Authenticated command injection in TP-Link router configuration import

This repository is a real proof-of-concept exploit for CVE-2026-3227 targeting vulnerable TP-Link router firmware. Its purpose is to take a legitimate router backup, decrypt it, modify a specific XML field used later in command construction, and then re-encrypt the configuration into a format the router will accept. The exploit chain is: decrypt backup -> edit XML -> re-encrypt using the vendor's own native code under emulation -> manually upload the malicious backup -> trigger Port Triggering processing so the injected shell fragment executes as root. Repository structure: the main operator entry point is POC/generate_payload.py, which orchestrates the workflow. POC/python_utils/decrypt_config.py implements DES-ECB decryption with a hardcoded key (478da50bf9e3d2cf), MD5 verification, and a custom decompression routine to recover the XML configuration. POC/python_utils/xml_editor.py locates the WANIPConnection block with Name val='ewan_ipoe_d' and updates or inserts the X_TP_IfName attribute value with the attacker-supplied payload. POC/python_utils/encrypt_config.py does not reimplement the router encryption algorithm; instead it launches qemu-mipsel against an extracted TP-Link httpd binary with LD_PRELOAD=create_config.so and QEMU_LD_PREFIX=squashfs-root so the router's own libraries generate a valid encrypted config. POC/c_hook/create_config.c is the key offensive component: a MIPS-targeted shared object that hooks __uClibc_main, replaces the program's main with harness_main, dlopens libcutil.so and libcmm.so, resolves internal functions such as cen_compressBuff, cen_md5MakeDigest, cen_desMinDo, and computes the DES key address from dm_shmInit/libcmm base offsets. compile_hook.sh builds this shared object for MIPS little-endian. Main exploit capability: authenticated persistent OS command injection via malicious configuration restore. The README states the vulnerable sink is an iptables command built from unsanitized X_TP_IfName data and executed through util_execSystem/system(). The provided example payload is ';reboot;' and the repository notes a practical payload length limit of roughly 15 characters. This is enough for destructive actions like persistent reboot loops and potentially compact backdoor/bootstrap commands. The exploit is operational rather than weaponized: it includes a working payload-generation pipeline and native-code hook, but payload delivery and triggering are still partly manual and environment-specific. Fingerprintable targets/endpoints include the router upload endpoint http://192.168.0.1/cgi/confup, the management page http://192.168.0.1/mainFrame.htm, the example router IP 192.168.0.1, the required JSESSIONID cookie, and local file/library paths such as squashfs-root/usr/bin/httpd, libcutil.so, libcmm.so, and create_config.so. No external C2 or remote callback infrastructure is present; the exploit is focused on local generation of a malicious config and authenticated upload to the router web interface.