tplink_deco_exploits/uboot at main · naf419/tplink_deco_exploits

History

Name		Name	Last commit message	Last commit date
parent directory ..
README.md		README.md
build_fw.py		build_fw.py
deco_all_webfailsafe_faux_fw_tftp_v2.bin		deco_all_webfailsafe_faux_fw_tftp_v2.bin
shellcode		shellcode
shellcode.asm		shellcode.asm
shellcode.bin		shellcode.bin
shellcode.lk		shellcode.lk
shellcode.o		shellcode.o

README.md

Vulnerability

In tplink deco firmware, a modification was made to uboot to add http upload functionality to support firmware installation directly from the bootloader as a failsafe procedure
This modification introduced an unconstrained sscanf reading the "fw-type" field from the user-provided firmware file into a fixed 256-byte stack buffer

Exploit

Take control of PC by overflowing stack buffer enough to overwrite return address
Point new return address to location within user-submitted firmware file to run arbitrary shellcode

Shellcode

Developed to load a boot image via tftp and execute it from RAM, as if following commands were run from a uboot prompt:

setenv serverip 192.168.0.2
setenv ipaddr 192.168.0.1
tftpboot 0x82000000 initramfs-kernel.bin
bootm 0x82000000

dynamically search RAM for required uboot symbols addresses (run_command, NetReceive) so shellcode works on multiple devices with slightly different u-boot builds

Possible Applicable Devices

According to tplink, uboot http recovery is present on the following devices:

Deco E4
Deco M4
Deco P9
Deco M9 Plus
Deco X20/X60 V1 (firmware 1.2.5 or later version)
Deco X20 V1.2 and later version
Deco X60 V2 and later
Deco S4

but these devices come in different "versions" which may have completely different hardware and uboot

Devices With Confirmed Working Exploit

Deco S4 v2
Deco S4R(EU) v2
Deco S4 v2.6
Deco M4R v1
Deco M4R v2
Deco M4R v2.6
Deco P9 v1.80
Deco P9 v2.0
Expecting others should work with dynamic version, let me know if you have tested it with another device/version

Devices that will not work with exploit

Deco S4 v3.6 (ARM board)
Deco M9 Plus V1 and V2 (ARM board)
Deco M4R V3 (ARM board)
Deco X20 V3 (different firmware validation code)

Building

export STAGING_DIR=~/tplink/openwrt/staging_dir/
$STAGING_DIR/toolchain-mips_24kc_gcc-11.3.0_musl/bin/mips-openwrt-linux-musl-as -march mips32r2 shellcode.asm -o shellcode.o
$STAGING_DIR/toolchain-mips_24kc_gcc-11.3.0_musl/bin/mips-openwrt-linux-musl-ld -T shellcode.lk shellcode.o -o shellcode$STAGING_DIR/toolchain-mips_24kc_gcc-11.3.0_musl/bin/mips-openwrt-linux-musl-objcopy -j ".text" -O binary shellcode shellcode.bin
python build_fw.py > deco_all_webfailsafe_faux_fw_tftp.bin

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

uboot

uboot

README.md

Vulnerability

Exploit

Shellcode

Possible Applicable Devices

Devices With Confirmed Working Exploit

Devices that will not work with exploit

Building

Files

uboot

Directory actions

More options

Directory actions

More options

Latest commit

History

uboot

Folders and files

parent directory

README.md

Vulnerability

Exploit

Shellcode

Possible Applicable Devices

Devices With Confirmed Working Exploit

Devices that will not work with exploit

Building