
CVE-2022-27646 PoC — NETGEAR R6700v3 Authorization Issue Vulnerability

Source
Associated Vulnerability
Title: NETGEAR R6700v3 Authorization Issue Vulnerability (CVE-2022-27646)
Description: This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700v3 1.0.4.120_10.0.91 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the circled daemon. A crafted circleinfo.txt file can trigger an overflow of a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15879.
Description
Demonstrate some functionalities of Morion by generating an exploit for CVE-2022-27646 (stack buffer overflow on Netgear R6700v3 routers).
Readme
# Exploiting a Stack Buffer Overflow on the NETGEAR R6700v3 (CVE-2022-27646) with the Help of Symbolic Execution
## Introduction
This repository is intended to demonstrate some functionalities of
[Morion](https://github.com/cyber-defence-campus/morion), a proof-of-concept (PoC) tool to
experiment with **symbolic execution** on real-world (ARMv7) binaries. We show some of
[Morion](https://github.com/cyber-defence-campus/morion)'s capabilities by giving a concrete
example, namely, how it can assist during the process of creating a working
**exploit for CVE-2022-27646** - a stack buffer overflow vulnerability in NETGEAR R6700v3 routers
(affected version 1.0.4.120_10.0.91, fixed in later versions).

The repository contains all **files** (under [firmware](./firmware/), [libcircled](./libcircled/),
[morion](./morion/) and [server](./server/)) needed to follow along (e.g. scripts to emulate the
vulnerable ARMv7 binary) and reproduce the discussed steps of how to use
[Morion](https://github.com/cyber-defence-campus/morion). The **documentation**
(under [docs](./docs/) and [logs](./logs/)), which demonstrates how
[Morion](https://github.com/cyber-defence-campus/morion) works, contains the following
chapters:
1. [Setup](docs/1_setup.md) - Explains how to set up the analysis system (running *Morion*) and the
    target system (running the target binary *circled*).
2. [Emulation](docs/2_emulation.md) - Explains how to emulate the vulnerable target binary.
3. [Tracing](docs/3_tracing.md) - Explains how to record a concrete execution trace of the target
    binary using *Morion*.
4. [Symbolic Execution](docs/4_symbex.md) - Explains how to use *Morion* for analyzing the recorded
     trace symbolically.
5. [Vulnerability CVE-2022-27646](docs/5_vulnerability.md) - Provides some background information to
    the targeted vulnerability.
6. [Exploitation](docs/6_exploitation.md) - Explains how *Morion* can assist during the process of
    crafting an exploit.
## References
- Morion PoC Tool:
  - https://github.com/cyber-defence-campus/morion
- Defeating the NETGEAR R6700v3:
  - https://www.synacktiv.com/en/publications/pwn2own-austin-2021-defeating-the-netgear-r6700v3.html
- Emulating, Debugging and Exploiting the NETGEAR R6700v3 *circled* Binary:
  - https://medium.com/@INTfinity/1-1-emulating-netgear-r6700v3-circled-binary-cve-2022-27644-cve-2022-27646-part-1-5bab391c91f2
  - https://medium.com/@INTfinity/1-2-emulating-netgear-r6700v3-circled-binary-cve-2022-27644-cve-2022-27646-part-2-cf1571493117
  - https://medium.com/@INTfinity/1-3-exploiting-and-debugging-netgear-r6700v3-circled-binary-cve-2022-27644-cve-2022-27646-a80dbaf1245d
- NVRAM Emulator:
  - https://github.com/firmadyne/libnvram
- Ready-to-Use Cross-Compilation Toolchains:
  - https://toolchains.bootlin.com/
- Other Tools:
  - https://github.com/ReFirmLabs/binwalk
  - https://github.com/pwndbg/pwndbg
  - https://github.com/slimm609/checksec.sh
  - https://github.com/sashs/Ropper
  - https://github.com/JonathanSalwan/ROPgadget
## Authors
- [Damian Pfammatter](https://github.com/pdamian), [Cyber-Defense Campus (ar S+T)](https://www.cydcampus.admin.ch/)
File Snapshot

```
[4.0K] /data/pocs/d1c8a562aab6611d8786f34e600cd7feacde5e7d
├── [4.0K] docs
│   ├── [3.3K] 1_setup.md
│   ├── [4.4K] 2_emulation.md
│   ├── [ 24K] 3_tracing.md
│   ├── [ 23K] 4_symbex.md
│   ├── [7.4K] 5_vulnerability.md
│   └── [ 44K] 6_exploitation.md
├── [4.0K] firmware
│   ├── [4.0K] bins
│   │   ├── [5.7M] gdbserver
│   │   ├── [7.0K] libcircled.so
│   │   └── [ 31K] libnvram.so
│   ├── [1.3K] circled.driver.sh
│   ├── [1.2K] circled.patch.py
│   └── [ 45M] R6700v3-V1.0.4.120_10.0.91.zip
├── [4.0K] images
│   ├── [111K] Memory_Layout-PoV.svg
│   ├── [260K] Morion_Overview.svg
│   ├── [ 71K] RE_Vuln_01.svg
│   ├── [130K] RE_Vuln_02.svg
│   ├── [108K] RE_Vuln_03.svg
│   ├── [193K] ROP_Chain.bak.svg
│   └── [ 26K] ROP_Chain.svg
├── [4.0K] libcircled
│   ├── [2.0K] circled.c
│   └── [ 315] Makefile
├── [ 11K] LICENSE
├── [4.0K] logs
│   ├── [1.9M] circled.symbex.control.log
│   ├── [1.9M] circled.symbex.log
│   ├── [2.0M] circled.symbex.rop.log
│   └── [2.8M] circled.trace.log
├── [4.0K] morion
│   ├── [1.6K] circled.debug.gdb
│   ├── [2.4K] circled.init.yaml
│   ├── [ 451] circled.rop1.py
│   ├── [ 893] circled.rop2.py
│   └── [1.8K] circled.trace.gdb
├── [ 459] mount.sh
├── [3.1K] README.md
└── [4.0K] server
    ├── [4.0K] bins
    │   └── [2.2M] ncat
    ├── [8.6K] circled.server.py
    └── [4.0K] resources
        ├── [ 149] circleinfo.txt
        └── [8.2M] database.bin

10 directories, 37 files
```