

Author: Zachary Cutlip
        uid000 AT gmail dot com
Target: DIR-815 Rev A1
Firmware: 1.01
hedwig.cgi buffer overflow in HTTP header field Cookie: uid="<cookie value>"

Credit: Craig Heffner (@devttyS0) for discovering the vulnerability

This exploit code targets a buffer overflow in the HTTP Cookie header field as processed by the /htdocs/cgibin executable.
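A defender-side check for the request shape this page describes, added here as an example and not part of the exploit repository: it parses a raw HTTP request, pulls the uid value out of the Cookie header, and reports requests to hedwig.cgi whose uid is oversized or contains non-printable bytes. The 64-byte length threshold, the /hedwig.cgi path match and the sample requests are assumptions constructed for this example.

```python
import re
from typing import Dict, Optional, Tuple

# Path of the CGI named on this page; the length threshold is an assumed
# value chosen for the example, not a figure taken from the firmware.
VULN_CGI = "/hedwig.cgi"
MAX_UID_LEN = 64


def parse_request(raw: bytes) -> Tuple[str, Dict[str, bytes]]:
    """Split a raw HTTP request into (request path, headers); header names are lowercased."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    path = parts[1].decode("latin-1") if len(parts) >= 2 else ""
    headers: Dict[str, bytes] = {}
    for line in lines[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower().decode("latin-1")] = value.strip()
    return path, headers


def uid_cookie(cookie: bytes) -> Optional[bytes]:
    """Return the raw uid value from a Cookie header (quotes stripped), or None if absent.

    A quoted value is taken up to the last double quote so that ';' or '"'
    bytes inside a malformed value do not truncate what gets measured."""
    m = re.search(rb'uid="(.*)"', cookie) or re.search(rb"uid=([^;]*)", cookie)
    return m.group(1) if m else None


def check_request(raw: bytes) -> Optional[str]:
    """Return a finding for a request matching the hedwig.cgi Cookie overflow pattern, else None."""
    path, headers = parse_request(raw)
    if not path.endswith(VULN_CGI) or "cookie" not in headers:
        return None
    uid = uid_cookie(headers["cookie"])
    if uid is None:
        return None
    reasons = []
    if len(uid) > MAX_UID_LEN:
        reasons.append(f"uid length {len(uid)} > {MAX_UID_LEN}")
    if any(b < 0x20 or b > 0x7E for b in uid):
        reasons.append("non-printable bytes in uid")
    return "; ".join(reasons) if reasons else None


# Constructed sample requests: a normal session cookie and an oversized one.
BENIGN = (b"GET /hedwig.cgi HTTP/1.1\r\nHost: 192.168.0.1\r\n"
          b'Cookie: uid="user1234"\r\n\r\n')
SUSPECT = (b"POST /hedwig.cgi HTTP/1.1\r\nHost: 192.168.0.1\r\n"
           b'Cookie: uid="' + b"A" * 200 + b'"\r\n\r\n')
```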


You can run the exploit code against a live target using the -t option. Alternatively, you may want to run the cgi binary standalone in QEMU.

In this case, run the exploit code with the -F option. The name of the output file should be "cgibinoverflow.txt", and the path should be the directory above the root directory of the firmware's file system.

If the firmware's filesystem is in your QEMU machine under:


Then you would run the exploit code with

-F /root/dir-815-rev-a1/cgibinoverflow.txt

When you run the exploit code in this mode, it will write the overflow string to the output file, start the connect-back server and wait.

In QEMU, copy to the directory above the firmware's file system, and run it from that directory. If you have gdbserver in the firmware's root directory, you may invoke it with this script by setting DEBUG=1:

#DEBUG=1 ./

And the binary will run with gdbserver attached listening on port 1234.

The usage of the exploit script is:

Usage: ./ [OPTIONS]

Option summary:
-t, --target=IP_ADDRESS         Remote target to exploit.
                                This option is mutually exclusive with -F and -f.
-c, --connectback_ip            Connect-back IP address.
                                This option is mandatory in all cases.
-F, --file=FILE                 Output file to write the overflow string to.
                                This option is mutually exclusive with -t.
-f, --find_offset=FIND_STRING   String whose offset in the overflow buffer
                                to find and report.
                                This option is mutually exclusive with -t.