Exploit for Stack-based Buffer Overflow in Netgear R6400 Firmware CVE-2022-27646 CVE-2022-27644

Name: Exploit for Stack-based Buffer Overflow in Netgear R6400 Firmware CVE-2022-27646 CVE-2022-27644
Rating: 5 (95 reviews)
2023-06-01 | CVSS 8.8
## https://sploitus.com/exploit?id=14A2FC15-D054-55B5-B8E9-42A6020BAE43
# Exploiting a Stack Buffer Overflow on the NETGEAR R6700v3 (CVE-2022-27646) with the Help of Symbolic Execution
## Introduction
This repository is intended to demonstrate some functionalities of
[Morion](https://github.com/cyber-defence-campus/morion), a proof-of-concept (PoC) tool to
experiment with **symbolic execution** on real-world (ARMv7) binaries. We show some of
[Morion](https://github.com/cyber-defence-campus/morion)'s capabilities by giving a concrete
example, namely, how it can assist during the process of creating a working
**exploit for CVE-2022-27646** - a stack buffer overflow vulnerability in NETGEAR R6700v3 routers
(affected version 1.0.4.120_10.0.91, fixed in later versions).

The repository contains all **files** (under [firmware](./firmware/), [libcircled](./libcircled/),
[morion](./morion/) and [server](./server/)) needed to follow along (e.g. scripts to emulate the
vulnerable ARMv7 binary) and reproduce the discussed steps of how to use
[Morion](https://github.com/cyber-defence-campus/morion). The **documentation**
(under [docs](./docs/) and [logs](./logs/)), to demonstrate
[Morion](https://github.com/cyber-defence-campus/morion)'s workings, contains the following
chapters:
1. [Setup](docs/1_setup.md) - Explains how to setup analysis (running *Morion*) and target systems
    (running target binary *circled*).
2. [Emulation](docs/2_emulation.md) - Explains how to emulate the vulnerable target binary.
3. [Tracing](docs/3_tracing.md) - Explains how to record a concrete execution trace of the target
    binary using *Morion*.
4. [Symbolic Execution](docs/4_symbex.md) - Explains how to use *Morion* for analyzing the recorded
     trace symbolically.
5. [Vulnerability CVE-2022-27646](docs/5_vulnerability.md) - Provides some background information to
    the targeted vulnerability.
6. [Exploitation](docs/6_exploitation.md) - Explains how *Morion* can assist during the process of
    crafting an exploit.
## References
- Morion PoC Tool:
  - https://github.com/cyber-defence-campus/morion
- Defeating the NETGEAR R6700v3:
  - https://www.synacktiv.com/en/publications/pwn2own-austin-2021-defeating-the-netgear-r6700v3.html
- Emulating, Debugging and Exploiting NETGEAR R6700v3 *cicled* Binary:
  - https://medium.com/@INTfinity/1-1-emulating-netgear-r6700v3-circled-binary-cve-2022-27644-cve-2022-27646-part-1-5bab391c91f2
  - https://medium.com/@INTfinity/1-2-emulating-netgear-r6700v3-circled-binary-cve-2022-27644-cve-2022-27646-part-2-cf1571493117
  - https://medium.com/@INTfinity/1-3-exploiting-and-debugging-netgear-r6700v3-circled-binary-cve-2022-27644-cve-2022-27646-a80dbaf1245d
- NVRAM Emulator:
  - https://github.com/firmadyne/libnvram
- Ready-to-Use Cross-Compilation Toolchains:
  - https://toolchains.bootlin.com/
- Other Tools:
  - https://github.com/ReFirmLabs/binwalk
  - https://github.com/pwndbg/pwndbg
  - https://github.com/slimm609/checksec.sh
  - https://github.com/sashs/Ropper
  - https://github.com/JonathanSalwan/ROPgadget
## Authors
- [Damian Pfammatter](https://github.com/pdamian), [Cyber-Defense Campus (ar S+T)](https://www.cydcampus.admin.ch/)