Archer c7 traversal #18003
Co-authored-by: bcoles <bcoles@gmail.com>
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools. We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:
You can automate most of these changes with the
Please update your branch after these have been made, and reach out if you have any problems.
@@ -0,0 +1,44 @@ | |||
## Vulnerable Application | |||
|
|||
This module attempts to spider files from an archer c7 router using a known traversal vulnerability |
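Review bot: the description line "This module attempts to spider files from an archer c7 router" overstates what the module does and names no version: the verification steps set a single FILE option and the release note calls it "a specific file", so the sentence should say it retrieves the file named in FILE through the traversal, and this section should record the firmware it was tested against (C7_V1_141204_US, per the thread) and the identifier CVE-2015-3035 from the release note, since nothing else in the doc tells a reader which devices are in scope.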
Is there a firmware version?
After scouring and searching my old data, I found the version and firmware tested on: C7_V1_141204_US
# Current source: https://github.com/rapid7/metasploit-framework | ||
## | ||
|
||
class MetasploitModule < Msf::Auxiliary |
Since this gets the file, perhaps it would make more sense as a gather module?
I had no idea there was even a gather section until now. I was mostly modeling off of other traversal modules and scanners like dirb. I'm not sure if it belongs with them or in the gather bucket since it can easily go either way.
I second @bwatters-r7 on this. Scanner modules are usually used to find and report on a vulnerability, not to exploit them. I understand many scanner modules in Metasploit are not following this rule, but this is the direction we would like to take. If a module gathers information by exploiting a vulnerability, a gather module is the best option. This kind of module can have check and exploit methods. The former can be used as a simple scanner to check if the host is vulnerable and the latter actually exploits the vulnerability to gather the data.
Note that the RHOSTS option is very flexible and can be used to run both methods against multiple targets without the need of a scanner module. You can, for example, use CIDR syntax or get the list of targets from a local file using the file:// prefix.
So, after reading the next comment, I realize you might not have the actual device to test. This will be a problem if you radically change the module structure, like I suggested just above. With that in mind, it might be better to keep the scanner module implementation as it is right now, or we won't be able to accept it. I suppose this has been thoroughly tested when you had access to the router. That said, if you have HTTP traces and/or PCAP you recorded at this time, that would be helpful for us.
I do actually. I have a pcap of the exploit taken ahead of time:
archerc7traversal.pcapng.gz
I also have been attempting to gain access to the router that I used, but I'm unsure if it's bricked or not. If I am to test it, it would be a while.
] | ||
) | ||
end | ||
|
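Review bot: the options block closes here and no `check` method follows it; even without the device on hand, a `check` that requests the FILE path through the traversal and returns Vulnerable on a 200 carrying file content and Safe on a 404 (the "produces a file or a 404" behaviour described later in this thread) would give users something to run before `run` pulls the file, and it costs nothing that the current code does not already do.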
It would be nice to have a check method; it does not need to be major, but something to verify we're talking to a router that looks to be the right version/model.
So... this module was developed last fall for a grad project. The router I was testing with was being loaned for the semester, and I cannot find the firmware description to save my life. So I won't be able to add a check or a version finder if I wanted to. The check in this case is whether it produces a file or a 404, sadly.
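The gather-module comment earlier in the thread (a `check` method next to the method that exploits, with RHOSTS accepting CIDR or `file://`) and the request for a check method just above describe the same split. The Ruby below is an added example, not the module from this PR: it shows that split against a constructed in-memory HTTP stub so it runs offline. The traversal prefix `/../../..`, the `StubHttp` transport, the `CheckCode` stand-in and every response in it are assumptions; the actual Archer C7 request is not shown on this page and is not reproduced here. The point it makes about the "file or a 404" check is that a 200 alone is not proof, because many embedded web servers answer 200 with an error page, so the check asks for a file whose content it can recognise.

```ruby
# Added example, not the module from this PR. It sketches the split the
# reviewers ask for: a non-destructive `check` that classifies one host, and a
# `run` that pulls the requested FILE, plus expansion of an RHOSTS-style target
# spec (CIDR, file://). The traversal prefix, the StubHttp transport and every
# response below are constructed assumptions; the real Archer C7 request is not
# shown on this page and is not reproduced here.
require 'ipaddr'
require 'tempfile'

# Expand a space-separated RHOSTS spec into individual hosts.
# Supports plain addresses, CIDR ranges and file://path (one entry per line).
def expand_rhosts(spec)
  spec.split.flat_map do |tok|
    if tok.start_with?('file://')
      File.readlines(tok.delete_prefix('file://'), chomp: true)
          .map(&:strip).reject(&:empty?)
          .flat_map { |line| expand_rhosts(line) }
    elsif tok.include?('/')
      IPAddr.new(tok).to_range.map(&:to_s)
    else
      [tok]
    end
  end.uniq
end

# Stand-in for the framework's CheckCode values (assumed, simplified).
module CheckCode
  VULNERABLE = :vulnerable
  SAFE       = :safe
  UNKNOWN    = :unknown
end

# Constructed in-memory transport: path => [status, body]; unknown paths 404.
class StubHttp
  def initialize(routes)
    @routes = routes
  end

  def get(path)
    @routes.fetch(path) { [404, 'Not Found'] }
  end
end

class TraversalGather
  # `prefix` is an assumed placeholder, not the Archer C7 traversal string.
  def initialize(http, prefix: '/../../..')
    @http = http
    @prefix = prefix
  end

  # Build the request path; accept FILE with or without a leading slash.
  def traversal_path(file)
    "#{@prefix}/#{file.sub(%r{\A/+}, '')}"
  end

  # check: request a file whose content is recognisable. A 200 alone is not
  # proof (error pages come back as 200 too); a 404 means the path was rejected.
  def check
    status, body = @http.get(traversal_path('/etc/passwd'))
    case status
    when 200 then body.match?(/^root:[^:]*:0:0:/) ? CheckCode::VULNERABLE : CheckCode::SAFE
    when 404 then CheckCode::SAFE
    else CheckCode::UNKNOWN
    end
  end

  # run: retrieve FILE through the traversal and return its bytes
  # (a real gather module would hand them to store_loot). nil on a miss.
  def run(file)
    status, body = @http.get(traversal_path(file))
    status == 200 ? body : nil
  end
end

# Constructed sample hosts: one vulnerable, one that answers 200 with an error page.
SAMPLE_VULNERABLE = StubHttp.new(
  '/../../../etc/passwd' => [200, "root:x:0:0:root:/root:/bin/sh\nadmin:x:500:500::/home/admin:/bin/sh\n"],
  '/../../../etc/shadow' => [200, "root:!:0:0:99999:7:::\n"]
)
SAMPLE_PATCHED = StubHttp.new(
  '/../../../etc/passwd' => [200, '<html><body>Not allowed</body></html>']
)

if __FILE__ == $PROGRAM_NAME
  p expand_rhosts('192.168.0.0/30 10.1.1.1')
  p TraversalGather.new(SAMPLE_VULNERABLE).check
  p TraversalGather.new(SAMPLE_PATCHED).check
  print TraversalGather.new(SAMPLE_VULNERABLE).run('etc/shadow')
end
```

In a real module the `check` target would be whatever file the firmware is known to expose; `/etc/passwd` is used here only because its format is easy to recognise. The same content test is what lets `run` tell a retrieved file from a 200 that merely echoes an error page.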
Thanks @rad10 for your contribution. I reviewed the PCAP and everything looks good to me. I'll go ahead and land it.
Release Notes
This adds a scanner module that gathers a specific file by leveraging a directory traversal vulnerability in TP-LINK Archer C7 routers. This vulnerability is identified as CVE-2015-3035.
Vulnerable Application
This module attempts to spider files from a TP-LINK Archer C7 router using a known directory traversal vulnerability (CVE-2015-3035). It was tested against firmware version C7_V1_141204_US.
Verification Steps
1. `use auxiliary/scanner/http/archer_c7_traversal`
2. `set RHOSTS <addr>`
3. `set FILE <file>`
4. `run`
Scenarios
Archer C7