CVE-2022-27255 PoC — Realtek AP-Router SDK input validation vulnerability

Source
Associated Vulnerability
Title: Realtek AP-Router SDK input validation vulnerability (CVE-2022-27255)
Description: Realtek AP-Router SDK is a software package for wireless chipsets from the Chinese company Realtek Semiconductor. Realtek AP-Router SDK contains an input validation vulnerability that allows remote code execution via a crafted SIP packet containing malicious SDP data.
Readme
# CVE-2022-27255 - Realtek eCos SDK SIP ALG buffer overflow

This repository contains the materials for the talk "Exploring the hidden attack surface of OEM IoT devices: pwning thousands of routers with a vulnerability in Realtek's SDK for eCos OS.", which was presented at [DEFCON30](https://forum.defcon.org/node/241835).

The contents of this repo include:

- `analysis`: Automated firmware analysis to detect the presence of CVE-2022-27255 (run `analyse_firmware.py`).
- `exploits_nexxt`: PoC and exploit code. The PoC should work on every affected router; the exploit code, however, is specific to the Nexxt Nebula 300 Plus router.
- `ghidra_scripts`: Vulnerable function call search script and CVE-2022-27255 detection script.
- `DEFCON`: Slide deck & PoC video.

## Vulnerable devices:

- Nexxt Nebula 300 Plus
- Tenda F6 V5.0
- Tenda F3 V3
- Tenda F9 V2.0
- Tenda AC5 V3.0
- Tenda AC6 V5.0
- Tenda AC7 V4.0
- Tenda A9 V3
- Tenda AC8 V2.0
- Tenda AC10 V3
- Tenda AC11 V2.0
- Tenda FH456 V4.0
- Zyxel NBG6615 V1.00
- Intelbras RF 301K V1.1.15
- Multilaser AC1200 RE018
- iBall 300M-MIMO (iB-WRB303N)
- Brostrend AC1200 extender
- MT-Link MT-WR850N
- MT-Link MT-WR950N
- Everest EWR-301
- D-Link DIR-822 h/w version B
- Speedefy K4
- Ultra-Link Wireless N300 Universal Range Extender
- Keo KLR 301
- QPCOM QP-WR347N
- NEXT 504N
- Nisuta NS-WIR303N (probably V2)
- Rockspace AC2100 Dual Band Wi-Fi Range Extender
- KNUP KP-R04
- Hikvision DS-3WR12-E

If you find a new vulnerable device, please submit a pull request.

## Acknowledgements

- Octavio Gianatiempo (@ogianatiempo).
- Octavio Galland (@GallandOctavio)
- Javier Aguinaga (@pastaCLS)
- Emilio Couto (@ekio_jp)

## Corrections:

- @munchkindev
File Snapshot

[4.0K] /data/pocs/5614b137d9f368ee060102689ad4c2c1f22524aa
├── [4.0K] analysis
│   ├── [3.4K] analyse_firmware.py
│   └── [3.8K] firmware_base_address_finder.py
├── [4.0K] DEFCON
│   ├── [ 26M] poc.mp4
│   └── [4.0M] slides.pdf
├── [4.0K] exploits_nexxt
│   ├── [4.0K] exploit_custom_command_injector
│   │   ├── [  89] Dockerfile
│   │   ├── [ 131] linker.ld
│   │   ├── [5.8K] main.c
│   │   ├── [4.0K] main.h
│   │   ├── [ 193] Makefile
│   │   ├── [4.3K] poc_telnet_custom_cmd.py
│   │   ├── [ 112] readme.md
│   │   └── [ 153] run.sh
│   ├── [3.1K] exploit_telnet_no_reboot.py
│   ├── [2.7K] exploit_telnet_reboot.py
│   └── [1.1K] poc_crash.py
├── [4.0K] ghidra_scripts
│   ├── [2.5K] find_vulnerable_calls.py
│   └── [5.3K] firmware_vulnerability_checker.py
├── [ 34K] LICENSE
└── [1.7K] README.md

5 directories, 19 files