Router vulnerability reproduction: from the principle to the first verification-vulnerability and early warning-the black bar safety net

2018-07-25T00:00:00
ID MYHACK58:62201890956
Type myhack58
Reporter 佚名
Modified 2018-07-25T00:00:00

Description

The IOT vulnerability to reproduction and the traditional system vulnerabilities to reproduce the different point is that the physical network vulnerability depends on the hardware, almost every vulnerability all have to buy a new piece of hardware to reproduce, which is different from the traditional system just download the correct corresponding version of the software. Therefore, the local virtual environment to reproduce the vulnerability is a extremely economical approach. And in the formal to the actual hardware to reproduce the vulnerability before, in the local virtual environment to reproduce would be beneficial to debugging the actual environment of unpredictable problems. This article is therefore to router vulnerability D-Link DIR-505, for example, describes how the local virtual machine to complete the vulnerability is reproduced. In the secret home router 0day vulnerability Mining Technology of the inside of Chapter 12, describes how the mining and the use of D-Link DIR-505 vulnerabilities. But the book which introduced the method, if you want to in the local QEMU virtual machine inside perform, then there is a problem, because when using bash script output when executed, will automatically filter out null characters, then a key calling system The address of the function it contains a null character, thus making the local QEMU fails verification. This article and the book inside of a different method, the use of calling external library libc. so. 0 inside the system function, and in libc. so. 0 find can use the gadget to achieve in the local QEMU virtual machine environment, for the D-Link DIR-505 vulnerability exploit, without in the actual device test. If you need actual device to test, only need to change into the library function of the base address of the can. In this article, I will introduce: 1.The How to call from shared library libc. so. 0 inside to call the system function, 2. How to determine the shared library libc. so. 0 of the base address. Wherein, for the 2, I provide two ways, actually there is a third way, but I have yet to verify that, in theory, is also feasible, will also be in the text after proposed. Below into the chase. The premise is the assumption that readers already have set up the QEMU environment.

1. binwalk firmware extraction First, the old rules, the use binwalk to download the Dlink firmware extraction: $ binwalk-Me DIR505A1_FW108B07. bin

2. Analysis of the vulnerability of key position Reuse the books for the publication of the vulnerability details of the analysis can be found in breaches of the critical location, in the root directory of/usr/bin/my_cgi. cgi. And the key input source is the storage_path=xx. Although CONTENT_LENGTH for read the storage_path Content Length restrictions, but for the CONTENT_LENGTH value is not limited, resulting in a virtually arbitrary Length the string content can be read, leading to a stack overflow vulnerability. Detailed analysis can be reference books in Chapter 12, not repeat them here.

3. Analysis of the RA offset The next step is analysis can for function return register RA, generates an overflow of the offset address location. Use the books provided patternLocOffset. py script to generate a string matching script to calculate the offset. $ python patternLocOffset.py –c –l 600 –f dir505test [*] Create the pattern string contains 600 characters ok! [+] output to passwd ok! [+] take time: 0.0026 s

4. QEMU run a vulnerability program Then use the following script to make the my_cgi. the cgi in the QEMU environment to perform:

sudo bash my_cgi_test.sh

INPUT=python-c "print 'storage_path='+open('dir505test','r'). read()"

INPUT=python-c "print 'storage_path='+'B'*477450+open('dir505test','r'). read()"

LEN=$(echo-n "INPUT" | wc-c)

((LEN=477472+0x100)) PORT="1234" if [ "$LEN" == "0" ] || [ "$INPUT" == "-h" ] || [ "$UID" != "0" ] then echo-e "usage: sudo bash my_cgi_test.sh" exit 1 fi cp $(which qemu-mips-static) ./ qemu echo "CONTENT_LENGTH" + $LEN echo "$INPUT" | chroot . ./ qemu-E CONTENT_LENGTH=$LEN-E CONTENT_TYPE="manultipart/form-data" -E SCRIPT_NAME="common" -E REQUEST_METHOD="POST" -E REQUEST_URI="/my_cgi. cgi" -g $PORT /usr/bin/my_cgi. cgi 2>/dev/null echo "youtest" rm-f ./ qemu Of special note here two points: the point is that CONTENT_LENGTH is best to manually specify the length of the original book which provides a script to set the CONTENT_LENGTH the length is wrong, it shows just the bash script parameters of a number in General, is 3 or 5, then this is the case, it is not always read to us after all the set contents of the payload, the part I've been stuck for a long time, and the books also never mention this, hope that friends in the reproduction when a certain note. So here we set((LEN=477472+0x100))。 After LEN will be assigned the value of CONTENT_LENGTH is. Another point, storage_path here to cover off the entire global variable length, this portion is similar to the books analysis can be found in memset(entries, 0 , 477450)477450 length, so we set 477450 pre-covered length.

5. Run the script after the use of IDA to mount the program, in the return of RA at the set breakpoint, view the RA data. ! Can be found covering the string content of 61374161, then we find this: $ python patternLocOffset.py -s 0x61374161-l 700 [] Create the pattern string contains 700 characters ok! [] Exact match at offset 22 [+] take time: 0.0012 s Discovery is the 22 offset. So if you want the cover to the RA while the front for a total offset of 477450+22=477472.

6. gadget find and use According to the book the original approach directly found in my_cgi. cgi inside a gadget address for 0x00405B1C, this address is calling the system function's address, and then in the corresponding position of the cover to the incoming CMD can be. But as mentioned earlier, if bash script, it will put the null character filtered off, the resulting address is not entered correctly, 0x00405B1C contains a null character 0x00. So we start following to look for the shared library function in libc. so. 0 inside the system function, and also in libc. so. 0 use looking for you can use the gadget to achieve system function calls, pass parameters. In order to accomplish the above tasks, you need to complete the following steps: A. find the libc. so. 0 the base address of B. Find the system function of the position C. Looking for the libc. so. 0 inside you can use the gadget

7. Looking for the libc. so. 0 base address This article provides two methods: the use of the Read proc file, and use the gdb Debugger. First, the use of reading proc files. Running a bash script, and use IDA to hang after downloading, run the ps –ef to view the corresponding process id

[1] [2] [3] [4] next