D-Link DCS-935L Buffer Overflow Vulnerability in HNAP Service Allowing Remote Code Execution

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the D-Link DCS-935L camera, affecting versions through 1.10.01. The issue arises in the HNAP service's `SetDeviceSettings` function, where the `AdminPassword` argument is not properly validated. A remote attacker can exploit the flaw by sending a crafted XML request, leading to unauthorized code execution on the device.

Impact

Exploitation of this vulnerability results in unauthorized remote code execution with root privileges on the affected device.

Reproduction

To reproduce this vulnerability, log into the device's web interface to obtain administrative privileges. Then, send a POST request to the HNAP service's `SetDeviceSettings` endpoint with a crafted XML payload. The `AdminPassword` field must contain a hex-encoded string that, when decoded, executes MIPS shellcode. This payload should be designed to overflow the stack buffer by overwriting the return address, directing the execution flow to the injected shellcode.
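
For defenders, the request shape described above can be flagged at a reverse proxy or in captured traffic. The following is an added example, not code from the advisory or from D-Link: it inspects the `AdminPassword` field of a `SetDeviceSettings` body. The 64-character limit, the function names and the sample bodies are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: the page gives no buffer size, so this is a policy limit for a
# sane admin password, not the overflow offset.
MAX_PASSWORD_LEN = 64
HEX_RUN = re.compile(r"\A(?:[0-9A-Fa-f]{2}){16,}\Z")  # 16+ hex-encoded bytes
FALLBACK = re.compile(r"<(?:\w+:)?AdminPassword[^>]*>(.*?)</", re.S)

# Constructed sample bodies (not captured traffic).
ENVELOPE = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soap:Body><SetDeviceSettings xmlns="http://purenetworks.com/HNAP1/">'
            '<DeviceName>cam</DeviceName><AdminPassword>%s</AdminPassword>'
            '</SetDeviceSettings></soap:Body></soap:Envelope>')
BENIGN = ENVELOPE % "S3cure-Pass!"
OVERSIZED = ENVELOPE % ("41" * 200)
TRUNCATED = OVERSIZED[:-20]  # not well-formed XML

def local(tag):
    # Strip an XML namespace: '{ns}AdminPassword' -> 'AdminPassword'.
    return tag.rsplit("}", 1)[-1]

def admin_password(body):
    """Return the AdminPassword text of a SetDeviceSettings body, or None."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        # A crafted request need not be well-formed XML; fall back to a regex.
        m = FALLBACK.search(body)
        return m.group(1) if m else None
    for action in root.iter():
        if local(action.tag) == "SetDeviceSettings":
            for child in action.iter():
                if local(child.tag) == "AdminPassword":
                    return child.text or ""
    return None

def inspect(body):
    """Return the reasons this request body looks suspicious (empty if none)."""
    value = admin_password(body)
    if value is None:
        return []
    reasons = []
    if len(value) > MAX_PASSWORD_LEN:
        reasons.append("length %d exceeds %d" % (len(value), MAX_PASSWORD_LEN))
    if HEX_RUN.match(value.strip()):
        reasons.append("hex-encoded byte string")
    if any(not c.isprintable() for c in value):
        reasons.append("non-printable characters")
    return reasons
```

When parsing untrusted bodies in production, use a hardened XML parser such as `defusedxml` in place of the standard-library one.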

Added: May 11, 2026, 2:19 AM
Updated: May 11, 2026, 2:19 AM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 7.5
exploitability: 5.2
remediation: 0.0
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.