释放双眼，带上耳机，听听看~！

0x00 漏洞信息

Tenda AC8V4 V16.03.34.06版本中存在一个堆栈溢出漏洞，该漏洞位于set_qosMib_list函数的list参数中。

漏洞严重性评分（CVSS）：未提供

指定的CNA（CVE编号分配机构）：MITRE公司

日期记录创建：2023年08月07日

参考链接：Tenda官方网站/GitHub上的相关信息

0x01 漏洞影响

影响版本：Tenda AC8V4 V16.03.34.06

0x02 固件模拟

固件下载：

https://www.tenda.com.cn/download/detail-3518.html

解压zip包后是bin文件。

US_AC8V4.0si_V16.03.34.06_cn_TDC01.bin

binwalk可以直接解压，结果为mipsel32 (mips小端序)。

cp /bin/qemu-mipsel-static ./ sudo chroot . ./qemu-mipsel-static ./bin/sh

模拟运行停在这里即可开始调试。

1.gdb调试

开始调试

 ./qemu-mipsel-static -g 1234 ./bin/httpdgdb-multiarch set arch mips set solib-search-path /your lib path file /your httpd path target remote 192.168.0.1:1234

调试发现程序在以下部分停止执行

  while ( 1 )  {    lan_ifname = ifaddrs_get_lan_ifname();    if ( ifaddrs_get_ifip(lan_ifname, v10) >= 0 )      break;    sleep(1u);  }

2.使用ida准备patch

查看汇编

li    $a0, 1           # secondsla    $v0, sleepnopmove    $t9, $v0jalr    $t9 ; sleepnoplw      $gp, 0x6B8+var_6A8($fp)b      loc_43ACECnop

将b loc_43ACEC改为nop

lan_ifname = ifaddrs_get_lan_ifname();if ( ifaddrs_get_ifip(lan_ifname, v10) < 0 )    sleep(1u);

保存(edit->patch program->apply)

└─$ sudo chroot . ./qemu-mipsel-static  ./bin/httpd        sh: can't create /proc/sys/kernel/core_pattern: nonexistent directory
 Yes:
       ****** WeLoveLinux****** 
  ****** Welcome to ****** connect: No such file or directory func:cfms_mib_proc_handle, line:191 connect cfmd is error.  connect: No such file or directory func:cfms_mib_proc_handle, line:191 connect cfmd is error.  connect: No such file or directory func:cfms_mib_proc_handle, line:191 connect cfmd is error.  connect: No such file or directory func:cfms_mib_proc_handle, line:191 connect cfmd is error.  connect: No such file or directory func:cfms_mib_proc_handle, line:191 connect cfmd is error.  connect: No such file or directory func:cfms_mib_proc_handle, line:191 connect cfmd is error.  connect: No such file or directory func:cfms_mib_proc_handle, line:191 connect cfmd is error.  connect: No such file or directory func:cfms_mib_proc_handle, line:191 connect cfmd is error.  sh: can't create /etc/httpd.pid: nonexistent directory sh: can't create /proc/sys/net/ipv4/tcp_timestamps: nonexistent directory [httpd][debug]----------------------------webs.c,158 bind: Address in use bind: Address in use bind: Address in use bind: Address in use bind: Address in use websOpenListen 253: Couldn't open a socket on ports 80 initWebs 511: websOpenServer failed main -> initWebs failed

3.修改网络配置错误

在is_lan_host中可以看到：

   v20.s_addr = ifaddrs_get_interface_addr("br0");   ifaddrs_get_if_netmask("br0", v17);

通过网络接口br0获取IP地址：

sudo ip link add br0 type bridge sudo ip link set dev br0 up sudo ip link set dev eth0 master br0 sudo ip address add 192.168.0.1/24 dev br0     sudo ip link set br0 up[httpd][debug]----------------------------webs.c,158 httpd listen ip = 192.168.0.1 port = 80 webs: Listening for HTTP requests at address 192.168.0.1

4.解决网页访问问题

此时网页无法正确访问，而网页访问方法为websSetDefaultDir()：

inet_aton(g_lan_ip, &in);strcpy(v6, off_504620);websSetDefaultDir(v6);

off_504620处数据为”/webroot”：

lrwxrwxrwx  1 kali kali       9 Nov  6 05:05 webroot -> /dev/null

发现webroot_ro里面有大量网页信息，但webroot为空，因此创建软链接解决网页访问问题：

rm -rf webrootln -s webroot_ro/ webroot

0x03 漏洞原理

formSetQosBand函数中将网络中list的参数传递给var，set_qosMib_list对var的数据进行分割。

在set_qosMib_list函数中：

根据上图猜测可以通过list达到栈溢出的效果，因此尝试进行漏洞复现：

0x0048d188 in set_qosMib_list ()(gdb) ni
Program received signal SIGSEGV, Segmentation fault.0x3ffc5038 in ?? ().text:0048D184 move    $t9, $v0.text:0048D188 bal     set_client_qos.text:0048D18C nop