An auxiliary tool for iot vulnerability hunter

Overview

firmeye - IoT固件漏洞挖掘工具

firmeye 是一个 IDA 插件,基于敏感函数参数回溯来辅助漏洞挖掘。我们知道,在固件漏洞挖掘中,从敏感/危险函数出发,寻找其参数来源,是一种很有效的漏洞挖掘方法,但程序中调用敏感函数的地方非常多,人工分析耗时费力,通过该插件,可以帮助排除大部分的安全调用,从而提高效率。

  • 漏洞类型支持:缓冲区溢出、命令执行、格式化字符串
  • 架构支持:ARM

分享:slides

安装

该插件运行环境要求 IDA Pro 7.5,Python3。

  1. 下载本项目:https://github.com/firmianay/firmeye.git
  2. 安装依赖:pip install -r requirements.txt
  3. firmeyefirmeye.py 复制到 IDA Pro 插件目录下,例如 C:\Program Files\IDA Pro 7.5\plugins
  4. 打开 IDA Pro 并加载待分析固件程序。
  5. Ctrl+F1 查看插件使用帮助。热键:
    • Ctrl+Shift+s:主菜单
    • Ctrl+Shift+d:启动/禁用调试钩子
    • Ctrl+Shift+c:扫描代码模式(TODO)
    • Ctrl+Shift+x:逆向辅助工具
    • Ctrl+Shift+q:功能测试

使用方法

静态分析功能

敏感函数被分为 5 类:printf、strcpy、memcpy、scanf、system。分别对应各自的漏洞类型和检测规则。

动态调试功能

对静态分析得到的可疑地址下断点,并在调试时动态处理断点事件,获得参数、返回值等上下文信息。

命令行工具

利用 idahunt 可以让插件自动化批量运行,使用方法如下:

$ python3 idahunt.py --inputdir C:\xxxx --analyse --filter "names.py -a 32 -v"                      # 生成IDB
$ python3 idahunt.py --inputdir C:\xxxx --cleanup                                                   # 清理临时文件
$ python3 idahunt.py --inputdir C:\xxxx --filter "names.py -a 32 -v" --scripts "firmeye_cli.py"     # 运行脚本

改进方向

该插件目前还非常不完善,下面是一些改进方向,欢迎讨论和 PR。

  • 完善参数回溯逻辑,支持更复杂的指令语义识别
  • 支持函数间分析
  • 完善漏洞判断逻辑,降低误报率
  • 加入动态污点分析作为辅助
  • 支持更多体系架构,如 x86、MIPS 等
Owner
Firmy Yang
Information Security Student & CTF Player & member of @XDSEC, @xdlinux
Firmy Yang
Rouge Spammers with a mission to disrupt the peace of the valley ? Fear not we will STOMP the Spammers

Rouge Spammers with a mission to disrupt the peace of the valley ? Fear not we will STOMP the Spammers New Update : adding 'on-review' tag on an issue

A N U S H 13 Sep 19, 2021
AMC- Automatic Media Access Control [MAC] Address Spoofing Tool

AMC (Automatic Media Access Control [MAC] Address Spoofing tool), helps you to protect your real network hardware identity. Each entered time interval your hardware address was changed automatically.

Dipen Chavan 14 Dec 23, 2022
Security tool to test different bypass of forbidden

notForbidden Security tool to test different bypass of forbidden Usage python3 notForbidden.py URL Features Bypass with different methods (POST, OPT

6 Sep 08, 2022
Malware for Discord, designed to steal passwords, tokens, and inject discord folders for long-term use.

Vital What is Vital? Vital is malware primarily used to collect and extract information from the Discord desktop client. While it has other features (

HellSec 59 Dec 01, 2022
Python script that sends CVE-2021-44228 log4j payload requests to url list

scan4log4j Python script that sends CVE-2021-44228 log4j payload requests to url list [VERY BETA] using Supply your url list to urls.txt Put your payl

elyesa 5 Nov 09, 2022
Signatures and IoCs from public Volexity blog posts.

threat-intel This repository contains IoCs related to Volexity public threat intelligence blog posts. They are organised by year, and within each year

Volexity 130 Dec 29, 2022
Domain abuse scanner covering domainsquatting and phishing keywords.

🦷 monodon 🐋 Domain abuse scanner covering domainsquatting and phishing keywords. Setup Monodon is a Python 3.7+ programm. To setup on a Linux machin

2 Mar 15, 2022
Port scanning tool that uses Python3. Created by Noble Wilson

Hello There! My name is Noble Wilson and I am an aspiring IT/InfoSec coder practicing for my future. ________________________________________________

1 Nov 23, 2021
Proof on Concept Exploit for CVE-2021-38647 (OMIGOD)

OMIGOD Proof on Concept Exploit for CVE-2021-38647 (OMIGOD) For background information and context, read the our blog post detailing this vulnerabilit

Horizon 3 AI Inc 231 Nov 12, 2022
RCE Exploit for Gitlab < 13.9.4

GitLab-Wiki-RCE RCE Exploit for Gitlab 13.9.4 RCE via unsafe inline Kramdown options when rendering certain Wiki pages Allows any user with push acc

Enox 52 Nov 09, 2022
List of S3 Hacks

s3-leaks List of AWS S3 Leaks Feel free to send in a PR if you know of other leaks Date Description Notes Aug2020 S3 bucket mess up exposed 182GB of s

Nag 291 Dec 28, 2022
logmap: Log4j2 jndi injection fuzz tool

logmap - Log4j2 jndi injection fuzz tool Used for fuzzing to test whether there are log4j2 jndi injection vulnerabilities in header/body/path Use http

之乎者也 67 Oct 25, 2022
Simple yara rule manager

Yara Manager A simple program to manage your yara ruleset in a (sqlite) database. Todos Search rules and descriptions Cluster rules in rulesets Enforc

Nils Kuhnert 65 Nov 17, 2022
log4j burp scanner

log4jscanner log4j burp插件 特点如下: 0x01 基于Cookie字段、XFF头字段、UA头字段发送payload 0x02 基于域名的唯一性,将host带入dnslog中 插件主要识别五种形式: 1.get请求,a=1&b=2&c=3 2.post请求,a=1&b=2&c=

1 Jun 30, 2022
Hadoop Yan ResourceManager unauthorized RCE

Vuln Impact There was an unauthorized access vulnerability in Hadoop yarn ResourceManager. This vulnerability existed in Hadoop yarn, the core compone

Al1ex 25 Nov 24, 2022
The Modern Hash Identification System

🔗 Don't know what type of hash it is? Name That Hash will name that hash type! 🤖 Identify MD5, SHA256 and 3000+ other hashes ☄ Comes with a neat web app 🔥

1.2k Dec 28, 2022
Lightweight and beneficial Dependency Injection plugin for apscheduler

Implementation of dependency injection for apscheduler Prerequisites: apscheduler-di solves the problem since apscheduler doesn't support Dependency I

Glib 11 Dec 07, 2022
It's a simple tool for test vulnerability shellshock

Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to ex

Mr. Cl0wn - H4ck1ng C0d3r 88 Dec 23, 2022
FOSSLight Scanner performs open source analysis after downloading the source by passing a link that can be cloned by wget or git.

FOSSLight Scanner Analyze at once for Open Source Compliance. FOSSLight Scanner performs open source analysis after downloading the source by passing

FOSSLight 8 Nov 03, 2022
Automatically fetch, measure, and merge subscription links on the network, use Github Action

Free Node Merge Introduction Modified from alanbobs999/TopFreeProxies It measures the speed of free nodes on the network and import the stable and hig

52 Jul 16, 2022