├── Cisco-RV34x-RCE
│   ├── README.md
│   └── upload.cgi
├── H3C-ERg2-RCE
│   ├── README.md
│   └── cmdi.png
├── README.md
└── Sonicwall-CVE-2019-7482
    └── README.md

--------------------------------------------------------------------------------
/Cisco-RV34x-RCE/README.md:
--------------------------------------------------------------------------------
## cisco-RV34x-RCE
The bug was found several months ago and it was reported by others.
The cve-id should be CVE-2020-3451 or ....

## Detail
The bug exists in upload cgi.
```
......
jsonutil_get_string(dword_22F84, &v24, "\"file.path\"", -1);
jsonutil_get_string(dword_22F84, &haystack, "\"filename\"", -1);
jsonutil_get_string(dword_22F84, &v25, "\"pathparam\"", -1);
jsonutil_get_string(dword_22F84, &v26, "\"fileparam\"", -1);
jsonutil_get_string(dword_22F84, &v27, "\"destination\"", -1);
jsonutil_get_string(dword_22F84, &v28, "\"option\"", -1);
jsonutil_get_string(dword_22F84, &v29, "\"cert_name\"", -1);
jsonutil_get_string(dword_22F84, &v30, "\"cert_type\"", -1);
jsonutil_get_string(dword_22F84, &v31, "\"password\"", -1);
if ( v3 )
{
    StrBufSetStr(v33, v3);
    v3 = 0;
    v10 = (char *)StrBufToStr(v33);
    for ( i = strtok_r(v10, ";", &save_ptr); i; i = strtok_r(0, ";", &save_ptr) )
    {
        v12 = strstr(i, "sessionid=");
        if ( v12 )
            v3 = v12 + 10;
    }
}
if ( !v24 )
{
    puts("Content-type: text/html\n");
    printf("Error Input");
    goto LABEL_24;
}
StrBufSetStr(v34, v26);
v13 = haystack;
if ( haystack )
{
    if ( strstr(haystack, ".xml") )
    {
        v14 = "Configuration";
    }
    else
    {
        if ( !strstr(v13, ".img") )
        {
LABEL_18:
            StrBufSetStr(v34, v13);
            goto LABEL_19;
        }
        v14 = "Firmware";
    }
    v25 = v14;
    goto LABEL_18;
}
LABEL_19:
v15 = v25;
v16 = v24;
v17 = StrBufToStr(v34);
sub_11500(pathparam, file.path, filename);
......
```
Step into sub_11500:
```
...
sprintf(&s, "%s/%s", v7, v4);
sprintf((char *)&v11, "mv -f %s %s", file.path, &s);
debug("cmd=%s", &v11);
result = v11;
if ( v11 )
{
    v10 = system((const char *)&v11);
    if ( v10 < 0 )
        error((int)"upload.cgi: %s(%d) Upload failed!", (int)"prepare_file", (const char *)0xAA);
    result = v10;
}
return result;
}
...
```
It's easy to inject a system command: the `file.path` value taken from the request JSON is formatted, unescaped, into the `mv -f` string that `system()` executes.

It doesn't require authentication and you can get a shell with www-data privilege.

--------------------------------------------------------------------------------
/Cisco-RV34x-RCE/upload.cgi:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/w0lfzhang/some_nday_bugs/4b9c6574d3dab8725ae5330c5a5fb0c2efe496d7/Cisco-RV34x-RCE/upload.cgi

--------------------------------------------------------------------------------
/H3C-ERg2-RCE/README.md:
--------------------------------------------------------------------------------
The bug affects the H3C ER G2 series routers.

--------------------------------------------------------------------------------
/H3C-ERg2-RCE/cmdi.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/w0lfzhang/some_nday_bugs/4b9c6574d3dab8725ae5330c5a5fb0c2efe496d7/H3C-ERg2-RCE/cmdi.png

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
## Some Bugs
Publishing some bugs (already patched) found by me and exploits written by me (tagged).

| Bugs | Links |
| ---- | ---- |
| Sonicwall SMA RCE (writing exp) | https://github.com/w0lfzhang/some_iot_bugs/tree/master/Sonicwall-CVE-2019-7482 |
| Cisco RV34x RCE | https://github.com/w0lfzhang/some_iot_bugs/tree/master/Cisco-RV34x-RCE |
| H3C ERg2 RCE | https://github.com/w0lfzhang/some_iot_bugs/tree/master/H3C-ERg2-RCE |
| Goahead Memory Leaking | https://github.com/embedthis/goahead-gpl/issues/2#issuecomment-633738262 |
| Zyxel Firewall Buffer-overflow | https://www.zyxel.com/us/en/support/Zyxel-security-advisory-for-buffer-overflow-vulnerability.shtml |
| Dlink DIR-878 RCE and Multi Buffer-overflow | TianfuCup 2019 and https://support.dlink.com/resource/SECURITY_ADVISEMENTS/DIR-882/REVA/DIR-882_REVA_RELEASE_NOTES_v1.30B06_HOTFIX.pdf |
| ASUS Router Buffer-overflow | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5721 |
| Draytek Vigor 2960 RCE | Patched |

--------------------------------------------------------------------------------
/Sonicwall-CVE-2019-7482/README.md:
--------------------------------------------------------------------------------
PoC:
https://github.com/w0lfzhang/sonicwall-cve-2019-7482
--------------------------------------------------------------------------------