影响版本:v6.29~v6.43rc3
更新版本:v6.42.1 和 v6.43rc4
论坛说明:
ip
address
add address=192.168.148.*/24 interface=ether1
mkdir /tmp/d2
sudo mount /dev/sda2 /tmp/d2
将gdbserver传入RouterOS 中
What's new in 6.42.1 (2018-Apr-23 10:46):
!) winbox - fixed vulnerability that allowed to gain access to an unsecured router;
*) bridge - fixed hardware offloading for MMIPS and PPC devices;
*) bridge - fixed LLDP packet receiving;
*) crs3xx - fixed failing connections through bonding in bridge;
*) ike2 - use "policy-template-group" parameter when picking proposal as initiator;
*) led - added "dark-mode" functionality for hAP ac and hAP ac^2 devices;
*) led - improved w60g alignment trigger;
*) lte - allow to send "at-chat" command over disabled LTE interface;
*) routerboard - fixed "mode-button" support on hAP lite r2 devices;
*) w60g - allow to manually set "tx-sector" value;
*) w60g - fixed incorrect RSSI readings;
*) w60g - show phy rate on "/interface w60g monitor" (CLI only);
*) winbox - fixed bridge port MAC learning parameter values;
*) winbox - show "Switch" menu on cAP ac devices;
*) winbox - show correct "Switch" menus on CRS328-24P-4S+;
*) wireless - improved compatibility with BCM chipset devices;
下载https://download2.mikrotik.com/routeros/6.40.5/routeros-x86-6.40.5.npk
用7z打开,可以直接解压缩出来。
打过补丁的版本:
https://download2.mikrotik.com/routeros/6.42.1/routeros-x86-6.42.1.npk
比较两个文件下所有不同的文件
8291端口对应winbox的bin 文件:
通过bindiff 比较补丁前后两个版本的mproxy文件,只找到下面一处不同。补丁增加了对’.’的判断:
这里只是找到疑似的漏洞点,具体分析不动了。。。。
往8291端口发送数据根本不触发那里的函数
搭建环境:https://xz.aliyun.com/t/1907
RouterOS越狱工具:https://github.com/0ki/mikrotik-tools
Mikrotik官网:https://mikrotik.com/
论坛讨论:https://forum.mikrotik.com/viewtopic.php?f=21&t=133533
http://blog.seekintoo.com/chimay-red.html
之前的老漏洞:http://133tsec.com/2012/04/0day-ddos-mikrotik-server-side-ddos-attack/
gdbserver下载地址:https://pan.baidu.com/s/1ylmVq_SVpYAhuMgB1iGpag
静态编译后的busybox下载地址:https://pan.baidu.com/s/1YPp13WZKY5k2-MQ6g8mVSA
diff 用法:http://man.linuxde.net/diff
样本相关信息:https://twitter.com/craiu/status/989052729480876032