CVE-2023-20198 PoC — Cisco IOS XE Software 安全漏洞

Source

Associated Vulnerability

Description

This is a webshell fingerprinting scanner designed to identify implants on Cisco IOS XE WebUI's affected by CVE-2023-20198 and CVE-2023-20273

Readme

# Cisco IOS XE Device Scanner User Guide for CVE-2023-20198-Scanner

This is a webshell fingerprinting scanner designed to identify implants on Cisco IOS XE WebUI's affected by CVE-2023-20198 and CVE-2023-20273. This Python script checks for compromised Cisco IOS XE devices by making HTTP and HTTPS requests. It supports multiple ways to specify target IPs and provides threading for faster scanning.

## ChangeLog
- Added new Authentication NGINX Configuration file from [Talos Security's blog](https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/)
- Added [Explainer for configuration LUA script functionality](https://github.com/Shadow0ps/CVE-2023-20198-Scanner/blob/main/Exploitation_Explainer.md).
- Added CURL from Talos Blog along with Authorization HEX value provided by Talos Security.


A few things you can do with this scipt:

- [Scan a Single IP](https://github.com/Shadow0ps/CVE-2023-20198-Scanner/blob/main/README.md#--ip)
- [Scan a list of IP's (Provide a file with each IP on a new line and pass it via argument)](https://github.com/Shadow0ps/CVE-2023-20198-Scanner/blob/main/README.md#--target_file)
- [Scan a CIDR range](https://github.com/Shadow0ps/CVE-2023-20198-Scanner/blob/main/README.md#--cidr)
- [Specify a custom UserAgent](https://github.com/Shadow0ps/CVE-2023-20198-Scanner/blob/main/README.md#--user_agent)
- Specify new IOC's within the response.text using a file (IOCS.txt is the default file. Ensure each IOC is on a new line.) *Known IOCS will be updated regularly should new ones become known. All current IOC's are already implemented directly into the code for clarity.
- [Ability to specify a proxy for scans](https://github.com/Shadow0ps/CVE-2023-20198-Scanner/blob/main/README.md#--proxy)
- Concurrent Processing for speed and efficiency.
- [Rate Limiting](https://github.com/Shadow0ps/CVE-2023-20198-Scanner/blob/main/README.md#--rate_limit)
- Logging of compromised hosts.
- Visual indication of potentially compromised hosts vs "clean" hosts. - This is not a guarantee and is based strictly off the known IOC's.

## Requirements

- Python 3.x
- Required Python packages: `requests`, `termcolor`, `tqdm`

Install the required Python packages using pip if you haven't already:

```bash
pip install requests termcolor tqdm
```

## Usage

The script provides several command-line options for flexibility:

### `--target_file`

Specify a file containing a list of Cisco IOS XE Device IPs or hostnames. The IPs or hostnames should be listed one per line.

Example:

```bash
python iosxe-scanner.py --target_file targets.txt
```

### `--cidr`

Specify a CIDR range to scan. The script will generate all the IPs in the specified range and scan them.

Example:

```bash
python iosxe-scanner.py --cidr 192.168.1.0/24
```

### `--ip`

Specify a single IP to scan.

Example:

```bash
python iosxe-scanner.py --ip 192.168.1.1
```

### `--user_agent`

Set a custom User-Agent header for the HTTP requests. The default is `CISCO-IOS-Shell-Scanner-cisco-sa-iosxe-webui-privesc-j22SaA4z`.

Example:

```bash
python iosxe-scanner.py --user_agent "MyCustomUserAgent"
```

### `--rate_limit`

Set a rate limit in seconds between requests. The default is 1 second.

Example:

```bash
python iosxe-scanner.py --rate_limit 0.5
```

### `--proxy`

Specify an HTTP Proxy to use for requests.

Example:

```bash
python iosxe-scanner.py --proxy http://127.0.0.1:8080
```

### `--iocs_file`

Specify a file containing Indicators of Compromise (IoCs) to look for in the response text. The default is `IOCS.txt`.

Example:

```bash
python iosxe-scanner.py --iocs_file custom_iocs.txt
```

## Examples

### Scan a list of targets from a file with a rate limit of 0.5 seconds

```bash
python iosxe-scanner.py --target_file targets.txt --rate_limit 0.5
```

### Scan a CIDR range using a proxy

```bash
python iosxe-scanner.py --cidr 192.168.1.0/24 --proxy http://127.0.0.1:8080
```

### Scan a single IP with a custom User-Agent

```bash
python iosxe-scanner.py --ip 192.168.1.1 --user_agent "MyCustomUserAgent"
```

### Scan using a custom IoCs file

```bash
python iosxe-scanner.py --iocs_file custom_iocs.txt
```

## Notes

- This script disables SSL certificate verification for making HTTPS requests. Use this feature cautiously.
- This script is presented "As Is" with NO WARRANTY. USE AT YOUR OWN RISK!
- Use of this script may be illegal in your country or jurisdiction. While it only makes simple HTTP(S) requests and checks for specific responses it's up to you to determine whether or not its use is legal/ethical and appropriate. DONT BE A JERK.

If you find this script useful feel free to let me know or give me a follow on Twitter(𝕏) <https://twitter.com/shadow0pz>

File Snapshot

 [4.0K]  /data/pocs/16e2dcd0e308e3e352a56f030b09bc72701c41d3
├── [4.9K]  Exploitation_Explainer.md
├── [  38]  IOCS.txt
├── [4.8K]  iosxe-scanner.py
├── [4.6K]  README.md
└── [ 131]  targets.txt

0 directories, 5 files

Remarks