技术分析：“厄运cookie”漏洞（CVE-2014-9222）解密

现在的问题是如何获得在ROM:8010E5F8中$s4的值? 其实很简单，只要将$s4里面的内容复制到一个很少用到的寄存器如$s7，然后立即触发”Kernel Painc”。我们现在来试试，首先我们将

ROM:8010E5FC                 move    $s0, $v0 ROM:8010E600                 addu    $at, $s1, $s0

改变成

ROM:8010E5FC                 add    $s7, $s4,$zero ROM:8010E600                 jr    $zero

这两条指令的hex值为

"add$s7, $s4,$zero"   =  0x0280b820 "jr$zero"             =  0x00000008

此时，我们就能获得$s4的值

BootbaseVersion: VTC_SPI1.26 |  2012/12/2616:00:00 RAM: Size= 8192 Kbytes Found SPIFlash 2MiB Winbond W25Q16 at 0xbfc00000 SPI FlashQuad Enable Turn offQuad Mode   RASVersion: 1.0.0 Build 121121 Rel.08870 System   ID: $2.12.58.23(G04.BZ.4)3.20.7.020120518_V003  | 2012/05/18   Press anykey to enter debug mode within 3 seconds. ....... EnterDebug Mode ATEN1,A847D6B1 OK ATWL80014BC0, ac30fffc OK ATGR      (Compressed)      Version: FDATA, start: bfc85830      Length: A94C, Checksum: DCEE      Compressed Length: 1D79, Checksum: 01BB Flash datais the same!!      (Compressed)      Version: ADSL ATU-R, start: bfc95830      Length: 3E7004, Checksum: 3336      Compressed Length: 122D57, Checksum: 3612   ERROR ATWL8010E5FC, 0280b820 OK ATWL8010E600, 00000008 OK ATGO80020000   Copyright(c) 2001 - 2006 TP-LINK TECHNOLOGIES CO., LTD initializech = 0, TC2105MJ, ethernet address: 14:cc:20:57:38:2a initializech = 1, ethernet address: 14:cc:20:57:38:2a WanChannel init ........ done Reset dmt Check DMTversion =b2 ........ InitializingADSL F/W ........ done ADSL HWversion: b2, HCLK 140 ok   ==>natTableMemoryInit <==natTableMemoryInitANNEXAIJLM US bitswapon,DS bitswap on OlrON SRAON Testlab 32 largeDflag=2 (0:maxD=64, 1:maxD=128, 2:maxD=511) portreverse: on   inputline: sysdisa Erasing 4KSector...   Erasing 4KSector...   writeRomBlock():Erase OK! ble PM! DyingaspOFF! dhcpaddress probe action is disabled Valid Lossof power OFF! rundistributePvcFakeMac! set trymultimode number to 3 (dropmode try num 3) Syncookieswitch On! rundistributePvcFakeMac! rundistributePvcFakeMac! run d Erasing 4KSector...   Erasing 4KSector...   writeRomBlock():Erase OK! istributePvcFakeMac! rundistributePvcFakeMac! rundistributePvcFakeMac! rundistributePvcFakeMac! rundistributePvcFakeMac! rundistributePvcFakeMac! PressENTER to continue...   Erasing 4KSector...   Erasing 4KSector...   writeRomBlock():Erase OK!