Related Vulnerability
Title: NETGEAR R6700v3 authorization issue vulnerability (CVE-2022-27646)
Description: NETGEAR R6700v3 is a router made by the US company NETGEAR, a hardware device that connects two or more networks and acts as a gateway between them. NETGEAR R6700v3 version 1.0.4.120_10.0.91 contains an authorization issue vulnerability. An attacker can exploit it with a specially crafted circleinfo.txt file to trigger a fixed-length stack-based buffer overflow and then execute code as root.
Description
Demonstrate some functionalities of Morion by generating an exploit for CVE-2022-27646 (stack buffer overflow on Netgear R6700v3 routers).
Introduction
# Exploiting a Stack Buffer Overflow on the NETGEAR R6700v3 (CVE-2022-27646) with the Help of Symbolic Execution
## Introduction
This repository is intended to demonstrate some functionalities of
[Morion](https://github.com/cyber-defence-campus/morion), a proof-of-concept (PoC) tool to
experiment with **symbolic execution** on real-world (ARMv7) binaries. We show some of
[Morion](https://github.com/cyber-defence-campus/morion)'s capabilities by giving a concrete
example, namely, how it can assist during the process of creating a working
**exploit for CVE-2022-27646** - a stack buffer overflow vulnerability in NETGEAR R6700v3 routers
(affected version 1.0.4.120_10.0.91, fixed in later versions).
The repository contains all **files** (under [firmware](./firmware/), [libcircled](./libcircled/),
[morion](./morion/) and [server](./server/)) needed to follow along (e.g. scripts to emulate the
vulnerable ARMv7 binary) and reproduce the discussed steps of how to use
[Morion](https://github.com/cyber-defence-campus/morion). The **documentation**
(under [docs](./docs/) and [logs](./logs/)), to demonstrate
[Morion](https://github.com/cyber-defence-campus/morion)'s workings, contains the following
chapters:
1. [Setup](docs/1_setup.md) - Explains how to set up the analysis system (running *Morion*) and the
target system (running the target binary *circled*).
2. [Emulation](docs/2_emulation.md) - Explains how to emulate the vulnerable target binary.
3. [Tracing](docs/3_tracing.md) - Explains how to record a concrete execution trace of the target
binary using *Morion*.
4. [Symbolic Execution](docs/4_symbex.md) - Explains how to use *Morion* for analyzing the recorded
trace symbolically.
5. [Vulnerability CVE-2022-27646](docs/5_vulnerability.md) - Provides some background information to
the targeted vulnerability.
6. [Exploitation](docs/6_exploitation.md) - Explains how *Morion* can assist during the process of
crafting an exploit.
## References
- Morion PoC Tool:
  - https://github.com/cyber-defence-campus/morion
- Defeating the NETGEAR R6700v3:
  - https://www.synacktiv.com/en/publications/pwn2own-austin-2021-defeating-the-netgear-r6700v3.html
- Emulating, Debugging and Exploiting NETGEAR R6700v3 *circled* Binary:
  - https://medium.com/@INTfinity/1-1-emulating-netgear-r6700v3-circled-binary-cve-2022-27644-cve-2022-27646-part-1-5bab391c91f2
  - https://medium.com/@INTfinity/1-2-emulating-netgear-r6700v3-circled-binary-cve-2022-27644-cve-2022-27646-part-2-cf1571493117
  - https://medium.com/@INTfinity/1-3-exploiting-and-debugging-netgear-r6700v3-circled-binary-cve-2022-27644-cve-2022-27646-a80dbaf1245d
- NVRAM Emulator:
  - https://github.com/firmadyne/libnvram
- Ready-to-Use Cross-Compilation Toolchains:
  - https://toolchains.bootlin.com/
- Other Tools:
  - https://github.com/ReFirmLabs/binwalk
  - https://github.com/pwndbg/pwndbg
  - https://github.com/slimm609/checksec.sh
  - https://github.com/sashs/Ropper
  - https://github.com/JonathanSalwan/ROPgadget
## Authors
- [Damian Pfammatter](https://github.com/pdamian), [Cyber-Defense Campus (ar S+T)](https://www.cydcampus.admin.ch/)
File Snapshot
```
[4.0K] /data/pocs/d1c8a562aab6611d8786f34e600cd7feacde5e7d
├── [4.0K] docs
│   ├── [3.3K] 1_setup.md
│   ├── [4.4K] 2_emulation.md
│   ├── [ 24K] 3_tracing.md
│   ├── [ 23K] 4_symbex.md
│   ├── [7.4K] 5_vulnerability.md
│   └── [ 44K] 6_exploitation.md
├── [4.0K] firmware
│   ├── [4.0K] bins
│   │   ├── [5.7M] gdbserver
│   │   ├── [7.0K] libcircled.so
│   │   └── [ 31K] libnvram.so
│   ├── [1.3K] circled.driver.sh
│   ├── [1.2K] circled.patch.py
│   └── [ 45M] R6700v3-V1.0.4.120_10.0.91.zip
├── [4.0K] images
│   ├── [111K] Memory_Layout-PoV.svg
│   ├── [260K] Morion_Overview.svg
│   ├── [ 71K] RE_Vuln_01.svg
│   ├── [130K] RE_Vuln_02.svg
│   ├── [108K] RE_Vuln_03.svg
│   ├── [193K] ROP_Chain.bak.svg
│   └── [ 26K] ROP_Chain.svg
├── [4.0K] libcircled
│   ├── [2.0K] circled.c
│   └── [ 315] Makefile
├── [ 11K] LICENSE
├── [4.0K] logs
│   ├── [1.9M] circled.symbex.control.log
│   ├── [1.9M] circled.symbex.log
│   ├── [2.0M] circled.symbex.rop.log
│   └── [2.8M] circled.trace.log
├── [4.0K] morion
│   ├── [1.6K] circled.debug.gdb
│   ├── [2.4K] circled.init.yaml
│   ├── [ 451] circled.rop1.py
│   ├── [ 893] circled.rop2.py
│   └── [1.8K] circled.trace.gdb
├── [ 459] mount.sh
├── [3.1K] README.md
└── [4.0K] server
    ├── [4.0K] bins
    │   └── [2.2M] ncat
    ├── [8.6K] circled.server.py
    └── [4.0K] resources
        ├── [ 149] circleinfo.txt
        └── [8.2M] database.bin

10 directories, 37 files
```
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for or donating to the local POC archive. Thank you for your support.