An auxiliary tool for iot vulnerability hunter

Overview

firmeye - IoT固件漏洞挖掘工具

firmeye 是一个 IDA 插件,基于敏感函数参数回溯来辅助漏洞挖掘。我们知道,在固件漏洞挖掘中,从敏感/危险函数出发,寻找其参数来源,是一种很有效的漏洞挖掘方法,但程序中调用敏感函数的地方非常多,人工分析耗时费力,通过该插件,可以帮助排除大部分的安全调用,从而提高效率。

  • 漏洞类型支持:缓冲区溢出、命令执行、格式化字符串
  • 架构支持:ARM

分享:slides

安装

该插件运行环境要求 IDA Pro 7.5,Python3。

  1. 下载本项目:https://github.com/firmianay/firmeye.git
  2. 安装依赖:pip install -r requirements.txt
  3. firmeyefirmeye.py 复制到 IDA Pro 插件目录下,例如 C:\Program Files\IDA Pro 7.5\plugins
  4. 打开 IDA Pro 并加载待分析固件程序。
  5. Ctrl+F1 查看插件使用帮助。热键:
    • Ctrl+Shift+s:主菜单
    • Ctrl+Shift+d:启动/禁用调试钩子
    • Ctrl+Shift+c:扫描代码模式(TODO)
    • Ctrl+Shift+x:逆向辅助工具
    • Ctrl+Shift+q:功能测试

使用方法

静态分析功能

敏感函数被分为 5 类:printf、strcpy、memcpy、scanf、system。分别对应各自的漏洞类型和检测规则。

动态调试功能

对静态分析得到的可疑地址下断点,并在调试时动态处理断点事件,获得参数、返回值等上下文信息。

命令行工具

利用 idahunt 可以让插件自动化批量运行,使用方法如下:

$ python3 idahunt.py --inputdir C:\xxxx --analyse --filter "names.py -a 32 -v"                      # 生成IDB
$ python3 idahunt.py --inputdir C:\xxxx --cleanup                                                   # 清理临时文件
$ python3 idahunt.py --inputdir C:\xxxx --filter "names.py -a 32 -v" --scripts "firmeye_cli.py"     # 运行脚本

改进方向

该插件目前还非常不完善,下面是一些改进方向,欢迎讨论和 PR。

  • 完善参数回溯逻辑,支持更复杂的指令语义识别
  • 支持函数间分析
  • 完善漏洞判断逻辑,降低误报率
  • 加入动态污点分析作为辅助
  • 支持更多体系架构,如 x86、MIPS 等
You might also like...
Multi-Process Vulnerability Tool

Multi-Process Vulnerability Tool

open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability
open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability

CVE-2021-44228-log4jVulnScanner-metasploit open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability pre

Raphael is a vulnerability scanning tool based on Python3.
Raphael is a vulnerability scanning tool based on Python3.

Raphael Raphael是一款基于Python3开发的插件式漏洞扫描工具。 Raphael is a vulnerability scanning too

Click-Jack - Automatic tool to find Clickjacking Vulnerability in various Web applications
Click-Jack - Automatic tool to find Clickjacking Vulnerability in various Web applications

CLICK-Jack It is a automatic tool to find Clickjacking Vulnerability in various

Automated tool to find & created Exploit Poc for Clickjacking Vulnerability
Automated tool to find & created Exploit Poc for Clickjacking Vulnerability

ClickJackPoc This tool will help you automate finding Clickjacking Vulnerability by just passing a file containing list of Targets . Once the Target i

😭 WSOB is a python tool created to exploit the new vulnerability on WSO2 assigned as CVE-2022-29464.
😭 WSOB is a python tool created to exploit the new vulnerability on WSO2 assigned as CVE-2022-29464.

😭 WSOB (CVE-2022-29464) 😭 WSOB is a python tool created to exploit the new vulnerability on WSO2 assigned as CVE-2022-29464. CVE-2022-29464 details:

Open source vulnerability DB and triage service.
Open source vulnerability DB and triage service.

OSV - Open Source Vulnerabilities OSV is a vulnerability database and triage infrastructure for open source projects aimed at helping both open source

BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.
Owner
Firmy Yang
Information Security Student & CTF Player & member of @XDSEC, @xdlinux
Firmy Yang
Aiminsun 165 Dec 21, 2022
IP Denial of Service Vulnerability ")A proof of concept for CVE-2021-24086 ("Windows TCP/IP Denial of Service Vulnerability ")

CVE-2021-24086 This is a proof of concept for CVE-2021-24086 ("Windows TCP/IP Denial of Service Vulnerability "), a NULL dereference in tcpip.sys patc

Carry 1 Nov 25, 2021
evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.

Introduction evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files. It can process a high numbe

NVISO 116 Dec 29, 2022
An OSINT tool that searches for devices directly connected to the internet (IoT) with a user specified query. It returns results for Webcams, Traffic lights, Refridgerators, Smart TVs etc.

An OSINT tool that searches for devices directly connected to the internet (IoT) with a user specified query. It returns results for Webcams, Traffic

Richard Mwewa 48 Nov 20, 2022
It's a simple tool for test vulnerability shellshock

Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests.

Mr. Cl0wn - H4ck1ng C0d3r 88 Dec 23, 2022
Use FOFA automatic vulnerability scanning tool

AutoSRC Use FOFA automatic vulnerability scanning tool Usage python3 autosrc.py -e <FOFA EMAIL> -k <TOKEN> Screenshots License MIT Dev 6613GitHub6613

PwnWiki 48 Oct 25, 2022
A fast tool to scan prototype pollution vulnerability

proto A fast tool to scan prototype pollution vulnerability Syntax python3 proto.py -l alive.txt Requirements Selenium Google Chrome Webdriver Note :

Muhammed Mahdi 4 Aug 31, 2021
WebScan is a web vulnerability Scanning tool, which scans sites for SQL injection and XSS vulnerabilities

WebScan is a web vulnerability Scanning tool, which scans sites for SQL injection and XSS vulnerabilities Which is a great tool for web pentesters. Coded in python3, CLI. WebScan is capable of scanning and detecting sql injection vulnerabilities across HTTP and HTTP sites.

AnonyminHack5 12 Dec 2, 2022
It's a simple tool for test vulnerability Apache Path Traversal

SimplesApachePathTraversal Simples Apache Path Traversal It's a simple tool for test vulnerability Apache Path Traversal https://blog.mrcl0wn.com/2021

Mr. Cl0wn - H4ck1ng C0d3r 56 Dec 27, 2022
Exploit tool for Adminer 1.0 up to 4.6.2 Arbitrary File Read vulnerability

AdminerRead Exploit tool for Adminer 1.0 up to 4.6.2 Arbitrary File Read vulnerability Installation git clone https://github.com/p0dalirius/AdminerRea

Podalirius 58 Dec 5, 2022