  • Stars: 271
  • Rank 151,717 (Top 3 %)
  • Language: Python
  • License: GNU General Publi...
  • Created over 2 years ago
  • Updated over 2 years ago


Repository Details

CVE-2022-27255 - Realtek eCos SDK SIP ALG buffer overflow

This repository contains the materials for the talk "Exploring the hidden attack surface of OEM IoT devices: pwning thousands of routers with a vulnerability in Realtek’s SDK for eCos OS.", which was presented at DEFCON30.

The contents of this repo include:

  • analysis: Automated firmware analysis to detect the presence of CVE-2022-27255 (run analyse_firmware.py).
  • exploits_nexxt: PoC and exploit code. The PoC should work on every affected router; however, the exploit code is specific to the Nexxt Nebula 300 Plus router.
  • ghidra_scripts: Vulnerable function call searching script and CVE-2022-27255 detection script.
  • DEFCON: Slide deck and PoC video.

Vulnerable devices:

  • Nexxt Nebula 300 Plus
  • Tenda F6 V5.0
  • Tenda F3 V3
  • Tenda F9 V2.0
  • Tenda AC5 V3.0
  • Tenda AC6 V5.0
  • Tenda AC7 V4.0
  • Tenda A9 V3
  • Tenda AC8 V2.0
  • Tenda AC10 V3
  • Tenda AC11 V2.0
  • Tenda FH456 V4.0
  • Zyxel NBG6615 V1.00
  • Intelbras RF 301K V1.1.15
  • Multilaser AC1200 RE018
  • iBall 300M-MIMO (iB-WRB303N)
  • Brostrend AC1200 extender
  • MT-Link MT-WR850N
  • MT-Link MT-WR950N
  • Everest EWR-301
  • D-Link DIR-822 h/w version B
  • Speedefy K4
  • Ultra-Link Wireless N300 Universal Range Extender
  • Keo KLR 301
  • QPCOM QP-WR347N
  • NEXT 504N
  • Nisuta NS-WIR303N (probably V2)
  • Rockspace AC2100 Dual Band Wi-Fi Range Extender
  • KNUP KP-R04
  • Hikvision DS-3WR12-E

If you find a new vulnerable device, please submit a pull request.

Acknowledgements

  • Octavio Gianatiempo (@ogianatiempo)
  • Octavio Galland (@GallandOctavio)
  • Javier Aguinaga (@pastaCLS)
  • Emilio Couto (@ekio_jp)

Corrections:

  • @munchkindev
