Vendor:http://totolink.net/
Firmware:https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/259/ids/36.html
V2.0.0-B20230727.1043
sub_447E18 (handle function of formMeshUploadConfig) of /bin/boa in firmware has buffer overflow vulnerability.
Parameter "submit-url" is read from HTTP request into $v0_7, then copied to variable data_48e234, which locates on BSS segment. When "submit-url" has excessive length, this would result a buffer overflow.
I'm not able to provide full exploit for this vulnerability due to legal reasons.