Initial commit

.gitignore

@@ -0,0 +1,7 @@
+*.o
+*.armel
+*.mipseb
+*.mipsel
+binaries/
+images/
+scratch/

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "analyses/routersploit"]
+ path = analyses/routersploit
+ url = https://github.com/threat9/routersploit

LICENSE.txt

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 - 2016, Daming Dominic Chen
+Copyright (c) 2017 - 2020, Mingeun Kim, Dongkwan Kim, Eunsoo Kim
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,90 @@
+# FirmAE
+
+FirmAE is a fully-automated framework that performs emulation and vulnerability analysis. FirmAE significantly increases the emulation success rate (From [Firmadyne](https://github.com/firmadyne/firmadyne)'s 16.28% to 79.36%) with five arbitration techniques. We tested FirmAE on 1,124 wireless-router and IP-camera firmware images from top eight vendors.
+
+We also developed a dynamic analysis tool for 0-day discovery, which infers web service information based on the filesystem and kernel logs of target firmware.
+By running our tool on the succesfully emulation firmware images, we discovered 12 new 0-days which affect 23 devices.
+
+# Installation
+
+Note that we tested FirmAE on Ubuntu 18.04.
+
+1. Clone `FirmAE`
+```
+$ git clone --recursive https://github.com/pr0v3rbs/FirmAE
+```
+
+2. Run `download.sh` script.
+```
+$ ./download.sh
+```
+
+3. Run `install.sh` script.
+```
+$ ./install.sh
+```
+
+4. Run `init.sh` script.
+```
+$ ./init.sh
+```
+
+# Usage
+
+1. Prepare a firmware.
+
+```
+$ wget ftp://ftp.dlink.eu/Products/dir/dir-868l/driver_software/DIR-868L_fw_revB_2-05b02_eu_multi_20161117.zip
+```
+
+2. Check emulation
+```
+$ sudo ./run.sh -c <brand> <firmware>
+```
+
+3. Run analysis
+```
+$ sudo ./run.sh -a <brand> <firmware>
+```
+
+## Parallel mode
+
+First, prepare a docker image.
+```
+$ sudo ./docker-init.sh
+```
+
+Then, run one of the below commands. ```-ec``` checks only the emulation, and ```-ea``` checks the emulation and analyzes vulnerabilities.
+```
+$ sudo ./docker-helper.py -ec <brand> <firmware>
+$ sudo ./docker-helper.py -ea <brand> <firmware>
+```
+
+# CVEs
+
+- ASUS: [CVE-2019-20082](https://github.com/pr0v3rbs/CVE/tree/master/CVE-2019-20082)
+- Belkin: [Belkin01](https://github.com/pr0v3rbs/CVE/tree/master/Belkin01)
+- D-Link: [CVE-2018-20114](https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-20114), [CVE-2018-19986](https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990#cve-2018-19986---hnap1setroutersettings), [CVE-2018-19987](https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990#cve-2018-19987---hnap1setaccesspointmode), [CVE-2018-19988](https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990#cve-2018-19988---hnap1setclientinfodemo), [CVE-2018-19989](https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990#cve-2018-19989---hnap1setqossettings), [CVE-2018-19990](https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990#cve-2018-19990---hnap1setwifiverifyalpha), [CVE-2019-6258](https://github.com/pr0v3rbs/CVE/tree/master/CVE-2019-6258), [CVE-2019-20084](https://github.com/pr0v3rbs/CVE/tree/master/CVE-2019-20084)
+- TRENDNet: [CVE-2019-11399](https://github.com/pr0v3rbs/CVE/tree/master/CVE-2019-11399), [CVE-2019-11400](https://github.com/pr0v3rbs/CVE/tree/master/CVE-2019-11400)
+
+# Authors
+This research project has been conducted by [SysSec Lab](https://syssec.kr) at KAIST.
+* [Mingeun Kim](https://pr0v3rbs.blogspot.kr/)
+* [Dongkwan Kim](https://0xdkay.me/)
+* [Eunsoo Kim](https://hahah.kim)
+* [Suryeon Kim](#)
+* [Yeongjin Jang](https://www.unexploitable.systems/)
+* [Yongdae Kim](https://syssec.kaist.ac.kr/~yongdaek/)
+
+# Citation
+We would appreciate if you consider citing [our paper](https://syssec.kaist.ac.kr/pub/2020/kim_acsac2020.pdf) when using FirmAE.
+```bibtex
+@inproceedings{kim:2020:firmae,
+ author = {Mingeun Kim and Dongkwan Kim and Eunsoo Kim and Suryeon Kim and Yeongjin Jang and Yongdae Kim},
+ title = {{FirmAE}: Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis},
+ booktitle = {Annual Computer Security Applications Conference (ACSAC)},
+ year = 2020,
+ month = dec,
+ address = {Online}
+}
+```

analyses/README.md

@@ -0,0 +1,9 @@
+This directory contains analyses for the FirmAE system. The public release
+of our system includes the following analyses.
+
+* FirmAE
+ * `initilzer.py`: Setup default state a target devices' web page.
+ * `fuzzer`: Dynamic analyses tool which can find command injection and buffer
+overflow.
+ * `routersploit`: Customized routersploit tool.
+

analyses/analyses_all.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+if [ $# -ne 4 ]; then
+ echo $0: Usage: ./analyses_all.sh [iid] [brand] [target address] [sql ip]
+ exit 1
+fi
+
+set -e
+set -u
+
+IID=${1}
+BRAND=${2}
+TARGET=${3}
+PSQL_IP=${4}
+LOG_DIR="analyses_log/$BRAND/$IID"
+EXPLOIT_DIR="$LOG_DIR/exploits"
+
+mkdir -p analyses_log
+mkdir -p $LOG_DIR
+mkdir -p $EXPLOIT_DIR
+
+sleep 10
+
+echo '[*] FirmAE web server initializer'
+{ time ./initializer.py $BRAND $TARGET > $LOG_DIR/initializer_log ; } 2> $LOG_DIR/initializer_time
+{ time nmap -O -sV $TARGET -oX $LOG_DIR/nmap_log.txt ; } 2> $LOG_DIR/nmap_time
+echo '[*] fuzzer'
+{ time ./fuzzer/fuzzer.py ci $BRAND $IID $TARGET > $LOG_DIR/fuzzer_log_ci ; } 2> $LOG_DIR/fuzzer_ci_time
+{ time ./fuzzer/fuzzer.py bof $BRAND $IID $TARGET > $LOG_DIR/fuzzer_log_bof ; } 2> $LOG_DIR/fuzzer_bof_time
+echo '[*] rsf'
+cd routersploit && timeout --preserve-status --signal SIGINT 300 ./rsf.py $TARGET > ../$LOG_DIR/rsf && cd -
+echo '[*] analyzer finished'

analyses/fuzzer/README.md

@@ -0,0 +1,28 @@
+This directory contains analyses for the FirmAE system.
+
+* `fuzzer.py`: This is a main script for testing command injection and buffer overflow vulnerability.
+* `hnap_pair`: Default key-value pair information for a HNAP request.
+* `login.py`: This script helps to login the webpages on the emulated firmware.
+
+Fuzzer works with two steps to find command injection and one step for buffer overflow.
+ 1. Parse parameters in xml, php, html pages for the web pages in target system filesystem.
+ 2. Command injection
+ - Spray signatures such as `d34d1`, `d34d2`, ...
+ - Find signatures with a execve system call in the kernel log of target emulation.
+ - Send vulnerable command injection combination for the found vulnerable parameters on web page.
+3. Buffer overflow
+ - Spray large buffer with a signature such as `aaaaaaa1...aaaaaaa1`, ..., `aaaaaa10...aaaaaa10`, ...
+
+Found vulnerability
+* Command injection in a Belkin product reported through bugcrowd
+* CVE-2018-19986
+* CVE-2018-19987
+* CVE-2018-19988
+* CVE-2018-19989
+* CVE-2018-19990
+* CVE-2018-20114 D-Link soap.cgi command injection
+* CVE-2019-11399 TRENDNet command injection
+* CVE-2019-11400 TRENDNet buffer overflow
+* CVE-2019-6258 D-Link buffer overflow
+* CVE-2019-20082 ASUS buffer overflow
+* CVE-2019-20084