Reviewing Netgear WNR2200 Heap Overflow
0x00 Preface
Although the security protection on routers is relatively poor, it is also necessary to learn some attack surfaces and how to exploit them on different platforms. Porting exploits to a Netgear WNR2200 is an example of using the exp in MSF to compromise easily the router with old version samba. While the cross platform exploitation has been completed, it can be known that the function pointer of the structure is covered due to a heap overflow, with the executable permissions and brute force on the heap, the shellcode in different architectures is carried out. There is a Netgear WNR2200 on in my hand, and the firmware version is the same as the one in the text. Therefore, it is a good chance to analyze the exploitation of CVE-2007-2446 on the router.
0x01 Environment preparation
Unpacking the firmware
There are some obstructions during the firmware unpacking in the original article, but the newer binwalk in Kali hasn’t pressure at all:
Obtaining the shell
If you are too lazy like me to find out the serial port, let’s explore whether the router will start the telnet related process or not:
The method of opening telnet service is given: turning on the router debug mode and sending a specific package to telnetenable process. I am always curious about everything with my IDA, it can be seen that 23 port of UDP is binded, and the payload is filled. It is only after the correct compare that the utelnetd will be started:
The original telenetenable script seems to be useless, but the excellent elder has made corresponding modifications, which is worth learning:
Setting up Samba
The friends who understand Samba know that some configuration jobs have to be done before starting it. I happen to have a same router, so it’s natural to plug in the U disk and set up a shared folder by Samba process:
If you use QEMU to simulate samba, you have to run the /etc/init.d/samba
script to boot service, which I won’t talk about more in the article.
If you like x86 instead of mipsbe, compiling and installing by yourself is helpful for subsequent analysis and exploitation.
0x02 Analysis
You can see that the version of the smbd is 3.0.24 and the Linux kernel version is relatively low and old in the shell, and the author has ported the ‘lsa_io_trans_names’Heap Overflow vulnerability. Owing to the rare analysis of the vulnerability in the Internet, there should be a meal.
At the beginning of the analysis I went into the misunderstanding and always wanted to understand the content or specification of the samba, dcerpc, LSA protocol in exploitation. In fact, the complex process in exploitation could cover up the real vulnerabilities. Under the xd_xd shifu’s reveal, we can see the vulnerability more clearly through its patch, in which the num_entries and num_entries2 fields are compared and unified:
Being combined with the vulnerability function lsa_io_trans_names, the source code will be more clear. Num_entries and num_entries2 are our controlled fields in the protocol, which assigns num_entries LSA_TRANS_NAME structure size memory, and then writes the structure from network stream to memory in a num_entries2 times loop. If num_entries2 is larger than num_entries, the metadata of second allocated heap trn->uni_name
will be overwritten:
As luck would have it, samba uses a custom heap allocator, talloc, which adds a number of meta information to make up a new metadata. It also contains a function pointer that will be called when the heap is being freed:
The things after hijacking pc by overriding are routine. If you are still crazy about the protocol, it is more efficient to read the source code and capture the traffic to analysis at the same time. The connection and login operation based on the samba protocol are no need to explain, binding handle to generate dcerpc, then calling LsarOpenPolicy to open a context handle, finally, calling LsarLookupSids to convert Sids to name ports to the vulnerability function. In general, the relationship between several agreements is the following:
0x03 Exploit
Before we debug the vulnerability, let’s take a look at the relevant security mechanism. Although ASLR in the system is 1, its memory distribution is unchanged even after rebooting the system, and the heap has executable permission:
Samba forks sub process for each connection, the memory layout is the same and the crash does not affect the parent process. After the coverage of the function pointer, we can jump to the executable heap, the heap also has the shellcode that we carry in the package, but we don’t know which address the shellcode is on. Nop sled and brute force are used to trigger the shellcode in the exploitation.
At first, I wanted to debug the overflow on the router remotely, but it was found that the router’s system might not support fork debugging and could not be interrupted in the sub process. In fact, we don’t have to stick at a platform using the same exploitation, so I will debug on the lovely Ubuntu.
After setting the breakpoint on lsa_io_trans_names
and target on Ubuntu, the processing of packets can be seen during the exploitation:
After calling second PRS_ALLOC_MEM
, let’s look at the second talloc_chunk header (16 bytes alignment). We can use the \x70\xec\x14\xe8
flags value in exploitation as the location reference, at this time the function pointer is 0:
After writing the memory num_entries2 times, the function pointer in the metadata of header is covered with 0x08352000
in the exploitation. It is more interesting that the next
and prev
covered with 0x41414141
would cause an exception in the article, but MSF has no problem with the script that has been modified to 0x00000000
; The place that is 0x50505050
is changed to 0x00005050
, it is no harm because of some aligned operations:
After calling smb_io_unistr2
, it will return 0 to make lsa_io_trans_names2
return False directly:
After contine instruction, the function pointer will be called in the talloc free process:
The heap address is left to brute force beacuse of the mines on it:
The router is the mips bigend environment, MSF is also very considerate for us to prepare the mipsbe/better
NOP and rebound shell payload, it is more magical that the heap address scope on mips platform is added to brute force, which may be the author’s masterpiece:
Get road with code, get shell with dream:
0x04 Conclusion
- The exploit way in the article also gives us a new IoT security audit point: pay attention to the historical vulnerability of old version service; the use of the samba protocol in the IoT device is also noteworthy.
- There is a
\xe9
jump in the exploitation, we need to think about the intention here. - Smbd can be interrupted by using QEMU according to the original method.