From 91f8c5ea1c23ecaeb84c9c7952cba34c416e36b0 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Wed, 10 May 2023 15:46:10 +0200 Subject: [PATCH 1/6] cleanup --- helpers/helpers_emba_defaults.sh | 4 ++-- modules/L25_web_checks.sh | 22 ++++++++++++++++------ modules/S15_radare_decompile_checks.sh | 2 +- modules/S85_ssh_check.sh | 2 +- 4 files changed, 20 insertions(+), 10 deletions(-) diff --git a/helpers/helpers_emba_defaults.sh b/helpers/helpers_emba_defaults.sh index eb43c3caa..a5a4b918b 100755 --- a/helpers/helpers_emba_defaults.sh +++ b/helpers/helpers_emba_defaults.sh @@ -18,8 +18,8 @@ set_defaults() { # if this is a release version set RELEASE to 1, add a banner to config/banner and name the banner with the version details - export RELEASE=0 - export EMBA_VERSION="1.2.x" + export RELEASE=1 + export EMBA_VERSION="1.2.3" export CLEANED=0 # used for the final cleaner function for not running it multiple times export STRICT_MODE=0 diff --git a/modules/L25_web_checks.sh b/modules/L25_web_checks.sh index c7e6fe862..22079285d 100755 --- a/modules/L25_web_checks.sh +++ b/modules/L25_web_checks.sh @@ -215,6 +215,7 @@ web_access_crawler() { local WEB_DIR_L2="" local WEB_DIR_L3="" local CURL_OPTS=( -sS -D ) + local CRAWLED_ARR=() if [[ "$SSL_" -eq 1 ]]; then PROTO="https" @@ -226,9 +227,11 @@ web_access_crawler() { sub_module_title "Starting web server crawling for $ORANGE$IP_:$PORT$NC" print_ln + local HOME_=$(pwd) for R_PATH in "${ROOT_PATH[@]}" ; do # we need files and links (for cgi files) - mapfile -t FILE_ARR_EXT < <(find "$R_PATH" -type f -o -type l || true) + cd "${R_PATH}" || exit 1 + mapfile -t FILE_ARR_EXT < <(find "." -type f -o -type l || true) for WEB_PATH in "${FILE_ARR_EXT[@]}"; do if ! ping -c 1 "$IP_" &> /dev/null; then 
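Review bot: `cd "${R_PATH}" || exit 1` in the `@@ -226,9 +227,11 @@` hunk terminates the whole EMBA run when a single root path cannot be entered, and it changes the shell's working directory for every command in the loop until the `cd "${HOME_}"` at the end; web_access_crawler starts before and ends after the hunk. The directory change only exists so that `find` emits relative paths, so it can be confined to the process substitution and the `HOME_` bookkeeping dropped: `mapfile -t FILE_ARR_EXT < <(cd "${R_PATH}" && find . -type f -o -type l || true)`. If a missing root must be reported, `print_output` plus `continue` is the proportionate reaction for one unreadable path rather than an `exit` from inside a module function. The same `cd`/`exit 1` lines reappear as context in the first hunk of PATCH 2/6.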
@@ -237,30 +240,37 @@ web_access_crawler() { fi print_dot WEB_FILE="$(basename "$WEB_PATH")" - echo -e "\\n[*] Testing $ORANGE$PROTO://$IP_:$PORT_/$WEB_FILE$NC" >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" - timeout --preserve-status --signal SIGINT 2 curl "${CURL_OPTS[@]}" - "$PROTO""://""$IP_":"$PORT_""/""$WEB_FILE" -o /dev/null >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" 2>/dev/null || true + if [[ -n "${WEB_FILE}" ]] && ! [[ "${CRAWLED_ARR[*]}" == *" ${WEB_FILE} "* ]]; then + echo -e "\\n[*] Testing $ORANGE$PROTO://$IP_:$PORT_/$WEB_FILE$NC" >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" + timeout --preserve-status --signal SIGINT 2 curl "${CURL_OPTS[@]}" - "$PROTO""://""$IP_":"$PORT_""/""$WEB_FILE" -o /dev/null >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" 2>/dev/null || true + CRAWLED_ARR+=( "${WEB_FILE}" ) + fi WEB_DIR_L1="$(dirname "$WEB_PATH" | rev | cut -d'/' -f1 | rev)" - if [[ -n "${WEB_DIR_L1}" ]]; then + if [[ -n "${WEB_DIR_L1}" ]] && ! [[ "${CRAWLED_ARR[*]}" == *" ${WEB_DIR_L1}/${WEB_FILE} "* ]]; then WEB_DIR_L1="${WEB_DIR_L1#\.}" WEB_DIR_L1="${WEB_DIR_L1#\/}" echo -e "\\n[*] Testing $ORANGE$PROTO://$IP_:$PORT_/${WEB_DIR_L1}/${WEB_FILE}$NC" >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" timeout --preserve-status --signal SIGINT 2 curl "${CURL_OPTS[@]}" - "$PROTO""://""$IP_":"$PORT_""/""${WEB_DIR_L1}""/""$WEB_FILE" -o /dev/null >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" 2>/dev/null || true + CRAWLED_ARR+=( "${WEB_DIR_L1}/${WEB_FILE}" ) fi WEB_DIR_L2="$(dirname "$WEB_PATH" | rev | cut -d'/' -f1-2 | rev)" - if [[ -n "${WEB_DIR_L2}" ]] && [[ "${WEB_DIR_L2}" != "${WEB_DIR_L1}" ]]; then + if [[ -n "${WEB_DIR_L2}" ]] && [[ "${WEB_DIR_L2}" != "${WEB_DIR_L1}" ]] && ! 
[[ "${CRAWLED_ARR[*]}" == *" ${WEB_DIR_L2}/${WEB_FILE} "* ]]; then WEB_DIR_L2="${WEB_DIR_L2#\.}" WEB_DIR_L2="${WEB_DIR_L2#\/}" echo -e "\\n[*] Testing $ORANGE$PROTO://$IP_:$PORT_/${WEB_DIR_L2}/${WEB_FILE}$NC" >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" timeout --preserve-status --signal SIGINT 2 curl "${CURL_OPTS[@]}" - "$PROTO""://""$IP_":"$PORT_""/""${WEB_DIR_L2}""/""$WEB_FILE" -o /dev/null >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" 2>/dev/null || true + CRAWLED_ARR+=( "${WEB_DIR_L2}/${WEB_FILE}" ) fi WEB_DIR_L3="$(dirname "$WEB_PATH" | rev | cut -d'/' -f1-3 | rev)" - if [[ -n "${WEB_DIR_L3}" ]] && [[ "${WEB_DIR_L3}" != "${WEB_DIR_L2}" ]] && [[ "${WEB_DIR_L3}" != "${WEB_DIR_L1}" ]]; then + if [[ -n "${WEB_DIR_L3}" ]] && [[ "${WEB_DIR_L3}" != "${WEB_DIR_L2}" ]] && [[ "${WEB_DIR_L3}" != "${WEB_DIR_L1}" ]] && ! [[ "${CRAWLED_ARR[*]}" == *" ${WEB_DIR_L3}/${WEB_FILE} "* ]]; then WEB_DIR_L3="${WEB_DIR_L3#\.}" WEB_DIR_L3="${WEB_DIR_L3#\/}" echo -e "\\n[*] Testing $ORANGE$PROTO://$IP_:$PORT_/${WEB_DIR_L3}/${WEB_FILE}$NC" >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" timeout --preserve-status --signal SIGINT 2 curl "${CURL_OPTS[@]}" - "$PROTO""://""$IP_":"$PORT_""/""${WEB_DIR_L3}""/""$WEB_FILE" -o /dev/null >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" 2>/dev/null || true + CRAWLED_ARR+=( "${WEB_DIR_L3}/${WEB_FILE}" ) fi done + cd "${HOME_}" || exit 1 done if [[ -f "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" ]]; then diff --git a/modules/S15_radare_decompile_checks.sh b/modules/S15_radare_decompile_checks.sh index 15d3d9dcf..abf4581d0 100755 --- a/modules/S15_radare_decompile_checks.sh +++ b/modules/S15_radare_decompile_checks.sh 
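Review bot: The membership test `[[ "${CRAWLED_ARR[*]}" == *" ${WEB_FILE} "* ]]` can never match the first or the last element, because `${CRAWLED_ARR[*]}` joins the entries without a leading or trailing separator; the most recently appended name is therefore always requested once more, and the first crawled file is never deduplicated at all. Padding the joined string fixes all four checks in this hunk: `[[ " ${CRAWLED_ARR[*]} " == *" ${WEB_FILE} "* ]]` and likewise for the `WEB_DIR_L1..3` variants, assuming the first character of IFS is still a space when this runs. Since the file already relies on bash 4 (`mapfile`), an associative array would make the lookup exact for names containing spaces as well: `local -A CRAWLED_ARR=()` at the declaration added in the previous hunk and `[[ -v CRAWLED_ARR["${WEB_FILE}"] ]]` as the test, with `CRAWLED_ARR["${WEB_FILE}"]=1` on append. web_access_crawler starts before and ends after the hunk.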
@@ -100,7 +100,7 @@ radare_decompilation(){ radare_decomp_log_bin_hardening "$NAME" "$FUNCTION" # with axt we are looking for function usages and store this in $FUNCTION_usage # pdd is for decompilation - with @@ we are working through all the identified functions - r2 -e io.cache=true -e scr.color=false -q -A -c \ + timeout --preserve-status --signal SIGINT 600 r2 -e io.cache=true -e scr.color=false -q -A -c \ 'axt `is~'"${FUNCTION}"'[2]`~[0] | tail -n +2 | sort -u > '"${LOG_PATH_MODULE}""/""${FUNCTION}""_usage"'; pdd --assembly @@ `cat '"${LOG_PATH_MODULE}""/""${FUNCTION}"'_usage`' "$BINARY" \ 2> /dev/null >> "$FUNC_LOG" || true diff --git a/modules/S85_ssh_check.sh b/modules/S85_ssh_check.sh index 2e10b1dcf..7991d3fed 100755 --- a/modules/S85_ssh_check.sh +++ b/modules/S85_ssh_check.sh @@ -59,7 +59,7 @@ search_ssh_files() local PRINTER=0 if [[ "$(basename "$LINE")" == "sshd_config" ]]; then print_output "[*] Testing sshd configuration file with sshdcc" - readarray SSHD_ISSUES < <("$EXT_DIR"/sshdcc -ns -nc -f "$LINE") + readarray SSHD_ISSUES < <("$EXT_DIR"/sshdcc -ns -nc -f "$LINE" || true) for S_ISSUE in "${SSHD_ISSUES[@]}"; do if [[ "$S_ISSUE" == *RESULTS* || "$PRINTER" -eq 1 ]]; then # print finding title as EMBA finding: From 5e2e15bb02ea598f66f05302e869794c25f7a6fe Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Wed, 10 May 2023 15:57:06 +0200 Subject: [PATCH 2/6] shellcheck my friend --- modules/L25_web_checks.sh | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/modules/L25_web_checks.sh b/modules/L25_web_checks.sh index 22079285d..5107784e8 100755 --- a/modules/L25_web_checks.sh +++ b/modules/L25_web_checks.sh @@ -227,7 +227,8 @@ web_access_crawler() { sub_module_title "Starting web server crawling for $ORANGE$IP_:$PORT$NC" print_ln - local HOME_=$(pwd) + local HOME_="" + HOME_=$(pwd) for R_PATH in "${ROOT_PATH[@]}" ; do # we need files and links (for cgi files) cd "${R_PATH}" || exit 1 
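Review bot: A radare2 run that hits the new 600 s limit is indistinguishable from a completed one, because `--preserve-status` hands the signal status back only for the trailing `|| true` to swallow it, after which `$FUNC_LOG` is evaluated as if the decompilation had finished; radare_decompilation continues outside the hunk. Capturing the status instead of discarding it lets the module flag a truncated analysis: replace `|| true` with `|| RV=$?` and follow the command with `if [[ "${RV:-0}" -eq 130 ]]; then print_output "[-] r2 decompilation of $NAME / $FUNCTION hit the 600s limit"; fi` (130 is what `--preserve-status` typically yields for a SIGINT-terminated child, unless r2 catches the signal and exits with its own code). `RV` should be declared with `local RV=0` next to the function's other locals.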
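Review bot: `readarray SSHD_ISSUES` in the S85_ssh_check.sh hunk is used without `-t`, so every element keeps its trailing newline; the `*RESULTS*` match below tolerates that, but any later exact comparison or formatted output of an element would carry the extra character, and `readarray -t SSHD_ISSUES` is the safer form. The added `|| true` also hides the case where `"$EXT_DIR"/sshdcc` is missing or not executable: the loop then silently runs over an empty array right after `Testing sshd configuration file with sshdcc` has been printed. A preceding `[[ -x "$EXT_DIR"/sshdcc ]] || print_output "[-] sshdcc not available - skipping sshd_config check"` would make that visible in the report. search_ssh_files starts before and ends after the hunk.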
@@ -246,25 +247,25 @@ web_access_crawler() { CRAWLED_ARR+=( "${WEB_FILE}" ) fi WEB_DIR_L1="$(dirname "$WEB_PATH" | rev | cut -d'/' -f1 | rev)" + WEB_DIR_L1="${WEB_DIR_L1#\.}" + WEB_DIR_L1="${WEB_DIR_L1#\/}" if [[ -n "${WEB_DIR_L1}" ]] && ! [[ "${CRAWLED_ARR[*]}" == *" ${WEB_DIR_L1}/${WEB_FILE} "* ]]; then - WEB_DIR_L1="${WEB_DIR_L1#\.}" - WEB_DIR_L1="${WEB_DIR_L1#\/}" echo -e "\\n[*] Testing $ORANGE$PROTO://$IP_:$PORT_/${WEB_DIR_L1}/${WEB_FILE}$NC" >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" timeout --preserve-status --signal SIGINT 2 curl "${CURL_OPTS[@]}" - "$PROTO""://""$IP_":"$PORT_""/""${WEB_DIR_L1}""/""$WEB_FILE" -o /dev/null >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" 2>/dev/null || true CRAWLED_ARR+=( "${WEB_DIR_L1}/${WEB_FILE}" ) fi WEB_DIR_L2="$(dirname "$WEB_PATH" | rev | cut -d'/' -f1-2 | rev)" + WEB_DIR_L2="${WEB_DIR_L2#\.}" + WEB_DIR_L2="${WEB_DIR_L2#\/}" if [[ -n "${WEB_DIR_L2}" ]] && [[ "${WEB_DIR_L2}" != "${WEB_DIR_L1}" ]] && ! [[ "${CRAWLED_ARR[*]}" == *" ${WEB_DIR_L2}/${WEB_FILE} "* ]]; then - WEB_DIR_L2="${WEB_DIR_L2#\.}" - WEB_DIR_L2="${WEB_DIR_L2#\/}" echo -e "\\n[*] Testing $ORANGE$PROTO://$IP_:$PORT_/${WEB_DIR_L2}/${WEB_FILE}$NC" >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" timeout --preserve-status --signal SIGINT 2 curl "${CURL_OPTS[@]}" - "$PROTO""://""$IP_":"$PORT_""/""${WEB_DIR_L2}""/""$WEB_FILE" -o /dev/null >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" 2>/dev/null || true CRAWLED_ARR+=( "${WEB_DIR_L2}/${WEB_FILE}" ) fi WEB_DIR_L3="$(dirname "$WEB_PATH" | rev | cut -d'/' -f1-3 | rev)" + WEB_DIR_L3="${WEB_DIR_L3#\.}" + WEB_DIR_L3="${WEB_DIR_L3#\/}" if [[ -n "${WEB_DIR_L3}" ]] && [[ "${WEB_DIR_L3}" != "${WEB_DIR_L2}" ]] && [[ "${WEB_DIR_L3}" != "${WEB_DIR_L1}" ]] && ! 
[[ "${CRAWLED_ARR[*]}" == *" ${WEB_DIR_L3}/${WEB_FILE} "* ]]; then - WEB_DIR_L3="${WEB_DIR_L3#\.}" - WEB_DIR_L3="${WEB_DIR_L3#\/}" echo -e "\\n[*] Testing $ORANGE$PROTO://$IP_:$PORT_/${WEB_DIR_L3}/${WEB_FILE}$NC" >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" timeout --preserve-status --signal SIGINT 2 curl "${CURL_OPTS[@]}" - "$PROTO""://""$IP_":"$PORT_""/""${WEB_DIR_L3}""/""$WEB_FILE" -o /dev/null >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" 2>/dev/null || true CRAWLED_ARR+=( "${WEB_DIR_L3}/${WEB_FILE}" ) From aa3ee815628384e260beea98ae651b1bf3b3ea8a Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Wed, 10 May 2023 16:00:18 +0200 Subject: [PATCH 3/6] running_modules quick fix --- helpers/running_modules.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helpers/running_modules.sh b/helpers/running_modules.sh index 2c3edfbbd..7d3ed8fe9 100755 --- a/helpers/running_modules.sh +++ b/helpers/running_modules.sh @@ -38,7 +38,7 @@ fi mapfile -t STARTED_EMBA_PROCESSES < <(grep starting "${EMBA_LOG_FILE}" | awk '{print $9}'|| true) for EMBA_STARTED_PROC in "${STARTED_EMBA_PROCESSES[@]}"; do - if ! grep -q "${EMBA_STARTED_PROC}"" finished" "${EMBA_LOG_FILE}"; then + if ! grep -i -q "${EMBA_STARTED_PROC}"" finished" "${EMBA_LOG_FILE}"; then echo -e "[*] EMBA module ${GREEN}${EMBA_STARTED_PROC}${NC} currently running" fi done From db9b6805c535b388c23cf917f05c69b590256849 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Wed, 10 May 2023 20:25:52 +0200 Subject: [PATCH 4/6] limit r2 analysis --- modules/S15_radare_decompile_checks.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/S15_radare_decompile_checks.sh b/modules/S15_radare_decompile_checks.sh index abf4581d0..aa0f1e391 100755 --- a/modules/S15_radare_decompile_checks.sh +++ b/modules/S15_radare_decompile_checks.sh 
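Review bot: With the stripping now done before the comparisons, the L1, L2 and L3 blocks in this hunk are the same six lines three times with only the `cut -f1-N` range changed, which is why this commit had to move the two stripping lines in three places; web_access_crawler starts before and ends after the hunk. A single depth loop, shown below, keeps one copy of the probe and makes the `!=` comparisons between the levels unnecessary, because an equal directory yields the same URL path, which the crawled list then catches. The list check in the loop pads `${CRAWLED_ARR[*]}` with spaces so that the first and last entries can match too (the unpadded pattern in the current code cannot match them), assuming IFS still starts with a space here. The three new locals belong next to the existing `WEB_DIR_L1..3` declarations at the top of the function.
```shell
      # … unchanged: WEB_FILE probe and CRAWLED_ARR+=( "${WEB_FILE}" ) …
      # declare next to WEB_DIR_L1..3: local DEPTH=0 WEB_DIR="" URL_PATH=""
      for DEPTH in 1 2 3; do
        WEB_DIR="$(dirname "$WEB_PATH" | rev | cut -d'/' -f1-"${DEPTH}" | rev)"
        WEB_DIR="${WEB_DIR#\.}"
        WEB_DIR="${WEB_DIR#\/}"
        [[ -n "${WEB_DIR}" ]] || continue
        URL_PATH="${WEB_DIR}/${WEB_FILE}"
        # padded join: the unpadded form cannot match the first or the last entry
        [[ " ${CRAWLED_ARR[*]} " == *" ${URL_PATH} "* ]] && continue
        echo -e "\\n[*] Testing $ORANGE$PROTO://$IP_:$PORT_/${URL_PATH}$NC" >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log"
        timeout --preserve-status --signal SIGINT 2 curl "${CURL_OPTS[@]}" - "$PROTO""://""$IP_":"$PORT_""/""${URL_PATH}" -o /dev/null >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" 2>/dev/null || true
        CRAWLED_ARR+=( "${URL_PATH}" )
      done
```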
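Review bot: In the running_modules.sh hunk, `grep -i -q "${EMBA_STARTED_PROC}"" finished"` still treats the module name as a regular expression, and the added `-i` widens the match further, so a name that is a prefix of another module (or contains a regex metacharacter) can report a still-running module as finished. The names come from EMBA's own log via `awk '{print $9}'`, so this is a mis-detection risk rather than an injection one, but `grep -i -q -F -- "${EMBA_STARTED_PROC} finished" "${EMBA_LOG_FILE}"` matches the literal text and is the intent here. The surrounding `for` loop is inside the hunk; the script continues outside it.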
@@ -93,15 +93,16 @@ radare_decompilation(){ return fi - NETWORKING=$(readelf -a "$BINARY_" --use-dynamic 2> /dev/null | grep -E "FUNC[[:space:]]+UND" | grep -c "\ bind\|\ socket\|\ accept\|\ recvfrom\|\ listen" 2> /dev/null || true) for FUNCTION in "${VULNERABLE_FUNCTIONS[@]}" ; do FUNC_LOG="$LOG_PATH_MODULE""/decompilation_vul_func_""$FUNCTION""-""$NAME"".txt" radare_decomp_log_bin_hardening "$NAME" "$FUNCTION" # with axt we are looking for function usages and store this in $FUNCTION_usage # pdd is for decompilation - with @@ we are working through all the identified functions + # We analyse only 1000 functions per binary timeout --preserve-status --signal SIGINT 600 r2 -e io.cache=true -e scr.color=false -q -A -c \ - 'axt `is~'"${FUNCTION}"'[2]`~[0] | tail -n +2 | sort -u > '"${LOG_PATH_MODULE}""/""${FUNCTION}""_usage"'; pdd --assembly @@ `cat '"${LOG_PATH_MODULE}""/""${FUNCTION}"'_usage`' "$BINARY" \ + 'axt `is~'"${FUNCTION}"'[2]`~[0] | tail -n +2 | grep -v "nofunc" | sort -u | tail -n 1000 > \ + '"${LOG_PATH_MODULE}""/""${FUNCTION}""_""${NAME}""_usage"'; pdd --assembly @@ `cat '"${LOG_PATH_MODULE}""/""${FUNCTION}""_""${NAME}"'_usage`' "$BINARY" \ 2> /dev/null >> "$FUNC_LOG" || true if [[ -f "$FUNC_LOG" ]] && [[ $(wc -l "$FUNC_LOG" | awk '{print $1}') -gt 0 ]] ; then From 16e323e817b3edc54d6b04fa3991d62efaaf5f01 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Thu, 11 May 2023 14:01:07 +0200 Subject: [PATCH 5/6] make it work again --- modules/S15_radare_decompile_checks.sh | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/modules/S15_radare_decompile_checks.sh b/modules/S15_radare_decompile_checks.sh index aa0f1e391..292f56103 100755 --- a/modules/S15_radare_decompile_checks.sh +++ b/modules/S15_radare_decompile_checks.sh 
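Review bot: The comment `# We analyse only 1000 functions per binary` does not describe what `sort -u | tail -n 1000` does: after the sort the pipeline keeps the 1000 highest-sorting usage entries, an arbitrary slice of the cross-references rather than the first 1000 found; radare_decompilation continues outside the hunk. If a cap is acceptable, `head -n 1000` keeps the lowest addresses and the comment should state that the list is truncated, e.g. `# cap the xref list at 1000 entries (lowest addresses after sort -u) to bound r2 run time`. The hunk also deletes the `NETWORKING=` assignment; if the variable is still read further down in the function, a run with `STRICT_MODE` (`set -u`) will fail on it, which is worth confirming against the rest of the file.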
@@ -100,22 +100,22 @@ radare_decompilation(){ # with axt we are looking for function usages and store this in $FUNCTION_usage # pdd is for decompilation - with @@ we are working through all the identified functions # We analyse only 1000 functions per binary - timeout --preserve-status --signal SIGINT 600 r2 -e io.cache=true -e scr.color=false -q -A -c \ - 'axt `is~'"${FUNCTION}"'[2]`~[0] | tail -n +2 | grep -v "nofunc" | sort -u | tail -n 1000 > \ - '"${LOG_PATH_MODULE}""/""${FUNCTION}""_""${NAME}""_usage"'; pdd --assembly @@ `cat '"${LOG_PATH_MODULE}""/""${FUNCTION}""_""${NAME}"'_usage`' "$BINARY" \ - 2> /dev/null >> "$FUNC_LOG" || true + r2 -e io.cache=true -e scr.color=false -q -A -c \ + 'axt `is~'"${FUNCTION}"'[2]`~[0] | tail -n +2 | grep -v "nofunc" | sort -u | tail -n 100 > '"${LOG_PATH_MODULE}""/""${FUNCTION}""_""${NAME}""_usage"'; pdd --assembly @@ `cat '"${LOG_PATH_MODULE}""/""${FUNCTION}""_""${NAME}"'_usage`' "$BINARY" 2> /dev/null >> "$FUNC_LOG" || true - if [[ -f "$FUNC_LOG" ]] && [[ $(wc -l "$FUNC_LOG" | awk '{print $1}') -gt 0 ]] ; then + if [[ -f "$FUNC_LOG" ]] && [[ $(wc -l "$FUNC_LOG" | awk '{print $1}') -gt 3 ]] ; then radare_decomp_color_output "$FUNCTION" # Todo: check this with other architectures - COUNT_FUNC="$(grep -c "sym.*""$FUNCTION" "$FUNC_LOG" 2> /dev/null || true)" + COUNT_FUNC="$(grep -c "$FUNCTION" "$FUNC_LOG" 2> /dev/null || true)" if [[ "$FUNCTION" == "strcpy" ]] ; then - COUNT_STRLEN=$(grep -c "sym.*strlen" "$FUNC_LOG" 2> /dev/null || true) + COUNT_STRLEN=$(grep -c "strlen" "$FUNC_LOG" 2> /dev/null || true) STRCPY_CNT=$((STRCPY_CNT+COUNT_FUNC)) fi radare_log_func_footer "$NAME" "$FUNCTION" radare_decomp_output_function_details "$BINARY_" "$FUNCTION" + else + rm "$FUNC_LOG" || true fi done echo "$STRCPY_CNT" >> "$TMP_DIR"/S15_STRCPY_CNT.tmp 
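Review bot: Dropping `timeout --preserve-status --signal SIGINT 600` leaves the `r2 -A` decompilation unbounded again, so one large firmware binary can stall the module indefinitely, and the commit message does not say why the wrapper had to go; radare_decompilation continues outside the hunk. If SIGINT was the problem (radare2 may treat it as an interactive interrupt instead of exiting), `timeout --signal TERM -k 10 600 r2 ...` still bounds the run, and the `tail -n 100` cap together with the new `-gt 3` threshold on `$FUNC_LOG` are magic numbers that deserve a one-line comment on what they tune. `grep -c "$FUNCTION" "$FUNC_LOG"` now counts every line mentioning the name, including whatever header radare_decomp_log_bin_hardening writes into the same log and unrelated symbols that merely contain it, so `COUNT_FUNC` and `STRCPY_CNT` are likely higher than with the previous `sym.*` form — worth checking before they feed into the summary. `rm "$FUNC_LOG" || true` works, but `rm -f -- "$FUNC_LOG"` expresses the same intent without suppressing every other error.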
@@ -139,6 +139,7 @@ radare_decomp_log_bin_hardening() { fi write_log "$NC" "$FUNC_LOG" +# not working - check this: # if [[ -d "$LOG_DIR"/s14_weak_func_radare_check/ ]] && [[ "$(find "$LOG_DIR"/s14_weak_func_radare_check/ -name "vul_func_*""$FUNCTION""-""$NAME"".txt" | wc -l | awk '{print $1}')" -gt 0 ]]; then # write_log "[*] Function $ORANGE$FUNCTION$NC tear down of $ORANGE$NAME$NC / Switch to Radare2 disasm$NC" "$FUNC_LOG" # write_link "$(find "$LOG_DIR"/s14_weak_func_radare_check/ -name "vul_func_*""$FUNCTION""-""$NAME"".txt")" "$FUNC_LOG" From 447fb9459d5e3299f1ee4d070f63c7d3fdc1abf6 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Thu, 11 May 2023 14:02:45 +0200 Subject: [PATCH 6/6] 200 --- modules/S15_radare_decompile_checks.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/S15_radare_decompile_checks.sh b/modules/S15_radare_decompile_checks.sh index 292f56103..adc37994f 100755 --- a/modules/S15_radare_decompile_checks.sh +++ b/modules/S15_radare_decompile_checks.sh 
@@ -99,9 +99,9 @@ radare_decompilation(){ radare_decomp_log_bin_hardening "$NAME" "$FUNCTION" # with axt we are looking for function usages and store this in $FUNCTION_usage # pdd is for decompilation - with @@ we are working through all the identified functions - # We analyse only 1000 functions per binary + # We analyse only 200 functions per binary r2 -e io.cache=true -e scr.color=false -q -A -c \ - 'axt `is~'"${FUNCTION}"'[2]`~[0] | tail -n +2 | grep -v "nofunc" | sort -u | tail -n 100 > '"${LOG_PATH_MODULE}""/""${FUNCTION}""_""${NAME}""_usage"'; pdd --assembly @@ `cat '"${LOG_PATH_MODULE}""/""${FUNCTION}""_""${NAME}"'_usage`' "$BINARY" 2> /dev/null >> "$FUNC_LOG" || true + 'axt `is~'"${FUNCTION}"'[2]`~[0] | tail -n +2 | grep -v "nofunc" | sort -u | tail -n 200 > '"${LOG_PATH_MODULE}""/""${FUNCTION}""_""${NAME}""_usage"'; pdd --assembly @@ `cat '"${LOG_PATH_MODULE}""/""${FUNCTION}""_""${NAME}"'_usage`' "$BINARY" 2> /dev/null >> "$FUNC_LOG" || true if [[ -f "$FUNC_LOG" ]] && [[ $(wc -l "$FUNC_LOG" | awk '{print $1}') -gt 3 ]] ; then radare_decomp_color_output "$FUNCTION"
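Review bot: The cap now lives in two places, the comment `# We analyse only 200 functions per binary` and the literal in `tail -n 200`, and the previous commit shows how they drift (comment at 1000, code at 100). A named constant declared with the function's other locals, e.g. `local -r MAX_FUNC_XREFS=200`, used as `| tail -n '"${MAX_FUNC_XREFS}"' > '` inside the r2 command string, keeps a single source of truth, and the comment can then say why the cap exists (bounding r2 run time on large binaries) instead of repeating the number. Since `tail` follows `sort -u`, the 200 entries kept are the highest-sorting addresses, which the comment should mention if that selection is deliberate. radare_decompilation continues outside the hunk.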