Cisco RV340 SSL VPN Unauthenticated Remote Code Execution
Description
This module exploits a stack buffer overflow in the Cisco RV series routers SSL VPN functionality. The default SSL VPN configuration is exploitable, with no authentication required and works over the Internet! The stack is executable and no ASLR is in place, which makes exploitation easier. Successful execution of this module results in a reverse root shell. A custom payload is used as Metasploit does not have ARMLE null free shellcode. This vulnerability was presented by the Flashback Team in Pwn2Own Austin 2021 and OffensiveCon 2022. For more information check the referenced advisory. This module has been tested in firmware versions 1.0.03.15 and above and works with around 65% reliability. The service restarts automatically so you can keep trying until you pwn it. Only the RV340 router was tested, but other RV series routers should work out of the box.
Author(s)
- Pedro Ribeiro <pedrib@gmail.com>
- Radek Domanski <radek.domanski@gmail.com>
Platform
Linux
Architectures
armle
Development
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/linux/misc/cisco_rv340_sslvpn
msf exploit(cisco_rv340_sslvpn) > show targets
...targets...
msf exploit(cisco_rv340_sslvpn) > set TARGET < target-id >
msf exploit(cisco_rv340_sslvpn) > show options
...show and set options...
msf exploit(cisco_rv340_sslvpn) > exploit
- Collect and share all the information you need to conduct a successful and efficient penetration test
- Simulate complex attacks against your systems and users
- Test your defenses to make sure they’re ready
- Automate Every Step of Your Penetration Test
Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.
– Jim O’Gorman | President, Offensive Security