Merge pull request #621 from m-1-k-3/hnap

Version 1.2.3

helpers/helpers_emba_defaults.sh

@@ -18,8 +18,8 @@
 
 set_defaults() {
   # if this is a release version set RELEASE to 1, add a banner to config/banner and name the banner with the version details
-  export RELEASE=0
-  export EMBA_VERSION="1.2.x"
+  export RELEASE=1
+  export EMBA_VERSION="1.2.3"
 
   export CLEANED=0              # used for the final cleaner function for not running it multiple times
   export STRICT_MODE=0

helpers/running_modules.sh

@@ -38,7 +38,7 @@ fi
 mapfile -t STARTED_EMBA_PROCESSES < <(grep starting "${EMBA_LOG_FILE}" | awk '{print $9}'|| true)
 
 for EMBA_STARTED_PROC in "${STARTED_EMBA_PROCESSES[@]}"; do
-  if ! grep -q "${EMBA_STARTED_PROC}"" finished" "${EMBA_LOG_FILE}"; then
+  if ! grep -i -q "${EMBA_STARTED_PROC}"" finished" "${EMBA_LOG_FILE}"; then
     echo -e "[*] EMBA module ${GREEN}${EMBA_STARTED_PROC}${NC} currently running"
   fi
 done

modules/L25_web_checks.sh

@@ -215,6 +215,7 @@ web_access_crawler() {
   local WEB_DIR_L2=""
   local WEB_DIR_L3=""
   local CURL_OPTS=( -sS -D )
+  local CRAWLED_ARR=()
 
   if [[ "$SSL_" -eq 1 ]]; then
     PROTO="https"
@@ -226,9 +227,12 @@ web_access_crawler() {
   sub_module_title "Starting web server crawling for $ORANGE$IP_:$PORT$NC"
   print_ln
 
+  local HOME_=""
+  HOME_=$(pwd)
   for R_PATH in "${ROOT_PATH[@]}" ; do
     # we need files and links (for cgi files)
-    mapfile -t FILE_ARR_EXT < <(find "$R_PATH" -type f -o -type l || true)
+    cd "${R_PATH}" || exit 1
+    mapfile -t FILE_ARR_EXT < <(find "." -type f -o -type l || true)
 
     for WEB_PATH in "${FILE_ARR_EXT[@]}"; do
       if ! ping -c 1 "$IP_" &> /dev/null; then
@@ -237,30 +241,37 @@ web_access_crawler() {
       fi
       print_dot
       WEB_FILE="$(basename "$WEB_PATH")"
-      echo -e "\\n[*] Testing $ORANGE$PROTO://$IP_:$PORT_/$WEB_FILE$NC" >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log"
-      timeout --preserve-status --signal SIGINT 2 curl "${CURL_OPTS[@]}" - "$PROTO""://""$IP_":"$PORT_""/""$WEB_FILE" -o /dev/null >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" 2>/dev/null || true
+      if [[ -n "${WEB_FILE}" ]] && ! [[ "${CRAWLED_ARR[*]}" == *" ${WEB_FILE} "* ]]; then
+        echo -e "\\n[*] Testing $ORANGE$PROTO://$IP_:$PORT_/$WEB_FILE$NC" >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log"
+        timeout --preserve-status --signal SIGINT 2 curl "${CURL_OPTS[@]}" - "$PROTO""://""$IP_":"$PORT_""/""$WEB_FILE" -o /dev/null >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" 2>/dev/null || true
+        CRAWLED_ARR+=( "${WEB_FILE}" )
+      fi
       WEB_DIR_L1="$(dirname "$WEB_PATH" | rev | cut -d'/' -f1 | rev)"
-      if [[ -n "${WEB_DIR_L1}" ]]; then
-        WEB_DIR_L1="${WEB_DIR_L1#\.}"
-        WEB_DIR_L1="${WEB_DIR_L1#\/}"
+      WEB_DIR_L1="${WEB_DIR_L1#\.}"
+      WEB_DIR_L1="${WEB_DIR_L1#\/}"
+      if [[ -n "${WEB_DIR_L1}" ]] && ! [[ "${CRAWLED_ARR[*]}" == *" ${WEB_DIR_L1}/${WEB_FILE} "* ]]; then
         echo -e "\\n[*] Testing $ORANGE$PROTO://$IP_:$PORT_/${WEB_DIR_L1}/${WEB_FILE}$NC" >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log"
         timeout --preserve-status --signal SIGINT 2 curl "${CURL_OPTS[@]}" - "$PROTO""://""$IP_":"$PORT_""/""${WEB_DIR_L1}""/""$WEB_FILE" -o /dev/null >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" 2>/dev/null || true
+        CRAWLED_ARR+=( "${WEB_DIR_L1}/${WEB_FILE}" )
       fi
       WEB_DIR_L2="$(dirname "$WEB_PATH" | rev | cut -d'/' -f1-2 | rev)"
-      if [[ -n "${WEB_DIR_L2}" ]] && [[ "${WEB_DIR_L2}" != "${WEB_DIR_L1}" ]]; then
-        WEB_DIR_L2="${WEB_DIR_L2#\.}"
-        WEB_DIR_L2="${WEB_DIR_L2#\/}"
+      WEB_DIR_L2="${WEB_DIR_L2#\.}"
+      WEB_DIR_L2="${WEB_DIR_L2#\/}"
+      if [[ -n "${WEB_DIR_L2}" ]] && [[ "${WEB_DIR_L2}" != "${WEB_DIR_L1}" ]] && ! [[ "${CRAWLED_ARR[*]}" == *" ${WEB_DIR_L2}/${WEB_FILE} "* ]]; then
         echo -e "\\n[*] Testing $ORANGE$PROTO://$IP_:$PORT_/${WEB_DIR_L2}/${WEB_FILE}$NC" >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log"
         timeout --preserve-status --signal SIGINT 2 curl "${CURL_OPTS[@]}" - "$PROTO""://""$IP_":"$PORT_""/""${WEB_DIR_L2}""/""$WEB_FILE" -o /dev/null >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" 2>/dev/null || true
+        CRAWLED_ARR+=( "${WEB_DIR_L2}/${WEB_FILE}" )
       fi
       WEB_DIR_L3="$(dirname "$WEB_PATH" | rev | cut -d'/' -f1-3 | rev)"
-      if [[ -n "${WEB_DIR_L3}" ]] && [[ "${WEB_DIR_L3}" != "${WEB_DIR_L2}" ]] && [[ "${WEB_DIR_L3}" != "${WEB_DIR_L1}" ]]; then
-        WEB_DIR_L3="${WEB_DIR_L3#\.}"
-        WEB_DIR_L3="${WEB_DIR_L3#\/}"
+      WEB_DIR_L3="${WEB_DIR_L3#\.}"
+      WEB_DIR_L3="${WEB_DIR_L3#\/}"
+      if [[ -n "${WEB_DIR_L3}" ]] && [[ "${WEB_DIR_L3}" != "${WEB_DIR_L2}" ]] && [[ "${WEB_DIR_L3}" != "${WEB_DIR_L1}" ]] && ! [[ "${CRAWLED_ARR[*]}" == *" ${WEB_DIR_L3}/${WEB_FILE} "* ]]; then
         echo -e "\\n[*] Testing $ORANGE$PROTO://$IP_:$PORT_/${WEB_DIR_L3}/${WEB_FILE}$NC" >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log"
         timeout --preserve-status --signal SIGINT 2 curl "${CURL_OPTS[@]}" - "$PROTO""://""$IP_":"$PORT_""/""${WEB_DIR_L3}""/""$WEB_FILE" -o /dev/null >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" 2>/dev/null || true
+        CRAWLED_ARR+=( "${WEB_DIR_L3}/${WEB_FILE}" )
       fi
     done
+    cd "${HOME_}" || exit 1
   done
 
   if [[ -f "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" ]]; then

modules/S15_radare_decompile_checks.sh

@@ -93,28 +93,29 @@ radare_decompilation(){
     return
   fi
 
-
   NETWORKING=$(readelf -a "$BINARY_" --use-dynamic 2> /dev/null | grep -E "FUNC[[:space:]]+UND" | grep -c "\ bind\|\ socket\|\ accept\|\ recvfrom\|\ listen" 2> /dev/null || true)
   for FUNCTION in "${VULNERABLE_FUNCTIONS[@]}" ; do
     FUNC_LOG="$LOG_PATH_MODULE""/decompilation_vul_func_""$FUNCTION""-""$NAME"".txt"
     radare_decomp_log_bin_hardening "$NAME" "$FUNCTION"
     # with axt we are looking for function usages and store this in $FUNCTION_usage
     # pdd is for decompilation - with @@ we are working through all the identified functions
+    # We analyse only 200 functions per binary
     r2 -e io.cache=true -e scr.color=false -q -A -c \
-      'axt `is~'"${FUNCTION}"'[2]`~[0] | tail -n +2 | sort -u > '"${LOG_PATH_MODULE}""/""${FUNCTION}""_usage"'; pdd --assembly @@ `cat '"${LOG_PATH_MODULE}""/""${FUNCTION}"'_usage`' "$BINARY" \
-      2> /dev/null >> "$FUNC_LOG" || true
+      'axt `is~'"${FUNCTION}"'[2]`~[0] | tail -n +2 | grep -v "nofunc" | sort -u | tail -n 200 > '"${LOG_PATH_MODULE}""/""${FUNCTION}""_""${NAME}""_usage"'; pdd --assembly @@ `cat '"${LOG_PATH_MODULE}""/""${FUNCTION}""_""${NAME}"'_usage`' "$BINARY" 2> /dev/null >> "$FUNC_LOG" || true
 
-    if [[ -f "$FUNC_LOG" ]] && [[ $(wc -l "$FUNC_LOG" | awk '{print $1}') -gt 0 ]] ; then
+    if [[ -f "$FUNC_LOG" ]] && [[ $(wc -l "$FUNC_LOG" | awk '{print $1}') -gt 3 ]] ; then
       radare_decomp_color_output "$FUNCTION"
 
       # Todo: check this with other architectures
-      COUNT_FUNC="$(grep -c "sym.*""$FUNCTION" "$FUNC_LOG"  2> /dev/null || true)"
+      COUNT_FUNC="$(grep -c "$FUNCTION" "$FUNC_LOG"  2> /dev/null || true)"
       if [[ "$FUNCTION" == "strcpy" ]] ; then
-        COUNT_STRLEN=$(grep -c "sym.*strlen" "$FUNC_LOG"  2> /dev/null || true)
+        COUNT_STRLEN=$(grep -c "strlen" "$FUNC_LOG"  2> /dev/null || true)
         STRCPY_CNT=$((STRCPY_CNT+COUNT_FUNC))
       fi
       radare_log_func_footer "$NAME" "$FUNCTION"
       radare_decomp_output_function_details "$BINARY_" "$FUNCTION"
+    else
+      rm "$FUNC_LOG" || true
     fi
   done
   echo "$STRCPY_CNT" >> "$TMP_DIR"/S15_STRCPY_CNT.tmp
@@ -138,6 +139,7 @@ radare_decomp_log_bin_hardening() {
   fi
 
   write_log "$NC" "$FUNC_LOG"
+# not working - check this:
 #  if [[ -d "$LOG_DIR"/s14_weak_func_radare_check/ ]] && [[ "$(find "$LOG_DIR"/s14_weak_func_radare_check/ -name "vul_func_*""$FUNCTION""-""$NAME"".txt" | wc -l | awk '{print $1}')" -gt 0 ]]; then
 #    write_log "[*] Function $ORANGE$FUNCTION$NC tear down of $ORANGE$NAME$NC / Switch to Radare2 disasm$NC" "$FUNC_LOG"
 #    write_link "$(find "$LOG_DIR"/s14_weak_func_radare_check/ -name "vul_func_*""$FUNCTION""-""$NAME"".txt")" "$FUNC_LOG"

modules/S85_ssh_check.sh

@@ -59,7 +59,7 @@ search_ssh_files()
           local PRINTER=0
           if [[ "$(basename "$LINE")" == "sshd_config"  ]]; then
             print_output "[*] Testing sshd configuration file with sshdcc"
-            readarray SSHD_ISSUES < <("$EXT_DIR"/sshdcc -ns -nc -f "$LINE")
+            readarray SSHD_ISSUES < <("$EXT_DIR"/sshdcc -ns -nc -f "$LINE" || true)
             for S_ISSUE in "${SSHD_ISSUES[@]}"; do
               if [[ "$S_ISSUE" == *RESULTS* || "$PRINTER" -eq 1 ]]; then
                 # print finding title as EMBA finding: