Skip to content

Atea-Redteam/CVE-2023-20198

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

28 Commits
 
 
 
 

Repository files navigation

CVE-2023-20198

CVE-2023-20198 Checkscript based on: https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/ Including the updated where there is an Authorization header to check for the known implant.

!! Upgraded to look for upgraded implant

The script checks length of returned response with code 200, and checks if length is shorter then 32 characters. Each IP returning shorter length than 32 chars should be checked to se if device is compromised. This script only gives you an indicator, not proof that the device is compromised.

The script also checks if the implant has been upgraded, as dicovered by Fox-IT: https://github.com/fox-it/cisco-ios-xe-implant-detection

Run:

python cve-2023-20198.py


and enter you desired subnet to scan. For example:

python CVE-2023-20198


Enter the subnet (CIDR notation): 10.0.0.0/22

IP: 10.0.0.94 - Error: no reply

IP: 10.0.0.94 - Error: no reply

IP: 10.0.0.96 - Status: 200

IP: 10.0.0.96 - Response is a potentially suspicious: 


IPs with status code 200, suspicious length, should be checked:

['10.0.0.96']

IPs with status code 200, but no IOC:

[]

Releases

No releases published

Packages

No packages published

Languages