adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
77,971 Commits 27 Branches 1,043 Tags
6d9d9a70d410cc94de4d3d9afd7a75cd426d43be
Commit Graph

12 Commits

Author SHA1 Message Date
jheysel-r7 08e227faca Merge pull request #19934 from sfewer-r7/bugfix-cisco-iosxe-rce 
Improve exploit/linux/misc/cisco_ios_xe_rce (CVE-2023-20198 + CVE-2023-20273)
 2025-03-27 16:51:16 -07:00
sfewer-r7 4c5137846c call fail_with upon failure rather than passing around Failure's as variables. 2025-03-13 09:41:58 +00:00
sfewer-r7 2f5758b8ed improve the logic here 2025-03-04 09:22:11 +00:00
sfewer-r7 efb0d5da4c fix typo, C1000v should be CSR1000v. Be consistant with IOS XE and not IOS-XE. 2025-03-04 09:09:32 +00:00
sfewer-r7 94606036bd typos in comments 2025-03-03 20:45:37 +00:00
sfewer-r7 9c075c7cce Previously the check routine only leveraged the first vuln in the chain, CVE-2023-20198, to perform a version based check. However the second vuln in the chain, CVE-2023-20273, was not verified as to working, so a return code of CheckCode::Vulnerable may no have been acurate if the target was vulnerable to CVE-2023-20198 but not CVE-2023-20273. Now we leverage both CVE-2023-20198 and CVE-2023-20273 to ensure the target is actually vulnerable. For example, it has been observed that the C8000v series appliance version 17.6.5 is vulnerable to CVE-2023-20198, but not vulnerable to CVE-2023-20273, even though the IOS-XE version indicates they should be vulnerable to CVE-2023-20273. As this exploit chains both CVE-2023-20198 and CVE-2023-20273 together, the check routine must verify both CVEs work as expected in order to return CheckCode::Vulnerable (i.e. we cannot solely rely on a version based check via CVE-2023-20198). 2025-03-03 20:29:20 +00:00
sfewer-r7 4a38605576 bugfix the check routine, to get a suitable response from a targets webui path, we must have the trailing slash (seen in a C8000v target, verified to work in both C8000v and C1000v targets) 2025-03-03 20:25:31 +00:00
sfewer-r7 e71a851e3f mention that the C8000v series appliance version 17.6.5 was observed to not be vulnerable to CVE-2023-20273. Inspecting the Lua code shows this appliance has additional command injection filtering in place (see pexec_setsid in /usr/binos/openresty/nginx/conf/pexec.lua) which prevents the injection from working 2025-03-03 20:22:46 +00:00
cgranleese-r7 0017fbdf56 Updates more dead links 2025-02-28 10:30:14 +00:00
fanqiaojun 6b2bdc893b chore: remove repetitive words 
Signed-off-by: fanqiaojun <fanqiaojun@yeah.net>
 2024-04-15 11:06:50 +08:00
sfewer-r7 2a56c3f28b remove redundant \d in check regex 2023-11-07 09:21:04 +00:00
sfewer-r7 25ef7d1272 add the RCE exploit 2023-11-06 17:12:40 +00:00