TP-Link Archer A7/C7 Unauthenticated LAN Remote Code Execution
Description
This module exploits a command injection vulnerability in the tdpServer daemon (/usr/bin/tdpServer), running on the router TP-Link Archer A7/C7 (AC1750), hardware version 5, MIPS Architecture, firmware version 190726. The vulnerability can only be exploited by an attacker on the LAN side of the router, but the attacker does not need any authentication to abuse it. After exploitation, an attacker will be able to execute any command as root, including downloading and executing a binary from another host. This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team (Pedro Ribeiro + Radek Domanski). This module was updated in November 2020, after a bypass was discovered for the patch TP-Link issued. The new injection technique works on older firmware too. All firmware versions up to (but excluding) releases 201029 and 201030 are exploitable.
Author(s)
- Pedro Ribeiro <pedrib@gmail.com>
- Radek Domanski <radek.domanski <Radek Domanski <radek.domanski@gmail.com> @RabbitPro>
Platform
Linux
Architectures
mipsbe
Development
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/linux/misc/tplink_archer_a7_c7_lan_rce
msf exploit(tplink_archer_a7_c7_lan_rce) > show targets
...targets...
msf exploit(tplink_archer_a7_c7_lan_rce) > set TARGET < target-id >
msf exploit(tplink_archer_a7_c7_lan_rce) > show options
...show and set options...
msf exploit(tplink_archer_a7_c7_lan_rce) > exploit
- Collect and share all the information you need to conduct a successful and efficient penetration test
- Simulate complex attacks against your systems and users
- Test your defenses to make sure they’re ready
- Automate Every Step of Your Penetration Test
Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.
– Jim O’Gorman | President, Offensive Security