• Stars
    star
    532
  • Rank 83,377 (Top 2 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created over 2 years ago
  • Updated about 1 month ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

IDA Pro plugin for query based searching within the binary useful mainly for vulnerability research.

VulFi v2.1

Introduction

The VulFi (Vulnerability Finder) tool is a plugin to IDA Pro which can be used to assist during bug hunting in binaries. Its main objective is to provide a single view with all cross-references to the most interesting functions (such as strcpy, sprintf, system, etc.). For cases where a Hexrays decompiler can be used, it will attempt to rule out calls to these functions which are not interesting from a vulnerability research perspective (think something like strcpy(dst,"Hello World!")). Without the decompiler, the rules are much simpler (to not depend on architecture) and thus only rule out the most obvious cases.

Installation

Place the vulfi.py, vulfi_prototypes.json and vulfi_rules.json files in the IDA plugin folder (cp vulfi* <IDA_PLUGIN_FOLDER>).

Preparing the Database File

Before you run VulFi make sure that you have a good understanding of the binary that you work with. Try to identify all standard functions (strcpy, memcpy, etc.) and name them accordingly. The plugin is case insensitive and thus MEMCPY, Memcpy and memcpy are all valid names. However, note that the search for the function requires exact match. This means that memcpy? or std_memcpy (or any other variant) will not be detected as a standard function and therefore will not be considered when looking for potential vulnerabilities. If you are working with an unknown binary you need to set the compiler options first Options > Compiler. After that VulFi will do its best to filter all obvious false positives (such as call to printf with constant string as a first parameter). Please note that while the plugin is made without any ties to a specific architecture some processors do not have full support for specifying types and in such case VulFi will simply mark all cross-references to potentially dangerous standard functions to allow you to proceed with manual analysis. In these cases, you can benefit from the tracking features of the plugin.

Usage

Scanning

To initiate the scan, select Search > VulFi option from the top bar menu. This will either initiate a new scan, or it will read previous results stored inside the idb/i64 file. The data are automatically saved whenever you save the database.

Once the scan is completed or once the previous results are loaded a table will be presented with a view containing following columns:

  • IssueName - Used as a title for the suspected issue.
  • FunctionName - Name of the function.
  • FoundIn - The function that contains the potentially interesting reference.
  • Address - The address of the detected call.
  • Status - The review status, initial Not Checked is assigned to every new item. The other statuses are False Positive, Suspicious and Vulnerable. Those can be set using a right-click menu on a given item and should reflect the results of the manual review of the given function call.
  • Priority - An attempt to prioritize more interesting calls over the less interesting ones. Possible values are High, Medium and Low (also Info for cases where the scanner was not able to identify all parameters properly). The priorities are defined along with other rules in vulfi_rules.json file.
  • Comment - A user defined comment for the given item.

In case that there are no data inside the idb/i64 file or user decides to perform a new scan. The plugin will ask whether it should run the scan using the default included rules or whether it should use a custom rules file. Please note that running a new scan with already existing data does not overwrite the previously found items identified by the rule with the same name as the one with previously stored results. Therefore, running the scan again does not delete existing comments and status updates.

basic

In the right-click context menu within the VulFi view, you can also remove the item from the results or remove all items. Please note that any comments or status updates will be lost after performing this operation. As of version 2.1, VulFi also supports operations performed on multiple selected items at once. This allows multiple items to be marked with certain status, deleted or same comment added to multiple rows. Sometimes it happens that the operation does not refreshe correctly. When this occurs, refresh the UI (Ctrl+U) couple times until you see the changes reflected.

Investigation

Whenever you would like to inspect the detected instance of a possible vulnerable function, just double-click anywhere in the desired row and IDA will take you to the memory location which was identified as potentially interesting. Using a right-click and option Set Vulfi Comment allows you to enter comment for the given instance (to justify the status for example).

Adding More Functions

The plugin also allows for creating custom rules. These rules could be defined in the IDA interface (ideal for single functions) or supplied as a custom rule file (ideal for rules that aim to cover multiple functions).

Within the Interface

When you would like to trace a custom function, which was identified during the analysis, right-click anywhere within its body and select Add <name> function to VulFi. You could also highlight and right-click a function name within current disassembly/decompiler view to avoid switching into the function body.

add custom

Custom Set of Rules

It is also possible to load a custom file with set of multiple rules. To create a custom rule file with the below structure you can use the included template file here.

[   // An array of rules
    {
        "name": "RULE NAME", // The name of the rule
        "function_names":[
            "function_name_to_look_for" // List of all function names that should be matched against the conditions defined in this rule
        ],
        "wrappers":true,    // Look for wrappers of the above functions as well (note that the wrapped function has to also match the rule)
        "mark_if":{
            "High":"True",  // If evaluates to True, mark with priority High (see Rules below)
            "Medium":"False", // If evaluates to True, mark with priority Medium (see Rules below)
            "Low": "False" // If evaluates to True, mark with priority Low (see Rules below)
        }
    }
]

An example rule that looks for all cross-references to function malloc and checks whether its paramter is not constant and whether the return value of the function is checked is shown below:

{
    "name": "Possible Null Pointer Dereference",
    "function_names":[
        "malloc",
        "_malloc",
        ".malloc"
    ],
    "wrappers":false,
    "mark_if":{
        "High":"not param[0].is_constant() and not function_call.return_value_checked()",
        "Medium":"False",
        "Low": "False"
    }
}

Rules

Available Variables

  • param[<index>]: Used to access the parameter to a function call (index starts at 0)
  • function_call: Used to access the function call event
  • param_count: Holds the count of parameters that were passed to a function

Available Functions

  • Is parameter a constant: param[<index>].is_constant()
  • Get numeric value of parameter: param[<index>].number_value()
  • Get string value of parameter: param[<index>].string_value()
  • Is parameter set to null after the call: param[<index>].set_to_null_after_call()
  • Is return value of a function checked: function_call.return_value_checked(<constant_to_check>)
  • Is the parameter also used as a parameter in one of the calls to a specified list of functions before/after: param[<index>].used_in_call_<before|after>(["function1","function2"])
  • Is the call to the selected function reachable from a specific other function: function_call.reachable_from("<function_name>")

Examples

  • Mark all calls to a function where third parameter is > 5: param[2].number_value() > 5
  • Mark all calls to a function where the second parameter contains "%s": "%s" in param[1].string_value()
  • Mark all calls to a function where the second parameter is not constant: not param[1].is_constant()
  • Mark all calls to a function where the return value is validated against the value that is equal to the number of parameters: function_call.return_value_checked(param_count)
  • Mark all calls to a function where the return value is validated against any value: function_call.return_value_checked()
  • Mark all calls to a function where none of the parameters starting from the third are constants: all(not p.is_constant() for p in param[2:])
  • Mark all calls to a function where any of the parameters are constant: any(p.is_constant() for p in param)
  • Mark all calls to a function: True
  • Mark all calls to a function where the second paramter is not constant and is not checked with strlen: not param[1].is_constant() and not param[1].used_in_call_before(["strlen"])
  • Mark all calls to a function which are reachable from read function: function_call.reachable_from("read")

Issues and Warnings

  • When you request the parameter with index that is out of bounds any call to a function will be marked as Low priority. This is a way to avoid missing cross references where it was not possible to correctly get all parameters (this mainly applies to disassembly mode).
  • When you search within the VulFi view and change context out of the view and come back, the view will not load. You can solve this either by terminating the search operation before switching the context, moving the VulFi view to the side-view so that it is always visible or by closing and re-opening the view (no data will be lost).
  • Scans for more exotic architectures end with a lot of false positives.
  • With addition of multi-select operations in the VulFi chooser, the refresh operations sometimes fails to update the view. If you notice that your changes were not reflected, use Ctrl+U shortcut ot manually refresh the view (couple times).

More Repositories

1

AmpliGraph

Python library for Representation Learning on Knowledge Graphs https://docs.ampligraph.org
Python
2,147
star
2

Spartacus

Spartacus DLL/COM Hijacking Toolkit
C#
989
star
3

adop-docker-compose

Talk to us on Gitter: https://gitter.im/Accenture/ADOP
Shell
765
star
4

reactive-interaction-gateway

Create low-latency, interactive user experiences for stateless microservices.
Elixir
590
star
5

jenkins-attack-framework

Python
554
star
6

Codecepticon

.NET/PowerShell/VBA Offensive Security Obfuscator
C#
481
star
7

Ocaramba

C# Framework to automate tests using Selenium WebDriver
C#
277
star
8

CLRvoyance

Managed assembly shellcode generation
Assembly
263
star
9

protobuf-finder

IDA Pro plugin for reconstructing original .proto files from binary.
Python
256
star
10

alexia

A Framework for creating Amazon Echo (Alexa) skills using Node.js
JavaScript
164
star
11

adop-jenkins

Groovy
152
star
12

sfmc-devtools

Fast-track your developers and devops engineers by allowing them to programmatically copy-paste / deploy changes and work offline
JavaScript
137
star
13

Labs-Federated-Learning

Accenture Labs Federated Learning
92
star
14

FirmLoader

Python
90
star
15

mercury

Reference engine for composable applications
Java
81
star
16

serverless-ephemeral

This is a Serverless Framework plugin that helps bundling any stateless zipped library to AWS Lambda.
JavaScript
67
star
17

adop-platform-management

Groovy
60
star
18

adop-cartridge-java

Groovy
59
star
19

Condstanta

Python
56
star
20

EcoSonar

EcoSonar, the ecodesign audit tool
JavaScript
54
star
21

bdd-for-all

Flexible and easy to use library to enable your behavorial driven development (BDD) teams to easily collaborate while promoting automation, transparency and reporting.
Java
51
star
22

Cymple

Cymple - a productivity tool for creating Cypher queries in Python
Python
49
star
23

adop-gerrit

Shell
45
star
24

adop-aws

This repository contains a hardened, 2-tiered implementation of the DevOps Platform -> https://github.com/Accenture/adop-docker-compose
35
star
25

AARO-Bugs

Vulnerabilities, exploits, and PoCs
C
34
star
26

AIR

A deep learning object detector framework written in Python for supporting Land Search and Rescue Missions.
Python
30
star
27

generator-mario

Generator for Backbone/Marionette applications with lots of bells and whistles to help keep a non-trivial sized application moving forward at a breakneck pace!
JavaScript
29
star
28

sfmc-customapp

JavaScript
28
star
29

DBTestCompare

Application to compare results of two SQL queries
Java
25
star
30

AutoFixture.XUnit2.AutoMock

Autofixture auto-mocking for XUnit2 using a mocking library of your choice.
C#
22
star
31

kx.as.code

kx.as.code
Shell
19
star
32

openathon-2019-angular

IV OpenAthon CSE - Angular
TypeScript
19
star
33

OSDU-Ontology

An ontology designed for oil and gas, and subsurface energy data based on the industry standards.
HTML
18
star
34

alexia-starter-kit

Starter Kit project with sample Amazon Echo skill created using Alexia Framework
JavaScript
17
star
35

mv-unreal-aws

C++
16
star
36

tldr

The Lightweight Docker Runtime
Shell
15
star
37

pyheal

PyHeal is a Python wrapper for Microsoft SEAL aimed at making operations easier to use.
Python
15
star
38

openathon-2019-react

Openathon edition organised for the Accenture Technology Custom Open Cloud community where we will have again the opportunity to discover, in a practical way, the possibilities offered by the different architectures and leading frameworks in the market.
JavaScript
15
star
39

openathon-2019-docker

13
star
40

mercury-python

Python language pack for Mercury
Python
12
star
41

openathon-2020-serverless

Openathon VI - Custom Software Engineering
HTML
11
star
42

adop-sonar

Shell
11
star
43

waterfall-config

A simplistic configuration library for Java, heavily based on Typesafehub Config with some additional opinionated features
Java
9
star
44

sfmc-connector

Apex
8
star
45

askme

askme is a simple application designed to solicit immediate feedback during public speaking engagements, and is used as a demo app for multiple application architecture and dev process demos. It's also a cool and useful application in its own right.
JavaScript
8
star
46

adop-nexus

Shell
7
star
47

sfmc-devtools-copado

SFMC DevTools made easy using Copado Multi-Cloud's webinterface
JavaScript
7
star
48

mercury-composable

Reference implementation toolkit for writing composable applications
Java
7
star
49

adop-nginx

CSS
6
star
50

openathon-2020-python

openathon-2020-python
Python
6
star
51

ALM-SF-Metadata-API-Python-Tools

ALM SF Metadata API Python Tools
Python
6
star
52

DX-Mate

DX Mate
TypeScript
5
star
53

sfmc-devtools-vscode

Accenture SFMC DevTools for VS Code
TypeScript
5
star
54

Off-chain-storage-verification

A Blockchain-based Auditing Framework for Off-chain Storage
JavaScript
5
star
55

grails-spring-security-oauth-azure

grails-spring-security-oauth-azure
Groovy
5
star
56

mac-enablement

Shell
5
star
57

ALM-SF-DX-Python-Tools

ALM SF DX Python Tools
Python
5
star
58

adop-jenkins-worker

Dockerfile
4
star
59

adop-ldap-phpadmin

Shell
4
star
60

hiera-aws-sm

A Hiera 5 backend for AWS Secrets Manager
Ruby
4
star
61

Cockpit

Java
4
star
62

digital-products-boosters

digital-products-boosters
JavaScript
4
star
63

ALM-SF-DX-Pipelines

ALM SF DX Pipelines
Groovy
4
star
64

ALM-SF-Metadata-API-Pipelines

ALM SF Metadata API Pipelines
Groovy
4
star
65

openathon-2018-spring-boot-cloud

Materials (detailed guideline and exemplar solution) for the first Openathon organized by Accenture Technology Custom Software Engineering practice in Spain, focused on learning the basic to microservice development with Spring Boot and Spring Cloud.
Java
4
star
66

adop-cartridge-java-regression-tests

Java
3
star
67

speech2spikes

Python
3
star
68

mercury-nodejs

Reference engine for composable applications
TypeScript
3
star
69

alexa-pokitdok

JavaScript
3
star
70

cna-aws-cdk-patterns

TypeScript
3
star
71

openathon-2019-appian

OpenAthon 2019 - Appian
3
star
72

openathon-2021-quarkus

openathon-2021-quarkus
Shell
3
star
73

adop-cartridge-specification

Shell
3
star
74

adop-sensu

Ruby
3
star
75

azure-arc-playground-builder

Azure Arc Quickstart showcasing Arc-enabled App Service & Data Services
Shell
3
star
76

can_dlc_fuzzer

C++
3
star
77

tldr-alb

Application Load Balancer container for the The Lightweight Docker Runtime
Shell
2
star
78

evil_update

C
2
star
79

adop-cartridge-java-pipeline

Groovy
2
star
80

energy-consumption-measuring-toolkit

Python
2
star
81

openathon-2019-docker-spring-boot-app

Java
2
star
82

adop-cartridge-java-environment-template

2
star
83

DBTestCompareGenerator

Tool for generating database tests
C#
2
star
84

Mendix.RecaptchaWidget

JavaScript
2
star
85

adop-ldap-ltb

PHP
2
star
86

morpheus-data-api

Python client to Morpheus Data API https://apidocs.morpheusdata.com
Python
2
star
87

reactive_technologylearningpills

Technology Learning Pills: Reactive
TypeScript
2
star
88

adop-platform-extension-chef

Chef Server v12 extension for the ADOP platform.
2
star
89

Docknet

A pure Numpy implementation of neural networks for educational purposes
Jupyter Notebook
2
star
90

NEC850_Architecture

C++
2
star
91

Mendix.ObjectivityCommons

Java
1
star
92

Mendix.GlobusTheme

Objectivityโ€™s UI resources module and theme for building apps on the Mendix 9 platform.
SCSS
1
star
93

Mendix.IfElse

JavaScript
1
star
94

adop-logstash

1
star
95

Shakespeare_RNN

Python
1
star
96

adop-gitlab

Shell
1
star
97

CIFR_Yara

YARA
1
star
98

Mendix.CssClassSwitcher

A Mendix widget that adds CSS classes determined by a microflow (or nanoflow) to elements determined by CSS selector.
CSS
1
star
99

docker-plaso

Makefile
1
star
100

openathon-2019-docker-angular-app

TypeScript
1
star