on
# port 1234 against the kernel binary resolved here.
BOOT_KERNEL_PATH=`get_boot_kernel ${ARCH} true`
BOOT_KERNEL=./binaries/`basename ${BOOT_KERNEL_PATH}`
echo -e "[\033[32m+\033[0m] Connect with gdb-multiarch -q ${BOOT_KERNEL} -ex='target remote:1234'"
${WORK_DIR}/run_boot.sh
fi
echo "[*] cleanup"
echo "======================================"
}
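FIRMWARE=${3}
# Debug mode drives a single image interactively, so a directory is rejected.
if [ "${OPTION}" = "debug" ] && [ -d "${FIRMWARE}" ]; then
  echo -e "[\033[31m-\033[0m] select firmware file on debug mode!"
  exit 1
fi
if [ ! -d "${FIRMWARE}" ]; then
  run_emulation "${FIRMWARE}"
else
  # Walk the directory NUL-delimited so paths containing whitespace or glob
  # characters reach run_emulation intact (the former `for f in $(find ...)`
  # word-split and globbed them). Process substitution, rather than a pipe,
  # keeps the loop in this shell so run_emulation's global state (IID,
  # WORK_DIR) behaves as before. `-type f` already excludes directories, so
  # the per-entry directory test is no longer needed.
  FIRMWARE_DIR=${FIRMWARE}
  while IFS= read -r -d '' FIRMWARE; do
    run_emulation "${FIRMWARE}"
  done < <(find "${FIRMWARE_DIR}" -type f -print0)
fi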