From b1d7dc0178145f3b02928c6da23f0fe930c9eec1 Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Tue, 3 Jan 2023 15:46:18 +0100
Subject: [PATCH 1/2] checker for spaces after comment sign
---
 check_project.sh | 26 ++++-
 helpers/helpers_emba_dependency_check.sh | 4 +-
 helpers/helpers_emba_helpers.sh | 12 +--
 helpers/helpers_emba_prepare.sh | 6 +-
 helpers/helpers_emba_print.sh | 4 +-
 helpers/snyk_crawler.sh | 14 +--
 installer/I02_UEFI_fwhunt.sh | 6 +-
 installer/ID1_ubuntu_os.sh | 2 +-
 installer/IF20_cve_search.sh | 10 +-
 installer/IL15_emulated_checks_init.sh | 14 +--
 installer/IP00_extractors.sh | 2 +-
 installer/IP99_binwalk_default.sh | 4 +-
 modules/F20_vul_aggregator.sh | 6 +-
 modules/F50_base_aggregator.sh | 10 +-
 modules/L10_system_emulation.sh | 51 +++++-----
 modules/L15_emulated_checks_nmap.sh | 6 +-
 modules/P18_qnap_decryptor.sh | 4 +-
 modules/S02_UEFI_FwHunt.sh | 2 -
 modules/S03_firmware_bin_base_analyzer.sh | 10 +-
 modules/S05_firmware_details.sh | 2 +-
 modules/S08_package_mgmt_extractor.sh | 6 +-
 modules/S09_firmware_base_version_check.sh | 4 +-
 modules/S115_usermode_emulator.sh | 20 ++--
 modules/S116_qemu_version_detection.sh | 2 +-
 modules/S13_weak_func_check.sh | 4 +-
 modules/S14_weak_func_radare_check.sh | 6 +-
 modules/S15_bootloader_check.sh | 10 +-
 modules/S20_shell_check.sh | 2 +-
 modules/S21_python_check.sh | 2 +-
 modules/S22_php_check.sh | 4 +-
 modules/S45_pass_file_check.sh | 4 +-
 modules/S65_config_file_check.sh | 2 +-
 modules/S80_cronjob_check.sh | 6 +-
 modules/S85_ssh_check.sh | 2 +-
 modules/S99_grepit.sh | 108 ++++++++++-----
 35 files changed, 200 insertions(+), 177 deletions(-)
diff --git a/check_project.sh b/check_project.sh
index 8c34896fe..9a047e5d0 100755
--- a/check_project.sh
+++ b/check_project.sh
@@ -46,6 +46,7 @@ MODULES_TO_CHECK_ARR_TAB=() MODULES_TO_CHECK_ARR_SEMGREP=() MODULES_TO_CHECK_ARR_DOCKER=() MODULES_TO_CHECK_ARR_PERM=() +MODULES_TO_CHECK_ARR_COMMENT=() import_config_scripts() { mapfile -t HELPERS < <(find "$CONF_DIR" -iname "*.sh" 2>/dev/null) @@ -153,6 +154,19 @@ check() { fi done + echo -e "\\n""$GREEN""Check all source for correct comment usage:""$NC""\\n" + for SOURCE in "${SOURCES[@]}"; do + echo -e "\\n""$GREEN""Run ${ORANGE}comment check$GREEN on $ORANGE$SOURCE""$NC""\\n" + if [[ $(grep -E -R "^( )+?#" "$SOURCE" | grep -v "#\ \|bash\|/bin/sh\|shellcheck" | grep -v -E -c "#$") -eq 0 ]]; then + echo -e "$GREEN""$BOLD""==> SUCCESS""$NC""\\n" + else + grep -E -R -n "^( )+?#" "$SOURCE" | grep -v "#\ \|bash\|shellcheck" | grep -v -E "#$" + echo -e "\\n""$ORANGE""$BOLD""==> FIX ERRORS""$NC""\\n" + MODULES_TO_CHECK_ARR_COMMENT+=("$SOURCE") + fi + done + + echo -e "\\n""$GREEN""Run shellcheck and semgrep:""$NC""\\n" for SOURCE in "${SOURCES[@]}"; do echo -e "\\n""$GREEN""Run ${ORANGE}shellcheck$GREEN on $ORANGE$SOURCE""$NC""\\n" @@ -199,6 +213,15 @@ summary() { echo -e "$ORANGE""WARNING: Fix the errors before pushing to the EMBA repository!" fi + if [[ "${#MODULES_TO_CHECK_ARR_COMMENT[@]}" -gt 0 ]]; then + echo -e "\\n\\n""$GREEN$BOLD""SUMMARY:$NC\\n" + echo -e "Modules to check (space after # sign): ${#MODULES_TO_CHECK_ARR_COMMENT[@]}\\n" + for MODULE in "${MODULES_TO_CHECK_ARR_COMMENT[@]}"; do + echo -e "$ORANGE$BOLD==> FIX MODULE: ""$MODULE""$NC" + done + echo -e "$ORANGE""WARNING: Fix the errors before pushing to the EMBA repository!" + fi + if [[ "${#MODULES_TO_CHECK_ARR[@]}" -gt 0 ]]; then echo -e "\\n\\n""$GREEN$BOLD""SUMMARY:$NC\\n" echo -e "Modules to check (shellcheck): ${#MODULES_TO_CHECK_ARR[@]}\\n" 
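Review bot: The pattern `"^( )+?#"` in the new comment check does not express a lazy match — POSIX ERE has no `+?`, and GNU grep reads it as an optional `( )+`, so the pattern is effectively `^ *#`; writing it as `^ *#` says what is meant and avoids grep-version surprises, and `-R` is unnecessary on a single file argument. The filter used for the count (`grep -v "#\ \|bash\|/bin/sh\|shellcheck"`) also differs from the one used to print the offenders, which drops the `/bin/sh` exclusion, so the printed list can contain lines the count excluded. Running one pipeline and deriving both the verdict and the listing from its output keeps them in step, e.g. `COMMENT_HITS=$(grep -n -E "^ *#" "$SOURCE" | grep -v "#\ \|bash\|/bin/sh\|shellcheck" | grep -v -E "#$" || true)` followed by `if [[ -z "$COMMENT_HITS" ]]; then` and `printf '%s\n' "$COMMENT_HITS"` in the else branch. Note that the `bash`/`shellcheck` exclusions match anywhere on the line, so a comment such as `#bash options` is silently skipped — presumably intended to cover shebangs and shellcheck directives, but worth a comment saying so.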
@@ -258,6 +281,7 @@ dockerchecker summary if [[ "${#MODULES_TO_CHECK_ARR_TAB[@]}" -gt 0 ]] || [[ "${#MODULES_TO_CHECK_ARR[@]}" -gt 0 ]] || [[ "${#MODULES_TO_CHECK_ARR[@]}" -gt 0 ]] || \ - [[ "${#MODULES_TO_CHECK_ARR_SEMGREP[@]}" -gt 0 ]] || [[ "${#MODULES_TO_CHECK_ARR_DOCKER[@]}" -gt 0 ]] || [[ "${#MODULES_TO_CHECK_ARR_PERM[@]}" -gt 0 ]]; then + [[ "${#MODULES_TO_CHECK_ARR_SEMGREP[@]}" -gt 0 ]] || [[ "${#MODULES_TO_CHECK_ARR_DOCKER[@]}" -gt 0 ]] || [[ "${#MODULES_TO_CHECK_ARR_PERM[@]}" -gt 0 ]] || \ + [[ "${#MODULES_TO_CHECK_ARR_COMMENT[@]}" -gt 0 ]]; then exit 1 fi diff --git a/helpers/helpers_emba_dependency_check.sh b/helpers/helpers_emba_dependency_check.sh index 9ea3e19c3..17f8f3448 100755 --- a/helpers/helpers_emba_dependency_check.sh +++ b/helpers/helpers_emba_dependency_check.sh @@ -637,10 +637,10 @@ architecture_dep_check() { elif [[ "$ARCH" == "x86" ]] ; then ARCH_STR="i386" elif [[ "$ARCH" == "x64" ]] ; then - #ARCH_STR="i386:x86-64" + # ARCH_STR="i386:x86-64" ARCH_STR="x86-64" elif [[ "$ARCH" == "PPC" ]] ; then - #ARCH_STR="powerpc:common" + # ARCH_STR="powerpc:common" ARCH_STR="powerpc" elif [[ "$ARCH" == "PPC64" ]] ; then ARCH_STR="powerpc64" diff --git a/helpers/helpers_emba_helpers.sh b/helpers/helpers_emba_helpers.sh index ddf7d724d..39f123560 100755 --- a/helpers/helpers_emba_helpers.sh +++ b/helpers/helpers_emba_helpers.sh 
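Review bot: The exit condition tests `"${#MODULES_TO_CHECK_ARR[@]}" -gt 0` twice (second and third clauses on the unchanged first line) while the new `MODULES_TO_CHECK_ARR_COMMENT` clause is appended on a further continuation line; since the statement is being reworked anyway, the duplicate clause could be dropped. With seven result arrays now feeding both this condition and the per-array blocks in summary(), a single loop over the array names (for example `for ARR_NAME in MODULES_TO_CHECK_ARR MODULES_TO_CHECK_ARR_TAB MODULES_TO_CHECK_ARR_COMMENT; do` with `declare -n ARR_REF="$ARR_NAME"`, if the target bash supports namerefs) would keep the two places from drifting apart when the next checker is added.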
@@ -30,15 +30,15 @@ run_web_reporter_mod_name() { wait_for_pid() { local WAIT_PIDS=("$@") local PID - #print_output "[*] wait pid protection: ${#WAIT_PIDS[@]}" + # print_output "[*] wait pid protection: ${#WAIT_PIDS[@]}" for PID in "${WAIT_PIDS[@]}"; do - #print_output "[*] wait pid protection: $PID" + # print_output "[*] wait pid protection: $PID" print_dot if ! [[ -e /proc/"$PID" ]]; then continue fi while [[ -e /proc/"$PID" ]]; do - #print_output "[*] wait pid protection - running pid: $PID" + # print_output "[*] wait pid protection - running pid: $PID" print_dot # if S115 is running we have to kill old qemu processes if [[ -f "$LOG_DIR"/"$MAIN_LOG_FILE" ]] && [[ $(grep -c S115_ "$LOG_DIR"/"$MAIN_LOG_FILE") -eq 1 && -n "$QRUNTIME" ]]; then @@ -146,9 +146,9 @@ cleaner() { fi # what a quick fix - need to come back to this! - #if [[ "$NOTIFICATION_PID" != "NA" ]]; then + # if [[ "$NOTIFICATION_PID" != "NA" ]]; then # kill "$NOTIFICATION_PID" 2>/dev/null || true - #fi + # fi if [[ -f "$TMP_DIR"/orig_logdir ]]; then LOG_DIR_HOST=$(cat "$TMP_DIR"/orig_logdir) pkill -f "inotifywait.*$LOG_DIR_HOST" 2>/dev/null || true @@ -190,7 +190,7 @@ emba_updater() { git pull cd "$BASE_PATH" || exit else - #git clone https://github.com/trickest/cve.git "$EXT_DIR"/trickest-cve + # git clone https://github.com/trickest/cve.git "$EXT_DIR"/trickest-cve git clone https://github.com/EMBA-support-repos/trickest-cve.git "$EXT_DIR"/trickest-cve fi diff --git a/helpers/helpers_emba_prepare.sh b/helpers/helpers_emba_prepare.sh index fe266324f..7bb3ce657 100755 --- a/helpers/helpers_emba_prepare.sh +++ b/helpers/helpers_emba_prepare.sh @@ -381,7 +381,7 @@ prepare_file_arr() # xdev will do the trick for us: # remove ./proc/* executables (for live testing) - #rm_proc_binary "${FILE_ARR[@]}" + # rm_proc_binary "${FILE_ARR[@]}" } prepare_binary_arr() 
@@ -392,7 +392,7 @@ prepare_binary_arr() # lets try to get an unique binary array # Necessary for providing BINARIES array (usable in every module) export BINARIES=() - #readarray -t BINARIES < <( find "$FIRMWARE_PATH" "${EXCL_FIND[@]}" -type f -executable -exec md5sum {} \; 2>/dev/null | sort -u -k1,1 | cut -d\ -f3 ) + # readarray -t BINARIES < <( find "$FIRMWARE_PATH" "${EXCL_FIND[@]}" -type f -executable -exec md5sum {} \; 2>/dev/null | sort -u -k1,1 | cut -d\ -f3 ) # In some firmwares we miss the exec permissions in the complete firmware. In such a case we try to find ELF files and unique it readarray -t BINARIES_TMP < <(find "$FIRMWARE_PATH" "${EXCL_FIND[@]}" -type f -exec file {} \; 2>/dev/null | grep ELF | cut -d: -f1 || true) @@ -410,7 +410,7 @@ prepare_binary_arr() fi # remove ./proc/* executables (for live testing) - #rm_proc_binary "${BINARIES[@]}" + # rm_proc_binary "${BINARIES[@]}" } prepare_file_arr_limited() { diff --git a/helpers/helpers_emba_print.sh b/helpers/helpers_emba_print.sh index 185278b7f..c44b77199 100755 --- a/helpers/helpers_emba_print.sh +++ b/helpers/helpers_emba_print.sh @@ -45,7 +45,7 @@ welcome() module_log_init() { - #local LOG_FILE_NAME + # local LOG_FILE_NAME LOG_FILE_NAME="${1:-}" local FILE_NAME MODULE_NUMBER="$(echo "$LOG_FILE_NAME" | cut -d "_" -f1 | cut -c2- )" @@ -591,7 +591,7 @@ module_start_log() { print_output "[*] $(date) - $MODULE_MAIN_NAME starting" "main" export LOG_PATH_MODULE if [[ "${LOG_DIR: -1}" == "/" ]]; then - #strip final slash from log dir + # strip final slash from log dir LOG_DIR="${LOG_DIR:: -1}" fi LOG_PATH_MODULE=$(abs_path "$LOG_DIR""/""$(echo "$MODULE_MAIN_NAME" | tr '[:upper:]' '[:lower:]')") diff --git a/helpers/snyk_crawler.sh b/helpers/snyk_crawler.sh index f4641a065..ed29acbed 100755 --- a/helpers/snyk_crawler.sh +++ b/helpers/snyk_crawler.sh 
@@ -68,7 +68,7 @@ echo "" echo -e "[*] The following advisories have PoC code included:" PoC_CNT=0 # removed exploit-db as we already have it in EMBA -#echo "CVE;advisory name;advisory URL;unknown PoC;Github PoC;exploit-db;Curl PoC;XML PoC;" > "$SAVE_PATH"/Snyk_PoC_results.csv +# echo "CVE;advisory name;advisory URL;unknown PoC;Github PoC;exploit-db;Curl PoC;XML PoC;" > "$SAVE_PATH"/Snyk_PoC_results.csv echo "CVE;advisory name;advisory URL;unknown PoC;Github PoC;Curl PoC;XML PoC;" > "$SAVE_PATH"/Snyk_PoC_results.csv while IFS= read -r -d '' ADV; do @@ -99,13 +99,13 @@ while IFS= read -r -d '' ADV; do fi # removed exploit-db as we already have it in EMBA # exploit-db references: - #PoC_EDB=$(grep -a -c -E "https://www.exploit-db.com/exploits/[0-9]+" "$ADV") - #((PoC+="$PoC_EDB")) - #if [[ "$PoC_EDB" -gt 0 ]]; then + # PoC_EDB=$(grep -a -c -E "https://www.exploit-db.com/exploits/[0-9]+" "$ADV") + # ((PoC+="$PoC_EDB")) + # if [[ "$PoC_EDB" -gt 0 ]]; then # PoC_EDB="yes" - #else + # else # PoC_EDB="no" - #fi + # fi # curl http exploits: PoC_CURL=$(grep -a -c "curl http" "$ADV") ((PoC+="$PoC_CURL")) @@ -129,7 +129,7 @@ while IFS= read -r -d '' ADV; do for CVE in "${CVEs[@]}"; do echo -e "[+] Found PoC for $ORANGE$CVE$NC in advisory $ORANGE$ADV_NAME$NC (unknown PoC: $ORANGE$PoC_PoC$NC / Github: $ORANGE$PoC_GH$NC / exploit-db: $ORANGE$PoC_EDB$NC / Curl: $ORANGE$PoC_CURL$NC / XML: $ORANGE$PoC_XML$NC)" # removed exploit-db as we already have it in EMBA - #echo "$CVE;$ADV_NAME;$ADV_URL;$PoC_PoC;$PoC_GH;$PoC_EDB;$PoC_CURL;$PoC_XML;" >> "$SAVE_PATH"/Snyk_PoC_results.csv + # echo "$CVE;$ADV_NAME;$ADV_URL;$PoC_PoC;$PoC_GH;$PoC_EDB;$PoC_CURL;$PoC_XML;" >> "$SAVE_PATH"/Snyk_PoC_results.csv echo "$CVE;$ADV_NAME;$ADV_URL;$PoC_PoC;$PoC_GH;$PoC_CURL;$PoC_XML;" >> "$SAVE_PATH"/Snyk_PoC_results.csv ((PoC_CNT+=1)) done diff --git a/installer/I02_UEFI_fwhunt.sh b/installer/I02_UEFI_fwhunt.sh index 06f8233cd..67cfa0d8e 100755 --- a/installer/I02_UEFI_fwhunt.sh 
+++ b/installer/I02_UEFI_fwhunt.sh @@ -76,9 +76,9 @@ I02_UEFI_fwhunt() { cd external/fwhunt-scan || ( echo "Could not install EMBA component fwhunt-scan" && exit 1 ) git clone https://github.com/EMBA-support-repos/FwHunt.git rules echo "Installed $(find rules/ -iname "BRLY-*" | wc -l) fwhunt rules" - #ldconfig - #export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib64/ - #python3 setup.py install + # ldconfig + # export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib64/ + # python3 setup.py install pip3 install fwhunt-scan cd "$HOME_PATH" || ( echo "Could not install EMBA component fwhunt-scan" && exit 1 ) ;; diff --git a/installer/ID1_ubuntu_os.sh b/installer/ID1_ubuntu_os.sh index ed7d7d961..5e4b865e1 100755 --- a/installer/ID1_ubuntu_os.sh +++ b/installer/ID1_ubuntu_os.sh @@ -38,7 +38,7 @@ ID1_ubuntu_os() { if ! dpkg -l libssl1.1 &>/dev/null; then # libssl1.1 missing echo -e "\\n""$BOLD""Installing libssl1.1 for mongodb!""$NC" - #echo "deb http://security.ubuntu.com/ubuntu impish-security main" | tee /etc/apt/sources.list.d/impish-security.list + # echo "deb http://security.ubuntu.com/ubuntu impish-security main" | tee /etc/apt/sources.list.d/impish-security.list wget http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_1.1.1-1ubuntu2.1~18.04.20_amd64.deb -O external/libssl-dev_1.1.1-1ubuntu2.1~18.04.20_amd64.deb wget http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1-1ubuntu2.1~18.04.20_amd64.deb -O external/libssl1.1_1.1.1-1ubuntu2.1~18.04.20_amd64.deb dpkg -i external/libssl1.1_1.1.1-1ubuntu2.1~18.04.20_amd64.deb diff --git a/installer/IF20_cve_search.sh b/installer/IF20_cve_search.sh index 1dfc21c16..f910da2b3 100755 --- a/installer/IF20_cve_search.sh +++ b/installer/IF20_cve_search.sh 
@@ -49,22 +49,22 @@ IF20_cve_search() { done < requirements.system # we do not need to install the Flask web environment - we do it manually - #while read -r TOOL_NAME; do + # while read -r TOOL_NAME; do # PIP_NAME=$(echo "$TOOL_NAME" | cut -d= -f1) # TOOL_VERSION=$(echo "$TOOL_NAME" | cut -d= -f3) # print_pip_info "$PIP_NAME" "$TOOL_VERSION" - #done < requirements.txt + # done < requirements.txt - #xargs sudo apt-get install -y < requirements.system + # xargs sudo apt-get install -y < requirements.system while read -r TOOL_NAME; do apt-get install -y "$TOOL_NAME" --no-install-recommends done < requirements.system # this is a temp solution - Currently needed to fulfill broken deps: - #python3 -m pip install -Iv crackmapexec==5.1.7.dev0 + # python3 -m pip install -Iv crackmapexec==5.1.7.dev0 # we do not need to install the Flask web environment - we do it manually - #python3 -m pip install -r requirements.txt + # python3 -m pip install -r requirements.txt pip3 install requests==2.28.1 pip3 install Whoosh==2.7.4 pip3 install tqdm==4.64.0 diff --git a/installer/IL15_emulated_checks_init.sh b/installer/IL15_emulated_checks_init.sh index 6ea8e8a0d..a1edb2a46 100755 --- a/installer/IL15_emulated_checks_init.sh +++ b/installer/IL15_emulated_checks_init.sh @@ -41,13 +41,13 @@ IL15_emulated_checks_init() { # needed for cutycapt print_tool_info "xvfb" 1 - #print_tool_info "libqt5webkit5" 1 - #print_tool_info "xfonts-100dpi" 1 - #print_tool_info "xfonts-75dpi" 1 - #print_tool_info "xfonts-cyrillic" 1 - #print_tool_info "xorg" 1 - #print_tool_info "dbus-x11" 1 - #print_tool_info "g++" 1 + # print_tool_info "libqt5webkit5" 1 + # print_tool_info "xfonts-100dpi" 1 + # print_tool_info "xfonts-75dpi" 1 + # print_tool_info "xfonts-cyrillic" 1 + # print_tool_info "xorg" 1 + # print_tool_info "dbus-x11" 1 + # print_tool_info "g++" 1 # needed for cutycapt if [[ "$LIST_DEP" -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]] ; then 
diff --git a/installer/IP00_extractors.sh b/installer/IP00_extractors.sh index 40d9150c2..bc2649a81 100755 --- a/installer/IP00_extractors.sh +++ b/installer/IP00_extractors.sh @@ -26,7 +26,7 @@ IP00_extractors(){ print_pip_info "bsdiff4" print_git_info "payload_dumper" "EMBA-support-repos/payload_dumper" "Android OTA payload.bin extractor" # ubireader: - #print_tool_info "python3-lzo" 1 + # print_tool_info "python3-lzo" 1 print_tool_info "liblzo2-dev" 1 print_pip_info "python-lzo" # vmdk extractor: diff --git a/installer/IP99_binwalk_default.sh b/installer/IP99_binwalk_default.sh index 1ff651bf3..f46927cc5 100755 --- a/installer/IP99_binwalk_default.sh +++ b/installer/IP99_binwalk_default.sh @@ -63,7 +63,7 @@ IP99_binwalk_default() { print_tool_info "python3-pyqt5.qtopengl" 1 print_tool_info "python3-numpy" 1 print_tool_info "python3-scipy" 1 - #print_tool_info "python3-lzo" 1 + # print_tool_info "python3-lzo" 1 print_pip_info "python-lzo" # python-setuptools is needed for ubireader installation print_tool_info "python-setuptools" 1 @@ -111,7 +111,7 @@ IP99_binwalk_default() { pip3 install "python-lzo>=1.14" if ! [[ -d external/binwalk ]]; then - #git clone https://github.com/ReFirmLabs/binwalk.git external/binwalk + # git clone https://github.com/ReFirmLabs/binwalk.git external/binwalk git clone https://github.com/EMBA-support-repos/binwalk.git external/binwalk fi diff --git a/modules/F20_vul_aggregator.sh b/modules/F20_vul_aggregator.sh index 568eb525e..63697d937 100755 --- a/modules/F20_vul_aggregator.sh +++ b/modules/F20_vul_aggregator.sh 
@@ -211,7 +211,7 @@ aggregate_versions() { # we ensure that we search for the correct kernel version by adding a : at the end of the search string VERSION=${VERSION/%/:} VERSIONS_KERNEL+=( "$VERSION" ) - #print_output "[+] Added modfied Kernel Version details (${ORANGE}kernel$GREEN): ""$ORANGE$VERSION$NC" + # print_output "[+] Added modfied Kernel Version details (${ORANGE}kernel$GREEN): ""$ORANGE$VERSION$NC" done for CVE_ENTRY in "${CVE_S02_DETAILS[@]}"; do @@ -649,13 +649,13 @@ cve_extractor() { # On the other hand, do not forget that we are also using the s25 results if we can find the # same CVE here via version detection. - #if [[ "$BINARY" == *kernel* ]]; then + # if [[ "$BINARY" == *kernel* ]]; then # if [[ -f "$S25_LOG" ]]; then # for KERNEL_CVE_EXPLOIT in "${KERNEL_CVE_EXPLOITS[@]}"; do # KCVE_VALUE=$(echo "$KERNEL_CVE_EXPLOIT" | cut -d\; -f3) # done # fi - #fi + # fi if [[ -f "$LOG_PATH_MODULE"/"$AGG_LOG_FILE" ]]; then for CVE_OUTPUT in "${CVEs_OUTPUT[@]}"; do diff --git a/modules/F50_base_aggregator.sh b/modules/F50_base_aggregator.sh index eb97bbc0a..82d19256b 100755 --- a/modules/F50_base_aggregator.sh +++ b/modules/F50_base_aggregator.sh @@ -49,7 +49,7 @@ F50_base_aggregator() { S109_LOG="s109_jtr_local_pw_cracking.txt" S110_LOG="s110_yara_check.txt" S120_LOG="s120_cwe_checker.txt" - #L10_LOG="l10_system_emulator.txt" + # L10_LOG="l10_system_emulator.txt" L15_LOG="l15_emulated_checks_init.txt" L20_LOG="l20_snmp_checks.txt" L25_LOG="l25_web_checks.txt" 
@@ -458,7 +458,7 @@ output_binaries() { readarray -t RESULTS_STRCPY < <( find "$LOG_DIR"/s1[34]*/ -xdev -iname "vul_func_*_strcpy-*.txt" 2> /dev/null | sed "s/.*vul_func_//" | sort -g -r | head -10 | sed "s/_strcpy-/ strcpy /" | sed "s/\.txt//" 2> /dev/null || true) readarray -t RESULTS_SYSTEM < <( find "$LOG_DIR"/s1[34]*/ -xdev -iname "vul_func_*_system-*.txt" 2> /dev/null | sed "s/.*vul_func_//" | sort -g -r | head -10 | sed "s/_system-/ system /" | sed "s/\.txt//" 2> /dev/null || true) - #strcpy: + # strcpy: if [[ "${#RESULTS_STRCPY[@]}" -gt 0 ]]; then print_ln print_output "[+] STRCPY - top 10 results:" @@ -475,7 +475,7 @@ output_binaries() { print_output "$NC" fi - #system: + # system: if [[ "${#RESULTS_SYSTEM[@]}" -gt 0 ]]; then print_ln print_output "[+] SYSTEM - top 10 results:" @@ -848,7 +848,7 @@ get_data() { MODE=$(grep -e "Booted yes;\|ICMP ok;\|TCP-0 ok;\|TCP ok" "$SYS_EMU_RESULTS" | cut -d\; -f8 | sed 's/Network mode: //g'| tr -d '[:blank:]' | cut -d\( -f1 | sort -u | tr '\n' '-' | sed 's/-$//g' || true) fi if [[ -f "$LOG_DIR"/"$L15_LOG" ]]; then - #NMAP_UP=$(grep -a "\[\*\]\ Statistics:" "$LOG_DIR"/"$L15_LOG" | cut -d: -f2 || true) + # NMAP_UP=$(grep -a "\[\*\]\ Statistics:" "$LOG_DIR"/"$L15_LOG" | cut -d: -f2 || true) SNMP_UP=$(grep -a "\[\*\]\ Statistics:" "$LOG_DIR"/"$L20_LOG" | cut -d: -f2 || true) WEB_UP=$(grep -a "\[\*\]\ Statistics:" "$LOG_DIR"/"$L25_LOG" | cut -d: -f2 || true) ROUTERSPLOIT_VULN=$(grep -a "\[\*\]\ Statistics:" "$LOG_DIR"/"$L30_LOG" | cut -d: -f2 || true) 
@@ -881,7 +881,7 @@ get_data() { KNOWN_EXPLOITED_COUNTER=$(cat "$TMP_DIR"/KNOWN_EXPLOITED_COUNTER.tmp) fi if [[ -f "$F20_EXPLOITS_LOG" ]]; then - #EXPLOIT_COUNTER="$(grep -c -E "Exploit\ .*" "$F20_EXPLOITS_LOG" || true)" + # EXPLOIT_COUNTER="$(grep -c -E "Exploit\ .*" "$F20_EXPLOITS_LOG" || true)" EXPLOIT_COUNTER="$(grep -E "Exploit\ .*" "$F20_EXPLOITS_LOG" | grep -cv "Exploit summary" || true)" MSF_MODULE_CNT="$(grep -c -E "Exploit\ .*MSF" "$F20_EXPLOITS_LOG" || true)" REMOTE_EXPLOIT_CNT="$(grep -c -E "Exploit\ .*\ \(R\)" "$F20_EXPLOITS_LOG" || true)" diff --git a/modules/L10_system_emulation.sh b/modules/L10_system_emulation.sh index 1fa582a3c..93f77db4d 100755 --- a/modules/L10_system_emulation.sh +++ b/modules/L10_system_emulation.sh @@ -371,7 +371,7 @@ main_emulation() { # we deal with something which is not a script: if file "$MNT_POINT""$INIT_FILE" | grep -q "symbolic link\|ELF"; then # e.g. netgear R6200 - #KINIT="init=/firmadyne/preInit.sh" + # KINIT="init=/firmadyne/preInit.sh" KINIT="${KINIT:2}" # write the init ELF file or sym link to the firmadyne preInit script: INIT_OUT="$MNT_POINT""/firmadyne/preInit.sh" @@ -509,7 +509,7 @@ main_emulation() { print_ln # #IPS_INT_VLAN is always at least 1 for the default configuration - #elif [[ "$F_STARTUP" -eq 0 && "$NETWORK_MODE" == "None" && "${#IPS_INT_VLAN[@]}" -lt 2 ]] || \ + # elif [[ "$F_STARTUP" -eq 0 && "$NETWORK_MODE" == "None" && "${#IPS_INT_VLAN[@]}" -lt 2 ]] || \ # [[ "$F_STARTUP" -eq 0 && "$NETWORK_MODE" == "default" && "${#IPS_INT_VLAN[@]}" -lt 2 ]]; then elif [[ "$F_STARTUP" -eq 0 && "$NETWORK_MODE" == "None" ]] || [[ "$F_STARTUP" -eq 0 && "$NETWORK_MODE" == "default" ]]; then mv "$LOG_PATH_MODULE"/qemu.initial.serial.log "$LOG_PATH_MODULE"/qemu.initial.serial_"$IMAGE_NAME"_"$INIT_FNAME"_base_init.log @@ -696,7 +696,6 @@ main_emulation() { print_output "[*] Processing init file $ORANGE$INIT_FILE$NC ($INDEX/${#INIT_FILES[@]}) finished" print_bar "" sleep 1 - #reset ((INDEX+=1)) done 
@@ -822,7 +821,7 @@ cleanup_emulator(){ rm /tmp/qemu."$IMAGE_NAME".S1 || true rm /tmp/do_not_create_run.sh || true - #losetup + # losetup losetup -D } @@ -893,7 +892,7 @@ identify_networking_emulation() { elif [[ "$ARCH_END" == "mips64v1eb" ]]; then KERNEL_="vmlinux" QEMU_BIN="qemu-system-mips64" - #CPU="-cpu MIPS64R2-generic" + # CPU="-cpu MIPS64R2-generic" MACHINE="malta" QEMU_DISK="-drive if=ide,format=raw,file=$IMAGE" QEMU_ROOTFS="/dev/sda1" @@ -901,7 +900,7 @@ identify_networking_emulation() { elif [[ "$ARCH_END" == "mips64v1el" ]]; then KERNEL_="vmlinux" QEMU_BIN="qemu-system-mips64el" - #CPU="-cpu MIPS64R2-generic" + # CPU="-cpu MIPS64R2-generic" MACHINE="malta" QEMU_DISK="-drive if=ide,format=raw,file=$IMAGE" QEMU_ROOTFS="/dev/sda1" @@ -921,8 +920,8 @@ identify_networking_emulation() { QEMU_DISK="-drive if=none,file=$IMAGE,format=raw,id=rootfs -device virtio-blk-device,drive=rootfs" QEMU_ROOTFS="/dev/vda1" QEMU_NETWORK="-device virtio-net-device,netdev=net0 -netdev user,id=net0" - #QEMU_NETWORK="-device virtio-net-device,netdev=net1 -netdev socket,listen=:2000,id=net1 -device virtio-net-device,netdev=net2 -netdev socket,listen=:2001,id=net2 -device virtio-net-device,netdev=net3 -netdev socket,listen=:2002,id=net3 -device virtio-net-device,netdev=net4 -netdev socket,listen=:2003,id=net4" - #QEMU_PARAMS="-audiodev driver=none,id=none" + # QEMU_NETWORK="-device virtio-net-device,netdev=net1 -netdev socket,listen=:2000,id=net1 -device virtio-net-device,netdev=net2 -netdev socket,listen=:2001,id=net2 -device virtio-net-device,netdev=net3 -netdev socket,listen=:2002,id=net3 -device virtio-net-device,netdev=net4 -netdev socket,listen=:2003,id=net4" + # QEMU_PARAMS="-audiodev driver=none,id=none" elif [[ "$ARCH_END" == "arm64el"* ]]; then KERNEL_="Image" QEMU_BIN="qemu-system-aarch64" 
@@ -1158,7 +1157,7 @@ get_networking_details_emulation() { # do we have vlans? if [[ -v VLAN_INFOS[@] ]]; then iterate_vlans "$ETH_INT" "${VLAN_INFOS[@]}" - #elif echo "$BRIDGE_INT" | sed "s/^.*\]:\ //" | awk '{print $2}' | cut -d: -f2 | grep -q -E "[0-9]\.[0-9]"; then + # elif echo "$BRIDGE_INT" | sed "s/^.*\]:\ //" | awk '{print $2}' | cut -d: -f2 | grep -q -E "[0-9]\.[0-9]"; then elif echo "$BRIDGE_INT" | awk '{print $2}' | cut -d: -f2 | grep -q -E "[0-9]\.[0-9]"; then # we have a vlan entry in our BRIDGE_INT entry br:br0 dev:eth1.1: # VLAN_ID="$(echo "$BRIDGE_INT" | sed "s/^.*\]:\ //" | grep -o "dev:.*" | cut -d. -f2 | tr -dc '[:print:]')" @@ -1244,10 +1243,10 @@ get_networking_details_emulation() { NETWORK_DEVICE="$(echo "$BRIDGE_INT" | sed "s/^.*\]:\ //" | grep -o "br:.*" | cut -d\ -f1 | cut -d: -f2 | tr -dc '[:print:]' || true)" IP_ADDRESS_="192.168.0.1" NETWORK_MODE="bridge" - #if echo "$BRIDGE_INT" | sed "s/^.*\]:\ //" | awk '{print $2}' | cut -d: -f2 | grep -q -E "[0-9]\.[0-9]"; then + # if echo "$BRIDGE_INT" | sed "s/^.*\]:\ //" | awk '{print $2}' | cut -d: -f2 | grep -q -E "[0-9]\.[0-9]"; then if echo "$BRIDGE_INT" | awk '{print $2}' | cut -d: -f2 | grep -q -E "[0-9]\.[0-9]"; then # we have a vlan entry: - #VLAN_ID="$(echo "$BRIDGE_INT" | sed "s/^.*\]:\ //" | grep -o "dev:.*" | cut -d. -f2 | tr -dc '[:print:]' || true)" + # VLAN_ID="$(echo "$BRIDGE_INT" | sed "s/^.*\]:\ //" | grep -o "dev:.*" | cut -d. -f2 | tr -dc '[:print:]' || true)" VLAN_ID="$(echo "$BRIDGE_INT" | grep -o "dev:.*" | cut -d. -f2 | tr -dc '[:print:]' || true)" else VLAN_ID="NONE" 
@@ -1271,9 +1270,9 @@ get_networking_details_emulation() { # fallback - default network configuration: # we always add this as the last resort - with this at least ICMP should be possible in most cases if [[ ! " ${IPS_INT_VLAN[*]} " =~ "default" ]]; then - #print_output "[*] No IP address - use default address: ${ORANGE}192.168.0.1${NC}." - #print_output "[*] No VLAN." - #print_output "[*] No Network interface - use ${ORANGE}eth0${NC} network." + # print_output "[*] No IP address - use default address: ${ORANGE}192.168.0.1${NC}." + # print_output "[*] No VLAN." + # print_output "[*] No Network interface - use ${ORANGE}eth0${NC} network." IP_ADDRESS_="192.168.0.1" NETWORK_MODE="default" if [[ "${FW_VENDOR:-}" == "AVM" ]]; then @@ -1419,7 +1418,7 @@ setup_network_emulation() { } write_network_config_to_filesystem() { - #mount filesystem again for network config: + # mount filesystem again for network config: print_output "[*] Identify Qemu Image device for $ORANGE$LOG_PATH_MODULE/$IMAGE_NAME$NC" DEVICE="$(add_partition_emulation "$LOG_PATH_MODULE/$IMAGE_NAME")" if [[ "$DEVICE" == "NA" ]]; then @@ -1442,7 +1441,7 @@ write_network_config_to_filesystem() { set_network_config "$IP_ADDRESS_" "$NETWORK_MODE" "$NETWORK_DEVICE" "$ETH_INT" - #umount filesystem: + # umount filesystem: umount_qemu_image "$DEVICE" fi } @@ -1451,7 +1450,7 @@ nvram_check() { local IMAGE_NAME="${1:-}" local MAX_THREADS_NVRAM=$((4*"$(grep -c ^processor /proc/cpuinfo || true)")) - #mount filesystem again for network config: + # mount filesystem again for network config: print_output "[*] Identify Qemu Image device for $ORANGE$LOG_PATH_MODULE/$IMAGE_NAME$NC" DEVICE="$(add_partition_emulation "$LOG_PATH_MODULE/$IMAGE_NAME")" if [[ "$DEVICE" == "NA" ]]; then 
@@ -1491,8 +1490,8 @@ nvram_check() { if [[ -f "$LOG_PATH_MODULE"/nvram/nvram_files_final ]]; then if [[ "$(wc -l "$LOG_PATH_MODULE"/nvram/nvram_files_final | awk '{print $1}')" -gt 0 ]]; then - #print_output "[*] Identified the following NVRAM files:" - #tee -a "$LOG_FILE" < "$LOG_PATH_MODULE"/nvram/nvram_files_final + # print_output "[*] Identified the following NVRAM files:" + # tee -a "$LOG_FILE" < "$LOG_PATH_MODULE"/nvram/nvram_files_final sort -u -r -h -k2 "$LOG_PATH_MODULE"/nvram/nvram_files_final | sort -u -k1,1 | sort -r -h -k2 | head -10 > "$MNT_POINT"/firmadyne/nvram_files # store a copy in the log dir @@ -1505,7 +1504,7 @@ nvram_check() { fi fi - #umount filesystem: + # umount filesystem: umount_qemu_image "$DEVICE" } @@ -1524,18 +1523,18 @@ nvram_searcher_emulation() { echo "$NVRAM_ENTRY" >> "$LOG_PATH_MODULE"/nvram/nvram_keys.tmp NVRAM_KEY=$(echo "$NVRAM_ENTRY" | tr -dc '[:print:]' | tr -s '[:blank:]') if [[ "$NVRAM_KEY" =~ [a-zA-Z0-9_] && "${#NVRAM_KEY}" -gt 3 ]]; then - #print_output "[*] NVRAM access detected: $ORANGE$NVRAM_KEY$NC" + # print_output "[*] NVRAM access detected: $ORANGE$NVRAM_KEY$NC" if grep -q "$NVRAM_KEY" "$NVRAM_FILE" 2>/dev/null; then - #print_output "[*] Possible NVRAM access via key $ORANGE$NVRAM_KEY$NC found in NVRAM file $ORANGE$NVRAM_FILE$NC." + # print_output "[*] Possible NVRAM access via key $ORANGE$NVRAM_KEY$NC found in NVRAM file $ORANGE$NVRAM_FILE$NC." COUNT=$((COUNT + 1)) fi echo "$NVRAM_KEY" >> "$LOG_PATH_MODULE"/nvram/nvram_keys.log fi done if [[ "$COUNT" -gt 0 ]]; then - #NVRAM_FILE=$(echo "$NVRAM_FILE" | sed 's/^\.//') + # NVRAM_FILE=$(echo "$NVRAM_FILE" | sed 's/^\.//') NVRAM_FILE="${NVRAM_FILE/\.}" - #print_output "[*] $NVRAM_FILE $COUNT ASCII_text" + # print_output "[*] $NVRAM_FILE $COUNT ASCII_text" echo "$NVRAM_FILE $COUNT ASCII_text" >> "$LOG_PATH_MODULE"/nvram/nvram_files_final fi fi 
@@ -1553,7 +1552,7 @@ run_emulated_system() { get_kernel_version if [[ -n "${KERNEL_V:-}" ]]; then print_output "[*] Kernel $KERNEL_V.x detected -> Using Kernel v4.x" - #KERNEL_V=".$KERNEL_V" + # KERNEL_V=".$KERNEL_V" KERNEL_V=".4" fi @@ -1647,7 +1646,7 @@ run_emulated_system() { for NET_ID in {0..3}; do QEMU_NETWORK="$QEMU_NETWORK -device e1000,netdev=net$NET_ID" if [[ "$NET_ID" == "$NET_NUM" ]];then - #if MATCH in IPS_INT -> connect this interface to host + # if MATCH in IPS_INT -> connect this interface to host print_output "[*] Connect interface: $ORANGE$NET_ID$NC to host" QEMU_NETWORK="$QEMU_NETWORK -netdev tap,id=net$NET_ID,ifname=${TAPDEV_0},script=no" else diff --git a/modules/L15_emulated_checks_nmap.sh b/modules/L15_emulated_checks_nmap.sh index 65814bfc0..b5b01c8a6 100755 --- a/modules/L15_emulated_checks_nmap.sh +++ b/modules/L15_emulated_checks_nmap.sh @@ -93,7 +93,7 @@ check_live_nmap_basic() { NMAP_CPES=$(echo "$NMAP_CPES" | grep -o "cpe:.*" || true) # rewrite the string into an array: # NMAP_CPES_ARR=( $(echo "$NMAP_CPES" | tr "," "\n") ) - #IFS=', ' read -r -a NMAP_CPES_ARR <<< "$NMAP_CPES" + # IFS=', ' read -r -a NMAP_CPES_ARR <<< "$NMAP_CPES" readarray -d ', ' -t NMAP_CPES_ARR < <(printf "%s" "$NMAP_CPES") for NMAP_CPE in "${NMAP_CPES_ARR[@]}"; do if [[ "$NMAP_CPE" == *"windows"* ]]; then @@ -123,7 +123,7 @@ check_live_nmap_basic() { if [[ -f "$CSV_DIR"/s09_firmware_base_version_check.csv ]]; then # Let's check if we have already found details about this service in our other modules (S09, S115/S116) - #mapfile -t S09_L15_CHECK < <(grep "$SERVICE_NAME" "$CSV_DIR"/s09_firmware_base_version_check.csv || true) + # mapfile -t S09_L15_CHECK < <(grep "$SERVICE_NAME" "$CSV_DIR"/s09_firmware_base_version_check.csv || true) mapfile -t S09_L15_CHECK < <(awk -v IGNORECASE=1 -F\; '$2 $3 ~ /'"$SERVICE_NAME"'/' "$CSV_DIR"/s09_firmware_base_version_check.csv || true) if [[ "${#S09_L15_CHECK[@]}" -gt 0 ]]; then for S09_L15_MATCH in "${S09_L15_CHECK[@]}"; do 
@@ -134,7 +134,7 @@ check_live_nmap_basic() { fi if [[ -f "$CSV_DIR"/s116_qemu_version_detection.csv ]]; then - #mapfile -t S116_L15_CHECK < <(grep "$SERVICE_NAME" "$CSV_DIR"/s116_qemu_version_detection.csv || true) + # mapfile -t S116_L15_CHECK < <(grep "$SERVICE_NAME" "$CSV_DIR"/s116_qemu_version_detection.csv || true) mapfile -t S116_L15_CHECK < <(awk -v IGNORECASE=1 -F\; '$2 $3 ~ /'"$SERVICE_NAME"'/' "$CSV_DIR"/s116_qemu_version_detection.csv || true) if [[ "${#S116_L15_CHECK[@]}" -gt 0 ]]; then for S116_L15_MATCH in "${S116_L15_CHECK[@]}"; do diff --git a/modules/P18_qnap_decryptor.sh b/modules/P18_qnap_decryptor.sh index 5653a2568..e7f7aa8b8 100755 --- a/modules/P18_qnap_decryptor.sh +++ b/modules/P18_qnap_decryptor.sh @@ -198,7 +198,7 @@ qnap_extractor() { # attach ubi modprobe ubi ubiattach /dev/ubi_ctrl -m0 -O2048 - #ubinfo -a + # ubinfo -a print_output "[*] Mounting ubifs file system" # mount the ubifs to host @@ -342,7 +342,7 @@ qnap_extractor() { fi USR_LOCAL=$(find "$SYSROOT/opt/source" -name "*.tgz" 2>/dev/null) - #if [[ "${#USR_LOCAL[@]}" -gt 0 ]]; then + # if [[ "${#USR_LOCAL[@]}" -gt 0 ]]; then if [[ -v USR_LOCAL[@] ]]; then print_ln for f in "${USR_LOCAL[@]}"; do diff --git a/modules/S02_UEFI_FwHunt.sh b/modules/S02_UEFI_FwHunt.sh index f50aad8df..c13051577 100755 --- a/modules/S02_UEFI_FwHunt.sh +++ b/modules/S02_UEFI_FwHunt.sh @@ -17,8 +17,6 @@ # images: # fwhunt-scan https://github.com/binarly-io/fwhunt-scan # fwhunt rules https://github.com/binarly-io/FwHunt -# Pre-checker threading mode - if set to 1, these modules will run in threaded mode -#export PRE_THREAD_ENA=1 S02_UEFI_FwHunt() { diff --git a/modules/S03_firmware_bin_base_analyzer.sh b/modules/S03_firmware_bin_base_analyzer.sh index 72066e397..89833e796 100755 --- a/modules/S03_firmware_bin_base_analyzer.sh +++ b/modules/S03_firmware_bin_base_analyzer.sh 
@@ -13,10 +13,12 @@ # # Author(s): Michael Messner, Pascal Eckmann -# Description: A rough guess of the used operating system. Currently, it tries to identify VxWorks, eCos, Adonis, Siprotec, uC/OS and Linux. -# If no Linux operating system is found, then it also tries to identify the target architecture (currently with binwalk only). +# Description: A rough guess of the used operating system. Currently, it tries to +# identify VxWorks, eCos, Adonis, Siprotec, uC/OS and Linux. +# If no Linux operating system is found, then it also tries to identify +# the target architecture (currently with binwalk only). # Pre-checker threading mode - if set to 1, these modules will run in threaded mode -#export PRE_THREAD_ENA=1 +# export PRE_THREAD_ENA=1 S03_firmware_bin_base_analyzer() { @@ -177,7 +179,7 @@ os_detection_thread_per_os() { } binary_architecture_detection() { - #sub_module_title "Architecture detection for RTOS based systems" + # sub_module_title "Architecture detection for RTOS based systems" local FILE_TO_CHECK="${1:-}" if ! [[ -f "$FILE_TO_CHECK" ]]; then diff --git a/modules/S05_firmware_details.sh b/modules/S05_firmware_details.sh index e986b254b..df07eb0c7 100755 --- a/modules/S05_firmware_details.sh +++ b/modules/S05_firmware_details.sh @@ -30,7 +30,7 @@ S05_firmware_details() # Linux: DETECTED_DIR=$(find "$FIRMWARE_PATH" "${EXCL_FIND[@]}" -xdev -type d 2>/dev/null | wc -l) else - #RTOS: + # RTOS: DETECTED_DIR=$(find "$OUTPUT_DIR" -xdev -type d 2>/dev/null | wc -l) fi diff --git a/modules/S08_package_mgmt_extractor.sh b/modules/S08_package_mgmt_extractor.sh index b844f44b7..8b05f32fe 100755 --- a/modules/S08_package_mgmt_extractor.sh +++ b/modules/S08_package_mgmt_extractor.sh @@ -27,7 +27,7 @@ S08_package_mgmt_extractor() debian_status_files_search openwrt_control_files_search # Future work: rpm, ... - #rpm_package_files_search + # rpm_package_files_search if [[ "${#DEBIAN_MGMT_STATUS[@]}" -gt 0 || "${#OPENWRT_MGMT_CONTROL[@]}" -gt 0 ]]; then NEG_LOG=1 
@@ -64,10 +64,10 @@ debian_status_files_search() {
 VERSION=${PACKAGE_VERSION/*Version:\ /}
 # What is the state in an offline firmware image? Is it installed or not?
 # Futher investigation needed!
- #if ! echo "$PACKAGE_VERSION" | grep -q "installed"; then
+ # if ! echo "$PACKAGE_VERSION" | grep -q "installed"; then
 # # a not installed package - skip it
 # continue
- #fi
+ # fi
 clean_package_versions "$VERSION"
 print_output "[*] Debian package details: $ORANGE$PACKAGE_FILE$NC - $ORANGE$PACKAGE$NC - $ORANGE$VERSION$NC"
 write_csv_log "$PACKAGING_SYSTEM" "$PACKAGE_FILE" "$PACKAGE" "$VERSION" "$STRIPPED_VERSION"
diff --git a/modules/S09_firmware_base_version_check.sh b/modules/S09_firmware_base_version_check.sh
index 044e4813e..1b9ab1a6f 100755
--- a/modules/S09_firmware_base_version_check.sh
+++ b/modules/S09_firmware_base_version_check.sh
@@ -212,12 +212,12 @@ recover_wait_pids() {
 local PID=""
 # check for really running PIDs and re-create the array
 for PID in "${WAIT_PIDS_S09[@]}"; do
- #print_output "[*] max pid protection: ${#WAIT_PIDS[@]}"
+ # print_output "[*] max pid protection: ${#WAIT_PIDS[@]}"
 if [[ -e /proc/"$PID" ]]; then
 TEMP_PIDS+=( "$PID" )
 fi
 done
- #print_output "[!] S09 - really running pids: ${#TEMP_PIDS[@]}"
+ # print_output "[!] S09 - really running pids: ${#TEMP_PIDS[@]}"
 # recreate the array with the current running PIDS
 WAIT_PIDS_S09=()
diff --git a/modules/S115_usermode_emulator.sh b/modules/S115_usermode_emulator.sh
index cb0dbb705..64ce4e834 100755
--- a/modules/S115_usermode_emulator.sh
+++ b/modules/S115_usermode_emulator.sh
@@ -401,10 +401,10 @@ run_init_qemu() {
 local LOG_FILE_INIT="${3:-}"
 # Enable the following echo output for debugging
- #echo "BIN: $BIN_" | tee -a "$LOG_FILE_INIT"
- #echo "EMULATOR: $EMULATOR" | tee -a "$LOG_FILE_INIT"
- #echo "R_PATH: $R_PATH" | tee -a "$LOG_FILE_INIT"
- #echo "CPU_CONFIG: $CPU_CONFIG_" | tee -a "$LOG_FILE_INIT"
+ # echo "BIN: $BIN_" | tee -a "$LOG_FILE_INIT"
+ # echo "EMULATOR: $EMULATOR" | tee -a "$LOG_FILE_INIT"
+ # echo "R_PATH: $R_PATH" | tee -a "$LOG_FILE_INIT"
+ # echo "CPU_CONFIG: $CPU_CONFIG_" | tee -a "$LOG_FILE_INIT"
 if [[ "$STRICT_MODE" -eq 1 ]]; then
 set +e
@@ -524,7 +524,7 @@ emulate_strace_run() {
 if [[ ! -d "$R_PATH""$PATH_MISSING" ]]; then
 write_log "[*] Creating directory $ORANGE$R_PATH$PATH_MISSING$NC" "$LOG_FILE_STRACER"
 mkdir -p "$R_PATH""$PATH_MISSING" 2> /dev/null || true
- #continue
+ # continue
 fi
 if [[ -n "$FILENAME_FOUND" ]]; then
 write_log "[*] Copy file $ORANGE$FILENAME_FOUND$NC to $ORANGE$R_PATH$PATH_MISSING/$NC" "$LOG_FILE_STRACER"
@@ -581,7 +581,7 @@ emulate_binary() {
 write_log "[*] Emulator used: $ORANGE$EMULATOR$NC" "$LOG_FILE_BIN"
 write_log "[*] Using root directory: $ORANGE$R_PATH$NC ($ORANGE$ROOT_CNT/${#ROOT_PATH[@]}$NC)" "$LOG_FILE_BIN"
 write_log "[*] Using CPU config: $ORANGE$CPU_CONFIG_$NC" "$LOG_FILE_BIN"
- #write_log "[*] Root path used: $ORANGE$R_PATH$NC" "$LOG_FILE_BIN"
+ # write_log "[*] Root path used: $ORANGE$R_PATH$NC" "$LOG_FILE_BIN"
 write_log "[*] Emulating binary: $ORANGE${BIN_/\.}$NC" "$LOG_FILE_BIN"
 write_log "" "$LOG_FILE_BIN"
@@ -647,7 +647,7 @@ check_disk_space_emu() {
 print_output "[!] Qemu processes are wasting disk space ... we try to kill it" "no_log"
 print_output "[*] Killing process ${ORANGE}$EMULATOR.*$KILLER.*${NC}" "no_log"
 pkill -f "$EMULATOR.*$KILLER.*" || true
- #rm "$LOG_DIR"/qemu_emulator/*"$KILLER"*
+ # rm "$LOG_DIR"/qemu_emulator/*"$KILLER"*
 fi
 done
 }
@@ -719,7 +719,7 @@ s115_cleanup() {
 local LOG_FILES=()
 local BIN=""
- #rm "$LOG_PATH_MODULE""/stracer_*.txt" 2>/dev/null || true
+ # rm "$LOG_PATH_MODULE""/stracer_*.txt" 2>/dev/null || true
 # if no emulation at all was possible the $EMULATOR variable is not defined
 if [[ -n "$EMULATOR" ]]; then
@@ -758,9 +758,9 @@ s115_cleanup() {
 LINES_OF_LOG=$(grep -a -v -e "^[[:space:]]*$" "$LOG_FILE_" | sed -r "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2})?)?[mGK]//g" | \
 grep -a -v "\[\*\] " | grep -a -v "Illegal instruction\|core dumped\|Invalid ELF image for this architecture" | \
 grep -a -c -v "\-\-\-\-\-\-\-\-\-\-\-" || true)
- #print_output "[*] LOG_FILE: $LOG_FILE_ - Lines: $LINES_OF_LOG" "no_log"
+ # print_output "[*] LOG_FILE: $LOG_FILE_ - Lines: $LINES_OF_LOG" "no_log"
 if ! [[ -s "$LOG_FILE_" ]] || [[ "$LINES_OF_LOG" -eq 0 ]]; then
- #print_output "[*] Removing empty log file: $LOG_FILE_" "no_log"
+ # print_output "[*] Removing empty log file: $LOG_FILE_" "no_log"
 rm "$LOG_FILE_" 2> /dev/null || true
 continue
 fi
diff --git a/modules/S116_qemu_version_detection.sh b/modules/S116_qemu_version_detection.sh
index 130ff110c..25ab3739d 100755
--- a/modules/S116_qemu_version_detection.sh
+++ b/modules/S116_qemu_version_detection.sh
@@ -93,7 +93,7 @@ version_detection_thread() {
 readarray -t VERSIONS_DETECTED < <(grep -a -o -H -E "$VERSION_IDENTIFIER" "$LOG_PATH_MODULE_S115"/qemu_tmp*.txt | sort -u 2>/dev/null || true)
 # VERSIONS_DETECTED:
 # path_to_logfile:Version Identifier
- #└─$ grep -a -o -H -E "Version: 1.8" /home/m1k3/firmware/emba_logs_manual/test_dir300/s115_usermode_emulator/qemu_tmp_radvd.txt 130 ⨯
+ # └─$ grep -a -o -H -E "Version: 1.8" /home/m1k3/firmware/emba_logs_manual/test_dir300/s115_usermode_emulator/qemu_tmp_radvd.txt 130 ⨯
 # /home/m1k3/firmware/emba_logs_manual/test_dir300/s115_usermode_emulator/qemu_tmp_radvd.txt:Version: 1.8
 # /home/m1k3/firmware/emba_logs_manual/test_dir300/s115_usermode_emulator/qemu_tmp_radvd.txt:Version: 1.8
 for VERSION_DETECTED in "${VERSIONS_DETECTED[@]}"; do
diff --git a/modules/S13_weak_func_check.sh b/modules/S13_weak_func_check.sh
index 92e5296f0..f6956d769 100755
--- a/modules/S13_weak_func_check.sh
+++ b/modules/S13_weak_func_check.sh
@@ -303,7 +303,7 @@ function_check_ARM64() {
 elif [[ "$FUNCTION" == "mmap" ]] ; then
 # Test source: https://www.golem.de/news/mmap-codeanalyse-mit-sechs-zeilen-bash-2006-148878-2.html
 # Test not implemented on ARM64
- #COUNT_MMAP_OK=$(grep -c "cm.*r.*,\ \#[01]" "$FUNC_LOG" 2> /dev/null)
+ # COUNT_MMAP_OK=$(grep -c "cm.*r.*,\ \#[01]" "$FUNC_LOG" 2> /dev/null)
 COUNT_MMAP_OK="NA"
 fi
 log_func_footer "$NAME" "$FUNCTION"
@@ -540,7 +540,7 @@ output_function_details()
 local LOG_FILE_LOC
 LOG_FILE_LOC="$LOG_PATH_MODULE"/vul_func_"$FUNCTION"-"$NAME".txt
- #check if this is common linux file:
+ # check if this is common linux file:
 local COMMON_FILES_FOUND
 local SEARCH_TERM
 if [[ -f "$BASE_LINUX_FILES" ]]; then
diff --git a/modules/S14_weak_func_radare_check.sh b/modules/S14_weak_func_radare_check.sh
index f282db50c..73c04bd80 100755
--- a/modules/S14_weak_func_radare_check.sh
+++ b/modules/S14_weak_func_radare_check.sh
@@ -207,7 +207,7 @@ radare_function_check_MIPS() {
 # Test source: https://www.golem.de/news/mmap-codeanalyse-mit-sechs-zeilen-bash-2006-148878-2.html
 # Check this. This test is very rough:
 # TODO: check this in radare2
- #COUNT_MMAP_OK=$(grep -c ",-1$" "$FUNC_LOG" 2> /dev/null)
+ # COUNT_MMAP_OK=$(grep -c ",-1$" "$FUNC_LOG" 2> /dev/null)
 COUNT_MMAP_OK="NA"
 fi
 radare_log_func_footer "$NAME" "$FUNCTION"
@@ -247,7 +247,7 @@ radare_function_check_ARM64() {
 # Test source: https://www.golem.de/news/mmap-codeanalyse-mit-sechs-zeilen-bash-2006-148878-2.html
 # Test not implemented on ARM64
 # TODO: check this in radare2
- #COUNT_MMAP_OK=$(grep -c "cm.*r.*,\ \#[01]" "$FUNC_LOG" 2> /dev/null)
+ # COUNT_MMAP_OK=$(grep -c "cm.*r.*,\ \#[01]" "$FUNC_LOG" 2> /dev/null)
 COUNT_MMAP_OK="NA"
 fi
 radare_log_func_footer "$NAME" "$FUNCTION"
@@ -488,7 +488,7 @@ radare_output_function_details()
 local LOG_FILE_LOC
 LOG_FILE_LOC="$LOG_PATH_MODULE"/vul_func_"$FUNCTION"-"$NAME".txt
- #check if this is common linux file:
+ # check if this is common linux file:
 local COMMON_FILES_FOUND
 local SEARCH_TERM
 if [[ -f "$BASE_LINUX_FILES" ]]; then
diff --git a/modules/S15_bootloader_check.sh b/modules/S15_bootloader_check.sh
index 99d75dec8..0c867abb9 100755
--- a/modules/S15_bootloader_check.sh
+++ b/modules/S15_bootloader_check.sh
@@ -169,11 +169,11 @@ check_bootloader()
 # FreeBSD or DragonFly
 CHECK=0
 local BOOT1 BOOT2 BOOTL
- #mapfile -t BOOT1 < <(mod_path "/boot/boot1")
+ # mapfile -t BOOT1 < <(mod_path "/boot/boot1")
 mapfile -t BOOT1 < <(find "$FIRMWARE_PATH" -xdev -type f -iwholename "/boot/boot1" || true)
- #mapfile -t BOOT2 < <(mod_path "/boot/boot2")
+ # mapfile -t BOOT2 < <(mod_path "/boot/boot2")
 mapfile -t BOOT2 < <(find "$FIRMWARE_PATH" -xdev -type f -iwholename "/boot/boot2" || true)
- #mapfile -t BOOTL < <(mod_path "/boot/loader")
+ # mapfile -t BOOTL < <(mod_path "/boot/loader")
 mapfile -t BOOTL < <(find "$FIRMWARE_PATH" -xdev -type f -iwholename "/boot/loader" || true)
 for B1 in "${BOOT1[@]}" ; do
@@ -252,9 +252,9 @@ check_bootloader()
 local OBSD_PATH1 OBSD_PATH2
 local OBSD_FILE1=""
 local OBSD_FILE2=""
- #mapfile -t OBSD_PATH1 < <(mod_path "/usr/mdec/biosboot")
+ # mapfile -t OBSD_PATH1 < <(mod_path "/usr/mdec/biosboot")
 mapfile -t OBSD_PATH1 < <(find "$FIRMWARE_PATH" -xdev -type f -iwholename "/usr/mdec/biosboot")
- #mapfile -t OBSD_PATH2 < <(mod_path "/boot")
+ # mapfile -t OBSD_PATH2 < <(mod_path "/boot")
 mapfile -t OBSD_PATH2 < <(find "$FIRMWARE_PATH" -xdev -type f -iwholename "/boot")
 for OBSD_FILE1 in "${OBSD_PATH1[@]}" ; do
 for OBSD_FILE2 in "${OBSD_PATH2[@]}" ; do
diff --git a/modules/S20_shell_check.sh b/modules/S20_shell_check.sh
index 22b7f583b..9744816f1 100755
--- a/modules/S20_shell_check.sh
+++ b/modules/S20_shell_check.sh
@@ -143,7 +143,7 @@ s20_reporter() {
 local SHELL_LOG="${3:0}"
 if [[ "$VULNS" -ne 0 ]] ; then
- #check if this is common linux file:
+ # check if this is common linux file:
 local COMMON_FILES_FOUND
 if [[ -f "$BASE_LINUX_FILES" ]]; then
 COMMON_FILES_FOUND="(""${RED}""common linux file: no""${GREEN}"")"
diff --git a/modules/S21_python_check.sh b/modules/S21_python_check.sh
index 701ecfeb7..9142f98c5 100755
--- a/modules/S21_python_check.sh
+++ b/modules/S21_python_check.sh
@@ -86,7 +86,7 @@ s21_script_bandit() {
 VULNS=$(grep -c ">> Issue: " "$PY_LOG" 2> /dev/null || true)
 if [[ "$VULNS" -ne 0 ]] ; then
- #check if this is common linux file:
+ # check if this is common linux file:
 local COMMON_FILES_FOUND
 local CFF
 if [[ -f "$BASE_LINUX_FILES" ]]; then
diff --git a/modules/S22_php_check.sh b/modules/S22_php_check.sh
index 965e3357c..92164ac72 100755
--- a/modules/S22_php_check.sh
+++ b/modules/S22_php_check.sh
@@ -123,7 +123,7 @@ s22_vuln_check() {
 VULNS=$(grep -c "vuln_name" "$PHP_LOG" 2> /dev/null || true)
 if [[ "$VULNS" -gt 0 ]] ; then
- #check if this is common linux file:
+ # check if this is common linux file:
 local COMMON_FILES_FOUND
 local CFF
 if [[ -f "$BASE_LINUX_FILES" ]]; then
@@ -164,7 +164,7 @@ s22_check_php_ini(){
 disable_strict_mode "$STRICT_MODE"
 for PHP_FILE in "${PHP_INI_FILE[@]}" ; do
- #print_output "[*] iniscan check of ""$(print_path "$PHP_FILE")"
+ # print_output "[*] iniscan check of ""$(print_path "$PHP_FILE")"
 mapfile -t INISCAN_RESULT < <( "$PHP_INISCAN_PATH" scan --path="$PHP_FILE" || true)
 for LINE in "${INISCAN_RESULT[@]}" ; do
 local LIMIT_CHECK
diff --git a/modules/S45_pass_file_check.sh b/modules/S45_pass_file_check.sh
index 9a074490c..fccc38a2a 100755
--- a/modules/S45_pass_file_check.sh
+++ b/modules/S45_pass_file_check.sh
@@ -54,11 +54,11 @@ S45_pass_file_check()
 if [[ -f "$LINE" ]] && ! [[ -x "$LINE" ]] ; then
 local POSSIBLE_PASSWD
 # regex source: https://serverfault.com/questions/972572/regex-for-etc-passwd-content
- #POSSIBLE_PASSWD=$(grep -hIE '^([^:]*:){6}[^:]*$' "$LINE" | grep -v ":x:" | grep -v ":\*:" | grep -v ":!:" 2> /dev/null)
+ # POSSIBLE_PASSWD=$(grep -hIE '^([^:]*:){6}[^:]*$' "$LINE" | grep -v ":x:" | grep -v ":\*:" | grep -v ":!:" 2> /dev/null)
 POSSIBLE_PASSWD=$(grep -hIE '^[a-zA-Z0-9]+:.:[0-9]+:[0-9]+([^:]*:){3}[^:]*$' "$LINE" | grep -v ":x:" | grep -v ":\*:" | grep -v ":!:" 2> /dev/null || true)
 local POSSIBLE_SHADOWS
- #POSSIBLE_SHADOWS=$(grep -hIE '^([^:]*:){8}[^:]*$' "$LINE" | grep -v ":x:" | grep -v ":\*:" | grep -v ":!:" 2> /dev/null)
+ # POSSIBLE_SHADOWS=$(grep -hIE '^([^:]*:){8}[^:]*$' "$LINE" | grep -v ":x:" | grep -v ":\*:" | grep -v ":!:" 2> /dev/null)
 POSSIBLE_SHADOWS=$(grep -hIE '^[a-zA-Z0-9]+:\$[0-9a-z]\$.*:[0-9]+:[0-9]+:[0-9]+([^:]*:){4}[^:]*' "$LINE" | grep -v ":x:" | grep -v ":\*:" | grep -v ":!:" 2> /dev/null || true)
 local ROOT_ACCOUNTS
diff --git a/modules/S65_config_file_check.sh b/modules/S65_config_file_check.sh
index 3ecf5ec99..ac228972d 100755
--- a/modules/S65_config_file_check.sh
+++ b/modules/S65_config_file_check.sh
@@ -60,7 +60,7 @@ check_fstab()
 sub_module_title "Scan fstab"
 local LINE=""
- #IFS=" " read -r -a FSTAB_ARR < <(printf '%s' "$(mod_path "/ETC_PATHS/fstab")")
+ # IFS=" " read -r -a FSTAB_ARR < <(printf '%s' "$(mod_path "/ETC_PATHS/fstab")")
 mapfile -t FSTAB_ARR < <(mod_path "/ETC_PATHS/fstab")
 if [[ ${#FSTAB_ARR[@]} -gt 0 ]] ; then
diff --git a/modules/S80_cronjob_check.sh b/modules/S80_cronjob_check.sh
index bff4532f1..c6e7f6020 100755
--- a/modules/S80_cronjob_check.sh
+++ b/modules/S80_cronjob_check.sh
@@ -31,7 +31,7 @@ S80_cronjob_check()
 if [[ -e "$CJ_FILE" ]] ; then
 local CRONJOBS
 # This check is based on source code from LinEnum: https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
- #CRONJOBS=$(ls -la "$CJ_FILE"* 2>/dev/null)
+ # CRONJOBS=$(ls -la "$CJ_FILE"* 2>/dev/null)
 CRONJOBS=$(find "$CJ_FILE"* -xdev -type f 2>/dev/null)
 if [[ "$CRONJOBS" ]] ; then
 print_output "[+] Cronjobs:"
@@ -68,7 +68,7 @@ S80_cronjob_check()
 fi
 done
- #mapfile -t CJ_FILE_PATH < <(mod_path "/var/spool/cron/crontabs")
+ # mapfile -t CJ_FILE_PATH < <(mod_path "/var/spool/cron/crontabs")
 mapfile -t CJ_FILE_PATH < <(find "$FIRMWARE_PATH" -xdev -type d -iwholename "/var/spool/cron/crontabs")
 for CT_VAR in "${CJ_FILE_PATH[@]}"; do
 local CRONTABVAR
@@ -96,7 +96,7 @@ S80_cronjob_check()
 fi
 done
- #mapfile -t CJ_FILE_PATH < <(mod_path "/var/spool/anacron")
+ # mapfile -t CJ_FILE_PATH < <(mod_path "/var/spool/anacron")
 mapfile -t CJ_FILE_PATH < <(find "$FIRMWARE_PATH" -xdev -type d -iwholename "/var/spool/anacron")
 for CT_VAR in "${CJ_FILE_PATH[@]}"; do
 local ANACRONTAB
diff --git a/modules/S85_ssh_check.sh b/modules/S85_ssh_check.sh
index cf9907b1e..c20bc662b 100755
--- a/modules/S85_ssh_check.sh
+++ b/modules/S85_ssh_check.sh
@@ -70,7 +70,7 @@ search_ssh_files()
 elif ! [[ "$S_ISSUE" == *RESULTS* || "$S_ISSUE" == *done* ]]; then
 print_output "[*] $S_ISSUE"
 # with indent the output looks weird:
- #print_output "$(indent "$(orange "$S_ISSUE")")"
+ # print_output "$(indent "$(orange "$S_ISSUE")")"
 fi
 PRINTER=1
 fi
diff --git a/modules/S99_grepit.sh b/modules/S99_grepit.sh
index 925d9292a..686f9e9a7 100755
--- a/modules/S99_grepit.sh
+++ b/modules/S99_grepit.sh
@@ -446,7 +446,7 @@ grepit_module_java() {
 'setMaxInactiveInterval\(' \
 "4_java_servlet_setMaxInactiveInterval.txt"
- #Take care with the following regex, @ has a special meaning in double quoted strings, but not in single quoted strings
+ # Take care with the following regex, @ has a special meaning in double quoted strings, but not in single quoted strings
 grepit_search "Find out which Java Beans get persisted with javax.persistence" \
 '@Entity' \
 'FALSE_POSITIVES_EXAMPLE_PLACEHOLDER' \
@@ -454,14 +454,14 @@ grepit_module_java() {
 "7_java_persistent_beans.txt" \
 "-l" #Special case, we only want to know matching files to know which beans get persisted, therefore -l to output matching files
- #Take care with the following regex, @ has a special meaning in double quoted strings, but not in single quoted strings
+ # Take care with the following regex, @ has a special meaning in double quoted strings, but not in single quoted strings
 grepit_search "The source code shows the database table/column names... e.g. if you find a sql injection later on, this will help for the exploitation" \
 '@Column(' \
 'FALSE_POSITIVES_EXAMPLE_PLACEHOLDER' \
 '@Column\(' \
 "6_java_persistent_columns_in_database.txt"
- #Take care with the following regex, @ has a special meaning in double quoted strings, but not in single quoted strings
+ # Take care with the following regex, @ has a special meaning in double quoted strings, but not in single quoted strings
 grepit_search "The source code shows the database table/column names... e.g. if you find a sql injection later on, this will help for the exploitation" \
 '@Table(' \
 'FALSE_POSITIVES_EXAMPLE_PLACEHOLDER' \
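Review bot: The trailing comment on the `"-l"` context line at the top of the second hunk (`"-l" #Special case, we only want to know matching files …`) is left without a space after `#`, while the identical trailing comments in the later hunk at 473 of the same file are rewritten to `# Special case`; this hunk only touches the full-line `#Take care …` comments. For consistency with the rest of the commit change that line to `"-l" # Special case, we only want to know matching files to know which beans get persisted, therefore -l to output matching files`. Since it is a trailing rather than line-leading comment it presumably is not reported by a start-of-line check, so it is worth fixing by hand. grepit_module_java begins and ends outside both hunks.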
@@ -473,28 +473,28 @@ grepit_module_java() {
 'FALSE_POSITIVES_EXAMPLE_PLACEHOLDER' \
 'java\.net\.' \
 "8_java_io_java_net.txt" \
- "-l" #Special case, we only want to know matching files to know which beans get persisted, therefore -l to output matching files
+ "-l" # Special case, we only want to know matching files to know which beans get persisted, therefore -l to output matching files
 grepit_search "Find out which Java classes do any kind of io" \
 'java.io.' \
 'FALSE_POSITIVES_EXAMPLE_PLACEHOLDER' \
 'java\.io\.' \
 "8_java_io_java_io.txt" \
- "-l" #Special case, we only want to know matching files to know which beans get persisted, therefore -l to output matching files
+ "-l" # Special case, we only want to know matching files to know which beans get persisted, therefore -l to output matching files
 grepit_search "Find out which Java classes do any kind of io" \
 'javax.servlet' \
 'FALSE_POSITIVES_EXAMPLE_PLACEHOLDER' \
 'javax\.servlet' \
 "8_java_io_javax_servlet.txt" \
- "-l" #Special case, we only want to know matching files to know which beans get persisted, therefore -l to output matching files
+ "-l" # Special case, we only want to know matching files to know which beans get persisted, therefore -l to output matching files
 grepit_search "Find out which Java classes do any kind of io" \
 'org.apache.http' \
 'FALSE_POSITIVES_EXAMPLE_PLACEHOLDER' \
 'org\.apache\.http' \
 "8_java_io_apache_http.txt" \
- "-l" #Special case, we only want to know matching files to know which beans get persisted, therefore -l to output matching files
+ "-l" # Special case, we only want to know matching files to know which beans get persisted, therefore -l to output matching files
 grepit_search "Especially for high security applications. From http://docs.oracle.com/javase/1.5.0/docs/guide/security/jce/JCERefGuide.html#PBEEx : \"It would seem logical to collect and store the password in an object of type java.lang.String.
However, here's the caveat: Objects of type String are immutable, i.e., there are no methods defined that allow you to change (overwrite) or zero out the contents of a String after usage. This feature makes String objects unsuitable for storing security sensitive information such as user passwords. You should always collect and store security sensitive information in a char array instead.\" " \
 'String password' \
@@ -1542,7 +1542,7 @@ grepit_module_php() {
 "-i"
 }
-#The HTML/JavaScript specific stuff
+# The HTML/JavaScript specific stuff
 grepit_module_html() {
 print_output "[*] Starting Grepit HTML module" "no_log"
@@ -1829,12 +1829,12 @@ grepit_module_js() {
 grepit_module_modsecurity() {
 print_output "[*] Starting Grepit Modsecurity module" "no_log"
- #grepit_search "Block is not recommended to use because it is depending on default action, use deny (or allow)" \
- #'block' \
- #'FALSE_POSITIVES_EXAMPLE_PLACEHOLDER' \
- #'block' \
- #"6_modsecurity_block.txt" \
- #"-i"
+ # grepit_search "Block is not recommended to use because it is depending on default action, use deny (or allow)" \
+ # 'block' \
+ # 'FALSE_POSITIVES_EXAMPLE_PLACEHOLDER' \
+ # 'block' \
+ # "6_modsecurity_block.txt" \
+ # "-i"
 grepit_search "Rather complex modsecurity constructs that are worth having a look." \
 'ctl:auditEngine' \
@@ -1878,7 +1878,7 @@ grepit_module_modsecurity() {
 "5_modsecurity_SecContentInjection.txt" \
 "-i"
- #Take care with the following regex, @ has a special meaning in double quoted strings, but not in single quoted strings
+ # Take care with the following regex, @ has a special meaning in double quoted strings, but not in single quoted strings
 grepit_search "Modsecurity inspecting uploaded files." \
 '@inspectFile' \
 'FALSE_POSITIVES_EXAMPLE_PLACEHOLDER' \
@@ -1949,7 +1949,7 @@ grepit_module_mobile_device() {
 grepit_module_android() {
 print_output "[*] Starting Grepit Android module" "no_log"
- #For interesting inputs see:
+ # For interesting inputs see:
 # http://developer.android.com/training/articles/security-tips.html
 # http://source.android.com/devices/tech/security/
@@ -2297,14 +2297,14 @@ grepit_module_android() {
 grepit_module_ios() {
 print_output "[*] Starting Grepit Apple iOS module" "no_log"
- #Rule triggers for Objective-C and SWIFT
+ # Rule triggers for Objective-C and SWIFT
 grepit_search "iOS fileURLWithPath opens a file, eg. for writing. Make sure attributes such as NSURLIsExcludedFromBackupKey described on https://developer.apple.com/library/content/qa/qa1719/_index.html are correctly set." \
 'fileURLWithPath' \
 'FALSE_POSITIVES_EXAMPLE_PLACEHOLDER' \
 'fileURLWithPath' \
 "5_ios_file_access_fileURLWithPath.txt"
- #Rule triggers for Objective-C and SWIFT
+ # Rule triggers for Objective-C and SWIFT
 grepit_search "iOS NSURL opens a URL for example a local file, eg. for writing. Make sure attributes such as NSURLIsExcludedFromBackupKey described on https://developer.apple.com/library/content/qa/qa1719/_index.html are correctly set." \
 'NSURL' \
 'FALSE_POSITIVES_EXAMPLE_PLACEHOLDER' \
@@ -2768,7 +2768,7 @@ grepit_module_ios() {
 'sourceApplication:' \
 "4_ios_sourceApplication.txt"
- #Below here Info.plist stuff
+ # Below here Info.plist stuff
 grepit_search "NSAllowsArbitraryLoads set to 1 allows iOS applications to load resources over insecure non-TLS protocols and is specified in the Info.plist file. It doesn't mean the application is really doing it, however, it is recommended to disable non-TLS connections." \
 'NSAllowsArbitraryLoads' \
 'FALSE_POSITIVES_EXAMPLE_PLACEHOLDER' \
@@ -2947,10 +2947,10 @@ grepit_module_ios() {
 grepit_module_python() {
 print_output "[*] Starting Grepit Python module" "no_log"
- #Python language specific stuff
- #- whitespaces are allowed between function names and brackets: abs (-1.3)
- #- Function names are case sensitive
- #- Due to the many flexible way of calling a function, the regexes will only catch "the most natural" case
+ # Python language specific stuff
+ # - whitespaces are allowed between function names and brackets: abs (-1.3)
+ # - Function names are case sensitive
+ # - Due to the many flexible way of calling a function, the regexes will only catch "the most natural" case
 grepit_search "Input function in Python 2.X is dangerous (but not in python 3.X), as it read from stdin and then evals the input, see https://access.redhat.com/blogs/766093/posts/2592591" \
 'input()' \
@@ -2976,11 +2976,11 @@ grepit_module_python() {
 "\s{1,$WILDCARD_SHORT}is\s{1,$WILDCARD_SHORT}\d" \
 "5_python_is_object_identity_operator_right.txt"
- #grepit_search "The 'is' object identity operator should not be used for numbers, see https://access.redhat.com/blogs/766093/posts/2592591" \
- #'object.an_integer is other_object.other_integer' \
- #'FALSE_POSITIVES_EXAMPLE_PLACEHOLDER' \
- #"\sis\s" \
- #"5_python_is_object_identity_operator_general.txt"
+ # grepit_search "The 'is' object identity operator should not be used for numbers, see https://access.redhat.com/blogs/766093/posts/2592591" \
+ # 'object.an_integer is other_object.other_integer' \
+ # 'FALSE_POSITIVES_EXAMPLE_PLACEHOLDER' \
+ # "\sis\s" \
+ # "5_python_is_object_identity_operator_general.txt"
 grepit_search "The float type can not be reliably compared for equality, see https://access.redhat.com/blogs/766093/posts/2592591" \
 '2.2 * 3.0 == 3.3 * 2.2' \
@@ -3094,8 +3094,8 @@ grepit_module_python() {
 grepit_module_ruby() {
 print_output "[*] Starting Grepit Ruby module" "no_log"
- #ruby is case sensitive in general
- #If you have a ruby application, the static analyzer https://github.com/presidentbeef/brakeman seems pretty promising
+ # ruby is case sensitive in general
+ # If you have a ruby application, the static analyzer https://github.com/presidentbeef/brakeman seems pretty promising
 grepit_search "Basic authentication in ruby with http_basic_authenticate_with" \
 'http_basic_authenticate_with' \
@@ -3444,7 +3444,7 @@ grepit_module_crypto_creds() {
 "4_cryptocred_ciphers_kerberos.txt" \
 "-i"
- #take care with the next regex, ! has a special meaning in double quoted strings but not in single quoted
+ # take care with the next regex, ! has a special meaning in double quoted strings but not in single quoted
 grepit_search "Hash" \
 'hash_value' \
 'FALSE_POSITIVES_EXAMPLE_PLACEHOLDER' \
@@ -4217,8 +4217,8 @@ grepit_module_api_keys() {
 grepit_module_asm_native() {
 print_output "[*] Starting Grepit Assembly native module" "no_log"
- #Whatever you can usually find in a disassembly
- #This is a very experimental section...
+ # Whatever you can usually find in a disassembly
+ # This is a very experimental section...
 grepit_search "Checking if sleep is hooked via Windows API by checking CPU clock delta to detect sandboxes (sandboxes such as Windows Defender hook sleep calls) via GetTickCount" \
 'call cs:GetTickCount' \
@@ -4526,7 +4526,7 @@ grepit_module_general() {
 "5_general_kernel.txt" \
 "-i"
- #Take care with the following regex, @ has a special meaning in double quoted strings, but not in single quoted strings
+ # Take care with the following regex, @ has a special meaning in double quoted strings, but not in single quoted strings
 grepit_search "Email addresses" \
 'example-email_address-@example-domain.com' \
 'FALSE_POSITIVES_EXAMPLE_PLACEHOLDER' \
@@ -4609,7 +4609,7 @@ grepit_module_general() {
 "5_general_fake.txt" \
 "-i"
- #Take care with the following regex, @ has a special meaning in double quoted strings, but not in single quoted strings
+ # Take care with the following regex, @ has a special meaning in double quoted strings, but not in single quoted strings
 grepit_search "URIs with authentication information specified as ://username:password@example.org" \
 'http://username:password@example.com' \
 'FALSE_POSITIVES_EXAMPLE_PLACEHOLDER' \
@@ -4617,7 +4617,7 @@ grepit_module_general() {
 "1_general_uris_auth_info_narrow.txt" \
 "-i"
- #Take care with the following regex, @ has a special meaning in double quoted strings, but not in single quoted strings
+ # Take care with the following regex, @ has a special meaning in double quoted strings, but not in single quoted strings
 grepit_search "URIs with authentication information specified as username:password@example.org" \
 'username:password@example.com' \
 'android:duration="@integer/animator_heartbeat_scaling_duration" or addObject:NSLocalizedString(@' \
@@ -4828,13 +4828,13 @@ grepit_module_general() {
 "2_general_obfuscation.txt" \
 "-i"
- #take care with the following regex, backticks have to be escaped
- #grepit_search "Everything between backticks, because in Perl and Shell scirpting (eg. cgi-scripts) these are system execs." \
- #'`basename file-var`' \
- #'FALSE_POSITIVES_EXAMPLE_PLACEHOLDER' \
- #"\`.{2,$WILDCARD_LONG}\`" \
- #"5_general_backticks.txt"\
- #"-i"
+ # take care with the following regex, backticks have to be escaped
+ # grepit_search "Everything between backticks, because in Perl and Shell scirpting (eg. cgi-scripts) these are system execs." \
+ # '`basename file-var`' \
+ # 'FALSE_POSITIVES_EXAMPLE_PLACEHOLDER' \
+ # "\`.{2,$WILDCARD_LONG}\`" \
+ # "5_general_backticks.txt"\
+ # "-i"
 grepit_search "Piping into the mail command is very dangerous, as it interpretes ~! as a command that should be executed, see https://research.securitum.com/fail2ban-remote-code-execution/" \
 'echo "test $userinput" | mail -s "subject" user@example.org' \
@@ -4927,26 +4927,26 @@ grepit_module_general() {
 "4_general_sql_sqlcipher.txt" \
 "-i"
- #TODO: These regexes can take waaaay too long sometimes, improve performance
- #As the following regex had way too many false positives (thousands of english words match), we require the base64 to include
- #at least one equal sign at the end. The old regex was:
- #'(?:[A-Za-z0-9_-]{4})+(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=)'
+ # TODO: These regexes can take waaaay too long sometimes, improve performance
+ # As the following regex had way too many false positives (thousands of english words match), we require the base64 to include
+ # at least one equal sign at the end. The old regex was:
+ # '(?:[A-Za-z0-9_-]{4})+(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=)'
 grepit_search "Base64 encoded data (that is more than 6 bytes long). This regex won't detect a base64 encoded value over several lines and won't detect one that does not end with an equal sign..." \
 'YWJj YScqKyo6LV/Dpw==' \
 '/target/ //JQLite - the following ones shouldnt be an issue anymore as we require more than 6 bytes: done echo else gen/ ////' \
 '(?:[A-Za-z0-9+/]{4}){2,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)' \
 "5_general_base64_content.txt"
- #case sensitive, the regex is insensitive anyway
+ # case sensitive, the regex is insensitive anyway
- #As the following regex had way too many false positives (thousands of english words match), we require the base64 to include
- #at least one equal sign at the end. The old regex was:
- #'(?:[A-Za-z0-9_-]{4})+(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{4})'
+ # As the following regex had way too many false positives (thousands of english words match), we require the base64 to include
+ # at least one equal sign at the end. The old regex was:
+ # '(?:[A-Za-z0-9_-]{4})+(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{4})'
 grepit_search "Base64 URL-safe encoded data (that is more than 6 bytes long).
To get from URL-safe base64 to regular base64 you need .replace('-','+').replace('_','/'). This regex won't detect a base64 encoded value over several lines and won't detect one that does not end with an equal sign..." \
 'YScqKyo6LV_Dpw==' \
 '/target/ //JQLite - the following ones shouldnt be an issue anymore as we require more than 6 bytes: done echo else gen/ ////' \
 '(?:[A-Za-z0-9_-]{4}){2,}(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=)' \
 "5_general_base64_urlsafe.txt"
- #case sensitive, the regex is insensitive anyway
+ # case sensitive, the regex is insensitive anyway
 grepit_search "Base64 as a word used" \
 'Base64' \
@@ -5018,8 +5018,8 @@ grepit_module_general() {
 "4_general_swear_crap.txt" \
 "-i"
- #IP-Adresses
- #\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.
+ # IP-Adresses
+ # \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.
 # (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.
 # (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.
 # (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
From fef894289c5b85e3a637bbf5659c4c9f77e4eb30 Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Tue, 3 Jan 2023 15:59:05 +0100
Subject: [PATCH 2/2] checker for spaces after comment sign
---
 modules/S99_grepit.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/S99_grepit.sh b/modules/S99_grepit.sh
index 686f9e9a7..ba71f6ea5 100755
--- a/modules/S99_grepit.sh
+++ b/modules/S99_grepit.sh
@@ -632,21 +632,21 @@ grepit_module_java() {
 "javax.validation" \
 "5_java_javax-validation.txt"
- #Take care with the following regex, @ has a special meaning in double quoted strings, but not in single quoted strings
+ # Take care with the following regex, @ has a special meaning in double quoted strings, but not in single quoted strings
 grepit_search 'Setting values in Java objects from HTTP/JSON requests directly can be very dangerous. This is usually a fasterxml.jackson binding. These properties might be secret inputs the server accepts, but are unlinked in the client side JavaScript code. For example imagine such an annotation on the username attribute of a User Java class. This would allow to fake the username by sending a username attribute in the JSON payload.' \
 '@JsonProperty("version")' \
 'FALSE_POSITIVES_EXAMPLE_PLACEHOLDER' \
 '@JsonProperty\(' \
 "4_java_jsonproperty_annotation.txt"
- #Take care with the following regex, @ has a special meaning in double quoted strings, but not in single quoted strings
+ # Take care with the following regex, @ has a special meaning in double quoted strings, but not in single quoted strings
 grepit_search 'Validation in Java can be done via certain @constraint' \
 '@constraint' \
 'FALSE_POSITIVES_EXAMPLE_PLACEHOLDER' \
 '@constraint' \
 "5_java_constraint_annotation.txt"
- #Take care with the following regex, @ has a special meaning in double quoted strings, but not in single quoted strings
+ # Take care with the following regex, @ has a special meaning in double quoted strings, but not in single quoted strings
 grepit_search 'Lint will sometimes complain about security related stuff, this annotation deactivates the warning' \
 '@SuppressLint' \
 'FALSE_POSITIVES_EXAMPLE_PLACEHOLDER' \
@@ -954,7 +954,7 @@ grepit_module_java_spring() {
 "\.getHeader\(" \
 "5_java_spring_http_getHeader.txt"
- #Take care with the following regex, @ has a special meaning in double quoted strings, but not in single quoted strings
+ # Take care with the following regex, @ has a special meaning in double quoted strings, but not in single quoted strings
 grepit_search "Check for Spring View Manipulation https://github.com/veracode-research/spring-view-manipulation/" \
 '@GetMapping("/safe/redirect")' \
 'FALSE_POSITIVES_EXAMPLE_PLACEHOLDER' \