CVE-2017-13772
published 2017-10-23

CVE-2017-13772: Multiple stack-based buffer overflows in TP-Link WR940N WiFi routers with hardware version 4 allow remote authenticated users to execute arbitrary code via the…

Priority: P2 · 72 · high · CVSS 3.0 base score 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 52.56% (98.8th percentile)
Multiple stack-based buffer overflows in TP-Link WR940N WiFi routers with hardware version 4 allow remote authenticated users to execute arbitrary code via the (1) ping_addr parameter to PingIframeRpm.htm or (2) dnsserver2 parameter to WanStaticIpV6CfgRpm.htm.

Detection & IOCs (extracted from sources)

url: /userRpm/PingIframeRpm.htm
url: /userRpm/WanStaticIpV6CfgRpm.htm
url: /userRpm/LoginRpm.htm?Save=Save
cookie: Authorization=Basic <base64(admin:md5(password))>
port: 31337
command: ping_addr=<payload>&doType=ping&isNew=new&sendNum=4&pSize=64&overTime=800&trHops=20
command: dnsserver2=<payload>&ipv6Enable=on&wantype=2&ipType=2&mtu=1480&dnsType=1
bytes: 41*160 + sleep_addr + call_gadget + sleep_gadget + 4A*28 + stack_gadget + shellcode
bytes: \x2a\xb3\x5c\xa0
bytes: \x2a\xb2\xe9\x74
bytes: \x2a\xb1\xbf\xa8
bytes: \x2a\xb2\x26\xd8
bytes: \x2A\xB3\x7C\x60
bytes: \x2A\xB1\x78\x40
bytes: \x2a\xb3\x50\x90
bytes: \x2A\xAF\x84\xC0
bytes: \x2A\xB2\xDC\xF0
bytes: \x26\x40\x08\x01 (XOR $t0,$t0,$t0 NOP sled, repeated 12 times)
  • Detect exploit attempts by monitoring HTTP GET requests to /userRpm/PingIframeRpm.htm where the 'ping_addr' parameter value is abnormally long (>160 bytes) or contains non-IP characters, indicating a buffer overflow attempt.
  • Detect exploit attempts by monitoring HTTP GET requests to /userRpm/WanStaticIpV6CfgRpm.htm where the 'dnsserver2' parameter value is abnormally long (>111 bytes) or contains binary/shellcode content.
  • Alert on outbound TCP connections from TP-Link router management IPs to attacker-controlled hosts on port 31337, which is the hardcoded reverse/bind shell port used in both public exploits.
  • Detect the exploit's authentication pattern: HTTP requests to /userRpm/LoginRpm.htm?Save=Save carrying a Cookie header of the form 'Authorization=Basic <base64>' where the credential encodes admin:<md5hash> rather than admin:<plaintext>.
  • Look for the MIPS NOP sled signature (\x26\x40\x08\x01 repeated) in HTTP request bodies or parameters targeting TP-Link router endpoints, as this is the XOR-based NOP used in the shellcode delivery.
  • Flag HTTP requests to PingIframeRpm.htm that include a Referer header pointing to DiagnosticRpm.htm, combined with an oversized ping_addr parameter — this matches the exploit's exact request construction.
  • Identify the WDR4300 exploit variant by checking the WWW-Authenticate response header for the string 'WDR4300', which the exploit uses to fingerprint the target before delivering the payload.
  • Detect known ROP gadget addresses in HTTP request parameters: presence of byte sequences \x2a\xb2\xe9\x74, \x2a\xb1\xbf\xa8, \x2a\xb2\x26\xd8, \x2a\xb3\x5c\xa0 (WDR4300 libc offsets) or \x2A\xB3\x7C\x60, \x2A\xB1\x78\x40, \x2A\xAF\x84\xC0, \x2A\xB2\xDC\xF0 (WR940N libc offsets) in URL-encoded parameters.
  • The ROP gadget addresses and libc base (0x2aae2000) are firmware-version specific. The WDR4300 exploit targets firmware 3.13.33 and 3.14.3; the WR940N exploit targets a different firmware build. Gadget addresses will differ across firmware versions and hardware revisions.
  • The exploit bad characters are 0x20 (space) and 0x00 (null). Any attacker IP containing octets .0. or .32. will cause shellcode corruption, limiting the range of attacker IPs usable in the reverse shell payload.
  • The NVD entry references TP-Link WR940N hardware version 4, but public exploits also demonstrate exploitation of WDR4300 v1 (N750). Detection rules should cover both device models.
  • Older firmware (e.g., 3.13.33) uses HTTP Basic Authorization header directly rather than the cookie-based auth flow used in newer firmware. Detection logic must account for both authentication patterns.
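The detection bullets above can be turned into a small rule set that runs over request and flow records. The following is an added example written for this page, not code from the CVE database or from either public exploit. It assumes a hypothetical event schema (an `http` event carrying the request path with query string and a header dict; a `flow` event carrying whether the source is a router management IP and the destination port); the sample events and the cookie credential are constructed, and the thresholds and byte patterns are the ones quoted in the bullets.

```python
import base64
import hashlib
import re
from urllib.parse import unquote_to_bytes

# Thresholds and byte patterns come from the detection bullets on this page.
PING_ADDR_MAX = 160
DNSSERVER2_MAX = 111
SHELL_PORT = 31337
NOP_UNIT = b"\x26\x40\x08\x01"            # MIPS XOR $t0,$t0,$t0 used as a NOP
GADGETS = {                               # libc gadget addresses quoted on the page
    "WDR4300": (b"\x2a\xb2\xe9\x74", b"\x2a\xb1\xbf\xa8", b"\x2a\xb2\x26\xd8", b"\x2a\xb3\x5c\xa0"),
    "WR940N": (b"\x2a\xb3\x7c\x60", b"\x2a\xb1\x78\x40", b"\x2a\xaf\x84\xc0", b"\x2a\xb2\xdc\xf0"),
}
IP_LITERAL = re.compile(rb"^[0-9A-Fa-f.:]{1,45}$")   # loose IPv4/IPv6 literal
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def parse_query(query: str) -> dict:
    """Return {name: raw bytes}; unquote_to_bytes keeps %xx binary intact."""
    params = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params[name] = unquote_to_bytes(value)
    return params


def analyze_http(path: str, headers: dict) -> list:
    """Apply the HTTP-side rules to one request; returns the names of rules that fired."""
    findings = []
    route, _, query = path.partition("?")
    route = route.lower()
    params = parse_query(query)

    if route.endswith("/userrpm/pingiframerpm.htm") and "ping_addr" in params:
        value = params["ping_addr"]
        oversized = len(value) > PING_ADDR_MAX
        if oversized or not IP_LITERAL.match(value):
            findings.append("oversized_or_non_ip_ping_addr")
        if oversized and "diagnosticrpm.htm" in headers.get("Referer", "").lower():
            findings.append("diag_referer_with_oversized_ping_addr")

    if route.endswith("/userrpm/wanstaticipv6cfgrpm.htm") and "dnsserver2" in params:
        value = params["dnsserver2"]
        binary = any(b < 0x20 or b >= 0x7F for b in value)   # control or non-ASCII bytes
        if len(value) > DNSSERVER2_MAX or binary:
            findings.append("oversized_or_binary_dnsserver2")

    blob = b"&".join(params.values())
    if NOP_UNIT * 3 in blob:      # three back-to-back units is enough to flag a sled
        findings.append("mips_xor_nop_sled")
    for model, gadgets in GADGETS.items():
        if any(g in blob for g in gadgets):
            findings.append(f"rop_gadget_{model}")

    if route.endswith("/userrpm/loginrpm.htm") and "save=save" in query.lower():
        m = re.search(r"Authorization=Basic\s+([A-Za-z0-9+/=]+)", headers.get("Cookie", ""))
        if m:
            try:
                cred = base64.b64decode(m.group(1)).decode("ascii", "replace")
            except ValueError:
                cred = ""
            user, _, secret = cred.partition(":")
            if user == "admin" and MD5_HEX.match(secret):   # admin:<md5> rather than admin:<plaintext>
                findings.append("admin_md5_cookie_login")
    return findings


def analyze_flow(src_is_router_mgmt: bool, dst_port: int) -> list:
    """Flow-side rule: a router management IP connecting out to the hardcoded shell port."""
    return ["router_outbound_31337"] if src_is_router_mgmt and dst_port == SHELL_PORT else []


def scan_events(events: list) -> list:
    """Run each event through the matching analyzer; return (index, findings) for hits only."""
    hits = []
    for i, ev in enumerate(events):
        if ev["kind"] == "http":
            found = analyze_http(ev["path"], ev.get("headers", {}))
        else:
            found = analyze_flow(ev["router_mgmt_src"], ev["dst_port"])
        if found:
            hits.append((i, found))
    return hits


# Constructed sample events (not captured traffic); the cookie uses a made-up password.
_FAKE_COOKIE = "Authorization=Basic " + base64.b64encode(
    b"admin:" + hashlib.md5(b"constructed-password").hexdigest().encode()).decode()
SAMPLE_EVENTS = [
    {"kind": "http", "path": "/userRpm/PingIframeRpm.htm?ping_addr=192.168.0.1&doType=ping"},
    {"kind": "http",
     "path": "/userRpm/PingIframeRpm.htm?ping_addr=" + "A" * 170 + "%2A%B3%7C%60&doType=ping",
     "headers": {"Referer": "http://192.168.0.1/userRpm/DiagnosticRpm.htm"}},
    {"kind": "http",
     "path": "/userRpm/WanStaticIpV6CfgRpm.htm?dnsserver2=" + "%26%40%08%01" * 12 + "&ipv6Enable=on"},
    {"kind": "http", "path": "/userRpm/LoginRpm.htm?Save=Save", "headers": {"Cookie": _FAKE_COOKIE}},
    {"kind": "flow", "router_mgmt_src": True, "dst_port": 31337},
]

if __name__ == "__main__":
    for index, found in scan_events(SAMPLE_EVENTS):
        print(index, found)
```

The benign first event (an ordinary IPv4 `ping_addr`) produces no finding, while each of the other events trips the rule the corresponding bullet describes. The gadget and NOP checks run against raw percent-decoded bytes rather than a decoded string, because the addresses contain bytes that are not valid text; a text-based parser would silently mangle them and miss the match.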

CVSS provenance

NVD, CVSS v3.0: 8.8 HIGH, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C