import io.shiftleft.codepropertygraph.Cpg
import io.shiftleft.semanticcpg.language._
import scala.io.Source
import scala.util.Using
// joern --script hardcoded_creds.sc --params binaryIn=/home/claudiu/src/joern/artifacts/mtfwu
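/**
 * Heuristic search for hardcoded credential checks in a binary, driven by Joern.
 *
 * Usage: `joern --script hardcoded_creds.sc --params binaryIn=<path-to-binary>`
 *
 * Pipeline:
 *   1. import `binaryIn` through Ghidra and dump the decompiled methods as C text,
 *   2. append the contents of `entry.c` (read from the working directory), re-import
 *      the combined text as a C project and run the OSS data-flow overlay,
 *   3. tag `getenv` with `attacksurface` — the final query treats calls to tagged
 *      methods as the entry points of externally controlled data,
 *   4. report methods that call `sprintf` with a hex-style format string on
 *      parameter-derived data, whose callers feed parameter-derived data into
 *      `strcmp`, and whose parameters are reachable from at least two distinct
 *      attack-surface call sites.
 *
 * Prints one block per finding (method full name plus the reaching call sites),
 * or a single "not found" line.
 *
 * @param binaryIn path of the binary to analyse
 */
@main def exec(binaryIn: String): Unit = {
  // Tag name shared by the tagging step and the final reachability query.
  val attackSurfaceTag = "attacksurface"
  // Hand-written C appended to the decompiler output; resolved against the working directory.
  val entryFile = "entry.c"

  importCode.ghidra(binaryIn)
  val decompiledBinary = cpg.method.dumpRaw.mkString("\n")
  // Using.resource closes the Source even when reading throws. Lines are re-joined
  // with "\n" (the original joined them with "") so the C keeps its line structure —
  // otherwise a `//` comment or a preprocessor directive would swallow the next line.
  val entry = Using.resource(Source.fromFile(entryFile))(_.getLines().mkString("\n"))
  importCode.c.fromString(decompiledBinary + "\n\n" + entry)
  run.ossdataflow

  cpg.method.fullNameExact("getenv").newTagNode(attackSurfaceTag).store
  run.commit

  // The query helpers below are `def`s on purpose: a Joern traversal is single-use,
  // so every consumer must start from a fresh one.

  // Calls to sprintf whose format-string literal (argument 2) ends in x/X —
  // presumably a %x / %X conversion; the regex also tolerates a trailing quote.
  def sprintfTransform =
    cpg.method
      .fullNameExact("sprintf")
      .callIn
      .where(_.argument(2).isLiteral.code(".*[xX][\"']?"))

  // Methods in which both the sprintf destination buffer (argument 1) and the
  // first formatted value (argument 3) are reachable from the method's own parameters.
  def parameterHexTransform =
    sprintfTransform
      .filter { sprintf =>
        val m = sprintf.method
        m.parameter.where(sprintf.argument(1).reachableBy(_)).nonEmpty &&
          m.parameter.where(sprintf.argument(3).reachableBy(_)).nonEmpty
      }
      .map(_.method)

  // Callers of those methods that (a) pass parameter-derived data into strcmp and
  // (b) forward their own parameters into the hex-formatting method. Materialised
  // with `.l` so the list is built once per method; an empty list contributes nothing.
  def cmpTransform =
    parameterHexTransform.flatMap { m =>
      m.caller
        .filter(cm => cm.call.methodFullNameExact("strcmp").argument.reachableBy(cm.parameter).nonEmpty)
        .filter(cm => m.parameter.reachableBy(cm.parameter).nonEmpty)
        .l
    }

  // Candidate credential checks: comparison callers (deduplicated by full name) whose
  // parameters are reachable from at least two distinct attack-surface call sites.
  def hardcodedCreds =
    cmpTransform.dedupBy(_.fullName).flatMap { tc =>
      val fromOutside = cpg.tag(attackSurfaceTag).method.callIn
      val reachable = tc.parameter.reachableBy(fromOutside).dedup.l
      Option.when(reachable.size >= 2)((tc, reachable))
    }

  // Materialise once: checking `size` and then iterating a `def` would run the whole query twice.
  val findings = hardcodedCreds.l
  if (findings.nonEmpty) {
    findings.foreach { case (method, inputs) =>
      println("Hardcoded credentials found: ")
      println(" method => `" + method.fullName + "`")
      inputs.foreach(c => println(" input => `" + c.code + "`"))
    }
  } else {
    println("No _hardcoded credentials_ found.")
  }
}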