forked from Medicean/VulApps
-
Notifications
You must be signed in to change notification settings - Fork 6
Expand file tree
/
Copy pathpoc.py
More file actions
113 lines (99 loc) · 3.91 KB
/
poc.py
File metadata and controls
113 lines (99 loc) · 3.91 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Author: Medici.Yan
# Exp: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40258.zip
import socket
import struct
def sendsnmp(ip, data):
ret = ''
try:
UDPClient = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
UDPClient.settimeout(4)
UDPClient.sendto(data, (ip, 161))
ret, addr = UDPClient.recvfrom(1024)
except socket.error, msg:
# connection reset by peer
# port not open
if msg.errno == 10054:
return None
finally:
UDPClient.close()
return ret
def make_get_request(community):
request_id = 601835777
data = '\x02\x01\x00\x04' + struct.pack("b", len(community)) + community + '\xa0\x1c\x02\x04'+ struct.pack("!I", request_id) + '\x02\x01\x00\x02\x01\x00\x30\x0e\x30\x0c\x06\x08\x2b\x06\x01\x02\x01\x01\x01\x00\x05\x00'
message = '\x30' + struct.pack("b", len(data)) + data
return message
def get_ver_string(ret, community):
request_id = 601835777
if ret[0] != "\x30":
return None
community_len = struct.unpack("b", ret[6])[0]
if community_len != len(community):
return None
data_index = 7 + community_len
if ret[data_index] != "\xa2":
return None
ret_request_id = struct.unpack(
"!I", ret[data_index + 4: data_index + 8])[0]
if ret_request_id != request_id:
return None
ver_string = ret[data_index + 30:]
return ver_string
def parse_ver_string(vers_string):
if vers_string == "Cisco Adaptive Security Appliance Version 8.0(2)":
return "asa802"
elif vers_string == "Cisco Adaptive Security Appliance Version 8.0(3)":
return "asa803"
elif vers_string == "Cisco Adaptive Security Appliance Version 8.0(3)6":
return "asa803-6"
elif vers_string == "Cisco Adaptive Security Appliance Version 8.0(4)":
return "asa804"
elif vers_string == "Cisco Adaptive Security Appliance Version 8.0(4)32":
return "asa804-32"
elif vers_string == "Cisco Adaptive Security Appliance Version 8.0(5)":
return "asa805"
elif vers_string == "Cisco Adaptive Security Appliance Version 8.2(1)":
return "asa821"
elif vers_string == "Cisco Adaptive Security Appliance Version 8.2(2)":
return "asa822"
elif vers_string == "Cisco Adaptive Security Appliance Version 8.2(3)":
return "asa823"
elif vers_string == "Cisco Adaptive Security Appliance Version 8.2(4)":
return "asa824"
elif vers_string == "Cisco Adaptive Security Appliance Version 8.2(5)":
return "asa825"
elif vers_string == "Cisco Adaptive Security Appliance Version 8.3(1)":
return "asa831"
elif vers_string == "Cisco Adaptive Security Appliance Version 8.3(2)":
return "asa832"
elif vers_string == "Cisco Adaptive Security Appliance Version 8.4(1)":
return "asa841"
elif vers_string == "Cisco Adaptive Security Appliance Version 8.4(2)":
return "asa842"
elif vers_string == "Cisco Adaptive Security Appliance Version 8.4(3)":
return "asa843"
elif vers_string == "Cisco Adaptive Security Appliance Version 8.4(4)":
return "asa844"
else:
return None
def assign(service, arg):
if service == fingerprint.snmp:
return True, arg
def audit(arg):
ip = arg['ip']
community = arg['community']
message = make_get_request(community)
ret = sendsnmp(ip, message)
ver_string = ""
vul_version = ""
if ret:
ver_string = get_ver_string(ret, community)
if ver_string:
vul_version = parse_ver_string(ver_string)
if vul_version:
security_hole(
"Cisco %s SNMP 远程命令执行: [ip=>%s];[community=>%s];[ver_string=> %s]" % (vul_version, ip, community, ver_string))
if __name__ == '__main__':
from dummy import *
audit(assign(fingerprint.snmp, {"ip": '172.17.0.3', "community": "public"})[1])