Vulnerability information: D-Link DIR-615, DIR-645 and DIR-815 routers running firmware version 1.03 and earlier have a remote command execution vulnerability. service.cgi in cgibin concatenates data from the HTTP POST request into a command string that is then executed in the background, so an attacker can execute arbitrary commands.

1. Running-environment analysis

First download the relevant firmware, dir815_FW_102.bin, which is the version 1.02 firmware for the DIR-815. After extracting it with binwalk, locate the cgibin binary.

Open cgibin in IDA and look at the main function: to reach the branch that handles service.cgi, the program's first argument (argv[0]) has to be set to the corresponding string.

I first tried the script approach posted online by some great people, passing the input on standard input or appending the parameter to the qemu command, as in the following, without success:

    echo "$INPUT" | chroot . ./qemu ./htdocs/cgibin
    chroot . ./qemu ./htdocs/cgibin service.cgi

Later I found that the first parameter has to be specified with qemu's -0 option, which sets argv[0]:

    chroot . ./qemu -0 "service.cgi" ./htdocs/cgibin

To run cgibin you also need to set some necessary parameters. Searching for servicecgi_main, I found that a sub-function inside it, cgibin_parse_request, reads the following environment variables; if they are not set, cgibin goes straight to the branch for a failed HTTP request parse. Therefore the following environment variables also have to be supplied when running cgibin:

    -E REQUEST_METHOD="POST" -E CONTENT_LENGTH=10 -E REQUEST_URI="service.cgi" -E CONTENT_TYPE="application/x-www-form-urlencoded" -E HTTP_COOKIE="uid=aaaaa"

If you need to debug further, add the -g parameter to specify the port number qemu's gdb stub listens on. Putting it all together gives the following shell script:

    PORT=1234
    LEN=${LEN:-10}    # length of the POST body in bytes; 10 is the value used in the command above
    cp $(which qemu-mipsel-static) ./qemu
    chroot . ./qemu -0 "service.cgi" -E REQUEST_METHOD="POST" -E REQUEST_URI="service.cgi" -E CONTENT_LENGTH=$LEN -E CONTENT_TYPE="application/x-www-form-urlencoded" -E HTTP_COOKIE="uid=aaaaa" -g $PORT -E REMOTE_ADDR="127.0.0.1" ./htdocs/cgibin

On Ubuntu, switch to the root user first (chroot requires it) and then run this script. cgibin is now running and waiting for a debugger to connect.

2. Debugger setup

Either of the following two debuggers can be used:

(1) A gdb compiled on the host. The steps are as shown in the figure: start gdb on the file, then connect to the remote debugging address and port (target remote host:port).

(2) IDA remote debugging. First install wine on Ubuntu, then run IDA under wine and open cgibin. Choose the debugger in the Debugger options, press F9 to start debugging, select the file, port, parameters and so on, and confirm attaching to the remote process. IDA then stops inside a library function; press F9 to continue and it runs to the entry of the main function.

3. Debugging process

A CGI generally obtains its environment variables through the stdlib getenv function and reads the POST data from standard input. In cgibin I found no stdin- or scanf-like functions or strings, so passing the command to inject on standard input did not succeed. After carefully checking each getenv, the injection succeeded when the command was placed in the REQUEST_URI environment variable.
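The whole procedure above (staging the static qemu inside the extracted root, setting argv[0] with -0, supplying the CGI environment, passing the POST body on standard input and optionally waiting for gdb with -g) collected into one reusable wrapper. This is an added example, not the script from the original post. It assumes the binwalk-extracted root is ./squashfs-root (override with ROOTFS), that the CGI is /htdocs/cgibin inside it, and it uses a constructed placeholder POST body, because the page does not show the real parameter names; DRYRUN=1 prints the command it would run without needing root or qemu installed.

```shell
#!/bin/sh
# Added example, not code from the original post: run a MIPS-LE CGI binary from
# an extracted firmware root under qemu-mipsel-static with the CGI environment
# described above, the POST body on stdin, and an optional gdb stub.
#
# Assumptions of mine, not the page's: the binwalk-extracted root is
# ./squashfs-root (override with ROOTFS), the CGI is /htdocs/cgibin inside it,
# and the default BODY is a constructed placeholder (the page does not show the
# real POST parameter names).

ROOTFS="${ROOTFS:-./squashfs-root}"
CGI="${CGI:-./htdocs/cgibin}"        # path relative to the chroot
SCRIPT_NAME="${SCRIPT_NAME:-service.cgi}"
BODY="${BODY:-name=test}"            # constructed placeholder POST body
GDB_PORT="${GDB_PORT:-}"             # empty: run without waiting for gdb
DRYRUN="${DRYRUN:-}"                 # non-empty: print the command, do not run

# CONTENT_LENGTH must be the body length in bytes, not characters.
content_length() {
    printf '%s' "$1" | LC_ALL=C wc -c | tr -d ' '
}

# Assemble the qemu-user arguments: -0 sets argv[0] so cgibin takes the
# service.cgi branch, -E sets each CGI variable cgibin_parse_request expects,
# -g makes qemu wait for gdb on that port. Prints one argument per line.
qemu_args() {
    _script="$1"; _body="$2"; _port="$3"
    set -- -0 "$_script" \
        -E "REQUEST_METHOD=POST" \
        -E "REQUEST_URI=$_script" \
        -E "CONTENT_LENGTH=$(content_length "$_body")" \
        -E "CONTENT_TYPE=application/x-www-form-urlencoded" \
        -E "HTTP_COOKIE=uid=aaaaa" \
        -E "REMOTE_ADDR=127.0.0.1"
    if [ -n "$_port" ]; then
        set -- "$@" -g "$_port"
    fi
    printf '%s\n' "$@"
}

# Stage qemu into the root and run the CGI inside a chroot (needs root).
run_cgi() {
    _args="$(qemu_args "$SCRIPT_NAME" "$BODY" "$GDB_PORT")"
    if [ -n "$DRYRUN" ]; then
        printf 'cd %s && chroot . ./qemu\n' "$ROOTFS"
        printf '%s\n' "$_args" "$CGI"
        return 0
    fi
    if [ ! -d "$ROOTFS" ]; then
        echo "rootfs $ROOTFS not found: extract the firmware with binwalk first" >&2
        return 2
    fi
    _qemu="$(command -v qemu-mipsel-static)" || {
        echo "qemu-mipsel-static not installed" >&2; return 2; }
    # The static qemu binary has to live inside the root so chroot can exec it.
    cp "$_qemu" "$ROOTFS/qemu"
    # Split the newline-separated argument list back into positional parameters.
    _ifs="$IFS"; IFS='
'
    set -f; set -- $_args; set +f; IFS="$_ifs"
    # Body on stdin: by CGI convention the program reads CONTENT_LENGTH bytes of
    # POST data from fd 0.
    ( cd "$ROOTFS" && printf '%s' "$BODY" | chroot . ./qemu "$@" "$CGI" )
}

# Only run when asked, so the file can also be sourced for its functions.
if [ -n "${RUN_CGI:-}" ] || [ -n "$DRYRUN" ]; then
    run_cgi
fi
```

Run it as root from the directory containing the extracted root, for example `RUN_CGI=1 GDB_PORT=1234 BODY='name=test' sh run_cgibin.sh`, then attach gdb or IDA to port 1234 as described above. CONTENT_LENGTH is computed from the body's byte length instead of being hard-coded, so the value stays consistent when the body changes.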