How can I convert Vulnerable_Pickle to JSON formatted data? I tried basic conversion techniques and received error messages saying AsyncResult not serializable. Thanks in advance.

Running "Discover_And_Dump.py" from Quickstart section of the readme results in "radare not found" messages on the celery side.
Discover_And_Dump.py examples/iwconfig -D iwconfig_results

However, I've installed ghidra according to instructions and I expected slap to use it instead of radare.
Is it supposed to use ghidra instead of radare automatically? (Or am I misunderstanding the instructions?)
What could be wrong with my setup? (I seem to have followed the instructions correctly.)

It would be very helpful if you could tag releases. This would enable distributions to use a source tarball instead of Git checkouts.

Thanks

When I finished discovering bugs via Vuln_Discover_Celery.py and executed Load_And_View_Results.py Vulnerable_Pickle, I got

/usr/local/lib/python3.6/dist-packages/Firmware_Slap-1.0-py3.6.egg/EGG-INFO/scripts/Load_And_View_Results.py:111: ElasticsearchDeprecationWarning: [types removal] Specifying types in document index requests is deprecated, use the typeless endpoints instead (/{index}/_doc/{id}, /{index}/_doc, or /{index}/_create/{id}).
  es.index(index=func_index, doc_type='external', body=func)
  4%|#######2                                                                                                                                                                                                  | 1/28 [00:00<00:03,  7.70it/s]
Traceback (most recent call last):
  File "/usr/local/bin/Load_And_View_Results.py", line 4, in <module>
    __import__('pkg_resources').run_script('Firmware-Slap==1.0', 'Load_And_View_Results.py')
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 658, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1438, in run_script
    exec(code, namespace, namespace)
  File "/usr/local/lib/python3.6/dist-packages/Firmware_Slap-1.0-py3.6.egg/EGG-INFO/scripts/Load_And_View_Results.py", line 139, in <module>
    main()
  File "/usr/local/lib/python3.6/dist-packages/Firmware_Slap-1.0-py3.6.egg/EGG-INFO/scripts/Load_And_View_Results.py", line 57, in main
    send_data(es, func)
  File "/usr/local/lib/python3.6/dist-packages/Firmware_Slap-1.0-py3.6.egg/EGG-INFO/scripts/Load_And_View_Results.py", line 111, in send_data
    es.index(index=func_index, doc_type='external', body=func)
  File "/usr/local/lib/python3.6/dist-packages/elasticsearch/client/utils.py", line 92, in _wrapped
    return func(*args, params=params, headers=headers, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/elasticsearch/client/__init__.py", line 409, in index
    body=body,
  File "/usr/local/lib/python3.6/dist-packages/elasticsearch/transport.py", line 362, in perform_request
    timeout=timeout,
  File "/usr/local/lib/python3.6/dist-packages/elasticsearch/connection/http_urllib3.py", line 252, in perform_request
    self._raise_error(response.status, raw_data)
  File "/usr/local/lib/python3.6/dist-packages/elasticsearch/connection/base.py", line 282, in _raise_error
    status_code, error_message, additional_info
elasticsearch.exceptions.RequestError: RequestError(400, 'mapper_parsing_exception', "failed to parse field [bpvars.ref.offset] of type [long] in document with id 'INBNoXIB0W9jodOYAQ34'. Preview of field's value: '18446744073709551576'")

Does it mean Vulnerable_Pickle file cannot be sent? Or the type bpvars.ref.offset is not supported by ES?

Load_And_View_Results.py starts an elasticsearch-kibana Docker container and fails with a ConnectionError/ProtocolError/RemoteDisconnected exception if Elasticsearch is not reachable within 10 seconds:

Upon start up it may take more than 10 seconds for the elasticsearch-kibana container to make Elasticsearch reachable to applications in the host.

Instead of sleeping for fixed 10 seconds I suggest Load_And_View_Results.py be modified to wait until Elasticsearch.ping() returns True.

Is it possible to specify multiple LD_PATH / library locations (-L) for Discover_and_Dump.py ? If not, could you give me a brief rundown on where you would put that functionality so I can create a pull request to add this feature? Thank you!

When running the examples from the readme
Discover_And_Dump.py examples/iwconfig -D iwconfig_results
and
Vuln_Discover_Celery.py examples/upload.cgi -L Almond_Root/lib/
both tasks will get to ~98% before celery starts throwing errors, then the tasks fail.

ls of the folder:

(venv) mike@ubuntu:~/Desktop/Firmware_Slap$ ls
Almond_Root  examples                ghidra_9.0.4_PUBLIC_20190516.zip  iwconfig_results.pickle  README.md     venv
bin          firmware_slap           iwconfig_results.all.json         LICENSE                  requirements  Vulnerable_Pickle
build        Firmware_Slap.egg-info  iwconfig_results.all.pickle       MANIFEST.in              setup.py
dist         ghidra                  iwconfig_results.json             radare2                  setup.sh

Celery is started:

(venv) mike@ubuntu:~/Desktop/Firmware_Slap$ celery -A firmware_slap.celery_tasks worker --loglevel=info

Then,

(venv) mike@ubuntu:~/Desktop/Firmware_Slap$ Discover_And_Dump.py examples/iwconfig -D iwconfig_results
[+] Recovering Function Prototypes
analyzeHeadless /tmp/tmpcpz7vq6g project_iwconfig
	-max-cpu 1
	-import /home/mike/Desktop/Firmware_Slap/examples/iwconfig
	-scriptPath /home/mike/Desktop/Firmware_Slap/venv/lib/python3.6/site-packages/Firmware_Slap-1.0-py3.6.egg/firmware_slap/ghidra_scripts
	-preScript /home/mike/Desktop/Firmware_Slap/venv/lib/python3.6/site-packages/Firmware_Slap-1.0-py3.6.egg/firmware_slap/ghidra_scripts/SetDecompilerOptions.py
	-postScript /home/mike/Desktop/Firmware_Slap/venv/lib/python3.6/site-packages/Firmware_Slap-1.0-py3.6.egg/firmware_slap/ghidra_scripts/DumpFunctions.py "/tmp/tmpcpz7vq6g/iwconfig"
/tmp/tmpcpz7vq6g/iwconfig
[+] Analyzing 61 functions
[~] Finding all the vulnerabilities:  98%|█████████████████████████████████████████████████████████████▉ | 60/61 [00:54<00:14, 14.20s/it]```

Celery output:

-snip-
[2019-08-14 16:07:49,492: INFO/ForkPoolWorker-12] Task firmware_slap.celery_tasks.async_trace_func[5074dc82-7eca-4497-939e-16ccb81dbb57] succeeded in 6.150161330000174s: {}
[2019-08-14 16:08:33,230: WARNING/ForkPoolWorker-11] <Project /home/mike/Desktop/Firmware_Slap/examples/iwconfig>
[2019-08-14 16:08:33,230: WARNING/ForkPoolWorker-11] <SimulationManager with 17 deadended>
[2019-08-14 16:08:33,231: INFO/ForkPoolWorker-11] Task firmware_slap.celery_tasks.async_trace_func[e2d36397-f7a7-424e-aab0-1b0b5cdfc4f3] succeeded in 49.661394414999904s: {}
[2019-08-14 16:08:40,630: ERROR/MainProcess] Task handler raised error: TimeLimitExceeded(60,)
Traceback (most recent call last):
  File "/home/mike/Desktop/Firmware_Slap/venv/lib/python3.6/site-packages/billiard-3.6.1.0-py3.6.egg/billiard/pool.py", line 684, in on_hard_timeout
    raise TimeLimitExceeded(job._timeout)
billiard.exceptions.TimeLimitExceeded: TimeLimitExceeded(60,)
[2019-08-14 16:08:40,630: ERROR/MainProcess] Hard time limit (60s) exceeded for firmware_slap.celery_tasks.async_trace_func[2e688b9a-562b-4989-8798-0ed66c9c2859]
[2019-08-14 16:08:40,756: ERROR/MainProcess] Process 'ForkPoolWorker-2' pid:99169 exited with 'signal 9 (SIGKILL)'

For Vuln_Discover_Celery

(venv) mike@ubuntu:~/Desktop/Firmware_Slap$ Vuln_Discover_Celery.py examples/upload.cgi -L Almond_Root/lib/`

Celery output:

-snip-
[2019-08-14 16:03:28,460: WARNING/ForkPoolWorker-2] <SimulationManager with 1 unconstrained>
[2019-08-14 16:03:28,461: INFO/ForkPoolWorker-2] Task firmware_slap.celery_tasks.async_trace_func[d2c9db56-dc6a-48cf-838b-72f96d5ed4e1] succeeded in 2.6161688400002276s: {}
[2019-08-14 16:03:28,813: WARNING/ForkPoolWorker-4] <Project /home/mike/Desktop/Firmware_Slap/examples/upload.cgi>
[2019-08-14 16:03:28,813: WARNING/ForkPoolWorker-4] <SimulationManager with all stashes empty (1 errored)>
[2019-08-14 16:03:28,814: INFO/ForkPoolWorker-4] Task firmware_slap.celery_tasks.async_trace_func[639428ab-9492-47d1-8653-f87b54c774ce] succeeded in 0.6927038250000805s: {}
[2019-08-14 16:03:28,880: WARNING/ForkPoolWorker-6] <Project /home/mike/Desktop/Firmware_Slap/examples/upload.cgi>
[2019-08-14 16:03:28,880: WARNING/ForkPoolWorker-6] <SimulationManager with all stashes empty (1 errored)>
[2019-08-14 16:03:28,881: INFO/ForkPoolWorker-6] Task firmware_slap.celery_tasks.async_trace_func[b04f753e-2ead-4ed4-a81c-b4c5f4051b39] succeeded in 0.8522460119997959s: {}
[2019-08-14 16:04:47,808: ERROR/MainProcess] Task handler raised error: TimeLimitExceeded(120,)
Traceback (most recent call last):
  File "/home/mike/Desktop/Firmware_Slap/venv/lib/python3.6/site-packages/billiard-3.6.1.0-py3.6.egg/billiard/pool.py", line 684, in on_hard_timeout
    raise TimeLimitExceeded(job._timeout)
billiard.exceptions.TimeLimitExceeded: TimeLimitExceeded(120,)
[2019-08-14 16:04:47,810: ERROR/MainProcess] Hard time limit (120s) exceeded for firmware_slap.celery_tasks.async_trace_func[1a46c96f-c42f-43c5-923c-36e417edaa05]
[2019-08-14 16:04:47,922: ERROR/MainProcess] Process 'ForkPoolWorker-5' pid:99172 exited with 'signal 9 (SIGKILL)'
[2019-08-14 16:04:48,608: ERROR/MainProcess] Task handler raised error: TimeLimitExceeded(120,)
Traceback (most recent call last):
  File "/home/mike/Desktop/Firmware_Slap/venv/lib/python3.6/site-packages/billiard-3.6.1.0-py3.6.egg/billiard/pool.py", line 684, in on_hard_timeout
    raise TimeLimitExceeded(job._timeout)
billiard.exceptions.TimeLimitExceeded: TimeLimitExceeded(120,)
[2019-08-14 16:04:48,609: ERROR/MainProcess] Hard time limit (120s) exceeded for firmware_slap.celery_tasks.async_trace_func[659fe927-4d81-4e81-90ec-568bda8236c2]
[2019-08-14 16:04:48,712: ERROR/MainProcess] Task handler raised error: TimeLimitExceeded(120,)
Traceback (most recent call last):
  File "/home/mike/Desktop/Firmware_Slap/venv/lib/python3.6/site-packages/billiard-3.6.1.0-py3.6.egg/billiard/pool.py", line 684, in on_hard_timeout
    raise TimeLimitExceeded(job._timeout)
billiard.exceptions.TimeLimitExceeded: TimeLimitExceeded(120,)
[2019-08-14 16:04:48,713: ERROR/MainProcess] Hard time limit (120s) exceeded for firmware_slap.celery_tasks.async_trace_func[6ff27e53-f124-4d67-aa6a-d4b1e8602df7]
[2019-08-14 16:04:48,816: ERROR/MainProcess] Process 'ForkPoolWorker-8' pid:99175 exited with 'signal 9 (SIGKILL)'
[2019-08-14 16:04:48,966: ERROR/MainProcess] Process 'ForkPoolWorker-7' pid:99174 exited with 'signal 9 (SIGKILL)'
[2019-08-14 16:04:51,809: ERROR/MainProcess] Task handler raised error: TimeLimitExceeded(120,)
Traceback (most recent call last):
  File "/home/mike/Desktop/Firmware_Slap/venv/lib/python3.6/site-packages/billiard-3.6.1.0-py3.6.egg/billiard/pool.py", line 684, in on_hard_timeout
    raise TimeLimitExceeded(job._timeout)
billiard.exceptions.TimeLimitExceeded: TimeLimitExceeded(120,)
[2019-08-14 16:04:51,809: ERROR/MainProcess] Hard time limit (120s) exceeded for firmware_slap.celery_tasks.async_trace_func[f5012676-4d0d-451b-b543-28281e03add7]
[2019-08-14 16:04:51,930: ERROR/MainProcess] Process 'ForkPoolWorker-3' pid:99170 exited with 'signal 9 (SIGKILL)'

I've installed this both on my Ubuntu desktop and in a clean install Ubuntu VM (both 18.04.1) and had the same issue on both.

We've tried adjusting the timeout everywhere we can find from 120 to something larger, but it doesn't seem to make a difference.

Consider adding a note in the section about installing Ghidra to ensure that Ghidra works. In our experience it fails to gather functions if a JDK is not installed with a fairly non-informational error message

Failed to get function information for file Firmware_Slap/examples/upload.cgi

May also consider something in the setup.sh could run some basic check to ensure Ghidra is functional.

I figured this out once I tried to run ghidra.

$ ghidraDebug 
Java runtime not found.  Please refer to the Ghidra Installation Guide's Troubleshooting section.

Installing default-jdk on my ubuntu box then got past the function information.

I'm getting this stack trace while running:

python Vuln_Cluster_Celery.py -V load.pickle -L lib_mix/ folder/

Traceback (most recent call last):
  File "Vuln_Cluster_Celery.py", line 210, in <module>
    main()
  File "Vuln_Cluster_Celery.py", line 116, in main
    print_function(bugs[0])
  File "Vuln_Cluster_Celery.py", line 187, in print_function
    colored("\tMemory load addr {}".format(mem_val['DATA_ADDRS'][0]),
KeyError: 'DATA_ADDRS'

It seems that DATA_ADDRS doesn't exist. Don't know exactly what may be causing this.

In this line you should import without the as fh in the end

The pretty visualization template for kibana needs to be added.

When I try to run the Pwn_Firmware_CGI.py script on the provided firmware, I see the following error
Traceback (most recent call last):
File "bin/Pwn_Firmware_CGI.py", line 3, in <module>
from firmware_slap.function_analyzer import *
ImportError: No module named firmware_slap.function_analyzer

After running the example from usage, I'm not getting the described results. It seems like it's exiting prematurely after a 98% mark. Or the results are placed somewhere I can't guess. I'm not dropped into a python REPL.

Any ideas why it happens?
I didn't create a python virtualenv, because this VM is only used for slap anyway. Is it critical?

alienav@av-firmware-slap:~/Firmware_Slap$ Vuln_Discover_Celery.py _AL3-R024-64MB.extracted/_40.extracted/_7262CC.extracted/cpio-root/etc_ro/lighttpd/www/cgi-bin/upload_bootloader.cgi -L _AL3-R024-64MB.extracted/_40.extracted/_7262CC.extracted/cpio-root/lib/
[+] Getting argument functions
analyzeHeadless /tmp/tmpvgrhxoa3 project_upload_bootloader.cgi
        -max-cpu 1
        -import /home/alienav/Firmware_Slap/_AL3-R024-64MB.extracted/_40.extracted/_7262CC.extracted/cpio-root/etc_ro/lighttpd/www/cgi-bin/upload_bootloader.cgi
        -scriptPath /usr/local/lib/python3.6/dist-packages/Firmware_Slap-1.0-py3.6.egg/firmware_slap/ghidra_scripts
        -preScript /usr/local/lib/python3.6/dist-packages/Firmware_Slap-1.0-py3.6.egg/firmware_slap/ghidra_scripts/SetDecompilerOptions.py
        -postScript /usr/local/lib/python3.6/dist-packages/Firmware_Slap-1.0-py3.6.egg/firmware_slap/ghidra_scripts/DumpFunctions.py "/tmp/tmpvgrhxoa3/upload_bootloader.cgi"
/tmp/tmpvgrhxoa3/upload_bootloader.cgi
[+] Analyzing 44 functions
[~] Finding all the vulnerabilities:  11%|██████████████████▊                                                                                                                                                  | 5/44 [00:09<01:04,  1.66s/it]
Found Command Injection in write_flash_kernel_version in /home/alienav/Firmware_Slap/_AL3-R024-64MB.extracted/_40.extracted/_7262CC.extracted/cpio-root/etc_ro/lighttpd/www/cgi-bin/upload_bootloader.cgi
[~] Finding all the vulnerabilities:  16%|██████████████████████████▎                                                                                                                                          | 7/44 [02:18<23:52, 38.72s/it]
Found Command Injection in mtd_write_firmware in /home/alienav/Firmware_Slap/_AL3-R024-64MB.extracted/_40.extracted/_7262CC.extracted/cpio-root/etc_ro/lighttpd/www/cgi-bin/upload_bootloader.cgi
[~] Finding all the vulnerabilities:  18%|██████████████████████████████                                                                                                                                       | 8/44 [02:28<18:04, 30.12s/it]
Found Command Injection in mtd_write_bootloader in /home/alienav/Firmware_Slap/_AL3-R024-64MB.extracted/_40.extracted/_7262CC.extracted/cpio-root/etc_ro/lighttpd/www/cgi-bin/upload_bootloader.cgi
[~] Finding all the vulnerabilities:  98%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████▎   | 43/44 [08:16<00:01,  1.52s/it]
alienav@av-firmware-slap:~/Firmware_Slap$

Hi,

when running the example with the provided cgi example:

(fwslap) bitnomad@ubuntuserv2020:~/Tools/Firmware_Slap$ python bin/Vuln_Discover_Celery.py examples/upload.cgi -L examples/Almond_Root/lib/

I get this output:

[+] Getting argument functions
[+] Analyzing 14 functions
[~] Finding all the vulnerabilities: 93%|████████████████████████████████▌ | 13/14 [09:26<00:43, 43.55s/it]

It doesn't find the injection vulnerbaility. There is an error I can see in the celery log:

[2020-09-23 18:39:57,990: INFO/MainProcess] Received task: firmware_slap.celery_tasks.async_trace_func[530d180a-3aab-4b42-a179-26f31b0b2c47]
[2020-09-23 18:40:05,244: ERROR/ForkPoolWorker-3] Task firmware_slap.celery_tasks.async_trace_func[05e27192-2f3c-4199-acd7-0d30210d8614] raised unexpected: TypeError('Must provide size to load')
Traceback (most recent call last):
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/celery/app/trace.py", line 412, in trace_task
R = retval = fun(*args, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/celery/app/trace.py", line 704, in protected_call
return self.run(*args, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/firmware_slap/celery_tasks.py", line 27, in async_trace_func
proj, simgr = do_trace(start_addr,
File "/home/bitnomad/Tools/Firmware_Slap/firmware_slap/function_analyzer.py", line 274, in do_trace
simgr.explore(step_func=check_mem_corrupt)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/sim_manager.py", line 239, in explore
self.run(stash=stash, n=n, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/sim_manager.py", line 261, in run
self.step(stash=stash, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/misc/hookset.py", line 75, in call
result = current_hook(self.func.self, *args, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/exploration_techniques/explorer.py", line 96, in step
return simgr.step(stash=stash, extra_stop_points=base_extra_stop_points | self._extra_stop_points, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/misc/hookset.py", line 80, in call
return self.func(*args, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/sim_manager.py", line 346, in step
successors = self.step_state(state, successor_func=successor_func, **run_args)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/sim_manager.py", line 383, in step_state
successors = self.successors(state, successor_func=successor_func, **run_args)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/sim_manager.py", line 422, in successors
return self._project.factory.successors(state, **run_args)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/factory.py", line 60, in successors
return self.default_engine.process(*args, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/engines/vex/light/slicing.py", line 19, in process
return super().process(*args, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/engines/engine.py", line 149, in process
self.process_successors(self.successors, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/engines/failure.py", line 21, in process_successors
return super().process_successors(successors, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/engines/syscall.py", line 18, in process_successors
return super().process_successors(successors, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/engines/hook.py", line 61, in process_successors
return self.process_procedure(state, successors, procedure, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/engines/procedure.py", line 37, in process_procedure
inst = procedure.execute(state, successors, ret_to=ret_to)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/sim_procedure.py", line 226, in execute
r = getattr(inst, inst.run_func)(*sim_args, **inst.kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/firmware_slap/command_injection.py", line 111, in run
self.check_exploitable(cmd)
File "/home/bitnomad/Tools/Firmware_Slap/firmware_slap/command_injection.py", line 11, in check_exploitable
value = self.state.memory.load(cmd)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/storage/memory_mixins/unwrapper_mixin.py", line 14, in load
return super().load(_raw_ast(addr),
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/storage/memory_mixins/name_resolution_mixin.py", line 57, in load
return super().load(addr, size=size, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/storage/memory_mixins/bvv_conversion_mixin.py", line 28, in load
return super().load(addr, size=size, fallback=fallback_bv, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/storage/memory_mixins/clouseau_mixin.py", line 53, in load
return super().load(addr,
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/storage/memory_mixins/actions_mixin.py", line 13, in load
r = super().load(addr, size=size, condition=condition, fallback=fallback, action=action, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/storage/memory_mixins/underconstrained_mixin.py", line 17, in load
return super().load(addr, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/storage/memory_mixins/size_resolution_mixin.py", line 69, in load
return super().load(addr, size=size, **kwargs)
File "/home/bitnomad/Tools/Firmware_Slap/fwslap/lib/python3.8/site-packages/angr/storage/memory_mixins/size_resolution_mixin.py", line 20, in load
raise TypeError("Must provide size to load")
TypeError: Must provide size to load

It seems like angr is requiering a size to load. I didn't find a file where I could set a value.

Hello,
Does Firmware Slap support MIPS? I ask because I ran a few MIPS binaries through and received no results when I know for a fact there are various vulnerable functions in the firmware binary. Is there anything special I would need to do or develop to make MIPS works?

I do see this after every function trace worker thread:

<SimulationManager with all stashes empty (1 errored)>

I'm not sure if that is relevant or not.

Thanks for your help!

when running Pwn_Firmware_CGI.py, the firmware file is successfully extracted, root file system is discovered, and then I receive the following error:

python3 bin/Pwn_Firmware_CGI.py firmware.zip
/tmp/tmp6jej1eta
[+] Extracting firmware.zip
binwalk -Mre firmware.zip
Extracting Firmware into /tmp/tmp6jej1eta
[+] root file system discovered at /tmp/tmp6jej1eta/firmware.zip.extracted/firmware.bin.extracted/squashfs-root
/tmp/tmp6jej1eta/firmware.zip.extracted/firmware.bin.extracted/squashfs-root
[+] Reading Files
0%| | 0/39 [00:00<?, ?it/s]
Traceback (most recent call last):
File "bin/Pwn_Firmware_CGI.py", line 356, in
main()
File "bin/Pwn_Firmware_CGI.py", line 43, in main
file_vulnerabilities = process_file_or_folder(args.FILE, dirpath)
File "bin/Pwn_Firmware_CGI.py", line 110, in process_file_or_folder
ld_path = get_libraries(root_fs, work_dir)
File "bin/Pwn_Firmware_CGI.py", line 93, in get_libraries
executables, libraries = fhc.get_executable_files(firmware_folder)
File "/root/tools/Firmware_Slap/env/lib/python3.7/site-packages/Firmware_Slap-1.0-py3.7.egg/firmware_slap/firmware_clustering.py", line 51, in get_executable_files
if file_hash not in hashes:
UnboundLocalError: local variable 'file_hash' referenced before assignment

I tried globally declaring the variable in the for loop and declaring it again locally in the if statement, but still get the same error.

Looks like you're using subprocess.call with std in/out reirected to pipes to run the ghidra headless in ghidra_handler.py.
This will block the child process from completing if the pipe fills up(check out the warning here tmprawd8d3e/). Faced the issue myself. Please consider replacing this with either subprocess.Popen or redirecting the std in/out to subprocess.DEVNULL

when i run Discover and dump against a firmware binary, i receive the following error in the celery process:

KeyError: 'firmware_slap.celery_tasks.async_trace_func'
[2019-08-13 13:56:43,760: ERROR/MainProcess] Received unregistered task of type 'firmware_slap.celery_tasks.async_trace_func'.
The message has been ignored and discarded.

Did you remember to import the module containing this task?
Or maybe you're using relative imports?

Please see
http://docs.celeryq.org/en/latest/internals/protocol.html
for more information.

Any ideas on why this might be happening? Thanks for your help!

Still working on turning the knobs and dials to understand how this is working. Most of the binaries I want to analyze are not *.cgi files, they don't have any extensions, so the Pwn_Firmware_CGI.py doesn't work. But, I may try adjusting the cgi extension check and just checking everything... that might cause it to check too many files.

As I was looking through the code, I also noticed:

https://github.com/ChrisTheCoolHut/Firmware_Slap/blob/master/bin/Pwn_Firmware_CGI.py#L214

        ld_path="/home/chris/Tools/firmware_slap/Almond_Root/lib"

That should probably be a relative path? I'd create another PR but I'm not confident what it should be.

Is there currently a way to retrieve the vulnerability output that is displayed on STDOUT during a Discover_and_Dump session? I would assume all the information is in the json output, but there is a lot of data there. Any suggestions you might have would be greatly appreciated, and as always, I'll be happy to send a PR with documentation updates with any information provided. Thanks again!

Hello @ChrisTheCoolHut

@toobus and I are attempting to run Slap on a rather large ELF binary (~5MB in size), and we're experiencing an issue where the celery task doesn't complete and the whole Discover_and_Dump.py process just hangs. Is there any tunable parameter we can adjust to help Slap deal with such a large binary?

For reference, I am running ghidra's analyzeHeadless against the binary and its using something like 72GB of RAM to process, which probably means its swapping out to disk on @toobus workstation.

Any thoughts you have on the matter would be greatly appreciated. Thanks!

flake8 testing of https://github.com/ChrisTheCoolHut/Firmware_Slap on Python 3.7.1

$ flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics

./firmware_slap/es_helper.py:31:25: F821 undefined name 'indeX_name'
        import_item(es, indeX_name, node)
                        ^
./firmware_slap/function_analyzer.py:69:39: F632 use ==/!= to compare str, bytes, and int literals
            if result is not None and type(
                                      ^
./firmware_slap/function_analyzer.py:70:46: F632 use ==/!= to compare str, bytes, and int literals
                    result) is not "str" and result is not "timeout":
                                             ^
./firmware_slap/function_analyzer.py:116:19: F632 use ==/!= to compare str, bytes, and int literals
            while string_val[-1] is not 0 and curr_len < max_str_len:
                  ^
./firmware_slap/function_analyzer.py:137:23: F632 use ==/!= to compare str, bytes, and int literals
                while end_val_solved[-1] is not 0 and curr_len < max_byte_len:
                      ^
./firmware_slap/ghidra_scripts/DumpFunctions.py:35:16: F821 undefined name 'java'
        except java.lang.UnsupportedOperationException as e:
               ^
./firmware_slap/ghidra_scripts/DumpFunctions.py:120:15: F821 undefined name 'ghidra'
    flatapi = ghidra.program.flatapi.FlatProgramAPI(getCurrentProgram(), getMonitor())
              ^
./firmware_slap/ghidra_scripts/DumpFunctions.py:120:53: F821 undefined name 'getCurrentProgram'
    flatapi = ghidra.program.flatapi.FlatProgramAPI(getCurrentProgram(), getMonitor())
                                                    ^
./firmware_slap/ghidra_scripts/DumpFunctions.py:120:74: F821 undefined name 'getMonitor'
    flatapi = ghidra.program.flatapi.FlatProgramAPI(getCurrentProgram(), getMonitor())
                                                                         ^
./firmware_slap/ghidra_scripts/DumpFunctions.py:121:14: F821 undefined name 'ghidra'
    decapi = ghidra.app.decompiler.flatapi.FlatDecompilerAPI(flatapi)
             ^
./firmware_slap/ghidra_scripts/DumpFunctions.py:126:16: F821 undefined name 'getFirstFunction'
    function = getFirstFunction()
               ^
./firmware_slap/ghidra_scripts/DumpFunctions.py:130:28: F821 undefined name 'getFunctionAfter'
                function = getFunctionAfter(function)
                           ^
./firmware_slap/ghidra_scripts/DumpFunctions.py:135:28: F821 undefined name 'getFunctionAfter'
                function = getFunctionAfter(function)
                           ^
./firmware_slap/ghidra_scripts/DumpFunctions.py:146:70: F821 undefined name 'getMonitor'
        func_dict['CallingFunctions'] = function.getCallingFunctions(getMonitor())
                                                                     ^
./firmware_slap/ghidra_scripts/DumpFunctions.py:150:58: F821 undefined name 'getMonitor'
        DecRes = decInt.decompileFunction(function, 120, getMonitor())
                                                         ^
./firmware_slap/ghidra_scripts/DumpFunctions.py:181:20: F821 undefined name 'getFunctionAfter'
        function = getFunctionAfter(function)
                   ^
./firmware_slap/ghidra_scripts/SetDecompilerOptions.py:2:1: F821 undefined name 'setAnalysisOption'
setAnalysisOption(currentProgram, "Decompiler Parameter ID", "true")
^
./firmware_slap/ghidra_scripts/SetDecompilerOptions.py:2:19: F821 undefined name 'currentProgram'
setAnalysisOption(currentProgram, "Decompiler Parameter ID", "true")
                  ^
./bin/Vuln_And_Cluster.py:54:8: F632 use ==/!= to compare str, bytes, and int literals
    if args.Vuln_Pickle is "":
       ^
./bin/Vuln_And_Cluster.py:147:39: F632 use ==/!= to compare str, bytes, and int literals
            if result is not None and type(
                                      ^
./bin/Vuln_And_Cluster.py:148:46: F632 use ==/!= to compare str, bytes, and int literals
                    result) is not "str" and result is not "timeout":
                                             ^
./bin/Sample_Vuln_Discover.py:82:39: F632 use ==/!= to compare str, bytes, and int literals
            if result is not None and type(
                                      ^
./bin/Sample_Vuln_Discover.py:83:46: F632 use ==/!= to compare str, bytes, and int literals
                    result) is not "str" and result is not "timeout":
                                             ^
9     F632 use ==/!= to compare str, bytes, and int literals
14    F821 undefined name 'indeX_name'
23

On the flake8 test selection, this PR does not focus on "style violations" (the majority of flake8 error codes that psf/black can autocorrect). Instead these tests are focused on runtime safety and correctness:

• E9 tests are about Python syntax errors usually raised because flake8 can not build an Abstract Syntax Tree (AST). Often these issues are a sign of unused code or code that has not been ported to Python 3. These would be compile-time errors in a compiled language but in a dynamic language like Python they result in the script halting/crashing on the user.
• F63 tests are usually about the confusion between identity and equality in Python. Use ==/!= to compare str, bytes, and int literals is the classic case. These are areas where a == b is True but a is b is False (or vice versa).
• F7 tests logic errors and syntax errors in type hints
• F82 tests are almost always undefined names which are usually a sign of a typo, missing imports, or code that has not been ported to Python 3. These also would be compile-time errors in a compiled language but in Python a NameError is raised which will halt/crash the script on the user.

When running this command:
celery -A firmware_slap.celery_tasks worker --loglevel=info

I get the following error:

`Traceback (most recent call last):
File "/usr/local/lib/python3.6/dist-packages/celery-4.4.0rc2-py3.6.egg/celery/app/utils.py", line 369, in find_app
sym = symbol_by_name(app, imp=imp)
File "/usr/local/lib/python3.6/dist-packages/celery-4.4.0rc2-py3.6.egg/celery/bin/base.py", line 527, in symbol_by_name
return imports.symbol_by_name(name, imp=imp)
File "/usr/local/lib/python3.6/dist-packages/kombu-4.6.3-py3.6.egg/kombu/utils/imports.py", line 62, in symbol_by_name
return getattr(module, cls_name) if cls_name else module
AttributeError: module 'firmware_slap' has no attribute 'celery_tasks'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/bin/celery", line 11, in
load_entry_point('celery==4.4.0rc2', 'console_scripts', 'celery')()
File "/usr/local/lib/python3.6/dist-packages/celery-4.4.0rc2-py3.6.egg/celery/main.py", line 16, in main
_main()
File "/usr/local/lib/python3.6/dist-packages/celery-4.4.0rc2-py3.6.egg/celery/bin/celery.py", line 322, in main
cmd.execute_from_commandline(argv)
File "/usr/local/lib/python3.6/dist-packages/celery-4.4.0rc2-py3.6.egg/celery/bin/celery.py", line 496, in execute_from_commandline
super(CeleryCommand, self).execute_from_commandline(argv)))
File "/usr/local/lib/python3.6/dist-packages/celery-4.4.0rc2-py3.6.egg/celery/bin/base.py", line 288, in execute_from_commandline
argv = self.setup_app_from_commandline(argv)
File "/usr/local/lib/python3.6/dist-packages/celery-4.4.0rc2-py3.6.egg/celery/bin/base.py", line 502, in setup_app_from_commandline
self.app = self.find_app(app)
File "/usr/local/lib/python3.6/dist-packages/celery-4.4.0rc2-py3.6.egg/celery/bin/base.py", line 524, in find_app
return find_app(app, symbol_by_name=self.symbol_by_name)
File "/usr/local/lib/python3.6/dist-packages/celery-4.4.0rc2-py3.6.egg/celery/app/utils.py", line 372, in find_app
sym = imp(app)
File "/usr/local/lib/python3.6/dist-packages/celery-4.4.0rc2-py3.6.egg/celery/utils/imports.py", line 111, in import_from_cwd
return imp(module, package=package)
File "/usr/lib/python3.6/importlib/init.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "", line 994, in _gcd_import
File "", line 971, in _find_and_load
File "", line 955, in _find_and_load_unlocked
File "", line 665, in _load_unlocked
File "", line 678, in exec_module
File "", line 219, in _call_with_frames_removed
File "/home/user/Firmware_Slap/firmware_slap/celery_tasks.py", line 7, in
from firmware_slap.function_analyzer import *
File "/home/user/Firmware_Slap/firmware_slap/function_analyzer.py", line 1, in
import angr
File "/usr/local/lib/python3.6/dist-packages/angr-8.19.7.25-py3.6-linux-x86_64.egg/angr/init.py", line 30, in
from .sim_procedure import SimProcedure
File "/usr/local/lib/python3.6/dist-packages/angr-8.19.7.25-py3.6-linux-x86_64.egg/angr/sim_procedure.py", line 498, in
from angr.sim_type import SimTypePointer
File "/usr/local/lib/python3.6/dist-packages/angr-8.19.7.25-py3.6-linux-x86_64.egg/angr/sim_type.py", line 1287, in
from .state_plugins.view import SimMemView
File "/usr/local/lib/python3.6/dist-packages/angr-8.19.7.25-py3.6-linux-x86_64.egg/angr/state_plugins/init.py", line 10, in
from .javavm_memory import *
File "/usr/local/lib/python3.6/dist-packages/angr-8.19.7.25-py3.6-linux-x86_64.egg/angr/state_plugins/javavm_memory.py", line 7, in
from ..engines.soot.values import (SimSootValue_ArrayRef,
File "/usr/local/lib/python3.6/dist-packages/angr-8.19.7.25-py3.6-linux-x86_64.egg/angr/engines/init.py", line 4, in
from .vex import SimEngineVEX
File "/usr/local/lib/python3.6/dist-packages/angr-8.19.7.25-py3.6-linux-x86_64.egg/angr/engines/vex/init.py", line 1, in
from .engine import SimEngineVEX
File "/usr/local/lib/python3.6/dist-packages/angr-8.19.7.25-py3.6-linux-x86_64.egg/angr/engines/vex/engine.py", line 17, in
from ...utils.constants import DEFAULT_STATEMENT
File "/usr/local/lib/python3.6/dist-packages/angr-8.19.7.25-py3.6-linux-x86_64.egg/angr/utils/init.py", line 4, in
from . import enums_conv
File "/usr/local/lib/python3.6/dist-packages/angr-8.19.7.25-py3.6-linux-x86_64.egg/angr/utils/enums_conv.py", line 6, in
from ..protos.primitives_pb2 import Edge
File "/usr/local/lib/python3.6/dist-packages/angr-8.19.7.25-py3.6-linux-x86_64.egg/angr/protos/init.py", line 2, in
from . import primitives_pb2
File "/usr/local/lib/python3.6/dist-packages/angr-8.19.7.25-py3.6-linux-x86_64.egg/angr/protos/primitives_pb2.py", line 23, in
serialized_pb=_b('\n\x17protos/primitives.proto\x12\x0b\x61ngr.protos"\xf6\x04\n\rCodeReference\x12:\n\x0btarget_type\x18\x01 \x01(\x0e\x32%.angr.protos.CodeReference.TargetType\x12<\n\x0coperand_type\x18\x02 \x01(\x0e\x32&.angr.protos.CodeReference.OperandType\x12\x35\n\x08location\x18\x03 \x01(\x0e\x32#.angr.protos.CodeReference.Location\x12\n\n\x02\x65\x61\x18\x04 \x01(\x03\x12\x0c\n\x04mask\x18\x05 \x01(\x03\x12\x0c\n\x04name\x18\x06 \x01(\t\x12\x0f\n\x07\x64\x61ta_ea\x18\x07 \x01(\x03\x12\x10\n\x08\x62lock_ea\x18\x08 \x01(\x03\x12\x10\n\x08stmt_idx\x18\t \x01(\x05\x12\x13\n\x0boperand_idx\x18\n \x01(\x05\x12:\n\x08ref_type\x18\x0b \x01(\x0e\x32(.angr.protos.CodeReference.ReferenceType",\n\nTargetType\x12\x0e\n\nCodeTarget\x10\x00\x12\x0e\n\nDataTarget\x10\x01"~\n\x0bOperandType\x12\x14\n\x10ImmediateOperand\x10\x00\x12\x11\n\rMemoryOperand\x10\x01\x12\x1d\n\x19MemoryDisplacementOperand\x10\x02\x12\x16\n\x12\x43ontrolFlowOperand\x10\x03\x12\x0f\n\x0bOffsetTable\x10\x04"&\n\x08Location\x12\x0c\n\x08Internal\x10\x00\x12\x0c\n\x08\x45xternal\x10\x01"0\n\rReferenceType\x12\n\n\x06offset\x10\x00\x12\x08\n\x04read\x10\x01\x12\t\n\x05write\x10\x02"k\n\x0bInstruction\x12\n\n\x02\x65\x61\x18\x01 \x01(\x03\x12\r\n\x05\x62ytes\x18\x02 \x01(\x0c\x12)\n\x05xrefs\x18\x03 \x01(\x0b\x32\x1a.angr.protos.CodeReference\x12\x16\n\x0elocal_noreturn\x18\x04 \x01(\x08"\n\x05\x42lock\x12\n\n\x02\x65\x61\x18\x01 \x01(\x03\x12.\n\x0cinstructions\x18\x02 \x01(\x0b\x32\x18.angr.protos.Instruction\x12\x0c\n\x04size\x18\x04 \x01(\x05\x12\r\n\x05\x62ytes\x18\x05 \x01(\x0c\"\x95\x02\n\x10\x45xternalFunction\x12\x0c\n\x04name\x18\x01 \x01(\t\x12\n\n\x02\x65\x61\x18\x02 \x01(\x03\x12;\n\x02\x63\x63\x18\x03 \x01(\x0e\x32/.angr.protos.ExternalFunction.CallingConvention\x12\x12\n\nhas_return\x18\x04 \x01(\x08\x12\x11\n\tno_return\x18\x05 \x01(\x08\x12\x16\n\x0e\x61rgument_count\x18\x06 \x01(\x05\x12\x0f\n\x07is_weak\x18\x07 \x01(\x08\x12\x11\n\tprototype\x18\x08 \x01(\t\"G\n\x11\x43\x61llingConvention\x12\x11\n\rCallerCleanup\x10\x00\x12\x11\n\rCalleeCleanup\x10\x01\x12\x0c\n\x08\x46\x61stCall\x10\x02\"d\n\x10\x45xternalVariable\x12\x0c\n\x04name\x18\x01 \x01(\t\x12\n\n\x02\x65\x61\x18\x02 \x01(\x03\x12\x0c\n\x04size\x18\x03 \x01(\x05\x12\x0f\n\x07is_weak\x18\x04 \x01(\x08\x12\x17\n\x0fis_thread_local\x18\x05 \x01(\x08\"\xd6\x03\n\x04\x45\x64ge\x12\x0e\n\x06src_ea\x18\x01 \x01(\x03\x12\x0e\n\x06\x64st_ea\x18\x02 \x01(\x03\x12,\n\x08jumpkind\x18\x03 \x01(\x0e\x32\x1a.angr.protos.Edge.JumpKind\x12\x12\n\nis_outside\x18\x04 \x01(\x08\x12\x10\n\x08ins_addr\x18\x05 \x01(\x03\x12\x10\n\x08stmt_idx\x18\x06 \x01(\x03\x12)\n\x04\x64\x61ta\x18\x07 \x03(\x0b\x32\x1b.angr.protos.Edge.DataEntry\x1a+\n\tDataEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\x0c:\x02\x38\x01\"\xef\x01\n\x08JumpKind\x12\x13\n\x0fUnknownJumpkind\x10\x00\x12\n\n\x06\x42oring\x10\x01\x12\x08\n\x04\x43\x61ll\x10\x02\x12\n\n\x06Return\x10\x03\x12\x0e\n\nFakeReturn\x10\x04\x12\x0b\n\x07Syscall\x10\x05\x12\x0f\n\x0bSys_syscall\x10\x06\x12\x0e\n\nSys_int128\x10\x07\x12\x0c\n\x08NoDecode\x10\x08\x12\n\n\x06\x45mWarn\x10\t\x12\x11\n\rSigFPE_IntDiv\x10\n\x12\x0b\n\x07SigTRAP\x10\x0b\x12\x0b\n\x07SigSEGV\x10\x0c\x12\x0b\n\x07MapFail\x10\r\x12\x0b\n\x07NoRedir\x10\x0e\x12\r\n\tClientReq\x10\x0f\".\n\nBlockGraph\x12 \n\x05\x65\x64ges\x18\x01 \x03(\x0b\x32\x11.angr.protos.Edgeb\x06proto3') TypeError: __new__() got an unexpected keyword argument 'serialized_options'
Could you please help me out?
Thanks!