Created
June 16, 2023 09:06
Revisions
-
jhacker91 created this gist
Jun 16, 2023
# Exploit Title: Buffer Overflow in TP-Link Archer AX10(EU)_V1.2_230220
# Exploit Author: Giuseppe Compare
# Date : 26/05/2023
# CVE: CVE-2023-34832
# Vendor Homepage: https://www.tp-link.com/
# Version: TP-Link Archer AX10(EU)_V1.2_230220

Buffer Overflow

There is a buffer overflow in the FUN_131e8 function due to improper use of sprintf(), detailed in lines 47-49 of the decompiled listing:

    memset(&DAT_000283a4,0,0x800);
    sprintf(&DAT_000283a4,"echo \'[ %s ] %d: get OCN v6plus rules begin\n \' > /dev/console", "https_get_rules_OCN",0x3c3);
    system(&DAT_000283a4);
    //line 47-49
    sprintf((char *)&local_428, "https://rule.map.ocn.ad.jp/?ipv6Prefix=%s&ipv6PrefixLength=%d&code=e8mMWklYwaGoHmT05ynqVM4kPqF9rAUnhrWCp1vWvBeSOO0pfpMokg==" ,param_2 + 0x23,param_2[0x2d]);

The sprintf() function makes no guarantees regarding the length of the generated string: a sufficiently long string passed as an additional argument (here the ipv6Prefix value read from param_2 + 0x23) can write past the end of the destination buffer local_428 and cause a buffer overflow.

Remediation

Guarantee that storage for strings has sufficient space for the character data and the null terminator. Avoid unsafe functions such as sprintf(); use snprintf() or sprintf_s() and their variants instead, and check their return value for truncation. Double check that your buffer is as large as you specify. Check buffer boundaries when accessing the buffer in a loop and make sure there is no danger of writing past the allocated space.
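The following is an added example, not the advisory's code and not TP-Link firmware. It rebuilds the URL-formatting step from the listing above the way the remediation describes: snprintf() with a fixed-size destination and a checked return value, so an over-long prefix is rejected rather than written past the buffer. The 256-byte buffer size, the function names, and the "code" query value are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not the advisory's or vendor's code). The template mirrors the
 * URL shape in the decompiled listing; the code value is a constructed stand-in. */
#define RULES_URL_TEMPLATE \
    "https://rule.map.ocn.ad.jp/?ipv6Prefix=%s&ipv6PrefixLength=%d&code=%s"
#define RULES_CODE "CODE_PLACEHOLDER"   /* constructed, not the real token */

/* Hardened replacement for the sprintf() call.
 * Returns 0 and leaves a NUL-terminated URL in buf on success.
 * Returns -1 (and clears buf) if the formatted string would not fit.
 * snprintf() returns the length the full string would have had, so a
 * return value >= buflen means truncation occurred; sprintf() gives no
 * such signal and simply keeps writing past the end of the buffer. */
int build_rules_url(char *buf, size_t buflen, const char *ipv6_prefix, int prefix_len)
{
    if (buf == NULL || buflen == 0 || ipv6_prefix == NULL)
        return -1;

    int n = snprintf(buf, buflen, RULES_URL_TEMPLATE, ipv6_prefix, prefix_len, RULES_CODE);
    if (n < 0 || (size_t)n >= buflen) {
        buf[0] = '\0';          /* do not hand a truncated URL to the caller */
        return -1;
    }
    return 0;
}

/* Small wrapper: 1 if the prefix fits in the assumed 256-byte buffer, else 0. */
int prefix_fits(const char *ipv6_prefix, int prefix_len)
{
    char url[256];              /* assumed buffer size for this example */
    return build_rules_url(url, sizeof url, ipv6_prefix, prefix_len) == 0;
}

int main(void)
{
    char url[256];
    /* Constructed inputs: a normal prefix and an over-long one. */
    const char *normal = "2001:db8::";
    char oversized[600];
    memset(oversized, 'a', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    if (build_rules_url(url, sizeof url, normal, 56) == 0)
        printf("built: %s\n", url);
    if (build_rules_url(url, sizeof url, oversized, 56) != 0)
        printf("rejected: input would not fit a %zu-byte buffer\n", sizeof url);
    return 0;
}
```

The key difference from the original call is that the destination size is passed to the formatting function and the return value is compared against it; a rejected input is an error the caller can log or report, instead of a silent write beyond local_428.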