
umap2's Introduction

Umap2

Umap2 is the second revision of NCC Group's python based USB host security assessment tool.

This revision will have all the features that were supported in the first revision:

  • umap2emulate - USB device emulation
  • umap2scan - USB host scanning for device support
  • umap2detect - USB host OS detection (not implemented yet)
  • umap2fuzz - USB host fuzzing

In this revision there will be some additional features:

  • USB host fuzzing uses kitty as fuzzing engine
  • Umap2 not only contains executable scripts, but is also installed as a package and may be used as a library

Umap2 is developed by NCC Group and Cisco SAS team.

Warning: umap2 is still an experimental, alpha stage tool. The APIs, executable names, etc. are likely to be changed in the near future. Use at your own risk.

Support

- IRC: #umap2 on Freenode

Installation

Since this is a very early version, Umap2 is not yet available from PyPI. Instead, use pip to install it directly from GitHub:

$ pip install git+https://github.com/nccgroup/umap2.git#egg=umap2

Python Versions

Umap2 is python2/3 compatible for the most part. However, the fuzzer script (umap2kitty) runs only on python2.

"Soft" Dependencies

Umap2's dependencies are listed in setup.py and will be installed with umap2. However, there are a couple of things that you might want to do to add support for some devices:

Mass Storage

  1. Requires a disk image called stick.img in the running directory

MTP

  1. Requires a folder/file called mtp_fs in the current directory.
  2. Requires the python package pymtpdevice. This package is not on pypi at the moment, but can be downloaded and installed from here: https://github.com/BinyaminSharet/Mtp

Hardware

  • Facedancer is the recommended hardware for Umap2. Umap2 was developed based on it, and you'll get the most support with it.
  • Raspdancer <http://wiki.yobi.be/wiki/Raspdancer> is supported on RPi
  • GadgetFS is partially supported. This support is very experimental (even more than the rest of Umap2) and limited.
    • BeagleboneBlack starting from Linux kernel 4.4.9 with a patched gadgetfs driver
    • RaspberryPi Zero W starting from Linux kernel 4.12.0-rc3+ which requires no patches
    • Since 4.12.0-rc3+ requires no patches, there might be other devices that can be supported. If you know of such a device, or have made changes to make it run on other devices, please send us a word.

If you are interested, read the gadget/README.rst for more information.

Usage

Device Emulation

Umap2's basic functionality is emulating a USB device. You can emulate one of the existing devices (use umap2list to see the available devices):

$ umap2emulate -P fd:/dev/ttyUSB0 -C mass_storage

or emulate your own device:

$ umap2emulate -P fd:/dev/ttyUSB0 -C ~/my_mass_storage.py

A detailed guide to adding your device will be added soon. In the meantime, you can take a look at the umap2 devices under umap2/dev/

Device Support Scanning

Umap2 can attempt to detect what types of USB devices are supported by the host. It is done by emulating each device that is implemented in Umap2 for a short period of time, and checking whether a device-specific message was sent.

$ umap2scan -P fd:/dev/ttyUSB0

Vendor Specific Device Support Scanning

In addition to scanning for support of various device classes, Umap2 can scan the host for support of vendor specific devices.

Vendor specific scanning helps identify the vendor specific drivers that are available on the host.

This can be done using the current Umap2 VID-PID DB (still working on it), or another file in the same format:

$ umap2vsscan -P fd:/dev/ttyUSB0 -d $UMAP2_DIR/data/vid_pid_db.py

Or by scanning a specific VID-PID range. In this example, scan each combination of VID from 0x1001 to 0x1004 and PID from 0x0000 to 0xffff:

$ umap2vsscan -P fd:/dev/ttyUSB0 -s 1001-1004:0000-ffff

Any patches/additions to the vid_pid_db.py file are very welcome!
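
To see what a range such as the one above costs before starting it, here is an added example (a stand-alone sketch, not umap2's own parser). The function names are hypothetical, the single-value form follows the `610b:4653` usage shown in an issue further down this page, and the 5 seconds per candidate is an assumption taken from the "over 5 secs" log line in that same issue.

```python
from datetime import timedelta


def parse_hex_range(text):
    """Parse 'LO-HI' or a single hex value into an inclusive (lo, hi) pair."""
    first, dash, last = text.strip().partition('-')
    lo = int(first, 16)                 # ValueError on empty or non-hex input
    hi = int(last, 16) if dash else lo
    if not 0 <= lo <= hi <= 0xFFFF:     # VID and PID are 16-bit fields
        raise ValueError('range %r is reversed or outside 0000-ffff' % text)
    return lo, hi


def parse_scan_spec(spec):
    """Split 'VIDS:PIDS' into ((vid_lo, vid_hi), (pid_lo, pid_hi))."""
    if spec.count(':') != 1:
        raise ValueError('expected VID[-VID]:PID[-PID], got %r' % spec)
    vid_part, pid_part = spec.split(':')
    return parse_hex_range(vid_part), parse_hex_range(pid_part)


def candidate_count(spec):
    """Number of VID/PID combinations the spec expands to."""
    (vid_lo, vid_hi), (pid_lo, pid_hi) = parse_scan_spec(spec)
    return (vid_hi - vid_lo + 1) * (pid_hi - pid_lo + 1)


def iter_candidates(spec):
    """Yield every (vid, pid) pair lazily, VID-major."""
    (vid_lo, vid_hi), (pid_lo, pid_hi) = parse_scan_spec(spec)
    for vid in range(vid_lo, vid_hi + 1):
        for pid in range(pid_lo, pid_hi + 1):
            yield vid, pid


def estimate_duration(spec, seconds_per_candidate=5.0):
    """Lower bound on wall-clock time if each candidate waits out the timeout.

    seconds_per_candidate is an assumption (see lead-in), not a umap2 constant.
    """
    return timedelta(seconds=candidate_count(spec) * seconds_per_candidate)


if __name__ == '__main__':
    spec = '1001-1004:0000-ffff'        # the range used in the README example
    print('%s -> %d candidates, at least %s' % (
        spec, candidate_count(spec), estimate_duration(spec)))
    first_vid, first_pid = next(iter_candidates(spec))
    print('first candidate: %04x:%04x' % (first_vid, first_pid))
```

Under that assumption, four VIDs across the full PID space already take more than two weeks, which is why narrowing the range or using the VID-PID DB matters.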

Fuzzing

A detailed guide for fuzzing using Umap2 can be found in docs/fuzzing.rst

Fuzzing with Umap2 is composed of three steps, which might be unified into a single script in the future.

  1. Find out the order of messages for the host you want to fuzz and the USB device that you emulate:

    $ umap2stages -P fd:/dev/ttyUSB0 -C keyboard -s keyboard.stages
  2. Start the kitty fuzzer in a separate shell, and provide it with the stages generated in step 1.

    $ umap2kitty -s keyboard.stages
  3. Start the umap2 keyboard emulation in fuzz mode

    $ umap2fuzz -P fd:/dev/ttyUSB0 -C keyboard

After step 3 is performed, the fuzzing session will begin.

Note About MTP fuzzing

While umap2 may be used to emulate and discover MTP devices (see "Soft dependencies" section of this README), it does not fuzz the MTP layer at this point. In order to fuzz the MTP layer, you can use the fuzzer embedded in the MTP library. We plan to support MTP fuzzing directly from umap2 in future releases.

Host OS Detection

TBD

Troubleshooting

If you have issues with Umap2, try the troubleshooting section

Raspdancer

You need SPI-Py <https://github.com/lthiery/SPI-Py> and GPIO python libraries. Use phy rd

umap2's People

Contributors

0xd3d0, al1c3-1337, binyaminsharet, bkerler, dark-lbp, iweizime, kthrtty, lucasduffey


umap2's Issues

Type Error

Continuous TypeError exceptions occur whilst executing the tool, as shown below.

[INFO ] [Interface] Calling get_descriptor (stage: "interface_descriptor")
[ERROR ] Traceback (most recent call last):
File "/usr/local/lib/python3.9/dist-packages/umap2/fuzz/helpers.py", line 76, in wrapper
response = func(self, *args, **kwargs)
File "/usr/local/lib/python3.9/dist-packages/umap2/core/usb_interface.py", line 130, in get_descriptor
d += e.get_descriptor(usb_type, valid)
File "/usr/local/lib/python3.9/dist-packages/umap2/core/usb_cs_interface.py", line 63, in get_descriptor
response = struct.pack('BB', length & 0xff, descriptor_type) + self.cs_config
TypeError: can't concat str to bytes

[ERROR ] File "/usr/local/bin/umap2scan", line 8, in
sys.exit(main())
File "/usr/local/lib/python3.9/dist-packages/umap2/apps/scan.py", line 80, in main
app.run()
File "/usr/local/lib/python3.9/dist-packages/umap2/apps/scan.py", line 50, in run
device.run()
File "/usr/local/lib/python3.9/dist-packages/umap2/core/usb_device.py", line 144, in run
self.phy.run()
File "/usr/local/lib/python3.9/dist-packages/umap2/phy/facedancer/max342x_phy.py", line 194, in run
self.service_irqs()
File "/usr/local/lib/python3.9/dist-packages/umap2/phy/facedancer/max342x_phy.py", line 217, in service_irqs
self.connected_device.handle_request(b)
File "/usr/local/lib/python3.9/dist-packages/umap2/core/usb_device.py", line 250, in handle_request
handler(req)
File "/usr/local/lib/python3.9/dist-packages/umap2/core/usb_device.py", line 322, in handle_get_descriptor_request
response = response(dindex)
File "/usr/local/lib/python3.9/dist-packages/umap2/core/usb_device.py", line 337, in get_configuration_descriptor
return self.configurations[num].get_descriptor()
File "/usr/local/lib/python3.9/dist-packages/umap2/fuzz/helpers.py", line 76, in wrapper
response = func(self, *args, **kwargs)
File "/usr/local/lib/python3.9/dist-packages/umap2/core/usb_configuration.py", line 97, in get_descriptor
interface_descriptors += i.get_descriptor(usb_type, valid)
File "/usr/local/lib/python3.9/dist-packages/umap2/fuzz/helpers.py", line 76, in wrapper
response = func(self, *args, **kwargs)
File "/usr/local/lib/python3.9/dist-packages/umap2/dev/audio.py", line 173, in get_descriptor
return super(USBAudioControlInterface, self).get_descriptor(usb_type, valid)
File "/usr/local/lib/python3.9/dist-packages/umap2/fuzz/helpers.py", line 79, in wrapper
self.logger.error(''.join(traceback.format_stack()))

[ERROR ] Traceback (most recent call last):
File "/usr/local/lib/python3.9/dist-packages/umap2/fuzz/helpers.py", line 76, in wrapper
response = func(self, *args, **kwargs)
File "/usr/local/lib/python3.9/dist-packages/umap2/dev/audio.py", line 173, in get_descriptor
return super(USBAudioControlInterface, self).get_descriptor(usb_type, valid)
File "/usr/local/lib/python3.9/dist-packages/umap2/fuzz/helpers.py", line 80, in wrapper
raise e
File "/usr/local/lib/python3.9/dist-packages/umap2/fuzz/helpers.py", line 76, in wrapper
response = func(self, *args, **kwargs)
File "/usr/local/lib/python3.9/dist-packages/umap2/core/usb_interface.py", line 130, in get_descriptor
d += e.get_descriptor(usb_type, valid)
File "/usr/local/lib/python3.9/dist-packages/umap2/core/usb_cs_interface.py", line 63, in get_descriptor
response = struct.pack('BB', length & 0xff, descriptor_type) + self.cs_config
TypeError: can't concat str to bytes

[ERROR ] File "/usr/local/bin/umap2scan", line 8, in
sys.exit(main())
File "/usr/local/lib/python3.9/dist-packages/umap2/apps/scan.py", line 80, in main
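
Added example (not part of the issue report and not umap2's own code): the failing expression in the traceback prepends a `struct.pack` header (bytes) to a payload that is a `str` on Python 3. The sketch below reproduces that failure and shows one way to normalise the payload. The function names are hypothetical, the payload is a constructed sample, and taking bLength as payload length plus the two header bytes is an assumption about how `length` is computed.

```python
import struct

CS_INTERFACE = 0x24  # USB class-specific interface descriptor type

# Constructed sample payload held as text, the way Python 2 era code stores
# binary data. It contains 0x80 so that the choice of encoding matters.
SAMPLE_TEXT = '\x01\x00\x01\x09\x00\x01\x80'


def naive_concat(descriptor_type, payload):
    """Mirror of the expression in the traceback: bytes header + payload."""
    length = len(payload) + 2
    return struct.pack('BB', length & 0xff, descriptor_type) + payload


def to_wire_bytes(payload):
    """Normalise a descriptor payload to bytes without changing any byte value."""
    if isinstance(payload, (bytes, bytearray)):
        return bytes(payload)
    if isinstance(payload, str):
        try:
            # latin-1 maps code points 0..255 one-to-one onto byte values;
            # utf-8 would turn '\x80' into two bytes and corrupt the descriptor.
            return payload.encode('latin-1')
        except UnicodeEncodeError:
            raise ValueError('payload has code points above 0xff')
    raise TypeError('unsupported payload type: %s' % type(payload).__name__)


def build_cs_descriptor(descriptor_type, payload):
    """Return bLength, bDescriptorType and the payload as one bytes object."""
    body = to_wire_bytes(payload)
    length = len(body) + 2               # bLength counts the two header bytes
    if length > 0xff:                    # bLength is a single byte
        raise ValueError('descriptor too long: %d bytes' % length)
    return struct.pack('BB', length, descriptor_type) + body


def parse_descriptor(data):
    """Check that bLength matches the real size; return (type, body)."""
    if len(data) < 2:
        raise ValueError('descriptor shorter than its 2-byte header')
    b_length, b_type = struct.unpack_from('BB', data)
    if b_length != len(data):
        raise ValueError('bLength %d != actual %d' % (b_length, len(data)))
    return b_type, data[2:]


if __name__ == '__main__':
    try:
        naive_concat(CS_INTERFACE, SAMPLE_TEXT)
    except TypeError as exc:
        print('naive concat fails on Python 3: %s' % exc)
    descriptor = build_cs_descriptor(CS_INTERFACE, SAMPLE_TEXT)
    print('fixed: %s' % descriptor.hex())
    print('round trip: %r' % (parse_descriptor(descriptor),))
```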

How to fuzz a single descriptor

Hi

Once a stages file is created, the fuzzer goes through the record flow and fuzzes all the descriptors the host is expecting (normal operation). Is there a way to just fuzz a singular descriptor, e.g. the configuration descriptor?

GreatFET support

Hi,

I decided to open a new issue just in case somebody can shed a little bit of light on this. The problem is exactly like #31, and I have already commented there as well, but it is currently closed. The main problem I am having is that GreatFET does not connect to the computer as a serial connection like GoodFET or Facedancer 21, so it does not have any tty assigned to it. The error and its exception are obvious since there is no /dev/ttyUSB0 to connect to.

$ umap2scan -P fd:/dev/ttyUSB0 
[ALWAYS] Scanning host for supported devices
[INFO  ] Loading physical interface: fd:/dev/ttyUSB0
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/serial/serialposix.py", line 322, in open
    self.fd = os.open(self.portstr, os.O_RDWR | os.O_NOCTTY | os.O_NONBLOCK)
FileNotFoundError: [Errno 2] No such file or directory: '/dev/ttyUSB0'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/v/.local/bin/umap2scan", line 8, in <module>
    sys.exit(main())
  File "/home/v/.local/lib/python3.8/site-packages/umap2/apps/scan.py", line 80, in main
    app.run()
  File "/home/v/.local/lib/python3.8/site-packages/umap2/apps/scan.py", line 42, in run
    phy = self.load_phy(self.options['--phy'])
  File "/home/v/.local/lib/python3.8/site-packages/umap2/apps/base.py", line 66, in load_phy
    s = Serial(dev_name, 115200, parity=PARITY_NONE, timeout=2)
  File "/usr/local/lib/python3.8/dist-packages/serial/serialutil.py", line 244, in __init__
    self.open()
  File "/usr/local/lib/python3.8/dist-packages/serial/serialposix.py", line 325, in open
    raise SerialException(msg.errno, "could not open port {}: {}".format(self._port, msg))
serial.serialutil.SerialException: [Errno 2] could not open port /dev/ttyUSB0: [Errno 2] No such file or directory: '/dev/ttyUSB0'

dmesg's output does not help either.

[ 3163.722217] usb 1-2: new high-speed USB device number 5 using xhci_hcd
[ 3163.891946] usb 1-2: New USB device found, idVendor=1d50, idProduct=60e6, bcdDevice= 1.00
[ 3163.891951] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 3163.891953] usb 1-2: Product: GreatFET
[ 3163.891955] usb 1-2: Manufacturer: Great Scott Gadgets
[ 3163.891956] usb 1-2: SerialNumber: 000000000000000057cc67e630aa7857

There is a /dev/ path created called /dev/greatfet-oneX-Y, where X and Y are two variable numbers, but you can not write to it and umap2 crashes as well.

$ umap2scan -P fd:/dev/greatfet-one1-2 
[ALWAYS] Scanning host for supported devices
[INFO  ] Loading physical interface: fd:/dev/greatfet-one1-2
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/serial/serialposix.py", line 398, in _reconfigure_port
    orig_attr = termios.tcgetattr(self.fd)
termios.error: (25, 'Inappropriate ioctl for device')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/v/.local/bin/umap2scan", line 8, in <module>
    sys.exit(main())
  File "/home/v/.local/lib/python3.8/site-packages/umap2/apps/scan.py", line 80, in main
    app.run()
  File "/home/v/.local/lib/python3.8/site-packages/umap2/apps/scan.py", line 42, in run
    phy = self.load_phy(self.options['--phy'])
  File "/home/v/.local/lib/python3.8/site-packages/umap2/apps/base.py", line 66, in load_phy
    s = Serial(dev_name, 115200, parity=PARITY_NONE, timeout=2)
  File "/usr/local/lib/python3.8/dist-packages/serial/serialutil.py", line 244, in __init__
    self.open()
  File "/usr/local/lib/python3.8/dist-packages/serial/serialposix.py", line 332, in open
    self._reconfigure_port(force_update=True)
  File "/usr/local/lib/python3.8/dist-packages/serial/serialposix.py", line 401, in _reconfigure_port
    raise SerialException("Could not configure port: {}".format(msg))
serial.serialutil.SerialException: Could not configure port: (25, 'Inappropriate ioctl for device')

GreatFET supports UART and other kinds of serial connection to the board, but using these as a roundabout to talk with the device is futile as well, even if it now has an actual /dev/tty path.

$ umap2scan -P fd:/dev/ttyUSB0 
[ALWAYS] Scanning host for supported devices
[INFO  ] Loading physical interface: fd:/dev/ttyUSB0
[INFO  ] Facedancer resetting...
Traceback (most recent call last):
  File "/home/v/.local/bin/umap2scan", line 8, in <module>
    sys.exit(main())
  File "/home/v/.local/lib/python3.8/site-packages/umap2/apps/scan.py", line 80, in main
    app.run()
  File "/home/v/.local/lib/python3.8/site-packages/umap2/apps/scan.py", line 42, in run
    phy = self.load_phy(self.options['--phy'])
  File "/home/v/.local/lib/python3.8/site-packages/umap2/apps/base.py", line 68, in load_phy
    phy = Max342xPhy(self, s)
  File "/home/v/.local/lib/python3.8/site-packages/umap2/phy/facedancer/max342x_phy.py", line 73, in __init__
    self.device = Facedancer(serial_port)
  File "/home/v/.local/lib/python3.8/site-packages/umap2/phy/facedancer/facedancer.py", line 14, in __init__
    self.reset()
  File "/home/v/.local/lib/python3.8/site-packages/umap2/phy/facedancer/facedancer.py", line 33, in reset
    raise Exception("Facedancer reset fault.")
Exception: Facedancer reset fault.

The old issue was closed by @shtry, so I was wondering if they could get it to work or they just abandoned the project. I am curious and adamant to get it to work (changing code as little as possible) and given umap's compatibility with Facedancer, I think this is highly feasible, but I currently lack the understanding to do so. I would be delighted if any of the devs could share their experience with this device.

Thanks in advance.

pickle on python3 issue

Making an issue for feedback, rather than contributing a commit, because I'm not 100% sure this problem is experienced by anyone else.

Getting an issue with cPickle not existing in python3. cPickle IS NOT a package you can install. My patch is below.

# line: https://github.com/nccgroup/umap2/blob/master/umap2/apps/vsscan.py#L45

import six.moves.cPickle as cPickle
#import cPickle

umap2kitty ImportError: No module named 'templates'

I'm struggling with the set-up of my umap2. There seems to be a mix of python2 and python3 that's causing all sorts of issues (some PR to follow...).

At the moment I try to follow the fuzzing instructions from the main README.

$ umap2kitty -s ~/Tools/umap2/umap2/fuzz/templates/mass_storage.stages 
Traceback (most recent call last):
  File "/usr/local/bin/umap2kitty", line 9, in <module>
    load_entry_point('umap2==2.0.1', 'console_scripts', 'umap2kitty')()
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 542, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2569, in load_entry_point
    return ep.load()
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2229, in load
    return self.resolve()
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2235, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/local/lib/python3.5/dist-packages/umap2-2.0.1-py3.5.egg/umap2/fuzz/fuzz_engine.py", line 23, in <module>
ImportError: No module named 'templates'

Not sure how to fix this, maybe using PYTHONPATH, but it seems to have adverse side effects.

Cannot execute failed tests

Hi,
I used umap2kitty to record a session (with the -f flag) and then I tried to execute the failed tests again (with the -r flag); however, umap2fuzz crashes with the following error:

Exception: Got error from RPC server when called "start" error: {u'message': u'exception in call "start({})" -> Specified test range exceeds the maximum mutation count', u'code': -32603}

The same issue is the one described in #25 (same trace).

To avoid this error, as a "fast workaround", I changed the RangesList class set_last function in the kitty/fuzzers/test_list.py file as follows, and then the test re-execution worked fine.

    def set_last(self, last):
        last_list = self._lists[-1]
        if last > last_list._start and last_list.open_ended():
            last_list.set_last(last)

session-file

Hi all

I have performed some fuzzing (nice tool). I have a kitty_***.log file with 'errors and failures' after running a complete fuzzing cycle (I assume errors/failures are worth further exploration). Running umap2kitty -s keyboard.stages -k -h tells me I can retest failed/error tests from a 'session-file'. Are the tests stored somewhere, or do I need to create one? I'm missing something obvious, I'm sure ;)

[Printer] Umap2 crashes on Linux

When emulating a Printer, Umap2 crashes on Linux.
linux_printer.txt

dmesg output:

[84249.184055] usb 1-1: new full-speed USB device number 51 using xhci_hcd
[84249.492976] usb 1-1: New USB device found, idVendor=0922, idProduct=0021
[84249.492981] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[84249.492985] usb 1-1: Product: DYMO LabelWriter 450 Turbo
[84249.492988] usb 1-1: Manufacturer: Dymo-CoStar Corp.
[84249.492990] usb 1-1: SerialNumber: 10031908350047
[84249.593177] usblp 1-1:1.0: usblp0: USB Bidirectional printer dev 51 if 0 alt 0 proto 2 vid 0x0922 pid 0x0021
[84254.680368] usblp0: removed
[84254.830074] usblp: can't set desired altsetting 0 on interface 0
[84447.684718] usb 1-1: USB disconnect, device number 51

umap2kitty invalid syntax

Trying to run the umap2kitty command but I'm receiving the following error:

└─# python2.7 /usr/local/bin/umap2kitty -s mass_storage.stages
Traceback (most recent call last):
File "/usr/local/bin/umap2kitty", line 5, in
from umap2.fuzz.fuzz_engine import main
File "/usr/local/lib/python2.7/dist-packages/umap2/fuzz/fuzz_engine.py", line 16, in
from kitty.remote.rpc import RpcServer
File "/usr/local/lib/python2.7/dist-packages/kitty/remote/init.py", line 23, in
from kitty.remote.rpc import RpcServer, RpcClient
File "/usr/local/lib/python2.7/dist-packages/kitty/remote/rpc.py", line 22, in
import requests
File "/usr/share/offsec-awae-wheels/requests-2.23.0-py2.py3-none-any.whl/requests/init.py", line 95, in
File "/usr/share/offsec-awae-wheels/urllib3-1.25.9-py2.py3-none-any.whl/urllib3/contrib/pyopenssl.py", line 46, in
File "/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/init.py", line 8, in
File "/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py", line 12, in
File "/usr/local/lib/python2.7/dist-packages/cryptography/x509/init.py", line 6, in
from cryptography.x509 import certificate_transparency
File "/usr/local/lib/python2.7/dist-packages/cryptography/x509/certificate_transparency.py", line 22
class SignedCertificateTimestamp(metaclass=abc.ABCMeta):
^
SyntaxError: invalid syntax

Does anyone have a workaround/fix?

support greatfet?

Hi.

Does umap2 tool support greatfet?

I get a device error as below.

$ sudo umap2emulate -P fd:/dev/ttyUSB0 -C fidi
[INFO  ] Loading physical interface: fd:/dev/ttyUSB0
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/serial/serialposix.py", line 322, in open
    self.fd = os.open(self.portstr, os.O_RDWR | os.O_NOCTTY | os.O_NONBLOCK)
FileNotFoundError: [Errno 2] No such file or directory: '/dev/ttyUSB0'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/umap2emulate", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.8/dist-packages/umap2/apps/emulate.py", line 53, in main
    app.run()
  File "/usr/local/lib/python3.8/dist-packages/umap2/apps/emulate.py", line 35, in run
    self.phy = self.load_phy(self.options['--phy'])
  File "/usr/local/lib/python3.8/dist-packages/umap2/apps/base.py", line 66, in load_phy
    s = Serial(dev_name, 115200, parity=PARITY_NONE, timeout=2)
  File "/usr/local/lib/python3.8/dist-packages/serial/serialutil.py", line 244, in __init__
    self.open()
  File "/usr/local/lib/python3.8/dist-packages/serial/serialposix.py", line 325, in open
    raise SerialException(msg.errno, "could not open port {}: {}".format(self._port, msg))
serial.serialutil.SerialException: [Errno 2] could not open port /dev/ttyUSB0: [Errno 2] No such file or directory: '/dev/ttyUSB0'

umap2vsscan does not work, but umap2scan and umap works?

Running umap2vsscan with vid_pid_db.py gives

[INFO ] have been waiting long enough (over 5 secs.), disconnect

For all devices, whether they are supported or not. Running umap (not umap2) with -i shows supported devices, as well as umap2scan after fixing some errors when running it in python3. So both umap and umap2scan show supported devices (testing it against a Windows 10 desktop). However, if I run umap2vsscan -s with the same vid:pid as one of the supported devices tested in umap2scan, it just gives the same message as above. For some reason I keep having this issue where the host disconnects. This happens in umap2scan as well, but it still shows the device as supported:

[INFO ] [AudioDevice] Response: b'280355004d00410050003200200041007500640069006f0020004100640061007000740065007200'
[INFO ] have been waiting long enough (over 6 secs.), disconnect
[INFO ] [Max342xPhy] Disconnected device AudioDevice
[INFO ] [Max342xPhy] Disconnect called when already disconnected
[ALWAYS] Device is SUPPORTED

Can someone provide me insight into why umap2vsscan is not working, and why I constantly get this "have been waiting long enough" message? I have tried increasing the timeout but the issue persists.

EDIT --

For example running umap2scan it shows that Keyboard is supported.
If I try to use the same vid:pid with umap2vsscan by doing:
umap2vsscan -P fd:/dev/ttyUSB0 -s 610b:4653

It does not respond, which makes sense since on the target computer it comes up as:
"UMAP2. PID0x4653" in Other Devices

While in umap2scan the keyboard shows up as
"USB Reciever" and recognized as a keyboard.

It seems that in umap2scan the devices are more properly configured, while umap2vsscan only uses vid:pid, causing the target to not recognize the USB device.

However, I would like to scan for certain devices/drivers such as this person does in his project:
https://github.com/ea/bosch_headunit_root

EDIT 2 ---
The problem seems to be with how VendorSpecificDevice is set up compared to specific classes such as USBKeyboardDevice

GadgetFsPhy does not handle OUT control requests with data

The reason for this issue is not clear yet. However, some of the OUT control messages that have data are often not received by the phy, and when they are, an attempt to read the data causes OSError 43 (Identifier removed):

[INFO  ] [GadgetFsPhy] length of events buffer: 0xc
[DEBUG ] [GadgetFsPhy] EP0 event type SETUP(0x3)
[INFO  ] [GadgetFsPhy] expecting additional data on control ep - 0x2 bytes
[INFO  ] [GadgetFsPhy] dir=0x0 (out), type=0x1 (class), rec=0x1 (interface), req=0x4, val=0x200, idx=0xd00, len=0x2
[ERROR ] Got exception while connecting/running device
[ERROR ] Traceback (most recent call last):
  File "/root/umap2/umap2/apps/emulate.py", line 39, in run
    self.dev.run()
  File "/root/umap2/umap2/core/usb_device.py", line 143, in run
    self.phy.run()
  File "/root/umap2/umap2/phy/gadgetfs/gadgetfs_phy.py", line 185, in run
    self._handle_ep0()
  File "/root/umap2/umap2/phy/gadgetfs/gadgetfs_phy.py", line 248, in _handle_ep0
    self._handle_ep0_setup(event)
  File "/root/umap2/umap2/phy/gadgetfs/gadgetfs_phy.py", line 275, in _handle_ep0_setup
    data = os.read(self.control_fd, req.length)
OSError: [Errno 43] Identifier removed

[INFO  ] [GadgetFsPhy] Disconnected device AudioDevice

load_db_from_file ValueError - level must be >= 0

user@hostname:~/research/umap2$ sudo umap2vsscan -P fd:/dev/ttyUSB0 -d data/vid_pid_db.py
[ALWAYS] Resume file not found. Creating new one
[INFO  ] loading vid_pid db file: data/vid_pid_db.py
Traceback (most recent call last):
  File "/usr/local/bin/umap2vsscan", line 9, in <module>
    load_entry_point('umap2', 'console_scripts', 'umap2vsscan')()
  File "/home/user/research/umap2/umap2/apps/vsscan.py", line 304, in main
    app.run()
  File "/home/user/research/umap2/umap2/apps/vsscan.py", line 223, in run
    self.build_scan_session()
  File "/home/user/research/umap2/umap2/apps/vsscan.py", line 191, in build_scan_session
    self.load_db_from_file(db_file)
  File "/home/user/research/umap2/umap2/apps/vsscan.py", line 152, in load_db_from_file
    module = __import__(modulename, globals(), locals(), [], -1)
ValueError: level must be >= 0

Cannot replay tests

I recorded a fuzzing session using umap2kitty. When I try to replay, I get the following error:

>umap2kitty -s stages/keyboard.stage -k "-r fuzz/keyboard.fuzz"
Waiting for a client to connect to url http://localhost:26007/
[INFO    ][base._load_session] No session loaded

On the fuzzer side, I get some kind of nasty RPC error, mutation count exceeds maximum.

>umap2fuzz -P rd -C keyboard
Traceback (most recent call last):
  File "/usr/local/bin/umap2fuzz", line 11, in <module>
    load_entry_point('umap2==2.0.1', 'console_scripts', 'umap2fuzz')()
  File "build/bdist.linux-armv6l/egg/umap2/apps/fuzz.py", line 110, in main
  File "build/bdist.linux-armv6l/egg/umap2/apps/emulate.py", line 34, in run
  File "build/bdist.linux-armv6l/egg/umap2/apps/fuzz.py", line 43, in get_fuzzer
  File "/usr/local/lib/python2.7/dist-packages/kittyfuzzer-0.7.1-py2.7.egg/kitty/remote/rpc.py", line 169, in _
    raise Exception('Got error from RPC server when called "%s" error: %s' % (method, response['error']))
Exception: Got error from RPC server when called "start" error: {u'message': u'exception in call "start({})" -> Specified test range exceeds the maximum mutation count', u'code': -32603}

Any idea how to get past this?

[Apps] umap2vsscan hangs with GadgetFsPhy

Seems like when using GadgetFsPhy with umap2vsscan, there are not enough messages on EP0, so packet_processed is not called after basic enumeration and the app never stops.

I think this issue should be solved by changing the callback to be just some kind of query, and not only when a message is processed.

Test case ensuring fuzzing is working

Is there a well known "vulnerability" that can easily be found with the umap2fuzz ?

I have a spare laptop on which I installed an old Fedora with a 4.2 kernel (couldn't go older than that).
I am currently fuzzing the keyboard class, it will take 2 days and I have no certainty that it will find something.

So my question is, is there a well known "vulnerability" so I can (and everyone here setting up this project can too) ensure the fuzzing is correctly working ?

[MtpDevice] request not handled: dir=0x1 (in), type=0x2 (vendor), rec=0x0 (device), req=0x33, val=0x0, idx=0x0, len=0x2

Using command: umap2stages -P fd:/dev/ttyUSB0 -C mtp -s mtp I receive the following errors:

[INFO ] [DeviceVendor] Calling handle_msos_vendor_extended_config_descriptor (stage: "msos_vendor_extended_config_descriptor")
[INFO ] [DeviceVendor] Response: 2800000000010000010000000000000000014d545000000000000000000000000000000000000000
[ERROR ] [MtpDevice] request not handled: dir=0x1 (in), type=0x2 (vendor), rec=0x0 (device), req=0x33, val=0x0, idx=0x0, len=0x2
[ERROR ] [MtpDevice] handler entity type: <class 'umap2.dev.mtp.USBMsosVendor'>
[ERROR ] [MtpDevice] handler entity: <umap2.dev.mtp.USBMsosVendor object at 0x7f8191518dd0>
[ERROR ] [MtpDevice] handler_entity.request_handlers: {0: <bound method USBMsosVendor.handle_all of <umap2.dev.mtp.USBMsosVendor object at 0x7f8191518dd0>>}
[ERROR ] [MtpDevice] 0x00: <bound method USBMsosVendor.handle_all of <umap2.dev.mtp.USBMsosVendor object at 0x7f8191518dd0>>
[ERROR ] [MtpDevice] invalid handler, stalling
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/umap2/core/usb_device.py", line 249, in handle_request
handler(req)
TypeError: 'NoneType' object is not callable
[ERROR ] Got exception while connecting/running device
[ERROR ] Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/umap2/apps/emulate.py", line 39, in run
self.dev.run()
File "/usr/local/lib/python2.7/dist-packages/umap2/core/usb_device.py", line 143, in run
self.phy.run()
File "/usr/local/lib/python2.7/dist-packages/umap2/phy/facedancer/max342x_phy.py", line 194, in run
self.service_irqs()
File "/usr/local/lib/python2.7/dist-packages/umap2/phy/facedancer/max342x_phy.py", line 217, in service_irqs
self.connected_device.handle_request(b)
File "/usr/local/lib/python2.7/dist-packages/umap2/core/usb_device.py", line 249, in handle_request
handler(req)
TypeError: 'NoneType' object is not callable

[INFO ] [Max342xPhy] Disconnected device MtpDevice

The same error is received when trying to emulate mtp or mass_storage
