Netgear Nighthawk R8300 upnpd PreAuth RCE: Reproduction Notes

Posted by Mr.Be1ieVe on Monday, October 19, 2020

Quiet aside: I really could not get the nvram part working; if any master is willing to help, please get in touch!

Environment

Firmware download address

md5sum

c3eb8f8c004d466796a05b4c60503162  R8300-V1.0.2.130_1.0.99.zip

binwalk

binwalk R8300-V1.0.2.130_1.0.99.chk 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
58            0x3A            TRX firmware header, little endian, image size: 32653312 bytes, CRC32: 0x5CEAB739, flags: 0x0, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0x21AB50, rootfs offset: 0x0
86            0x56            LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 5470272 bytes
2206602       0x21AB8A        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 30443160 bytes, 1650 inodes, blocksize: 131072 bytes, created: 2018-12-13 04:36:38

Locating upnpd

iot@attifyos ~/t/f/_/_R8300-V1.0.2.130_1.0.99.chk.extracted> cd squashfs-root/
iot@attifyos ~/t/f/_/_/squashfs-root> ls
bin/  etc/  media@  opt/   sbin/   sys/  usr/  www/
dev/  lib/  mnt/    proc/  share/  tmp/  var@
iot@attifyos ~/t/f/_/_/squashfs-root> find . -name upnpd
./usr/sbin/upnpd
iot@attifyos ~/t/f/_/_/squashfs-root> file ./usr/sbin/upnpd
./usr/sbin/upnpd: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-, stripped

Emulation with fat (Firmware Analysis Toolkit)

./fat.py R8300-V1.0.2.130_1.0.99.zip 

                               __           _
                              / _|         | |
                             | |_    __ _  | |_
                             |  _|  / _` | | __|
                             | |   | (_| | | |_
                             |_|    \__,_|  \__|

                Welcome to the Firmware Analysis Toolkit - v0.3
    Offensive IoT Exploitation Training http://bit.do/offensiveiotexploitation
                  By Attify - https://attify.com  | @attifyme
    
[+] Firmware: R8300-V1.0.2.130_1.0.99.zip
[+] Extracting the firmware...
[+] Image ID: 1
[+] Identifying architecture...
[+] Architecture: armel
[+] Building QEMU disk image...
[+] Setting up the network connection, please standby...
[+] Network interfaces: []
[+] All set! Press ENTER to run the firmware...
[+] When running, press Ctrl + A X to terminate qemu

Without an IP address and port, it generally cannot proceed automatically.

QEMU user-mode emulation

sudo chroot . ./qemu-arm-static  ./usr/sbin/upnpd
or
sudo chroot . ./qemu-arm-static --strace ./usr/sbin/upnpd

-strace QEMU_STRACE log system calls

33359 open("/var/run/upnpd.pid",O_RDWR|O_CREAT|O_TRUNC,0666) = -1 errno=2 (No such file or directory)

After looking at the file structure:

drwxr-xr-x  4 mrbelieve mrbelieve     4096 Oct 20 00:00 tmp
drwxrwxr-x 10 mrbelieve mrbelieve     4096 Dec 12  2018 usr
lrwxrwxrwx  1 mrbelieve mrbelieve        7 Dec 12  2018 var -> tmp/var
drwxr-xr-x  8 mrbelieve mrbelieve    24576 Dec 12  2018 www

This was fixed with mkdir -p ./tmp/var/run; running again prints a large number of

open("/dev/nvram",O_RDWR) = -1 errno=2 (No such file or directory)

or

/dev/nvram: No such file or directory
/dev/nvram: No such file or directory
/dev/nvram: No such file or directory
open: No such file or directory

All of these are NVRAM-related, and this error is commonly encountered when emulating IoT devices. NVRAM stores some of the device's configuration, which the program needs to read at runtime; because the corresponding peripheral is missing, it errors out. A common solution is to "hijack" the NVRAM read/write functions and provide the configuration in software.

There are many libraries online that emulate NVRAM behaviour in a similar way. The libnvram library provided by the Firmadyne framework supports many common APIs, has been adapted to many embedded devices, and also parses the firmware's default NVRAM configuration; its implementation is fairly elegant. With this library, usually only minor changes, or none at all, are needed to meet the requirements.

libnvram documentation. Once compiled, put it directly into squashfs-root.

Buildroot can be used to compile it; in make menuconfig remember to change "Target Architecture" to ARM (little endian), then finally run buildroot/output/host/usr/bin/arm-linux-gcc -Wall -fPIC -shared nvram.c -o libnvram.so.armel -nostdlib

The exact options come from libnvram's Makefile.
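An added illustration of the "hijack NVRAM" idea described above (this is my example, not Firmadyne's libnvram code): an in-memory key/value table stands in for the missing /dev/nvram, and constructed "key=value" defaults are loaded the way libnvram loads the firmware's own defaults. The key names and values are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration of the "hijack NVRAM" idea, not Firmadyne's libnvram:
 * an in-memory table stands in for the missing /dev/nvram and defaults are
 * loaded from "key=value" lines, as libnvram does from the firmware. */
#define NVRAM_MAX 64
struct nvram_entry { char key[64]; char val[128]; };
static struct nvram_entry nvram_table[NVRAM_MAX];
static int nvram_count;

/* Constructed defaults; real values come from the firmware's own config. */
static const char nvram_defaults[] =
    "lan_ipaddr=192.168.2.1\nlan_netmask=255.255.255.0\nupnpd_debug_level=0\n";

/* Stand-in for the firmware's nvram_set: overwrite if present, else append. */
int nvram_set(const char *key, const char *val) {
    int i = 0;
    while (i < nvram_count && strcmp(nvram_table[i].key, key) != 0) i++;
    if (i == NVRAM_MAX) return -1;                            /* table full */
    snprintf(nvram_table[i].key, sizeof nvram_table[i].key, "%s", key);
    snprintf(nvram_table[i].val, sizeof nvram_table[i].val, "%s", val);
    if (i == nvram_count) nvram_count++;
    return 0;
}

/* Stand-in for nvram_get: NULL for an unknown key (what the emulated upnpd trips over). */
const char *nvram_get(const char *key) {
    for (int i = 0; i < nvram_count; i++)
        if (strcmp(nvram_table[i].key, key) == 0) return nvram_table[i].val;
    return NULL;
}

/* Parse "key=value\n" lines into the table; returns the number loaded. */
int nvram_load_defaults(const char *text) {
    int loaded = 0;
    while (*text) {
        const char *nl = strchr(text, '\n'), *eq = strchr(text, '=');
        if (!nl) nl = text + strlen(text);
        if (eq && eq < nl) {
            char key[64], val[128];
            snprintf(key, sizeof key, "%.*s", (int)(eq - text), text);
            snprintf(val, sizeof val, "%.*s", (int)(nl - eq - 1), eq + 1);
            if (nvram_set(key, val) == 0) loaded++;
        }
        text = *nl ? nl + 1 : nl;
    }
    return loaded;
}
```

Every key the binary asks for must either exist in the defaults or be handled when nvram_get returns NULL; the upnpd_debug_level message in the log below is exactly such a lookup of a missing key.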

sem_lock: Triggering NVRAM initialization!
nvram_init: Initializing NVRAM...
sem_get: Unable to get semaphore key!
sem_lock: Unable to get semaphore!
sem_get: Unable to get semaphore key!
sem_unlock: Unable to get semaphore!
nvram_init: Unable to mount tmpfs on mount point /firmadyne/libnvram/!
sem_get: Unable to get semaphore key!
sem_lock: Unable to get semaphore!
sem_get: Unable to get semaphore key!
sem_unlock: Unable to get semaphore!
nvram_get_buf: Unable to open key: /firmadyne/libnvram/upnpd_debug_level!

Now the nvram configuration can be tuned.

And this is where I really could not get any further... it ultimately died on lan_ipaddr; nothing I set was right...

QEMU system-mode emulation

Too cumbersome: essentially it means bringing up a full virtual machine and then running the service inside it (and the VM is slow).

The following is on an Ubuntu 20 environment; it has not yet been tested successfully on AttifyOS.

Create a new tap interface and configure an IP address:

sudo tunctl -t tap0 -u `whoami`

sudo ifconfig tap0 192.168.2.1/24

The tap networking backend makes use of a tap networking device in the host. It offers very good performance and can be configured to create virtually any type of network topology. Unfortunately, it requires configuration of that network topology in the host which tends to be different depending on the operating system you are using.

Then put vmlinuz-3.2.0-4-vexpress, initrd.img-3.2.0-4-vexpress and debian_wheezy_armhf_standard.qcow2 into the current directory. Download address for these files:

armel and armhf

The ARM EABI (armel) port targets a range of older 32-bit ARM devices, particularly those used in NAS hardware and a variety of *plug computers. The newer ARM hard-float (armhf) port supports newer, more powerful 32-bit devices using version 7 of the ARM architecture specification.

qemu-system-arm -M vexpress-a9 -kernel vmlinuz-3.2.0-4-vexpress -initrd initrd.img-3.2.0-4-vexpress -drive if=sd,file=debian_wheezy_armhf_standard.qcow2 -append "root=/dev/mmcblk0p2" -net nic -net tap,ifname=tap0,script=no,downscript=no -nographic

About root=/dev/mmcblk0p2: when I tried putting the folder directly into the image it would not boot... My workaround was to boot it as above and then transfer the folder in with scp.

scp -r ./squashfs-root root@192.168.2.2:/home/user/squashfs-root

Wait...

After boot:

  • Root password: root
  • User account: user
  • User password: user
root@debian-armhf:/home/user# ifconfig eth0 192.168.2.2/24
root@debian-armhf:/home/user# ifconfig
eth0      Link encap:Ethernet  HWaddr 52:54:00:12:34:56  
          inet addr:192.168.2.2  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:ff:fe12:3456/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:2178 (2.1 KiB)
          Interrupt:47 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
root@debian-armhf:/home/user# id
uid=0(root) gid=0(root) groups=0(root)
root@debian-armhf:/home/user# mount -t proc /proc ./squashfs-root/proc
root@debian-armhf:/home/user# mount -o bind /dev ./squashfs-root/dev
root@debian-armhf:/home/user# chroot ./squashfs-root/ sh # after switching root, run the sh shell from the new directory tree


BusyBox v1.7.2 (2018-12-13 12:34:27 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

uid=0 gid=0(root)

PS: after chroot, the system reads the directories and files under the new root, that is, the firmware's directories and files. chroot does not switch /dev and /proc by default, so these two directories need to be mounted before switching root.

-v, --invert-match        select non-matching lines

It exited without printing anything.

==How did I work out that it was an open() problem in the first place...==

After creating /var/run, it prints:

/dev/nvram: No such file or directory
/dev/nvram: No such file or directory
/dev/nvram: No such file or directory
/dev/nvram: No such file or directory
/dev/nvram: No such file or directory
/dev/nvram: No such file or directory
/dev/nvram: No such file or directory
/dev/nvram: No such file or directory
/dev/nvram: No such file or directory
/dev/nvram: No such file or directory

Analysis references

Analysis summary

The role of the PC register in ARM

The Program Counter stores the address of the next program instruction. In sequential execution it holds the current address + 4.

The rasm2 tool can translate assembly instructions into machine code.

Example:

0030a0e1

This can then be used in IDA via Patch program - Change byte.

Pay extra attention to the more dangerous functions

strcpy, etc.

When strcpy copies with a length n, if n < the length of src, only the first n characters of src are copied into the first n bytes of dest and no \x00 is appended automatically. If src is shorter than n, dest is padded with \x00 until the copy is complete.
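An added example (mine, not from the post) that exercises both cases described above on a constructed 8-byte buffer; the n-bounded copy in question is strncpy. A bounded copy that always terminates is included beside it, since an unterminated buffer is what turns the first case into an over-read or overflow later on.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the post): the two strncpy cases the note above
 * describes, plus a helper that always leaves dest NUL-terminated. */
static char scratch[8];   /* constructed 8-byte destination buffer */

/* Returns 1 if dest[0..n-1] contains a NUL, 0 if strncpy left it unterminated. */
int strncpy_terminated(char *dest, size_t n, const char *src) {
    strncpy(dest, src, n);
    return memchr(dest, '\0', n) != NULL;
}

/* Counts the trailing NUL padding strncpy added for a short src. */
size_t strncpy_padding(char *dest, size_t n, const char *src) {
    strncpy(dest, src, n);
    size_t pad = 0;
    for (size_t i = n; i > 0 && dest[i - 1] == '\0'; i--) pad++;
    return pad;
}

/* Hardened copy: never writes more than n bytes and always NUL-terminates;
 * returns 1 if src fit entirely, 0 if it was truncated. */
int copy_bounded(char *dest, size_t n, const char *src) {
    if (n == 0) return 0;
    size_t len = strlen(src);
    size_t copy = len < n - 1 ? len : n - 1;
    memcpy(dest, src, copy);
    dest[copy] = '\0';
    return len < n;
}

int main(void) {
    /* src longer than n: no terminator, so the buffer is not a C string */
    printf("terminated: %d\n", strncpy_terminated(scratch, sizeof scratch, "192.168.2.100"));
    /* src shorter than n: the remaining bytes are padded with \0 */
    printf("padding: %zu\n", strncpy_padding(scratch, sizeof scratch, "eth0"));
    printf("fit: %d -> %s\n", copy_bounded(scratch, sizeof scratch, "192.168.2.100"), scratch);
    return 0;
}
```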

Uninitialized memory

The path between the function and the vulnerable point is short

Data on the stack does not change much, so the padded ROP gadgets can be reused

After an ARM stack overflow it seems possible to overwrite all the way through n registers (to be confirmed in detail)

References

Analysis references

QEMU section references
