Merge pull request e-m-b-a#235 from m-1-k-3/master

Fix firmware path and EMBA start command

emba.sh

@@ -687,6 +687,12 @@ main()
       exit 1
     else
       print_output "[*] EMBA initializes docker container.\\n" "no_log"
+
+      # store some details that we do not have in the docker container:
+      echo "$FIRMWARE_PATH" >> "$TMP_DIR"/fw_name.log
+      echo "$LOG_DIR" >> "$TMP_DIR"/emba_log_dir.log
+      echo "$EMBA_COMMAND" >> "$TMP_DIR"/emba_command.log
+
       if [[ "$STRICT_MODE" -eq 1 ]]; then
         set +e
       fi

helpers/helpers_emba_dependency_check.sh

@@ -257,12 +257,15 @@ dependency_check()
     # bc
     check_dep_tool "bc"
 
+    # tree
+    check_dep_tool "tree"
+
+    # unzip
+    check_dep_tool "unzip"
+
     # mkimage (uboot)
     check_dep_tool "uboot mkimage" "mkimage"
 
-    # radare2
-    check_dep_tool "radare2" "r2"
-
     # binwalk
     check_dep_tool "binwalk extractor" "binwalk"
     if command -v binwalk > /dev/null ; then
@@ -276,15 +279,6 @@ dependency_check()
       fi
     fi
 
-    # checksec
-    check_dep_file "checksec script" "$EXT_DIR""/checksec"
-
-    # sshdcc
-    check_dep_file "sshdcc script" "$EXT_DIR""/sshdcc"
-
-    # sudo-parser.pl
-    check_dep_file "sudo-parser script" "$EXT_DIR""/sudo-parser.pl"
-
     # pixd
     check_dep_file "pixd visualizer" "$EXT_DIR""/pixde"
 
@@ -294,9 +288,21 @@ dependency_check()
     # progpilot for php code checks
     check_dep_file "progpilot php ini checker" "$EXT_DIR""/progpilot"
 
-    # CVE and CVSS databases
-    check_dep_file "CVE database" "$EXT_DIR""/allitems.csv"
-    check_dep_file "CVSS database" "$EXT_DIR""/allitemscvss.csv"
+    # Check if fact extractor is on the system - disable, if not
+    export FACT_EXTRACTOR=1 
+
+    print_output "    fact-extractor start script - \\c" "no_log"
+    if [[ -f "$EXT_DIR""/fact_extractor/fact_extractor/fact_extract.py" ]] ; then
+      echo -e "$GREEN""ok""$NC"
+    else
+      echo -e "$RED""not ok""$NC"
+      echo -e "$RED""    Missing fact-extractor start script - check your installation""$NC"
+      FACT_EXTRACTOR=0
+      DEP_ERROR=1
+    fi
+
+    # patool extractor - https://wummel.github.io/patool/
+    check_dep_tool "patool"
 
     # Freetz-NG
     check_dep_file "Freetz-NG fwmod" "$EXT_DIR""/freetz-ng/fwmod"
@@ -307,63 +313,48 @@ dependency_check()
     # Android payload.bin extractor
     check_dep_file "Android payload.bin extractor" "$EXT_DIR""/payload_dumper/payload_dumper.py"
 
-    # CVE-search
-    # TODO change to portcheck and write one for external hosts
-    check_dep_file "cve-search script" "$EXT_DIR""/cve-search/bin/search.py"
-    # we have already checked it outside the docker - do not need it again
-    if [[ "$IN_DOCKER" -eq 0 ]]; then
-      check_cve_search
-    fi
-    if [[ "$IN_DOCKER" -eq 0 ]]; then
-      # really basic check, if cve-search database is running - no check, if populated and also no check, if EMBA in docker
-      check_dep_tool "mongo database" "mongod"
-      # check_cve_search
-    fi
-    check_dep_file "Routersploit EDB database" "$CONFIG_DIR""/routersploit_exploit-db.txt"
-    check_dep_file "Routersploit CVE database" "$CONFIG_DIR""/routersploit_cve-db.txt"
-    check_dep_file "Metasploit CVE database" "$CONFIG_DIR""/msf_cve-db.txt"
+    check_dep_file "QNAP decryptor" "$EXT_DIR""/PC1"
 
-    # firmadyne / FirmAE
-    if [[ $FULL_EMULATION -eq 1 ]]; then
-      # check only some of the needed files
-      check_dep_file "console.mipsel" "$EXT_DIR""/firmae/binaries/console.mipsel"
-      check_dep_file "vmlinux.mipseb" "$EXT_DIR""/firmae/binaries/vmlinux.mipseb.4"
-      check_dep_file "fixImage.sh" "$EXT_DIR""/firmae/scripts/fixImage.sh"
-      check_dep_file "preInit.sh" "$EXT_DIR""/firmae/scripts/preInit.sh"
-      check_dep_tool "Qemu system emulator ARM" "qemu-system-arm"
-      check_dep_tool "Qemu system emulator MIPS" "qemu-system-mips"
-      check_dep_tool "Qemu system emulator MIPSel" "qemu-system-mipsel"
+    check_dep_tool "ubireader image extractor" "ubireader_extract_images"
+    check_dep_tool "ubireader file extractor" "ubireader_extract_files"
 
-      # routersploit for full system emulation
-      check_dep_file "Routersploit installation" "$EXT_DIR""/routersploit/rsf.py"
+    # CVE and CVSS databases
+    check_dep_file "CVE database" "$EXT_DIR""/allitems.csv"
+    check_dep_file "CVSS database" "$EXT_DIR""/allitemscvss.csv"
+
+    if function_exists F20_vul_aggregator; then
+      # CVE-search
+      # TODO change to portcheck and write one for external hosts
+      check_dep_file "cve-search script" "$EXT_DIR""/cve-search/bin/search.py"
+      # we have already checked it outside the docker - do not need it again
+      if [[ "$IN_DOCKER" -eq 0 ]]; then
+        check_cve_search
+      fi
+      if [[ "$IN_DOCKER" -eq 0 ]]; then
+        # really basic check, if cve-search database is running - no check, if populated and also no check, if EMBA in docker
+        check_dep_tool "mongo database" "mongod"
+        # check_cve_search
+      fi
+      # CVE searchsploit
+      check_dep_tool "CVE Searchsploit" "cve_searchsploit"
+
+      check_dep_file "Routersploit EDB database" "$CONFIG_DIR""/routersploit_exploit-db.txt"
+      check_dep_file "Routersploit CVE database" "$CONFIG_DIR""/routersploit_cve-db.txt"
+      check_dep_file "Metasploit CVE database" "$CONFIG_DIR""/msf_cve-db.txt"
     fi
 
-    # CVE searchsploit
-    check_dep_tool "CVE Searchsploit" "cve_searchsploit"
+    # checksec
+    check_dep_file "checksec script" "$EXT_DIR""/checksec"
 
-    # Check if fact extractor is on the system - disable, if not
-    export FACT_EXTRACTOR=1 
+    # sshdcc
+    check_dep_file "sshdcc script" "$EXT_DIR""/sshdcc"
 
-    print_output "    fact-extractor start script - \\c" "no_log"
-    if [[ -f "$EXT_DIR""/fact_extractor/fact_extractor/fact_extract.py" ]] ; then
-      echo -e "$GREEN""ok""$NC"
-    else
-      echo -e "$RED""not ok""$NC"
-      echo -e "$RED""    Missing fact-extractor start script - check your installation""$NC"
-      FACT_EXTRACTOR=0
-      DEP_ERROR=1
-    fi
+    # sudo-parser.pl
+    check_dep_file "sudo-parser script" "$EXT_DIR""/sudo-parser.pl"
+
+    # sh3llcheck - I know it's a typo, but this particular tool nags about it
+    check_dep_tool "shellcheck script" "shellcheck"
 
-    print_output "    cwe-checker environment - \\c" "no_log"
-    if [[ -f "$EXT_DIR""/cwe_checker/bin/cwe_checker" ]] ; then
-      echo -e "$GREEN""ok""$NC"
-    else
-      echo -e "$RED""not ok""$NC"
-      echo -e "$RED""    Missing cwe-checker start script - check your installation""$NC"
-      FACT_EXTRACTOR=0
-      DEP_ERROR=1
-    fi
-
     # fdtdump (device tree compiler)
     export DTBDUMP
     DTBDUMP_M="$(check_dep_tool "fdtdump" "fdtdump")"
@@ -377,44 +368,64 @@ dependency_check()
     # linux-exploit-suggester.sh script
     check_dep_file "linux-exploit-suggester.sh script" "$EXT_DIR""/linux-exploit-suggester.sh"
 
-    # objdump
-    OBJDUMP="$EXT_DIR""/objdump"
-    check_dep_file "objdump disassembler" "$OBJDUMP"
+    if function_exists S13_weak_func_check; then
+      # objdump
+      OBJDUMP="$EXT_DIR""/objdump"
+      check_dep_file "objdump disassembler" "$OBJDUMP"
+    fi
+
+    if function_exists S14_weak_func_radare_check; then
+      # radare2
+      check_dep_tool "radare2" "r2"
+    fi
 
     # php - currently not used
     # check_dep_tool "php"
 
     # pylint - currently not used
     # check_dep_tool "pylint"
 
-    check_dep_tool "ubireader image extractor" "ubireader_extract_images"
-    check_dep_tool "ubireader file extractor" "ubireader_extract_files"
-
     # bandit python security tester
     check_dep_tool "bandit - python vulnerability scanner" "bandit"
 
     # qemu
     check_dep_tool "qemu-[ARCH]-static" "qemu-mips-static"
 
-    # sh3llcheck - I know it's a typo, but this particular tool nags about it
-    check_dep_tool "shellcheck script" "shellcheck"
-
-    # tree
-    check_dep_tool "tree"
-
-    # unzip
-    check_dep_tool "unzip"
-
     # yara
     check_dep_tool "yara"
 
-    # patool extractor - https://wummel.github.io/patool/
-    check_dep_tool "patool"
+    if function_exists S108_stacs_password_search; then
+      # stacs - https://github.com/stacscan/stacs
+      check_dep_tool "STACS hash detection" "stacs"
+    fi
 
-    # stacs - https://github.com/stacscan/stacs
-    check_dep_tool "STACS hash detection" "stacs"
+    # firmadyne / FirmAE
+    if [[ $FULL_EMULATION -eq 1 ]]; then
+      # check only some of the needed files
+      check_dep_file "console.mipsel" "$EXT_DIR""/firmae/binaries/console.mipsel"
+      check_dep_file "vmlinux.mipseb" "$EXT_DIR""/firmae/binaries/vmlinux.mipseb.4"
+      check_dep_file "fixImage.sh" "$EXT_DIR""/firmae/scripts/fixImage.sh"
+      check_dep_file "preInit.sh" "$EXT_DIR""/firmae/scripts/preInit.sh"
+      check_dep_tool "Qemu system emulator ARM" "qemu-system-arm"
+      check_dep_tool "Qemu system emulator MIPS" "qemu-system-mips"
+      check_dep_tool "Qemu system emulator MIPSel" "qemu-system-mipsel"
 
-    check_dep_file "QNAP decryptor" "$EXT_DIR""/PC1"
+      # routersploit for full system emulation
+      check_dep_file "Routersploit installation" "$EXT_DIR""/routersploit/rsf.py"
+    fi
+
+    if function_exists S120_cwe_checker; then
+      print_output "    cwe-checker environment - \\c" "no_log"
+      if [[ -f "$EXT_DIR""/cwe_checker/bin/cwe_checker" ]] ; then
+        echo -e "$GREEN""ok""$NC"
+      else
+        echo -e "$RED""not ok""$NC"
+        echo -e "$RED""    Missing cwe-checker start script - check your installation""$NC"
+        export CWE_CHECKER=0
+        DEP_ERROR=1
+      fi
+    fi
+
   fi
 
   if [[ $DEP_ERROR -gt 0 ]] || [[ $DEP_EXIT -gt 0 ]]; then
@@ -433,7 +444,6 @@ dependency_check()
   if [[ $ONLY_DEP -eq 1 ]] ; then
     exit 0
   fi
-
 }
 
 architecture_dep_check() {

modules/F50_base_aggregator.sh

@@ -79,10 +79,20 @@ output_overview() {
     echo "FW_notes;\"$FW_NOTES\"" >> "$CSV_LOG_FILE"
   fi  
 
-  print_output "[+] Tested firmware:""$ORANGE"" ""$FIRMWARE_PATH""$NC"
-  echo "FW_path;\"$FIRMWARE_PATH\"" >> "$CSV_LOG_FILE"
-  print_output "[+] Emba start command:""$ORANGE"" ""$EMBA_COMMAND""$NC"
-  echo "emba_command;\"$EMBA_COMMAND\"" >> "$CSV_LOG_FILE"
+  if [[ "$IN_DOCKER" -eq 1 ]] && [[ -f "$TMP_DIR"/fw_name.log ]] && [[ -f "$TMP_DIR"/emba_command.log ]]; then
+    # we need to rewrite this firmware path to the original path
+    FW_PATH_ORIG="$(cat "$TMP_DIR"/fw_name.log)"
+    EMBA_COMMAND_ORIG="$(cat "$TMP_DIR"/emba_command.log)"
+    print_output "[+] Tested firmware:""$ORANGE"" ""$FW_PATH_ORIG""$NC"
+    echo "FW_path;\"$FW_PATH_ORIG\"" >> "$CSV_LOG_FILE"
+    print_output "[+] Emba start command:""$ORANGE"" ""$EMBA_COMMAND_ORIG""$NC"
+    echo "emba_command;\"$EMBA_COMMAND_ORIG\"" >> "$CSV_LOG_FILE"
+  else
+    print_output "[+] Tested firmware:""$ORANGE"" ""$FIRMWARE_PATH""$NC"
+    echo "FW_path;\"$FIRMWARE_PATH\"" >> "$CSV_LOG_FILE"
+    print_output "[+] Emba start command:""$ORANGE"" ""$EMBA_COMMAND""$NC"
+    echo "emba_command;\"$EMBA_COMMAND\"" >> "$CSV_LOG_FILE"
+  fi
 
   if [[ -n "$ARCH" ]]; then
     if [[ -n "$D_END" ]]; then
@@ -535,7 +545,7 @@ output_cve_exploits() {
         write_link "f20#minimalreportofexploitsandcves"
       fi
       if [[ "$REMOTE_EXPLOIT_CNT" -gt 0 || "$LOCAL_EXPLOIT_CNT" -gt 0 || "$DOS_EXPLOIT_CNT" -gt 0 || "$GITHUB_EXPLOIT_CNT" -gt 0 || "$KNOWN_EXPLOITED_COUNTER" -gt 0 ]]; then
-        print_output "$(indent "$(green "Remote exploits: $MAGENTA$BOLD$REMOTE_EXPLOIT_CNT$NC$GREEN / Local exploits: $MAGENTA$BOLD$LOCAL_EXPLOIT_CNT$NC$GREEN / DoS exploits: $MAGENTA$BOLD$DOS_EXPLOIT_CNT$NC$GREEN / Github PoCs: $MAGENTA$BOLD$GITHUB_EXPLOIT_CNT$NC$GREEN / Known exploited exploits: $MAGENTA$BOLD$KNOWN_EXPLOITED_COUNTER$NC")")"
+        print_output "$(indent "$(green "Remote exploits: $MAGENTA$BOLD$REMOTE_EXPLOIT_CNT$NC$GREEN / Local exploits: $MAGENTA$BOLD$LOCAL_EXPLOIT_CNT$NC$GREEN / DoS exploits: $MAGENTA$BOLD$DOS_EXPLOIT_CNT$NC$GREEN / Github PoCs: $MAGENTA$BOLD$GITHUB_EXPLOIT_CNT$NC$GREEN / Known exploited vulnerabilities: $MAGENTA$BOLD$KNOWN_EXPLOITED_COUNTER$NC")")"
         write_csv_log "remote_exploits" "$REMOTE_EXPLOIT_CNT"
         write_csv_log "local_exploits" "$LOCAL_EXPLOIT_CNT"
         write_csv_log "dos_exploits" "$DOS_EXPLOIT_CNT"