Collection of exploits created by NSIDE ATTACK LOGIC GmbH
NSIDE discovered a buffer overflow in the webserver of the HomeBox 6441 in firmware 01.01.30. The vulnerability was reported and resolved in 2018.
While analyzing CVE-2017-8220 for an article in its IoT hacking series, NSIDE observed a format-string vulnerability in the already present exploit chain.
NSIDE created an exploit script that does not abuse the trivial OS command injection that was already present, but instead leverages the format-string vulnerability to obtain a root shell. The purpose of this exercise was to develop a step-by-step guide to exploit development for NSIDE's IoT hacking series in iX magazine.
The exploit works on firmware version TL-WR841Nv14_EU_0.9.1_4.16; the vulnerability was patched in TL-WR841Nv14_EU_0.9.1_4.17.