TEW-654TR router vulnerability analysis and mining-vulnerability warning-the black bar safety net

ID MYHACK58:62201783623
Type myhack58
Reporter 影武者实验室
Modified 2017-02-21T00:00:00


After reading through devttys0's "Exploiting Embedded Systems" series, I analysed the firmware of a related router model, the TEW-654TR. Firmware download address: http://download.trendnet.com/TEW-654TR/firmware/

0x01 Environment setup

#!/bin/bash

INPUT="$1"
LEN=$(echo -n "$INPUT" | wc -c)
PORT="1234"

# Refuse to run without POST data, with -h, or without root (chroot needs it)
if [ "$LEN" == "0" ] || [ "$INPUT" == "-h" ] || [ "$UID" != "0" ]
then
    echo -e "\nUsage: sudo $0 \n"
    exit 1
fi

# Copy the little-endian MIPS user-mode emulator into the extracted root
cp $(which qemu-mipsel-static) ./qemu

# Feed the POST body on stdin, set the CGI environment with -E,
# and wait for a gdb remote connection on $PORT (-g)
echo "$INPUT" | chroot . ./qemu -E REQUEST_METHOD="POST" -E CONTENT_LENGTH=$LEN -E CONTENT_TYPE="application/x-www-form-urlencoded" -E REMOTE_ADDR="" -g $PORT /usr/bin/my_cgi.cgi 2>/dev/null

rm -f ./qemu

Because this is a little-endian MIPS machine, qemu-mipsel-static is the emulator to copy in. The approach to vulnerability discovery on MIPS is no different from that on Intel; only the details differ, for example when exploiting an overflow you have to determine whether the function is a leaf function. Because the CGI binary reads its input with getenv, -E is used to set the environment variables, and -g specifies the gdb remote debugging port. /usr/bin/my_cgi.cgi was found while reading the configuration files; it can of course also be seen from an actual submitted request.

0x02 Vulnerability analysis

1: Reading the router admin account password

Real login request packet: request=login&user_name=admin&user_pwd=password

In static analysis you can search directly for the relevant keywords to locate the login function. Searching for "request" here locates it inside the main function.

The function first saves the registers to the stack, then calls getenv("REQUEST_METHOD"). If nothing is returned it jumps to loc_40914c, restores s0-s7, fp and ra from the stack and returns through ra. Otherwise getenv is called again, and if that returns true it decides whether the method is GET or POST.


After the length, type and REMOTE_ADDR have been fetched in the same way, following the flow further down reveals a call that opens a database:

.text:00409460 blez $s1, loc_409938
.text:00409464 lui $s0, 2
.text:00409468 la $t9, open_db
.text:0040946C ori $a0, $s0, 0xE5F0
.text:00409470 jalr $t9 ; open_db
.text:00409474 addu $a0, $s3, $a0
.text:00409478 lw $gp, 0x2E6F0+var_2E6E0($sp)
.text:0040947C nop

We search the extracted filesystem for db files:

root@ubuntu:~/_TEW-654TRA1_FW110B12.bin.extracted/squashfs-root# find ./ -name *.db
./mnt/wizard_rt.db
./mnt/user.db
./mnt/ap.db
./mnt/rt.db
./mnt/default_rt.db
./mnt/default_apc.db
./mnt/wizard_ap.db
./mnt/default_ap.db
./mnt/apc.db
./mnt/iface.db

Take a look at the content:

root@ubuntu:~/_TEW-654TRA1_FW110B12.bin.extracted/squashfs-root# file ./mnt/user.db
./mnt/user.db: SQLite 3.x database
root@ubuntu:~/_TEW-654TRA1_FW110B12.bin.extracted/squashfs-root# sqlite3 ./mnt/user.db
SQLite version 3.11.0 2016-02-15 17:29:24
Enter ".help" for usage hints.
sqlite> .tables
login_info
sqlite> .schema login_info
CREATE TABLE "login_info" ("login_ip" VARCHAR NOT NULL , "login_time" INTEGER NOT NULL , "login_level" CHAR NOT NULL );
sqlite> select * from login_info;
sqlite> select * from login_info;
sqlite> open
   ...> ;
Error: near "open": syntax error
sqlite> ^Z
[1]+  Stopped                 sqlite3 ./mnt/user.db
root@ubuntu:~/_TEW-654TRA1_FW110B12.bin.extracted/squashfs-root# sqlite3 ./mnt/rt.db
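The manual walk above (find the .db files, run file on them, open each one in sqlite3 and read the schema) is the kind of check worth automating when auditing an extracted firmware image for plaintext credentials. The following Python script is an added example and is not code from the original post or from TRENDnet: it walks an extracted firmware root, identifies SQLite databases by their 16-byte header rather than by file extension, lists every table's columns and flags column names that hint at stored credentials. The sample tree it builds under a temporary directory is constructed for the demonstration (a user.db mirroring the login_info schema shown on the page, plus a made-up rt.db with an admin table); the SENSITIVE_HINTS list is an assumed heuristic, not anything from the firmware.

```python
import os
import sqlite3
import tempfile

# Every SQLite 3 file begins with this 16-byte header string.
SQLITE_MAGIC = b"SQLite format 3\x00"

# Column-name fragments that suggest stored credentials (assumed heuristic).
SENSITIVE_HINTS = ("pwd", "pass", "secret", "key", "token")


def is_sqlite_file(path):
    """Identify a SQLite database by its header, the way `file` does."""
    try:
        with open(path, "rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False


def find_sqlite_files(root):
    """Walk an extracted firmware root and return every SQLite database (relative paths)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_sqlite_file(path):
                found.append(os.path.relpath(path, root))
    return sorted(found)


def describe_db(path):
    """Return {table: [column names]} for every table, opening the file read-only."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        schema = {}
        for t in tables:
            # PRAGMA table_info rows are (cid, name, type, notnull, dflt, pk)
            schema[t] = [r[1] for r in conn.execute(f'PRAGMA table_info("{t}")')]
        return schema
    finally:
        conn.close()


def sensitive_columns(schema):
    """Flag (table, column) pairs whose names hint at stored credentials."""
    hits = []
    for table, cols in schema.items():
        for c in cols:
            if any(h in c.lower() for h in SENSITIVE_HINTS):
                hits.append((table, c))
    return hits


def audit(root):
    """Map each database (relative path) to its flagged credential-like columns."""
    report = {}
    for rel in find_sqlite_files(root):
        report[rel] = sensitive_columns(describe_db(os.path.join(root, rel)))
    return report


def build_sample_root():
    """Constructed stand-in for squashfs-root: two small databases under mnt/."""
    root = tempfile.mkdtemp(prefix="fwroot_")
    mnt = os.path.join(root, "mnt")
    os.makedirs(mnt)
    # Mirrors the login_info schema shown on the page; holds no credentials.
    conn = sqlite3.connect(os.path.join(mnt, "user.db"))
    conn.execute('CREATE TABLE "login_info" ("login_ip" VARCHAR NOT NULL, '
                 '"login_time" INTEGER NOT NULL, "login_level" CHAR NOT NULL)')
    conn.commit()
    conn.close()
    # Constructed table with a credential column, as a router config DB might hold.
    conn = sqlite3.connect(os.path.join(mnt, "rt.db"))
    conn.execute('CREATE TABLE "admin" ("user_name" TEXT, "user_pwd" TEXT)')
    conn.execute("INSERT INTO admin VALUES ('admin', 'constructed-sample')")
    conn.commit()
    conn.close()
    # A non-database file that must not be reported.
    with open(os.path.join(mnt, "notes.txt"), "w") as fh:
        fh.write("not a database\n")
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    for db, hits in audit(sample).items():
        print(db, "->", hits if hits else "no credential-like columns")
```

Matching on the header rather than the extension matters because vendor firmware often stores SQLite data under arbitrary names; the read-only URI mode ensures the audit never modifies the evidence it is inspecting.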
