Hack The Emulated Planet: Vulnerability Hunting on Planet WGS-804HPT Industrial Switches
ID: 2748abba-0e6d-5b44-a142-c6442a82fa7c
STIX ID: report--2748abba-0e6d-5b44-a142-c6442a82fa7c
Feed Name: Claroty Team82
This blog describes Team82's discovery of three vulnerabilities in the Planet WGS-804HPT industrial switch—including a pre-auth stack-buffer overflow in dispatcher.cgi and an OS command injection—that allow unauthenticated remote code execution. The authors explain firmware extraction, using binwalk and QEMU user/system emulation to recreate the device environment, static analysis of the Boa-based web service, remote debugging, exploit development (including MIPS shellcode) and a working PoC; the vendor was privately notified and released a firmware update.
