Import DoS module for Cisco CVE-2017-3881 #8615

Merged
merged 1 commit into from Jun 30, 2017
busterb commented Jun 25, 2017

This originally comes from https://github.com/artkond/cisco-rce/blob/master/ios_telnet_rocem.rb. As part of this weekend's Metasploit hackathon, we were able to verify with a couple of 3750's as well.

We've been following the great blog by @artkond (https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/) looking at how to convert this exploit to work on more switch firmware versions, but it seemed interesting to at least get the DoS module in.

Verification

List the steps needed to make sure this thing works

  • Target the exploit at a paired slave switch running the affected firmware version
  • Verify that it reboots and displays a backtrace on the console output.
add @artkond's DoS module for Cisco CVE-2017-3881
This makes a few improvements, adds module docs.
busterb commented Jun 27, 2017

Issues addressed, it still sends a packet, though I don't have access to the hardware anymore to test.

artkond commented Jun 27, 2017

Just a quick comment. Switches don't need to be configured in cluster mode to get exploited. Cluster-mode telnet options get parsed regardless. That's the vulnerability itself (aside from the buffer overflow).

busterb merged commit 0d9f57a into rapid7:master Jun 30, 2017

busterb pushed a commit that referenced this pull request Jun 30, 2017

busterb self-assigned this Jun 30, 2017

busterb commented Jun 30, 2017

Ah, thanks @artkond. We originally tested on a newer switch that seemed vulnerable but we couldn't get it to fail, but I think it's because the clustering was managed via a different mechanism with stack cables in the back. So we clustered some older switches and didn't reverify the unclustered case on those.

busterb commented Jun 30, 2017

Forgot to push the revised docs to the PR first, added: 796fe99

alrosenthal-r7 commented Jul 12, 2017

Release Notes

The auxiliary/dos/cisco/ios_telnet_rocem module has been added to the framework. This module triggers a Denial of Service condition in the Cisco IOS telnet service affecting multiple Cisco switches.

busterb deleted the busterb:CVE-2017-3881 branch Jan 18, 2018