Demystifying 0-day hunting in home routers: repairing the router's runtime environment

1. Preface

1. Overview

Once we have a router's firmware we want to emulate it with qemu for testing, but the emulation often fails to start, or starts and then errors out, because of checks built into the firmware. We therefore need some processing to get past these errors.

2. General approach

  1. Emulate the program and locate where the error occurs.
  2. Analyse the function whose failure raises the error and forge its control flow (or take some other action).
  3. Use the LD_PRELOAD environment variable to load a fake shared library that hijacks the failing function in the target program.

2. Case study (a D-Link firmware sample)

1. Obtaining the firmware

Most older router firmware can be downloaded from the vendor's website.

Firmware used here: https://support.dlink.com/resource/products/dir-605l/REVA/DIR-605L_FIRMWARE_1.13.ZIP

2. Unpacking the firmware

Unpack it with binwalk:

iot@research:~/Desktop/iot-cve$ binwalk -Me dir605L_FW_113.bin

Scan Time:     2024-06-27 17:22:33
Target File:   /home/iot/Desktop/iot-cve/dir605L_FW_113.bin
MD5 Checksum:  c62a7e15ffcdc020231e61d06b590553
Signatures:    411

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
11280         0x2C10          LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2129920 bytes
563234        0x89822         Squashfs filesystem, big endian, version 2.0, size: 64160 bytes, 7 inodes, blocksize: 65536 bytes, created: 2012-05-25 04:03:47
628788        0x99834         Squashfs filesystem, big endian, version 2.0, size: 2301312 bytes, 495 inodes, blocksize: 65536 bytes, created: 2012-05-25 04:04:00


Scan Time:     2024-06-27 17:22:34
Target File:   /home/iot/Desktop/iot-cve/_dir605L_FW_113.bin.extracted/2C10
MD5 Checksum:  6f8e9fceef5a5f98be6496b7ca5afabd
Signatures:    411

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
630360        0x99E58         Certificate in DER format (x509 v3), header length: 4, sequence length: 31
1326568       0x143DE8        Certificate in DER format (x509 v3), header length: 4, sequence length: 130
1753232       0x1AC090        Linux kernel version 2.4.18
1760744       0x1ADDE8        Unix path: /usr/lib/libc.so.1
1796455       0x1B6967        HTML document header
1796618       0x1B6A0A        HTML document footer
2110208       0x203300        AES S-Box

iot@research:~/Desktop/iot-cve$

Reading the binwalk output in detail

As covered earlier, binwalk works by scanning the file against its large library of magic signatures and carving out whatever it recognises.

(I had not paid attention to this before.) This time let's look closely at what it found.

Part one

Scan Time:     2024-06-27 17:22:33
Target File:   /home/iot/Desktop/iot-cve/dir605L_FW_113.bin
MD5 Checksum:  c62a7e15ffcdc020231e61d06b590553
Signatures:    411

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
11280         0x2C10          LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2129920 bytes
563234        0x89822         Squashfs filesystem, big endian, version 2.0, size: 64160 bytes, 7 inodes, blocksize: 65536 bytes, created: 2012-05-25 04:03:47
628788        0x99834         Squashfs filesystem, big endian, version 2.0, size: 2301312 bytes, 495 inodes, blocksize: 65536 bytes, created: 2012-05-25 04:04:00

1. LZMA compressed data

At offset 0x2C10 binwalk identified an LZMA compressed block. LZMA is a high-ratio compression algorithm (dictionary size 8388608 bytes, uncompressed size 2129920 bytes).

2. Squashfs filesystem

At offset 0x89822 it identified a Squashfs filesystem, big-endian, version 2.0, size 64160 bytes, 7 inodes, block size 65536 bytes, created 2012-05-25 04:03:47.

At offset 0x99834 it identified another Squashfs filesystem, big-endian, version 2.0, size 2301312 bytes, 495 inodes, block size 65536 bytes, created 2012-05-25 04:04:00.

Part two

Scan Time:     2024-06-27 17:22:34
Target File:   /home/iot/Desktop/iot-cve/_dir605L_FW_113.bin.extracted/2C10
MD5 Checksum:  6f8e9fceef5a5f98be6496b7ca5afabd
Signatures:    411

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
630360        0x99E58         Certificate in DER format (x509 v3), header length: 4, sequence length: 31
1326568       0x143DE8        Certificate in DER format (x509 v3), header length: 4, sequence length: 130
1753232       0x1AC090        Linux kernel version 2.4.18
1760744       0x1ADDE8        Unix path: /usr/lib/libc.so.1
1796455       0x1B6967        HTML document header
1796618       0x1B6A0A        HTML document footer
2110208       0x203300        AES S-Box

1. Certificates in DER format (x509 v3)

At offsets 0x99E58 and 0x143DE8 it identified two DER-encoded x509 v3 certificates, with sequence lengths 31 and 130 respectively.

2. Linux kernel version 2.4.18

At offset 0x1AC090 it identified a Linux kernel version string, 2.4.18.

3. Unix path

At offset 0x1ADDE8 it identified the Unix path /usr/lib/libc.so.1.

4. HTML document

At offsets 0x1B6967 and 0x1B6A0A it identified the header and footer of an HTML document.

5. AES S-Box

At offset 0x203300 it identified an AES S-Box.

Extracting the service binary

[screenshot]

3. Running boa for the first time

1. Running the commands as given in the book (pitfalls ahead)

Copy the qemu MIPS user-mode binary into the extracted root filesystem:

cp $(which qemu-mips) ./

Make it executable:

chmod 777 qemu-mips

chroot into the extracted filesystem and run the boa binary:

sudo chroot ./qemu-mips ./bin/boa

2. Adjusting the emulation command

Probably because the book's environment is rather old (I am not sure of the exact reason), emulating directly with qemu-mips fails here:

[screenshot]

The usual cause is that qemu-mips is dynamically linked against the host's shared libraries, which do not exist inside the chroot; the statically linked build has no such dependency. Replace the binary and the command accordingly:

cp $(which qemu-mips-static) ./
sudo chroot ./ ./qemu-mips-static ./bin/boa

[screenshot]

With that, the emulation starts successfully.

3. An error appears

iot@research:~/Desktop/iot-cve/_dir605L_FW_113.bin.extracted/squashfs-root-0$ sudo chroot ./ ./qemu-mips-static ./bin/boa
Initialize AP MIB failed!
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Segmentation fault

4. Analysing the error

Use IDA to find out what triggers the "Initialize AP MIB failed!" message.

1. Search for the string and follow the cross-reference to the calling function

[screenshot]

2. Analyse the error logic

[screenshot]

Conclusion: when apmib_init fails, execution branches to the path that prints this message.

3. Analysing the apmib_init function

1. Find it in the library

apmib_init here is an import resolved from a shared library, so we have to find it in the firmware's .so.

The name is distinctive, so a symbol search finds it quickly.

[screenshot]

2. Analysing apmib_init in IDA

1. A search directly locates the function

[screenshot]

2. Analysing the logic

A quick look at the logic: this is mainly an initialisation routine and should have nothing to do with fuzzing (it does not affect the emulation as the user sees it).

int apmib_init()
{
    int v0; // return value, defaults to 1
    int v1; // result of the hardware-configuration routine
    int v2; // result of the data-store-configuration routine
    int v3; // temporary
    int v4; // temporary
    int v5; // temporary
    int v6; // temporary
    int v7; // temporary
    int v8; // temporary
    int v9; // temporary
    int v10; // temporary
    int v11; // temporary
    int v12; // temporary
    int v13; // temporary
    int v14; // temporary
    int v15; // temporary
    int v16; // temporary
    int v17; // temporary
    int v18; // temporary
    int v19; // temporary
    int v20; // temporary
    int v21; // temporary
    int v22; // temporary
    int v23; // temporary
    int v24; // temporary
    int v25; // temporary
    int v26; // temporary
    int v27; // temporary
    int v28; // temporary
    int v29; // temporary
    int v30; // temporary
    int v31; // temporary
    int v32; // temporary
    int v33; // temporary
    int v34; // temporary
    int v35; // temporary
    int v36; // temporary
    int v37; // temporary
    int v38; // temporary
    int v39; // temporary
    int v40; // temporary
    int v41; // temporary
    int i; // loop counter

    v0 = 1; // default return value 1 means initialisation succeeded

    // Only run if pMib has not been initialised yet
    if (!pMib)
    {
        // Run the hardware-configuration routine and check its result
        v1 = apmib_hwconf();
        v0 = 0; // if hardware configuration fails, the return value is 0

        if (v1)
        {
            pHwSetting = v1; // save the hardware settings returned by apmib_hwconf

            // Run the data-store-configuration routine
            v2 = apmib_dsconf();

            // If it fails, free what was allocated and return
            if (!v2)
            {
                v3 = pHwSetting;
                free(v3); // free the previously allocated memory
                return 0; // failure
            }

            pMibDef = v2; // save the defaults returned by apmib_dsconf

            // Select the configuration source depending on the hardware settings
            v4 = v2 + 3734;
            if (*((_BYTE *)&elf_hash_chain[71] + pHwSetting))
                strcpy(v4, (char *)&elf_hash_chain[71] + pHwSetting);

            // Run apmib_csconf and handle its result
            v5 = apmib_csconf(v4);
            v6 = 0;

            if (!v5)
            {
                free(pHwSetting); // configuration failed: free what was allocated
                v3 = pMibDef;
                free(v3);
                return 0; // failure
            }

            pMib = v5; // save the value returned by apmib_csconf in pMib

            v7 = 0;
            v8 = 0;

            // Process the per-WLAN configuration tables in a loop
            do
            {
                // Call a helper and branch on its result
                if (!sub_207C((char *)&unk_4DF80 + v8, 47, 25))
                    goto LABEL_63;

                v9 = 0;

                // Continue depending on the entry count and the helper's result
                if (*(_BYTE *)(v7 + pMib + 1585))
                {
                    v10 = 0;

                    while (1)
                    {
                        v11 = sub_2194((char *)&unk_4DF80 + v8, v7 + v10 + pMib + 1586);
                        ++v9;
                        v10 += 47;

                        if (!v11)
                            break;

                        if (v9 >= *(unsigned __int8 *)(v7 + pMib + 1585))
                            goto LABEL_15;
                    }

                    // Shared failure exit
LABEL_64:
                    v40 = pMib;
                    goto LABEL_67;
                }

LABEL_15:
                *(_DWORD *)((char *)&unk_4DF80 + v8 + 20) = 47;

                if (!sub_207C((char *)&unk_4DFA0 + v8, 51, 8))
                    goto LABEL_63;

                v12 = 0;

                if (*(_BYTE *)(v7 + pMib + 3120))
                {
                    v13 = 0;

                    do
                    {
                        v14 = sub_2194((char *)&unk_4DFA0 + v8, v7 + v13 + pMib + 3121);
                        ++v12;
                        v13 += 51;

                        if (!v14)
                            goto LABEL_64;
                    }
                    while (v12 < *(unsigned __int8 *)(v7 + pMib + 3120));
                }

                ++v6;
                *(_DWORD *)((char *)&unk_4DFA0 + v8 + 20) = 51;
                v8 += 32;
                v7 += 2634;
            }
            while (v6 <= 0);

            // Process the remaining configuration tables
            if (!sub_207C(&unk_4DFE0, 96, 24))
                goto LABEL_63;

            v15 = 0;

            if (*(_BYTE *)(pMib + 4270))
            {
                v16 = 0;

                while (1)
                {
                    v17 = sub_2194(319456, pMib + v16 + 4271);
                    ++v15;
                    v16 += 96;

                    if (!v17)
                        break;

                    if (v15 >= *(unsigned __int8 *)(pMib + 4270))
                        goto LABEL_26;
                }

LABEL_65:
                v40 = pMib;
                goto LABEL_67;
            }

LABEL_26:
            dword_4DFF4 = 56;

            if (!sub_207C(&unk_4E000, 28, 34))
                goto LABEL_63;

            v18 = 0;

            if (*(_BYTE *)(pMib + 6576))
            {
                v19 = 0;

                do
                {
                    v20 = sub_2194(319488, pMib + v19 + 6577);
                    ++v18;
                    v19 += 28;

                    if (!v20)
                        goto LABEL_65;
                }
                while (v18 < *(unsigned __int8 *)(pMib + 6576));
            }

            dword_4E014 = 28;

            if (!sub_207C(&unk_4E080, 88, 24))
                goto LABEL_63;

            v21 = 0;

            if (*(_BYTE *)(pMib + 7530))
            {
                v22 = 0;

                do
                {
                    v23 = sub_2194(319616, pMib + v22 + 7531);
                    ++v21;
                    v22 += 88;

                    if (!v23)
                        goto LABEL_65;
                }
                while (v21 < *(unsigned __int8 *)(pMib + 7530));
            }

            dword_4E094 = 48;

            if (!sub_207C(&dword_4E120, 82, 24))
                goto LABEL_63;

            v24 = 0;

            if (*(_BYTE *)(pMib + 14062))
            {
                v25 = 0;

                do
                {
                    v26 = sub_2194(319776, pMib + v25 + 14063);
                    ++v24;
                    v25 += 82;

                    if (!v26)
                        goto LABEL_65;
                }
                while (v24 < *(unsigned __int8 *)(pMib + 14062));
            }

            dword_4E134 = 82;

            if (!sub_207C(&unk_4E0A0, 184, 24))
                goto LABEL_63;

            v27 = 0;

            if (*(_BYTE *)(pMib + 9644))
            {
                v28 = 0;

                do
                {
                    v29 = sub_2194(319648, pMib + v28 + 9645);
                    ++v27;
                    v28 += 184;

                    if (!v29)
                        goto LABEL_65;
                }
                while (v27 < *(unsigned __int8 *)(pMib + 9644));
            }

            dword_4E0B4 = 184;

            if (!sub_207C(&unk_4E160, 57, 16))
                goto LABEL_63;

            v30 = 0;

            if (*(_BYTE *)(pMib + 16037))
            {
                v31 = 0;

                do
                {
                    v32 = sub_2194(319840, pMib + v31 + 16038);
                    ++v30;
                    v31 += 57;

                    if (!v32)
                        goto LABEL_65;
                }
                while (v30 < *(unsigned __int8 *)(pMib + 16037));
            }

            dword_4E174 = 57;

            if (!sub_207C(&unk_4E0E0, 78, 50))
                goto LABEL_63;

            v33 = 0;

            if (*(_BYTE *)(pMib + 16951))
            {
                v34 = 0;

                do
                {
                    v35 = sub_2194(319712, pMib + v34 + 16952);
                    ++v33;
                    v34 += 78;

                    if (!v35)
                        goto LABEL_65;
                }
                while (v33 < *(unsigned __int8 *)(pMib + 16951));
            }

            dword_4E0F4 = 44;
            sub_207C(&unk_4E180, 44, 24);

            v36 = 0;

            if (*(_BYTE *)(pMib + 22))
            {
                v37 = 0;

                do
                {
                    sub_2194(319872, pMib + v37 + 23);
                    ++v36;
                    v37 += 44;
                }
                while (v36 < *(unsigned __int8 *)(pMib + 22));
            }

            dword_4E194 = 4;
            sub_207C(&unk_4E1A0, 6, 32);

            v38 = 0;

            if (*(_BYTE *)(pMib + 23641))
            {
                v39 = 0;

                do
                {
                    sub_2194(319904, pMib + v39 + 23449);
                    ++v38;
                    v39 += 6;
                }
                while (v38 < *(unsigned __int8 *)(pMib + 23641));
            }

            dword_4E1B4 = 6;

            // Last table: on failure fall into the shared failure exit
            if (!sub_207C(&unk_4E140, 32, 32))
            {
LABEL_63:
                v40 = pMib;
                goto LABEL_67;
            }

            v41 = 0;

            // Walk the entries of the last table
            for (i = *(unsigned __int8 *)(pMib + 21701); i; i = v41 < *(unsigned __int8 *)(pMib + 21701))
            {
                if (!sub_2194(319808, pMib + 32 * v41++ + 21702))
                {
                    v40 = pMib;
                    goto LABEL_67;
                }
            }

            dword_4E154 = 26;
            memset(&WizMib, 0, 1042);
            pWizMib = (int)&WizMib;

            // Synchronise the wizard settings to flash
            Wizard_Sync_Flash();
            return 1; // initialisation succeeded
        }
    }

    return v0; // initialisation result
}

3. Conclusion

This function does not affect fuzzing, so we can simply forge its return value as 1 and let the program continue along its normal path.

5. Hijacking apmib_init with a fake implementation

1. The fake function

#include <stdio.h>
#include <stdlib.h>

// Fake apmib_init: skip the real MIB initialisation and report success
int apmib_init(void)
{
    // fake
    return 1;
}

2. Compiling the fake function

1. Install the mips-linux-gnu-gcc cross compiler

sudo apt-get update
sudo apt-get install gcc-mips-linux-gnu

2. Cross-compile

mips-linux-gnu-gcc -Wall -fPIC -shared apmib.c -o apmib-ld.so

This packages the function we want to hijack with into apmib-ld.so.

[screenshot]

3. Hijacking with LD_PRELOAD

Load apmib-ld.so through the LD_PRELOAD environment variable so that it takes the place of apmib_init() from the firmware's apmib shared library.

1. How LD_PRELOAD works

1. Load order

When the program starts, the dynamic linker loads the shared libraries named in LD_PRELOAD before the program's other libraries.

2. Symbol override

Because the dynamic linker searches the LD_PRELOAD libraries first when resolving a symbol, a function defined there shadows the same-named function in the original library. Only symbols resolved by the dynamic linker are affected: a statically linked binary, or a symbol bound at link time (hidden visibility, -Bsymbolic), cannot be hooked this way.

2. Running with the hook

sudo chroot ./ ./qemu-mips-static -E LD_PRELOAD="/apmib-ld.so" ./bin/boa

4. The hook takes effect

iot@research:~/Desktop/iot-cve/_dir605L_FW_113.bin.extracted/squashfs-root-0$ sudo chroot ./ ./qemu-mips-static -E LD_PRELOAD="/apmib-ld.so" ./bin/boa
Create chklist file error!
Create chklist file error!
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Segmentation fault
[screenshot]

6. Analysing the new error

1. Static analysis in IDA

Search for the error string to locate where it is printed:

[screenshot]

Follow the references upward to find why the error path is taken:

[screenshot]

Statically we cannot see what actually causes the failure here, so we switch to dynamic debugging.

2. Dynamic debugging with gdb

Remote debugging from IDA also works, but gdb is more convenient.

1. Commands

Start the emulation with a gdb stub listening on a port:

sudo chroot ./ ./qemu-mips-static -E LD_PRELOAD="/apmib-ld.so" -g 1234 ./bin/boa

Connect with gdb:

gdb-multiarch
target remote :1234

2. Error

[screenshot]

It stopped at this address and I could not tell why; looking around showed nothing useful. Another pitfall.

3. Handling the error

The binary has to be loaded into gdb explicitly, otherwise pwndbg cannot map this location back to the file.

The commands should therefore be:

gdb-multiarch
file boa
target remote :1234

[screenshot]

After that, debugging works.

4. Stepping through

qemu disables ASLR by default, so we can set breakpoints directly on the addresses shown in IDA and run:

[screenshot]

5. Locating the key library function

Combining the location where the gdb session crashed and exited with the corresponding IDA address, we can determine that apmib_get is the function that terminates the process.

[screenshot]

6. Analysing apmib_get the same way

Locate apmib_get in IDA:

int __fastcall apmib_get(int a1, unsigned __int8 *a2)
{
    int v2; // saved copy of a1 (the MIB id)
    int v3; // saved copy of the global vwlan_idx
    int v5; // temporary
    char *v6; // temporary pointer (table base)
    int *v7; // temporary pointer
    BOOL v8; // temporary boolean
    int v9; // computed record base address
    unsigned __int8 *v10; // temporary pointer
    int v11; // temporary
    int v12; // temporary
    char *v13; // temporary pointer (table entry)
    unsigned int v14; // temporary (entry type)
    unsigned __int8 *v15; // temporary pointer
    int v16; // temporary
    int v17; // temporary
    int v18; // temporary
    unsigned int v19; // temporary
    unsigned int v20; // temporary
    int v21; // temporary
    char *v22; // temporary pointer
    int v23; // temporary
    int *v24; // temporary pointer
    int v26; // result of the table lookup

    v2 = a1; // save a1
    v3 = vwlan_idx; // save vwlan_idx
    if (a1 == 500)
    {
        if (boot_ver) // if boot_ver is non-empty
            strcpy(a2, &boot_ver); // copy boot_ver into a2
        else
            *a2 = 0; // otherwise return an empty string
        return 0; // return 0
    }
    if (sub_22D0(a1, &mib_table, &v26)) // look the id up in mib_table
    {
        v6 = (char *)&mib_table;
        v7 = &pMib;
LABEL_76:
        v9 = *v7; // record base is the table's data block
        goto LABEL_79;
    }
    if (sub_22D0(v2, mib_wlan_table, &v26)) // look the id up in mib_wlan_table
    {
        if (vwlan_idx > 0)
        {
            if (v2 == 20)
            {
                v2 = 616;
            }
            else if (v2 >= 21)
            {
                if (v2 == 32)
                {
                    v2 = 624;
                }
                else if (v2 >= 33)
                {
                    if (v2 == 35)
                    {
                        v2 = 630;
                    }
                    else if (v2 >= 36)
                    {
                        if (v2 == 38)
                        {
                            v2 = 620;
                        }
                        else if (v2 >= 39)
                        {
                            if (v2 == 81)
                                v2 = 633;
                        }
                        else if (v2 == 36)
                        {
                            v2 = 623;
                        }
                    }
                    else if (v2 == 33)
                    {
                        v2 = 625;
                    }
                    else
                    {
                        v2 = 626;
                    }
                }
                else if (v2 == 28)
                {
                    v2 = 618;
                }
                else if (v2 >= 29)
                {
                    v8 = v2 < 31;
                    if (v2 == 30)
                    {
                        v2 = 621;
                    }
                    else
                    {
                        v2 = 622;
                        if (v8)
                            v2 = 619;
                    }
                }
                else if (v2 == 22)
                {
                    v2 = 639;
                }
                else if (v2 == 25)
                {
                    v2 = 637;
                }
            }
            else if (v2 == 7)
            {
                v2 = 644;
            }
            else if (v2 >= 8)
            {
                if (v2 == 10)
                {
                    v2 = 646;
                }
                else if (v2 >= 11)
                {
                    if (v2 == 12)
                    {
                        v2 = 634;
                    }
                    else if (v2 < 12)
                    {
                        v2 = 647;
                    }
                    else if (v2 == 13)
                    {
                        v2 = 615;
                    }
                }
                else if (v2 == 8)
                {
                    v2 = 614;
                }
                else
                {
                    v2 = 645;
                }
            }
            else if (v2 == 4)
            {
                v2 = 613;
            }
            else if (v2 >= 5)
            {
                if (v2 == 5)
                    v2 = 642;
                else
                    v2 = 643;
            }
            else if (v2 == 1)
            {
                v2 = 609;
            }
            else if (v2 == 3)
            {
                v2 = 612;
            }
            sub_22D0(v2, mib_wlan_table, &v26); // look up the remapped id
            vwlan_idx = 0; // reset vwlan_idx
        }
        v6 = (char *)mib_wlan_table; // table base
        v9 = pMib + 2634 * wlan_idx + 1457; // per-WLAN record base
        if (v2 == 303)
        {
            strcpy(a2, v9 + mib_wlan_table[12 * v26 + 10]); // copy the string
            if (!memcmp(a2, dword_8CD0, 8)) // compare memory
            {
                sub_22D0(214, hwmib_table, &v26); // look up id 214 in hwmib_table
                v10 = a2;
                v11 = pHwSetting + hwmib_table[12 * v26 + 10];
LABEL_119:
                v2 = 214;
                strcpy(v10, v11); // copy the string
                goto LABEL_141;
            }
        }
    }
    else
    {
        if (sub_22D0(v2, hwmib_table, &v26))
        {
            v6 = (char *)hwmib_table;
            v7 = &pHwSetting;
            goto LABEL_76;
        }
        v12 = sub_22D0(v2, hwmib_wlan_table, &v26);
        v5 = 0;
        if (!v12)
            return v5;
        v6 = (char *)hwmib_wlan_table;
        v9 = pHwSetting + 1152 * wlan_idx + 13;
    }
LABEL_79:
    v13 = &v6[48 * v26]; // table entry for this id
    v14 = *((_DWORD *)v13 + 9); // entry type
    if (v14 == 13)
    {
        v21 = *a2;
        v15 = a2;
        v24 = &dword_4E120;
        return sub_2310(v24, v15, v21); // call sub_2310
    }
    if (v14 >= 0xE)
    {
        if (v14 == 20)
        {
            v21 = *a2;
            v15 = a2;
            v22 = (char *)&unk_4DFA0;
            v23 = 32 * wlan_idx;
            goto LABEL_126;
        }
        if (v14 < 0x15)
        {
            if (v14 == 16)
            {
                v21 = *a2;
                v15 = a2;
                v24 = (int *)&unk_4E180;
                return sub_2310(v24, v15, v21); // call sub_2310
            }
            if (v14 < 0x11)
            {
                if (v14 == 14)
                {
                    v21 = *a2;
                    v15 = a2;
                    v24 = (int *)&unk_4E0A0;
                }
                else
                {
                    v15 = a2;
                    v21 = *a2;
                    v24 = (int *)&unk_4E140;
                }
                return sub_2310(v24, v15, v21); // call sub_2310
            }
            if (v14 != 18)
            {
                if (v14 == 19)
                    memcpy(a2, v9 + *((_DWORD *)v13 + 10), *((_DWORD *)v13 + 11)); // copy memory
                goto LABEL_141;
            }
LABEL_122:
            *(_DWORD *)a2 = _byteswap_ulong(*(_DWORD *)(v9 + *((_DWORD *)v13 + 10))); // byte swap
            goto LABEL_141;
        }
        if (v14 == 24)
        {
            v21 = *a2;
            v15 = a2;
            v24 = (int *)&unk_4E160;
            return sub_2310(v24, v15, v21); // call sub_2310
        }
        if (v14 >= 0x19)
        {
            if (v14 == 26)
            {
                v21 = *a2;
                v15 = a2;
                v24 = (int *)&unk_4E1A0;
                return sub_2310(v24, v15, v21); // call sub_2310
            }
            if (v14 < 0x1A)
            {
                v21 = *a2;
                v15 = a2;
                v24 = (int *)&unk_4E0C0;
                return sub_2310(v24, v15, v21); // call sub_2310
            }
            v15 = a2;
            if (v14 == 99)
            {
                v21 = *a2;
                v24 = (int *)&unk_4E0E0;
                return sub_2310(v24, v15, v21); // call sub_2310
            }
        }
        else
        {
            if (v14 == 21)
            {
                v21 = *a2;
                v15 = a2;
                v24 = (int *)&unk_4E000;
                return sub_2310(v24, v15, v21); // call sub_2310
            }
            v15 = a2;
            if (v14 == 22)
            {
                v21 = *a2;
                v24 = (int *)&unk_4DFE0;
                return sub_2310(v24, v15, v21); // call sub_2310
            }
        }
    }
    else
    {
        if (v14 == 5)
        {
            v18 = v9 + *((_DWORD *)v13 + 10);
            v19 = _byteswap_ulong(*(_DWORD *)(v18 + 4));
            v20 = _byteswap_ulong(*(_DWORD *)(v18 + 8));
            *(_DWORD *)a2 = _byteswap_ulong(*(_DWORD *)v18);
            *((_DWORD *)a2 + 1) = v19;
            *((_DWORD *)a2 + 2) = v20;
            a2[12] = *(_BYTE *)(v18 + 12);
            goto LABEL_141;
        }
        if (v14 < 6)
        {
            if (v14 != 2)
            {
                if (v14 >= 3)
                {
                    if (v14 == 3)
                    {
                        v16 = v9 + *((_DWORD *)v13 + 10);
                        *(_DWORD *)a2 = _byteswap_ulong(*(_DWORD *)v16);
                        a2[4] = *(_BYTE *)(v16 + 4);
                    }
                    else
                    {
                        v17 = v9 + *((_DWORD *)v13 + 10);
                        *(_DWORD *)a2 = _byteswap_ulong(*(_DWORD *)v17);
                        a2[4] = *(_BYTE *)(v17 + 4);
                        a2[5] = *(_BYTE *)(v17 + 5);
                    }
                }
                else if (v14)
                {
                    *(_DWORD *)a2 = *(unsigned __int16 *)(v9 + *((_DWORD *)v13 + 10));
                }
                else
                {
                    *(_DWORD *)a2 = *(unsigned __int8 *)(v9 + *((_DWORD *)v13 + 10));
                }
                goto LABEL_141;
            }
            strcpy(a2, v9 + *((_DWORD *)v13 + 10));
            if (v2 != 303 || *a2)
                goto LABEL_141;
            sub_22D0(214, hwmib_wlan_table, &v26);
            v11 = pHwSetting + 1152 * wlan_idx + 13 + hwmib_wlan_table[12 * v26 + 10];
            v10 = a2;
            goto LABEL_119;
        }
        if (v14 == 8)
        {
            v21 = *a2;
            v15 = a2;
            v24 = (int *)&unk_4DFC0;
            return sub_2310(v24, v15, v21); // call sub_2310
        }
        if (v14 < 9)
        {
            if (v14 != 6)
            {
                v15 = a2;
                v21 = *a2;
                v22 = (char *)&unk_4DF80;
                v23 = 32 * wlan_idx;
LABEL_126:
                v24 = (int *)&v22[v23];
                return sub_2310(v24, v15, v21); // call sub_2310
            }
            goto LABEL_122;
        }
        if (v14 == 10)
        {
            v21 = *a2;
            v15 = a2;
            v24 = (int *)&unk_4E060;
            return sub_2310(v24, v15, v21); // call sub_2310
        }
        if (v14 < 0xA)
        {
            v21 = *a2;
            v15 = a2;
            v24 = (int *)&unk_4E040;
            return sub_2310(v24, v15, v21); // call sub_2310
        }
        v15 = a2;
        if (v14 == 11)
        {
            v21 = *a2;
            v24 = (int *)&unk_4E080;
            return sub_2310(v24, v15, v21); // call sub_2310
        }
    }
LABEL_141:
    if (v3 != vwlan_idx) // if vwlan_idx was changed above
    {
        vwlan_idx = v3; // restore vwlan_idx
        if (v2 == 639)
        {
            if (*(_DWORD *)a2)
                *(_DWORD *)a2 = 0; // set to zero
            else
                *(_DWORD *)a2 = 1; // set to one
        }
    }
    return 1; // return 1
}

7. Hijacking apmib_get with a fake implementation

From the analysis of this function we forge three key cases to get past the checks.

Both hooks are compiled into the same library. For convenience while debugging, fork is hooked as well: returning 0 makes boa behave as the child, so it keeps running in the current process instead of in a forked one.

1. The fake functions

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

#define MIB_HW_VER  0x250
#define MIB_IP_ADDR 170
#define MIB_CAPTCHA 0x2C1

// Fake apmib_init: skip the real MIB initialisation and report success
int apmib_init(void)
{
    // fake
    return 1;
}

// Fake apmib_get: hand back fixed values for the three codes boa checks.
// Mirror the real function's convention (see the decompiled code above):
// 1 means success, so the caller's result check passes.
int apmib_get(int code, int *value)
{
    switch (code)
    {
    case MIB_HW_VER:
        *value = 0xF1;
        break;
    case MIB_IP_ADDR:
        *value = 0x7F000001;
        break;
    case MIB_CAPTCHA:
        *value = 1;
        break;
    }
    return 1;
}

// Fake fork: pretend to be the child so boa stays in this process
pid_t fork(void)
{
    return 0;
}
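The hook above works, but it silently returns whatever happens to be in the output buffer for every code it does not know, and it hides which codes boa actually asks for. As an added example (not the post's code), the same LD_PRELOAD technique from section 5 can be written as a forwarding hook: the three codes from the post are faked, every other code is passed to the real apmib_get found with dlsym(RTLD_NEXT), and each request is logged to stderr so the next crashing code shows up in the output instead of having to be guessed in gdb. It assumes the real function's signature is int apmib_get(int, void *) returning 1 on success, as the decompiled code suggests; build it with mips-linux-gnu-gcc -Wall -fPIC -shared -o apmib-ld.so hook.c -ldl.

```c
#define _GNU_SOURCE          /* for RTLD_NEXT in <dlfcn.h> */
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

/* RTLD_NEXT is a GNU extension; supply glibc's value if the header did not. */
#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l)
#endif

/* Weak reference so this file also builds as a plain test executable without -ldl.
   For the real apmib-ld.so, link with -ldl so dlsym is always available. */
#pragma weak dlsym

/* MIB codes taken from the post's hook. */
#define MIB_HW_VER  0x250
#define MIB_IP_ADDR 170
#define MIB_CAPTCHA 0x2C1

/* Assumed signature of the firmware's apmib_get: (id, output buffer) -> 1 ok / 0 fail. */
typedef int (*apmib_get_fn)(int code, void *value);

struct fake_entry { int code; unsigned int value; };

/* Codes that are always faked, whatever the real library would return. */
static const struct fake_entry fakes[] = {
    { MIB_HW_VER,  0xF1 },        /* hardware version */
    { MIB_IP_ADDR, 0x7F000001 },  /* 127.0.0.1 */
    { MIB_CAPTCHA, 1 },           /* captcha flag */
};

/* Resolve the apmib_get that comes after this library in the search order,
   i.e. the real one in the firmware's apmib library. NULL if there is none. */
static apmib_get_fn real_apmib_get(void)
{
    static apmib_get_fn real;
    static int resolved;
    if (!resolved) {
        resolved = 1;
        if (dlsym)   /* NULL only when built without libdl, e.g. as a unit test */
            real = (apmib_get_fn)dlsym(RTLD_NEXT, "apmib_get");
    }
    return real;
}

/* Same stub as in the post: skip the real MIB initialisation. */
int apmib_init(void)
{
    return 1;
}

/* Hooked apmib_get: fake the known codes, forward and log everything else. */
int apmib_get(int code, void *value)
{
    size_t i;
    for (i = 0; i < sizeof(fakes) / sizeof(fakes[0]); i++) {
        if (fakes[i].code == code) {
            memcpy(value, &fakes[i].value, sizeof(unsigned int));
            fprintf(stderr, "[hook] apmib_get(%d) faked -> 0x%x\n", code, fakes[i].value);
            return 1;
        }
    }
    apmib_get_fn real = real_apmib_get();
    if (!real) {
        fprintf(stderr, "[hook] apmib_get(%d): no real implementation, returning 0\n", code);
        return 0;
    }
    int rc = real(code, value);
    fprintf(stderr, "[hook] apmib_get(%d) forwarded -> rc=%d\n", code, rc);
    return rc;
}

/* Probe helper: the value apmib_get stores for a code, or 0xFFFFFFFF if it is not served. */
unsigned int hook_value(int code)
{
    unsigned int v = 0;
    return apmib_get(code, &v) ? v : 0xFFFFFFFFu;
}
```

The post's fork stub can be added to this file unchanged; with the log lines on stderr, the last "[hook]" line before a crash names the code that still needs a fake value.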

2. Compile with the same command as before

mips-linux-gnu-gcc -Wall -fPIC -shared apmib.c -o apmib-ld.so

[screenshot]

8. Running boa again

sudo chroot ./ ./qemu-mips-static -E LD_PRELOAD="/apmib-ld.so" ./bin/boa

[screenshot]
iot@research:~/Desktop/iot-cve/_dir605L_FW_113.bin.extracted/squashfs-root-0$ sudo chroot ./ ./qemu-mips-static -E LD_PRELOAD="/apmib-ld.so" ./bin/boa
[sudo] password for iot:
Create chklist file error!
Create chklist file error!
hard ver is
Create f/w version file error!
Create chklist file error!
boa: server version Boa/0.94.14rc21
boa: server built May 25 2012 at 13:03:21.
boa: starting server pid=7391, port 80
Unsupported ioctl: cmd=0x89f0
device ioctl:: Function not implemented
Unsupported ioctl: cmd=0x89f0
device ioctl:: Function not implemented
smart 404 ----------------------------------
killall: dnsmasq: no process killed
killall: proxyd: no process killed

dnsmasq: failed to seed the random number generator: No such file or directory

dnsmasq: failed to seed the random number generator: No such file or directory
iptables v1.2.6a: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.6a: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.6a: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.6a: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.6a: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
smart404 start ok.
Unsupported ioctl: cmd=0x89f0
device ioctl:: Function not implemented

boa starts successfully: the hooks work.
