diff --git a/payloads/library/Incident_Response/Auto-Check_Cisco_IOS_XE_Backdoor_based_on_CVE-2023-20198_and_CVE/payload.txt b/payloads/library/Incident_Response/Auto-Check_Cisco_IOS_XE_Backdoor_based_on_CVE-2023-20198_and_CVE/payload.txt new file mode 100644 index 00000000..41bfc599 --- /dev/null +++ b/payloads/library/Incident_Response/Auto-Check_Cisco_IOS_XE_Backdoor_based_on_CVE-2023-20198_and_CVE/payload.txt @@ -0,0 +1,124 @@ +* REM ############################################################################################# +* REM # # +* REM # Title : Auto-Check Cisco IOS XE Backdoor based on CVE-2023-20198 and CVE-2023-20273 # +* REM # Author : Aleff # +* REM # Version : 1.0 # +* REM # Category : incident-response # +* REM # Target : Cisco IOS XE # +* REM # # +* REM ############################################################################################# + + +QUACK DELAY 3000 +QUACK CTRL-ALT t +QUACK DELAY 1000 + + +QUACK STRING echo 'while true; do +QUACK ENTER +QUACK DELAY 500 + +QUACK STRING response=$(curl -k -H "Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb" -X POST https://systemip/webui/logoutconfirm.html?logon_hash=1) +QUACK ENTER +QUACK DELAY 500 + +QUACK STRING if [[ $response =~ ^[0-9a-zA-Z]+$ ]]; then +QUACK ENTER +QUACK DELAY 500 + +QUACK STRING if [ $? -eq 0]; then +QUACK ENTER +QUACK DELAY 500 + +QUACK STRING # Attack detected, here you decide what to do in this moment +QUACK ENTER +QUACK DELAY 500 + +QUACK STRING # 1. Send an email to sec-team +QUACK ENTER +QUACK DELAY 500 + +QUACK STRING # 2. Do some other ops +QUACK ENTER +QUACK DELAY 500 + +QUACK STRING # ... +QUACK ENTER +QUACK DELAY 500 + +QUACK STRING # 3. What do you want to do? +QUACK ENTER +QUACK DELAY 500 + +QUACK STRING # Can you reboot the system or you need to do something else before? +QUACK ENTER +QUACK DELAY 500 + +QUACK STRING # Do you want to close it? +QUACK ENTER +QUACK DELAY 500 + +QUACK STRING # ... +QUACK ENTER +QUACK DELAY 500 + +QUACK STRING # The only one way to close the backdoor is reboot the system, so don t change it (?)... +QUACK ENTER +QUACK DELAY 500 + +QUACK STRING # |-> See the Conseguence section in README +QUACK ENTER +QUACK DELAY 500 + +QUACK STRING reboot +QUACK ENTER +QUACK DELAY 500 + +QUACK STRING else +QUACK ENTER +QUACK DELAY 500 + +QUACK STRING # You are safe :-) +QUACK ENTER +QUACK DELAY 500 + +QUACK STRING fi +QUACK ENTER +QUACK DELAY 500 + +QUACK STRING fi +QUACK ENTER +QUACK DELAY 500 + +QUACK STRING sleep 300 # wait time +QUACK ENTER +QUACK DELAY 500 + + +* REM Set the script name replacing #SCRIPT-NAME, the default name is auto-check.sh but you can change it here since is used the DuckyScript variable #SCRIPT-NAME. +* REM Here you chould define the script path replacing #PATH-TO-SCRIPT, if you don't change it is selected the default path, so the home path. If, for istance, you have a specific path where you put some stuff like this you can edit thi DuckyScript variable with the correct path +QUACK STRING done' > #PATH-TO-SCRIPT#SCRIPT-NAME +QUACK ENTER +QUACK DELAY 500 + +* REM To avoid some bad DELAY I decided to use only one command row + +* REM Old script +* REM STRINGLN sudo chmod +x #SCRIPT-NAME +* REM DELAY 500 +* REM STRINGLN #SUDO-PSWD +* REM DELAY 3000 +* REM STRINGLN sh #PATH-TO-SCRIPT#SCRIPT-NAME $ +* REM STRINGLN exit + +* REM Optimized script + +* REM Set the script name replacing #SCRIPT-NAME, the default name is auto-check.sh but you can change it here since is used the DuckyScript variable #SCRIPT-NAME. +* REM Here you chould define the script path replacing #PATH-TO-SCRIPT, if you don't change it is selected the default path, so the home path. If, for istance, you have a specific path where you put some stuff like this you can edit thi DuckyScript variable with the correct path +QUACK STRING sudo chmod +x #SCRIPT-NAME; sh #PATH-TO-SCRIPT#SCRIPT-NAME $; exit +QUACK ENTER +QUACK DELAY 500 + +* REM Here you must set your sudo password that permit to give the executable permissions to the file +QUACK STRING #SUDO-PSWD +QUACK ENTER