Vendor:http://totolink.net/
Firmware:https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/259/ids/36.html
V2.0.0-B20230727.1043
sub_4163AC (handler function of formPortFw) of /bin/boa in the firmware has multiple buffer overflow vulnerabilities.
Parameter "service_type" is read from the HTTP request into $v0_5, then copied to stack variable var_b1. When "service_type" has excessive length, this results in a stack buffer overflow.
Parameter "ip_subnet" is read from the HTTP request into $v0_27. Parameter "fw_ip" is read from the HTTP request into $v0_28.
Stack variable var_74 is constructed using sprintf from these two values. When "ip_subnet" or "fw_ip" has excessive length, this results in a stack buffer overflow.
Parameter "submit_url" is read from the HTTP request into $s2_7.
$s2_7 is used as the 2nd parameter in the call to sub_40bddc at 0x416b8c.
In sub_40bddc, arg2 is assigned to $s2, and stack variable var_120 is constructed from it using sprintf. When arg2 has excessive length, this results in a stack buffer overflow.
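All three overflows above share one root cause: request parameters are copied or sprintf'd into fixed-size stack buffers with no length check. The following is an added example of a hardened handler shape, not the firmware's own code; the buffer sizes, the format string and the function names are assumptions, since the page only names the stack slots (var_b1, var_74, var_120). It rejects an oversized parameter instead of overflowing:

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed sizes for illustration; the real firmware's buffer sizes are
 * not stated on the page, only their stack slots. */
#define SERVICE_TYPE_MAX 32
#define RULE_BUF_SIZE    64
#define URL_BUF_SIZE     256

/* Bounded copy: returns false instead of overflowing when the value does not
 * fit, terminator included. memchr bounds the scan to the buffer size. */
static bool copy_param(char *dst, size_t dst_size, const char *value) {
    if (value == NULL) return false;
    const char *end = memchr(value, '\0', dst_size);
    if (end == NULL) return false;        /* no terminator within dst_size */
    memcpy(dst, value, (size_t)(end - value) + 1);
    return true;
}

/* Hardened equivalent of the sprintf that builds var_74 from ip_subnet and
 * fw_ip: snprintf returns the length it *wanted* to write, so a value >= the
 * buffer size means truncation and the request is rejected. The "%s %s"
 * format is an assumption. */
static bool build_rule(char *out, size_t out_size,
                       const char *ip_subnet, const char *fw_ip) {
    if (ip_subnet == NULL || fw_ip == NULL) return false;
    int n = snprintf(out, out_size, "%s %s", ip_subnet, fw_ip);
    return n >= 0 && (size_t)n < out_size;
}

/* Hypothetical hardened handler: 0 when every parameter fits, -1 when the
 * request must be rejected. Mirrors the three parameters the page names. */
int form_port_fw_hardened(const char *service_type, const char *ip_subnet,
                          const char *fw_ip, const char *submit_url) {
    char service_buf[SERVICE_TYPE_MAX];   /* stands in for var_b1  */
    char rule_buf[RULE_BUF_SIZE];         /* stands in for var_74  */
    char url_buf[URL_BUF_SIZE];           /* stands in for var_120 */

    if (!copy_param(service_buf, sizeof service_buf, service_type)) return -1;
    if (!build_rule(rule_buf, sizeof rule_buf, ip_subnet, fw_ip)) return -1;
    if (!copy_param(url_buf, sizeof url_buf, submit_url)) return -1;
    return 0;
}
```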
I'm not able to provide a full exploit for this vulnerability due to legal reasons.