Reproducing the Huawei HG532 router vulnerability
Vulnerability analysis
The component at fault this time is the upnp program.
home/oit/Downloads/_router HG532e.rar-0.extracted/_HG532eV100R001C01B020_upgrade_packet.bin.extracted/squashfs-root/bin [oit@ubuntu] [18:36]
> file upnp
upnp: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked (uses shared libs), corrupted section header size
It is a 32-bit big-endian MIPS binary.
UPnP is a set of network protocols promoted by the UPnP™ Forum. Its goal is to let the various devices on home networks (data sharing, communication and entertainment) and corporate networks connect to each other seamlessly, and to simplify the implementation of such networks.
Load it into IDA for analysis.
LOAD:004074FC la $a1, aNewstatusurl # "NewStatusURL"
LOAD:00407500 move $a2, $zero
LOAD:00407504 jalr $t9 ; ATP_XML_GetChildNodeByName
LOAD:00407508 addiu $a3, $sp, 0x24
LOAD:0040750C lw $gp, 0x18($sp)
LOAD:00407510 bnez $v0, loc_407564
LOAD:00407514 move $s1, $v0
LOAD:00407518 lw $v0, 0x24($sp)
LOAD:0040751C nop
LOAD:00407520 beqz $v0, loc_407564
LOAD:00407524 addiu $s0, $sp, 0x28
LOAD:00407528 la $t9, snprintf
LOAD:0040752C lw $a3, 0x20($sp)
LOAD:00407530 la $a2, aUpgGUST1Firmwa # "upg -g -U %s -t '1 Firmware Upgrade Ima"...
LOAD:00407538 move $a0, $s0
LOAD:0040753C li $a1, 0x400
LOAD:00407540 jalr $t9 ; snprintf
LOAD:00407544 sw $v0, 0x10($sp)
LOAD:00407548 lw $gp, 0x18($sp)
LOAD:0040754C nop
LOAD:004075
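The listing above shows the NewStatusURL value being looked up from the request with ATP_XML_GetChildNodeByName and formatted straight into an `upg -g -U %s ...` command line by snprintf, so whatever the client sends lands unfiltered in that string. As an added example (not the firmware's code), the following Python shows the allowlist check and argv-based invocation a hardened handler would apply to that value; the request wrapper and the `-t` argument are constructed or placeholders, since the real ones are not fully present on the page.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed minimal request body of the shape the upnp daemon parses; only the
# NewStatusURL child node comes from the listing above, the wrapper is made up.
SOAP_TEMPLATE = (
    '<?xml version="1.0"?>'
    "<Envelope><Body><Request>"
    "<NewStatusURL>%s</NewStatusURL>"
    "</Request></Body></Envelope>"
)

# Placeholder: the real -t argument is truncated in the listing above.
UPGRADE_TYPE = "<upgrade-type placeholder>"

# Characters that would let a value break out of a shell command line.
SHELL_META = set(" \t\r\n;|&$`'\"<>()[]{}\\*")


def make_request(url):
    """Build a sample request body (constructed, not captured from a device)."""
    return SOAP_TEMPLATE % url


def extract_status_url(body):
    """Mirror of the ATP_XML_GetChildNodeByName lookup: return the text of the
    first NewStatusURL node, or None when it is absent."""
    node = ET.fromstring(body).find(".//NewStatusURL")
    return None if node is None else (node.text or "")


def is_safe_status_url(value):
    """Allowlist check: bounded length, http(s) scheme with a host, and none of
    the shell metacharacters that the raw snprintf path would pass through."""
    if value is None or len(value) > 256 or any(c in SHELL_META for c in value):
        return False
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def build_upg_argv(body):
    """Hardened counterpart of the snprintf call: validate the value, then
    return the upg invocation as an argv list so no shell ever parses it.
    Returns None when the request is rejected."""
    url = extract_status_url(body)
    if not is_safe_status_url(url):
        return None
    return ["upg", "-g", "-U", url, "-t", UPGRADE_TYPE]
```

Logging the rejected value alongside the source address gives a usable detection signal for attempts against this handler.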