# CVE-2025-29384 Proof-of-Concept Exploit
## Overview
This repository contains an advanced proof-of-concept (PoC) exploit for **CVE-2025-29384**, a critical **stack-based buffer overflow** vulnerability discovered in the **Tenda AC9** router running firmware version **V15.03.05.14_multi**. This vulnerability allows **unauthenticated remote attackers** to crash the router’s web server (**Denial-of-Service, DoS**) and potentially execute arbitrary code (**Remote Code Execution, RCE**).
The purpose of this project is to **demonstrate exploit development skills**, contribute to the cybersecurity community, and provide an educational showcase for academic evaluation.
## Vulnerability Details
### CVE Description
CVE-2025-29384 affects the **Tenda AC9** router’s **web management interface**, specifically the endpoint:
```
/goform/AdvSetMacMtuWan
```
The vulnerability exists due to **improper bounds checking** on the `wanMTU` parameter, which is processed via an **HTTP POST request**. The input is copied into a **fixed-size stack buffer without validation**, leading to a classic **stack-based buffer overflow**.
#### **Impact**
- **Denial-of-Service (DoS)**: Crashes the router’s HTTP server, making it unresponsive until a reboot.
- **Potential RCE**: An attacker could **overwrite the return address** and execute arbitrary code on the router’s **MIPS-based architecture**.
- **No Authentication Required**: The vulnerability can be triggered remotely without credentials, increasing its severity.
#### **Technical Breakdown**
The vulnerable function (hypothetical reconstruction) follows this structure:
```c
#include <string.h>

void process_mtu(char *input) {
    char buffer[256];      // Fixed-size stack buffer
    strcpy(buffer, input); // No length check: any input longer than the buffer overruns it
    // Process MTU value...
}
```
An attacker sending an oversized payload (e.g., 1024+ bytes) **overwrites adjacent memory**, including the **function’s return address**, potentially leading to **code execution**.
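As an added, defensive counterpart to the reconstruction above (this is not code from the repository or from the Tenda firmware), the block below shows what the handler looks like once the `wanMTU` value is validated before any copy takes place: the length walk is bounded, only digits are accepted, the value is range-checked, and the copy into the stack buffer uses `snprintf` instead of `strcpy`. The function names, the MTU range (576–1500) and the four-digit limit are assumptions chosen for illustration; `rejects_oversized()` builds the kind of long filler string the PoC sends and confirms it never reaches the buffer.

```c
/* Added example, not code from the repository or from Tenda firmware:
 * a hardened counterpart to the reconstructed process_mtu().
 * Function names, the MTU range and the digit limit are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MTU_MIN 576         /* assumed lower bound: IPv4 minimum reassembly size */
#define MTU_MAX 1500        /* assumed upper bound: Ethernet WAN MTU */
#define MTU_MAX_DIGITS 4    /* "1500" is the longest value that can pass the range check */

/* Validates `input` before anything is copied. Returns 1 and stores the
 * parsed value on success, 0 on malformed, oversized or out-of-range input.
 * The length walk is bounded, so a 2048-byte payload is rejected after
 * reading at most MTU_MAX_DIGITS + 1 bytes. */
int parse_mtu(const char *input, unsigned *mtu_out) {
    if (input == NULL || mtu_out == NULL) return 0;
    size_t len = 0;
    while (len <= MTU_MAX_DIGITS && input[len] != '\0') len++;
    if (len == 0 || len > MTU_MAX_DIGITS) return 0;
    for (size_t i = 0; i < len; i++) {
        if (input[i] < '0' || input[i] > '9') return 0;   /* digits only */
    }
    errno = 0;
    char *end = NULL;
    unsigned long v = strtoul(input, &end, 10);
    if (errno != 0 || end != input + len) return 0;
    if (v < MTU_MIN || v > MTU_MAX) return 0;
    *mtu_out = (unsigned)v;
    return 1;
}

/* Hardened handler: still a fixed-size stack buffer, but the copy is
 * bounded and happens only after validation. Returns the accepted MTU,
 * or -1 when the request is rejected. */
int process_mtu_safe(const char *input) {
    unsigned mtu;
    if (!parse_mtu(input, &mtu)) return -1;
    char buffer[MTU_MAX_DIGITS + 1];
    /* snprintf never writes past sizeof buffer, unlike strcpy. */
    snprintf(buffer, sizeof buffer, "%s", input);
    /* ... apply `buffer` / `mtu` to the WAN interface here ... */
    return (int)mtu;
}

/* Builds an n-byte run of 'A' (the shape of the PoC's oversized payload)
 * and reports whether the hardened handler rejects it (1 = rejected). */
int rejects_oversized(size_t n) {
    char *payload = malloc(n + 1);
    if (payload == NULL) return 0;
    memset(payload, 'A', n);
    payload[n] = '\0';
    int rejected = process_mtu_safe(payload) == -1;
    free(payload);
    return rejected;
}

int main(void) {
    const char *samples[] = { "1500", "576", "65535", "12ab", "", "-1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("wanMTU=%-6s -> %d\n", samples[i], process_mtu_safe(samples[i]));
    printf("2048-byte payload rejected: %d\n", rejects_oversized(2048));
    return 0;
}
```

The order matters: the length bound is checked before the digit scan and before any copy, so the cost of an oversized request is constant and the stack buffer is only ever written with a value that already passed the range check.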
### **CVSS v3.1 Score: 9.8 (Critical)**
| Metric | Value |
|----------------------|-------|
| **Attack Vector** | Network |
| **Attack Complexity** | Low |
| **Privileges Required** | None |
| **User Interaction** | None |
| **Confidentiality Impact** | High |
| **Integrity Impact** | High |
| **Availability Impact** | High |
## Affected Device
The **Tenda AC9** is a **dual-band wireless router** with the following specifications:
- **CPU**: Broadcom BCM4708 (MIPS 74Kc, dual-core, ~1 GHz)
- **RAM**: 128 MB
- **Flash**: 16 MB
- **Wi-Fi**: Dual-band 802.11ac (AC1200)
- **Ports**: 1x Gigabit WAN, 4x Gigabit LAN
- **Firmware**: **V15.03.05.14_multi** (confirmed vulnerable)
## Disclosure Timeline
- **March 14, 2025** – CVE-2025-29384 published on **NVD/MITRE**.
- **March 17, 2025** – This PoC developed and tested.
- **March 17, 2025** – No official patch from Tenda as of this date.
## PoC Exploit Details
### **Exploit Overview**
This PoC is a **Python-based exploit** that sends oversized input to `/goform/AdvSetMacMtuWan`, triggering a buffer overflow to **crash the web server**.
### **Features**
- **Multithreading** – Launches multiple concurrent exploit attempts for reliability.
- **Dynamic Payloads** – Generates randomized base64-encoded attack strings.
- **Logging** – Uses Python’s logging module for structured debugging.
- **Customizable Parameters** – Adjusts **target IP, payload size, and thread count**.
### **Usage**
#### **Prerequisites**
- **Python 3.x**
- **requests module** (`pip install requests`)
- **Tenda AC9 router with V15.03.05.14_multi firmware**
#### **Installation**
```bash
git clone https://github.com/Otsmane-Ahmed/cve-2025-29384-poc
cd cve-2025-29384-poc
pip install requests
```
#### **Running the Exploit**
```bash
python poc.py --target <router_ip> --size 2048 --threads 10
```
##### **Arguments:**
| Argument | Description |
|----------|-------------|
| `--target` | Router IP (default: `192.168.0.1`) |
| `--size` | Payload size in bytes (default: `1024`) |
| `--threads` | Number of concurrent threads (default: `5`) |
#### **Example Output**
```
[+] CVE-2025-29384 Exploit Engine
[INFO] Target: 192.168.0.1
[INFO] Sending payload (2048 bytes)...
[WARNING] Target timeout - possible crash!
[INFO] Exploit sequence completed.
```
### **Expected Results**
- **Success**: Router’s web interface becomes unresponsive (**DoS condition**).
- **Failure**: The router still responds (**not vulnerable or wrong firmware**).
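From the defender's side, the traffic this PoC produces has a simple signature: a `POST` to `/goform/AdvSetMacMtuWan` whose body is far larger than the handful of bytes a real MTU change needs. The block below is an added example (not part of the repository) of a request-level check a gateway, IDS rule or the router's own HTTP front end could apply before the handler runs. The 128-byte threshold, the exact-casing match on `Content-Length`, and the three sample requests are constructed assumptions; only the endpoint and the `wanMTU` field name come from the advisory.

```c
/* Added example, not part of the repository: a request-level detector for
 * the oversized POST this PoC sends. The byte threshold and the sample
 * requests are constructed assumptions; only the endpoint comes from the
 * advisory. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VULN_PATH "/goform/AdvSetMacMtuWan"
#define BODY_ALERT_BYTES 128   /* assumed: a real form post here is a few dozen bytes */

/* Classifies a raw HTTP request head. Returns 1 when it matches the exploit
 * pattern (POST to the vulnerable endpoint with an oversized body), 0 when
 * it does not, and -1 when the request line cannot be parsed. Field widths
 * are bounded so the detector cannot itself be overflowed by what it reads. */
int classify_request(const char *raw) {
    char method[8] = {0};
    char path[128] = {0};
    if (raw == NULL || sscanf(raw, "%7s %127s", method, path) != 2) return -1;

    long content_length = 0;
    const char *line = raw;
    /* Walk header lines looking for Content-Length (exact casing assumed). */
    while ((line = strchr(line, '\n')) != NULL) {
        line++;
        if (line[0] == '\r' || line[0] == '\n') break;   /* end of headers */
        if (strncmp(line, "Content-Length:", 15) == 0) {
            content_length = strtol(line + 15, NULL, 10);
            break;
        }
    }
    if (strcmp(method, "POST") != 0 || strcmp(path, VULN_PATH) != 0) return 0;
    return content_length > BODY_ALERT_BYTES ? 1 : 0;
}

/* Constructed samples: a legitimate MTU change, an oversized post of the
 * kind the PoC sends, and an unrelated request. */
static const char BENIGN_REQUEST[] =
    "POST /goform/AdvSetMacMtuWan HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "Content-Length: 11\r\n"
    "\r\n"
    "wanMTU=1500";
static const char SUSPECT_REQUEST[] =
    "POST /goform/AdvSetMacMtuWan HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "Content-Length: 2055\r\n"
    "\r\n";
static const char OTHER_REQUEST[] =
    "GET /index.html HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "\r\n";

int main(void) {
    const char *names[] = { "benign", "suspect", "other" };
    const char *reqs[] = { BENIGN_REQUEST, SUSPECT_REQUEST, OTHER_REQUEST };
    for (int i = 0; i < 3; i++)
        printf("%-8s -> %d\n", names[i], classify_request(reqs[i]));
    return 0;
}
```

A verdict of `1` is the condition to alert on or drop at the edge; until Tenda ships a fix, keeping the management interface unreachable from the WAN removes the unauthenticated remote path entirely.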
## Disclaimer
This project is for **educational and ethical hacking purposes only**. Unauthorized use of this exploit **is illegal**. The author **is not responsible** for misuse or damage caused by this code.
**Developed by Otsmane Ahmed**
## File Snapshot
```
[4.0K] /data/pocs/3843a814a81d73c19cb785ca8620af830726e427
├── [4.5K] poc.py
└── [4.7K] README.md

0 directories, 2 files
```