Cisco RV340 SSL VPN Unauthenticated Remote Code Execution

Disclosed
2022-02-02
Created
2022-05-11

Description

This module exploits a stack buffer overflow in the Cisco RV series routers' SSL VPN
functionality. The default SSL VPN configuration is exploitable, with no authentication
required, and works over the Internet!
The stack is executable and no ASLR is in place, which makes exploitation easier.
Successful execution of this module results in a reverse root shell. A custom payload is
used as Metasploit does not have ARMLE null-free shellcode.
This vulnerability was presented by the Flashback Team at Pwn2Own Austin 2021 and OffensiveCon
2022. For more information check the referenced advisory.
This module has been tested on firmware versions 1.0.03.15 and above and works with around
65% reliability. The service restarts automatically so you can keep trying until you pwn it.
Only the RV340 router was tested, but other RV series routers should work out of the box.
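The description above points at two absent mitigations on the target, an executable stack and no ASLR, which is what turns a stack overflow into reliable code execution. As an added example (not part of this module, of Metasploit, or of the Flashback Team's research), the following Python script shows the check a firmware reviewer would run on an ELF32 ARM little-endian binary extracted from an image: it parses the program headers and reports whether the PT_GNU_STACK entry marks the stack non-executable, and whether the file is position-independent (ET_DYN), which ASLR needs in order to randomize the executable itself. The two sample images are constructed inline from headers only; no real Cisco binary, path or version is assumed.

```python
import struct
import sys

# ELF constants (from the System V ABI / Linux headers)
PT_GNU_STACK = 0x6474E551   # program header carrying the stack permission bits
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
ET_EXEC, ET_DYN = 2, 3      # fixed-address executable vs. position-independent
EM_ARM = 40

ELF32_EHDR = "<16sHHIIIIIHHHHHH"   # 52-byte ELF32 little-endian header
ELF32_PHDR = "<8I"                 # 32-byte program header


def parse_elf32_le(data):
    """Return (e_type, e_machine, program headers) for an ELF32 little-endian image."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1 or data[5] != 1:
        raise ValueError("only ELF32 little-endian is handled here")
    (_ident, e_type, e_machine, _ver, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = \
        struct.unpack_from(ELF32_EHDR, data, 0)
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type, _off, _vaddr, _paddr, _filesz, _memsz, p_flags, _align) = \
            struct.unpack_from(ELF32_PHDR, data, off)
        phdrs.append({"type": p_type, "flags": p_flags})
    return e_type, e_machine, phdrs


def check_mitigations(data):
    """Report NX-stack and PIE status; absent PT_GNU_STACK is treated as executable,
    which is how the Linux loader falls back on most architectures."""
    e_type, e_machine, phdrs = parse_elf32_le(data)
    stack = [p for p in phdrs if p["type"] == PT_GNU_STACK]
    nx_stack = bool(stack) and not (stack[0]["flags"] & PF_X)
    return {
        "arch_arm": e_machine == EM_ARM,
        "pie": e_type == ET_DYN,        # ASLR can only randomize the image if it is ET_DYN
        "nx_stack": nx_stack,
    }


def build_elf32(e_type, stack_flags=None):
    """Constructed minimal ELF32 ARM image (headers only, no code) used as sample input."""
    phdrs = []
    if stack_flags is not None:
        phdrs.append(struct.pack(ELF32_PHDR, PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16))
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS32, LSB, EV_CURRENT
    hdr = struct.pack(ELF32_EHDR, ident, e_type, EM_ARM, 1, 0, 52, 0, 0,
                      52, 32, len(phdrs), 0, 0, 0)
    return hdr + b"".join(phdrs)


# Constructed samples: the first mirrors the situation the advisory describes
# (executable stack, fixed load address), the second a hardened build.
WEAK_ELF = build_elf32(ET_EXEC, PF_R | PF_W | PF_X)
HARDENED_ELF = build_elf32(ET_DYN, PF_R | PF_W)

if __name__ == "__main__":
    # Usage: python check_elf.py <binary extracted from firmware>
    with open(sys.argv[1], "rb") as f:
        print(check_mitigations(f.read()))
```

A binary that reports `nx_stack: False` or `pie: False` is one where a memory-corruption bug is far easier to turn into code execution, so these two flags are worth collecting across every service in a firmware image when prioritizing patching.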

Authors

Pedro Ribeiro pedrib@gmail.com
Radek Domanski radek.domanski@gmail.com

Platform

Linux

Architectures

armle

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


msf > use exploit/linux/misc/cisco_rv340_sslvpn
msf exploit(cisco_rv340_sslvpn) > show targets
...targets...
msf exploit(cisco_rv340_sslvpn) > set TARGET < target-id >
msf exploit(cisco_rv340_sslvpn) > show options
...show and set options...
msf exploit(cisco_rv340_sslvpn) > exploit
