Authenticated command injection in TP-Link /userRpm/WlanNetworkRpm

This repository is a minimal Python proof-of-concept exploit consisting of a single executable script (xp.py) and a trivial README containing only an image link. The script is a standalone remote command injection exploit targeting TP-Link router functionality related to wireless configuration. It supports two exploitation paths: (1) an HTTP-based attack against the router web admin endpoint /userRpm/WlanNetworkRpm.htm, and (2) a UDP-based TDDP mode that sends a crafted packet to port 1040. In both cases, the exploit places shell metacharacters around an attacker-controlled command in an SSID-related field, indicating the underlying vulnerability is command injection during processing of wireless settings. The HTTP mode uses a Cookie header with Authorization=Basic <base64> and defaults to admin/admin credentials, then submits parameters such as ssid1, channel, mode, chanWidth, secType, and Save. The TDDP mode builds a 380-byte buffer, writes integer values at fixed offsets, inserts the command into a 32-byte SSID field, and sends the packet over UDP. The default payload is a benign reconnaissance command ('uname -a'), but the user can supply arbitrary commands with -cmd. Overall, this is a real exploit script, not a detector, and is operational but basic: it provides direct RCE capability with hardcoded protocol logic and limited response handling.

This repository contains a Metasploit auxiliary module (tplink_ssid1_rce.rb) that exploits an authenticated command injection vulnerability (CVE-2023-33538) in TP-Link TL-WR940N (V2/V4) and TL-WR841N (V8/V10) routers. The exploit targets the 'ssid1' parameter in the /userRpm/WlanNetworkRpm.htm HTTP endpoint, allowing arbitrary shell command execution on the device. The module requires the attacker to supply a valid Authorization cookie and session path, which must be manually extracted after logging into the router's web interface. The exploit is operational, allowing the user to specify any shell command to execute. The repository includes a README with usage instructions and references, and the main exploit logic is implemented in a single Ruby file compatible with the Metasploit framework.

This repository contains a Python exploit script (tplink.py) targeting a command injection vulnerability in TP-Link TL-WR940N and TL-WR841N routers. The exploit abuses improper input sanitization in the 'ssid1' parameter of the '/userRpm/WlanNetworkRpm.htm' HTTP endpoint, allowing an attacker to execute arbitrary commands on the router. The script supports three main functions: testing for vulnerability (default command: reboot), executing custom commands, and obtaining a reverse shell (if the router supports the required binaries). The script can automatically detect random path components in the URL, which are present in some firmware versions. The exploit requires valid credentials (default: admin/admin) and network access to the router. The repository consists of a README.md with usage instructions and a single Python script implementing the exploit logic. No detection-only scripts or fake payloads are present; the code is operational and provides real exploitation capabilities.