CVE-2017-13772
published 2017-10-23
Priority: P2 (72, high) · CVSS 3.0 base score 8.8 · vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS 52.56% (98.8th percentile)
Multiple stack-based buffer overflows in TP-Link WR940N WiFi routers with hardware version 4 allow remote authenticated users to execute arbitrary code via the (1) ping_addr parameter to PingIframeRpm.htm or (2) dnsserver2 parameter to WanStaticIpV6CfgRpm.htm.
Detection & IOCs (extracted from sources)
- bytes: 41*160 + sleep_addr + call_gadget + sleep_gadget + 4A*28 + stack_gadget + shellcode (payload layout)
- bytes: \x2a\xb3\x5c\xa0
- bytes: \x2a\xb2\xe9\x74
- bytes: \x2a\xb1\xbf\xa8
- bytes: \x2a\xb2\x26\xd8
- bytes: \x2A\xB3\x7C\x60
- bytes: \x2A\xB1\x78\x40
- bytes: \x2a\xb3\x50\x90
- bytes: \x2A\xAF\x84\xC0
- bytes: \x2A\xB2\xDC\xF0
- bytes: \x26\x40\x08\x01 (XOR $t0,$t0,$t0 NOP sled, repeated 12 times)
- Detect exploit attempts by monitoring HTTP GET requests to /userRpm/PingIframeRpm.htm where the 'ping_addr' parameter value is abnormally long (>160 bytes) or contains non-IP characters, indicating a buffer overflow attempt.
- Detect exploit attempts by monitoring HTTP GET requests to /userRpm/WanStaticIpV6CfgRpm.htm where the 'dnsserver2' parameter value is abnormally long (>111 bytes) or contains binary/shellcode content.
- Alert on TCP connections involving port 31337 on a TP-Link router management IP: outbound from the router to an external host (the WDR4300 exploit's reverse shell, for which the attacker runs a listener on 31337) and inbound to the router on 31337 (the WR940N exploit's bind shell). 31337 is the hardcoded port in both public exploits.
- Detect the exploit's authentication pattern: HTTP requests to /userRpm/LoginRpm.htm?Save=Save carrying a Cookie header of the form 'Authorization=Basic <base64>' where the credential encodes admin:<md5hash> rather than admin:<plaintext>.
- Look for the MIPS NOP sled signature (\x26\x40\x08\x01 repeated) in HTTP request bodies or parameters targeting TP-Link router endpoints; this is the XOR-based NOP used in the shellcode delivery.
- Flag HTTP requests to PingIframeRpm.htm that include a Referer header pointing to DiagnosticRpm.htm combined with an oversized ping_addr parameter; this matches the exploit's exact request construction.
- Identify the WDR4300 exploit variant by checking the WWW-Authenticate response header for the string 'WDR4300', which the exploit uses to fingerprint the target before delivering the payload.
- Detect known ROP gadget addresses in HTTP request parameters: presence of the byte sequences \x2a\xb2\xe9\x74, \x2a\xb1\xbf\xa8, \x2a\xb2\x26\xd8, \x2a\xb3\x5c\xa0 (WDR4300 libc offsets) or \x2A\xB3\x7C\x60, \x2A\xB1\x78\x40, \x2A\xAF\x84\xC0, \x2A\xB2\xDC\xF0 (WR940N libc offsets) in URL-encoded parameters.
- Note: the ROP gadget addresses and libc base (0x2aae2000) are firmware-version specific. The WDR4300 exploit targets firmware 3.13.33 and 3.14.3; the WR940N exploit targets a different firmware build. Gadget addresses will differ across firmware versions and hardware revisions, so byte-signature rules should be treated as covering only these builds.
- Note: the exploit's bad characters are 0x20 (space) and 0x00 (null). Any attacker IP address with an octet equal to 0 or 32 will corrupt the shellcode, limiting which attacker IPs can be used in the reverse-shell payload.
- Note: the NVD entry references TP-Link WR940N hardware version 4, but public exploits also demonstrate exploitation of the WDR4300 v1 (N750). Detection rules should cover both device models.
- Note: older firmware (e.g., 3.13.33) uses the HTTP Basic Authorization header directly rather than the cookie-based auth flow used in newer firmware. Detection logic must account for both authentication patterns.
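As an added example (not code from this page's sources or from either exploit author), the checker below applies the request-level rules above to raw HTTP requests: the per-parameter length thresholds, the non-address check on ping_addr, the binary-content check on dnsserver2, the DiagnosticRpm.htm Referer correlation, the MIPS NOP sled and the listed gadget addresses. Values are percent-decoded to bytes rather than text, because shellcode is not valid UTF-8. The sample requests are constructed, not captured traffic; the endpoint paths, thresholds and byte signatures are the ones listed above, and the decision to accept a plain hostname in ping_addr (the page only says "non-IP characters") is my assumption.

```python
"""Rule-based detector for CVE-2017-13772 exploit attempts against the TP-Link
WR940N / WDR4300 web UI, written from the detection notes on this page."""
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Byte-level indicators listed on the page: MIPS XOR $t0,$t0,$t0 NOP and ROP gadget addresses.
# Three repeats of the NOP is enough to flag; the public exploit uses twelve.
NOP_SLED = b"\x26\x40\x08\x01" * 3
GADGETS = {
    "WDR4300": [b"\x2a\xb2\xe9\x74", b"\x2a\xb1\xbf\xa8", b"\x2a\xb2\x26\xd8", b"\x2a\xb3\x5c\xa0"],
    "WR940N":  [b"\x2A\xB3\x7C\x60", b"\x2A\xB1\x78\x40", b"\x2A\xAF\x84\xC0", b"\x2A\xB2\xDC\xF0"],
}
# (endpoint, parameter) -> maximum length before the value is considered an overflow attempt.
LIMITS = {
    ("/userRpm/PingIframeRpm.htm", "ping_addr"): 160,
    ("/userRpm/WanStaticIpV6CfgRpm.htm", "dnsserver2"): 111,
}
IPV4 = re.compile(rb"^\d{1,3}(\.\d{1,3}){3}$")
HOSTNAME = re.compile(rb"^[A-Za-z0-9.-]{1,253}$")   # assumption: ping may take a hostname


def parse_request(raw: str):
    """Split a raw request (request line + headers) into path, raw query string and headers."""
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return method, parts.path, parts.query, headers


def raw_params(query: str):
    """Percent-decode every value to bytes; never .decode(), shellcode is not text."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote_to_bytes(key).decode("latin-1")] = unquote_to_bytes(value)
    return params


def analyze_request(raw: str):
    """Return the names of the rules this request triggers (empty list means no finding)."""
    findings = []
    _, path, query, headers = parse_request(raw)
    params = raw_params(query)
    for (rule_path, name), limit in LIMITS.items():
        if path != rule_path or name not in params:
            continue
        value = params[name]
        oversized = len(value) > limit
        if oversized:
            findings.append(f"oversized {name} ({len(value)} bytes > {limit})")
        if name == "ping_addr" and not (IPV4.match(value) or HOSTNAME.match(value)):
            findings.append("ping_addr contains non-address characters")
        if name == "dnsserver2" and any(b < 0x20 or b > 0x7E for b in value):
            findings.append("dnsserver2 contains binary content")
        if name == "ping_addr" and oversized and \
                "diagnosticrpm.htm" in headers.get("referer", "").lower():
            findings.append("oversized ping_addr with DiagnosticRpm.htm referer")
    # Signature checks run over all decoded parameter values, whatever the endpoint.
    blob = b"".join(params.values())
    if NOP_SLED in blob:
        findings.append("MIPS XOR NOP sled present")
    for model, addrs in GADGETS.items():
        if any(addr in blob for addr in addrs):
            findings.append(f"known {model} ROP gadget address present")
    return findings


# Constructed sample requests (router at a private address; no real traffic).
BENIGN_REQUEST = (
    "GET /userRpm/PingIframeRpm.htm?ping_addr=8.8.8.8&doType=ping HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\nReferer: http://192.168.0.1/userRpm/DiagnosticRpm.htm\r\n"
)
OVERSIZED_PING_REQUEST = (
    "GET /userRpm/PingIframeRpm.htm?ping_addr=" + "A" * 161 + "%26%40%08%01" * 3
    + "&doType=ping HTTP/1.1\r\nHost: 192.168.0.1\r\n"
    "Referer: http://192.168.0.1/userRpm/DiagnosticRpm.htm\r\n"
)
DNS_GADGET_REQUEST = (
    "GET /userRpm/WanStaticIpV6CfgRpm.htm?dnsserver2=" + "B" * 112 + "%2A%B3%7C%60"
    + " HTTP/1.1\r\nHost: 192.168.0.1\r\n"
)

if __name__ == "__main__":
    for label, req in [("benign", BENIGN_REQUEST), ("ping overflow", OVERSIZED_PING_REQUEST),
                       ("dns gadget", DNS_GADGET_REQUEST)]:
        print(label, "->", analyze_request(req) or "clean")
```

The length rules on their own are the cheapest to deploy (a WAF or proxy can enforce them with no byte inspection); the signature rules are specific to the two firmware builds named above and will miss a re-rolled gadget chain, which is why the oversized-parameter checks should stay on even where signatures are used.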
CVSS provenance
- NVD, CVSS v3.0: 8.8 HIGH, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C
No detection rules found.
Exploit-DB: CVE-2017-13772 [HIGH] TP-Link WDR4300 - Remote Code Execution (Authenticated)
exploitdb · 2020-11-05 · CVSS 8.8
---
# Exploit Title: TP-Link WDR4300 - Remote Code Execution (Authenticated)
# Date: 2020-08-28
# Exploit Author: Patrik Lantz
# Vendor Homepage: https://www.tp-link.com/se/home-networking/wifi-router/tl-wdr4300/
# Version: TL-WDR4300, N750 Wireless Dual Band Gigabit Router
# Tested on: Firmware version 3.13.33 and 3.14.3
# CVE : CVE-2017-13772
#!/usr/bin/python3
import sys
import hashlib
import base64
import requests
import binascii
import socket
"""
RCE via stack-based overflow on TP-Link WDR4300 (N750) devices, using CVE-2017-13772.
Tested on Firmware versions 3.13.33, Build 130618 and 3.14.3 Build 150518, hardware WDR4300 v1
Usage:
1) Start listener on attacker machine: nc -nlvvp 31337
2) Execute script: python exploit.py
Exploit-DB: CVE-2017-13772 TP-Link WR940N - (Authenticated) Remote Code
exploitdb · 2017-10-17
---
import urllib2
import base64
import hashlib
from optparse import *
import sys
import urllib
banner = (
"___________________________________________________________________________\n"
"WR940N Authenticated Remote Code Exploit\n"
"This exploit will open a bind shell on the remote target\n"
"The port is 31337, you can change that in the code if you wish\n"
"This exploit requires authentication, if you know the creds, then\n"
"use the -u -p options, otherwise default is admin:admin\n"
"___________________________________________________________________________"
)
def login(ip, user, pwd):
print "[+] Attempting to login to http://%s %s:%s"%(ip,user,pwd)
#### Generate the auth cookie of the form b64enc('admin:' + md5('admin'))
hash = hashlib.md
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/158999/TP-Link-WDR4300-Remote-Code-Execution.html
- https://www.exploit-db.com/exploits/43022/
- https://www.fidusinfosec.com/tp-link-remote-code-execution-cve-2017-13772/