06/01/2021

How We Hacked a TP-Link Router and Took Home $55,000 in Pwn2Own

Learn tricks and techniques like these, with us, on our embedded device hacking training!

http://training.flashback.sh/

In this video we will show you how we found and exploited vulnerabilities in the TP-Link Archer AC1750 to win $5,000 in Pwn2Own Tokyo 2019.

We made a total of $55,000 hacking routers in this competition!

For in-depth details, refer to our advisories:

https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2019/lao_bomb/lao_bomb.md

https://github.com/rdomanski/Exploits_and_Advisories/blob/master/advisories/Pwn2Own/Tokyo2020/minesweeper.md

The two advisories complement each other: the first describes the process we used to pwn this router in 2019, and the second describes how, in 2020, we found that TP-Link had improperly patched the command injection. We used that knowledge to improve the exploit so that it works on both the old and the newer "patched" firmware versions.

The command injection shown in this video is the improved version.

The vulnerabilities exploited in this video are:

- CVE-2020-10882

- CVE-2020-10883

- CVE-2020-10884

- CVE-2020-28347

All vulnerabilities have been fixed by TP-Link in current firmware versions.
