Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2020-15416 PoC — NETGEAR R6700 缓冲区错误漏洞

Source
https://github.com/k3vinlusec/R7000_httpd_BOF_CVE-2020-15416
Associated Vulnerability
Title:NETGEAR R6700 缓冲区错误漏洞 (CVE-2020-15416)
Description:This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9703.
Description
https://www.zerodayinitiative.com/advisories/ZDI-20-712/
Readme
# R7000_httpd_BOF(CVE-2020-15416)
I demenstrated you on how to set up a debugging environment using QEMU user mode for Netgear R7000 wifi router.  Then I provide a walkthrough of an Exploit of Netgear WiFi Router httpd Buffer Overflow Vulnerability(CVE-2020-15416). It refers to https://www.zerodayinitiative.com/advisories/ZDI-20-712/.
The detailed analysis refers to A_Walkthrough_of_an_Exploit_of_Netgear_WiFi_Router_httpd_Buffer_Overflow_Vulnerability.pdf
File Snapshot

 [4.0K]  /data/pocs/b47943efe4b842c80f63b1a3b8c12f05675968e1
├── [8.9M]  A_Walkthrough_of_an_Exploit_of_Netgear_WiFi_Router_httpd_Buffer_Overflow_Vulnerability.pdf
├── [1.6K]  exploit_r7000.py
├── [1.8M]  httpd
├── [1.8M]  httpd_r7000_patch
├── [940K]  httpd_RBS40V_EXT-V1.0.0.46_1.0.35
├── [940K]  httpd_RBS40V_EXT-V1.0.0.48_1.0.38
├── [ 19K]  libnvram-faker.so
├── [4.0K]  nvram-faker
│   ├── [ 289]  arch.mk
│   ├── [1.0K]  buildarm_modify.sh
│   ├── [ 907]  buildarm.sh
│   ├── [ 894]  buildmipsel.sh
│   ├── [ 862]  buildmips.sh
│   ├── [4.0K]  contrib
│   │   └── [4.0K]  inih
│   │       ├── [4.0K]  cpp
│   │       │   ├── [2.0K]  INIReader.cpp
│   │       │   ├── [1.9K]  INIReader.h
│   │       │   └── [ 648]  INIReaderTest.cpp
│   │       ├── [4.0K]  examples
│   │       │   ├── [ 152]  config.def
│   │       │   ├── [1020]  ini_dump.c
│   │       │   ├── [1.1K]  ini_example.c
│   │       │   ├── [1.2K]  ini_xmacros.c
│   │       │   └── [ 309]  test.ini
│   │       ├── [4.0K]  extra
│   │       │   └── [ 320]  Makefile.static
│   │       ├── [4.9K]  ini.c
│   │       ├── [2.3K]  ini.h
│   │       ├── [8.7K]  ini.o
│   │       ├── [1.5K]  LICENSE.txt
│   │       ├── [  99]  Makefile
│   │       ├── [ 183]  README.txt
│   │       └── [4.0K]  tests
│   │           ├── [  18]  bad_comment.ini
│   │           ├── [  12]  bad_multi.ini
│   │           ├── [  76]  bad_section.ini
│   │           ├── [ 984]  baseline_multi.txt
│   │           ├── [ 905]  baseline_single.txt
│   │           ├── [  54]  bom.ini
│   │           ├── [ 265]  multi_line.ini
│   │           ├── [ 574]  normal.ini
│   │           ├── [ 151]  unittest.bat
│   │           ├── [1.6K]  unittest.c
│   │           └── [  45]  user_error.ini
│   ├── [8.7K]  ini.o
│   ├── [ 19K]  libnvram-faker.so
│   ├── [1.1K]  LICENSE.txt
│   ├── [ 729]  Makefile
│   ├── [2.9K]  nvram-faker.c
│   ├── [ 119]  nvram-faker.h
│   ├── [ 694]  nvram-faker-internal.h
│   ├── [ 551]  nvram_faker_main.c
│   ├── [8.6K]  nvram-faker.o
│   ├── [ 795]  nvram.ini
│   └── [2.6K]  README.md
├── [3.0K]  nvram.ini
├── [ 460]  README.md
└── [1019]  setupdebuggerenv.txt

7 directories, 52 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →